fathom-mcp 0.5.19 → 0.5.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fathom-mcp",
-  "version": "0.5.19",
+  "version": "0.5.20",
   "description": "MCP server for Fathom — vault operations, search, rooms, and cross-workspace communication",
   "type": "module",
   "bin": {

package/src/agents.js

@@ -3,11 +3,13 @@
  *
  * Single source of truth for all agent definitions. The CLI uses this
  * for list/start/stop/restart/add/remove/config commands.
+ *
+ * All agents use stream-json transport — lifecycle delegated to fathom-server.
  */
 
 import fs from "fs";
 import path from "path";
-import { execSync, execFileSync } from "child_process";
+import { execSync } from "child_process";
 
 const CONFIG_DIR = process.env.FATHOM_CONFIG_DIR || path.join(process.env.HOME || "/tmp", ".config", "fathom-mcp");
 const AGENTS_FILE = path.join(CONFIG_DIR, "agents.json");
@@ -65,12 +67,17 @@ export function removeAgent(name) {
 export function isAgentRunning(name, entry) {
   if (entry.ssh) return "ssh";
 
-  const session = `${name}_fathom-session`;
+  // All agents: check via server API
   try {
-    execSync(`tmux has-session -t ${JSON.stringify(session)} 2>/dev/null`, {
-      stdio: "pipe",
+    const serverUrl = entry.server || "http://localhost:4243";
+    const apiKey = entry.apiKey || "";
+    const url = `${serverUrl}/api/activation/session?workspace=${encodeURIComponent(name)}`;
+    const resp = execSync(`curl -sf -H "Authorization: Bearer ${apiKey}" "${url}"`, {
+      encoding: "utf-8",
+      timeout: 5000,
     });
-    return "running";
+    const data = JSON.parse(resp);
+    return data.running ? "running" : "stopped";
   } catch {
     return "stopped";
   }
@@ -78,174 +85,54 @@ export function isAgentRunning(name, entry) {
 
