npm - lazyclaw - Versions diffs - 3.99.15 → 3.99.17 - Mend

lazyclaw 3.99.15 → 3.99.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/cli.mjs CHANGED Viewed

@@ -1455,7 +1455,10 @@ function _attachGhostAutocomplete(rl) {
 function _renderBanner(version) {
   const W = 30;
   const accent = (s) => `\x1b[38;5;208m${s}\x1b[0m`;
-  const dim    = (s) => `\x1b[2m${s}\x1b[0m`;
+  // 24-bit color so the mascot reads in the same warm orange as the
+  // dist/index.html SVG (#d97757). Falls back gracefully on terminals
+  // that ignore truecolor — the glyphs are visible regardless.
+  const orange = (s) => `\x1b[38;2;217;119;87m${s}\x1b[0m`;
   // Inner content of each banner row — DO NOT pad here, the wrapper
   // does it. Backslashes are JS-escaped so each `\\` renders as one
   // literal `\` in the output.
@@ -1466,16 +1469,18 @@ function _renderBanner(version) {
     '  |_\\__,_/__\\_, |_|',
     '  LazyClaw  |__/  ' + String(version || '?.?.?').padEnd(10).slice(0, 10),
   ];
-  // Sleepy-cat mascot on the right, lined up with the busiest part
-  // of the wordmark. Three rows of ASCII art + "zz" trail. Plain
-  // ASCII (no box-drawing on the cat) so it lands well in any font.
+  // Pixel-art mascot mirrored from the lazyclaude SPA's #claudeMascot
+  // SVG (orange rectangles → block characters). Squashed to 5 rows so
+  // it lines up with `inner` in the banner. Eye sockets are left blank
+  // (the SVG fills them with #000); a hollow gap reads as eyes against
+  // the orange body in any monospace font.
   const mascot = [
     '',
-    '',
-    '   /\\_/\\',
-    '  ( -.- )  ' + dim('z z'),
-    '   > ^ <    ' + dim('z'),
-    '',
+    orange('   ██      ██'),
+    orange('  ██████████████'),
+    orange('  ██  ') + '██' + orange('  ') + '██' + orange('  ██'),
+    orange('  ██████████████'),
+    orange('   ██      ██'),
     '',
   ];
   const banner = [
@@ -2483,16 +2488,50 @@ async function cmdChat(flags = {}) {
 // `dashboard` is the discoverable name and it auto-opens the browser
 // (which the bare daemon doesn't, since most daemon callers are
 // scripts).
+// Best-effort port-occupant kill — macOS / Linux only. Returns true when
+// at least one PID was signalled. Used by cmdDashboard so a leftover
+// listener from a previous run doesn't crash the launch with EADDRINUSE.
+// Mirrors the Python server's auto-kill behaviour described in CLAUDE.md.
+async function _killPortOccupant(port) {
+  if (process.platform === 'win32') return false;
+  const { spawn } = await import('node:child_process');
+  return new Promise((resolve) => {
+    let lsof;
+    try {
+      lsof = spawn('lsof', ['-ti', `tcp:${port}`], { stdio: ['ignore', 'pipe', 'ignore'] });
+    } catch (_) { return resolve(false); }
+    let buf = '';
+    lsof.stdout.on('data', (d) => { buf += d.toString('utf8'); });
+    lsof.on('error', () => resolve(false));
+    lsof.on('close', () => {
+      const pids = buf.trim().split(/\s+/).map((s) => parseInt(s, 10)).filter(Number.isFinite);
+      if (!pids.length) return resolve(false);
+      // SIGTERM first so node has a chance to clean up; SIGKILL the
+      // holdouts after a short grace window.
+      for (const pid of pids) {
+        try { process.kill(pid, 'SIGTERM'); } catch (_) { /* gone already */ }
+      }
+      setTimeout(() => {
+        for (const pid of pids) {
+          try { process.kill(pid, 'SIGKILL'); } catch (_) { /* gone */ }
+        }
+        resolve(true);
+      }, 200);
+    });
+  });
+}
 async function cmdDashboard(flags = {}) {
   await ensureRegistry();
   const sessionsMod = await import('./sessions.mjs');
   const { startDaemon } = await import('./daemon.mjs');
   const port = flags.port !== undefined ? parseInt(flags.port, 10) : 19600;
   const cfgDir = path.dirname(configPath());
-  const d = await startDaemon({
+  const daemonOpts = {
     port,
     once: false,
     readConfig,
+    writeConfig,
     sessionsDirGetter: () => cfgDir,
     sessionsMod,
     version: () => readVersionFromRepo(),
@@ -2506,7 +2545,34 @@ async function cmdDashboard(flags = {}) {
     responseCache: null,
     logger: null,
     costCap: null,
-  });
+  };
+  let d;
+  try {
+    d = await startDaemon(daemonOpts);
+  } catch (err) {
+    if (err?.code !== 'EADDRINUSE') throw err;
+    // Port is held by a leftover dashboard / daemon. Try to free it
+    // (lsof + kill on macOS/Linux); on failure, fall back to a random
+    // port so the user always gets a working dashboard rather than a
+    // crash trace.
+    const portInUse = port;
+    process.stderr.write(`  ⚠ port ${portInUse} is in use — likely a previous dashboard didn't shut down.\n`);
+    const killed = await _killPortOccupant(portInUse);
+    if (killed) {
+      process.stderr.write(`  ✓ freed port ${portInUse} (killed prior listener) — retrying…\n`);
+      // Short pause so the OS releases the port before we re-listen.
+      await new Promise(r => setTimeout(r, 250));
+      try { d = await startDaemon(daemonOpts); }
+      catch (err2) {
+        if (err2?.code !== 'EADDRINUSE') throw err2;
+        process.stderr.write(`  ⚠ still in use — falling back to a random port.\n`);
+        d = await startDaemon({ ...daemonOpts, port: 0 });
+      }
+    } else {
+      process.stderr.write(`  ⚠ couldn't free port ${portInUse} automatically — falling back to a random port.\n`);
+      d = await startDaemon({ ...daemonOpts, port: 0 });
+    }
+  }
   const url = `http://127.0.0.1:${d.port}/dashboard`;
   process.stdout.write(`🦞 LazyClaw dashboard listening at ${url}\n`);
   if (!flags['no-open']) {
@@ -2594,21 +2660,46 @@ async function cmdDaemon(flags) {
     || process.env.LAZYCLAW_WORKFLOW_STATE_DIR
     || '.workflow-state';
   const cfgDir = path.dirname(configPath());
-  const d = await startDaemon({
-    port: Number.isFinite(port) ? port : 0,
-    once,
-    readConfig,
-    sessionsDirGetter: () => cfgDir,
-    sessionsMod,
-    version: () => readVersionFromRepo(),
-    workflowStateDir: () => workflowStateDirValue,
-    authToken: authToken || undefined,
-    allowedOrigins,
-    rateLimit,
-    responseCache,
-    logger,
-    costCap: costCapOrNull,
-  });
+  let d;
+  try {
+    d = await startDaemon({
+      port: Number.isFinite(port) ? port : 0,
+      once,
+      readConfig,
+      // `lazyclaw daemon` exposes mutation endpoints (POST /providers,
+      // PUT /rates/<key>, etc.) only when an auth token is configured
+      // — without one the daemon is loopback-only but still untrusted
+      // (any process on the box can hit it). dashboard subcommand sets
+      // writeConfig unconditionally because it always runs as the user.
+      writeConfig: authToken ? writeConfig : undefined,
+      sessionsDirGetter: () => cfgDir,
+      sessionsMod,
+      version: () => readVersionFromRepo(),
+      workflowStateDir: () => workflowStateDirValue,
+      authToken: authToken || undefined,
+      allowedOrigins,
+      rateLimit,
+      responseCache,
+      logger,
+      costCap: costCapOrNull,
+    });
+  } catch (err) {
+    // `lazyclaw daemon` exits cleanly on EADDRINUSE with a readable
+    // message instead of the historical unhandled-error stack trace.
+    // Unlike `lazyclaw dashboard`, daemon doesn't auto-kill the prior
+    // listener — bare daemon callers are usually scripts that expect
+    // exact port semantics, so we surface the failure and let them
+    // choose (re-run with --port 0 for random, or kill the holdout).
