metame-cli 1.4.33 → 1.5.0

package/scripts/daemon-agent-commands.js

@@ -28,8 +28,26 @@ function createAgentCommandHandler(deps) {
     attachOrCreateSession,
     agentFlowTtlMs,
     agentBindTtlMs,
+    getDefaultEngine = () => 'claude',
   } = deps;
 
+  function normalizeEngineName(name) {
+    const n = String(name || '').trim().toLowerCase();
+    return n === 'codex' ? 'codex' : getDefaultEngine();
+  }
+
+  function inferEngineByCwd(cfg, cwd) {
+    if (!cfg || !cfg.projects || !cwd) return null;
+    const targetCwd = normalizeCwd(cwd);
+    for (const proj of Object.values(cfg.projects || {})) {
+      if (!proj || !proj.cwd) continue;
+      if (normalizeCwd(proj.cwd) === targetCwd) {
+        return normalizeEngineName(proj.engine);
+      }
+    }
+    return null;
+  }
+
   // Pending activations have no TTL — they persist until consumed.
   // The creating chatId is stored to prevent self-activation.
 
@@ -127,7 +145,12 @@ function createAgentCommandHandler(deps) {
       const action = res.data.isNewProject ? '绑定成功' : '重新绑定';
       const displayCwd = String(res.data.cwd || '').replace(HOME, '~');
       if (res.data.cwd && typeof attachOrCreateSession === 'function') {
-        attachOrCreateSession(chatId, normalizeCwd(res.data.cwd), p.name || agentName || res.data.projectKey || '');
+        attachOrCreateSession(
+          chatId,
+          normalizeCwd(res.data.cwd),
+          p.name || agentName || res.data.projectKey || '',
+          p.engine || getDefaultEngine()
+        );
       }
       await bot.sendMessage(chatId, `${icon} ${p.name || agentName} ${action}\n目录: ${displayCwd}`);
       return { ok: true, data: res.data };
@@ -140,7 +163,7 @@ function createAgentCommandHandler(deps) {
     }
     const fallbackCwd = (fallback.data && fallback.data.cwd) || agentCwd;
     if (fallbackCwd && typeof attachOrCreateSession === 'function') {
-      attachOrCreateSession(chatId, normalizeCwd(fallbackCwd), agentName || '');
+      attachOrCreateSession(chatId, normalizeCwd(fallbackCwd), agentName || '', getDefaultEngine());
     }
     return {
       ok: true,
@@ -163,9 +186,9 @@ function createAgentCommandHandler(deps) {
 
   async function createAgentViaUnifiedApi(chatId, name, dir, roleDesc, opts = {}) {
     // Default: skip binding the creating chat — let the target group activate via /activate
-    const { skipChatBinding = true } = opts;
+    const { skipChatBinding = true, engine = null } = opts;
     if (agentTools && typeof agentTools.createNewWorkspaceAgent === 'function') {
-      const res = await agentTools.createNewWorkspaceAgent(name, dir, roleDesc, chatId, { skipChatBinding });
+      const res = await agentTools.createNewWorkspaceAgent(name, dir, roleDesc, chatId, { skipChatBinding, engine });
       if (res.ok && skipChatBinding && res.data && res.data.projectKey) {
         storePendingActivation(res.data.projectKey, name, res.data.cwd, chatId);
       }
@@ -273,10 +296,14 @@ function createAgentCommandHandler(deps) {
       const cwd = fullMatch.projectPath || (getSession(chatId) && getSession(chatId).cwd) || HOME;
 
