groove-dev 0.27.14 → 0.27.17

package/node_modules/@groove-dev/daemon/src/api.js

@@ -4,7 +4,8 @@
 import express from 'express';
 import { resolve, dirname } from 'path';
 import { fileURLToPath } from 'url';
-import { existsSync, readFileSync, readdirSync, statSync, writeFileSync, mkdirSync, unlinkSync, renameSync, rmSync, createReadStream, copyFileSync } from 'fs';
+import { existsSync, readFileSync, readdirSync, statSync, writeFileSync, mkdirSync, unlinkSync, renameSync, rmSync, createReadStream, copyFileSync, realpathSync } from 'fs';
+import { spawn, execFile } from 'child_process';
 import { lookup as mimeLookup } from './mimetypes.js';
 import { listProviders, getProvider } from './providers/index.js';
 import { OllamaProvider } from './providers/ollama.js';
@@ -13,25 +14,22 @@ import { validateAgentConfig } from './validate.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const isPro = process.env.GROOVE_EDITION === 'pro';
 
-let _subscriptionCache = { active: true, checkedAt: 0 };
+let _daemon = null;
 
 function proOnly(req, res, next) {
-  if (!isPro) {
-    return res.status(403).json({
-      error: 'Pro feature',
-      edition: 'community',
-      upgrade: 'https://groovedev.ai/pro',
-    });
-  }
-  if (!_subscriptionCache.active) {
-    return res.status(403).json({
-      error: 'Pro subscription required',
-      edition: 'pro',
-      subscriptionActive: false,
-      upgrade: 'https://groovedev.ai/pro',
-    });
-  }
-  next();
+  const sub = _daemon?.subscriptionCache || {};
+  if (isPro || sub.active) return next();
+  return res.status(403).json({
+    error: 'Pro subscription required',
+    edition: 'community',
+    plan: sub.plan || 'community',
+    subscriptionActive: false,
+    upgrade: 'https://groovedev.ai/pro',
+  });
+}
+
+function hasFeature(name) {
+  return (_daemon?.subscriptionCache?.features || []).includes(name);
 }
 
 async function _executeApprovalRetry(daemon, approval) {
@@ -64,6 +62,8 @@ async function _executeApprovalRetry(daemon, approval) {
 }
 
 export function createApi(app, daemon) {
+  _daemon = daemon;
+
   // CORS — restrict to localhost + bound interface origins
   app.use((req, res, next) => {
     const origin = req.headers.origin;
@@ -88,6 +88,15 @@ export function createApi(app, daemon) {
     next();
   });
 
+  // Security headers
+  app.use((req, res, next) => {
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    res.setHeader('X-Frame-Options', 'DENY');
+    res.setHeader('X-XSS-Protection', '0');
+    res.setHeader('Content-Security-Policy', "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; connect-src 'self' ws://localhost:* ws://127.0.0.1:* http://localhost:* http://127.0.0.1:*; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
+    next();
+  });
+
   app.use(express.json({ limit: '6mb' }));
 
   // Health check
@@ -143,22 +152,28 @@ export function createApi(app, daemon) {
         await daemon.processes.kill(req.params.id);
       }
 
-      // Purge from registry if requested or if agent is dead
-      if (req.query.purge === 'true' || !isAlive) {
+      // Only purge from registry when explicitly requested.
+      // Killed/completed agents stay visible so the user can review output.
+      const purge = req.query.purge === 'true';
+      if (purge) {
         daemon.registry.remove(req.params.id);
       }
 
-      daemon.audit.log('agent.kill', { id: agent.id, role: agent.role, purged: req.query.purge === 'true' || !isAlive });
-      res.json({ ok: true, purged: req.query.purge === 'true' || !isAlive });
+      daemon.audit.log('agent.kill', { id: agent.id, role: agent.role, purged: purge });
+      res.json({ ok: true, purged: purge });
     } catch (err) {
       res.status(400).json({ error: err.message });
     }
   });
 
-  // Kill all agents
+  // Kill all agents and purge registry (used by groove nuke)
   app.delete('/api/agents', async (req, res) => {
     const count = daemon.processes.getRunningCount();
     await daemon.processes.killAll();
+    // Purge all agents from registry — kill() no longer does this automatically
+    for (const agent of daemon.registry.getAll()) {
+      daemon.registry.remove(agent.id);
+    }
     daemon.audit.log('agent.kill_all', { count });
     res.json({ ok: true });
   });
@@ -227,11 +242,12 @@ export function createApi(app, daemon) {
     res.json({ removed });
   });
 
-  // Handoff chains (per role)
+  // Handoff chains (per role, optionally scoped by workspace)
   app.get('/api/memory/handoff-chain/:role', (req, res) => {
     res.json({
       role: req.params.role,
-      entries: daemon.memory.getHandoffChain(req.params.role),
+      workspace: req.query.workspace || null,
+      entries: daemon.memory.getHandoffChain(req.params.role, req.query.workspace),
     });
   });
 