+    if (err?.code === 'EADDRINUSE') {
+      process.stderr.write(
+        `lazyclaw daemon: port ${port} is in use.\n` +
+        `  Re-run with --port 0 for a random port, or free the port:\n` +
+        `    lsof -ti tcp:${port} | xargs kill -9\n`
+      );
+      process.exit(2);
+    }
+    throw err;
+  }
   // Print the bound port immediately so test/script callers can pick it up
   // even when we asked for port 0. Indicate auth presence (not the token)
   // and the allowed-origin count (not the values, just whether browser

package/daemon.mjs CHANGED Viewed

@@ -245,6 +245,7 @@ function isOriginAllowed(req, allowedOrigins) {
 /**
  * @param {{
  *   readConfig: () => Record<string, unknown>,
+ *   writeConfig?: (cfg: Record<string, unknown>) => void,
  *   sessionsDirGetter: () => string,
  *   sessionsMod: typeof import('./sessions.mjs'),
  *   version: () => string,
@@ -256,6 +257,12 @@ function isOriginAllowed(req, allowedOrigins) {
  *   logger?: ReturnType<typeof createLogger> | null,
  *   costCap?: Record<string, number> | null,
  * }} ctx
+ *
+ * `writeConfig` is optional; when omitted the mutation endpoints (POST
+ * /providers, DELETE /providers/<name>, PUT/DELETE /rates/<key>, PUT
+ * /config/<key>) reject with 405 Method Not Allowed. The CLI's
+ * `cmdDashboard` always supplies it; bare `lazyclaw daemon --once` callers
+ * can opt out by leaving it undefined.
  */
 export function makeHandler(ctx) {
   const authToken = ctx.authToken || null;
@@ -373,10 +380,12 @@ export function makeHandler(ctx) {
       const route = `${req.method} ${url.pathname}`;
       const sessionMatch = url.pathname.match(/^\/sessions\/([^/]+)$/);
       const providerMatch = url.pathname.match(/^\/providers\/([^/]+)$/);
+      const providerTestMatch = url.pathname.match(/^\/providers\/([^/]+)\/test$/);
       const sessionExportMatch = url.pathname.match(/^\/sessions\/([^/]+)\/export$/);
       const skillMatch = url.pathname.match(/^\/skills\/([^/]+)$/);
       const workflowMatch = url.pathname.match(/^\/workflows\/([^/]+)$/);
       const configKeyMatch = url.pathname.match(/^\/config\/([^/]+)$/);
+      const ratesKeyMatch = url.pathname.match(/^\/rates\/([^/]+)$/);
       switch (true) {
         case route === 'GET /' || route === 'GET /dashboard': {
           // Serve the lazyclaw-only web dashboard (a single static
@@ -487,9 +496,25 @@ export function makeHandler(ctx) {
         }
         case route === 'GET /providers': {
           // ?filter=<substr>&limit=<N> mirror v3.33+ list flags.
+          // The dashboard reads `custom` / `builtinOpenAICompat` / `endpoint`
+          // / `docs` to render the right pills + tooltips; CLI callers only
+          // need `name` / `requiresApiKey` / `suggestedModels` and ignore
+          // the extras (additive change, no migration).
           let out = Object.keys(PROVIDERS).map(name => {
             const meta = PROVIDER_INFO[name] || { name };
-            return { name, requiresApiKey: !!meta.requiresApiKey, defaultModel: meta.defaultModel || null, suggestedModels: meta.suggestedModels || [] };
+            return {
+              name,
+              requiresApiKey: !!meta.requiresApiKey,
+              defaultModel: meta.defaultModel || null,
+              suggestedModels: meta.suggestedModels || [],
+              endpoint: meta.endpoint || null,
+              docs: meta.docs || null,
+              custom: !!meta.custom,
+              builtinOpenAICompat: !!meta.builtinOpenAICompat,
+              baseUrl: meta.baseUrl || null,
+              envKey: meta.envKey || null,
+              keyPrefix: meta.keyPrefix || null,
+            };
           });
           const filter = url.searchParams.get('filter');
           if (filter) {
@@ -569,6 +594,100 @@ export function makeHandler(ctx) {
             results,
           });
         }
+        case req.method === 'GET' && !!providerTestMatch: {
+          // GET /providers/<name>/test — single-provider 1-token reachability
+          // probe. Same shape as one entry of GET /providers/test, but the
+          // endpoint stops on the first failure and exposes the reply body
+          // (truncated) so the dashboard can show a real signal of life.
+          const name = providerTestMatch[1];
+          const provider = PROVIDERS[name];
+          if (!provider) return writeJson(res, 404, { error: `unknown provider: ${name}` });
+          const cfg = ctx.readConfig();
+          const apiKey = cfg['api-key'] || '';
+          const meta = PROVIDER_INFO[name] || {};
+          const model = url.searchParams.get('model') || cfg.model || meta.defaultModel || 'unknown';
+          const prompt = url.searchParams.get('prompt') || 'ping';
+          const t0 = Date.now();
+          try {
+            let reply = '';
+            const stream = provider.sendMessage([{ role: 'user', content: prompt }], { apiKey, model });
+            for await (const chunk of stream) {
+              if (typeof chunk === 'string') reply += chunk;
+            }
+            return writeJson(res, reply.length > 0 ? 200 : 503, {
+              ok: reply.length > 0,
+              name, model,
+              durationMs: Date.now() - t0,
+              replyLength: reply.length,
+              reply: reply.slice(0, 500),
+            });
+          } catch (err) {
+            return writeJson(res, 503, {
+              ok: false, name, model,
+              durationMs: Date.now() - t0,
+              error: err?.message || String(err),
+              code: err?.code || null,
+            });
+          }
+        }
+        case route === 'POST /providers': {
+          // Register or overwrite a custom OpenAI-compatible provider.
+          // Body: { name, baseUrl, apiKey?, defaultModel? }. Persists into
+          // cfg.customProviders[] and hot-registers via the registry's
+          // registerCustomProviders() so the new entry is callable in this
+          // same process. 405 when the daemon was started without
+          // writeConfig (read-only mode). The same name as a built-in
+          // OpenAI-compat alias is allowed and overrides the built-in.
+          if (typeof ctx.writeConfig !== 'function') {
+            return writeJson(res, 405, { error: 'mutation disabled — daemon was started without writeConfig' });
+          }
+          let body;
+          try { body = await readJson(req); }
+          catch (e) { return writeJson(res, 400, { error: e?.message || String(e) }); }
+          const reg = await import('./providers/registry.mjs');
+          let name;
+          try { name = reg.validateCustomProviderName(body.name); }
+          catch (e) { return writeJson(res, 400, { error: e.message }); }
+          if (!body.baseUrl || typeof body.baseUrl !== 'string' || !/^https?:\/\//i.test(body.baseUrl)) {
+            return writeJson(res, 400, { error: 'baseUrl must be a string starting with http:// or https://' });
+          }
+          const cfg = ctx.readConfig();
+          cfg.customProviders = Array.isArray(cfg.customProviders) ? cfg.customProviders : [];
+          const idx = cfg.customProviders.findIndex((p) => p && p.name === name);
+          const entry = {
+            name,
+            baseUrl: String(body.baseUrl).replace(/\/+$/, ''),
+            apiKey: body.apiKey || undefined,
+            defaultModel: body.defaultModel || undefined,
+          };
+          if (idx >= 0) cfg.customProviders[idx] = { ...cfg.customProviders[idx], ...entry };
+          else cfg.customProviders.push(entry);
+          ctx.writeConfig(cfg);
+          try { reg.registerCustomProviders(cfg); } catch { /* keep going */ }
+          const overridesBuiltin = typeof reg.isBuiltinOpenAICompatName === 'function'
+            ? reg.isBuiltinOpenAICompatName(name)
+            : false;
+          return writeJson(res, 200, { ok: true, name, baseUrl: entry.baseUrl, overridesBuiltin });
+        }
+        case req.method === 'DELETE' && !!providerMatch && providerMatch[1] !== 'test': {
+          // DELETE /providers/<name> — drop a custom registration. Idempotent:
+          // 200 with `removed: false` when the name wasn't a custom entry.
+          // Built-in providers can't be deleted; their PROVIDERS row is
+          // restored on next process boot if the user previously overrode it.