       const state2 = loadState();
+      const cfgForEngine = loadConfig();
+      const engineByTargetCwd = inferEngineByCwd(cfgForEngine, cwd);
+      const currentEngine = normalizeEngineName(state2.sessions[chatId] && state2.sessions[chatId].engine);
       state2.sessions[chatId] = {
         id: sessionId,
         cwd,
         started: true,
+        engine: engineByTargetCwd || currentEngine,
       };
       saveState(state2);
       const name = fullMatch.customTitle;
@@ -485,7 +512,36 @@ function createAgentCommandHandler(deps) {
             }
           }
         }
-        // No pending activation at all — guide to manual bind
+        // No pending activation — fall back to scanning daemon.yaml for unbound projects
+        const allBoundKeys = new Set(Object.values({
+          ...(cfg.telegram ? cfg.telegram.chat_agent_map : {}),
+          ...(cfg.feishu ? cfg.feishu.chat_agent_map : {}),
+        }));
+        const unboundProjects = Object.entries(cfg.projects || {})
+          .filter(([key, p]) => p && p.cwd && !allBoundKeys.has(key))
+          .map(([key, p]) => ({ key, name: p.name || key, cwd: p.cwd, icon: p.icon || '🤖' }));
+
+        if (unboundProjects.length === 1) {
+          // Exactly one unbound project — auto-bind using project KEY (not display name)
+          // to ensure toProjectKey() resolves to the correct existing key in daemon.yaml
+          const proj = unboundProjects[0];
+          const bindRes2 = await bindViaUnifiedApi(bot, chatId, proj.key, proj.cwd);
+          if (bindRes2.ok) pendingActivations && pendingActivations.delete(proj.key);
+          return true;
+        }
+
+        if (unboundProjects.length > 1) {
+          // Multiple unbound projects — show pick list using project keys
+          const lines = ['请选择要激活的 Agent：', ''];
+          for (const p of unboundProjects) {
+            lines.push(`${p.icon} ${p.name}  →  \`/agent bind ${p.key} ${p.cwd}\``);
+          }
+          lines.push('\n发送对应命令即可绑定此群。');
+          await bot.sendMessage(chatId, lines.join('\n'));
+          return true;
+        }
+
+        // Truly nothing to activate
         await bot.sendMessage(chatId,
           '没有待激活的 Agent。\n\n如果已创建过 Agent，直接用:\n`/agent bind <名称> <目录>`\n即可绑定，不需要重新创建。'
         );
@@ -517,4 +573,6 @@ function createAgentCommandHandler(deps) {
   return { handleAgentCommand };
 }
 
-module.exports = { createAgentCommandHandler };
+module.exports = {
+  createAgentCommandHandler,
+};

package/scripts/daemon-agent-tools.js

@@ -31,13 +31,17 @@ function createAgentTools(deps) {
     return (String(agentName || '').replace(/[^a-zA-Z0-9_]/g, '_').toLowerCase() || String(chatId));
   }
 
+  function normalizeEngine(engine) {
+    return String(engine || '').trim().toLowerCase() === 'codex' ? 'codex' : 'claude';
+  }
+
   function ensureAdapterConfig(cfg, adapterKey) {
     if (!cfg[adapterKey]) cfg[adapterKey] = {};
     if (!cfg[adapterKey].allowed_chat_ids) cfg[adapterKey].allowed_chat_ids = [];
     if (!cfg[adapterKey].chat_agent_map) cfg[adapterKey].chat_agent_map = {};
   }
 
-  async function bindAgentToChat(chatId, agentName, workspaceDir, { force = false } = {}) {
+  async function bindAgentToChat(chatId, agentName, workspaceDir, { force = false, engine = null } = {}) {
     try {
       const safeName = sanitizeText(agentName, 120);
       if (!safeName) return { ok: false, error: 'agentName is required' };
@@ -49,6 +53,7 @@ function createAgentTools(deps) {
 
       const projectKey = toProjectKey(safeName, chatId);
       let resolvedDir = resolveWorkspaceDir(workspaceDir);
+      const normalizedEngine = engine ? normalizeEngine(engine) : null;
 
       if (!resolvedDir) {
         const existing = cfg.projects[projectKey];
@@ -80,7 +85,12 @@ function createAgentTools(deps) {
       cfg[adapterKey].chat_agent_map[String(chatId)] = projectKey;
       const existed = !!cfg.projects[projectKey];
       if (!existed) {
-        cfg.projects[projectKey] = { name: safeName, cwd: resolvedDir, nicknames: [safeName] };
+        cfg.projects[projectKey] = {
+          name: safeName,
+          cwd: resolvedDir,
+          nicknames: [safeName],
+          ...(normalizedEngine === 'codex' ? { engine: 'codex' } : {}),
+        };
       } else {
         const nicknames = Array.isArray(cfg.projects[projectKey].nicknames)
           ? cfg.projects[projectKey].nicknames
@@ -91,6 +101,7 @@ function createAgentTools(deps) {
           name: safeName,
           cwd: resolvedDir,
           nicknames,
+          ...(normalizedEngine === 'codex' ? { engine: 'codex' } : {}),
         };
       }
 