@@ -239,12 +255,13 @@ export function createApi(app, daemon) {
     const count = Math.min(parseInt(req.query.count) || 3, 10);
     res.json({
       role: req.params.role,
-      markdown: daemon.memory.getRecentHandoffMarkdown(req.params.role, count, 10_000),
+      workspace: req.query.workspace || null,
+      markdown: daemon.memory.getRecentHandoffMarkdown(req.params.role, count, 10_000, req.query.workspace),
     });
   });
 
   app.get('/api/memory/handoff-chain', (req, res) => {
-    res.json({ roles: daemon.memory.listHandoffRoles() });
+    res.json({ roles: daemon.memory.listHandoffRoles(req.query.workspace) });
   });
 
   // Discoveries (error → fix pairs)
@@ -546,11 +563,22 @@ export function createApi(app, daemon) {
 
   // Edition
   app.get('/api/edition', (req, res) => {
-    res.json({ edition: isPro ? 'pro' : 'community' });
+    const sub = daemon.subscriptionCache || {};
+    res.json({
+      edition: (isPro || sub.active) ? 'pro' : 'community',
+      plan: sub.plan || 'community',
+      subscriptionActive: sub.active || false,
+      features: sub.features || [],
+      seats: sub.seats || 1,
+      periodEnd: sub.periodEnd || null,
+      cancelAtPeriodEnd: sub.cancelAtPeriodEnd || false,
+      status: sub.status || 'none',
+    });
   });
 
   // Daemon status
   app.get('/api/status', (req, res) => {
+    const sub = daemon.subscriptionCache || {};
     res.json({
       pid: process.pid,
       uptime: process.uptime(),
@@ -559,7 +587,7 @@ export function createApi(app, daemon) {
       host: daemon.host,
       port: daemon.port,
       projectDir: daemon.projectDir,
-      edition: isPro ? 'pro' : 'community',
+      edition: (isPro || sub.active) ? 'pro' : 'community',
     });
   });
 
@@ -739,8 +767,12 @@ export function createApi(app, daemon) {
         // Loop exists but not running — fall through to resume/rotate
       }
 
-      // CLI agent path — session resume or rotation
-      const resumed = !!agent.sessionId;
+      // CLI agent path — session resume or rotation.
+      // Force rotation (fresh session + handoff brief) past the resume ceiling:
+      // reviving a >5M-token claude session has crashed the CLI mid-HTTP-parse
+      // (V8 fatal in JsonStringifier) — the rotator's handoff brief sidesteps that.
+      const SESSION_RESUME_CEILING = 5_000_000;
+      const resumed = !!agent.sessionId && (agent.tokensUsed || 0) < SESSION_RESUME_CEILING;
       const newAgent = resumed
         ? await daemon.processes.resume(req.params.id, message.trim())
         : await daemon.rotator.rotate(req.params.id, { additionalPrompt: message.trim() });
@@ -799,8 +831,8 @@ export function createApi(app, daemon) {
     const { filename, content } = req.body;
     if (!filename || !content) return res.status(400).json({ error: 'filename and content required' });
 
-    // Sanitize filename — no path traversal
-    const safeName = String(filename).replace(/[/\\]/g, '_').replace(/\.\./g, '');
+    // Sanitize filename — strict allowlist, no path traversal
+    const safeName = String(filename).replace(/[^a-zA-Z0-9._-]/g, '_').replace(/^\.+/, '');
     if (!safeName) return res.status(400).json({ error: 'Invalid filename' });
 
     const dir = agent.workingDir || daemon.projectDir;
@@ -1077,6 +1109,7 @@ Keep responses concise. Help them think, don't lecture them about the system the
     }
 
     const user = await daemon.skills.setAuth(token);
+    if (user) await daemon.setAuthToken(token);
     if (!user) {
       return res.send(`<!DOCTYPE html>
 <html><head><meta charset="UTF-8"><title>Groove — Login Failed</title>
@@ -1098,7 +1131,8 @@ Keep responses concise. Help them think, don't lecture them about the system the
 </body></html>`);
     }
 
