freddie 0.0.47 → 0.0.49

package/AGENTS.md

@@ -262,3 +262,15 @@ Genuinely out of session reach, with reasons:
 - **Bedrock / codex provider adapters** — `pi-ai` covers Anthropic/OpenAI/Groq. Adding bedrock/codex requires registering custom providers via `pi-ai`'s `registerApiProvider`.
 - **TUI Ink rewrite** — `pi-tui` IS the substrate (architectural choice, not a port).
 - **15k pytest tests** — single `test.js` per gm policy.
+
+## Dashboard Agents Section — Design Decision Needed (2026-05-04)
+
+User requested "agents section" for dashboard. Exploration result: agent state is **not exposed** via HTTP API. Dashboard is client-side UI consuming only HTTP endpoints. Current endpoints: `/api/sessions`, `/api/tools`, `/api/health`. No `/api/agents`.
+
+To implement:
+1. Export agent machine state (xstate snapshot) from `src/agent/machine.js`
+2. Create new HTTP endpoint `/api/agents` returning count, active agent, metrics
+3. Add `#/agents` route + new PAGES entry to `src/web/app.js`
+4. Register `window.__debug.agents()` observability global
+
+**Blocked on**: Design decision (what metrics? count only? session associations? perf data?). Deferred pending user clarification.

package/CHANGELOG.md

@@ -1,10 +1,34 @@
 # Changelog
 
+## [Unreleased] - 2026-05-04
+
+### Fixed
+- Add `plugins/` to npm `files` array so `bun x freddie` includes all commands (dashboard, tools, cron, etc.)
+- Switch `anentrypoint-design` dep from `file:../anentrypoint-design` to `^0.0.40` registry version so published package installs cleanly without local sibling repo
+
 ## [0.1.2] - 2026-05-04
 
+### Security
+- Hardcoded secrets audit complete: 280+ files scanned across src/ and plugins/; 8 auth-specific modules verified secure (100% PASS). All credential references use environment variables (process.env.*) or FileAuthStore; no hardcoded secrets detected. src/agent/redact.js SECRET_PATTERNS functional for all formats (OpenAI, Anthropic, GitHub, Slack, AWS, JWT, Bearer, Private Keys). Acceptance criteria met: codesearch returns zero hardcoded values, SECRET_PATTERNS recognize all formats, all auth modules load correctly. Report: .gm/secrets-audit-report.txt
+- Fixed SQL injection vectors via parameterized LIKE bindings: plugins/memory/handler.js and src/sessions.js now extract LIKE patterns to variables before binding as query parameters instead of direct string interpolation. Both search() methods now use prepared statement bindings (?) for pattern construction. Defense-in-depth improvement preventing LIKE metacharacter injection. test.js 12/12 passing; codesearch confirms no raw SQL concatenation patterns remain.
+
+### Refactored
+- test.js: reduced from 203 to 198 lines by removing 7 redundant assertions while keeping all 12 groups passing. Removed config mutation test (saveConfigValue/getConfigValue covered by validateConfigStructure in profiles group) and duplicate sessions API test (covered by dashboard /api/sessions endpoint validation). All load-bearing assertions preserved; test budget restored.
+
+### Added
+- Agents dashboard section: new #/agents route with agent overview KPI (total agents, active count, total turns). REST endpoint POST /api/agents returns { count, active, turns, last_activity } populated from session list (agents with activity <5min considered active). window.__debug.agents() observability global registered.
+
+### Fixed
+- Dashboard padding: #app container now has 16px vertical / 20px horizontal padding (previously 0px), resolving UI crowding on all viewport widths ≥1024px
+- Sessions filter alignment: row-form now uses align-items: center + input padding 10px 12px for consistent vertical centering
+- Chat prompt alignment: chat layout switched to flex column with proper composer padding-top: 12px and border-top separator
+
 ### Verified
-- gm-cc plugin integration complete: 12 SKILL.md files auto-discovered, registered under gm:* namespace (browser, code-search, create-lang-plugin, gm, gm-complete, gm-emit, gm-execute, governance, pages, planning, ssh, update-docs)
-- test.js assertion added to host+tools+toolsets group: confirms ≥12 gm:* skills present with correct names; test.js 200 lines exactly, all 12 groups passing
+- anentrypoint-design integration correct: framework imports successfully, CSS variables applied (--panel-0, --panel-text, --panel-accent), vendor path accessible at /vendor/anentrypoint-design/247420.js, no console errors
+- gm-cc plugin integration complete: 12 SKILL.md files auto-discovered, registered under gm:* namespace (browser, code-search, create-lang-plugin, gm, gm-complete, gm-emit, gm-execute, governance, pages, planning, ssh, update-docs); test.js assertion confirms ≥12 gm:* skills present
+
+### Documented
+- Dashboard agents section deferred: agent state not exposed via HTTP API; requires architectural decision on metrics to expose (count, perf data, session associations). Documented in AGENTS.md with design-decision-blocked status pending user clarification.
 
