leedab 0.2.6 → 0.3.1

package/README.md

@@ -2,7 +2,7 @@
 
 **Living OS. An autonomous AI agent that runs on your machine.**
 
-LeedAB installs on any Mac, Windows, or Linux computer and becomes an AI agent for your enterprise. It talks to your team on WhatsApp and Telegram, learns your operations, uses your computer like a team member would, and keeps every byte of data on your hardware.
+LeedAB installs on any Mac, Windows, or Linux computer and becomes an AI agent for your enterprise. It talks to your team on WhatsApp, Telegram, and Microsoft Teams, learns your operations, uses your computer like a team member would, and keeps every byte of data on your hardware.
 
 ## Install
 
@@ -20,43 +20,49 @@ You'll need a license key. Get one at [leedab.com](https://www.leedab.com).
 
 ## What you get
 
-- **Messaging** - your team talks to the agent on WhatsApp, Telegram, or Slack. No new app to learn.
+- **Messaging** - your team talks to the agent on WhatsApp, Telegram, or Microsoft Teams. No new app to learn.
+- **Pre-built workflows** - one-click runs for credit notes, deduction reconciliation, attendance imports, delay detection, and more. Tailored to your license pack.
+- **Specialised agents** - a roster of operators (COO, Procurement, CX, Finance, Sales, People, Concierge) tuned to your vertical. Founder packs unlock the full 26-agent internal team.
 - **Computer use** - the agent opens browsers, reads screens, navigates apps, and fills forms.
 - **Memory** - persistent across conversations. It learns your business and never starts from scratch.
 - **Credential vault** - AES-256-GCM encrypted. The agent logs into services using stored credentials.
-- **Dashboard** - web console at `localhost:3000` with agent status, sessions, and team management.
+- **Dashboard** - web console at `localhost:3000` with operators, sessions, workflows, and admin.
 - **Local-first** - files, credentials, memory, and logs stay on your machine.
 
 ## Commands
 
 ```
-leedab onboard          Setup wizard
-leedab start            Start the agent and dashboard
-leedab terminal         Chat with the agent in terminal
-leedab stop             Stop the agent
-leedab configure model  Change LLM provider or model
-leedab vault add <svc>  Store credentials for a service
-leedab pairing add      Add users to channel allowlist
-leedab team add <name>  Add a team member
-leedab sessions         View conversation sessions
-leedab --help           All commands
+leedab onboard              Setup wizard
+leedab start                Start the agent and dashboard
+leedab dashboard            Open the dashboard in your browser
+leedab terminal             Chat with the agent in terminal
+leedab stop                 Stop the agent
+leedab license              Show license details — tier, seats, status
+leedab configure model      Change LLM provider or model
+leedab vault add <svc>      Store credentials for a service
+leedab pairing add <ch> <u> Add users to a channel allowlist
+leedab channels             List configured channels
+leedab team add <name>      Add a team member
+leedab sessions             View conversation sessions
+leedab --help               All commands
 ```
 
 ## Requirements
 
 - macOS, Windows, or Linux
 - A license key from [leedab.com](https://www.leedab.com)
-- An LLM API key (Anthropic, OpenAI, Google, DeepSeek, or OpenRouter)
+- An LLM API key (Anthropic, OpenAI, Google, DeepSeek, OpenRouter, or Amazon Bedrock)
 
 The one-liner installer handles Node.js and all dependencies for you.
 
 ## Security
 
-- All data stored locally in `.leedab/`
+- All data stored locally in `~/.leedab/`
 - Credentials encrypted with AES-256-GCM
 - Per-channel allowlists control who can message the agent
-- Team roles with admin, operator, and viewer access
+- Team roles with owner, admin, and member access
 - Full audit log of every interaction
+- License payload signed (Ed25519) and verified locally so a tampered cache can't elevate tier
 
