lody 0.43.1 → 0.44.0

package/dist/index.js

@@ -36820,7 +36820,7 @@ Mongoose Error Code: ${error2.code}` : ""}`
     return client;
   }
   const name = "lody";
-  const version$4 = "0.43.1";
+  const version$4 = "0.44.0";
   const description = "Lody Agent CLI tool for managing remote command execution";
   const type = "module";
   const main$3 = "dist/index.js";
@@ -36863,7 +36863,7 @@ Mongoose Error Code: ${error2.code}` : ""}`
     "node": ">=18.0.0"
   };
   const optionalDependencies = {
-    "acp-extension-claude": "0.25.0",
+    "@agentclientprotocol/claude-agent-acp": "0.29.0",
     "acp-extension-codex": "0.11.1"
   };
   const devDependencies = {
@@ -64620,34 +64620,78 @@ Set the \`cycles\` parameter to \`"ref"\` to resolve cyclical schemas with defs.
     SITE_URL = "https://lody.ai";
     SITE_APP_BASE_PATH = process.env["SITE_APP_BASE_PATH"] ?? "";
   };
+  const MACHINE_ID_FILE_NAME = "machine-id";
+  function getMachineIdFilePath() {
+    return path__default.join(os__default.homedir(), ".lody", MACHINE_ID_FILE_NAME);
+  }
+  function isRunningInDocker() {
+    try {
+      if (fs__default.existsSync("/.dockerenv")) {
+        return true;
+      }
+      const cgroup = fs__default.readFileSync("/proc/self/cgroup", "utf-8");
+      return cgroup.includes("docker") || /[0-9a-f]{64}/.test(cgroup);
+    } catch {
+      return false;
+    }
+  }
   function getSystemMachineId() {
     try {
+      const inDocker = isRunningInDocker();
+      if (inDocker) {
+        const machineIdPath = getMachineIdFilePath();
+        if (fs__default.existsSync(machineIdPath)) {
+          const id = fs__default.readFileSync(machineIdPath, "utf-8").trim();
+          if (id) return id;
+        }
+      }
+      let baseId = null;
       if (process.platform === "linux") {
         if (fs__default.existsSync("/etc/machine-id")) {
-          return fs__default.readFileSync("/etc/machine-id", "utf-8").trim();
-        }
-        if (fs__default.existsSync("/var/lib/dbus/machine-id")) {
-          return fs__default.readFileSync("/var/lib/dbus/machine-id", "utf-8").trim();
+          baseId = fs__default.readFileSync("/etc/machine-id", "utf-8").trim();
+        } else if (fs__default.existsSync("/var/lib/dbus/machine-id")) {
+          baseId = fs__default.readFileSync("/var/lib/dbus/machine-id", "utf-8").trim();
         }
       } else if (process.platform === "darwin") {
         try {
           const uuid2 = execSync("ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID", {
             encoding: "utf-8"
           }).match(/"IOPlatformUUID" = "(.+)"/)?.[1];
-          return uuid2 || null;
+          baseId = uuid2 ?? null;
         } catch {
-          return null;
+          baseId = null;
         }
       } else if (process.platform === "win32") {
         try {
           const uuid2 = execSync("wmic csproduct get UUID", {
             encoding: "utf-8"
           }).split("\n")[1]?.trim();
-          return uuid2 || null;
+          baseId = uuid2 ?? null;
+        } catch {
+          baseId = null;
+        }
+      }
+      if (!baseId) return null;
+      if (inDocker) {
+        const suffix = require$$3$4.randomUUID().replace(/-/g, "").slice(0, 12);
+        const dockerMachineId = `${baseId}-docker-${suffix}`;
+        try {
+          const machineIdPath = getMachineIdFilePath();
+          fs__default.mkdirSync(path__default.dirname(machineIdPath), {
+            recursive: true
+          });
+          fs__default.writeFileSync(machineIdPath, dockerMachineId, "utf-8");
+          if (process.platform !== "win32") {
+            try {
+              fs__default.chmodSync(machineIdPath, 384);
+            } catch {
+            }
+          }
         } catch {
-          return null;
         }
+        return dockerMachineId;
       }
+      return baseId;
     } catch {
     }
     return null;
@@ -66603,6 +66647,8 @@ Set the \`cycles\` parameter to \`"ref"\` to resolve cyclical schemas with defs.
     if (!normalizedSegment) return "";
     return `/${normalizedSegment}`;
   }
+  const LODY_FULL_ACCESS_MODE_ID = "lodyFullAccess";
+  const isFullAccessModeId = (modeId) => modeId === LODY_FULL_ACCESS_MODE_ID || modeId === "bypassPermissions" || modeId === "full-access";
   const ACP_CAPABILITY_CACHE_VERSION = 1;
   const getAcpCapabilityCacheKey = (cliType, agentType) => `${cliType}:${agentType}`;
   const getAcpCapabilityCacheStaleReason = (entry2, expectedSourceVersion) => {
@@ -66618,6 +66664,37 @@ Set the \`cycles\` parameter to \`"ref"\` to resolve cyclical schemas with defs.
