groove-dev 0.27.8 → 0.27.12

package/node_modules/@groove-dev/daemon/src/api.js

@@ -4,13 +4,64 @@
 import express from 'express';
 import { resolve, dirname } from 'path';
 import { fileURLToPath } from 'url';
-import { existsSync, readFileSync, readdirSync, statSync, writeFileSync, mkdirSync, unlinkSync, renameSync, rmSync, createReadStream } from 'fs';
+import { existsSync, readFileSync, readdirSync, statSync, writeFileSync, mkdirSync, unlinkSync, renameSync, rmSync, createReadStream, copyFileSync } from 'fs';
 import { lookup as mimeLookup } from './mimetypes.js';
 import { listProviders, getProvider } from './providers/index.js';
 import { OllamaProvider } from './providers/ollama.js';
 import { validateAgentConfig } from './validate.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
+const isPro = process.env.GROOVE_EDITION === 'pro';
+
+let _subscriptionCache = { active: true, checkedAt: 0 };
+
+function proOnly(req, res, next) {
+  if (!isPro) {
+    return res.status(403).json({
+      error: 'Pro feature',
+      edition: 'community',
+      upgrade: 'https://groovedev.ai/pro',
+    });
+  }
+  if (!_subscriptionCache.active) {
+    return res.status(403).json({
+      error: 'Pro subscription required',
+      edition: 'pro',
+      subscriptionActive: false,
+      upgrade: 'https://groovedev.ai/pro',
+    });
+  }
+  next();
+}
+
+async function _executeApprovalRetry(daemon, approval) {
+  const rp = approval.retryPayload;
+  if (!rp) return;
+  try {
+    let resultText;
+    if (rp.type === 'integration_exec') {
+      const result = await daemon.mcpManager.execTool(rp.integrationId, rp.tool, rp.params);
+      resultText = JSON.stringify(result).slice(0, 2000);
+      daemon.audit.log('approval.autoRetry', { type: rp.type, integrationId: rp.integrationId, tool: rp.tool, agentId: rp.agentId, approvalId: approval.id });
+    } else if (rp.type === 'google_drive_upload') {
+      const result = await daemon.integrations.uploadToGoogleDrive(rp.filePath, {
+        name: rp.name, folderId: rp.folderId, convert: rp.convert !== false,
+      });
+      resultText = JSON.stringify(result).slice(0, 2000);
+      daemon.audit.log('approval.autoRetry', { type: rp.type, filePath: rp.filePath, agentId: rp.agentId, approvalId: approval.id });
+    } else {
+      return;
+    }
+    if (rp.agentId) {
+      await daemon.processes.sendMessage(rp.agentId, `Your ${rp.type === 'integration_exec' ? 'integration action' : 'upload'} was approved and executed successfully. Result: ${resultText}`);
+    }
+  } catch (err) {
+    console.log(`[Groove] Auto-retry for approval ${approval.id} failed: ${err.message}`);
+    if (rp.agentId) {
+      daemon.processes.sendMessage(rp.agentId, `Your ${rp.type === 'integration_exec' ? 'integration action' : 'upload'} was approved but execution failed: ${err.message}`).catch(() => {});
+    }
+  }
+}
 
 export function createApi(app, daemon) {
   // CORS — restrict to localhost + bound interface origins
@@ -493,6 +544,11 @@ export function createApi(app, daemon) {
     res.json(suggestion);
   });
 
+  // Edition
+  app.get('/api/edition', (req, res) => {
+    res.json({ edition: isPro ? 'pro' : 'community' });
+  });
+
   // Daemon status
   app.get('/api/status', (req, res) => {
     res.json({
@@ -503,6 +559,7 @@ export function createApi(app, daemon) {
       host: daemon.host,
       port: daemon.port,
       projectDir: daemon.projectDir,
+      edition: isPro ? 'pro' : 'community',
     });
   });
 
@@ -557,10 +614,15 @@ export function createApi(app, daemon) {
     });
   });
 