 // ── Start / Stop ────────────────────────────────────────────────────────────
 
-/**
- * Default command per agent type + execution mode.
- */
-export function defaultCommand(agentType) {
-  const cmds = {
-    "claude-code": "claude --continue",
-    codex: "codex",
-    gemini: "gemini",
-    opencode: "opencode",
-  };
-  return cmds[agentType] || cmds["claude-code"];
-}
-
-/**
- * Check if a Claude Code project has any previous conversations to --continue from.
- * Claude stores conversations as .jsonl files in ~/.claude/projects/<encoded-path>/.
- *
- * The encoded directory name uses the *resolved* path that Claude sees at runtime,
- * which may differ from agents.json projectDir (e.g., container bind-mounts).
- * We resolve the real path and also check the literal path as a fallback.
- */
-function hasPreviousConversation(projectDir) {
-  const claudeProjectsDir = path.join(process.env.HOME || "/tmp", ".claude", "projects");
-
-  // Try both the literal path and the real (resolved symlink/bind-mount) path
-  const candidates = new Set([projectDir]);
-  try {
-    candidates.add(fs.realpathSync(projectDir));
-  } catch {
-    // projectDir might not exist on this machine (e.g., host path checked from container)
-  }
-
-  for (const dir of candidates) {
-    const encoded = dir.replace(/\//g, "-");
-    const convDir = path.join(claudeProjectsDir, encoded);
-    try {
-      const files = fs.readdirSync(convDir);
-      if (files.some((f) => f.endsWith(".jsonl"))) return true;
-    } catch {
-      // continue to next candidate
-    }
-  }
-
-  return false;
-}
-
 export function startAgent(name, entry) {
-  let command = entry.command || defaultCommand(entry.agentType || "claude-code");
-
-  // --continue crashes if there's no previous conversation. Strip it for new agents.
-  if (command.includes("--continue") && !hasPreviousConversation(entry.projectDir)) {
-    command = command.replace(/\s*--continue\b/g, "");
-  }
-
-  const session = `${name}_fathom-session`;
-
-  // Build env
-  const env = {
-    ...process.env,
-    PATH: `${process.env.HOME}/.local/bin:${process.env.HOME}/.claude/local/bin:${process.env.PATH}`,
-    ...(entry.env || {}),
-  };
-  // Remove CLAUDECODE to avoid nested session detection
-  delete env.CLAUDECODE;
-
-  if (entry.ssh) {
-    return startAgentSSH(name, entry, command, env);
-  }
-
-  return startAgentTmux(name, entry, command, session, env);
-}
-
-function startAgentTmux(name, entry, command, session, env) {
-  // Check if already running
+  // All agents: delegate lifecycle to fathom-server
+  const serverUrl = entry.server || "http://localhost:4243";
+  const apiKey = entry.apiKey || "";
   try {
-    execSync(`tmux has-session -t ${JSON.stringify(session)} 2>/dev/null`, {
-      stdio: "pipe",
+    const url = `${serverUrl}/api/activation/session/start?workspace=${encodeURIComponent(name)}`;
+    const resp = execSync(`curl -sf -X POST -H "Authorization: Bearer ${apiKey}" "${url}"`, {
+      encoding: "utf-8",
+      timeout: 30000,
     });
-    // Save pane ID in case it wasn't saved
-    savePaneId(name, session);
-    return { ok: true, message: `Session already running: ${session}`, alreadyRunning: true };
-  } catch {
-    // Not running — continue
-  }
-
-  try {
-    execSync(
-      `tmux new-session -d -s ${JSON.stringify(session)} -c ${JSON.stringify(entry.projectDir)} ${command}`,
-      { stdio: "pipe", env },
-    );
+    return { ok: true, message: `Delegated to server subprocess manager: ${resp.trim()}` };
   } catch (e) {
-    return { ok: false, message: `Failed to start tmux session: ${e.message}` };
-  }
-
-  // Brief wait for session to stabilize, then save pane ID
-  try {
-    execSync("sleep 1", { stdio: "pipe" });
-  } catch {
-    // ignore
-  }
-  savePaneId(name, session);
-
-  return { ok: true, message: `Started: ${session}` };
-}
-
-function savePaneId(name, session) {
-  try {
-    const paneId = execSync(
-      `tmux list-panes -t ${JSON.stringify(session)} -F '#{pane_id}' 2>/dev/null | head -1`,
-      { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] },
-    ).trim();
-    if (paneId) {
-      fs.mkdirSync(CONFIG_DIR, { recursive: true });
-      fs.writeFileSync(path.join(CONFIG_DIR, `${name}-pane-id`), paneId + "\n");
-    }
-  } catch {
-    // Non-critical
-  }
-}
-
-function startAgentSSH(name, entry, command, env) {
-  const { host, user, key } = entry.ssh;
-  const sshArgs = [];
-  if (key) sshArgs.push("-i", key);
-  const target = user ? `${user}@${host}` : host;
-  const remoteCmd = `cd ${JSON.stringify(entry.projectDir)} && ${command}`;
-
-  try {
-    execFileSync("ssh", [...sshArgs, target, remoteCmd], {
-      stdio: "inherit",
-      env,
-    });
-    return { ok: true, message: `SSH agent started on ${target}` };
-  } catch (e) {
-    return { ok: false, message: `SSH start failed: ${e.message}` };
+    return { ok: false, message: `Server delegation failed: ${e.message}` };
   }
 }
 
 export function stopAgent(name, entry) {
-  const session = `${name}_fathom-session`;
-  const messages = [];
-  let stopped = false;
-
   if (entry.ssh) {
     return { ok: false, message: "Cannot stop SSH agents remotely — connect to the host directly." };
   }
 