 ## License
 

package/bin/leedab.js

@@ -11,7 +11,7 @@ import { startGateway, stopGateway } from "../dist/gateway.js";
 import { loadConfig, initConfig } from "../dist/config/index.js";
 import { setupChannels } from "../dist/channels/index.js";
 import { runOnboard } from "../dist/onboard/index.js";
-import { startDashboard } from "../dist/dashboard/server.js";
+import { startConsole, stopConsole } from "../dist/console-launcher.js";
 import { execBranded } from "../dist/brand.js";
 import { resolveOpenClawBin, openclawEnv } from "../dist/openclaw.js";
 import { addEntry, removeEntry, listEntries, encryptVault, decryptVault } from "../dist/vault.js";
@@ -203,7 +203,9 @@ program
       const { logPath } = await startGateway(config);
       clearInterval(rotate);
       spinner.succeed(chalk.green("LeedAB is live"));
-      await startDashboard(config, parseInt(opts.dashboardPort));
+
+      // Boot the Next.js console (apps/console).
+      const { logPath: consoleLogPath } = await startConsole(parseInt(opts.dashboardPort));
 
       const enabledChannels = Object.entries(config.channels)
         .filter(([_, v]) => v?.enabled)
@@ -214,12 +216,13 @@ program
       console.log();
       const dashUrl = `http://localhost:${opts.dashboardPort}`;
       const link = `\x1b]8;;${dashUrl}\x1b\\${dashUrl}\x1b]8;;\x1b\\`;
-      console.log(`  ${chalk.cyan(link)}    Dashboard`);
+      console.log(`  ${chalk.cyan(link)}    Console`);
       if (enabledChannels.length > 0) {
         console.log(`  ${chalk.green("Channels")}                 ${enabledChannels.join(", ")}`);
       }
       console.log();
-      console.log(chalk.dim(`  Logs: ${logPath}`));
+      console.log(chalk.dim(`  Gateway log: ${logPath}`));
+      console.log(chalk.dim(`  Console log: ${consoleLogPath}`));
       console.log();
     } catch (err) {
       clearInterval(rotate);
@@ -230,14 +233,14 @@ program
 
 program
   .command("dashboard")
-  .description("Open the setup dashboard (without starting the agent)")
+  .description("Open the LeedAB console (without starting the agent)")
   .option("-c, --config <path>", "Path to config file", resolve(STATE_DIR, "config.json"))
-  .option("-p, --port <port>", "Dashboard port", "3000")
+  .option("-p, --port <port>", "Console port", "3000")
   .action(async (opts) => {
     try {
-      const config = await loadConfig(opts.config);
-      console.log(chalk.bold("\n  LeedAB Dashboard\n"));
-      await startDashboard(config, parseInt(opts.port));
+      await loadConfig(opts.config);
+      console.log(chalk.bold("\n  LeedAB Console\n"));
+      await startConsole(parseInt(opts.port));
       console.log(chalk.dim("  Open the URL above in your browser.\n"));
     } catch (err) {
       console.error(chalk.red(`Failed: ${err.message}`));
@@ -283,6 +286,7 @@ program
   .command("stop")
   .description("Stop the LeedAB agent")
   .action(async () => {
+    await stopConsole().catch(() => {});
     await stopGateway();
     console.log(chalk.green("LeedAB agent stopped."));
   });

package/dist/console-launcher.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Start the console subprocess on the given port. Resolves once the
+ * subprocess is alive (we don't poll the port; `next start` exits on its
+ * own if the port is taken or the build is missing, so a process-error
+ * would surface there).
+ */
+export declare function startConsole(port?: number): Promise<{
+    url: string;
+    logPath: string;
+}>;
+export declare function stopConsole(): Promise<void>;