     return void 0;
   };
   const isBuiltinAgentType = (agentType) => agentType === "claude" || agentType === "codex";
+  const isAllowPermissionKind = (kind) => typeof kind === "string" && kind.startsWith("allow");
+  const isDenyOrRejectPermissionKind = (kind) => typeof kind === "string" && (kind.startsWith("deny") || kind.startsWith("reject"));
+  const getPermissionOptionKind = (option2) => option2.kind;
+  function selectAutoApprovePermissionDecision(options) {
+    const selected = options.find((option2) => getPermissionOptionKind(option2) === "allow_always") ?? options.find((option2) => getPermissionOptionKind(option2) === "allow_once") ?? options.find((option2) => isAllowPermissionKind(getPermissionOptionKind(option2)));
+    if (selected) {
+      return {
+        outcome: {
+          outcome: "selected",
+          optionId: selected.optionId
+        },
+        option: selected,
+        reason: "allow"
+      };
+    }
+    const fallback2 = options.find((option2) => {
+      const kind = getPermissionOptionKind(option2);
+      return typeof kind === "string" && !isDenyOrRejectPermissionKind(kind);
+    });
+    if (fallback2) {
+      return {
+        outcome: {
+          outcome: "selected",
+          optionId: fallback2.optionId
+        },
+        option: fallback2,
+        reason: "fallback"
+      };
+    }
+    return null;
+  }
   function getBuiltinTitleGenerationDefaults(agentType) {
     if (agentType === "claude") {
       return {
@@ -76319,6 +76396,37 @@ ${tailedOutput}` : null;
         machineId
       });
     }
+    async loginWithApiKey(apiKey, machineName) {
+      const accessToken = apiKey.trim();
+      if (!accessToken) {
+        return {
+          success: false,
+          error: "Missing API key for --auth login"
+        };
+      }
+      const validation2 = await this.validateToken(accessToken);
+      if (!validation2.valid || !validation2.user || !validation2.userId) {
+        return {
+          success: false,
+          error: "Invalid API key. Generate a new key and retry."
+        };
+      }
+      const machineId = getSystemMachineId() || v4();
+      const authInfo = {
+        token: accessToken,
+        user: validation2.user,
+        machine: {
+          machineName,
+          machineId
+        }
+      };
+      await saveAuthInfo(accessToken, authInfo.user, authInfo.machine);
+      setSentryUser(authInfo.user);
+      return {
+        success: true,
+        ...authInfo
+      };
+    }
     async login(machineName) {
       const machineId = getSystemMachineId() || v4();
       this.logger.debug(`[device-auth] siteUrl=${this.siteUrl} serverUrl=${this.serverUrl}`);
@@ -76629,6 +76737,25 @@ ${tailedOutput}` : null;
       machine: loginResult.machine
     };
   }
+  async function performLoginWithApiKey(authClient, logger2, options) {
+    const machineNameOverride = options.machineName?.trim();
+    const machineName = machineNameOverride || os__default.hostname();
+    logger2.info("Using provided API key for non-interactive login.");
+    logger2.info("  Machine Name: " + chalk.cyan(machineName));
+    const loginResult = await authClient.loginWithApiKey(options.apiKey, machineName);
+    if (!loginResult.success) {
+      return {
+        success: false,
+        error: loginResult.error
+      };
+    }
+    return {
+      success: true,
+      token: loginResult.token,
+      user: loginResult.user,
+      machine: loginResult.machine
+    };
+  }
   const version$1 = "1.25.4";
   var lookup = [];
   var revLookup = [];
@@ -88969,12 +89096,11 @@ ${val.stack}`;
       const flock = this.metaFlock;
       const currentVersion = flock.version();
       if (this.lastPersistedVersion && this.versionsEqual(currentVersion, this.lastPersistedVersion)) return;
-      const fullBundle = flock.exportJson();
-      const encoded = Flock.fromJson(fullBundle, flock.peerId()).exportFile();
       if (!this.storage) {
         this.lastPersistedVersion = currentVersion;
         return;
       }
+      const encoded = flock.exportFile();
       await this.storage.save({
         type: "meta",
         update: encoded
@@ -104038,7 +104164,7 @@ stream:${scope2.streamId}`;
   const DEFAULT_GATEWAY_BASE_URL = "https://streams-api.loro.dev";
   const JSON_RPC_VERSION$1 = "2.0";
   const LORO_STREAMS_RPC_VERSION = "1";
-  const LORO_STREAMS_RPC_RETENTION_SECONDS = 3600;
+  const LORO_STREAMS_RPC_RETENTION_SECONDS = 86400;
   const LORO_RPC_REQUEST_STREAM_SEGMENT = "rpc:req";
   const getLoroMachineRpcRequestStreamId = (workspaceId, machineId) => `${workspaceId}:${LORO_RPC_REQUEST_STREAM_SEGMENT}:${machineId}`;
   const normalizeLoroGatewayBaseUrl = (baseUrl) => {
@@ -105181,8 +105307,9 @@ stream:${scope2.streamId}`;
     const filtered = stripToolCallContentForHistory(kind ?? null, content);
     return filtered.length ? filtered : void 0;
   };
-  const ensurePermissionRequestOnToolCall = async (doc, requestId, request, model) => {
+  const ensurePermissionRequestOnToolCall = async (doc, requestId, request, _model) => {
     const toolCallId = request.toolCall.toolCallId;
+    let persisted = false;
     await doc.updateHistory((history) => {
       let updated = false;
       history.forEach((entry2) => {
@@ -105197,25 +105324,23 @@ stream:${scope2.streamId}`;
           return content;
         });
         if (entryUpdated) {
+          persisted = true;