-  // Kill tmux session
+  // All agents: delegate to server
   try {
-    execSync(`tmux has-session -t ${JSON.stringify(session)} 2>/dev/null`, { stdio: "pipe" });
-    execSync(`tmux kill-session -t ${JSON.stringify(session)}`, { stdio: "pipe" });
-    // Remove pane ID file
-    try {
-      fs.unlinkSync(path.join(CONFIG_DIR, `${name}-pane-id`));
-    } catch {
-      // ignore
-    }
-    messages.push(`Killed tmux session: ${session}`);
-    stopped = true;
-  } catch {
-    // No tmux session
-  }
-
-  if (!stopped) {
-    return { ok: false, message: `No running session found for: ${name}` };
+    const serverUrl = entry.server || "http://localhost:4243";
+    const apiKey = entry.apiKey || "";
+    const url = `${serverUrl}/api/activation/session/stop?workspace=${encodeURIComponent(name)}`;
+    const resp = execSync(`curl -sf -X POST -H "Authorization: Bearer ${apiKey}" "${url}"`, {
+      encoding: "utf-8",
+      timeout: 15000,
+    });
+    return { ok: true, message: `Server stopped subprocess: ${resp.trim()}` };
+  } catch (e) {
+    return { ok: false, message: `Server stop failed: ${e.message}` };
   }
+}
 
-  return { ok: true, message: messages.join("\n") };
+/**
+ * Default command per agent type (vestigial — used by CLI `add` flow).
+ * Stream-json agents don't use this at runtime; the server manages lifecycle.
+ */
+export function defaultCommand(agentType) {
+  const cmds = {
+    "claude-code": "claude",
+    codex: "codex",
+    gemini: "gemini",
+    opencode: "opencode",
+  };
+  return cmds[agentType] || cmds["claude-code"];
 }
 
 // ── Helpers ─────────────────────────────────────────────────────────────────
@@ -258,7 +145,7 @@ export function buildEntryFromConfig(projectDir, fathomConfig) {
   return {
     projectDir,
     agentType,
-    command: defaultCommand(agentType),
+    command: "",
     server: fathomConfig.server || "http://localhost:4243",
     apiKey: fathomConfig.apiKey || "",
     vault: fathomConfig.vault || "vault",

package/src/index.js

@@ -483,26 +483,143 @@ const telegramTools = [
   },
 ];
 
-// --- Primary-agent-only tools (policy gate) ----------------------------------
+// --- Policy evaluation tool (permission-prompt-tool for stream-json) ---------
 
-const primaryAgentTools = [
+const policyTools = [
   {
-    name: "fathom_session_inject",
+    name: "policy_evaluate",
     description:
-      "Inject a keystroke into a workspace's tmux session. Primary agent only. " +
-      "Used by the policy gate to respond to permission prompts. " +
-      "Keys must be a single digit 1-9 (to select a numbered option) or a named key (Enter, Escape).",
+      "Evaluate a permission request for a tool call. Called automatically by Claude " +
+      "via --permission-prompt-tool when a tool is not in the static allow list. " +
+      "Returns {behavior: 'allow'} or {behavior: 'deny', message: '...'}.",
     inputSchema: {
       type: "object",
       properties: {
-        workspace: { type: "string", description: "Target workspace name (e.g. 'navier-stokes')" },
-        keys: { type: "string", description: "Keys to send — single digit 1-9 or named key (Enter, Escape)" },
+        tool_name: { type: "string", description: "The tool being requested (e.g. 'Bash', 'Edit')" },
+        input: { type: "object", description: "The tool's input arguments" },
       },
-      required: ["workspace", "keys"],
+      required: ["tool_name", "input"],
     },
   },
 ];
 