-  app.post('/api/approvals/:id/approve', (req, res) => {
+  app.post('/api/approvals/:id/approve', async (req, res) => {
     const result = daemon.supervisor.approve(req.params.id);
     if (!result) return res.status(404).json({ error: 'Approval not found' });
     daemon.audit.log('approval.approve', { id: req.params.id });
+    if (result.retryPayload) {
+      _executeApprovalRetry(daemon, result).catch((err) => {
+        console.log(`[Groove] Approval auto-retry failed: ${err.message}`);
+      });
+    }
     res.json(result);
   });
 
@@ -774,7 +836,7 @@ export function createApi(app, daemon) {
         if (entry.endsWith('.md') && !entry.startsWith('.')) {
           const fullPath = resolve(dir, entry);
           if (statSync(fullPath).isFile()) {
-            files.push({ name: entry, path: entry, size: statSync(fullPath).size });
+            files.push({ name: entry, path: entry, size: statSync(fullPath).size, source: 'project' });
           }
         }
       }
@@ -784,13 +846,37 @@ export function createApi(app, daemon) {
           if (entry.endsWith('.md')) {
             const fullPath = resolve(grooveDir, entry);
             if (statSync(fullPath).isFile()) {
-              files.push({ name: entry, path: `.groove/${entry}`, size: statSync(fullPath).size });
+              files.push({ name: entry, path: `.groove/${entry}`, size: statSync(fullPath).size, source: 'project' });
             }
           }
         }
       }
     } catch { /* dir might not exist */ }
 
+    // Include personality file from .groove/personalities/
+    try {
+      const personalityFile = resolve(daemon.grooveDir, 'personalities', `${agent.name}.md`);
+      if (existsSync(personalityFile)) {
+        const size = statSync(personalityFile).size;
+        files.unshift({ name: 'personality.md', path: '__personality__', size, source: 'personality' });
+      }
+    } catch { /* ignore */ }
+
+    // Include user-created agent files from .groove/agent-files/<name>/
+    try {
+      const agentFilesDir = resolve(daemon.grooveDir, 'agent-files', agent.name);
+      if (existsSync(agentFilesDir)) {
+        for (const entry of readdirSync(agentFilesDir)) {
+          if (entry.endsWith('.md')) {
+            const fullPath = resolve(agentFilesDir, entry);
+            if (statSync(fullPath).isFile()) {
+              files.push({ name: entry, path: `__user__/${entry}`, size: statSync(fullPath).size, source: 'user' });
+            }
+          }
+        }
+      }
+    } catch { /* ignore */ }
+
     res.json({ files, workingDir: dir });
   });
 
@@ -803,6 +889,22 @@ export function createApi(app, daemon) {
     const relPath = req.query.path;
     if (!relPath || relPath.includes('..')) return res.status(400).json({ error: 'Invalid path' });
 
+    if (relPath === '__personality__') {
+      const personalityFile = resolve(daemon.grooveDir, 'personalities', `${agent.name}.md`);
+      if (existsSync(personalityFile)) {
+        return res.json({ content: readFileSync(personalityFile, 'utf8') });
+      }
+      return res.json({ content: '' });
+    }
+
+    if (relPath.startsWith('__user__/')) {
+      const fileName = relPath.slice('__user__/'.length);
+      if (!fileName || fileName.includes('/') || fileName.includes('..')) return res.status(400).json({ error: 'Invalid path' });
+      const filePath = resolve(daemon.grooveDir, 'agent-files', agent.name, fileName);
+      if (existsSync(filePath)) return res.json({ content: readFileSync(filePath, 'utf8') });
+      return res.json({ content: '' });
+    }
+
     const fullPath = resolve(dir, relPath);
     if (!fullPath.startsWith(dir)) return res.status(400).json({ error: 'Path traversal' });
 
@@ -824,6 +926,24 @@ export function createApi(app, daemon) {
     if (!relPath || relPath.includes('..')) return res.status(400).json({ error: 'Invalid path' });
     if (typeof content !== 'string') return res.status(400).json({ error: 'Content required' });
 