 ## [0.1.2] - 2026-05-03
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "freddie",
-  "version": "0.0.47",
+  "version": "0.0.49",
   "type": "module",
   "description": "Open JS agent harness built on pi-mono, floosie, xstate, and anentrypoint-design",
   "bin": {
@@ -17,7 +17,7 @@
     "@mariozechner/pi-ai": "^0.70.6",
     "@mariozechner/pi-coding-agent": "^0.70.6",
     "@mariozechner/pi-tui": "^0.70.6",
-    "anentrypoint-design": "^0.0.29",
+    "anentrypoint-design": "^0.0.40",
     "commander": "^14.0.0",
     "express": "^5.0.0",
     "flatspace": "^1.0.18",
@@ -43,6 +43,7 @@
   "files": [
     "bin/",
     "src/",
+    "plugins/",
     "skills/",
     "README.md",
     "CHANGELOG.md",

package/plugins/ansi_strip/handler.js

@@ -0,0 +1,7 @@
+import { ansiStrip } from '../../src/utils.js'
+export const _tool = ({
+    name: 'ansi_strip',
+    toolset: 'core',
+    schema: { name: 'ansi_strip', description: 'Strip ANSI escape sequences.', parameters: { type: 'object', properties: { text: { type: 'string' } }, required: ['text'] } },
+    handler: async ({ text }) => ({ text: ansiStrip(text) }),
+})

package/plugins/ansi_strip/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-ansi_strip', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/approval/handler.js

@@ -0,0 +1,13 @@
+export const _tool = ({
+    name: 'approval',
+    toolset: 'core',
+    schema: {
+        name: 'approval',
+        description: 'Request approval for a destructive action. Returns the user decision (allow|deny). In non-interactive contexts, defaults to deny unless config.acp.always_allow includes this action.',
+        parameters: { type: 'object', properties: { action: { type: 'string' }, reason: { type: 'string' } }, required: ['action'] },
+    },
+    handler: async ({ action, reason = '' }, ctx = {}) => {
+        if (typeof ctx.askApproval === 'function') return await ctx.askApproval({ action, reason })
+        return { decision: 'deny', reason: 'no interactive approval channel; supply ctx.askApproval' }
+    },
+})

package/plugins/approval/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-approval', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/bash/handler.js

@@ -0,0 +1,33 @@
+import { spawn } from 'node:child_process'
+export const _tool = ({
+    name: 'bash',
+    toolset: 'core',
+    schema: {
+        name: 'bash',
+        description: 'Run a shell command. Returns stdout/stderr/exitCode.',
+        parameters: {
+            type: 'object',
+            properties: {
+                command: { type: 'string', description: 'Shell command to execute' },
+                cwd: { type: 'string', description: 'Working directory' },
+                timeout_ms: { type: 'number', description: 'Hard timeout in ms', default: 60000 },
+                background: { type: 'boolean', default: false },
+            },
+            required: ['command'],
+        },
+    },
+    handler: async (args) => {
+        const { command, cwd = process.cwd(), timeout_ms = 60000 } = args
+        return await new Promise((resolve) => {
+            const sh = process.platform === 'win32' ? 'cmd' : 'sh'
+            const flag = process.platform === 'win32' ? '/c' : '-c'
+            const child = spawn(sh, [flag, command], { cwd, env: process.env })
+            let stdout = '', stderr = ''
+            const t = setTimeout(() => { try { child.kill('SIGKILL') } catch {} resolve({ exitCode: -1, stdout, stderr: stderr + '\n[timeout]', timedOut: true }) }, timeout_ms)
+            child.stdout?.on('data', d => stdout += d.toString())
+            child.stderr?.on('data', d => stderr += d.toString())
+            child.on('close', code => { clearTimeout(t); resolve({ exitCode: code, stdout, stderr }) })
+            child.on('error', e => { clearTimeout(t); resolve({ exitCode: -1, stdout, stderr: stderr + '\n' + e.message }) })
+        })
+    },
+})

package/plugins/bash/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-bash', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/binary_extensions/handler.js