+// --- Primary-agent-only tools (reserved for future use) ----------------------
+
+const primaryAgentTools = [];
+
+// --- Policy evaluation -------------------------------------------------------
+
+/**
+ * Evaluate a permission request from Claude's --permission-prompt-tool.
+ *
+ * Decision logic:
+ *   1. Allow list: auto-approve safe tools/commands
+ *   2. Hard deny: auto-reject dangerous operations
+ *   3. Ambiguous: escalate to dashboard for human approval
+ */
+async function evaluatePermission(toolName, input) {
+  const projectDir = config.vault ? path.dirname(config.vault) : process.cwd();
+
+  // --- Allow list (auto-approve) ---
+  const alwaysAllowed = [
+    "mcp__fathom-vault__", "mcp__fathom__", "mcp__memento__",
+    "Read", "Glob", "Grep", "Agent",
+  ];
+  for (const prefix of alwaysAllowed) {
+    if (toolName === prefix || toolName.startsWith(prefix)) {
+      return { behavior: "allow" };
+    }
+  }
+
+  // Edit/Write — allow if path within workspace
+  if (toolName === "Edit" || toolName === "Write") {
+    const filePath = input.file_path || input.path || "";
+    if (filePath.startsWith(projectDir)) {
+      return { behavior: "allow" };
+    }
+    // Paths in home .claude dir are ok
+    const homeDir = process.env.HOME || "/tmp";
+    if (filePath.startsWith(path.join(homeDir, ".claude"))) {
+      return { behavior: "allow" };
+    }
+  }
+
+  // Bash — check against safe command patterns
+  if (toolName === "Bash") {
+    const cmd = (input.command || "").trim();
+    const safePatterns = [
+      /^(npm|npx|node|bun|deno|pnpm|yarn)\s/,
+      /^git\s+(status|log|diff|branch|show|remote|fetch|stash)/,
+      /^(ls|pwd|which|whoami|date|uname|cat|head|tail|wc)\b/,
+      /^(cd|echo|printf)\s/,
+      /^(curl|wget)\s/,
+      /^(python|python3|pip)\s/,
+      /^(cargo|rustc|go)\s/,
+      /^(make|cmake)\b/,
+      /^(docker|podman)\s+(ps|images|logs|inspect|compose\s+(ps|logs))/,
+      /^(tmux|screen)\s+(list|ls|has-session)/,
+      /^mkdir\s/,
+      /^cp\s/,
+      /^mv\s/,
+      /^touch\s/,
+      /^chmod\s/,
+      /^test\s/,
+      /^\[/,
+    ];
+    if (safePatterns.some(p => p.test(cmd))) {
+      return { behavior: "allow" };
+    }
+  }
+
+  // --- Hard deny list ---
+  if (toolName === "Bash") {
+    const cmd = (input.command || "").trim();
+    const denyPatterns = [
+      /\brm\s+-rf\s+[\/~]/,               // rm -rf broad paths
+      /\bsudo\b/,                           // privilege escalation
+      /\bsu\s/,                             // switch user
+      /\bgit\s+push\s+.*--force\s.*(main|master)/,  // force push to main
+      /\b(\.ssh|\.gnupg)\b/,               // sensitive directories
+    ];
+    for (const p of denyPatterns) {
+      if (p.test(cmd)) {
+        return { behavior: "deny", message: `Blocked by policy: ${cmd.slice(0, 100)}` };
+      }
+    }
+  }
+
+  // --- Ambiguous: escalate to dashboard ---
+  try {
+    const serverUrl = config.server || "http://localhost:4243";
+    const apiKey = config.apiKey || "";
+    const resp = await fetch(`${serverUrl}/api/permissions/request`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...(apiKey ? { Authorization: `Bearer ${apiKey}` } : {}),
+      },
+      body: JSON.stringify({
+        workspace: config.workspace,
+        tool_name: toolName,
+        tool_input: input,
+      }),
+    });
+    if (resp.ok) {
+      const data = await resp.json();
+      if (data.allow) {
+        return { behavior: "allow" };
+      }
+      return { behavior: "deny", message: data.reason || "Denied by human" };
+    }
+  } catch (err) {
+    console.error(`[policy] Dashboard escalation failed: ${err.message}`);
+  }
+
+  // Default deny if escalation fails
+  return { behavior: "deny", message: "Could not reach dashboard for approval" };
+}
+
+
 // --- Server setup & dispatch -------------------------------------------------
 
 const server = new Server(
@@ -521,7 +638,7 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
   } catch {
     // If settings unavailable, hide telegram tools
   }
-  const allTools = [...tools, ...(showTelegram ? [...telegramTools, ...primaryAgentTools] : [])];
+  const allTools = [...tools, ...policyTools, ...(showTelegram ? [...telegramTools, ...primaryAgentTools] : [])];
   return { tools: allTools };
 });
 