@@ -175,8 +186,9 @@ ${safeDelta}
     }
   }
 
-  async function createNewWorkspaceAgent(agentName, workspaceDir, roleDescription, chatId, { skipChatBinding = false } = {}) {
+  async function createNewWorkspaceAgent(agentName, workspaceDir, roleDescription, chatId, { skipChatBinding = false, engine = null } = {}) {
     let bindData;
+    const normalizedEngine = engine ? normalizeEngine(engine) : null;
 
     if (skipChatBinding) {
       // Create the project entry without touching chat_agent_map
@@ -192,7 +204,16 @@ ${safeDelta}
       const projectKey = toProjectKey(safeName, chatId);
       const existed = !!cfg.projects[projectKey];
       if (!existed) {
-        cfg.projects[projectKey] = { name: safeName, cwd: resolvedDir, nicknames: [safeName] };
+        cfg.projects[projectKey] = {
+          name: safeName,
+          cwd: resolvedDir,
+          nicknames: [safeName],
+          ...(normalizedEngine === 'codex' ? { engine: 'codex' } : {}),
+        };
+        writeConfigSafe(cfg);
+        backupConfig();
+      } else if (normalizedEngine === 'codex') {
+        cfg.projects[projectKey] = { ...cfg.projects[projectKey], engine: 'codex' };
         writeConfigSafe(cfg);
         backupConfig();
       }
@@ -204,7 +225,7 @@ ${safeDelta}
         project: cfg.projects[projectKey],
       };
     } else {
-      const bindResult = await bindAgentToChat(chatId, agentName, workspaceDir);
+      const bindResult = await bindAgentToChat(chatId, agentName, workspaceDir, { engine: normalizedEngine });
       if (!bindResult.ok) return bindResult;
       bindData = bindResult.data;
     }

package/scripts/daemon-bridges.js

@@ -1,5 +1,8 @@
 'use strict';
 
+let userAcl = null;
+try { userAcl = require('./daemon-user-acl'); } catch { /* optional */ }
+
 function createBridgeStarter(deps) {
   const {
     fs,
@@ -15,6 +18,52 @@ function createBridgeStarter(deps) {
     pendingActivations,  // optional — used to show smart activation hint
   } = deps;
 
+  async function sendAclReply(bot, chatId, text) {
+    if (!text) return;
+    try {
+      if (bot.sendMarkdown) await bot.sendMarkdown(chatId, text);
+      else await bot.sendMessage(chatId, text.replace(/[*_`]/g, ''));
+    } catch { /* non-fatal */ }
+  }
+
+  function normalizeSenderId(senderId) {
+    if (senderId === undefined || senderId === null) return null;
+    const text = String(senderId).trim();
+    return text || null;
+  }
+
+  async function applyUserAcl({ bot, chatId, text, config, senderId, bypassAcl }) {
+    const trimmed = String(text || '').trim();
+    const normalizedSenderId = normalizeSenderId(senderId);
+    if (!trimmed || bypassAcl || !userAcl) {
+      return { blocked: false, readOnly: false, senderId: normalizedSenderId };
+    }
+
+    let userCtx;
+    try {
+      userCtx = userAcl.resolveUserCtx(normalizedSenderId, config || {});
+    } catch {
+      return { blocked: false, readOnly: false, senderId: normalizedSenderId };
+    }
+
+    const userCmd = userAcl.handleUserCommand(trimmed, userCtx);
+    if (userCmd && userCmd.handled) {
+      await sendAclReply(bot, chatId, userCmd.reply);
+      return { blocked: true, readOnly: !!userCtx.readOnly, senderId: normalizedSenderId };
+    }
+
+    const publicCmds = Array.isArray(userAcl.PUBLIC_COMMANDS) ? userAcl.PUBLIC_COMMANDS : [];
+    const isPublic = publicCmds.includes(trimmed.toLowerCase());
+    const action = userAcl.classifyCommandAction(trimmed);
+    const allowed = isPublic || (typeof userCtx.can === 'function' && userCtx.can(action));
+    if (!allowed) {
+      await sendAclReply(bot, chatId, `⚠️ 当前权限不足（角色: ${userCtx.role}）\n命令类型: ${action}\n请联系管理员授权。`);
+      return { blocked: true, readOnly: true, senderId: normalizedSenderId };
+    }
+
+    return { blocked: false, readOnly: !!userCtx.readOnly, senderId: normalizedSenderId };
+  }
+
   // Returns the best pending activation for a given chatId (excludes self-created)
   function getPendingActivationForChat(chatId) {
     if (!pendingActivations || pendingActivations.size === 0) return null;
@@ -67,12 +116,26 @@ function createBridgeStarter(deps) {
             if (update.callback_query) {
               const cb = update.callback_query;
               const chatId = cb.message && cb.message.chat.id;
+              const senderId = cb.from && cb.from.id ? String(cb.from.id) : null;
               bot.answerCallback(cb.id).catch(() => { });
               if (chatId && cb.data) {
                 const liveCfg = loadConfig();
                 const allowedIds = (liveCfg.telegram && liveCfg.telegram.allowed_chat_ids) || [];
                 if (!allowedIds.includes(chatId)) continue;
-                handleCommand(bot, chatId, cb.data, liveCfg, executeTaskByName).catch(e => {
+                const isBindCmd = cb.data.startsWith('/agent bind')
+                  || cb.data.startsWith('/agent-bind-dir')
+                  || cb.data.startsWith('/browse bind')
+                  || cb.data === '/activate';
+                const acl = await applyUserAcl({
+                  bot,
+                  chatId,
+                  text: cb.data,
+                  config: liveCfg,
+                  senderId,
+                  bypassAcl: !allowedIds.includes(chatId) && !!isBindCmd,
+                });
+                if (acl.blocked) continue;
+                handleCommand(bot, chatId, cb.data, liveCfg, executeTaskByName, acl.senderId, acl.readOnly).catch(e => {
                   log('ERROR', `Telegram callback handler error: ${e.message}`);
                 });
               }
@@ -83,6 +146,7 @@ function createBridgeStarter(deps) {
 
