daemora 1.0.9 → 1.0.11

package/daemora-ui/dist/index.html

@@ -7,8 +7,8 @@
     <meta name="theme-color" content="#0a0a0f" />
     <meta name="description" content="Daemora — Self-hosted AI agent platform" />
     <title>Daemora</title>
-    <script type="module" crossorigin src="/assets/index-AfA65HSy.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-DP95eMOr.css">
+    <script type="module" crossorigin src="/assets/index-ZiuOJUu0.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-BkPHvKYt.css">
   </head>
   <body>
     <div id="root"></div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "daemora",
-  "version": "1.0.9",
+  "version": "1.0.11",
   "description": "A powerful open-source AI agent that runs on your machine. Connects to any AI model, any MCP server, any channel. Fully autonomous - plans, codes, tests, browses, emails, and manages your tools without asking permission.",
   "main": "src/index.js",
   "bin": {

package/skills/coding.md

@@ -1,7 +1,7 @@
 ---
 name: coding
 description: Use when writing, debugging, or reviewing code
-triggers: code, function, bug, error, refactor, implement, class, module, typescript, javascript, python, api, endpoint, test, debug, fix, PR, pull request, commit, git
+triggers: code, function, bug, error, refactor, implement, class, module, typescript, javascript, python, api, endpoint, test, debug, fix, PR, pull request, commit, git, push, pull, branch, merge, rebase, cherry-pick, stash, diff, log
 ---
 ## Workflow: Read → Understand → Change → Verify → Test
 
@@ -19,9 +19,28 @@ triggers: code, function, bug, error, refactor, implement, class, module, typesc
 - Security: no injection, XSS, hardcoded secrets, path traversal
 
 ## Git Workflow
-- Read the diff before committing: `git diff`
-- Write clear commit messages: imperative, present tense, explain WHY
-- One logical change per commit
+
+### Safety
+- Never push without explicit user approval.
+- Never force push. Never `reset --hard` without asking.
+- Check current branch before committing — warn if on main/master.
+- Never commit .env, credentials, or secrets.
+
+### Commits
+- `git diff` — review all changes before staging.
+- Stage specific files — avoid `git add .` (catches unwanted files).
+- Commit message: imperative, present tense, explain WHY not WHAT.
+- One logical change per commit. Don't batch unrelated work.
+
+### Branches
+- Feature work → create a branch first. Don't commit directly to main.
+- `git status` before switching branches — stash or commit dirty work.
+- Pull before push — avoid conflicts.
+
+### Pull Requests
+- Title: short (<70 chars). Body: what changed and why.
+- Reference related issues if applicable.
+- Run tests before creating PR.
 
