instar 0.8.6 → 0.8.8

package/.vercel/README.txt

@@ -0,0 +1,11 @@
+> Why do I have a folder named ".vercel" in my project?
+The ".vercel" folder is created when you link a directory to a Vercel project.
+
+> What does the "project.json" file contain?
+The "project.json" file contains:
+- The ID of the Vercel project that you linked ("projectId")
+- The ID of the user or team your Vercel project is owned by ("orgId")
+
+> Should I commit the ".vercel" folder?
+No, you should not share the ".vercel" folder with anyone.
+Upon creation, it will be automatically added to your ".gitignore" file.

package/.vercel/project.json

@@ -0,0 +1 @@
+{"projectId":"prj_evM5LcItYL3IAmw8zNvEPGrHeaya","orgId":"team_dHctwIDcV3X9ydapQlCPHFGI","projectName":"claude-agent-kit"}

package/dashboard/index.html

@@ -401,11 +401,149 @@
       margin-top: 8px;
     }
 
+    /* Mobile back button */
+    .back-btn {
+      display: none;
+      padding: 6px 12px;
+      border-radius: 6px;
+      border: 1px solid var(--border);
+      background: var(--bg);
+      color: var(--text);
+      font-size: 13px;
+      cursor: pointer;
+      margin-right: 8px;
+    }
+
+    .back-btn:hover { background: var(--bg-hover); }
+
     /* Scrollbar */
     ::-webkit-scrollbar { width: 6px; }
     ::-webkit-scrollbar-track { background: transparent; }
     ::-webkit-scrollbar-thumb { background: #333; border-radius: 3px; }
     ::-webkit-scrollbar-thumb:hover { background: #444; }
+
+    /* ── Mobile responsive ─────────────────────────────────── */
+    @media (max-width: 768px) {
+      .app {
+        grid-template-columns: 1fr;
+      }
+
+      .sidebar {
+        border-right: none;
+        border-bottom: 1px solid var(--border);
+      }
+
+      /* In mobile, sidebar and main toggle visibility */
+      .app.terminal-active .sidebar {
+        display: none;
+      }
+
+      .app:not(.terminal-active) .main {
+        display: none;
+      }
+
+      .app.terminal-active .back-btn {
+        display: inline-block;
+      }
+
+      /* Larger tap targets */
+      .session-item {
+        padding: 14px 12px;
+        margin-bottom: 4px;
+      }
+
+      .session-name {
+        font-size: 15px;
+      }
+
+      .session-meta {
+        font-size: 12px;
+        margin-top: 4px;
+      }
+
+      .action-btn {
+        padding: 8px 14px;
+        font-size: 14px;
+      }
+
+      .terminal-actions {
+        gap: 4px;
+        flex-wrap: wrap;
+      }
+
+      .terminal-header {
+        padding: 8px 12px;
+        flex-wrap: wrap;
+        gap: 8px;
+      }
+
+      .terminal-header .session-info {
+        flex: 1;
+        min-width: 0;
+      }
+
+      .terminal-header .session-info h3 {
+        font-size: 13px;
+        white-space: nowrap;
+        overflow: hidden;
+        text-overflow: ellipsis;
+      }
+
+      /* Input bar — stack on very small screens */
+      .input-bar {
+        padding: 8px;
+        gap: 6px;
+      }
+
+      .input-bar input {
+        font-size: 16px; /* Prevents iOS zoom on focus */
+        padding: 10px 12px;
+      }
+
+      .input-bar button {
+        padding: 10px 14px;
+        font-size: 14px;
+      }
+
+      /* Terminal font smaller on mobile */
+      .terminal-container {
+        padding: 2px;
+      }
+
+      /* Auth box responsive */
+      .auth-box {
+        width: calc(100vw - 32px);
+        max-width: 360px;
+        padding: 24px;
+      }
+
+      .auth-box input {
+        font-size: 16px; /* Prevents iOS zoom */
+        padding: 12px 14px;
+      }
+
+      .auth-box button {
+        padding: 12px;
+        font-size: 15px;
+      }
+
+      /* Header compact */
+      .header {
+        padding: 10px 14px;
+      }
+
+      .header h1 {
+        font-size: 15px;
+      }
+
+      .header .logo {
+        font-size: 18px;
+      }
+
+      .sidebar-header {
+        padding: 12px 14px;
+      }
+    }
   </style>
 </head>
 <body>
@@ -413,8 +551,8 @@
   <div class="auth-overlay" id="authOverlay">
     <div class="auth-box">
       <h2>Instar Dashboard</h2>
-      <p>Enter your auth token to connect</p>
-      <input type="password" id="tokenInput" placeholder="Bearer token..." autofocus>
+      <p>Enter your PIN to connect</p>
+      <input type="password" id="pinInput" placeholder="PIN..." autofocus inputmode="numeric">
       <button onclick="authenticate()">Connect</button>
       <div class="auth-error" id="authError" style="display:none"></div>
     </div>
@@ -455,6 +593,7 @@
       <div id="terminalView" style="display:none">
         <div class="terminal-header">
           <div class="session-info">
+            <button class="back-btn" onclick="goBack()" title="Back to sessions">&larr;</button>
             <h3 id="termSessionName">—</h3>
             <span class="model-badge" id="termModelBadge" style="display:none"></span>
           </div>
@@ -488,17 +627,35 @@
 