             const msg = update.message;
             const chatId = msg.chat.id;
+            const senderId = msg.from && msg.from.id ? String(msg.from.id) : null;
 
             const liveCfg = loadConfig();
             const allowedIds = (liveCfg.telegram && liveCfg.telegram.allowed_chat_ids) || [];
@@ -93,7 +157,8 @@ function createBridgeStarter(deps) {
               || trimmedText.startsWith('/browse bind')
               || trimmedText === '/activate'
             );
-            if (!allowedIds.includes(chatId) && !isBindCmd) {
+            const isAllowedChat = allowedIds.includes(chatId);
+            if (!isAllowedChat && !isBindCmd) {
               log('WARN', `Rejected message from unauthorized chat: ${chatId}`);
               bot.sendMessage(chatId, unauthorizedMsg(chatId)).catch(() => {});
               continue;
@@ -108,6 +173,15 @@ function createBridgeStarter(deps) {
               const fileId = msg.document ? msg.document.file_id : msg.photo[msg.photo.length - 1].file_id;
               const fileName = msg.document ? msg.document.file_name : `photo_${Date.now()}.jpg`;
               const caption = msg.caption || '';
+              const acl = await applyUserAcl({
+                bot,
+                chatId,
+                text: caption || '[file-upload]',
+                config: liveCfg,
+                senderId,
+                bypassAcl: !isAllowedChat && !!isBindCmd,
+              });
+              if (acl.blocked) continue;
 
               const session = getSession(chatId);
               const cwd = session?.cwd || HOME;
@@ -123,7 +197,7 @@ function createBridgeStarter(deps) {
                   ? `User uploaded a file to the project: ${destPath}\nUser says: "${caption}"`
                   : `User uploaded a file to the project: ${destPath}\nAcknowledge receipt. Only read the file if the user asks you to.`;
 