package/dist/console-launcher.js

@@ -0,0 +1,184 @@
+// Spawn the LeedAB console (Next.js app at apps/console) as a subprocess.
+// `leedab start` and `leedab dashboard` use this to swap the legacy
+// src/dashboard server for the modern Next.js admin UI.
+//
+// Production-only: requires a built `.next` directory (`npm run build`
+// inside apps/console). For dev, run `npm run dev` from apps/console
+// directly — that gives hot reload and is independent of the gateway.
+import { spawn } from "node:child_process";
+import { createWriteStream, existsSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import { mkdir } from "node:fs/promises";
+import { resolve, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { STATE_DIR } from "./paths.js";
+let consoleProcess = null;
+// Cross-process handle for `leedab stop`. The leedab start process and the
+// leedab stop process are different OS processes, so an in-memory ref to
+// the spawned console isn't enough — stop reads the PID from this file.
+const PID_FILE = resolve(STATE_DIR, "console.pid");
+function writePidFile(pid) {
+    try {
+        writeFileSync(PID_FILE, String(pid), "utf8");
+    }
+    catch {
+        // best-effort — losing the pid file just means leedab stop falls back
+        // to the in-process handle, which is correct in the common case.
+    }
+}
+function readPidFile() {
+    try {
+        const raw = readFileSync(PID_FILE, "utf8").trim();
+        const pid = Number.parseInt(raw, 10);
+        return Number.isFinite(pid) && pid > 0 ? pid : null;
+    }
+    catch {
+        return null;
+    }
+}
+function clearPidFile() {
+    try {
+        unlinkSync(PID_FILE);
+    }
+    catch {
+        // already gone, fine
+    }
+}
+function isAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/** Walk up from this module to find the leedab repo root. */
+function findRepoRoot() {
+    let dir = dirname(fileURLToPath(import.meta.url));
+    for (let i = 0; i < 10; i++) {
+        const pkgPath = resolve(dir, "package.json");
+        if (existsSync(pkgPath)) {
+            try {
+                const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+                if (pkg.name === "leedab")
+                    return dir;
+            }
+            catch {
+                // ignore unreadable / non-JSON
+            }
+        }
+        const parent = resolve(dir, "..");
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    throw new Error("Could not locate the leedab repo root from the console launcher.");
+}
+function consoleDir() {
+    return resolve(findRepoRoot(), "apps", "console");
+}
+/**
+ * Start the console subprocess on the given port. Resolves once the
+ * subprocess is alive (we don't poll the port; `next start` exits on its
+ * own if the port is taken or the build is missing, so a process-error
+ * would surface there).
+ */
+export async function startConsole(port = 3000) {
+    const dir = consoleDir();
+    const buildDir = resolve(dir, ".next");
+    if (!existsSync(buildDir)) {
+        throw new Error(`Console build not found at ${buildDir}.\n` +
+            `Run \`cd ${dir} && npm run build\` once, then retry.`);
+    }
+    const nextBin = resolve(dir, "node_modules", ".bin", "next");
+    if (!existsSync(nextBin)) {
+        throw new Error(`Next.js binary not found at ${nextBin}.\n` +
+            `Run \`cd ${dir} && npm install\` first.`);
+    }
+    const logDir = resolve(STATE_DIR, "logs");
+    await mkdir(logDir, { recursive: true });
+    const today = new Date().toISOString().slice(0, 10);
+    const logPath = resolve(logDir, `console-${today}.log`);
+    const logStream = createWriteStream(logPath, { flags: "a" });
+    // If a previous run left a stale pid, clear it before spawning so a
+    // failed start doesn't leave us pointing at a dead process.
+    const stale = readPidFile();
+    if (stale && !isAlive(stale))
+        clearPidFile();
+    consoleProcess = spawn(nextBin, ["start", "-H", "127.0.0.1", "-p", String(port)], {
+        cwd: dir,
+        env: {
+            ...process.env,
+            LEEDAB_STATE_DIR: STATE_DIR,
+            NODE_ENV: "production",
+        },
+        stdio: ["inherit", "pipe", "pipe"],
+    });
+    if (consoleProcess.pid)
+        writePidFile(consoleProcess.pid);
+    if (consoleProcess.stdout)
+        consoleProcess.stdout.pipe(logStream);
+    if (consoleProcess.stderr)
+        consoleProcess.stderr.pipe(logStream);
+    consoleProcess.on("error", (err) => {
+        console.error(`Console process error: ${err.message}`);
+    });
+    consoleProcess.on("exit", () => {
+        // If the subprocess crashed or was killed externally, drop the pid
+        // file so the next stop/start sequence isn't confused.
+        clearPidFile();
+    });
+    // Clean up on parent SIGTERM/SIGINT alongside the gateway.
+    const cleanup = () => {
+        if (consoleProcess) {
+            consoleProcess.kill("SIGTERM");
+            consoleProcess = null;
+        }
+        clearPidFile();
+    };
+    process.once("SIGTERM", cleanup);
+    process.once("SIGINT", cleanup);
+    return { url: `http://localhost:${port}`, logPath };
+}
+export async function stopConsole() {
+    // Same-process path first: if we hold the handle, kill directly.
+    if (consoleProcess) {
+        consoleProcess.kill("SIGTERM");
+        consoleProcess = null;
+        clearPidFile();
+        return;
+    }
+    // Cross-process path (`leedab stop` from a different terminal): signal
+    // the PID we wrote at start time. If it's already gone or was reaped,
+    // clear the stale file and return cleanly.
+    const pid = readPidFile();
+    if (!pid)
+        return;
+    if (!isAlive(pid)) {
+        clearPidFile();
+        return;
+    }
+    try {
+        process.kill(pid, "SIGTERM");
+    }
+    catch {
+        // already gone in the race window — fine.
+    }
+    // Give next a moment to flush + exit; if it's still alive after the
+    // grace window, escalate to SIGKILL so the operator isn't left with a
+    // zombie they have to hunt with `lsof`.
+    for (let i = 0; i < 20; i++) {
+        if (!isAlive(pid))
+            break;
+        await new Promise((r) => setTimeout(r, 250));
+    }
+    if (isAlive(pid)) {
+        try {
+            process.kill(pid, "SIGKILL");
+        }
+        catch {
+            // already gone
+        }
+    }
+    clearPidFile();
+}