-    const displayName = user?.displayName || user?.id || '';
+    const rawName = user?.displayName || user?.id || '';
+    const displayName = rawName.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
     res.send(`<!DOCTYPE html>
 <html><head><meta charset="UTF-8"><title>Groove — Signed In</title>
 <link rel="icon" href="/favicon.png">
@@ -1111,28 +1145,28 @@ Keep responses concise. Help them think, don't lecture them about the system the
   h2{font-size:16px;font-weight:600;color:#e6e6e6;margin-bottom:6px}
   .user{font-size:13px;color:#33afbc;margin-bottom:16px}
   p{font-size:13px;color:#505862;line-height:1.5}
-  .bar{width:120px;height:2px;background:#2c313a;border-radius:1px;margin:20px auto 0;overflow:hidden}
-  .bar span{display:block;height:100%;background:#33afbc;border-radius:1px;animation:close 3s linear forwards}
-  @keyframes close{from{width:100%}to{width:0%}}
+  .btn{display:inline-block;margin-top:20px;padding:8px 20px;font-size:13px;font-weight:500;color:#e6e6e6;background:#2c313a;border:1px solid #3a3f48;border-radius:999px;cursor:pointer;transition:background 0.15s}
+  .btn:hover{background:#33afbc;border-color:#33afbc;color:#1a1e25}
 </style>
 </head><body>
 <div class="card">
   <div class="logo"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg></div>
   <h2>Connected to Groove</h2>
   ${displayName ? `<div class="user">${displayName}</div>` : ''}
-  <p>This tab will close automatically.</p>
-  <div class="bar"><span></span></div>
+  <p id="msg">You can close this tab and return to Groove.</p>
+  <button class="btn" onclick="window.close()">Close tab</button>
 </div>
-<script>setTimeout(()=>window.close(),3000)</script>
+<script>setTimeout(()=>{try{window.close()}catch(e){}setTimeout(()=>{document.getElementById('msg').textContent='Return to the Groove app to continue.'},500)},3000)</script>
 </body></html>`);
   });
 
-  // Auth status — returns current user or { authenticated: false }
+  // Auth status — returns current user + subscription or { authenticated: false }
   app.get('/api/auth/status', async (req, res) => {
     const user = daemon.skills.getUser();
     const token = daemon.skills.getToken();
     if (!user || !token) return res.json({ authenticated: false });
-    res.json({ authenticated: true, user });
+    const sub = daemon.subscriptionCache || {};
+    res.json({ authenticated: true, user, subscription: sub });
   });
 
   // Validate stored token (hits remote API)
@@ -1177,6 +1211,80 @@ Keep responses concise. Help them think, don't lecture them about the system the
     }
   });
 
+  // --- Subscription ---
+
+  const SUB_API = 'https://docs.groovedev.ai/api/v1';
+
+  app.get('/api/subscription/plans', async (req, res) => {
+    try {
+      const resp = await fetch(`${SUB_API}/subscription/plans`);
+      const data = await resp.json();
+      res.json(data);
+    } catch (err) {
+      res.status(502).json({ error: 'Failed to fetch plans', message: err.message });
+    }
+  });
+
+  app.get('/api/subscription/status', (req, res) => {
+    const sub = daemon.subscriptionCache || {};
+    res.json(sub);
+  });
+
+  app.post('/api/subscription/checkout', async (req, res) => {
+    if (!daemon.authToken) return res.status(401).json({ error: 'Not authenticated' });
+    const { priceId } = req.body;
+    if (!priceId || typeof priceId !== 'string') return res.status(400).json({ error: 'priceId required' });
+    try {
+      const resp = await fetch(`${SUB_API}/subscription/checkout`, {
+        method: 'POST',
+        headers: { 'Authorization': `Bearer ${daemon.authToken}`, 'Content-Type': 'application/json' },
+        body: JSON.stringify({ priceId }),
+      });
+      const data = await resp.json();
+      if (!resp.ok) return res.status(resp.status).json(data);
+      res.json(data);
+    } catch (err) {
+      res.status(502).json({ error: 'Checkout failed', message: err.message });
+    }
+  });
+
+  app.post('/api/subscription/portal', async (req, res) => {
+    if (!daemon.authToken) return res.status(401).json({ error: 'Not authenticated' });
+    try {
+      const resp = await fetch(`${SUB_API}/subscription/portal`, {
+        method: 'POST',
+        headers: { 'Authorization': `Bearer ${daemon.authToken}`, 'Content-Type': 'application/json' },
+        body: '{}',
+      });
+      const data = await resp.json();
+      if (!resp.ok) return res.status(resp.status).json(data);
+      res.json(data);
+    } catch (err) {
+      res.status(502).json({ error: 'Portal failed', message: err.message });
+    }
+  });
+
+  app.patch('/api/subscription', async (req, res) => {
+    if (!daemon.authToken) return res.status(401).json({ error: 'Not authenticated' });
+    const { seats } = req.body;
+    if (!seats || typeof seats !== 'number' || seats < 1 || seats > 999 || !Number.isInteger(seats)) {
+      return res.status(400).json({ error: 'seats must be integer 1-999' });
+    }
+    try {
+      const resp = await fetch(`${SUB_API}/subscription`, {
+        method: 'PATCH',
+        headers: { 'Authorization': `Bearer ${daemon.authToken}`, 'Content-Type': 'application/json' },
+        body: JSON.stringify({ seats }),
+      });
+      const data = await resp.json();
+      if (!resp.ok) return res.status(resp.status).json(data);
+      daemon._pollSubscription();
+      res.json(data);
+    } catch (err) {
+      res.status(502).json({ error: 'Seat update failed', message: err.message });
+    }
+  });
+
   // --- Skills Marketplace ---
 
   app.get('/api/skills/registry', async (req, res) => {
@@ -1900,6 +2008,16 @@ Keep responses concise. Help them think, don't lecture them about the system the
     }
     const fullPath = resolve(projectDir, relPath);
     if (!fullPath.startsWith(projectDir)) return { error: 'Path outside project' };
+    // Symlink resolution — ensure real path is also within project
+    try {
+      const realPath = realpathSync(fullPath);
+      const realBase = realpathSync(projectDir);
+      if (!realPath.startsWith(realBase)) {
+        return { error: 'Path outside project (symlink)' };
+      }
+    } catch {
+      // File may not exist yet (for writes) — path prefix check is sufficient
+    }
     return { fullPath };
   }
 