           writeEntryItems(entry2, nextContents);
         }
       });
       if (!updated) {
-        history.push({
-          id: v4(),
-          role: "assistant",
-          items: [
+        const latestEntry = history[history.length - 1];
+        if (latestEntry?.role === "assistant" && latestEntry.finished !== true && typeof latestEntry.endedAt !== "number") {
+          persisted = true;
+          writeEntryItems(latestEntry, [
+            ...readEntryItems(latestEntry),
             buildToolCallFromPermissionRequest(requestId, request)
-          ],
-          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-          read: void 0,
-          userId: void 0,
-          modelInfo: model,
-          fileDiff: []
-        });
+          ]);
+        }
       }
       return history;
     });
+    return persisted;
   };
   const updatePermissionOutcomeInHistory = async (doc, requestId, outcome, _logger) => {
     await doc.updateHistory((history) => {
@@ -106300,9 +106425,9 @@ stream:${scope2.streamId}`;
   };
   const BuiltinACPSetting = {
     claude: {
-      packageName: "acp-extension-claude",
-      version: "0.25.0",
-      binName: "acp-extension-claude"
+      packageName: "@agentclientprotocol/claude-agent-acp",
+      version: "0.29.0",
+      binName: "claude-agent-acp"
     },
     codex: {
       packageName: "acp-extension-codex",
@@ -106454,7 +106579,10 @@ stream:${scope2.streamId}`;
     if (fs__default.existsSync(path__default.join(installScopedNodeModules, "package.json"))) {
       return true;
     }
-    const installNodeModulesRoot = path__default.dirname(packageRoot);
+    let installNodeModulesRoot = path__default.dirname(packageRoot);
+    if (path__default.basename(installNodeModulesRoot).startsWith("@")) {
+      installNodeModulesRoot = path__default.dirname(installNodeModulesRoot);
+    }
     const hoistedDependencyPath = path__default.join(installNodeModulesRoot, ...depSegments);
     return fs__default.existsSync(path__default.join(hoistedDependencyPath, "package.json"));
   }
@@ -107830,6 +107958,19 @@ main().catch(() => {});
     return `!node "${helperPath}"`;
   };
   const SAFE_SESSION_ID_RE$1 = /^[A-Za-z0-9][A-Za-z0-9_-]{0,127}$/;
+  const COMMON_BASE_BRANCH_NAMES = /* @__PURE__ */ new Set([
+    "main",
+    "master",
+    "dev",
+    "develop",
+    "development",
+    "trunk",
+    "release",
+    "staging",
+    "stage",
+    "prod",
+    "production"
+  ]);
   function assertSafeSessionId$1(sessionId) {
     if (!SAFE_SESSION_ID_RE$1.test(sessionId)) {
       throw new Error(`Invalid sessionId ${JSON.stringify(sessionId)}: expected /^[A-Za-z0-9][A-Za-z0-9_-]{0,127}$/`);
@@ -108517,6 +108658,23 @@ path=/${options.repoFullName}.git
     getDefaultSessionBranchName(sessionId) {
       return `session/${sessionId.slice(0, 8)}`;
     }
+    normalizeBranchName(branchName) {
+      return branchName.trim().replace(/^refs\/heads\//, "").replace(/^origin\//, "");
+    }
+    isCommonBaseBranchName(branchName) {
+      const normalized = this.normalizeBranchName(branchName).toLowerCase();
+      if (!normalized) {
+        return false;
+      }
+      if (COMMON_BASE_BRANCH_NAMES.has(normalized)) {
+        return true;
+      }
+      return normalized.startsWith("release/") || normalized.startsWith("releases/");
+    }
+    shouldReuseExistingBaseBranch(branchName) {
+      const trimmed = branchName?.trim();
+      return !!trimmed && !this.isCommonBaseBranchName(trimmed);
+    }
     async hasLocalBranch(branchName) {
       const sanitized = branchName.trim();
       if (!sanitized) {
@@ -108544,6 +108702,33 @@ path=/${options.repoFullName}.git
       }
       return null;
     }
+    async resolveReusableBaseBranch(baseBranch) {
+      const trimmed = baseBranch?.trim();
+      if (!this.shouldReuseExistingBaseBranch(trimmed)) {
+        return null;
+      }
+      if (await this.hasLocalBranch(trimmed)) {
+        return {
+          branchName: trimmed
+        };
+      }
+      const remoteBranch = `origin/${trimmed}`;
+      if (this.repoUrl && await this.hasCommitish(remoteBranch)) {
+        return {
+          branchName: trimmed,
+          startPoint: remoteBranch
+        };
+      }
+      return null;
+    }
+    shouldPreserveRemovedBranch(branchName, options) {
+      const baseBranchName = options?.baseBranchName?.trim();
+      return !!baseBranchName && branchName === baseBranchName && this.shouldReuseExistingBaseBranch(baseBranchName);
+    }
+    isBranchAlreadyCheckedOutError(error2) {
+      const message = formatErrorMessage(error2).toLowerCase();
+      return message.includes("is already checked out at");
+    }
     async createWorktree(sessionId, baseBranch, restoreBranchName) {
       return withRepoLock(this.repoId, async () => {
         assertSafeSessionId$1(sessionId);
@@ -108551,6 +108736,7 @@ path=/${options.repoFullName}.git
         const worktreePath = this.getWorktreeHostPath(sessionId);
         const branchName = this.getDefaultSessionBranchName(sessionId);
         const resolvedBase = await this.resolveBaseRef(baseBranch);
+        const reusableBaseBranch = await this.resolveReusableBaseBranch(baseBranch);
         if (fs$4.existsSync(worktreePath)) {
           this.ensureWorktreeGitdirIsRelative(sessionId);
           const info2 = await this.getWorktreeInfo(sessionId);
@@ -108566,6 +108752,40 @@ path=/${options.repoFullName}.git