     // ── Auth ─────────────────────────────────────────────────
     function authenticate() {
-      token = document.getElementById('tokenInput').value.trim();
-      if (!token) {
-        showAuthError('Please enter a token');
+      const pin = document.getElementById('pinInput').value.trim();
+      if (!pin) {
+        showAuthError('Please enter a PIN');
         return;
       }
 
-      // Test token by hitting /health with auth
-      const port = window.location.port || location.port;
-      fetch(`/health`, {
-        headers: { 'Authorization': `Bearer ${token}` }
+      // Try PIN-based unlock first, fall back to direct token auth
+      fetch('/dashboard/unlock', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ pin }),
       })
+        .then(r => {
+          if (r.ok) return r.json();
+          if (r.status === 429) throw new Error('Too many attempts. Try again later.');
+          if (r.status === 403) return r.json().then(d => { throw new Error(d.error || 'Incorrect PIN'); });
+          // No PIN endpoint (404) — try as raw token
+          return null;
+        })
+        .then(data => {
+          if (data && data.token) {
+            token = data.token;
+          } else {
+            // Fall back: treat input as raw Bearer token
+            token = pin;
+          }
+          // Verify the token works
+          return fetch('/health', { headers: { 'Authorization': `Bearer ${token}` } });
+        })
         .then(r => {
           if (r.ok) {
             localStorage.setItem('instar_token', token);
@@ -506,10 +663,10 @@
             document.getElementById('app').style.display = 'grid';
             connectWebSocket();
           } else {
-            showAuthError('Invalid token');
+            showAuthError('Incorrect PIN');
           }
         })
-        .catch(() => showAuthError('Cannot connect to server'));
+        .catch(err => showAuthError(err.message || 'Cannot connect to server'));
     }
 
     function showAuthError(msg) {
@@ -522,7 +679,7 @@
     const stored = localStorage.getItem('instar_token');
     if (stored) {
       token = stored;
-      fetch(`/health`, { headers: { 'Authorization': `Bearer ${token}` } })
+      fetch('/health', { headers: { 'Authorization': `Bearer ${token}` } })
         .then(r => {
           if (r.ok) {
             document.getElementById('authOverlay').style.display = 'none';
@@ -533,8 +690,8 @@
         .catch(() => {});
     }
 
-    // Enter on token input
-    document.getElementById('tokenInput').addEventListener('keydown', e => {
+    // Enter on PIN input
+    document.getElementById('pinInput').addEventListener('keydown', e => {
       if (e.key === 'Enter') authenticate();
     });
 