 ## Code Review
 - Check for bugs, security issues, performance problems

package/skills/planning.md

@@ -0,0 +1,168 @@
+---
+name: planning
+description: Task planning for any complex work — coding, research, communication, automation. Decide when to plan vs just do, break into steps, get user confirmation before executing.
+triggers: plan, planning, design, architect, approach, strategy, implement, big task, complex task, multi-step, think through, break down, figure out, how should, what approach, steps, workflow
+---
+
+# Planning — Think Before You Act
+
+## When to Plan vs Just Do It
+
+**Plan first** when ANY of these apply:
+- **Multiple steps required** — the task needs 3+ distinct actions to complete.
+- **Multiple valid approaches** — the task can be solved several ways. Pick the right one first.
+- **Unclear scope** — you need to explore or research before understanding the full extent of work.
+- **User preferences matter** — the outcome could go multiple reasonable directions.
+- **High stakes** — mistakes are costly to undo (emails sent, files restructured, data transformed).
+- **Multi-agent work** — the task needs parallel or sequential agent coordination.
+- **New feature or system change** — adding meaningful new functionality or modifying existing behavior.
+- **Multi-file code changes** — the task will touch 3+ files. Map out which files and what changes.
+- **Architectural decisions** — choosing between patterns, libraries, data models, or technologies.
+
+**Skip planning** — do it directly:
+- Single-action tasks (send one email, fetch one page, fix a typo).
+- Tasks where the user gave very specific, detailed instructions.
+- Quick lookups, simple questions, casual conversation.
+- Few-line code fixes with obvious solutions.
+
+**When in doubt → plan.** The cost of planning is low. The cost of rework is high.
+
+## Planning Workflow
+
+1. **Explore** — gather context. Read files, search the web, check memory, review conversation history. Understand the current state before deciding what to change.
+2. **Identify the approach** — what needs to happen, in what order, using what tools/agents. Consider alternatives and pick the best one.
+3. **Break into steps** — ordered list of concrete actions. Each step = one verifiable outcome. Keep it short — a list of actions, not an essay.
+4. **Present the plan to the user** — before executing, tell the user what you're about to do and ask for confirmation. This prevents wasted effort and ensures alignment. Format: numbered list of concrete actions, not vague descriptions.
+5. **Execute on confirmation** — work through each step. Verify after each one.
+
+## User Confirmation
+
+**Always confirm before executing a complex plan.** Present the plan clearly and ask:
+- "Here's my plan — want me to go ahead?"
+- List the concrete steps so the user can see what will happen.
+- If the user adjusts, update the plan and confirm again.
+- Only skip confirmation for simple tasks that don't need planning.
+
+This is non-negotiable for complex work. The user should always know what's about to happen before it happens.
+
+## Exploration by Task Type
+
+**Code tasks:**
+- Find files — `glob("src/**/*.ts")`, `searchFiles("*.controller.*")` to map the structure.
+- Find patterns — `searchContent("export function", "src/")`, `grep("interface.*Props")` to see conventions.
+- Read key files — entry points, related components, tests, configs.
+- Check dependencies — what libraries, APIs, patterns are established.
+
+**Research tasks:**
+- Web search for current information on the topic.
+- Fetch and read actual pages — don't stop at summaries.
+- Check memory for previous findings on the same topic.
+- Cross-reference multiple sources for anything important.
+
+**Communication tasks:**
+- Review conversation history for context and tone.
+- Check memory for user preferences (writing style, contacts, templates).
+- Identify all recipients, attachments, and follow-up actions needed.
+
+**Automation / workflow tasks:**
+- Map the full workflow end-to-end before automating any step.
+- Identify dependencies between steps.
+- Check what tools, APIs, and MCP servers are available.
+
+3-5 targeted explorations is usually enough. Get the lay of the land, then plan.
+
+## What a Good Plan Looks Like
+
+A plan is a short ordered list of concrete actions:
+
+**Coding example:**
+```
+1. Add FooService class in src/services/foo.ts — handles X with methods Y, Z
+2. Update src/routes/api.ts — add GET /api/foo endpoint, wire to FooService
+3. Add tests in tests/foo.test.ts — cover happy path + error cases