+          if (typeof ctx.writeConfig !== 'function') {
+            return writeJson(res, 405, { error: 'mutation disabled' });
+          }
+          const name = providerMatch[1];
+          const cfg = ctx.readConfig();
+          if (!Array.isArray(cfg.customProviders) || cfg.customProviders.length === 0) {
+            return writeJson(res, 200, { ok: true, name, removed: false });
+          }
+          const before = cfg.customProviders.length;
+          cfg.customProviders = cfg.customProviders.filter((p) => !(p && p.name === name));
+          const removed = cfg.customProviders.length < before;
+          if (removed) ctx.writeConfig(cfg);
+          return writeJson(res, 200, { ok: true, name, removed });
+        }
         case route === 'GET /rates': {
           // Read-only view of cfg.rates so a dashboard's cost panel
           // can render the configured cards without shelling to the
@@ -608,6 +727,42 @@ export function makeHandler(ctx) {
           // fields without shelling to the CLI.
           return writeJson(res, 200, RATE_CARD_SHAPE);
         }
+        case req.method === 'PUT' && !!ratesKeyMatch && ratesKeyMatch[1] !== 'validate' && ratesKeyMatch[1] !== 'shape': {
+          // PUT /rates/<key> — set a rate card. Body is the card object
+          // ({ in, out, "cache-read"?, "cache-create"?, currency? }). The
+          // payload is merged into cfg.rates and validated as a whole;
+          // 422 on validation failure. 405 when writeConfig is unset.
+          if (typeof ctx.writeConfig !== 'function') {
+            return writeJson(res, 405, { error: 'mutation disabled' });
+          }
+          const key = decodeURIComponent(ratesKeyMatch[1]);
+          let body;
+          try { body = await readJson(req); }
+          catch (e) { return writeJson(res, 400, { error: e?.message || String(e) }); }
+          if (!body || typeof body !== 'object') return writeJson(res, 400, { error: 'body must be a JSON object' });
+          const cfg = ctx.readConfig();
+          cfg.rates = cfg.rates && typeof cfg.rates === 'object' ? cfg.rates : {};
+          cfg.rates[key] = body;
+          const v = validateRates(cfg.rates, PROVIDERS);
+          if (!v.ok) return writeJson(res, 422, v);
+          ctx.writeConfig(cfg);
+          return writeJson(res, 200, { ok: true, key, card: cfg.rates[key] });
+        }
+        case req.method === 'DELETE' && !!ratesKeyMatch && ratesKeyMatch[1] !== 'validate' && ratesKeyMatch[1] !== 'shape': {
+          // DELETE /rates/<key> — idempotent: 200 with `removed: false`
+          // when the card didn't exist.
+          if (typeof ctx.writeConfig !== 'function') {
+            return writeJson(res, 405, { error: 'mutation disabled' });
+          }
+          const key = decodeURIComponent(ratesKeyMatch[1]);
+          const cfg = ctx.readConfig();
+          if (!cfg.rates || typeof cfg.rates !== 'object' || !(key in cfg.rates)) {
+            return writeJson(res, 200, { ok: true, key, removed: false });
+          }
+          delete cfg.rates[key];
+          ctx.writeConfig(cfg);
+          return writeJson(res, 200, { ok: true, key, removed: true });
+        }
         case route === 'GET /status': {
           const cfg = ctx.readConfig();
           return writeJson(res, 200, {
@@ -654,6 +809,52 @@ export function makeHandler(ctx) {
           const value = key === 'api-key' ? maskApiKey(raw) : raw;
           return writeJson(res, 200, { key, value });
         }
+        case req.method === 'PUT' && !!configKeyMatch && configKeyMatch[1] !== 'validate': {
+          // PUT /config/<key>  body: { value: <any> }
+          // Mirror of `lazyclaw config set <key> <value>`. Re-validates the
+          // whole config after the write so we never persist a broken state.
+          // Nested cargo (customProviders / rates / authProfiles) goes
+          // through its own dedicated endpoint — guarded here so a
+          // dashboard PUT can't bypass schema validation.
+          if (typeof ctx.writeConfig !== 'function') {
+            return writeJson(res, 405, { error: 'mutation disabled' });
+          }
+          const key = configKeyMatch[1];
+          if (key === 'customProviders' || key === 'rates' || key === 'authProfiles') {
+            return writeJson(res, 400, {
+              error: `use the dedicated endpoint for "${key}" — POST /providers · PUT /rates/<key> · authProfiles via CLI`,
+            });
+          }
+          let body;
+          try { body = await readJson(req); }
+          catch (e) { return writeJson(res, 400, { error: e?.message || String(e) }); }
+          const value = body && Object.prototype.hasOwnProperty.call(body, 'value') ? body.value : undefined;
+          const cfg = ctx.readConfig();
+          if (value === null || value === undefined) delete cfg[key];
+          else cfg[key] = value;
+          const v = validateConfig(cfg, PROVIDERS);
+          if (!v.ok) return writeJson(res, 422, v);
+          ctx.writeConfig(cfg);
+          const stored = key === 'api-key' && typeof cfg[key] === 'string' ? maskApiKey(cfg[key]) : cfg[key];
+          return writeJson(res, 200, { ok: true, key, value: stored });
+        }
+        case req.method === 'DELETE' && !!configKeyMatch && configKeyMatch[1] !== 'validate': {
+          // DELETE /config/<key> — same as `lazyclaw config delete`.
+          // Idempotent: 200 with `removed: false` when the key wasn't
+          // present.
+          if (typeof ctx.writeConfig !== 'function') {
+            return writeJson(res, 405, { error: 'mutation disabled' });
+          }
+          const key = configKeyMatch[1];
+          if (key === 'customProviders' || key === 'rates' || key === 'authProfiles') {
+            return writeJson(res, 400, { error: `delete via the dedicated endpoint for "${key}"` });
+          }
+          const cfg = ctx.readConfig();
+          if (!(key in cfg)) return writeJson(res, 200, { ok: true, key, removed: false });
+          delete cfg[key];
+          ctx.writeConfig(cfg);
+          return writeJson(res, 200, { ok: true, key, removed: true });
+        }
         case route === 'GET /doctor': {
           // Mirror the CLI doctor output — same field set so any tool that
           // already knows how to read CLI doctor JSON can hit this endpoint.
@@ -1465,8 +1666,19 @@ export async function startDaemon(opts) {
       setImmediate(() => server.close());
     }
   });
-  return new Promise((resolve) => {
+  return new Promise((resolve, reject) => {
+    // EADDRINUSE (and other listen-time errors) used to crash the
+    // process — listen() emits 'error' before the success callback
+    // fires, and we never wired that channel. Capture it once so
+    // callers (cmdDashboard / cmdDaemon) can choose to kill the
+    // occupant or fall back to a random port.