@@ -674,7 +831,7 @@
         }
 
         const elapsed = formatElapsed(session.startedAt);
-        const model = session.model || 'sonnet';
+        const model = session.model || 'opus';
         const isActive = session.tmuxSession === activeSession;
 
         el.className = `session-item${isActive ? ' active' : ''}`;
@@ -698,6 +855,9 @@
 
       activeSession = tmuxSession;
 
+      // Mobile: show terminal, hide sidebar
+      document.getElementById('app').classList.add('terminal-active');
+
       // Update UI
       document.getElementById('noSession').style.display = 'none';
       document.getElementById('terminalView').style.display = 'flex';
@@ -757,7 +917,7 @@
           brightCyan: '#99f6e4',
           brightWhite: '#eee',
         },
-        fontSize: 13,
+        fontSize: window.innerWidth <= 768 ? 11 : 13,
         fontFamily: "'SF Mono', 'Fira Code', 'JetBrains Mono', 'Cascadia Code', monospace",
         cursorBlink: false,
         cursorStyle: 'underline',
@@ -790,6 +950,18 @@
       term.scrollToBottom();
     }
 
+    function goBack() {
+      // Mobile: go back to session list
+      if (activeSession) {
+        wsSend({ type: 'unsubscribe', session: activeSession });
+      }
+      activeSession = null;
+      document.getElementById('app').classList.remove('terminal-active');
+      document.getElementById('terminalView').style.display = 'none';
+      document.getElementById('noSession').style.display = 'flex';
+      renderSessionList();
+    }
+
     // ── Input ────────────────────────────────────────────────
     function sendInput() {
       const input = document.getElementById('termInput');

package/dist/cli.js

@@ -443,7 +443,7 @@ jobCmd
     .requiredOption('--schedule <cron>', 'Cron expression')
     .option('--description <desc>', 'Job description')
     .option('--priority <priority>', 'Priority (critical|high|medium|low)', 'medium')
-    .option('--model <model>', 'Model tier (opus|sonnet|haiku)', 'sonnet')
+    .option('--model <model>', 'Model tier (opus|sonnet|haiku)', 'opus')
     .option('--type <type>', 'Execution type (skill|prompt|script)', 'prompt')
     .option('--execute <value>', 'Execution value (skill name, prompt text, or script path)')
     .action(addJob);

package/dist/commands/init.js

@@ -970,7 +970,7 @@ function getDefaultJobs(port) {
             schedule: '0 */4 * * *',
             priority: 'medium',
             expectedDurationMinutes: 5,
-            model: 'sonnet',
+            model: 'opus',
             enabled: true,
             execute: {
                 type: 'prompt',
@@ -985,7 +985,7 @@ function getDefaultJobs(port) {
             schedule: '0 9 * * *',
             priority: 'low',
             expectedDurationMinutes: 3,
-            model: 'sonnet',
+            model: 'opus',
             enabled: true,
             execute: {
                 type: 'prompt',
@@ -1048,7 +1048,7 @@ function getDefaultJobs(port) {
             schedule: '0 */2 * * *',
             priority: 'medium',
             expectedDurationMinutes: 3,
-            model: 'sonnet',
+            model: 'opus',
             enabled: true,
             gate: `curl -sf http://localhost:${port}/health >/dev/null 2>&1`,
             execute: {
@@ -1088,7 +1088,7 @@ If everything looks healthy, exit silently. Only report issues.`,
             schedule: '0 */6 * * *',
             priority: 'medium',
             expectedDurationMinutes: 5,
-            model: 'sonnet',
+            model: 'opus',
             enabled: true,
             gate: `curl -sf http://localhost:${port}/evolution/proposals?status=proposed 2>/dev/null | python3 -c "import sys,json; d=json.load(sys.stdin); exit(0 if len(d.get('proposals',[])) > 0 else 1)"`,
             execute: {
@@ -1117,7 +1117,7 @@ If no proposals need attention, exit silently.`,
             schedule: '0 */8 * * *',
             priority: 'low',
             expectedDurationMinutes: 3,
-            model: 'sonnet',
+            model: 'opus',
             enabled: true,
             gate: `curl -sf http://localhost:${port}/evolution/learnings?applied=false 2>/dev/null | python3 -c "import sys,json; d=json.load(sys.stdin); exit(0 if len(d.get('learnings',[])) > 0 else 1)"`,
             execute: {