+4. Run build + tests, fix any failures
+```
+
+**Research example:**
+```
+1. Search web for latest pricing on X, Y, Z services
+2. Fetch each provider's pricing page, extract plan details
+3. Compare features and costs in a structured table
+4. Save findings to memory for future reference
+```
+
+**Workflow example:**
+```
+1. Fetch all invoices from email (last 30 days)
+2. Extract amounts, dates, vendors from each
+3. Create summary spreadsheet in workspace
+4. Send summary to user via email
+```
+
+NOT:
+```
+First, I'll think about what to do. Then I'll consider the options.
+After that, I'll figure out the best approach. Finally, I'll do everything.
+```
+
+Each step should be specific enough to hand to someone with zero context.
+
+## Planning Multi-Agent Work
+
+Any task that spawns agents — `spawnAgent`, `parallelAgents`, `useMCP` — is multi-agent work. MCP tasks are spawned agent tasks. Plan them the same way.
+
+### Agent Isolation — Non-Negotiable
+- Each agent operates in its own context. No shared memory, no shared state, no implicit communication.
+- Agents must NOT touch files, paths, or resources owned by another agent. Define boundaries upfront.
+- If two agents need the same data, pass it explicitly via `sharedContext` or workspace files. Never assume one agent can read another's output unless the plan says so.
+- MCP agents (`useMCP`) get ONLY that server's tools. They cannot access files, shell, or other MCP servers. Plan accordingly — don't expect an MCP agent to do something outside its server's scope.
+
+### Contract-Based Planning
+Before spawning any agents, define the contract:
+1. **Inputs** — what each agent receives. Exact data, file paths, specs. Paste the actual content into the brief — don't reference it.
+2. **Outputs** — what each agent produces. File paths, data shapes, expected format.
+3. **Boundaries** — what each agent is NOT allowed to touch. Files, directories, APIs outside its scope.
+4. **Dependencies** — does agent B need output from agent A? Yes → sequential. No → parallel.
+5. **Profiles** — coder for code, researcher for research, writer for docs, analyst for data.
+
+### MCP as Spawned Agents
+- `useMCP(serverName, taskDescription)` spawns a specialist agent with ONLY that MCP server's tools.
+- The specialist has ZERO context beyond the task description you write. Include everything: what to do, all details, full content, background context.
+- Plan MCP calls like any other agent spawn — define inputs, expected outputs, and what happens with the result.
+- Multiple MCP calls to different servers can run in parallel if they don't depend on each other.
+
+### Preventing Cross-Agent Impact
+- Never let two agents write to the same file. Split by file or by section with clear ownership.
+- Never let an agent modify global state (env vars, configs, databases) without the plan explicitly calling for it.
+- Use workspace directories (`data/workspaces/{id}/`) as artifact stores. Each agent writes to its own path within the workspace.
+- After all agents finish, the parent synthesizes results. Agents never directly consume each other's output during execution.
+
+Load `readFile("skills/orchestration.md")` for full multi-agent coordination patterns, error recovery, and structured return conventions.
+
+## Tracking Complex Work
+
+For multi-step work, use `projectTracker("createProject")` to persist the plan:
+- Mark tasks `in_progress` before starting, `done` with notes when finished.
+- If interrupted → `projectTracker("listProjects")` to find and resume.
+- Workspace files survive crashes — work is never lost.
+
+## Re-Assessment
+
+If you're 3+ steps into execution and:
+- The approach isn't working as expected
+- You discovered something that changes the requirements
+- The scope is larger than initially estimated
+
+**Stop. Re-read the original request. Re-plan from current state.** Don't push through a broken plan. If the new plan differs significantly, confirm with the user again.
+
+## Planning Checklist
+
+Before executing, verify:
+- [ ] Gathered enough context (files, web, memory, conversation)
+- [ ] Identified the best approach from available options
+- [ ] Steps are ordered (dependencies resolved)
+- [ ] Each step has a clear, verifiable outcome
+- [ ] User has confirmed the plan (for complex work)
+- [ ] Edge cases and potential failures considered
+- [ ] Multi-agent tasks: contracts defined, boundaries set, no shared-file conflicts
+- [ ] MCP tasks: task descriptions are self-contained, expected outputs specified