+    const onError = (err) => {
+      server.off('error', onError);
+      reject(err);
+    };
+    server.once('error', onError);
     server.listen(opts.port ?? 0, '127.0.0.1', () => {
+      server.off('error', onError);
       const addr = server.address();
       const port = typeof addr === 'object' && addr ? addr.port : 0;
       resolve({

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "lazyclaw",
-  "version": "3.99.15",
+  "version": "3.99.17",
   "description": "Lazy, elegant terminal CLI for chatting with Claude / OpenAI / Gemini / Ollama and orchestrating multi-step LLM workflows. Banner-on-launch, slash-command ghost autocomplete, persistent sessions, local HTTP gateway.",
   "keywords": [
     "claude",

package/web/dashboard.html CHANGED Viewed

@@ -41,8 +41,25 @@
       align-items: center;
       gap: 14px;
     }
-    .logo { font-weight: 700; font-size: 16px; color: var(--accent); }
+    .logo { font-weight: 700; font-size: 16px; color: var(--accent); display: flex; align-items: center; gap: 10px; }
+    .logo .mascot { width: 36px; height: 32px; flex: none; }
     .ver  { color: var(--dim); font-size: 11px; }
+    /* lazyclaude pixel-mascot — copied verbatim from dist/index.html so the
+       lazyclaw web dashboard wears the same character as the larger SPA. */
+    .mascot .mj-body   { animation: mj-jump 1s ease-in-out infinite; transform-origin: center bottom; }
+    .mascot .mj-shadow { animation: mj-sh   1s ease-in-out infinite; }
+    .mascot .mj-la     { animation: mj-wl   1s ease-in-out infinite; transform-origin: right center; }
+    .mascot .mj-ra     { animation: mj-wr   1s ease-in-out infinite; transform-origin: left center; }
+    .mascot .mj-le     { animation: mj-ear  1s ease-in-out infinite; transform-origin: center bottom; }
+    .mascot .mj-re     { animation: mj-ear  1s ease-in-out infinite .1s; transform-origin: center bottom; }
+    @keyframes mj-jump { 0%, 100% { transform: translateY(0) scaleY(1) scaleX(1); } 30% { transform: translateY(-10px) scaleY(1.1) scaleX(.95); } 50% { transform: translateY(-12px) scaleY(1.05) scaleX(.98); } 80% { transform: translateY(-3px) scaleY(.95) scaleX(1.05); } }
+    @keyframes mj-sh   { 0%, 100% { transform: scaleX(1); opacity: .25; } 50% { transform: scaleX(.4); opacity: .08; } }
+    @keyframes mj-wl   { 0%, 100% { transform: rotate(0); } 50% { transform: rotate(-25deg); } }
+    @keyframes mj-wr   { 0%, 100% { transform: rotate(0); } 50% { transform: rotate(25deg); } }
+    @keyframes mj-ear  { 0%, 100% { transform: scaleY(1); } 40% { transform: scaleY(1.2); } 60% { transform: scaleY(.85); } }
+    @media (prefers-reduced-motion: reduce) {
+      .mascot .mj-body, .mascot .mj-shadow, .mascot .mj-la, .mascot .mj-ra, .mascot .mj-le, .mascot .mj-re { animation: none; }
+    }
     nav.tabs {
       display: flex;
       gap: 2px;
@@ -221,6 +238,35 @@
     .banner.err  { border-color: rgba(239, 68, 68, 0.4); background: rgba(239, 68, 68, 0.06); }
     .banner ul { margin: 6px 0 0 18px; padding: 0; }
     .banner li { font-size: 12px; }
+    /* Modal — used by session/workflow/skill detail views, the rate-card
+       editor, and the custom-provider form. One stacking layer; only one
+       open at a time. */
+    .modal-backdrop { position: fixed; inset: 0; background: rgba(0,0,0,0.65); display: none; align-items: center; justify-content: center; z-index: 100; padding: 20px; }
+    .modal-backdrop.open { display: flex; }
+    .modal { background: var(--card); border: 1px solid var(--border); border-radius: 10px; max-width: min(720px, 96vw); width: 100%; max-height: 86vh; display: flex; flex-direction: column; box-shadow: 0 20px 60px rgba(0,0,0,0.5); }
+    .modal-head { padding: 14px 18px; border-bottom: 1px solid var(--border); display: flex; align-items: center; gap: 10px; }
+    .modal-head h3 { margin: 0; font-size: 16px; font-weight: 600; flex: 1; }
+    .modal-close { background: none; border: 0; color: var(--dim); cursor: pointer; font-size: 20px; line-height: 1; padding: 4px 8px; }
+    .modal-close:hover { color: var(--text); }
+    .modal-body { padding: 16px 18px; overflow-y: auto; flex: 1; }
+    .modal-foot { padding: 12px 18px; border-top: 1px solid var(--border); display: flex; gap: 8px; justify-content: flex-end; }
+    .clickable { cursor: pointer; }
+    .clickable:hover { background: rgba(217, 119, 87, 0.05); }
+    .turn { padding: 8px 12px; border-radius: 6px; margin-bottom: 8px; white-space: pre-wrap; word-wrap: break-word; font-size: 13px; }
+    .turn.user      { background: rgba(217, 119, 87, 0.10); border: 1px solid rgba(217, 119, 87, 0.25); }
+    .turn.assistant { background: rgba(74, 222, 128, 0.06); border: 1px solid rgba(74, 222, 128, 0.18); }
+    .turn.system    { background: rgba(245, 158, 11, 0.06); border: 1px solid rgba(245, 158, 11, 0.20); }
+    .turn .role-tag { display: block; color: var(--dim); font-size: 10px; text-transform: uppercase; letter-spacing: 0.05em; margin-bottom: 4px; }
+    .form-row { display: flex; flex-direction: column; gap: 4px; margin-bottom: 12px; }
+    .form-row label { color: var(--dim); font-size: 11px; text-transform: uppercase; letter-spacing: 0.05em; }
+    .form-row input, .form-row textarea { background: var(--bg); border: 1px solid var(--border); color: var(--text); padding: 8px 10px; border-radius: 6px; font: inherit; font-size: 13px; }
+    .form-row textarea { resize: vertical; min-height: 80px; font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; font-size: 12px; }
+    .row-actions { display: flex; gap: 6px; align-items: center; margin-left: auto; }
+    button.btn-sm { font-size: 12px; padding: 4px 10px; }
+    button.btn-danger { background: rgba(239,68,68,0.15); color: #ffb4b4; border: 1px solid rgba(239,68,68,0.3); }
+    button.btn-danger:hover { background: rgba(239,68,68,0.25); }
+    .markdown { font-size: 13px; line-height: 1.55; }
+    .markdown pre { font-size: 12px; }
     @media (max-width: 480px) {
       main { padding: 14px; }
       .grid { grid-template-columns: 1fr; }
@@ -239,7 +285,24 @@
 </head>
 <body>
   <header>
-    <div class="logo">🦞 LazyClaw</div>
+    <div class="logo">
+      <svg class="mascot" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 90" aria-hidden="true">
+        <ellipse class="mj-shadow" cx="50" cy="82" rx="22" ry="5" fill="#000"/>
+        <g class="mj-body">
+          <rect class="mj-le" x="22" y="10" width="8" height="14" fill="#d97757"/>
+          <rect class="mj-re" x="70" y="10" width="8" height="14" fill="#d97757"/>
+          <rect x="18" y="24" width="64" height="4" fill="#d97757"/>
+          <rect x="14" y="28" width="72" height="32" fill="#d97757"/>
+          <rect x="30" y="34" width="8" height="10" fill="#000"/>
+          <rect x="62" y="34" width="8" height="10" fill="#000"/>
+          <rect class="mj-la" x="2"  y="36" width="12" height="8" fill="#d97757"/>
+          <rect class="mj-ra" x="86" y="36" width="12" height="8" fill="#d97757"/>
+          <rect x="24" y="60" width="12" height="14" fill="#d97757"/>
+          <rect x="64" y="60" width="12" height="14" fill="#d97757"/>
+        </g>
+      </svg>
+      <span>LazyClaw</span>
+    </div>
     <div class="ver" id="version">…</div>
   </header>
@@ -283,6 +346,11 @@
     <section id="tab-providers">
       <h2>Providers</h2>
+      <div class="toolbar">
+        <button class="btn" onclick="openAddProviderModal()">+ Add custom OpenAI-compat</button>
+        <button class="btn btn-secondary" onclick="LOADERS.providers()">Refresh</button>
+        <span class="dim" id="providers-meta"></span>
+      </div>
       <div id="providers-list"><div class="empty">Loading…</div></div>
     </section>
@@ -312,6 +380,7 @@
     <section id="tab-rates">
       <h2>Rates</h2>
       <div class="toolbar">
+        <button class="btn" onclick="openRateCardModal()">+ Add / edit rate card</button>
         <input type="search" id="rates-filter" placeholder="filter by provider/model">
         <button class="btn btn-secondary" onclick="LOADERS.rates()">Refresh</button>
         <span class="dim" id="rates-meta"></span>
@@ -342,6 +411,7 @@
     <section id="tab-config">
       <h2>Config</h2>
       <div class="toolbar">
+        <button class="btn" onclick="openConfigEditModal()">+ Set key</button>
         <button class="btn btn-secondary" onclick="LOADERS.config()">Refresh</button>
         <span class="dim" id="config-meta"></span>
       </div>
@@ -359,6 +429,18 @@
     <span id="footer-url"></span>
   </footer>
+  <!-- Shared modal — opened by openModal({title, bodyHtml, footHtml}). -->
+  <div id="modal-backdrop" class="modal-backdrop" onclick="if(event.target===this)closeModal()">
+    <div class="modal" role="dialog" aria-modal="true">
+      <div class="modal-head">
+        <h3 id="modal-title"></h3>
+        <button class="modal-close" onclick="closeModal()" aria-label="Close">×</button>
+      </div>
+      <div class="modal-body" id="modal-body"></div>
+      <div class="modal-foot" id="modal-foot"></div>
+    </div>
+  </div>
   <script>
     // Tab switching ────────────────────────────────────────────────
     const tabs = document.querySelectorAll('nav.tabs button');
@@ -394,6 +476,25 @@
     function escHtml(s) {
       return String(s ?? '').replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
     }
+    // ── Shared modal ────────────────────────────────────────────────
+    // openModal({ title, bodyHtml, footHtml }) renders into the markup
+    // declared at the bottom of <body> and shows the backdrop. ESC and
+    // backdrop click close. Only one modal is open at a time — calling
+    // openModal while another is already open replaces its contents.