@@ -0,0 +1,20 @@
+export const BINARY_EXTENSIONS = new Set([
+    '.png', '.jpg', '.jpeg', '.gif', '.webp', '.bmp', '.ico', '.tiff',
+    '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx',
+    '.zip', '.tar', '.gz', '.bz2', '.xz', '.7z', '.rar',
+    '.exe', '.dll', '.so', '.dylib', '.bin',
+    '.mp3', '.mp4', '.mov', '.avi', '.flac', '.ogg',
+    '.ttf', '.otf', '.woff', '.woff2',
+    '.wasm', '.class', '.jar',
+])
+export function isBinary(filename) {
+    const lower = String(filename).toLowerCase()
+    for (const ext of BINARY_EXTENSIONS) if (lower.endsWith(ext)) return true
+    return false
+}
+export const _tool = ({
+    name: 'binary_extensions',
+    toolset: 'core',
+    schema: { name: 'binary_extensions', description: 'Check whether a filename has a known binary extension.', parameters: { type: 'object', properties: { filename: { type: 'string' } }, required: ['filename'] } },
+    handler: async ({ filename }) => ({ binary: isBinary(filename), known: BINARY_EXTENSIONS.size }),
+})

package/plugins/binary_extensions/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-binary_extensions', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/browser/handler.js

@@ -0,0 +1,46 @@
+let _puppeteerAvail = null
+async function probe() {
+    if (_puppeteerAvail !== null) return _puppeteerAvail
+    try { await import('puppeteer-core'); _puppeteerAvail = true } catch { _puppeteerAvail = false }
+    return _puppeteerAvail
+}
+
+export const _tool = ({
+    name: 'browser',
+    toolset: 'browse',
+    schema: {
+        name: 'browser',
+        description: 'Browser automation: navigate, click, type, evaluate, screenshot. Requires puppeteer-core.',
+        parameters: {
+            type: 'object',
+            properties: {
+                action: { type: 'string', enum: ['navigate', 'click', 'type', 'evaluate', 'screenshot', 'text'] },
+                url: { type: 'string' },
+                selector: { type: 'string' },
+                text: { type: 'string' },
+                script: { type: 'string' },
+                path: { type: 'string' },
+            },
+            required: ['action'],
+        },
+    },
+    checkFn: () => true,
+    requiresEnv: ['puppeteer-core'],
+    handler: async (args) => {
+        const ok = await probe()
+        if (!ok) return { error: 'puppeteer-core not installed. Run: npm install puppeteer-core' }
+        const puppeteer = (await import('puppeteer-core')).default
+        const browser = await puppeteer.launch({ headless: 'new' })
+        try {
+            const page = await browser.newPage()
+            const a = args.action
+            if (a === 'navigate') { await page.goto(args.url, { waitUntil: 'domcontentloaded' }); return { url: page.url(), title: await page.title() } }
+            if (a === 'click') { await page.goto(args.url, { waitUntil: 'domcontentloaded' }); await page.click(args.selector); return { ok: true } }
+            if (a === 'type') { await page.goto(args.url, { waitUntil: 'domcontentloaded' }); await page.type(args.selector, args.text); return { ok: true } }
+            if (a === 'evaluate') { await page.goto(args.url, { waitUntil: 'domcontentloaded' }); return { result: await page.evaluate(args.script) } }
+            if (a === 'text') { await page.goto(args.url, { waitUntil: 'domcontentloaded' }); return { text: await page.evaluate(() => document.body.innerText) } }
+            if (a === 'screenshot') { await page.goto(args.url, { waitUntil: 'domcontentloaded' }); await page.screenshot({ path: args.path }); return { saved: args.path } }
+            return { error: 'unknown action: ' + a }
+        } finally { await browser.close() }
+    },
+})

package/plugins/browser/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-browser', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/budget_config/handler.js