@@ -2160,6 +2278,88 @@ Keep responses concise. Help them think, don't lecture them about the system the
     }
   });
 
+  // Git status — returns modified/added/deleted/untracked files
+  app.get('/api/files/git-status', (req, res) => {
+    const rootDir = getEditorRoot();
+    if (!rootDir) return res.status(400).json({ error: 'Editor root not set' });
+
+    execFile('git', ['status', '--porcelain'], { cwd: rootDir, timeout: 10000 }, (err, stdout) => {
+      if (err) {
+        // Not a git repo or git not installed — return empty
+        return res.json({ entries: [] });
+      }
+      const STATUS_MAP = { 'M': 'M', 'A': 'A', '?': '?', 'D': 'D', 'R': 'R', 'U': 'U' };
+      const entries = [];
+      for (const line of stdout.split('\n')) {
+        if (!line.trim()) continue;
+        const code = line[0] === ' ' ? line[1] : line[0];
+        const filePath = line.slice(3).trim();
+        if (!filePath) continue;
+        entries.push({ path: filePath, status: STATUS_MAP[code] || code });
+      }
+      res.json({ entries });
+    });
+  });
+
+  // Git branch — returns the current branch name
+  app.get('/api/files/git-branch', (req, res) => {
+    const rootDir = getEditorRoot();
+    if (!rootDir) return res.status(400).json({ error: 'Editor root not set' });
+
+    execFile('git', ['rev-parse', '--abbrev-ref', 'HEAD'], { cwd: rootDir, timeout: 5000 }, (err, stdout) => {
+      if (err) {
+        return res.json({ branch: null });
+      }
+      res.json({ branch: stdout.trim() });
+    });
+  });
+
+  // File search — fuzzy filename matching for quick-open (Ctrl+P)
+  app.get('/api/files/search', (req, res) => {
+    const query = req.query.q;
+    if (!query || typeof query !== 'string') return res.status(400).json({ error: 'q parameter is required' });
+    if (query.length > 200) return res.status(400).json({ error: 'Query too long' });
+
+    const maxResults = Math.min(parseInt(req.query.maxResults, 10) || 50, 200);
+    const rootDir = getEditorRoot();
+    if (!rootDir) return res.status(400).json({ error: 'Editor root not set' });
+
+    const lowerQuery = query.toLowerCase();
+    const results = [];
+
+    function fuzzyMatch(name) {
+      const lower = name.toLowerCase();
+      let qi = 0;
+      for (let i = 0; i < lower.length && qi < lowerQuery.length; i++) {
+        if (lower[i] === lowerQuery[qi]) qi++;
+      }
+      return qi === lowerQuery.length;
+    }
+
+    function walk(dir, rel) {
+      if (results.length >= maxResults) return;
+      let entries;
+      try { entries = readdirSync(dir, { withFileTypes: true }); } catch { return; }
+      for (const entry of entries) {
+        if (results.length >= maxResults) return;
+        if (IGNORED_NAMES.has(entry.name) || entry.name.startsWith('.')) continue;
+        const childRel = rel ? `${rel}/${entry.name}` : entry.name;
+        if (entry.isDirectory()) {
+          walk(resolve(dir, entry.name), childRel);
+        } else if (entry.isFile() && fuzzyMatch(entry.name)) {
+          results.push({ path: childRel, name: entry.name });
+        }
+      }
+    }
+
+    try {
+      walk(rootDir, '');
+      res.json({ files: results });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
   // --- Codebase Indexer ---
 
   app.get('/api/indexer', (req, res) => {
@@ -2208,19 +2408,27 @@ Keep responses concise. Help them think, don't lecture them about the system the
 