package/src/agents/systemPrompt.js

@@ -52,6 +52,7 @@ export async function buildSystemPrompt(taskInput, promptMode = "full", runtimeM
         renderMCPTools(),
         renderToolUsageRules(),
         renderSkills(taskInput, 10),
+        renderMemory(),
         renderSubagentContext(runtimeMeta.taskDescription || taskInput),
       ])
     : await Promise.all([
@@ -65,7 +66,6 @@ export async function buildSystemPrompt(taskInput, promptMode = "full", runtimeM
         renderMemory(),
         renderSemanticRecall(taskInput),
         renderDailyLog(),
-        renderOperationalGuidelines(),
       ]);
 
   const runtime = renderRuntime(runtimeMeta);
@@ -162,7 +162,7 @@ You MUST respond with a JSON object matching this exact schema on every turn:
 - Task complete and verified → concise outcome in 1-3 sentences. finalResponse = true.
 
 ## Task execution rules
-1. Action requests → start with a tool call immediately.
+1. **Decide: plan or just do it.** Simple task (single action, clear instructions, quick fix) → start immediately with a tool call. Complex task (3+ steps, multiple approaches, unclear scope, high stakes, multi-agent, new feature, multi-file changes) → load the planning skill first (\`readFile("skills/planning.md")\`), gather context, break into steps, **present the plan to the user and get confirmation before executing**. When in doubt → plan. The cost of planning is low; the cost of rework is high.
 2. Chain multiple tool calls. After each result: need more? Call another. Done? Verify first, then finalize.
 3. After writing/editing any file, read it back to verify.
 4. After code changes, run build/tests. Fix failures until clean.
@@ -170,6 +170,7 @@ You MUST respond with a JSON object matching this exact schema on every turn:
 6. Never give up. Never ask the user to do it manually. Never report a problem without attempting to solve it.
 7. Never claim you did something without actually calling the tool.
 8. Never set finalResponse=true while errors or failures exist.
+9. If 3+ steps into execution and something doesn't add up → stop, re-read the request, re-plan from current state.
 