package/dist/gateway.js

@@ -25,6 +25,10 @@ export async function startGateway(config) {
     await seedWorkspace();
     // Auto-approve all tool executions (enterprise local deployment)
     await ensureAutoApprove(bin, env);
+    // Make sure the OpenAI-compat /v1/chat/completions HTTP endpoint is on.
+    // The Next.js console proxies every chat through it, and OpenClaw ships
+    // it disabled by default.
+    await ensureChatCompletionsEndpoint(stateDir);
     // Register channels before starting gateway
     await registerChannels(bin, stateDir, config);
     // Start gateway, pipe output to log file instead of terminal
@@ -129,6 +133,41 @@ async function registerChannels(bin, stateDir, config) {
         }
     }
 }
+/**
+ * Idempotently flip `gateway.http.endpoints.chatCompletions.enabled` to true
+ * in ~/.leedab/openclaw.json. The console (Next.js, apps/console) proxies
+ * every chat call through that endpoint, and OpenClaw ships it disabled.
+ *
+ * Safe to run on every startGateway: if the file is missing (first run
+ * before onboard) we no-op; if the flag is already true we don't write.
+ */
+async function ensureChatCompletionsEndpoint(stateDir) {
+    const configPath = resolve(stateDir, "openclaw.json");
+    let raw;
+    try {
+        raw = await readFile(configPath, "utf-8");
+    }
+    catch {
+        // No openclaw.json yet — onboard hasn't run. Skip; openclaw will create
+        // the file and a subsequent `leedab start` will flip the flag.
+        return;
+    }
+    let cfg;
+    try {
+        cfg = JSON.parse(raw);
+    }
+    catch {
+        return;
+    }
+    cfg.gateway = cfg.gateway ?? {};
+    cfg.gateway.http = cfg.gateway.http ?? {};
+    cfg.gateway.http.endpoints = cfg.gateway.http.endpoints ?? {};
+    cfg.gateway.http.endpoints.chatCompletions = cfg.gateway.http.endpoints.chatCompletions ?? {};
+    if (cfg.gateway.http.endpoints.chatCompletions.enabled === true)
+        return;
+    cfg.gateway.http.endpoints.chatCompletions.enabled = true;
+    await writeFile(configPath, JSON.stringify(cfg, null, 2) + "\n");
+}
 /**
  * Set up exec-approvals so the agent can run tools without prompting.
  * Safe for local enterprise deployments where the admin controls the box.