             worktreePath,
             existingBranchName
           ], this.bareGitDir);
+        } else if (reusableBaseBranch) {
+          this.logger.debug(`[${this.repoId}] Creating worktree from selected branch: ${reusableBaseBranch.branchName}`);
+          try {
+            if (reusableBaseBranch.startPoint) {
+              await this.runGit([
+                "worktree",
+                "add",
+                "-b",
+                reusableBaseBranch.branchName,
+                worktreePath,
+                reusableBaseBranch.startPoint
+              ], this.bareGitDir);
+            } else {
+              await this.runGit([
+                "worktree",
+                "add",
+                worktreePath,
+                reusableBaseBranch.branchName
+              ], this.bareGitDir);
+            }
+          } catch (error2) {
+            if (!this.isBranchAlreadyCheckedOutError(error2)) {
+              throw error2;
+            }
+            this.logger.debug(`[${this.repoId}] Selected branch already checked out; creating session branch instead (branch=${branchName} base=${resolvedBase})`);
+            await this.runGit([
+              "worktree",
+              "add",
+              "-b",
+              branchName,
+              worktreePath,
+              resolvedBase
+            ], this.bareGitDir);
+          }
         } else {
           this.logger.debug(`[${this.repoId}] Creating new worktree (sessionId=${sessionId} branch=${branchName} base=${resolvedBase}): ${worktreePath}`);
           await this.runGit([
@@ -108614,7 +108834,7 @@ path=/${options.repoFullName}.git
         isClean
       };
     }
-    async removeWorktree(sessionId, force = false, branchName) {
+    async removeWorktree(sessionId, force = false, branchName, options) {
       return withRepoLock(this.repoId, async () => {
         const resolvedBranchName = await this.removeWorktreeInternal(sessionId, {
           force,
@@ -108622,6 +108842,10 @@ path=/${options.repoFullName}.git
           branchName
         });
         if (resolvedBranchName) {
+          if (this.shouldPreserveRemovedBranch(resolvedBranchName, options)) {
+            this.logger.debug(`[${this.repoId}] Preserving reused base branch after worktree removal: ${resolvedBranchName}`);
+            return;
+          }
           await this.cleanupBranch(resolvedBranchName);
         }
       });
@@ -108897,6 +109121,7 @@ path=/${options.repoFullName}.git
       pendingContextWindowHandlers: /* @__PURE__ */ new Set(),
       pendingUsageHandlers: /* @__PURE__ */ new Set(),
       permissionWaitMs: 0,
+      autoApprovePermissions: false,
       pendingUnread: false,
       heartbeat: null,
       lastActivityMs: Date.now(),
@@ -120291,6 +120516,15 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
       if (dispatchAction.type !== "dispatch") {
         return;
       }
+      const requesterUserId = nextUserTurn.userId ?? freshMeta.userId;
+      const access = await this.deps.canUseMachine({
+        sessionId,
+        requesterUserId
+      });
+      if (!access.allowed) {
+        await this.markDispatchAccessDenied(sessionId, sessionDoc, nextUserTurn.id, access.reason);
+        return;
+      }
       if (dispatchAction.mode === "create") {
         const createRequest = await this.buildCreateRequestFromHistoryEntry(freshMeta, nextUserTurn);
         await this.deps.executionService.startSession(createRequest);
@@ -120299,6 +120533,38 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
         await this.deps.executionService.continueSession(chatRequest);
       }
     }
+    getAccessDeniedMessage(reason) {
+      switch (reason) {
+        case "requester_not_member":
+          return "The requester is not a member of this workspace.";
+        case "machine_not_registered":
+          return "This machine is not registered for workspace access.";
+        case "not_visible":
+          return "This machine is private to its owner.";
+        case "access_unavailable":
+          return "Machine access could not be verified.";
+      }
+    }
+    async markDispatchAccessDenied(sessionId, sessionDoc, userTurnId, reason) {
+      const message = this.getAccessDeniedMessage(reason);
+      this.deps.logger.warn(`[${sessionId}] Refusing dispatch: ${message}`);
+      await sessionDoc.updateHistory((history) => history.map((entry2) => entry2.id === userTurnId && entry2.role === "user" ? {
+        ...entry2,
+        status: "failed",
+        read: getLegacyReadForSessionHistoryStatus("failed")
+      } : entry2));
+      await this.deps.workspaceDocument.repo.upsertDocMeta?.(getSessionRoomId(sessionId), {
+        latestUserMsgId: userTurnId,
+        lastHandledUserMsgId: userTurnId,
+        processingUserMsgId: void 0,
+        dispatchError: {
+          code: "machine_access_denied",
+          message,
+          at: getServerNow()
+        }
+      });
+      await sessionDoc.setStatus(SessionStatusFactory.idle());
+    }
     async maybeHandleCancelRequest(sessionId) {
       const sessionDoc = await this.deps.workspaceDocument.getOrCreateSessionDoc(sessionId);
       const meta = await sessionDoc.getMetaState();
@@ -120869,6 +121135,121 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
       }
     }
   }
+  const WorkspaceSummarySchema = object({
+    id: string$2(),
+    name: string$2(),
+    slug: string$2().nullable(),
+    role: string$2()