 ## Understanding user intent
 - Read the full request carefully. Identify exactly what the user wants done.
@@ -181,7 +182,15 @@ You MUST respond with a JSON object matching this exact schema on every turn:
 - 1-3 sentences. What happened, from the user's perspective.
 - Never dump tool output, full email bodies, API responses, status codes, message IDs, or JSON.
 - Never ask what to do next or offer follow-up options.
-- Never expose internal details (tool names, IDs, technical artifacts).`;
+- Never expose internal details (tool names, IDs, technical artifacts).
+
+## Output efficiency
+These rules apply to text responses sent to the user — NOT to tool params, sub-agent instructions, or task descriptions (those must remain detailed and complete).
+- Go straight to the point. Try the simplest approach first.
+- Lead with the answer or action, not the reasoning.
+- Skip filler words, preamble, and unnecessary transitions.
+- If you can say it in one sentence, don't use three.
+- Focus text on: decisions needing input, status updates at milestones, errors that change the plan.`;
 }
 
 function renderToolDocs() {
@@ -197,12 +206,19 @@ ${unconfigured.map(t => `- ${t} — needs: ${TOOL_REQUIRED_KEYS[t].join(" or ")}
   return `# Available Tools
 
 All tool params are STRINGS. Pass them as an array of strings.
+Use existing conversation context first — if you already have the data from a previous tool call, web search, file read, or user message, work with that. Only call a tool again when you need fresh or missing information.
 
 ## File Operations
 Always use absolute paths. Resolve ~ and relative paths from the user's context before calling any file tool.
-- readFile(filePath, offset?, limit?) — Read file with line numbers. Always read before editing.
+- MUST read a file before modifying it. Never edit blind — this will error if you haven't read the file first.
+- Don't re-read files already in context. Use existing content — only re-read if you need fresh state after an edit.
+- Read only what you need: use offset/limit to target specific sections, not the entire file.
+- Prefer editFile for modifying existing files — it only sends the diff. Most edits should use this.
+- applyPatch for multi-hunk changes — better than multiple editFile calls.
+- writeFile only for creating new files or complete rewrites. Never writeFile to change a few lines.
+- readFile(filePath, offset?, limit?) — Read file with line numbers. Use offset/limit to read specific sections.
 - writeFile(filePath, content) — Create or overwrite file. Content is the complete file.
-- editFile(filePath, oldString, newString) — Find-and-replace (exactly 3 params). Read file first to get exact match string.
+- editFile(filePath, oldString, newString) — Find-and-replace (exactly 3 params). Supports flexible whitespace matching.
 - applyPatch(filePath, patch) — Apply unified diff patch. Better than editFile for multi-hunk changes.
 - listDirectory(dirPath) — List files and folders with types and sizes.
 - searchFiles(pattern, directory?, optionsJson?) — Find files by name pattern. opts: {"sortBy":"modified","maxDepth":3}
@@ -245,6 +261,7 @@ ${_isToolConfigured("textToSpeech") ? `- textToSpeech(text, optionsJson?) — Te
 - sendFile(channel, target, filePath, caption?) — Send file to a DIFFERENT user on a specific channel.
 
 ## Memory
+Persistent memory per tenant. Contents survive across conversations. Consult memory to build on previous experience.
 - readMemory() — Read long-term MEMORY.md.
 - writeMemory(entry, category?) — Add timestamped entry. category: "user-prefs", "project", "learned", etc.
 - searchMemory(query, optionsJson?) — Search MEMORY.md and daily logs. opts: {"category":"...","limit":50}
@@ -253,6 +270,24 @@ ${_isToolConfigured("textToSpeech") ? `- textToSpeech(text, optionsJson?) — Te
 - readDailyLog(date?) — Read daily log for date (YYYY-MM-DD). Omit for today.
 - writeDailyLog(entry) — Append to today's daily log.
 