package/dist/index.d.ts

@@ -2,5 +2,5 @@ export { startGateway, stopGateway } from "./gateway.js";
 export { loadConfig, initConfig } from "./config/index.js";
 export { setupChannels } from "./channels/index.js";
 export { runOnboard } from "./onboard/index.js";
-export { startDashboard } from "./dashboard/server.js";
+export { startConsole, stopConsole } from "./console-launcher.js";
 export type { LeedABConfig } from "./config/schema.js";

package/dist/index.js

@@ -2,4 +2,4 @@ export { startGateway, stopGateway } from "./gateway.js";
 export { loadConfig, initConfig } from "./config/index.js";
 export { setupChannels } from "./channels/index.js";
 export { runOnboard } from "./onboard/index.js";
-export { startDashboard } from "./dashboard/server.js";
+export { startConsole, stopConsole } from "./console-launcher.js";

package/dist/license.d.ts

@@ -6,6 +6,8 @@ export interface LicenseInfo {
     seatsUsed: number;
     maxSeats: number;
     validatedAt: string;
+    expiresAt?: string;
+    signature?: string;
     email?: string;
     name?: string;
     orgName?: string;

package/dist/license.js

@@ -38,6 +38,8 @@ export async function validateLicenseKey(key) {
         seatsUsed: data.seats_used ?? 0,
         maxSeats: data.max_seats ?? 1,
         validatedAt: new Date().toISOString(),
+        expiresAt: data.expires_at ?? undefined,
+        signature: data.signature ?? undefined,
         email: data.email ?? undefined,
         name: data.name ?? undefined,
         orgName: data.org_name ?? undefined,

package/dist/onboard/steps/provider.d.ts

@@ -5,6 +5,12 @@ export interface ProviderResult {
 }
 /**
  * Write the chosen model into .leedab/openclaw.json so the gateway actually uses it.
+ *
+ * Allowlist also gets every sibling model for the chosen provider, so the console's
+ * per-agent defaultModel (which can vary across COO, Procurement, CX, etc.) is
+ * accepted without re-onboarding. A single-model allowlist forces every agent to
+ * the same backend and surfaces as "Model X is not allowed for agent main" the
+ * first time a workflow routes through a non-primary agent.
  */
-export declare function updateOpenClawModel(openclawModel: string): Promise<void>;
+export declare function updateOpenClawModel(openclawModel: string, providerValue?: string): Promise<void>;
 export declare function onboardProvider(): Promise<ProviderResult | null>;