   // --- Recommended Team (from planner) ---
 
-  // Find recommended-team.json — check all agent working dirs, then daemon's grooveDir
+  // Find recommended-team.json — check planner agents first (they write the file),
+  // sorted by most recent activity so the latest planner's team wins.
   function findRecommendedTeam() {
-    // Check agent working dirs first (planner may have written there)
     const agents = daemon.registry.getAll();
-    for (const agent of agents) {
-      if (agent.workingDir) {
-        const p = resolve(agent.workingDir, '.groove', 'recommended-team.json');
-        if (existsSync(p)) return { path: p, teamId: agent.teamId || null, agentId: agent.id || null };
-      }
+    const planners = agents
+      .filter((a) => a.role === 'planner' && a.workingDir)
+      .sort((a, b) => (b.lastActivity || b.spawnedAt || '').localeCompare(a.lastActivity || a.spawnedAt || ''));
+
+    // Check planner workingDirs first — most recently active planner wins
+    for (const planner of planners) {
+      const p = resolve(planner.workingDir, '.groove', 'recommended-team.json');
+      if (existsSync(p)) return { path: p, teamId: planner.teamId || null, agentId: planner.id || null };
     }
-    // Fallback to daemon's .groove dir
+
+    // Fallback to daemon's .groove dir — try to attribute to most recent planner
     const p = resolve(daemon.grooveDir, 'recommended-team.json');
-    if (existsSync(p)) return { path: p, teamId: null, agentId: null };
+    if (existsSync(p)) {
+      const fallbackTeamId = planners[0]?.teamId || null;
+      const fallbackAgentId = planners[0]?.id || null;
+      return { path: p, teamId: fallbackTeamId, agentId: fallbackAgentId };
+    }
     return null;
   }
 
@@ -2252,6 +2460,9 @@ Keep responses concise. Help them think, don't lecture them about the system the
     try {
       const raw = JSON.parse(readFileSync(found.path, 'utf8'));
 
+      // Delete immediately after reading to prevent duplicate launches from poll races
+      try { unlinkSync(found.path); } catch { /* already gone */ }
+
       // Support both old format (bare array) and new format ({ projectDir, agents })
       let agentConfigs;
       let projectDir = null;
@@ -2268,7 +2479,9 @@ Keep responses concise. Help them think, don't lecture them about the system the
         return res.status(400).json({ error: 'Recommended team is empty' });
       }
 
-      const baseDir = daemon.config?.defaultWorkingDir || daemon.projectDir;
+      // Resolve base directory from the planner that wrote the file, not the daemon root
+      const plannerAgent = found.agentId ? daemon.registry.get(found.agentId) : null;
+      const baseDir = plannerAgent?.workingDir || daemon.config?.defaultWorkingDir || daemon.projectDir;
 
       // Use the planner's teamId so launched agents join the correct team.
       // Priority: explicit from frontend > agent that wrote the file > most recent planner > default
@@ -2304,6 +2517,13 @@ Keep responses concise. Help them think, don't lecture them about the system the
         }];
       }
 
+      // Reset handoff cycle counters for this team so a fresh launch starts clean
+      if (daemon._handoffCounts) {
+        for (const key of [...daemon._handoffCounts.keys()]) {
+          if (key.startsWith(`${defaultTeamId}:`)) daemon._handoffCounts.delete(key);
+        }
+      }
+
       // Spawn phase 1 agents — reuse idle team members with matching roles when possible
       const spawned = [];
       const reused = [];
@@ -2592,7 +2812,7 @@ Keep responses concise. Help them think, don't lecture them about the system the
 
   // --- Federation ---
 
-  // Federation status
+  // Federation status (v1 — includes whitelist, connections, ambassadors)
   app.get('/api/federation', proOnly, (req, res) => {
     res.json(daemon.federation.getStatus());
   });
@@ -2602,12 +2822,22 @@ Keep responses concise. Help them think, don't lecture them about the system the
     res.json(daemon.federation.getPeers());
   });
 
-  // Initiate pairing (local CLI calls this with the remote URL)
+  // Unpair a peer
+  app.delete('/api/federation/peers/:id', proOnly, (req, res) => {
+    try {
+      daemon.federation.unpair(req.params.id);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // Initiate pairing with a remote daemon
   app.post('/api/federation/initiate', proOnly, async (req, res) => {
     try {
       const { remoteUrl } = req.body;
       if (!remoteUrl || typeof remoteUrl !== 'string') {
-        return res.status(400).json({ error: 'remoteUrl is required' });
+        return res.status(400).json({ error: 'remoteUrl is required (string)' });
       }
       const result = await daemon.federation.initiatePairing(remoteUrl);
       res.json(result);
@@ -2616,29 +2846,128 @@ Keep responses concise. Help them think, don't lecture them about the system the
     }
   });
 
-  // Accept pairing (remote daemon calls this during key exchange)
-  app.post('/api/federation/pair', proOnly, (req, res) => {
+  // --- Federation v1: Whitelist ---
+
+  app.get('/api/federation/whitelist', proOnly, (req, res) => {
+    res.json(daemon.federation.whitelist?.list() || []);
+  });
+
+  app.post('/api/federation/whitelist', proOnly, (req, res) => {
     try {
-      const result = daemon.federation.acceptPairing(req.body);
-      res.json(result);
+      const { ip, port, name } = req.body;
+      if (!ip || typeof ip !== 'string') {
+        return res.status(400).json({ error: 'ip is required (string)' });
+      }
+      const entry = daemon.federation.whitelist.add(ip, port, name);
+      daemon.broadcast({ type: 'federation:whitelist', data: daemon.federation.whitelist.list() });
+      res.json(entry);
     } catch (err) {
       res.status(400).json({ error: err.message });
     }
   });
 