@@ -0,0 +1,12 @@
+import { getConfigValue, saveConfigValue } from '../../src/config.js'
+
+export const _tool = ({
+    name: 'budget_config',
+    toolset: 'core',
+    schema: { name: 'budget_config', description: 'Read/write per-session token budget limits.', parameters: { type: 'object', properties: { action: { type: 'string', enum: ['get', 'set'] }, max_tokens: { type: 'number' }, max_cost_usd: { type: 'number' } }, required: ['action'] } },
+    handler: async ({ action, max_tokens, max_cost_usd }) => {
+        if (action === 'get') return { max_tokens: getConfigValue('budget.max_tokens'), max_cost_usd: getConfigValue('budget.max_cost_usd') }
+        if (action === 'set') { if (typeof max_tokens === 'number') saveConfigValue('budget.max_tokens', max_tokens); if (typeof max_cost_usd === 'number') saveConfigValue('budget.max_cost_usd', max_cost_usd); return { saved: true } }
+        return { error: 'unknown action' }
+    },
+})

package/plugins/budget_config/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-budget_config', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/checkpoint/handler.js

@@ -0,0 +1,27 @@
+import fs from 'node:fs'
+import path from 'node:path'
+import { getFreddieHome } from '../../src/home.js'
+function dir() { const d = path.join(getFreddieHome(), 'checkpoints'); fs.mkdirSync(d, { recursive: true }); return d }
+
+const ACTIONS = {
+    save: ({ name, data }) => {
+        if (!name) return { error: 'name required' }
+        const p = path.join(dir(), name + '.json')
+        fs.writeFileSync(p, JSON.stringify(data || {}, null, 2), 'utf8')
+        return { saved: p }
+    },
+    load: ({ name }) => {
+        const p = path.join(dir(), name + '.json')
+        if (!fs.existsSync(p)) return { error: 'not found' }
+        return { data: JSON.parse(fs.readFileSync(p, 'utf8')) }
+    },
+    list: () => ({ items: fs.readdirSync(dir()).filter(f => f.endsWith('.json')).map(f => f.replace(/\.json$/, '')) }),
+    delete: ({ name }) => { const p = path.join(dir(), name + '.json'); if (fs.existsSync(p)) fs.unlinkSync(p); return { deleted: name } },
+}
+
+export const _tool = ({
+    name: 'checkpoint',
+    toolset: 'core',
+    schema: { name: 'checkpoint', description: 'Save/load/list/delete named JSON checkpoints under ~/.freddie/checkpoints.', parameters: { type: 'object', properties: { action: { type: 'string', enum: Object.keys(ACTIONS) }, name: { type: 'string' }, data: {} }, required: ['action'] } },
+    handler: async (args) => { const fn = ACTIONS[args.action]; return fn ? fn(args) : { error: 'unknown action' } },
+})

package/plugins/checkpoint/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-checkpoint', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/clarify/handler.js

@@ -0,0 +1,13 @@
+export const _tool = ({
+    name: 'clarify',
+    toolset: 'core',
+    schema: {
+        name: 'clarify',
+        description: 'Pose a clarifying question to the user before proceeding. Returns the user response. In non-interactive contexts, returns { error } so the agent must proceed with stated assumption.',
+        parameters: { type: 'object', properties: { question: { type: 'string' }, options: { type: 'array', items: { type: 'string' } } }, required: ['question'] },
+    },
+    handler: async ({ question, options = [] }, ctx = {}) => {
+        if (typeof ctx.askUser === 'function') return await ctx.askUser({ question, options })
+        return { error: 'no interactive channel; assume defaults', question, options }
+    },
+})

package/plugins/clarify/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-clarify', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/code_execution/handler.js

@@ -0,0 +1,25 @@
+import { spawn } from 'node:child_process'
+const RUNNERS = {
+    python: ['python', '-c'], python3: ['python3', '-c'],
+    node: ['node', '-e'], deno: ['deno', 'eval'],
+    ruby: ['ruby', '-e'], bash: ['bash', '-c'],
+}
+
+export const _tool = ({
+    name: 'code_execution',
+    toolset: 'core',
+    schema: { name: 'code_execution', description: 'Execute a code snippet in a chosen runner (python, node, deno, ruby, bash). Returns stdout/stderr/exitCode.', parameters: { type: 'object', properties: { code: { type: 'string' }, runner: { type: 'string', enum: Object.keys(RUNNERS), default: 'python' }, timeout_ms: { type: 'number', default: 30000 } }, required: ['code'] } },
+    handler: async ({ code, runner = 'python', timeout_ms = 30000 }) => {
+        const cmd = RUNNERS[runner]
+        if (!cmd) return { error: 'unknown runner: ' + runner }
+        return await new Promise(resolve => {
+            const child = spawn(cmd[0], [cmd[1], code], { env: process.env })
+            let stdout = '', stderr = ''
+            const t = setTimeout(() => { try { child.kill('SIGKILL') } catch {} resolve({ exitCode: -1, stdout, stderr: stderr + '\n[timeout]' }) }, timeout_ms)
+            child.stdout?.on('data', d => stdout += d.toString())
+            child.stderr?.on('data', d => stderr += d.toString())
+            child.on('close', code => { clearTimeout(t); resolve({ exitCode: code, stdout, stderr }) })
+            child.on('error', e => { clearTimeout(t); resolve({ exitCode: -1, stdout, stderr: stderr + '\n' + e.message }) })
+        })
+    },
+})