+    if (relPath === '__personality__') {
+      const personalityDir = resolve(daemon.grooveDir, 'personalities');
+      mkdirSync(personalityDir, { recursive: true });
+      writeFileSync(resolve(personalityDir, `${agent.name}.md`), content || '', { mode: 0o600 });
+      daemon.audit.log('personality.update', { name: agent.name, agentId: agent.id });
+      return res.json({ saved: true });
+    }
+
+    if (relPath.startsWith('__user__/')) {
+      const fileName = relPath.slice('__user__/'.length);
+      if (!fileName || fileName.includes('/') || fileName.includes('..')) return res.status(400).json({ error: 'Invalid path' });
+      const agentFilesDir = resolve(daemon.grooveDir, 'agent-files', agent.name);
+      mkdirSync(agentFilesDir, { recursive: true });
+      writeFileSync(resolve(agentFilesDir, fileName), content || '', { mode: 0o600 });
+      daemon.audit.log('mdfile.write.user', { agentId: agent.id, name: fileName });
+      return res.json({ saved: true });
+    }
+
     const fullPath = resolve(dir, relPath);
     if (!fullPath.startsWith(dir)) return res.status(400).json({ error: 'Path traversal' });
 
@@ -836,6 +956,24 @@ export function createApi(app, daemon) {
     }
   });
 
+  // Create a new MD file for an agent
+  app.post('/api/agents/:id/mdfiles/create', (req, res) => {
+    const agent = daemon.registry.get(req.params.id);
+    if (!agent) return res.status(404).json({ error: 'Agent not found' });
+    let name = req.body?.name;
+    if (!name || typeof name !== 'string') return res.status(400).json({ error: 'name required' });
+    name = name.replace(/[^a-zA-Z0-9_-]/g, '-').slice(0, 64);
+    if (!name) return res.status(400).json({ error: 'Invalid name' });
+    if (!name.endsWith('.md')) name += '.md';
+    const agentFilesDir = resolve(daemon.grooveDir, 'agent-files', agent.name);
+    mkdirSync(agentFilesDir, { recursive: true });
+    const filePath = resolve(agentFilesDir, name);
+    if (existsSync(filePath)) return res.status(409).json({ error: 'File already exists' });
+    writeFileSync(filePath, '', { mode: 0o600 });
+    daemon.audit.log('mdfile.create', { agentId: agent.id, name });
+    res.json({ name, path: `__user__/${name}` });
+  });
+
   // Rotation stats
   app.get('/api/rotation', (req, res) => {
     res.json({
@@ -1145,6 +1283,34 @@ Keep responses concise. Help them think, don't lecture them about the system the
     res.json({ id: agent.id, skills });
   });
 
+  // --- Agent Repos (attach/detach) ---
+
+  app.post('/api/agents/:agentId/repos/:importId', (req, res) => {
+    const agent = daemon.registry.get(req.params.agentId);
+    if (!agent) return res.status(404).json({ error: 'Agent not found' });
+    const importId = req.params.importId;
+    const manifest = daemon.repoImporter.getImport(importId);
+    if (!manifest || manifest.status !== 'active') {
+      return res.status(400).json({ error: 'Repo not found or not active' });
+    }
+    const repos = agent.repos || [];
+    if (repos.includes(importId)) {
+      return res.json({ id: agent.id, repos });
+    }
+    daemon.registry.update(agent.id, { repos: [...repos, importId] });
+    daemon.audit.log('repo.attach', { agentId: agent.id, importId });
+    res.json({ id: agent.id, repos: [...repos, importId] });
+  });
+
+  app.delete('/api/agents/:agentId/repos/:importId', (req, res) => {
+    const agent = daemon.registry.get(req.params.agentId);
+    if (!agent) return res.status(404).json({ error: 'Agent not found' });
+    const repos = (agent.repos || []).filter((r) => r !== req.params.importId);
+    daemon.registry.update(agent.id, { repos });
+    daemon.audit.log('repo.detach', { agentId: agent.id, importId: req.params.importId });
+    res.json({ id: agent.id, repos });
+  });
+
   // --- Integrations ---
 