package/dist/commands/job.js

@@ -26,7 +26,7 @@ export async function addJob(options) {
         schedule: options.schedule,
         priority: (options.priority || 'medium'),
         expectedDurationMinutes: 5,
-        model: (options.model || 'sonnet'),
+        model: (options.model || 'opus'),
         enabled: options.enabled !== false,
         execute: {
             type: (options.type || 'prompt'),

package/dist/core/Config.js

@@ -163,6 +163,7 @@ export function loadConfig(projectDir) {
             healthCheckIntervalMs: 30000,
         },
         authToken: fileConfig.authToken,
+        dashboardPin: fileConfig.dashboardPin,
         relationships: fileConfig.relationships || {
             relationshipsDir: path.join(stateDir, 'relationships'),
             maxRecentInteractions: 20,

package/dist/core/types.d.ts

@@ -615,6 +615,8 @@ export interface InstarConfig {
     monitoring: MonitoringConfig;
     /** Auth token for API access (generated during setup) */
     authToken?: string;
+    /** PIN for dashboard web access (simpler than authToken, used for mobile/remote login) */
+    dashboardPin?: string;
     /** Relationship tracking config */
     relationships?: RelationshipManagerConfig;
     /** Feedback loop config */

package/dist/server/AgentServer.js

@@ -10,6 +10,7 @@
 import express from 'express';
 import fs from 'node:fs';
 import path from 'node:path';
+import { createHash, timingSafeEqual } from 'node:crypto';
 import { fileURLToPath } from 'node:url';
 import { createRoutes } from './routes.js';
 import { corsMiddleware, authMiddleware, requestTimeout, errorHandler } from './middleware.js';
@@ -38,6 +39,50 @@ export class AgentServer {
             res.sendFile(path.join(dashboardDir, 'index.html'));
         });
         this.app.use('/dashboard', express.static(dashboardDir));
+        // PIN-based dashboard unlock — exchanges a short PIN for the auth token.
+        // Placed before auth middleware so the dashboard can call it without a token.
+        if (options.config.dashboardPin && options.config.authToken) {
+            const pinAttempts = new Map();
+            const MAX_ATTEMPTS = 5;
+            const WINDOW_MS = 5 * 60 * 1000; // 5-minute window
+            this.app.post('/dashboard/unlock', (req, res) => {
+                const ip = req.ip || req.socket.remoteAddress || 'unknown';
+                // Rate limit by IP
+                const now = Date.now();
+                let entry = pinAttempts.get(ip);
+                if (entry && now > entry.resetAt) {
+                    pinAttempts.delete(ip);
+                    entry = undefined;
+                }
+                if (entry && entry.count >= MAX_ATTEMPTS) {
+                    res.status(429).json({ error: 'Too many attempts. Try again later.' });
+                    return;
+                }
+                const { pin } = req.body;
+                if (!pin || typeof pin !== 'string') {
+                    res.status(400).json({ error: 'Missing PIN' });
+                    return;
+                }
+                const ha = createHash('sha256').update(pin).digest();
+                const hb = createHash('sha256').update(options.config.dashboardPin).digest();
+                if (!timingSafeEqual(ha, hb)) {
+                    // Track failed attempt
+                    if (!entry) {
+                        entry = { count: 0, resetAt: now + WINDOW_MS };
+                        pinAttempts.set(ip, entry);
+                    }
+                    entry.count++;
+                    const remaining = MAX_ATTEMPTS - entry.count;
+                    res.status(403).json({
+                        error: 'Incorrect PIN',
+                        attemptsRemaining: remaining,
+                    });
+                    return;
+                }
+                // PIN correct — return the auth token
+                res.json({ token: options.config.authToken });
+            });
+        }
         this.app.use(authMiddleware(options.config.authToken));
         this.app.use(requestTimeout(options.config.requestTimeoutMs));
         // Routes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.8.6",
+  "version": "0.8.8",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",