+  });
+  const WorkspaceGitHubRepositorySchema = object({
+    id: number$3(),
+    name: string$2(),
+    fullName: string$2(),
+    private: boolean()
+  });
+  const WorkspaceListResultSchema = discriminatedUnion("valid", [
+    object({
+      valid: literal(false),
+      userId: _null(),
+      workspaces: array$3(WorkspaceSummarySchema)
+    }),
+    object({
+      valid: literal(true),
+      userId: string$2(),
+      workspaces: array$3(WorkspaceSummarySchema)
+    })
+  ]);
+  const RegisterSessionOwnerResultSchema = object({
+    success: literal(true),
+    existing: boolean()
+  });
+  const RegisterMachineAccessResultSchema = object({
+    success: literal(true),
+    existing: boolean(),
+    sharedWithTeam: boolean()
+  });
+  const MachineAccessCheckResultSchema = discriminatedUnion("allowed", [
+    object({
+      allowed: literal(true)
+    }),
+    object({
+      allowed: literal(false),
+      reason: _enum([
+        "requester_not_member",
+        "machine_not_registered",
+        "not_visible"
+      ])
+    })
+  ]);
+  const WorkspaceGitHubRepositoryListResultSchema = discriminatedUnion("valid", [
+    object({
+      valid: literal(false),
+      repositories: array$3(WorkspaceGitHubRepositorySchema)
+    }),
+    object({
+      valid: literal(true),
+      repositories: array$3(WorkspaceGitHubRepositorySchema)
+    })
+  ]);
+  function createAuthConvexClient() {
+    if (!LODY_AUTH_URL) {
+      throw new Error("LODY_AUTH_URL is not defined.");
+    }
+    return new ConvexHttpClient(LODY_AUTH_URL);
+  }
+  async function listWorkspacesForToken(token2) {
+    const client = createAuthConvexClient();
+    const raw = await client.query(api.deviceAuth.listMyWorkspacesForCliToken, {
+      token: token2
+    });
+    const parsed = WorkspaceListResultSchema.parse(raw);
+    if (!parsed.valid) {
+      throw new Error("CLI token is invalid or expired. Run `lody login` again.");
+    }
+    return parsed.workspaces;
+  }
+  async function listWorkspaceGitHubRepositoriesForCliToken(input2) {
+    const client = createAuthConvexClient();
+    const raw = await client.query(api.github.listWorkspaceRepositoriesForCliToken, {
+      cliToken: input2.token,
+      workspaceId: input2.workspaceId
+    });
+    const parsed = WorkspaceGitHubRepositoryListResultSchema.parse(raw);
+    if (!parsed.valid) {
+      throw new Error("CLI token is invalid or expired. Run `lody login` again.");
+    }
+    return parsed.repositories;
+  }
+  async function registerSessionOwnerForCliToken(input2) {
+    const client = createAuthConvexClient();
+    const raw = await client.mutation(api.sessions.registerSessionOwnerFromCliToken, {
+      cliToken: input2.token,
+      workspaceId: input2.workspaceId,
+      sessionId: input2.sessionId,
+      cliType: input2.cliType,
+      repoFullName: input2.repoFullName
+    });
+    return RegisterSessionOwnerResultSchema.parse(raw);
+  }
+  async function registerMachineAccessForCliToken(input2) {
+    const client = createAuthConvexClient();
+    const raw = await client.mutation(api.machines.upsertMachineRegistrationFromCliToken, {
+      cliToken: input2.token,
+      workspaceId: input2.workspaceId,
+      machineId: input2.machineId
+    });
+    return RegisterMachineAccessResultSchema.parse(raw);
+  }
+  async function canUseMachineForCliToken(input2) {
+    const client = createAuthConvexClient();
+    const raw = await client.query(api.machines.canUseMachineFromCliToken, {
+      cliToken: input2.token,
+      workspaceId: input2.workspaceId,
+      machineId: input2.machineId,
+      requesterUserId: input2.requesterUserId
+    });
+    return MachineAccessCheckResultSchema.parse(raw);
+  }
   const SESSION_IMAGE_MIME_TYPE_BY_EXTENSION = {
     png: "image/png",
     jpg: "image/jpeg",
@@ -121013,7 +121394,23 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
         workspaceId: this.workspaceId,
         workspaceDocument: this.workspaceDocument,
         sessionManager: this.sessionManager,
-        executionService: this.executionService
+        executionService: this.executionService,
+        canUseMachine: async ({ requesterUserId, sessionId }) => {
+          try {
+            return await canUseMachineForCliToken({
+              token: this.token,
+              workspaceId: this.workspaceId,
+              machineId: this.machineId,
+              requesterUserId
+            });
+          } catch (error2) {
+            this.logger.error(`[${sessionId}] Failed to verify machine access: ${formatErrorMessage(error2)}`);
+            return {
+              allowed: false,
+              reason: "access_unavailable"
+            };
+          }
+        }
       });
       this.setupSessionEventHandlers();
       this.setupArchiveWatcher();
@@ -121313,13 +121710,25 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
       }
       const modeId = config2.modeId;
       const modelId = config2.modelId;
+      const agentConfigOptions = session.agentClient.getConfigOptions?.() ?? [];
+      const modeConfigId = agentConfigOptions.find((o) => o.category === "mode")?.id ?? "mode";
+      const modelConfigId = agentConfigOptions.find((o) => o.category === "model")?.id ?? "model";
+      const configModeId = config2.configOptionValues?.[modeConfigId];
+      const effectiveModeId = modeId ?? configModeId;
+      const autoApprovePermissions = isFullAccessModeId(effectiveModeId);