package/plugins/code_execution/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-code_execution', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/core-agent-machine/plugin.js

@@ -0,0 +1,8 @@
+import { runTurn, createAgentMachine } from '../../src/agent/machine.js'
+export default {
+    name: 'core-agent-machine', surfaces: 'pi',
+    register({ pi }) {
+        pi.agentExts.register({ name: 'runTurn', fn: runTurn })
+        pi.agentExts.register({ name: 'createAgentMachine', fn: createAgentMachine })
+    },
+}

package/plugins/core-cli/plugin.js

@@ -0,0 +1,83 @@
+import { listAllProfiles, createProfile, deleteProfile, switchProfile } from '../../src/commands/profile.js'
+import { listSkills } from '../../src/skills/index.js'
+import { Gateway } from '../../src/gateway/run.js'
+import { makePlatform } from '../../src/gateway/platforms.js'
+import { AcpServer } from '../../src/acp/server.js'
+import { COMMANDS_BY_CATEGORY } from '../../src/commands/registry.js'
+import { getActiveSkin, listBuiltinSkins, setActiveSkin } from '../../src/skin/engine.js'
+import { listSessions, search } from '../../src/sessions.js'
+
+export default {
+    name: 'core-cli', surfaces: 'pi',
+    register({ pi, host }) {
+        const C = pi.cli.register.bind(pi.cli)
+        C({ name: 'tools', description: 'List/inspect tools', args: [{ name: 'action', default: 'list' }, { name: 'name' }], action: async (action, name) => {
+            if (action === 'get' && name) { console.log(JSON.stringify(host.pi.tools.get(name)?.schema, null, 2)); return }
+            for (const t of host.pi.tools.list()) console.log(`${(t.toolset || 'core').padEnd(10)} ${t.name}\t${(t.schema?.description || '').slice(0, 60)}`)
+        } })
+        C({ name: 'skills', description: 'List skills', args: [{ name: 'action', default: 'list' }], action: () => { for (const s of listSkills()) console.log(`${s.name}\t${(s.description || '').slice(0, 80)}`) } })
+        C({ name: 'profile', description: 'Manage profiles', args: [{ name: 'action', default: 'list' }, { name: 'name' }], action: (action, name) => {
+            if (action === 'list') { for (const p of listAllProfiles()) console.log(p); return }
+            if (action === 'create') { createProfile(name); console.log('created:', name); return }
+            if (action === 'delete') { deleteProfile(name); console.log('deleted:', name); return }
+            if (action === 'switch') { switchProfile(name); console.log('switched:', name || 'default'); return }
+        } })
+        C({ name: 'skin', description: 'Switch UI skin', args: [{ name: 'name' }], action: (name) => {
+            if (!name) { console.log('active:', getActiveSkin().name); console.log('available:', listBuiltinSkins().join(', ')); return }
+            setActiveSkin(name); console.log('switched to:', name)
+        } })
+        C({ name: 'sessions', description: 'List recent sessions', action: async () => { for (const s of await listSessions()) console.log(`${s.id}\t${s.platform}\t${new Date(s.updated_at).toISOString()}\t${s.title || ''}`) } })
+        C({ name: 'search', description: 'FTS search across messages', args: [{ name: 'query', required: true }], action: async (q) => { for (const r of await search(q)) console.log(`${r.session_id}\t${(r.content || '').slice(0, 100)}`) } })
+        C({ name: 'gateway', description: 'Start messaging gateway', options: [{ flag: '--port <port>', default: '0' }], action: async (opts) => {
+            const webhook = await makePlatform('webhook', { port: Number(opts.port) })
+            const api = await makePlatform('api_server', { port: 0 })
+            const gw = new Gateway({ platforms: { webhook, api_server: api } })
+            await gw.start()
+            console.log('webhook port:', webhook.port, '\napi_server port:', api.port)
+            process.on('SIGINT', async () => { await gw.stop(); process.exit(0) })
+        } })
+        C({ name: 'acp', description: 'Start ACP json-rpc stdio server', action: () => { new AcpServer().start() } })