+    function openModal({ title, bodyHtml, footHtml }) {
+      document.getElementById('modal-title').textContent = title || '';
+      document.getElementById('modal-body').innerHTML = bodyHtml || '';
+      document.getElementById('modal-foot').innerHTML = footHtml || '';
+      document.getElementById('modal-backdrop').classList.add('open');
+    }
+    function closeModal() {
+      document.getElementById('modal-backdrop').classList.remove('open');
+      document.getElementById('modal-body').innerHTML = '';
+      document.getElementById('modal-foot').innerHTML = '';
+    }
+    document.addEventListener('keydown', (e) => {
+      if (e.key === 'Escape' && document.getElementById('modal-backdrop').classList.contains('open')) closeModal();
+    });
     function fmtDuration(ms) {
       if (!Number.isFinite(ms) || ms < 0) return '—';
       const s = Math.floor(ms / 1000);
@@ -422,9 +523,27 @@
     LOADERS.chat = async function loadChat() {
       try {
         const r = await api('/providers');
+        // GET /providers returns a bare array; older drafts wrapped it
+        // as { providers: [...] }. Accept both so the dashboard works
+        // against any daemon version users might happen to be running.
+        const arr = Array.isArray(r) ? r : (r.providers || []);
         const sel = document.getElementById('chat-assignee');
         sel.innerHTML = '';
-        for (const p of r.providers || []) {
+        if (arr.length === 0) {
+          const opt = document.createElement('option');
+          opt.value = ''; opt.textContent = '(no providers — run lazyclaw onboard)';
+          sel.appendChild(opt);
+          return;
+        }
+        // Preselect the configured default when possible so the user
+        // doesn't have to scroll through the list before sending the
+        // first message.
+        let defaultStatus = null;
+        try { defaultStatus = await api('/status'); } catch { /* keep going */ }
+        const defaultProv = defaultStatus?.provider || null;
+        const defaultModel = defaultStatus?.model || null;
+        const defaultValue = defaultProv && defaultModel ? `${defaultProv}:${defaultModel}` : defaultProv;
+        for (const p of arr) {
           const ms = (p.suggestedModels || []);
           if (!ms.length) {
             const opt = document.createElement('option');
@@ -439,6 +558,18 @@
             sel.appendChild(opt);
           }
         }
+        if (defaultValue) {
+          // Try exact match first (provider:model); fall back to any
+          // option starting with `<provider>:` if the configured model
+          // isn't in the suggested list.
+          const exact = Array.from(sel.options).find((o) => o.value === defaultValue);
+          if (exact) sel.value = defaultValue;
+          else {
+            const prefix = (defaultProv || '') + ':';
+            const byProv = Array.from(sel.options).find((o) => o.value.startsWith(prefix) || o.value === defaultProv);
+            if (byProv) sel.value = byProv.value;
+          }
+        }
       } catch (e) {
         document.getElementById('chat-meta').textContent = '⚠ ' + e.message;
       }
@@ -457,20 +588,76 @@
         root.innerHTML = '';
         arr.forEach((s) => {
           const div = document.createElement('div');
-          div.className = 'card row';
+          div.className = 'card row clickable';
           const id = s.id || s.sessionId || s.name || JSON.stringify(s);
           const turns = s.turns ?? s.turnCount ?? '';
           const updated = s.updatedAt || s.mtime || '';
-          div.innerHTML = `<div class="name">${id}</div>
+          div.innerHTML = `<div class="name">${escHtml(id)}</div>
             <div class="dim">${turns ? turns + ' turns' : ''}</div>
-            <div class="dim" style="margin-left:auto;">${updated}</div>`;
+            <div class="dim row-actions">${escHtml(updated)}</div>
+            <button class="btn btn-secondary btn-sm" data-action="view">View</button>
+            <button class="btn btn-secondary btn-sm" data-action="export">Export</button>
+            <button class="btn btn-danger btn-sm" data-action="delete">Delete</button>`;
+          div.addEventListener('click', (e) => {
+            const action = e.target.closest('button')?.dataset.action;
+            if (action === 'export') return openSessionExport(id);
+            if (action === 'delete') return deleteSession(id);
+            return openSessionDetail(id);
+          });
           root.appendChild(div);
         });
       } catch (e) {
-        root.innerHTML = `<div class="empty">⚠ ${e.message}</div>`;
+        root.innerHTML = `<div class="empty">⚠ ${escHtml(e.message)}</div>`;
       }
     };
+    async function openSessionDetail(id) {
+      openModal({ title: `Session — ${id}`, bodyHtml: '<div class="empty">Loading…</div>' });
+      try {
+        const r = await api('/sessions/' + encodeURIComponent(id));
+        const turns = r.turns || r.entries || r;
+        if (!Array.isArray(turns) || turns.length === 0) {
+          document.getElementById('modal-body').innerHTML = '<div class="empty">Empty session.</div>';
+          return;
+        }
+        const html = turns.map((t) => {
+          const role = (t.role || 'note').toLowerCase();
+          const content = String(t.content ?? t.text ?? '');
+          const ts = t.ts || t.timestamp || '';
+          return `<div class="turn ${escHtml(role)}">
+            <span class="role-tag">${escHtml(role)}${ts ? ' · ' + escHtml(ts) : ''}</span>${escHtml(content)}
+          </div>`;
+        }).join('');
+        document.getElementById('modal-body').innerHTML = html;
+      } catch (e) {
+        document.getElementById('modal-body').innerHTML = `<div class="empty">⚠ ${escHtml(e.message)}</div>`;
+      }
+    }
+    async function openSessionExport(id) {
+      openModal({ title: `Export — ${id}`, bodyHtml: '<div class="empty">Loading…</div>' });
+      try {
+        const r = await fetch('/sessions/' + encodeURIComponent(id) + '/export?format=md');
+        const text = await r.text();
+        document.getElementById('modal-body').innerHTML = `<pre>${escHtml(text)}</pre>`;
+        document.getElementById('modal-foot').innerHTML = `
+          <button class="btn btn-secondary" onclick="navigator.clipboard.writeText(${JSON.stringify(text)}); this.textContent='Copied!'; setTimeout(()=>this.textContent='Copy markdown',1200)">Copy markdown</button>
+          <button class="btn" onclick="closeModal()">Close</button>`;
+      } catch (e) {
+        document.getElementById('modal-body').innerHTML = `<div class="empty">⚠ ${escHtml(e.message)}</div>`;
+      }
+    }
+    async function deleteSession(id) {
+      if (!confirm(`Delete session "${id}"?\nTurn log will be permanently removed.`)) return;
+      try {
+        await fetch('/sessions/' + encodeURIComponent(id), { method: 'DELETE' });
+        LOADERS.sessions();
+      } catch (e) {
+        alert('Delete failed: ' + e.message);
+      }
+    }
     LOADERS.skills = async function loadSkills() {
       const root = document.getElementById('skills-list');
       root.innerHTML = '<div class="empty">Loading…</div>';
@@ -484,25 +671,60 @@
         root.innerHTML = '';
         arr.forEach((s) => {
           const div = document.createElement('div');
-          div.className = 'card';
+          div.className = 'card clickable';
           div.innerHTML = `<div class="row" style="border:0;padding:0;">
-              <div class="name">${s.name}</div>
-              <div class="dim" style="margin-left:auto;">${(s.bytes ?? '')} bytes</div>
+              <div class="name">${escHtml(s.name)}</div>
+              <div class="dim row-actions">${(s.bytes ?? '')} bytes</div>
+              <button class="btn btn-secondary btn-sm" data-action="view">View</button>
+              <button class="btn btn-danger btn-sm" data-action="delete">Delete</button>
             </div>
-            <div class="dim" style="margin-top:6px;">${s.summary || ''}</div>`;
+            <div class="dim" style="margin-top:6px;">${escHtml(s.summary || '')}</div>`;
+          div.addEventListener('click', (e) => {
+            const action = e.target.closest('button')?.dataset.action;
+            if (action === 'delete') return deleteSkill(s.name);
+            return openSkillDetail(s.name);
+          });
           root.appendChild(div);
         });
       } catch (e) {
-        root.innerHTML = `<div class="empty">⚠ ${e.message}</div>`;
+        root.innerHTML = `<div class="empty">⚠ ${escHtml(e.message)}</div>`;
       }
     };
+    async function openSkillDetail(name) {
+      openModal({ title: `Skill — ${name}`, bodyHtml: '<div class="empty">Loading…</div>' });
+      try {
+        // GET /skills/<name> returns the markdown body as text/markdown.