+      this.store.get(sessionId).autoApprovePermissions = autoApprovePermissions;
+      this.logger.debug(`[${sessionId}] applyAcpModeAndModel: autoApprovePermissions=${autoApprovePermissions}`);
       if (modeId) {
-        this.logger.debug(`[${sessionId}] applyAcpModeAndModel: setting mode (modeId=${modeId})`);
-        try {
-          await session.agentClient.setSessionMode?.(acpSessionId, modeId);
-          this.logger.debug(`[${sessionId}] applyAcpModeAndModel: mode set complete`);
-        } catch (err2) {
-          this.logger.debug(`[${sessionId}] applyAcpModeAndModel: setSessionMode failed for "${modeId}", skipping (mode may not be supported by agent): ${err2}`);
+        if (modeId === LODY_FULL_ACCESS_MODE_ID) {
+          this.logger.debug(`[${sessionId}] applyAcpModeAndModel: using Lody Full Access mode without sending setSessionMode to agent`);
+        } else {
+          this.logger.debug(`[${sessionId}] applyAcpModeAndModel: setting mode (modeId=${modeId})`);
+          try {
+            await session.agentClient.setSessionMode?.(acpSessionId, modeId);
+            this.logger.debug(`[${sessionId}] applyAcpModeAndModel: mode set complete`);
+          } catch (err2) {
+            this.logger.debug(`[${sessionId}] applyAcpModeAndModel: setSessionMode failed for "${modeId}", skipping (mode may not be supported by agent): ${err2}`);
+          }
         }
       }
       if (modelId) {
@@ -121332,12 +121741,9 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
         }
       }
       if (config2.configOptionValues && session.agentClient) {
-        const agentConfigOptions = session.agentClient.getConfigOptions();
-        const modeConfigId = agentConfigOptions.find((o) => o.category === "mode")?.id;
-        const modelConfigId = agentConfigOptions.find((o) => o.category === "model")?.id;
         for (const [configId, value] of Object.entries(config2.configOptionValues)) {
           if (configId === modeConfigId) {
-            if (!modeId) {
+            if (!modeId && value !== LODY_FULL_ACCESS_MODE_ID) {
               this.logger.debug(`[${sessionId}] applyAcpModeAndModel: setting mode via setSessionMode from configOption (${configId}=${value})`);
               try {
                 await session.agentClient.setSessionMode?.(acpSessionId, value);
@@ -121650,6 +122056,7 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
           needToArchiveSessions: {},
           raceLimits: {}
         });
+        await this.registerMachineAccess();
         this.logger.debug("Machine re-registered in machine meta");
       } catch (error2) {
         this.logger.error(`Failed to ensure machine registration after reconnect: ${error2}`);
@@ -121927,6 +122334,7 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
       }
       const repoFullName = sessionMeta?.project?.kind === "local" ? void 0 : sessionMeta?.repoFullName ?? (request && typeof request === "object" && "repoFullName" in request ? request.repoFullName : void 0);
       const branchName = sessionMeta?.branchName ?? (request && typeof request === "object" && "branchName" in request ? request.branchName : void 0);
+      const baseBranchName = sessionMeta?.baseBranch?.trim() || void 0;
       if (repoFullName) {
         try {
           const repoId = deriveRepoIdFromGitHubRepo$1(repoFullName);
@@ -121934,7 +122342,9 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
             repoId,
             logger: this.logger
           });
-          await worktreeManager.removeWorktree(sessionId, true, branchName);
+          await worktreeManager.removeWorktree(sessionId, true, branchName, {
+            baseBranchName
+          });
         } catch (error2) {
           this.logger.debug(`[${sessionId}] Failed to remove worktree: ${formatErrorMessage(error2)}`);
         }
@@ -122286,6 +122696,17 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
       this.store.beginTurn(sessionId, turnId);
       return turnId;
     }
+    async registerMachineAccess() {
+      try {
+        await registerMachineAccessForCliToken({
+          token: this.token,
+          workspaceId: this.workspaceId,
+          machineId: this.machineId
+        });
+      } catch (error2) {
+        this.logger.error(`Failed to register machine access: ${formatErrorMessage(error2)}`);
+      }
+    }
     registerMachine() {
       void (async () => {
         const supportsStreamsRpc = !!this.machineRpcServer;
@@ -122310,6 +122731,7 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
           lastSeen: machineMeta?.lastSeen,
           raceLimits: machineMeta?.raceLimits ?? {}
         });
+        await this.registerMachineAccess();
         this.startMachineHeartbeat();
         this.logger.debug(`Machine registered with name: ${this.machineName}`);
       })().catch((error2) => {
@@ -122686,6 +123108,22 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
         cpuUsagePercent
       };
     }
+    tryAutoApprovePermission(sessionId, request) {
+      const state2 = this.store.get(sessionId);
+      if (!state2.autoApprovePermissions) {
+        return null;
+      }
+      const decision = selectAutoApprovePermissionDecision(request.options);
+      if (!decision) {
+        this.logger.debug(`[${sessionId}] Full Access auto-approval skipped because no allow or fallback-safe option was available`);
+        return null;