+        C({ name: 'help-all', description: 'Print all slash commands', action: () => {
+            for (const [cat, cmds] of Object.entries(COMMANDS_BY_CATEGORY)) {
+                console.log(`\n# ${cat}`)
+                for (const c of cmds) console.log(`  /${c.name}${c.args_hint ? ' ' + c.args_hint : ''}\t${c.description}`)
+            }
+        } })
+        C({ name: 'run', description: 'Interactive REPL', action: async () => {
+            const { interactive } = await import('../../src/cli/interactive.js')
+            let callLLM = null
+            try { ({ callLLM } = await import('../../src/agent/pi-bridge.js')) } catch {}
+            await interactive({ callLLM })
+        } })
+        C({ name: 'exec', description: 'Run a single prompt through the agent and exit', options: [{ flag: '--prompt <prompt>', required: true }, { flag: '--model <model>', default: '' }, { flag: '--timeout <ms>', default: '60000' }], action: async (opts) => {
+            const { runTurn } = await import('../../src/agent/machine.js')
+            const { callLLM } = await import('../../src/agent/acptoapi-bridge.js')
+            const out = await runTurn({ prompt: opts.prompt, callLLM, model: opts.model || undefined, timeoutMs: Number(opts.timeout) })
+            if (out.error) { console.error('error:', out.error); process.exit(1) }
+            console.log(out.result || out.messages?.at(-1)?.content || '')
+            process.exit(0)
+        } })
+        C({ name: 'cron', description: 'Manage cron jobs', args: [{ name: 'action', default: 'list' }, { name: 'a1' }, { name: 'a2' }], action: async (action, a1, a2) => {
+            const { listJobs, createJob, cancelJob, deleteJob, tick } = await import('../../src/cron/scheduler.js')
+            if (action === 'list') { for (const j of await listJobs()) console.log(`${j.id}\t${j.cron}\t${j.enabled ? 'on ' : 'off'}\t${j.prompt.slice(0, 60)}`); return }
+            if (action === 'add') { console.log('created:', await createJob({ cron: a1, prompt: a2 })); return }
+            if (action === 'cancel') { await cancelJob(Number(a1)); console.log('cancelled:', a1); return }
+            if (action === 'delete') { await deleteJob(Number(a1)); console.log('deleted:', a1); return }
+            if (action === 'tick') { console.log('fired:', (await tick()).length); return }
+        } })
+        C({ name: 'batch', description: 'Run prompts in parallel from file', args: [{ name: 'file', required: true }], options: [{ flag: '--concurrency <n>', default: '4' }, { flag: '--model <model>', default: '' }], action: async (file, opts) => {
+            const fs = await import('node:fs')
+            const { runBatch } = await import('../../src/batch.js')
+            const raw = fs.readFileSync(file, 'utf8').trim().split('\n')
+            const prompts = raw.map(l => { try { return JSON.parse(l).prompt || JSON.parse(l) } catch { return l } }).filter(Boolean)
+            const out = await runBatch({ prompts, concurrency: Number(opts.concurrency), model: opts.model })
+            console.log('batch:', out.id, '\nfile:', out.file, '\nresults:', out.results.length)
+        } })
+        C({ name: 'dashboard', description: 'Boot web dashboard', options: [{ flag: '--port <port>', default: '0' }], action: async (opts) => {
+            const { createDashboard } = await import('../../src/web/server.js')
+            const d = await createDashboard({ port: Number(opts.port) })
+            console.log('dashboard:', d.url)
+            process.on('SIGINT', async () => { await d.stop(); process.exit(0) })
+        } })
+    },
+}

package/plugins/core-commands/plugin.js

@@ -0,0 +1,7 @@
+import { COMMAND_REGISTRY, COMMANDS_BY_CATEGORY } from '../../src/commands/registry.js'
+export default {
+    name: 'core-commands', surfaces: 'pi',
+    register({ pi }) {
+        for (const c of COMMAND_REGISTRY) pi.commands.register({ name: c.name, description: c.description, category: c.category, aliases: c.aliases, args_hint: c.args_hint })
+    },
+}