+        const r = await fetch('/skills/' + encodeURIComponent(name));
+        if (!r.ok) throw new Error(`${r.status} ${r.statusText}`);
+        const text = await r.text();
+        document.getElementById('modal-body').innerHTML = `<pre class="markdown">${escHtml(text)}</pre>`;
+        document.getElementById('modal-foot').innerHTML = `
+          <button class="btn btn-secondary" onclick="navigator.clipboard.writeText(${JSON.stringify(text)}); this.textContent='Copied!'; setTimeout(()=>this.textContent='Copy',1200)">Copy</button>
+          <button class="btn" onclick="closeModal()">Close</button>`;
+      } catch (e) {
+        document.getElementById('modal-body').innerHTML = `<div class="empty">⚠ ${escHtml(e.message)}</div>`;
+      }
+    }
+    async function deleteSkill(name) {
+      if (!confirm(`Remove skill "${name}"?`)) return;
+      try {
+        await fetch('/skills/' + encodeURIComponent(name), { method: 'DELETE' });
+        LOADERS.skills();
+      } catch (e) {
+        alert('Delete failed: ' + e.message);
+      }
+    }
     LOADERS.providers = async function loadProviders() {
       const root = document.getElementById('providers-list');
+      const meta = document.getElementById('providers-meta');
       root.innerHTML = '<div class="empty">Loading…</div>';
       try {
         const r = await api('/providers');
         const arr = r.providers || r;
+        meta.textContent = `${arr.length} registered`;
         root.innerHTML = '';
         arr.forEach((p) => {
           const div = document.createElement('div');
@@ -510,20 +732,132 @@
           const tag = p.requiresApiKey
             ? '<span class="pill warn">api key</span>'
             : '<span class="pill ok">no key</span>';
+          const customTag = p.custom ? ' <span class="pill" style="background:rgba(217,119,87,0.18);color:var(--accent);">custom</span>' : '';
+          const builtinCompat = p.builtinOpenAICompat ? ' <span class="pill" style="background:rgba(74,222,128,0.12);color:var(--ok);">openai-compat</span>' : '';
           const models = (p.suggestedModels || []).slice(0, 6).join(' · ') || '<span class="dim">(default)</span>';
+          const removeBtn = p.custom
+            ? `<button class="btn btn-danger btn-sm" data-action="remove">Remove</button>`
+            : '';
           div.innerHTML = `<div class="row" style="border:0;padding:0;">
-              <div class="name">${p.name}</div>${tag}
-              <div class="dim" style="margin-left:auto;">${p.endpoint || ''}</div>
+              <div class="name">${escHtml(p.name)}</div>${tag}${customTag}${builtinCompat}
+              <div class="dim row-actions">${escHtml(p.endpoint || '')}</div>
+              <button class="btn btn-secondary btn-sm" data-action="test">Test</button>
+              ${removeBtn}
             </div>
-            <div class="dim" style="margin-top:6px;">${p.docs || ''}</div>
-            <div style="margin-top:8px;font-size:12px;">${models}</div>`;
+            <div class="dim" style="margin-top:6px;">${escHtml(p.docs || '')}</div>
+            <div style="margin-top:8px;font-size:12px;">${models}</div>
+            <div class="dim" data-test-result style="margin-top:6px;font-size:11px;"></div>`;
+          div.addEventListener('click', async (e) => {
+            const btn = e.target.closest('button');
+            if (!btn) return;
+            if (btn.dataset.action === 'test') return testProvider(p.name, div);
+            if (btn.dataset.action === 'remove') return removeProvider(p.name);
+          });
           root.appendChild(div);
         });
       } catch (e) {
-        root.innerHTML = `<div class="empty">⚠ ${e.message}</div>`;
+        root.innerHTML = `<div class="empty">⚠ ${escHtml(e.message)}</div>`;
       }
     };
+    async function testProvider(name, cardEl) {
+      const out = cardEl.querySelector('[data-test-result]');
+      out.textContent = '⏳ probing…';
+      out.style.color = 'var(--dim)';
+      try {
+        const r = await fetch('/providers/' + encodeURIComponent(name) + '/test');
+        const body = await r.json();
+        if (body.ok) {
+          out.style.color = 'var(--ok)';
+          const reply = (body.reply || '').replace(/\s+/g, ' ').slice(0, 120);
+          out.textContent = `✓ ok · ${body.model} · ${body.durationMs}ms${reply ? ' · ' + reply : ''}`;
+        } else {
+          out.style.color = 'var(--err)';
+          out.textContent = `✗ ${body.error || 'failed'} · ${body.code || r.status}`;
+        }
+      } catch (e) {
+        out.style.color = 'var(--err)';
+        out.textContent = '✗ ' + (e.message || String(e));
+      }
+    }
+    async function removeProvider(name) {
+      if (!confirm(`Remove custom provider "${name}"?`)) return;
+      try {
+        const r = await fetch('/providers/' + encodeURIComponent(name), { method: 'DELETE' });
+        const body = await r.json();
+        if (!r.ok) throw new Error(body.error || `${r.status}`);
+        LOADERS.providers();
+      } catch (e) {
+        alert('Remove failed: ' + e.message);
+      }
+    }
+    function openAddProviderModal() {
+      openModal({
+        title: 'Add custom OpenAI-compat provider',
+        bodyHtml: `
+          <div class="dim" style="margin-bottom:14px;font-size:12px;">
+            Works with any service that speaks the OpenAI v1 wire format
+            (vLLM · LM Studio · private gateways · self-hosted DeepInfra).
+            Built-in aliases (<code>nim</code>, <code>openrouter</code>, <code>groq</code>, …)
+            can be overridden by registering a custom entry of the same name.
+          </div>
+          <div class="form-row">
+            <label for="add-prov-name">Name (short id, e.g. "nim", "openrouter")</label>
+            <input id="add-prov-name" autofocus placeholder="e.g. my-vllm" />
+          </div>
+          <div class="form-row">
+            <label for="add-prov-baseurl">Base URL (must end in /v1)</label>
+            <input id="add-prov-baseurl" placeholder="https://integrate.api.nvidia.com/v1" />
+          </div>
+          <div class="form-row">
+            <label for="add-prov-apikey">API key (blank for auth-less endpoints)</label>
+            <input id="add-prov-apikey" type="password" placeholder="nvapi-…" />
+          </div>
+          <div class="form-row">
+            <label for="add-prov-model">Default model id (optional)</label>
+            <input id="add-prov-model" placeholder="meta/llama-3.1-405b-instruct" />
+          </div>
+          <div id="add-prov-status" class="dim" style="font-size:12px;"></div>
+        `,
+        footHtml: `
+          <button class="btn btn-secondary" onclick="closeModal()">Cancel</button>
+          <button class="btn" onclick="submitAddProvider()">Save</button>
+        `,
+      });
+    }
+    async function submitAddProvider() {
+      const name = document.getElementById('add-prov-name').value.trim();
+      const baseUrl = document.getElementById('add-prov-baseurl').value.trim();
+      const apiKey = document.getElementById('add-prov-apikey').value.trim();
+      const defaultModel = document.getElementById('add-prov-model').value.trim();
+      const status = document.getElementById('add-prov-status');
+      status.style.color = 'var(--dim)';
+      status.textContent = 'Saving…';
+      try {
+        const r = await fetch('/providers', {
+          method: 'POST',
+          headers: { 'content-type': 'application/json' },
+          body: JSON.stringify({ name, baseUrl, apiKey: apiKey || undefined, defaultModel: defaultModel || undefined }),