package/dist/onboard/steps/provider.js

@@ -14,7 +14,7 @@ const PROVIDERS = [
         models: [
             { name: "Claude Opus 4.7    — most capable", value: "claude-opus-4-7", openclaw: "anthropic/claude-opus-4-7" },
             { name: "Claude Sonnet 4.6  — fast, capable (recommended)", value: "claude-sonnet-4-6", openclaw: "anthropic/claude-sonnet-4-6" },
-            { name: "Claude Haiku 4.5   — fastest, cheapest", value: "claude-haiku-4-5", openclaw: "anthropic/claude-haiku-4-5" },
+            { name: "Claude Haiku 4.5   — fastest, cheapest", value: "claude-haiku-4-5", openclaw: "anthropic/claude-haiku-4-5-20251001" },
         ],
     },
     {
@@ -56,7 +56,7 @@ const PROVIDERS = [
         models: [
             { name: "Claude Sonnet 4.6 via Bedrock", value: "anthropic.claude-sonnet-4-6", openclaw: "anthropic/claude-sonnet-4-6" },
             { name: "Claude Opus 4.7 via Bedrock", value: "anthropic.claude-opus-4-7", openclaw: "anthropic/claude-opus-4-7" },
-            { name: "Claude Haiku 4.5 via Bedrock", value: "anthropic.claude-haiku-4-5", openclaw: "anthropic/claude-haiku-4-5" },
+            { name: "Claude Haiku 4.5 via Bedrock", value: "anthropic.claude-haiku-4-5", openclaw: "anthropic/claude-haiku-4-5-20251001" },
         ],
     },
     {
@@ -163,8 +163,14 @@ async function passKeyToOpenClaw(flag, apiKey) {
 }
 /**
  * Write the chosen model into .leedab/openclaw.json so the gateway actually uses it.
+ *
+ * Allowlist also gets every sibling model for the chosen provider, so the console's
+ * per-agent defaultModel (which can vary across COO, Procurement, CX, etc.) is
+ * accepted without re-onboarding. A single-model allowlist forces every agent to
+ * the same backend and surfaces as "Model X is not allowed for agent main" the
+ * first time a workflow routes through a non-primary agent.
  */
-export async function updateOpenClawModel(openclawModel) {
+export async function updateOpenClawModel(openclawModel, providerValue) {
     const configPath = resolve(STATE_DIR, "openclaw.json");
     try {
         const raw = JSON.parse(await readFile(configPath, "utf-8"));
@@ -173,7 +179,17 @@ export async function updateOpenClawModel(openclawModel) {
         if (!raw.agents.defaults)
             raw.agents.defaults = {};
         raw.agents.defaults.model = { primary: openclawModel };
-        raw.agents.defaults.models = { [openclawModel]: {} };
+        const allowed = new Set([openclawModel]);
+        if (providerValue) {
+            const provider = PROVIDERS.find(p => p.value === providerValue);
+            if (provider)
+                for (const m of provider.models)
+                    allowed.add(m.openclaw);
+        }
+        const models = {};
+        for (const id of allowed)
+            models[id] = {};
+        raw.agents.defaults.models = models;
         await writeFile(configPath, JSON.stringify(raw, null, 2) + "\n");
     }
     catch {
@@ -203,7 +219,7 @@ export async function onboardProvider() {
             if (existing.provider.flag) {
                 await passKeyToOpenClaw(existing.provider.flag, apiKey);
             }
-            await updateOpenClawModel(model.openclaw);
+            await updateOpenClawModel(model.openclaw, existing.provider.value);
             console.log(chalk.green(`  Using ${existing.provider.name}. Model: ${model.value}`));
             return {
                 provider: existing.provider.value,
@@ -238,7 +254,7 @@ export async function onboardProvider() {
         }
         const bedrockProvider = PROVIDERS.find((p) => p.value === "bedrock");
         const model = await pickModel(bedrockProvider);
-        await updateOpenClawModel(model.openclaw);
+        await updateOpenClawModel(model.openclaw, "bedrock");
         return {
             provider: "bedrock",
             apiKey: "",
@@ -283,7 +299,7 @@ export async function onboardProvider() {
         await passKeyToOpenClaw(selected.flag, trimmedKey);
     }
     const model = await pickModel(selected);
-    await updateOpenClawModel(model.openclaw);
+    await updateOpenClawModel(model.openclaw, selected.value);
     console.log(chalk.green(`\n  Using ${selected.name}. Model: ${model.value}`));
     return {
         provider: selected.value,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "leedab",
-  "version": "0.2.6",
+  "version": "0.3.1",
   "description": "LeedAB — Your enterprise AI agent. Local-first, private by default.",
   "license": "SEE LICENSE IN LICENSE",
   "author": "LeedAB <hello@leedab.com>",
@@ -16,7 +16,7 @@
     "LICENSE"
   ],
   "scripts": {
-    "build": "tsc && rm -rf dist/dashboard/static dist/templates && cp -r src/dashboard/static dist/dashboard/static && cp -r src/templates dist/templates",
+    "build": "tsc && rm -rf dist/templates && cp -r src/templates dist/templates",
     "dev": "tsc --watch",
     "start": "node bin/leedab.js",
     "lint": "eslint src/",

package/dist/dashboard/routes.d.ts

@@ -1,17 +0,0 @@
-import { type IncomingMessage, type ServerResponse } from "node:http";
-import type { LeedABConfig } from "../config/schema.js";
-import { type ChannelName } from "../team/permissions.js";
-type RouteHandler = (req: IncomingMessage, res: ServerResponse, url: URL) => Promise<void>;
-export declare function createRoutes(config: LeedABConfig): Record<string, RouteHandler>;
-/**
- * Build the permission preamble injected into the agent prompt for a given
- * channel message. Returns null when we have nothing to add (unknown user
- * on a non-dashboard channel — the allowlist will already have rejected
- * those).
- *
- * This preamble is the sole workflow-permission gate. We trust the agent to
- * honor it. There is no server-side hard gate; admins restrict access by
- * naming the workflows a member may use in the team page.
- */
-export declare function buildPermissionPreamble(channel: ChannelName, userId: string): Promise<string | null>;
-export {};