+### What to save
+- User preferences for workflow, tools, and communication style.
+- Key architectural decisions, important file paths, and project structure.
+- Solutions to recurring problems and debugging insights.
+- When the user asks to remember something across sessions, save it immediately.
+
+### What NOT to save
+- Session-specific context (current task details, in-progress work, temporary state).
+- Speculative or unverified conclusions from a single interaction.
+- Information that duplicates what's already in memory — check first, update existing entries.
+
+### When to use memory
+- Start of a new conversation → readMemory() to recall user preferences and context.
+- User gives a preference or rule → writeMemory() immediately, don't wait.
+- User asks to forget something → find and remove the relevant entry.
+- Learned something stable across multiple interactions → save it.
+- Daily log for task tracking → writeDailyLog() at end of significant work.
+
 ## Agents
 For complex multi-agent tasks, load \`readFile("skills/orchestration.md")\` first — covers parallel execution, contract-based planning, workspace artifacts, and coordination patterns.
 - spawnAgent(taskDescription, optionsJson?) — Spawn sub-agent. opts: {"profile":"coder|researcher|writer|analyst","extraTools":[...],"skills":["skills/coding.md"],"parentContext":"...","model":"..."}. Pass skills array with skill paths from the Available Skills list — the skill content is injected directly into the sub-agent so it can follow the instructions without loading them. Task description must be comprehensive — sub-agent has no other context.
@@ -304,33 +339,42 @@ ${serverList}
 function renderToolUsageRules() {
   return `# Tool Usage Rules
 
-## Read Before Edit
-- ALWAYS read a file before modifying it. Never edit blind.
-- Use enough context in oldString for unambiguous match.
-
-## Choose the Right Tool
-- Small change → editFile. Major rewrite → writeFile. editFile keeps failing → switch to writeFile.
-- Find content → searchContent/grep. Find files → searchFiles/glob/listDirectory (not executeCommand("ls")).
+## Workflow
+1. Read → understand before touching anything.
+2. Act → editFile for small changes, writeFile for rewrites. Use tools, never tell the user to do it manually.
+3. Verify → readFile after writes. Run build/tests after code changes.
+4. Fix → build/test fails → fix and re-verify until clean.
+5. Report → 1-3 sentences. What happened, key outcomes. No raw output, no internal details.
+
+## Tool Selection
+- Small change → editFile. Full rewrite → writeFile. editFile keeps failing → switch to writeFile.
+- Find content → searchContent/grep. Find files → searchFiles/glob/listDirectory.
+- editFile oldString not found → re-read file, retry with exact content.
 
 ## Error Recovery
-- editFile oldString not found → re-read file, retry with exact content.
-- Command fails → read error, diagnose, try different approach.
-- NEVER tell user to do something manually. Use tools.
-
-## Don't Over-Engineer
-- Only make changes directly requested or clearly necessary.
-- No extra features, refactoring, or "improvements" beyond what was asked.
-- No comments/docstrings/type annotations on untouched code.
-- No error handling for impossible scenarios. No premature abstractions.
-- Unused code → delete it completely. No backwards-compatibility hacks.
-
-## Security
-- No command injection, XSS, SQL injection, path traversal. Fix insecure code immediately.
-- Never hardcode secrets. Use environment variables. Sanitize user input at boundaries.
-
-## Quality
-- Follow existing code conventions. Match project patterns. Check surrounding code first.
-- Prefer simplest correct solution. Complexity is a cost.`;
+- Tool fails → read error, try different approach. Fails again → try another. Exhaust options before reporting failure.
+- Same params fail twice → stop and diagnose. Don't brute force.
+- Never use destructive workarounds to clear a blocker.
+
+## Code Quality
+- Read before edit. Always. Use enough context in oldString for unambiguous match.
+- Follow existing conventions. Match project patterns. Simplest correct solution wins.
+- Only change what's requested. No extra features, refactoring, or "improvements" beyond scope.
+- No comments/docstrings on untouched code. No error handling for impossible scenarios.
+- Unused code → delete completely. No backwards-compatibility hacks.
+- No command injection, XSS, SQL injection, path traversal. Never hardcode secrets.
+
+## What NOT To Do
+- NEVER expose raw API responses, status codes, message IDs, or internal artifacts.
+- NEVER ask what to do next or offer follow-up options. Either do it or don't.
+- NEVER claim "fixed" without calling writeFile/editFile. NEVER plan without executing.
+- NEVER ask user to do things manually. NEVER give up after one failure.
+- NEVER set finalResponse true without verification or while errors exist.
+
+## Context Management
+- \`<conversation-summary>\` blocks are compacted history — treat as ground truth for earlier work.
+- Don't re-do work mentioned in the summary. Continue from where it left off.
+- If context is growing long, write key decisions to memory before they get compacted.`;
 }
 
 async function renderSkills(taskInput, limit = 20) {
@@ -350,6 +394,7 @@ async function renderSkills(taskInput, limit = 20) {
   return `# Available Skills
 
 Before replying, scan this list. If a skill applies, use readFile to load it, then follow it.
+Skills that need API keys or credentials access them from the runtime environment automatically — never ask the user for keys in chat.
 