+        });
+        const body = await r.json();
+        if (!r.ok) {
+          status.style.color = 'var(--err)';
+          status.textContent = '✗ ' + (body.error || `${r.status} ${r.statusText}`);
+          return;
+        }
+        status.style.color = 'var(--ok)';
+        const overrideNote = body.overridesBuiltin ? ' (overrides built-in)' : '';
+        status.textContent = `✓ saved — ${body.name} → ${body.baseUrl}${overrideNote}`;
+        setTimeout(() => { closeModal(); LOADERS.providers(); }, 700);
+      } catch (e) {
+        status.style.color = 'var(--err)';
+        status.textContent = '✗ ' + (e.message || String(e));
+      }
+    }
     LOADERS.status = async function loadStatus() {
       const root = document.getElementById('status-card');
       root.innerHTML = '<div class="empty">Loading…</div>';
@@ -584,23 +918,79 @@
           if (sm.resumable)   tags.push('<span class="pill warn">resumable</span>');
           if (sm.done)        tags.push('<span class="pill ok">done</span>');
           const total = sm.total ?? '';
-          return `<tr>
+          return `<tr class="clickable" data-wf-id="${escHtml(s.sessionId)}">
             <td><code>${escHtml(s.sessionId)}</code></td>
             <td>${tags.join(' ') || '<span class="dim">—</span>'}</td>
             <td class="num">${sm.done ?? 0} / ${total}</td>
             <td class="num">${sm.failed ?? 0}</td>
             <td class="dim">${escHtml(s.updatedAt || s.startedAt || '')}</td>
+            <td><button class="btn btn-danger btn-sm" data-action="wf-delete">Delete</button></td>
           </tr>`;
         }).join('');
         list.innerHTML = `<table class="tbl">
-          <thead><tr><th>Session</th><th>State</th><th>Done / Total</th><th>Failed</th><th>Updated</th></tr></thead>
+          <thead><tr><th>Session</th><th>State</th><th>Done / Total</th><th>Failed</th><th>Updated</th><th></th></tr></thead>
           <tbody>${rows}</tbody>
         </table>`;
+        list.querySelectorAll('tr[data-wf-id]').forEach((tr) => {
+          tr.addEventListener('click', (e) => {
+            const id = tr.getAttribute('data-wf-id');
+            const action = e.target.closest('button')?.dataset.action;
+            if (action === 'wf-delete') return deleteWorkflow(id);
+            return openWorkflowDetail(id);
+          });
+        });
       } catch (e) {
         list.innerHTML = `<div class="empty">⚠ ${escHtml(e.message)}</div>`;
       }
     };
+    async function openWorkflowDetail(id) {
+      openModal({ title: `Workflow — ${id}`, bodyHtml: '<div class="empty">Loading…</div>' });
+      try {
+        const r = await api('/workflows/' + encodeURIComponent(id));
+        const sm = r.summary || {};
+        const nodes = r.state?.nodeResults || r.nodeResults || {};
+        const nodeRows = Object.entries(nodes).map(([nid, n]) => {
+          const status = (n.status || '').toLowerCase();
+          const pillClass = status === 'failed' ? 'err' : (status === 'done' ? 'ok' : (status === 'running' ? 'warn' : ''));
+          const dur = n.durationMs != null ? fmtDuration(n.durationMs) : '—';
+          const out = String(n.output ?? n.error ?? '');
+          const truncated = out.length > 240 ? out.slice(0, 240) + '…' : out;
+          return `<tr>
+            <td><code>${escHtml(nid)}</code></td>
+            <td>${pillClass ? `<span class="pill ${pillClass}">${escHtml(status)}</span>` : escHtml(status || '—')}</td>
+            <td class="num">${dur}</td>
+            <td class="dim">${escHtml(truncated)}</td>
+          </tr>`;
+        }).join('');
+        const summaryHtml = `<div class="grid" style="margin-bottom:14px;">
+            <div class="stat"><div class="label">Total</div><div class="value">${sm.total ?? '—'}</div></div>
+            <div class="stat"><div class="label">Done</div><div class="value">${sm.done ?? 0}</div></div>
+            <div class="stat"><div class="label">Failed</div><div class="value" style="color:${sm.failed ? 'var(--err)' : 'inherit'}">${sm.failed ?? 0}</div></div>
+            <div class="stat"><div class="label">Running</div><div class="value">${sm.running ?? 0}</div></div>
+          </div>`;
+        const tableHtml = nodeRows
+          ? `<table class="tbl">
+              <thead><tr><th>Node</th><th>Status</th><th>Duration</th><th>Output / Error</th></tr></thead>
+              <tbody>${nodeRows}</tbody>
+            </table>`
+          : '<div class="empty">No node results yet.</div>';
+        document.getElementById('modal-body').innerHTML = summaryHtml + tableHtml;
+      } catch (e) {
+        document.getElementById('modal-body').innerHTML = `<div class="empty">⚠ ${escHtml(e.message)}</div>`;
+      }
+    }
+    async function deleteWorkflow(id) {
+      if (!confirm(`Delete workflow session "${id}"?\nState file will be permanently removed.`)) return;
+      try {
+        await fetch('/workflows/' + encodeURIComponent(id), { method: 'DELETE' });
+        LOADERS.workflows();
+      } catch (e) {
+        alert('Delete failed: ' + e.message);
+      }
+    }
     // ── Rates ────────────────────────────────────────────────────
     document.getElementById('rates-filter').addEventListener('input', debounce(() => LOADERS.rates(), 250));
@@ -638,24 +1028,115 @@
         }
         const rows = entries.map(([key, card]) => {
           const c = card || {};
-          return `<tr>
+          return `<tr data-rate-key="${escHtml(key)}">
             <td><code>${escHtml(key)}</code></td>
             <td class="num">${c.in ?? '—'}</td>
             <td class="num">${c.out ?? '—'}</td>
             <td class="num">${c['cache-read'] ?? '—'}</td>
             <td class="num">${c['cache-create'] ?? '—'}</td>
             <td class="dim">${escHtml(c.currency || 'USD')} / 1M tok</td>
+            <td>
+              <button class="btn btn-secondary btn-sm" data-action="rate-edit">Edit</button>
+              <button class="btn btn-danger btn-sm" data-action="rate-delete">Delete</button>
+            </td>
           </tr>`;
         }).join('');
         root.innerHTML = `<table class="tbl">
-          <thead><tr><th>Provider / Model</th><th>In</th><th>Out</th><th>Cache read</th><th>Cache create</th><th>Unit</th></tr></thead>
+          <thead><tr><th>Provider / Model</th><th>In</th><th>Out</th><th>Cache read</th><th>Cache create</th><th>Unit</th><th></th></tr></thead>
           <tbody>${rows}</tbody>
         </table>`;
+        root.querySelectorAll('tr[data-rate-key]').forEach((tr) => {
+          const key = tr.getAttribute('data-rate-key');
+          const card = (rates || {})[key] || {};
+          tr.querySelector('[data-action="rate-edit"]')?.addEventListener('click', () => openRateCardModal(key, card));
+          tr.querySelector('[data-action="rate-delete"]')?.addEventListener('click', () => deleteRateCard(key));
+        });
       } catch (e) {
         root.innerHTML = `<div class="empty">⚠ ${escHtml(e.message)}</div>`;
       }
     };
+    function openRateCardModal(existingKey = '', existingCard = {}) {
+      const c = existingCard || {};
+      openModal({
+        title: existingKey ? `Edit rate card — ${existingKey}` : 'Add rate card',
+        bodyHtml: `
+          <div class="dim" style="margin-bottom:12px;font-size:12px;">
+            Cost per 1M tokens (input / output / optional cache pricing).
+            Same shape as <code>lazyclaw rates set</code>. Saving the same
+            key overwrites the existing card.