@@ -817,13 +934,12 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
       }
       break;
     }
-    // --- Session injection (policy gate) ---
-    case "fathom_session_inject": {
-      if (!args.workspace) { result = { error: "workspace is required" }; break; }
-      if (!args.keys) { result = { error: "keys is required" }; break; }
-      result = await client.injectKeys(args.workspace, args.keys);
+    // --- Policy evaluation (permission-prompt-tool for stream-json agents) ---
+    case "policy_evaluate": {
+      result = await evaluatePermission(args.tool_name, args.input || {});
       break;
     }
+
     case "fathom_telegram_send_voice": {
       const voiceContactArg = args.contact;
       if (!voiceContactArg) { result = { error: "contact is required" }; break; }

package/src/server-client.js

@@ -309,14 +309,6 @@ export function createClient(config) {
     });
   }
 
-  // --- Session injection (policy gate) ----------------------------------------
-
-  async function injectKeys(targetWorkspace, keys) {
-    return request("POST", `/api/session/${encodeURIComponent(targetWorkspace)}/inject`, {
-      body: { keys },
-    });
-  }
-
   // --- Settings --------------------------------------------------------------
 
   async function getSettings() {
@@ -381,7 +373,6 @@ export function createClient(config) {
     telegramSendVoice,
     telegramStatus,
     speak,
-    injectKeys,
     getSettings,
     getApiKey,
     rotateKey,

package/src/ws-connection.js

@@ -2,15 +2,15 @@
  * WebSocket push channel — receives server-pushed messages and handles them locally.
  *
  * Connects to fathom-server's /ws/agent/{workspace} endpoint. Receives:
- *   - inject / ping_fire → tmux send-keys into local pane
  *   - image → cache base64 data to .fathom/telegram-cache/
  *   - ping → respond with pong
  *
+ * Stream-json agents handle inject/ping_fire via subprocess stdin — the server
+ * writes directly, so no tmux injection is needed here.
+ *
  * Auto-reconnects with exponential backoff (1s → 60s cap).
- * HTTP heartbeat still runs separately for backwards compat with old servers.
  */
 
-import { execSync } from "child_process";
 import fs from "fs";
 import os from "os";
 import path from "path";
@@ -96,8 +96,8 @@ export function createWSConnection(config) {
 
         case "inject":
         case "ping_fire":
-          console.error(`[ws] received ${msg.type} (${(msg.text || "").length} chars)`);
-          injectMessage(msg.text || "");
+          // Stream-json agents handle injection via subprocess stdin on the server side
+          console.error(`[ws] received ${msg.type} (${(msg.text || "").length} chars) — handled by server subprocess`);
           break;
 
         case "image":
@@ -160,50 +160,6 @@ export function createWSConnection(config) {
     reconnectDelay = Math.min(reconnectDelay * 2, MAX_RECONNECT_MS);
   }
 
-  // ── Message injection ───────────────────────────────────────────────────────
-
-  function injectMessage(text) {
-    if (!text) return;
-    injectToTmux(text);
-  }
-
-  function injectToTmux(text) {
-    if (!text) return;
-    const pane = resolvePaneTarget();
-
-    try {
-      // Send the text literally, pause for tmux to render, then press Enter
-      execSync(`tmux send-keys -t ${shellEscape(pane)} -l ${shellEscape(text)}`, {
-        timeout: 5000,
-        stdio: "ignore",
-      });
-      execSync("sleep 2", { timeout: 5000 });
-      execSync(`tmux send-keys -t ${shellEscape(pane)} Enter`, {
-        timeout: 5000,
-        stdio: "ignore",
-      });
-    } catch (err) {
-      console.error(`[ws] tmux inject failed for ${pane}: ${err.message}`);
-    }
-  }
-
-  function resolvePaneTarget() {
-    // Check for explicit pane ID file
-    const paneIdFile = path.join(os.homedir(), ".config", "fathom", `${workspace}-pane-id`);
-    try {
-      const paneId = fs.readFileSync(paneIdFile, "utf-8").trim();
-      if (paneId) return paneId;
-    } catch {
-      // Fall through to default
-    }
-    return `${workspace}_fathom-session`;
-  }
-
-  function shellEscape(s) {
-    // Escape for shell — wrap in single quotes, escape internal single quotes
-    return "'" + s.replace(/'/g, "'\\''") + "'";
-  }
-
   // ── Image cache ─────────────────────────────────────────────────────────────
 
   function cacheImage(msg) {