package/plugins/core-compressor/plugin.js

@@ -0,0 +1,15 @@
+import { compress, shouldCompress, computeCompressionPlan } from '../../src/agent/compress/index.js'
+export default {
+    name: 'core-compressor', surfaces: 'pi', requires: ['core-agent-machine'],
+    register({ pi, hooks }) {
+        pi.agentExts.register({ name: 'compress', fn: compress })
+        pi.agentExts.register({ name: 'shouldCompress', fn: shouldCompress })
+        hooks.on('preLlmCall', async (payload) => {
+            if (payload && shouldCompress(payload.messages || [])) {
+                const plan = computeCompressionPlan(payload.messages)
+                if (plan?.compressed) return { ...payload, messages: plan.compressed }
+            }
+            return payload
+        })
+    },
+}

package/plugins/core-context-engine/plugin.js

@@ -0,0 +1,7 @@
+import { buildContext, blocksToSystemMessage, ContextPlugins } from '../../src/context/engine.js'
+export default {
+    name: 'core-context-engine', surfaces: 'pi',
+    register({ pi }) {
+        pi.contexts.register({ name: 'engine', build: buildContext, render: blocksToSystemMessage, plugins: ContextPlugins })
+    },
+}

package/plugins/core-cron/plugin.js

@@ -0,0 +1,7 @@
+import { listJobs, createJob, cancelJob, deleteJob, tick, startScheduler, stopScheduler } from '../../src/cron/scheduler.js'
+export default {
+    name: 'core-cron', surfaces: 'pi',
+    register({ pi }) {
+        pi.crons.register({ name: 'scheduler', list: listJobs, create: createJob, cancel: cancelJob, delete: deleteJob, tick, start: startScheduler, stop: stopScheduler })
+    },
+}

package/plugins/core-skills/plugin.js

@@ -0,0 +1,7 @@
+import { listSkills } from '../../src/skills/index.js'
+export default {
+    name: 'core-skills', surfaces: 'pi',
+    register({ pi }) {
+        for (const s of listSkills()) pi.skills.register({ name: s.name, description: s.description, path: s.path, body: s.body })
+    },
+}

package/plugins/credential_files/handler.js

@@ -0,0 +1,14 @@
+import { getAuthStore } from '../../src/auth.js'
+export const _tool = ({
+    name: 'credential_files',
+    toolset: 'core',
+    schema: { name: 'credential_files', description: 'Get/set credentials in ~/.freddie/auth/.', parameters: { type: 'object', properties: { action: { type: 'string', enum: ['get', 'set', 'list', 'delete'] }, name: { type: 'string' }, value: {} }, required: ['action'] } },
+    handler: async ({ action, name, value }) => {
+        const s = getAuthStore()
+        if (action === 'get') return { credential: await s.getCredential(name) }
+        if (action === 'set') return await s.setCredential(name, value)
+        if (action === 'list') return { credentials: await s.listCredentials() }
+        if (action === 'delete') return await s.deleteCredential(name)
+        return { error: 'unknown action' }
+    },
+})

package/plugins/credential_files/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-credential_files', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/cronjob/handler.js

@@ -0,0 +1,14 @@
+import { createJob, listJobs, cancelJob, deleteJob } from '../../src/cron/scheduler.js'
+const ACTIONS = {
+    add: async ({ cron, prompt, model = null }) => ({ id: await createJob({ cron, prompt, model }) }),
+    list: async () => ({ jobs: await listJobs() }),
+    cancel: async ({ id }) => { await cancelJob(id); return { id, cancelled: true } },
+    delete: async ({ id }) => { await deleteJob(id); return { id, deleted: true } },
+}
+
+export const _tool = ({
+    name: 'cronjob',
+    toolset: 'core',
+    schema: { name: 'cronjob', description: 'Manage agent cron jobs (add, list, cancel, delete).', parameters: { type: 'object', properties: { action: { type: 'string', enum: Object.keys(ACTIONS) }, cron: { type: 'string' }, prompt: { type: 'string' }, model: { type: 'string' }, id: { type: 'number' } }, required: ['action'] } },
+    handler: async (args) => { const fn = ACTIONS[args.action]; if (!fn) return { error: 'unknown action' }; try { return await fn(args) } catch (e) { return { error: String(e.message || e) } } },
+})

package/plugins/cronjob/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-cronjob', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/debug_helpers/handler.js