+          </div>
+          <div class="form-row">
+            <label for="rate-key">Provider / model key</label>
+            <input id="rate-key" placeholder="anthropic/claude-opus-4-7" value="${escHtml(existingKey)}" ${existingKey ? 'readonly' : ''}/>
+          </div>
+          <div class="grid" style="grid-template-columns:1fr 1fr;gap:10px;margin-bottom:0;">
+            <div class="form-row"><label for="rate-in">Input (USD / 1M)</label><input id="rate-in" type="number" step="0.01" value="${c.in ?? ''}"/></div>
+            <div class="form-row"><label for="rate-out">Output (USD / 1M)</label><input id="rate-out" type="number" step="0.01" value="${c.out ?? ''}"/></div>
+            <div class="form-row"><label for="rate-cache-read">Cache read (optional)</label><input id="rate-cache-read" type="number" step="0.01" value="${c['cache-read'] ?? ''}"/></div>
+            <div class="form-row"><label for="rate-cache-create">Cache create (optional)</label><input id="rate-cache-create" type="number" step="0.01" value="${c['cache-create'] ?? ''}"/></div>
+            <div class="form-row"><label for="rate-currency">Currency</label><input id="rate-currency" value="${escHtml(c.currency || 'USD')}"/></div>
+          </div>
+          <div id="rate-status" class="dim" style="font-size:12px;margin-top:8px;"></div>
+        `,
+        footHtml: `
+          <button class="btn btn-secondary" onclick="closeModal()">Cancel</button>
+          <button class="btn" onclick="submitRateCard()">Save</button>
+        `,
+      });
+    }
+    async function submitRateCard() {
+      const key = document.getElementById('rate-key').value.trim();
+      const status = document.getElementById('rate-status');
+      if (!key) { status.style.color = 'var(--err)'; status.textContent = 'Key is required.'; return; }
+      const card = {
+        in: parseFloat(document.getElementById('rate-in').value) || 0,
+        out: parseFloat(document.getElementById('rate-out').value) || 0,
+        currency: document.getElementById('rate-currency').value.trim() || 'USD',
+      };
+      const cr = parseFloat(document.getElementById('rate-cache-read').value);
+      const cc = parseFloat(document.getElementById('rate-cache-create').value);
+      if (Number.isFinite(cr)) card['cache-read'] = cr;
+      if (Number.isFinite(cc)) card['cache-create'] = cc;
+      status.style.color = 'var(--dim)';
+      status.textContent = 'Saving…';
+      try {
+        const r = await fetch('/rates/' + encodeURIComponent(key), {
+          method: 'PUT',
+          headers: { 'content-type': 'application/json' },
+          body: JSON.stringify(card),
+        });
+        const body = await r.json();
+        if (!r.ok) {
+          status.style.color = 'var(--err)';
+          const issues = (body.issues || []).map(i => typeof i === 'string' ? i : JSON.stringify(i)).join('; ');
+          status.textContent = `✗ ${body.error || issues || `${r.status} ${r.statusText}`}`;
+          return;
+        }
+        status.style.color = 'var(--ok)';
+        status.textContent = `✓ saved`;
+        setTimeout(() => { closeModal(); LOADERS.rates(); }, 600);
+      } catch (e) {
+        status.style.color = 'var(--err)';
+        status.textContent = '✗ ' + (e.message || String(e));
+      }
+    }
+    async function deleteRateCard(key) {
+      if (!confirm(`Delete rate card "${key}"?`)) return;
+      try {
+        const r = await fetch('/rates/' + encodeURIComponent(key), { method: 'DELETE' });
+        if (!r.ok) {
+          const body = await r.json().catch(() => ({}));
+          throw new Error(body.error || `${r.status}`);
+        }
+        LOADERS.rates();
+      } catch (e) {
+        alert('Delete failed: ' + e.message);
+      }
+    }
     // ── Metrics ──────────────────────────────────────────────────
     LOADERS.metrics = async function loadMetrics() {
       const cards = document.getElementById('metrics-cards');
@@ -748,21 +1229,121 @@
           root.innerHTML = '<div class="empty">No config yet. Run <code>lazyclaw onboard</code>.</div>';
           return;
         }
+        const NESTED = new Set(['customProviders', 'rates', 'authProfiles', 'authActiveProfile']);
         const rows = keys.sort().map((k) => {
           const v = cfg[k];
           const display = v && typeof v === 'object' ? JSON.stringify(v) : String(v);
-          return `<tr><td><code>${escHtml(k)}</code></td><td>${escHtml(display)}</td></tr>`;
+          const nested = NESTED.has(k);
+          const editBtn = nested
+            ? `<span class="dim" style="font-size:11px;">use the dedicated tab</span>`
+            : `<button class="btn btn-secondary btn-sm" data-action="cfg-edit" data-key="${escHtml(k)}">Edit</button>
+               <button class="btn btn-danger btn-sm" data-action="cfg-delete" data-key="${escHtml(k)}">Delete</button>`;
+          return `<tr><td><code>${escHtml(k)}</code></td><td>${escHtml(display)}</td><td>${editBtn}</td></tr>`;
         }).join('');
         root.innerHTML = `<table class="tbl">
-          <thead><tr><th style="width:30%">Key</th><th>Value</th></tr></thead>
+          <thead><tr><th style="width:25%">Key</th><th>Value</th><th style="width:160px"></th></tr></thead>
           <tbody>${rows}</tbody>
         </table>`;
+        root.querySelectorAll('[data-action="cfg-edit"]').forEach((b) => {
+          b.addEventListener('click', () => openConfigEditModal(b.dataset.key, cfg[b.dataset.key]));
+        });
+        root.querySelectorAll('[data-action="cfg-delete"]').forEach((b) => {
+          b.addEventListener('click', () => deleteConfigKey(b.dataset.key));
+        });
         raw.textContent = JSON.stringify(cfg, null, 2);
       } catch (e) {
         root.innerHTML = `<div class="empty">⚠ ${escHtml(e.message)}</div>`;
       }
     };
+    function openConfigEditModal(existingKey = '', existingValue = '') {
+      // Stringify for the editor; objects/arrays become JSON, primitives stay
+      // raw. Submitter parses JSON when the value looks like JSON, else
+      // sends a string verbatim — same behaviour as `lazyclaw config set`.
+      let display = '';
+      if (typeof existingValue === 'string') display = existingValue;
+      else if (existingValue == null) display = '';
+      else display = JSON.stringify(existingValue, null, 2);
+      openModal({
+        title: existingKey ? `Edit config — ${existingKey}` : 'Set config key',
+        bodyHtml: `
+          <div class="dim" style="margin-bottom:12px;font-size:12px;">
+            Mirrors <code>lazyclaw config set &lt;key&gt; &lt;value&gt;</code>. Values that look like
+            JSON (start with <code>{</code> / <code>[</code> / <code>"</code> / <code>true</code> / <code>false</code> / a number)
+            are parsed; everything else is stored as a plain string. Nested
+            stores (<code>customProviders</code>, <code>rates</code>, <code>authProfiles</code>) have their own
+            tabs — this form rejects them.
+          </div>
+          <div class="form-row">
+            <label for="cfg-key">Key</label>
+            <input id="cfg-key" placeholder="provider · model · api-key · skills · …" value="${escHtml(existingKey)}" ${existingKey ? 'readonly' : ''}/>
+          </div>
+          <div class="form-row">
+            <label for="cfg-value">Value</label>
+            <textarea id="cfg-value" rows="6">${escHtml(display)}</textarea>
+          </div>
+          <div id="cfg-status" class="dim" style="font-size:12px;"></div>
+        `,
+        footHtml: `
+          <button class="btn btn-secondary" onclick="closeModal()">Cancel</button>
+          <button class="btn" onclick="submitConfigEdit()">Save</button>
+        `,
+      });
+    }
+    async function submitConfigEdit() {
+      const key = document.getElementById('cfg-key').value.trim();
+      const raw = document.getElementById('cfg-value').value;
+      const status = document.getElementById('cfg-status');
+      if (!key) { status.style.color = 'var(--err)'; status.textContent = 'Key is required.'; return; }
+      // Heuristic JSON parse — same surface as the CLI: try parse; if it
+      // throws, send the raw string. Numbers / true / false / null / objects /
+      // arrays / quoted strings end up correctly typed.
+      let value;
+      const trimmed = raw.trim();
+      if (trimmed === '') value = '';
+      else {
+        try { value = JSON.parse(trimmed); }
+        catch { value = raw; }
+      }
+      status.style.color = 'var(--dim)';
+      status.textContent = 'Saving…';
+      try {
+        const r = await fetch('/config/' + encodeURIComponent(key), {
+          method: 'PUT',
+          headers: { 'content-type': 'application/json' },
+          body: JSON.stringify({ value }),
+        });
+        const body = await r.json();
+        if (!r.ok) {
+          status.style.color = 'var(--err)';
+          const issues = (body.issues || []).map(i => typeof i === 'string' ? i : JSON.stringify(i)).join('; ');
+          status.textContent = `✗ ${body.error || issues || `${r.status} ${r.statusText}`}`;
+          return;
+        }
+        status.style.color = 'var(--ok)';
+        status.textContent = '✓ saved';
+        setTimeout(() => { closeModal(); LOADERS.config(); }, 600);
+      } catch (e) {
+        status.style.color = 'var(--err)';
+        status.textContent = '✗ ' + (e.message || String(e));
+      }
+    }
+    async function deleteConfigKey(key) {
+      if (!confirm(`Delete config key "${key}"?`)) return;
+      try {
+        const r = await fetch('/config/' + encodeURIComponent(key), { method: 'DELETE' });
+        if (!r.ok) {
+          const body = await r.json().catch(() => ({}));
+          throw new Error(body.error || `${r.status}`);
+        }
+        LOADERS.config();
+      } catch (e) {
+        alert('Delete failed: ' + e.message);
+      }
+    }
     // First load = chat tab.
     LOADERS.chat();