-  // Unpair a peer
-  app.delete('/api/federation/peers/:id', proOnly, (req, res) => {
+  app.delete('/api/federation/whitelist/:ip', proOnly, (req, res) => {
     try {
-      daemon.federation.unpair(req.params.id);
+      daemon.federation.whitelist.remove(req.params.ip);
+      daemon.broadcast({ type: 'federation:whitelist', data: daemon.federation.whitelist.list() });
       res.json({ ok: true });
     } catch (err) {
       res.status(400).json({ error: err.message });
     }
   });
 
-  // Receive a signed contract from a peer
-  app.post('/api/federation/contract', proOnly, (req, res) => {
+  // Probe endpoint — remote daemons hit this to check if they are whitelisted
+  app.get('/api/federation/whitelist-check', (req, res) => {
+    const ip = req.ip?.replace('::ffff:', '') || req.socket?.remoteAddress?.replace('::ffff:', '') || '';
+    const whitelisted = daemon.federation.isWhitelisted(ip);
+    res.json({
+      whitelisted,
+      ...(whitelisted ? { daemonId: daemon.federation._daemonId() } : {}),
+    });
+  });
+
+  // --- Federation v1: Knock ---
+
+  app.post('/api/federation/knock', (req, res) => {
     try {
+      const callerIp = req.ip?.replace('::ffff:', '') || req.socket?.remoteAddress?.replace('::ffff:', '') || '';
+      const { senderId, publicKey, payload, signature } = req.body;
+      if (!senderId || !publicKey || !payload || !signature) {
+        return res.status(400).json({ error: 'senderId, publicKey, payload, and signature are required' });
+      }
+      const result = daemon.federation.handleKnock(senderId, publicKey, payload, signature, callerIp);
+      res.json(result);
+    } catch (err) {
+      res.status(403).json({ error: err.message });
+    }
+  });
+
+  // --- Federation v1: Connections ---
+
+  app.get('/api/federation/connections', proOnly, (req, res) => {
+    res.json(daemon.federation.connections?.getStatus() || []);
+  });
+
+  // --- Federation v1: Diplomatic Pouch ---
+
+  app.post('/api/federation/pouch', (req, res) => {
+    try {
+      const callerIp = req.ip?.replace('::ffff:', '') || req.socket?.remoteAddress?.replace('::ffff:', '') || '';
+      if (!callerIp || !daemon.federation.isWhitelisted(callerIp)) {
+        return res.status(403).json({ error: 'Caller IP not whitelisted' });
+      }
+      const { senderId, payload, signature } = req.body;
+      if (!senderId || !payload || !signature) {
+        return res.status(400).json({ error: 'senderId, payload, and signature are required' });
+      }
+      const result = daemon.federation.ambassadors.receivePouch(senderId, payload, signature);
+      res.json(result);
+    } catch (err) {
+      res.status(403).json({ error: err.message });
+    }
+  });
+
+  app.get('/api/federation/pouch/log', proOnly, (req, res) => {
+    const limit = Math.min(parseInt(req.query.limit, 10) || 50, 200);
+    res.json(daemon.federation.ambassadors?.getPouchLog(limit) || []);
+  });
+
+  // Send a pouch message to a peer (local agents/GUI call this)
+  app.post('/api/federation/pouch/send', proOnly, async (req, res) => {
+    try {
+      const { peerId, contract } = req.body;
+      if (!peerId || !contract) {
+        return res.status(400).json({ error: 'peerId and contract are required' });
+      }
+      const result = await daemon.federation.ambassadors.sendPouch(peerId, contract);
+      res.json(result);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // Accept incoming pairing request from a remote daemon
+  app.post('/api/federation/pair', (req, res) => {
+    try {
+      const callerIp = req.ip?.replace('::ffff:', '') || req.socket?.remoteAddress?.replace('::ffff:', '') || '';
+      const { id, name, port, publicKey } = req.body;
+      if (!id || !publicKey) {
+        return res.status(400).json({ error: 'id and publicKey are required' });
+      }
+      const result = daemon.federation.acceptPairing({ id, name, port, publicKey }, callerIp);
+      res.json(result);
+    } catch (err) {
+      res.status(403).json({ error: err.message });
+    }
+  });
+
+  // Legacy contract endpoints (kept for backward compat)
+  app.post('/api/federation/contract', (req, res) => {
+    try {
+      const callerIp = req.ip?.replace('::ffff:', '') || req.socket?.remoteAddress?.replace('::ffff:', '') || '';
+      if (!callerIp || !daemon.federation.isWhitelisted(callerIp)) {
+        return res.status(403).json({ error: 'Caller IP not whitelisted' });
+      }
       const { senderId, payload, signature } = req.body;
       if (!senderId || !payload || !signature) {
         return res.status(400).json({ error: 'senderId, payload, and signature are required' });
@@ -2650,7 +2979,6 @@ Keep responses concise. Help them think, don't lecture them about the system the
     }
   });
 