+      }
+      if (decision.reason === "fallback") {
+        const kind = decision.option.kind;
+        this.logger.warn(`[${sessionId}] Full Access auto-approval selected a non-standard permission option (optionId=${decision.option.optionId}, kind=${String(kind)})`);
+      }
+      return decision.outcome;
+    }
     async handleAgentPermissionRequest(sessionId, requestId, request, model) {
       const toolTitle = request.toolCall.title?.trim();
       const toolKind = typeof request.toolCall.kind === "string" ? request.toolCall.kind.trim() : void 0;
@@ -122696,10 +123134,10 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
       let sessionTitle;
       let metaUserId;
       let historyUserId;
+      let permissionRequestPersisted = false;
       try {
-        await ensurePermissionRequestOnToolCall(doc, requestId, request, model);
+        permissionRequestPersisted = await ensurePermissionRequestOnToolCall(doc, requestId, request, model);
         await doc.setLastMessageAt();
-        await doc.setStatus(SessionStatusFactory.requestPermission(requestId, request.toolCall.toolCallId, request.toolCall.title ?? void 0));
         const meta = await doc.getMetaState();
         sessionTitle = meta?.title;
         metaUserId = meta?.userId;
@@ -122716,6 +123154,31 @@ ${this.stack.split("\n").slice(1).join("\n")}` : this.toString();
       } catch (error2) {
         this.logger.error(`[${sessionId}] Failed to append permission request to history: ${formatErrorMessage(error2)}`);
       }
+      const autoApproveOutcome = this.tryAutoApprovePermission(sessionId, request);
+      if (autoApproveOutcome) {
+        try {
+          await updatePermissionOutcomeInHistory(doc, requestId, autoApproveOutcome, this.logger);
+        } catch (error2) {
+          this.logger.error(`[${sessionId}] Failed to persist auto-approved permission outcome: ${formatErrorMessage(error2)}`);
+        }
+        this.logger.info(`[${sessionId}] Permission auto-approved by Full Access for ${permissionLabel}: optionId=${autoApproveOutcome.outcome === "selected" ? autoApproveOutcome.optionId : "cancelled"}`);
+        return {
+          outcome: autoApproveOutcome
+        };
+      }
+      if (!permissionRequestPersisted) {
+        this.logger.warn(`[${sessionId}] Permission request ${requestId} for tool call ${request.toolCall.toolCallId} could not be attached to an active assistant entry; cancelling to avoid waiting for an unobservable permission outcome`);
+        return {
+          outcome: {
+            outcome: "cancelled"
+          }
+        };
+      }
+      try {
+        await doc.setStatus(SessionStatusFactory.requestPermission(requestId, request.toolCall.toolCallId, request.toolCall.title ?? void 0));
+      } catch (error2) {
+        this.logger.error(`[${sessionId}] Failed to mark session as waiting for permission: ${formatErrorMessage(error2)}`);
+      }
       if (this.notificationService) {
         const workspaceSlug = this.workspaceSlug?.trim() || this.workspaceId;
         const userId = historyUserId ?? metaUserId ?? this.userId;
@@ -133469,7 +133932,7 @@ Received ${signal}, shutting down gracefully...` : "\nShutting down gracefully..
       ];
     }
     return previous.concat(value);
-  }).option("--debug", "enable debug output").option("--heartbeat-log", "output current timestamp every 5 seconds").action(async (options) => {
+  }).option("--debug", "enable debug output").option("--heartbeat-log", "output current timestamp every 5 seconds").option("--auth <api-key>", "Use a CLI API key for non-interactive authentication").action(async (options) => {
     createHybridLogger({
       level: options.debug ? "debug" : "info"
     });
@@ -133497,6 +133960,7 @@ Received ${signal}, shutting down gracefully...` : "\nShutting down gracefully..
     runtimeStateReporter.setStartupStage("bootstrap");
     const electronBootstrapEnabled = process.env[ELECTRON_BOOTSTRAP_ENV] === "1";
     const electronSessionToken = process.env[ELECTRON_SESSION_TOKEN_ENV]?.trim();
+    const providedAuth = options.auth?.trim();
     const cliAvailability = {
       claude: checkClaude(),
       codex: checkCodex()
@@ -133543,7 +134007,25 @@ Received ${signal}, shutting down gracefully...` : "\nShutting down gracefully..
     let machineId;
     let machineName;
     const existingAuth = authClient.getAuthInfo();
-    if (existingAuth) {
+    if (options.auth !== void 0 && !providedAuth) {
+      logger2.error("Missing API key for --auth.");
+      process.exit(1);
+    }
+    if (providedAuth) {
+      const loginResult = await performLoginWithApiKey(authClient, logger2, {
+        apiKey: providedAuth,
+        machineName: defaultMachineName
+      });
+      if (!loginResult.success) {
+        logger2.error(`Login failed: ${loginResult.error}`);
+        process.exit(1);
+      }
+      token2 = loginResult.token;
+      userId = loginResult.user.id;
+      machineId = loginResult.machine.machineId;
+      machineName = loginResult.machine.machineName;
+      logger2.success("Login successful via --auth.");
+    } else if (existingAuth) {
       logger2.debug("Found existing authentication, checking validity...");
       const validation2 = await authClient.validateToken(existingAuth.token);
       if (validation2.valid) {
@@ -133703,13 +134185,36 @@ Received ${signal}, shutting down gracefully...` : "\nShutting down gracefully..