   // Google OAuth routes MUST come before parameterized :id routes
@@ -1336,12 +1502,18 @@ Keep responses concise. Help them think, don't lecture them about the system the
             tool,
             params: paramsSummary,
             description: `${entry.name}: ${tool}`,
+          }, {
+            type: 'integration_exec',
+            integrationId,
+            tool,
+            params: params || {},
+            agentId: agentId || null,
           });
           daemon.audit.log('integration.exec.blocked', { integrationId, tool, approvalId: approval.id, agentId });
           return res.status(202).json({
             requiresApproval: true,
             approvalId: approval.id,
-            message: `Tool "${tool}" requires approval. Retry with this approvalId once approved.`,
+            message: `Tool "${tool}" requires approval. The user will be prompted automatically. You will receive the result once approved — do not retry.`,
           });
         }
       }
@@ -1390,12 +1562,19 @@ Keep responses concise. Help them think, don't lecture them about the system the
             filePath,
             name: name || filePath.split('/').pop(),
             description: `Upload to Google Drive: ${name || filePath.split('/').pop()}`,
+          }, {
+            type: 'google_drive_upload',
+            filePath,
+            name: name || filePath.split('/').pop(),
+            folderId: folderId || null,
+            convert: convert !== false,
+            agentId: agentId || null,
           });
           daemon.audit.log('integration.upload.blocked', { filePath, approvalId: approval.id, agentId });
           return res.status(202).json({
             requiresApproval: true,
             approvalId: approval.id,
-            message: `Upload requires approval. Retry with this approvalId once approved.`,
+            message: `Upload requires approval. The user will be prompted automatically. You will receive the result once approved — do not retry.`,
           });
         }
       }
@@ -2036,27 +2215,27 @@ Keep responses concise. Help them think, don't lecture them about the system the
     for (const agent of agents) {
       if (agent.workingDir) {
         const p = resolve(agent.workingDir, '.groove', 'recommended-team.json');
-        if (existsSync(p)) return p;
+        if (existsSync(p)) return { path: p, teamId: agent.teamId || null, agentId: agent.id || null };
       }
     }
     // Fallback to daemon's .groove dir
     const p = resolve(daemon.grooveDir, 'recommended-team.json');
-    if (existsSync(p)) return p;
+    if (existsSync(p)) return { path: p, teamId: null, agentId: null };
     return null;
   }
 
   app.get('/api/recommended-team', (req, res) => {
-    const teamPath = findRecommendedTeam();
-    if (!teamPath) {
+    const found = findRecommendedTeam();
+    if (!found) {
       return res.json({ exists: false, agents: [] });
     }
     try {
-      const raw = JSON.parse(readFileSync(teamPath, 'utf8'));
+      const raw = JSON.parse(readFileSync(found.path, 'utf8'));
       // Support both old format (bare array) and new format ({ projectDir, agents })
       if (Array.isArray(raw)) {
-        res.json({ exists: true, agents: raw });
+        res.json({ exists: true, agents: raw, teamId: found.teamId });
       } else if (raw && Array.isArray(raw.agents)) {
-        res.json({ exists: true, agents: raw.agents, projectDir: raw.projectDir || null });
+        res.json({ exists: true, agents: raw.agents, projectDir: raw.projectDir || null, teamId: found.teamId });
       } else {
         res.json({ exists: false, agents: [] });
       }
@@ -2066,12 +2245,12 @@ Keep responses concise. Help them think, don't lecture them about the system the
   });
 
   app.post('/api/recommended-team/launch', async (req, res) => {
-    const teamPath = findRecommendedTeam();
-    if (!teamPath) {
+    const found = findRecommendedTeam();
+    if (!found) {
       return res.status(404).json({ error: 'No recommended team found. Run a planner first.' });
     }
     try {
-      const raw = JSON.parse(readFileSync(teamPath, 'utf8'));
+      const raw = JSON.parse(readFileSync(found.path, 'utf8'));
 
       // Support both old format (bare array) and new format ({ projectDir, agents })
       let agentConfigs;
@@ -2092,8 +2271,8 @@ Keep responses concise. Help them think, don't lecture them about the system the
       const baseDir = daemon.config?.defaultWorkingDir || daemon.projectDir;
 