 ${lines.join("\n")}${dirHint}`;
 }
@@ -376,33 +421,7 @@ function renderDailyLog() {
   return `# Today's Log (${today})\n\n${dailyLog}`;
 }
 
-function renderOperationalGuidelines() {
-  return `# Operational Guidelines
-
-## Workflow
-1. Read every file before touching it.
-2. Act with tools — editFile for small changes, writeFile for rewrites.
-3. Verify — readFile after writes. Run build/tests after code changes.
-4. Fix — if build/test fails, fix and re-verify until clean.
-5. Report — brief result in 1-3 sentences. Never expose internal details (tool names, IDs, JSON, raw API data).
-- NEVER set finalResponse true while a build error or test failure exists.
-
-## Requirements
-- Infer implied intent from vague requests. Ask only when truly ambiguous.
-- Match existing code style and conventions.
-
-## When Blocked
-- Read the error, try a different approach. Don't brute force.
-- Tool fails twice with same params → stop and diagnose.
-- Never use destructive workarounds to clear a blocker.
-
-## What NOT To Do
-- NEVER expose raw API responses, status codes, message IDs, or internal artifacts to the user.
-- NEVER ask the user what to do next or offer follow-up options. Either do it or don't.
-- NEVER claim "fixed" without calling writeFile/editFile. NEVER plan without executing.
-- NEVER ask user to do things manually. NEVER give up after one failure.
-- NEVER set finalResponse true without verification. NEVER over-engineer.`;
-}
+// renderOperationalGuidelines merged into renderToolUsageRules
 
 function renderSubagentContext(taskDescription) {
   if (!taskDescription) return null;
@@ -423,7 +442,10 @@ function renderRuntime(meta = {}) {
   if (meta.model) parts.push(`model=${meta.model}`);
   if (meta.thinkingLevel) parts.push(`thinking=${meta.thinkingLevel}`);
   if (meta.agentId) parts.push(`agent=${meta.agentId}`);
-  if (parts.length === 0) return null;
+  parts.push(`date=${new Date().toISOString().split("T")[0]}`);
+  parts.push(`os=${process.platform}/${process.arch}`);
+  parts.push(`cwd=${process.cwd()}`);
+  parts.push(`shell=${process.env.SHELL || "unknown"}`);
   return `Runtime: ${parts.join(" | ")}`;
 }
 

package/src/cli.js

@@ -871,10 +871,18 @@ function handleSandbox(action, args) {
         console.error(`\n  ${S.cross}  Usage: daemora sandbox add ${t.dim("<absolute-path>")}\n`);
         process.exit(1);
       }
-      if (!newPath.startsWith("/") && !newPath.match(/^[A-Za-z]:\\/)) {
+      if (!newPath.startsWith("/") && !newPath.match(/^[A-Za-z]:[\\\/]/)) {
         console.error(`\n  ${S.cross}  Path must be absolute (start with / or C:\\)\n`);
         process.exit(1);
       }
+      if (/[\x00-\x1f]/.test(newPath) || newPath.includes("\0")) {
+        console.error(`\n  ${S.cross}  Path must not contain control characters or null bytes.\n`);
+        process.exit(1);
+      }
+      if (/(^|[\\/])\.\.([\\/]|$)/.test(newPath)) {
+        console.error(`\n  ${S.cross}  Path must not contain ".." traversal.\n`);
+        process.exit(1);
+      }
       const updated = [...new Set([...allowedPaths, newPath])];
       writeEnvKey("ALLOWED_PATHS", updated.join(","));
       console.log(`\n${header}  ${S.check}  ${t.bold(newPath)} added to allowed paths.`);
@@ -909,6 +917,10 @@ function handleSandbox(action, args) {
         console.error(`\n  ${S.cross}  Usage: daemora sandbox block ${t.dim("<absolute-path>")}\n`);
         process.exit(1);
       }
+      if (/[\x00-\x1f]/.test(blockPath) || /(^|[\\/])\.\.([\\/]|$)/.test(blockPath)) {
+        console.error(`\n  ${S.cross}  Invalid path — no control characters or ".." traversal allowed.\n`);
+        process.exit(1);
+      }
       const updated = [...new Set([...blockedPaths, blockPath])];
       writeEnvKey("BLOCKED_PATHS", updated.join(","));
       console.log(`\n${header}  ${S.check}  ${t.bold(blockPath)} added to blocked paths.\n`);
@@ -972,15 +984,24 @@ async function handleTenant(action, args) {
   const port = process.env.PORT || "8081";
   const base = `http://localhost:${port}`;
 