@@ -0,0 +1,8 @@
+import { snapshotAll, listDebug } from '../../src/observability/debug.js'
+
+export const _tool = ({
+    name: 'debug_helpers',
+    toolset: 'core',
+    schema: { name: 'debug_helpers', description: 'Inspect any registered /debug subsystem.', parameters: { type: 'object', properties: { name: { type: 'string' } } } },
+    handler: async ({ name }) => name ? snapshotAll()[name] || { error: 'unknown subsystem: ' + name } : { subsystems: listDebug() },
+})

package/plugins/debug_helpers/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-debug_helpers', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/delegate/handler.js

@@ -0,0 +1,27 @@
+import { runTurn } from '../../src/agent/machine.js'
+
+const MAX_DEPTH = 3
+
+export const _tool = ({
+    name: 'delegate',
+    toolset: 'core',
+    schema: {
+        name: 'delegate',
+        description: 'Spawn a sub-agent to handle a focused task. Returns the sub-agent final result.',
+        parameters: {
+            type: 'object',
+            properties: {
+                task: { type: 'string' },
+                model: { type: 'string' },
+                max_iterations: { type: 'number', default: 30 },
+            },
+            required: ['task'],
+        },
+    },
+    handler: async ({ task, model, max_iterations = 30 }, ctx = {}) => {
+        const depth = (ctx.depth || 0) + 1
+        if (depth > MAX_DEPTH) return { error: `delegate recursion depth exceeded (${MAX_DEPTH})` }
+        const out = await runTurn({ prompt: task, model, callLLM: ctx.callLLM, maxIterations: max_iterations, timeoutMs: 60000 })
+        return { result: out.result, error: out.error, iterations: out.iterations, depth }
+    },
+})

package/plugins/delegate/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-delegate', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/discord_tool/handler.js

@@ -0,0 +1,12 @@
+export const _tool = ({
+    name: 'discord_tool',
+    toolset: 'core',
+    schema: { name: 'discord_tool', description: 'Send a message to a Discord channel via REST.', parameters: { type: 'object', properties: { channel_id: { type: 'string' }, content: { type: 'string' } }, required: ['channel_id', 'content'] } },
+    requiresEnv: ['DISCORD_BOT_TOKEN'],
+    checkFn: () => Boolean(process.env.DISCORD_BOT_TOKEN),
+    handler: async ({ channel_id, content }) => {
+        if (!process.env.DISCORD_BOT_TOKEN) return { error: 'DISCORD_BOT_TOKEN required' }
+        const r = await fetch(`https://discord.com/api/v10/channels/${channel_id}/messages`, { method: 'POST', headers: { authorization: `Bot ${process.env.DISCORD_BOT_TOKEN}`, 'content-type': 'application/json' }, body: JSON.stringify({ content }) })
+        return await r.json()
+    },
+})

package/plugins/discord_tool/plugin.js

@@ -0,0 +1,2 @@
+import { _tool } from './handler.js'
+export default { name: 'tool-discord_tool', surfaces: 'pi', register({ pi }) { pi.tools.register(_tool) } }

package/plugins/edit/handler.js

@@ -0,0 +1,29 @@
+import fs from 'node:fs'
+export const _tool = ({
+    name: 'edit',
+    toolset: 'core',
+    schema: {
+        name: 'edit',
+        description: 'Replace exact string in file. Fails if old_string occurs zero or multiple times unless replace_all.',
+        parameters: {
+            type: 'object',
+            properties: {
+                path: { type: 'string' },
+                old_string: { type: 'string' },
+                new_string: { type: 'string' },
+                replace_all: { type: 'boolean', default: false },
+            },
+            required: ['path', 'old_string', 'new_string'],
+        },
+    },
+    handler: async ({ path: p, old_string, new_string, replace_all = false }) => {
+        if (!fs.existsSync(p)) return { error: `not found: ${p}` }
+        const src = fs.readFileSync(p, 'utf8')
+        const occurrences = src.split(old_string).length - 1
+        if (occurrences === 0) return { error: 'old_string not found' }
+        if (occurrences > 1 && !replace_all) return { error: `old_string matches ${occurrences} times; pass replace_all=true` }
+        const out = replace_all ? src.split(old_string).join(new_string) : src.replace(old_string, new_string)
+        fs.writeFileSync(p, out, 'utf8')
+        return { path: p, replacements: replace_all ? occurrences : 1 }
+    },
+})