       // Use the planner's teamId so launched agents join the correct team.
-      // Accept explicit teamId from request body, or find the most recent planner agent.
-      let launchTeamId = req.body?.teamId || null;
+      // Priority: explicit from frontend > agent that wrote the file > most recent planner > default
+      let launchTeamId = req.body?.teamId || found.teamId || null;
       if (!launchTeamId) {
         const planners = daemon.registry.getAll()
           .filter((a) => a.role === 'planner')
@@ -2171,6 +2350,7 @@ Keep responses concise. Help them think, don't lecture them about the system the
               permission: config.permission || existing.permission || 'auto',
               workingDir: existing.workingDir || projectWorkingDir,
               name: existing.name,
+              integrationApproval: config.integrationApproval || existing.integrationApproval || undefined,
             });
             validated.teamId = defaultTeamId;
             const newAgent = await daemon.processes.spawn(validated);
@@ -2192,6 +2372,7 @@ Keep responses concise. Help them think, don't lecture them about the system the
               permission: config.permission || 'auto',
               workingDir: config.workingDir || projectWorkingDir,
               name: config.name || undefined,
+              integrationApproval: config.integrationApproval || undefined,
             });
             validated.teamId = defaultTeamId;
             const agent = await daemon.processes.spawn(validated);
@@ -2412,17 +2593,17 @@ Keep responses concise. Help them think, don't lecture them about the system the
   // --- Federation ---
 
   // Federation status
-  app.get('/api/federation', (req, res) => {
+  app.get('/api/federation', proOnly, (req, res) => {
     res.json(daemon.federation.getStatus());
   });
 
   // List peers
-  app.get('/api/federation/peers', (req, res) => {
+  app.get('/api/federation/peers', proOnly, (req, res) => {
     res.json(daemon.federation.getPeers());
   });
 
   // Initiate pairing (local CLI calls this with the remote URL)
-  app.post('/api/federation/initiate', async (req, res) => {
+  app.post('/api/federation/initiate', proOnly, async (req, res) => {
     try {
       const { remoteUrl } = req.body;
       if (!remoteUrl || typeof remoteUrl !== 'string') {
@@ -2436,7 +2617,7 @@ Keep responses concise. Help them think, don't lecture them about the system the
   });
 
   // Accept pairing (remote daemon calls this during key exchange)
-  app.post('/api/federation/pair', (req, res) => {
+  app.post('/api/federation/pair', proOnly, (req, res) => {
     try {
       const result = daemon.federation.acceptPairing(req.body);
       res.json(result);
@@ -2446,7 +2627,7 @@ Keep responses concise. Help them think, don't lecture them about the system the
   });
 
   // Unpair a peer
-  app.delete('/api/federation/peers/:id', (req, res) => {
+  app.delete('/api/federation/peers/:id', proOnly, (req, res) => {
     try {
       daemon.federation.unpair(req.params.id);
       res.json({ ok: true });
@@ -2456,7 +2637,7 @@ Keep responses concise. Help them think, don't lecture them about the system the
   });
 
   // Receive a signed contract from a peer
-  app.post('/api/federation/contract', (req, res) => {
+  app.post('/api/federation/contract', proOnly, (req, res) => {
     try {
       const { senderId, payload, signature } = req.body;
       if (!senderId || !payload || !signature) {
@@ -2470,7 +2651,7 @@ Keep responses concise. Help them think, don't lecture them about the system the
   });
 
   // Send a contract to a peer (local agents call this)
-  app.post('/api/federation/contract/send', async (req, res) => {
+  app.post('/api/federation/contract/send', proOnly, async (req, res) => {
     try {
       const { peerId, contract } = req.body;
       if (!peerId || !contract) {
@@ -2490,6 +2671,260 @@ Keep responses concise. Help them think, don't lecture them about the system the
     res.json(daemon.audit.recent(limit));
   });
 