+  // Read auth token for API calls
+  const tokenPath = join(config.dataDir, "auth-token");
+  const authToken = existsSync(tokenPath) ? readFileSync(tokenPath, "utf-8").trim() : "";
+
   async function apiCall(method, path, body) {
     const { default: http } = await import("http");
+    // Ensure path starts with /api/
+    const apiPath = path.startsWith("/api/") ? path : `/api${path}`;
     return new Promise((resolve, reject) => {
       const opts = {
         hostname: "localhost",
         port: parseInt(port),
-        path,
+        path: apiPath,
         method,
-        headers: { "Content-Type": "application/json" },
+        headers: {
+          "Content-Type": "application/json",
+          ...(authToken ? { "Authorization": `Bearer ${authToken}` } : {}),
+        },
       };
       const req = http.request(opts, (res) => {
         let data = "";
@@ -1285,9 +1306,100 @@ async function handleTenant(action, args) {
       break;
     }
 
+    case "workspace": {
+      // daemora tenant workspace <tenantId>                 — show paths
+      // daemora tenant workspace <tenantId> add <path>      — add to allowedPaths
+      // daemora tenant workspace <tenantId> remove <path>   — remove from allowedPaths
+      // daemora tenant workspace <tenantId> block <path>    — add to blockedPaths
+      // daemora tenant workspace <tenantId> unblock <path>  — remove from blockedPaths
+      const [tenantId, wsAction, wsPath] = args;
+      if (!tenantId) {
+        console.error(`\n  ${S.cross}  Usage: daemora tenant workspace ${t.dim("<tenantId> [add|remove|block|unblock] [path]")}\n`);
+        process.exit(1);
+      }
+
+      const { default: tm } = await import("./tenants/TenantManager.js");
+      const tenant = tm.get(tenantId);
+      if (!tenant) {
+        console.error(`\n  ${S.cross}  Tenant "${tenantId}" not found.\n`);
+        process.exit(1);
+      }
+
+      if (!wsAction) {
+        // Show current workspace paths
+        console.log(header);
+        console.log(`  ${S.bar}  Tenant         ${t.bold(tenantId)}`);
+        console.log(`  ${S.bar}  Workspace      ${t.dim(tm.getWorkspace(tenantId))}`);
+        const allowed = tenant.allowedPaths || [];
+        const blocked = tenant.blockedPaths || [];
+        if (allowed.length > 0) {
+          console.log(`  ${S.bar}  Allowed paths:`);
+          for (const p of allowed) console.log(`  ${S.bar}    ${S.check}  ${p}`);
+        } else {
+          console.log(`  ${S.bar}  Allowed paths  ${t.muted("(none — uses global or workspace default)")}`);
+        }
+        if (blocked.length > 0) {
+          console.log(`  ${S.bar}  Blocked paths:`);
+          for (const p of blocked) console.log(`  ${S.bar}    ${S.cross}  ${p}`);
+        } else {
+          console.log(`  ${S.bar}  Blocked paths  ${t.muted("(none)")}`);
+        }
+        console.log("");
+        break;
+      }
+
+      // Validate path is absolute
+      if (["add", "remove", "block", "unblock"].includes(wsAction)) {
+        if (!wsPath) {
+          console.error(`\n  ${S.cross}  Usage: daemora tenant workspace ${tenantId} ${wsAction} ${t.dim("<absolute-path>")}\n`);
+          process.exit(1);
+        }
+        if (!wsPath.startsWith("/") && !/^[A-Za-z]:\\/.test(wsPath)) {
+          console.error(`\n  ${S.cross}  Path must be absolute (start with / or C:\\)\n`);
+          process.exit(1);
+        }
+      }
+
+      try {
+        if (wsAction === "add") {
+          const updated = [...new Set([...(tenant.allowedPaths || []), wsPath])];
+          tm.set(tenantId, { allowedPaths: updated });
+          console.log(`\n${header}  ${S.check}  ${t.bold(wsPath)} added to allowedPaths for ${t.bold(tenantId)}\n`);
+        } else if (wsAction === "remove") {
+          const updated = (tenant.allowedPaths || []).filter(p => p !== wsPath);
+          if (updated.length === (tenant.allowedPaths || []).length) {
+            console.error(`\n  ${S.cross}  "${wsPath}" not found in allowedPaths.\n`);
+            process.exit(1);
+          }
+          tm.set(tenantId, { allowedPaths: updated });
+          console.log(`\n${header}  ${S.check}  ${t.bold(wsPath)} removed from allowedPaths for ${t.bold(tenantId)}\n`);
+        } else if (wsAction === "block") {
+          const updated = [...new Set([...(tenant.blockedPaths || []), wsPath])];
+          tm.set(tenantId, { blockedPaths: updated });
+          console.log(`\n${header}  ${S.check}  ${t.bold(wsPath)} added to blockedPaths for ${t.bold(tenantId)}\n`);
+        } else if (wsAction === "unblock") {
+          const updated = (tenant.blockedPaths || []).filter(p => p !== wsPath);
+          if (updated.length === (tenant.blockedPaths || []).length) {
+            console.error(`\n  ${S.cross}  "${wsPath}" not found in blockedPaths.\n`);
+            process.exit(1);
+          }
+          tm.set(tenantId, { blockedPaths: updated });
+          console.log(`\n${header}  ${S.check}  ${t.bold(wsPath)} removed from blockedPaths for ${t.bold(tenantId)}\n`);
+        } else {
+          console.error(`\n  ${S.cross}  Unknown workspace action: ${wsAction}`);
+          console.log(`  ${t.muted("Usage:")} daemora tenant workspace ${t.dim("<id> [add|remove|block|unblock] <path>")}\n`);
+          process.exit(1);
+        }
+      } catch (err) {
+        console.error(`\n  ${S.cross}  ${err.message}\n`);
+        process.exit(1);
+      }
+      break;
+    }
+
     default:
       console.error(`\n  ${S.cross}  Unknown tenant command: ${action || "(none)"}`);
-      console.log(`  ${t.muted("Usage:")} daemora tenant ${t.dim("[list|show|set|plan|suspend|unsuspend|reset|delete|apikey|channel]")}\n`);
+      console.log(`  ${t.muted("Usage:")} daemora tenant ${t.dim("[list|show|set|plan|suspend|unsuspend|reset|delete|apikey|channel|workspace]")}\n`);
       process.exit(1);
   }
 }
@@ -2193,6 +2305,11 @@ ${line}
   ${t.cmd("tenant channel unset")} ${t.dim("<id> <key>")}  Remove a channel credential
   ${t.cmd("tenant channel list")} ${t.dim("<id>")}         List stored channel credential keys
   ${t.muted("  channel keys: email  email_password  resend_api_key  resend_from")}
+  ${t.cmd("tenant workspace")} ${t.dim("<id>")}             Show workspace + allowed/blocked paths
+  ${t.cmd("tenant workspace")} ${t.dim("<id> add <path>")}  Add path to tenant's allowedPaths
+  ${t.cmd("tenant workspace")} ${t.dim("<id> remove <path>")}  Remove from allowedPaths
+  ${t.cmd("tenant workspace")} ${t.dim("<id> block <path>")}   Add to blockedPaths
+  ${t.cmd("tenant workspace")} ${t.dim("<id> unblock <path>")} Remove from blockedPaths
 
   ${t.cmd("channels")}                          List all 19 supported channels + setup status
   ${t.cmd("models")}                            List all model providers + task-type routing
@@ -2247,6 +2364,9 @@ ${line}
   ${t.dim("$")} daemora tenant channel set telegram:123 email_password xxxx-xxxx-xxxx-xxxx
   ${t.dim("$")} daemora tenant channel list telegram:123
   ${t.dim("$")} daemora tenant channel unset telegram:123 email_password
+  ${t.dim("$")} daemora tenant workspace telegram:123
+  ${t.dim("$")} daemora tenant workspace telegram:123 add /home/user/projects
+  ${t.dim("$")} daemora tenant workspace telegram:123 block /home/user/private
   ${t.dim("$")} daemora doctor
 `);
 }