-  // Send a contract to a peer (local agents call this)
   app.post('/api/federation/contract/send', proOnly, async (req, res) => {
     try {
       const { peerId, contract } = req.body;
@@ -2863,9 +3191,9 @@ Keep responses concise. Help them think, don't lecture them about the system the
     }
   });
 
-  app.delete('/api/tunnels/:id', proOnly, (req, res) => {
+  app.delete('/api/tunnels/:id', proOnly, async (req, res) => {
     try {
-      daemon.tunnelManager.delete(req.params.id);
+      await daemon.tunnelManager.delete(req.params.id);
       res.json({ ok: true });
     } catch (err) {
       res.status(400).json({ error: err.message });
@@ -2925,6 +3253,169 @@ Keep responses concise. Help them think, don't lecture them about the system the
     res.json(s);
   });
 
+  // --- Onboarding (Electron wizard) ---
+
+  const INSTALLABLE_PROVIDERS = {
+    'claude-code': '@anthropic-ai/claude-code',
+    'codex': '@openai/codex',
+    'gemini': '@google/gemini-cli',
+  };
+
+  app.get('/api/onboarding/status', (req, res) => {
+    const providers = listProviders();
+    const enriched = providers.map((p) => {
+      const hasKey = daemon.credentials.hasKey(p.id);
+      let authStatus = 'not-configured';
+      if (p.authType === 'subscription') {
+        authStatus = p.installed ? 'authenticated' : 'not-configured';
+      } else if (p.authType === 'api-key') {
+        authStatus = hasKey ? 'key-set' : 'not-configured';
+        if (p.authStatus?.authenticated) authStatus = 'authenticated';
+      } else if (p.authType === 'local') {
+        authStatus = p.installed ? 'authenticated' : 'not-configured';
+      }
+      return {
+        id: p.id,
+        displayName: p.name,
+        installed: p.installed,
+        authType: p.authType,
+        authStatus,
+        hasKey,
+        models: p.models,
+        installCommand: p.installCommand,
+        installable: !!INSTALLABLE_PROVIDERS[p.id],
+      };
+    });
+
+    const dismissed = !!(daemon.config.onboardingDismissed);
+    const hasReadyProvider = enriched.some((p) =>
+      p.installed && (p.authStatus === 'authenticated' || p.authStatus === 'key-set'),
+    );
+
+    res.json({
+      complete: dismissed || hasReadyProvider,
+      dismissed,
+      providers: enriched,
+      defaultProvider: daemon.config.defaultProvider || 'claude-code',
+      defaultModel: daemon.config.defaultModel || null,
+    });
+  });
+
+  app.post('/api/onboarding/dismiss', async (req, res) => {
+    daemon.config.onboardingDismissed = true;
+    const { saveConfig } = await import('./firstrun.js');
+    saveConfig(daemon.grooveDir, daemon.config);
+    daemon.audit.log('onboarding.dismiss', {});
+    daemon.broadcast({ type: 'onboarding:dismissed' });
+    res.json({ ok: true });
+  });
+
+  app.post('/api/onboarding/install-provider', (req, res) => {
+    const { provider } = req.body;
+    if (!provider || typeof provider !== 'string') {
+      return res.status(400).json({ error: 'provider is required' });
+    }
+    const pkg = INSTALLABLE_PROVIDERS[provider];
+    if (!pkg) {
+      return res.status(400).json({ error: `Provider '${provider}' is not installable via npm. Valid: ${Object.keys(INSTALLABLE_PROVIDERS).join(', ')}` });
+    }
+
+    res.setHeader('Content-Type', 'application/x-ndjson');
+    res.setHeader('Transfer-Encoding', 'chunked');
+    res.setHeader('Cache-Control', 'no-cache');
+
+    const write = (obj) => {
+      try { res.write(JSON.stringify(obj) + '\n'); } catch { /* client disconnected */ }
+    };
+
+    write({ status: 'installing', output: `Installing ${pkg}...`, progress: 0 });
+
+    const proc = spawn('npm', ['install', '-g', pkg], {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      env: { ...process.env, NODE_ENV: undefined },
+    });
+
+    let output = '';
+    let errOutput = '';
+
+    proc.stdout.on('data', (data) => {
+      output += data.toString();
+      write({ status: 'installing', output: data.toString().trim(), progress: 50 });
+    });
+
+    proc.stderr.on('data', (data) => {
+      errOutput += data.toString();
+      const line = data.toString().trim();
+      if (line) write({ status: 'installing', output: line, progress: 50 });
+    });
+
+    proc.on('close', (code) => {
+      const providerObj = getProvider(provider);
+      const installed = providerObj ? providerObj.constructor.isInstalled() : false;
+
+      if (code === 0 && installed) {
+        write({ status: 'complete', output: `${pkg} installed successfully`, progress: 100, installed: true });
+        daemon.audit.log('onboarding.installProvider', { provider, pkg, success: true });
+        daemon.broadcast({ type: 'onboarding:provider-installed', provider });
+      } else {
+        const reason = code !== 0
+          ? (errOutput || output).slice(-500)
+          : 'Install succeeded but provider binary not found in PATH';
+        write({ status: 'error', output: reason, progress: 100, installed: false });
+        daemon.audit.log('onboarding.installProvider', { provider, pkg, success: false, code });
+      }
+      res.end();
+    });
+
+    proc.on('error', (err) => {
+      write({ status: 'error', output: `Failed to start npm: ${err.message}`, progress: 100, installed: false });
+      res.end();
+    });
+
+    req.on('close', () => {
+      try { proc.kill(); } catch { /* already exited */ }
+    });
+  });
+
+  app.post('/api/onboarding/set-default', async (req, res) => {
+    const { provider, model } = req.body;
+    const validProviders = ['claude-code', 'codex', 'gemini', 'ollama'];
+    if (!provider || !validProviders.includes(provider)) {
+      return res.status(400).json({ error: `Invalid provider. Valid: ${validProviders.join(', ')}` });
+    }
+
+    daemon.config.defaultProvider = provider;
+    if (model && typeof model === 'string' && model.length <= 100) {
+      daemon.config.defaultModel = model.trim();
+    }
+    const { saveConfig } = await import('./firstrun.js');
+    saveConfig(daemon.grooveDir, daemon.config);
+    daemon.audit.log('onboarding.setDefault', { provider, model: model || null });
+    daemon.broadcast({ type: 'onboarding:default-changed', provider, model });
+    res.json({ ok: true });
+  });
+
+  // --- Project Directory ---
+
+  app.post('/api/project-dir', async (req, res) => {
+    const { dir } = req.body;
+    if (!dir || typeof dir !== 'string') return res.status(400).json({ error: 'dir required' });
+    if (/[\0\n\r]/.test(dir)) return res.status(400).json({ error: 'Invalid characters in path' });
+    const { existsSync, statSync } = await import('fs');
+    const { resolve, isAbsolute } = await import('path');
+    const resolved = resolve(dir);
+    if (!isAbsolute(resolved)) return res.status(400).json({ error: 'Path must be absolute' });
+    if (!existsSync(resolved) || !statSync(resolved).isDirectory()) {
+      return res.status(400).json({ error: 'Directory does not exist' });
+    }
+    daemon.config.defaultWorkingDir = resolved;
+    const { saveConfig } = await import('./firstrun.js');
+    saveConfig(daemon.grooveDir, daemon.config);
+    daemon.broadcast({ type: 'config:updated', data: { defaultWorkingDir: resolved } });
+    daemon.audit.log('project.dir.change', { dir: resolved });
+    res.json({ ok: true, dir: resolved });
+  });
+
   // --- Config ---
 