+  // --- Repo Import ---
+
+  app.post('/api/repos/preview', async (req, res) => {
+    try {
+      const { repoUrl } = req.body;
+      if (!repoUrl || typeof repoUrl !== 'string') {
+        return res.status(400).json({ error: 'repoUrl is required (string)' });
+      }
+      const result = await daemon.repoImporter.preview(repoUrl);
+      res.json(result);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.post('/api/repos/import', async (req, res) => {
+    try {
+      const { repoUrl, targetPath, createTeam, teamName } = req.body;
+      if (!repoUrl || typeof repoUrl !== 'string') {
+        return res.status(400).json({ error: 'repoUrl is required (string)' });
+      }
+      if (!targetPath || typeof targetPath !== 'string') {
+        return res.status(400).json({ error: 'targetPath is required (string)' });
+      }
+
+      // Resolve shell shortcuts — GUI sends ~/... and ./...
+      let resolvedPath = targetPath;
+      if (resolvedPath.startsWith('~/') || resolvedPath === '~') {
+        resolvedPath = resolve(process.env.HOME || '/tmp', resolvedPath.slice(2));
+      } else if (!resolvedPath.startsWith('/')) {
+        resolvedPath = resolve(daemon.projectDir, resolvedPath);
+      }
+
+      const result = await daemon.repoImporter.import(repoUrl, resolvedPath, {});
+
+      let teamId = null;
+      if (createTeam) {
+        try {
+          const team = daemon.teams.create(teamName || result.stackInfo?.name || 'imported-repo');
+          teamId = team.id;
+          const manifest = daemon.repoImporter.getImport(result.importId);
+          if (manifest) {
+            manifest.teamId = teamId;
+            daemon.repoImporter._saveManifest(manifest);
+          }
+        } catch { /* team creation is optional */ }
+      }
+
+      // Spawn setup agent
+      let agentId = null;
+      try {
+        const setupPrompt = daemon.repoImporter.generateSetupPrompt(resolvedPath, result.stackInfo, '');
+        const agent = await daemon.processes.spawn({
+          role: 'fullstack',
+          name: `setup-${result.importId.slice(0, 4)}`,
+          workingDir: resolvedPath,
+          prompt: setupPrompt,
+          provider: daemon.config?.defaultProvider || 'claude-code',
+        });
+        agentId = agent.id;
+        const manifest = daemon.repoImporter.getImport(result.importId);
+        if (manifest) {
+          manifest.agents.push(agentId);
+          daemon.repoImporter._saveManifest(manifest);
+        }
+      } catch { /* agent spawn is best-effort */ }
+
+      res.json({ importId: result.importId, path: result.path, agentId, teamId });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.get('/api/repos/imported', (req, res) => {
+    res.json(daemon.repoImporter.getImported());
+  });
+
+  app.get('/api/repos/:id', (req, res) => {
+    const manifest = daemon.repoImporter.getImport(req.params.id);
+    if (!manifest) return res.status(404).json({ error: 'Import not found' });
+    res.json(manifest);
+  });
+
+  app.get('/api/repos/:id/sandbox', (req, res) => {
+    const manifest = daemon.repoImporter.getImport(req.params.id);
+    if (!manifest) return res.status(404).json({ error: 'Import not found' });
+    res.json(manifest);
+  });
+
+  app.post('/api/repos/:id/process', (req, res) => {
+    try {
+      const { pid, command } = req.body;
+      daemon.repoImporter.recordProcess(req.params.id, pid, command);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.delete('/api/repos/:id/remove', async (req, res) => {
+    try {
+      await daemon.repoImporter.softRemove(req.params.id);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.delete('/api/repos/:id/nuke', async (req, res) => {
+    try {
+      const deleteFiles = req.query.deleteFiles !== 'false';
+      await daemon.repoImporter.hardNuke(req.params.id, { deleteFiles });
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // --- Personalities ---
+
+  app.get('/api/personalities', (req, res) => {
+    const dir = resolve(daemon.grooveDir, 'personalities');
+    mkdirSync(dir, { recursive: true });
+    try {
+      const files = readdirSync(dir).filter(f => f.endsWith('.md'));
+      const personalities = files.map(f => ({
+        name: f.replace(/\.md$/, ''),
+      }));
+      res.json({ personalities });
+    } catch {