-                handleCommand(bot, chatId, prompt, liveCfg, executeTaskByName).catch(e => {
+                handleCommand(bot, chatId, prompt, liveCfg, executeTaskByName, acl.senderId, acl.readOnly).catch(e => {
                   log('ERROR', `Telegram file handler error: ${e.message}`);
                 });
               } catch (err) {
@@ -134,7 +208,17 @@ function createBridgeStarter(deps) {
             }
 
             if (msg.text) {
-              handleCommand(bot, chatId, msg.text.trim(), liveCfg, executeTaskByName).catch(e => {
+              const text = msg.text.trim();
+              const acl = await applyUserAcl({
+                bot,
+                chatId,
+                text,
+                config: liveCfg,
+                senderId,
+                bypassAcl: !isAllowedChat && !!isBindCmd,
+              });
+              if (acl.blocked) continue;
+              handleCommand(bot, chatId, text, liveCfg, executeTaskByName, acl.senderId, acl.readOnly).catch(e => {
                 log('ERROR', `Telegram handler error: ${e.message}`);
               });
             }
@@ -182,27 +266,24 @@ function createBridgeStarter(deps) {
           || trimmedText.startsWith('/browse bind')
           || trimmedText === '/activate'
         );
-        if (!allowedIds.includes(chatId) && !isBindCmd) {
+        const isAllowedChat = allowedIds.includes(chatId);
+        if (!isAllowedChat && !isBindCmd) {
           log('WARN', `Feishu: rejected message from ${chatId}`);
           const msg = unauthorizedMsg(chatId);
           (bot.sendMarkdown ? bot.sendMarkdown(chatId, msg) : bot.sendMessage(chatId, msg)).catch(() => {});
           return;
         }
 
-        const operatorIds = (liveCfg.feishu && liveCfg.feishu.operator_ids) || [];
-        if (operatorIds.length > 0 && senderId && !operatorIds.includes(senderId) && !isBindCmd) {
-          log('INFO', `Feishu: read-only message from non-operator ${senderId} in ${chatId}: ${(text || '').slice(0, 50)}`);
-          if (text && text.startsWith('/')) {
-            await (bot.sendMarkdown ? bot.sendMarkdown(chatId, '⚠️ 该操作需要授权，请联系管理员。') : bot.sendMessage(chatId, '⚠️ 该操作需要授权，请联系管理员。'));
-            return;
-          }
-          if (text) {
-            await handleCommand(bot, chatId, text, liveCfg, executeTaskByName, senderId, true);
-          }
-          return;
-        }
-
         if (fileInfo && fileInfo.fileKey) {
+          const acl = await applyUserAcl({
+            bot,
+            chatId,
+            text: text || '[file-upload]',
+            config: liveCfg,
+            senderId,
+            bypassAcl: !isAllowedChat && !!isBindCmd,
+          });
+          if (acl.blocked) return;
           log('INFO', `Feishu file from ${chatId}: ${fileInfo.fileName} (key: ${fileInfo.fileKey}, msgId: ${fileInfo.messageId}, type: ${fileInfo.msgType})`);
           const session = getSession(chatId);
           const cwd = session?.cwd || HOME;
@@ -218,7 +299,7 @@ function createBridgeStarter(deps) {
               ? `User uploaded a file to the project: ${destPath}\nUser says: "${text}"`
               : `User uploaded a file to the project: ${destPath}\nAcknowledge receipt. Only read the file if the user asks you to.`;
 
-            await handleCommand(bot, chatId, prompt, liveCfg, executeTaskByName);
+            await handleCommand(bot, chatId, prompt, liveCfg, executeTaskByName, acl.senderId, acl.readOnly);
           } catch (err) {
             log('ERROR', `Feishu file download failed: ${err.message}`);
             await bot.sendMessage(chatId, `❌ Download failed: ${err.message}`);
@@ -227,6 +308,15 @@ function createBridgeStarter(deps) {
         }
 
         if (text) {
+          const acl = await applyUserAcl({
+            bot,
+            chatId,
+            text,
+            config: liveCfg,
+            senderId,
+            bypassAcl: !isAllowedChat && !!isBindCmd,
+          });
+          if (acl.blocked) return;
           log('INFO', `Feishu message from ${chatId}: ${text.slice(0, 50)}`);
           const parentId = event?.message?.parent_id;
           if (parentId) {
@@ -238,7 +328,7 @@ function createBridgeStarter(deps) {
               log('INFO', `Session restored via reply: ${mapped.id.slice(0, 8)} (${path.basename(mapped.cwd)})`);
             }
           }
-          await handleCommand(bot, chatId, text, liveCfg, executeTaskByName, senderId);
+          await handleCommand(bot, chatId, text, liveCfg, executeTaskByName, acl.senderId, acl.readOnly);
         }
       });