   app.get('/api/config', (req, res) => {
@@ -2935,6 +3426,7 @@ Keep responses concise. Help them think, don't lecture them about the system the
     const ALLOWED_KEYS = [
       'port', 'journalistInterval', 'rotationThreshold', 'autoRotation',
       'qcThreshold', 'maxAgents', 'defaultProvider', 'defaultWorkingDir',
+      'onboardingDismissed', 'defaultModel',
     ];
     for (const key of Object.keys(req.body)) {
       if (!ALLOWED_KEYS.includes(key)) {
@@ -2948,8 +3440,35 @@ Keep responses concise. Help them think, don't lecture them about the system the
     res.json(daemon.config);
   });
 
+  // --- Toys ---
+
+  app.get('/api/toys', (req, res) => {
+    const category = req.query.category;
+    if (category && (typeof category !== 'string' || category.length > 30)) {
+      return res.status(400).json({ error: 'Invalid category' });
+    }
+    res.json(daemon.toys.list(category || undefined));
+  });
+
+  app.get('/api/toys/:id', (req, res) => {
+    const toy = daemon.toys.get(req.params.id);
+    if (!toy) return res.status(404).json({ error: 'Toy not found' });
+    res.json(toy);
+  });
+
+  app.post('/api/toys/:id/launch', async (req, res) => {
+    try {
+      const { apiKey, starterPrompt } = req.body || {};
+      const result = await daemon.toys.launch(req.params.id, { apiKey, starterPrompt });
+      daemon.audit.log('toy.launch', { toyId: req.params.id, teamId: result.team.id });
+      res.status(201).json(result);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
   // Serve GUI static files (built GUI) — no-cache headers to prevent stale bundles
-  const guiPath = resolve(__dirname, '../../gui/dist');
+  const guiPath = process.env.GROOVE_GUI_PATH || resolve(__dirname, '../../gui/dist');
   app.use(express.static(guiPath, { etag: false, maxAge: 0, lastModified: false }));
   app.use((req, res, next) => {
     if (!req.path.startsWith('/api/')) {