+      res.json({ personalities: [] });
+    }
+  });
+
+  app.get('/api/personalities/:name', (req, res) => {
+    const name = req.params.name.replace(/[^a-zA-Z0-9_-]/g, '');
+    if (!name) return res.status(400).json({ error: 'Invalid name' });
+    const file = resolve(daemon.grooveDir, 'personalities', `${name}.md`);
+    if (!existsSync(file)) return res.status(404).json({ error: 'Personality not found' });
+    res.json({ name, content: readFileSync(file, 'utf8') });
+  });
+
+  app.put('/api/personalities/:name', (req, res) => {
+    const name = req.params.name.replace(/[^a-zA-Z0-9_-]/g, '');
+    if (!name) return res.status(400).json({ error: 'Invalid name' });
+    const content = typeof req.body?.content === 'string' ? req.body.content.slice(0, 10000) : '';
+    const dir = resolve(daemon.grooveDir, 'personalities');
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(resolve(dir, `${name}.md`), content, { mode: 0o600 });
+    daemon.audit.log('personality.update', { name });
+    res.json({ name, content });
+  });
+
+  app.post('/api/personalities/:name/clone', (req, res) => {
+    const source = req.params.name.replace(/[^a-zA-Z0-9_-]/g, '');
+    const target = (req.body?.name || '').replace(/[^a-zA-Z0-9_-]/g, '');
+    if (!source || !target) return res.status(400).json({ error: 'Source and target name required' });
+    const dir = resolve(daemon.grooveDir, 'personalities');
+    const sourceFile = resolve(dir, `${source}.md`);
+    if (!existsSync(sourceFile)) return res.status(404).json({ error: 'Source personality not found' });
+    copyFileSync(sourceFile, resolve(dir, `${target}.md`));
+    daemon.audit.log('personality.clone', { source, target });
+    res.json({ name: target, clonedFrom: source });
+  });
+
+  // --- Tunnels (Remote Access) ---
+
+  app.get('/api/tunnels', proOnly, (req, res) => {
+    res.json(daemon.tunnelManager.getSaved());
+  });
+
+  app.post('/api/tunnels', proOnly, (req, res) => {
+    try {
+      const { name, host, user, port, sshKeyPath, autoStart, autoConnect } = req.body;
+      if (!name || typeof name !== 'string') return res.status(400).json({ error: 'name is required (string)' });
+      if (!host || typeof host !== 'string') return res.status(400).json({ error: 'host is required (string)' });
+      const result = daemon.tunnelManager.save({ name, host, user, port, sshKeyPath, autoStart, autoConnect });
+      res.json(result);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.patch('/api/tunnels/:id', proOnly, (req, res) => {
+    try {
+      const result = daemon.tunnelManager.update(req.params.id, req.body);
+      res.json(result);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.delete('/api/tunnels/:id', proOnly, (req, res) => {
+    try {
+      daemon.tunnelManager.delete(req.params.id);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.post('/api/tunnels/:id/test', proOnly, async (req, res) => {
+    try {
+      const result = await daemon.tunnelManager.test(req.params.id);
+      res.json(result);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.post('/api/tunnels/:id/connect', proOnly, async (req, res) => {
+    try {
+      const result = await daemon.tunnelManager.connect(req.params.id);
+      res.json(result);
+    } catch (err) {
+      const body = { error: err.message };
+      if (err.testResult) body.testResult = err.testResult;
+      res.status(400).json(body);
+    }
+  });
+
+  app.post('/api/tunnels/:id/disconnect', proOnly, async (req, res) => {
+    try {
+      await daemon.tunnelManager.disconnect(req.params.id);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.post('/api/tunnels/:id/install', proOnly, async (req, res) => {
+    try {
+      const result = await daemon.tunnelManager.remoteInstall(req.params.id);
+      res.json(result);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.post('/api/tunnels/:id/start', proOnly, async (req, res) => {
+    try {
+      await daemon.tunnelManager.autoStart(req.params.id);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.get('/api/tunnels/:id/status', proOnly, (req, res) => {
+    const s = daemon.tunnelManager.getStatus(req.params.id);
+    if (!s) return res.status(404).json({ error: 'Remote not found' });
+    res.json(s);
+  });
+
   // --- Config ---
 
   app.get('/api/config', (req, res) => {