       throw error2;
     }
   }
-  const loginCommand = new Command("login").description("Login to Lody using device authorization flow").option("-d, --debug", "enable debug output").option("--machine-name <name>", "Machine name to register (defaults to hostname)").action(async (options) => {
+  const loginCommand = new Command("login").description("Login to Lody using device authorization flow or an API key").option("-d, --debug", "enable debug output").option("--machine-name <name>", "Machine name to register (defaults to hostname)").option("--auth <api-key>", "Use a CLI API key for non-interactive login").action(async (options) => {
     if (options.debug) {
       rootLogger.setDebug(true);
     }
     const logger2 = getLogger("login");
     const authClient = new AuthClient(logger2);
+    const providedAuth = options.auth?.trim();
     try {
+      if (options.auth !== void 0 && !providedAuth) {
+        logger2.error("Missing API key for --auth.");
+        process.exit(1);
+      }
+      if (providedAuth) {
+        const result2 = await performLoginWithApiKey(authClient, logger2, {
+          apiKey: providedAuth,
+          machineName: options.machineName
+        });
+        if (result2.success) {
+          logger2.success("\n" + chalk.green("\u2713") + " Successfully logged in!");
+          logger2.info("  User: " + chalk.cyan(result2.user.name || result2.user.email));
+          logger2.info("  Email: " + chalk.cyan(result2.user.email));
+        } else {
+          await reportError("login", result2.error, {
+            message: "Login failed using --auth",
+            logger: logger2
+          });
+          process.exit(1);
+        }
+        return;
+      }
       const existingAuth = authClient.getAuthInfo();
       if (existingAuth) {
         logger2.debug("Found existing authentication, checking validity...");
@@ -159300,84 +159805,6 @@ ${page}${helpTipBottom}${choiceDescription}${ansiEscapes.cursorHide}`;
     restoreDefaultPrompts,
     Separator
   };
-  const WorkspaceSummarySchema = object({
-    id: string$2(),
-    name: string$2(),
-    slug: string$2().nullable(),
-    role: string$2()
-  });
-  const WorkspaceGitHubRepositorySchema = object({
-    id: number$3(),
-    name: string$2(),
-    fullName: string$2(),
-    private: boolean()
-  });
-  const WorkspaceListResultSchema = discriminatedUnion("valid", [
-    object({
-      valid: literal(false),
-      userId: _null(),
-      workspaces: array$3(WorkspaceSummarySchema)
-    }),
-    object({
-      valid: literal(true),
-      userId: string$2(),
-      workspaces: array$3(WorkspaceSummarySchema)
-    })
-  ]);
-  const RegisterSessionOwnerResultSchema = object({
-    success: literal(true),
-    existing: boolean()
-  });
-  const WorkspaceGitHubRepositoryListResultSchema = discriminatedUnion("valid", [
-    object({
-      valid: literal(false),
-      repositories: array$3(WorkspaceGitHubRepositorySchema)
-    }),
-    object({
-      valid: literal(true),
-      repositories: array$3(WorkspaceGitHubRepositorySchema)
-    })
-  ]);
-  function createAuthConvexClient() {
-    if (!LODY_AUTH_URL) {
-      throw new Error("LODY_AUTH_URL is not defined.");
-    }
-    return new ConvexHttpClient(LODY_AUTH_URL);
-  }
-  async function listWorkspacesForToken(token2) {
-    const client = createAuthConvexClient();
-    const raw = await client.query(api.deviceAuth.listMyWorkspacesForCliToken, {
-      token: token2
-    });
-    const parsed = WorkspaceListResultSchema.parse(raw);
-    if (!parsed.valid) {
-      throw new Error("CLI token is invalid or expired. Run `lody login` again.");
-    }
-    return parsed.workspaces;
-  }
-  async function listWorkspaceGitHubRepositoriesForCliToken(input2) {
-    const client = createAuthConvexClient();
-    const raw = await client.query(api.github.listWorkspaceRepositoriesForCliToken, {
-      cliToken: input2.token,
-      workspaceId: input2.workspaceId
-    });
-    const parsed = WorkspaceGitHubRepositoryListResultSchema.parse(raw);
-    if (!parsed.valid) {
-      throw new Error("CLI token is invalid or expired. Run `lody login` again.");
-    }
-    return parsed.repositories;
-  }
-  async function registerSessionOwnerForCliToken(input2) {
-    const client = createAuthConvexClient();
-    const raw = await client.mutation(api.sessions.registerSessionOwnerFromCliToken, {
-      cliToken: input2.token,
-      workspaceId: input2.workspaceId,
-      sessionId: input2.sessionId,
-      cliType: input2.cliType,
-      repoFullName: input2.repoFullName
-    });
-    return RegisterSessionOwnerResultSchema.parse(raw);
-  }
   const SESSION_CONTROL_PATH = "/session-control";
   const LOCAL_CONTROL_HEADER = "x-lody-local-control";
   const DEFAULT_LOCAL_CONTROL_TIMEOUT_MS = 3e4;
@@ -163250,7 +163677,7 @@ ${entry2.text}`).join("\n\n");
   }
   function resolveBuiltinFullAccessModeId(cliType, agentType) {
     if (cliType !== "builtin") {
-      return void 0;
+      return LODY_FULL_ACCESS_MODE_ID;
     }
     if (agentType === "claude") {
       return "bypassPermissions";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lody",
-  "version": "0.43.1",
+  "version": "0.44.0",
   "description": "Lody Agent CLI tool for managing remote command execution",
   "type": "module",
   "main": "dist/index.js",
@@ -20,7 +20,7 @@
     "node": ">=18.0.0"
   },
   "optionalDependencies": {
-    "acp-extension-claude": "0.25.0",
+    "@agentclientprotocol/claude-agent-acp": "0.29.0",
     "acp-extension-codex": "0.11.1"
   },
   "devDependencies": {
@@ -56,7 +56,7 @@
     "jiti": "^2.6.1",
     "loro-crdt": "^1.11.0",
     "loro-mirror": "1.2.1",
-    "loro-repo": "^0.16.4",
+    "loro-repo": "^0.16.5",
     "ora": "^8.2.0",
     "prettier": "^3.6.2",
     "proxy-from-env": "^1.1.0",
@@ -72,11 +72,11 @@
     "winston-transport": "^4.7.1",
     "ws": "^8.18.3",
     "zod": "^4.1.5",
+    "@lody/cli-supervisor": "0.0.1",
     "@lody/convex": "0.0.1",
     "@lody/loro-streams-rpc": "0.0.1",
     "@lody/shared": "0.0.1",
-    "loro-code": "0.0.1",
-    "@lody/cli-supervisor": "0.0.1"
+    "loro-code": "0.0.1"
   },
   "files": [
     "dist",