morpheus-cli 0.9.33 → 0.9.40

package/dist/channels/telegram.js

@@ -1408,7 +1408,7 @@ export class TelegramAdapter {
     }
     async handleStartCommand(ctx, user) {
         const welcomeMessage = `
-Hello, @${user}! I am ${this.config.get().agent.name}, ${this.config.get().agent.personality}.
+Hello, @${user}! I am ${this.config.get().agent.name},
 
 I am your local AI operator/agent. Here are the commands you can use:
 

package/dist/cli/commands/start.js

@@ -23,6 +23,7 @@ import { TaskWorker } from '../../runtime/tasks/worker.js';
 import { TaskNotifier } from '../../runtime/tasks/notifier.js';
 import { ChronosWorker } from '../../runtime/chronos/worker.js';
 import { ChronosRepository } from '../../runtime/chronos/repository.js';
+import { OAuthManager } from '../../runtime/oauth/manager.js';
 import { SkillRegistry } from '../../runtime/skills/index.js';
 import { MCPToolCache } from '../../runtime/tools/cache.js';
 import { SmithRegistry } from '../../runtime/smiths/registry.js';
@@ -244,6 +245,12 @@ export const startCommand = new Command('start')
                 // Use CLI port if provided and valid, otherwise fallback to config or default
                 const port = parseInt(options.port) || config.ui.port || 3333;
                 httpServer.start(port);
+                // Initialize OAuth manager with the HTTP port (needed for redirect URI)
+                const oauthManager = OAuthManager.getInstance(port);
+                oauthManager.setNotifyFn(async (serverName, url) => {
+                    const msg = `🔐 MCP *${serverName}* requires OAuth authorization.\n\nClick to authenticate:\n${url.toString()}`;
+                    ChannelRegistry.broadcast(msg);
+                });
             }
             catch (e) {
                 display.log(chalk.red(`Failed to start Web UI: ${e.message}`), { source: 'Zaion' });

package/dist/config/paths.js

@@ -22,4 +22,5 @@ export const PATHS = {
     trinityDb: path.join(MORPHEUS_ROOT, 'memory', 'trinity.db'),
     satiDb: path.join(MORPHEUS_ROOT, 'memory', 'sati-memory.db'),
     linkDb: path.join(MORPHEUS_ROOT, 'memory', 'link.db'),
+    oauthTokens: path.join(MORPHEUS_ROOT, 'oauth-tokens.json'),
 };

package/dist/config/schemas.js

@@ -154,6 +154,12 @@ export const ConfigSchema = z.object({
         retention: z.string().default(DEFAULT_CONFIG.logging.retention),
     }).default(DEFAULT_CONFIG.logging),
 });
+export const OAuth2ConfigSchema = z.object({
+    grant_type: z.enum(['client_credentials', 'authorization_code']).default('authorization_code'),
+    client_id: z.string().optional(),
+    client_secret: z.string().optional(),
+    scope: z.string().optional(),
+});
 export const MCPServerConfigSchema = z.discriminatedUnion('transport', [
     z.object({
         transport: z.literal('stdio'),
@@ -166,6 +172,7 @@ export const MCPServerConfigSchema = z.discriminatedUnion('transport', [
         transport: z.literal('http'),
         url: z.string().url('Valid URL is required for http transport'),
         headers: z.record(z.string(), z.string()).optional().default({}),
+        oauth2: OAuth2ConfigSchema.optional(),
         args: z.array(z.string()).optional().default([]),
         env: z.record(z.string(), z.string()).optional().default({}),
         _comment: z.string().optional(),

package/dist/http/api.js

@@ -24,6 +24,7 @@ import { createDangerRouter } from './routers/danger.js';
 import { createLinkRouter } from './routers/link.js';
 import { createAgentsRouter } from './routers/agents.js';
 import { createDisplayRouter } from './routers/display.js';
+import { createModelPresetsRouter } from './routers/model-presets.js';
 import { getActiveEnvOverrides } from '../config/precedence.js';
 import { hotReloadConfig, getRestartRequiredChanges } from '../runtime/hot-reload.js';
 import { AuditRepository } from '../runtime/audit/repository.js';
@@ -61,6 +62,10 @@ export function createApiRouter(oracle, chronosWorker) {
     router.use('/agents', createAgentsRouter());
     // Mount Display Stream router
     router.use('/display', createDisplayRouter());
+    // Mount Model Presets router
+    router.use('/model-presets', createModelPresetsRouter());
+    // NOTE: OAuth router is mounted in server.ts BEFORE auth middleware
+    // so the callback endpoint is publicly accessible (browser redirect).
     // --- Session Management ---
     router.get('/sessions', async (req, res) => {
         try {

package/dist/http/routers/model-presets.js

@@ -0,0 +1,169 @@
+import { Router } from 'express';
+import { z } from 'zod';
+import { randomUUID } from 'crypto';
+import { SQLiteChatMessageHistory } from '../../runtime/memory/sqlite.js';
+import { encrypt, safeDecrypt, looksLikeEncrypted, canEncrypt } from '../../runtime/trinity-crypto.js';
+const PresetBodySchema = z.object({
+    name: z.string().min(1).max(100).trim(),
+    provider: z.string().min(1),
+    model: z.string().min(1),
+    api_key: z.string().optional().nullable(),
+    base_url: z.string().optional().nullable(),
+    temperature: z.number().min(0).max(2).optional().nullable(),
+    max_tokens: z.number().int().positive().optional().nullable(),
+});
+function isNameConflict(err) {
+    const msg = String(err?.message ?? '');
+    return msg.includes('UNIQUE constraint failed: model_presets.name');
+}
+export function createModelPresetsRouter() {
+    const router = Router();
+    // GET /api/model-presets — list all (api_key masked)
+    router.get('/', (req, res) => {
+        const h = new SQLiteChatMessageHistory({ sessionId: 'presets-api' });
+        try {
+            const rows = h.listModelPresets();
+            const result = rows.map(({ api_key, ...rest }) => ({
+                ...rest,
+                has_api_key: !!api_key,
+            }));
+            res.json(result);
+        }
+        catch (err) {
+            res.status(500).json({ error: err.message });
+        }
+        finally {
+            h.close();
+        }
+    });
+    // GET /api/model-presets/:id/decrypt — returns decrypted api_key (must be before /:id)
+    router.get('/:id/decrypt', (req, res) => {
+        const h = new SQLiteChatMessageHistory({ sessionId: 'presets-api' });
+        try {
+            const preset = h.getModelPreset(req.params.id);
+            if (!preset)
+                return res.status(404).json({ error: 'Preset not found.' });
+            if (!preset.api_key)
+                return res.json({ api_key: null });
+            if (looksLikeEncrypted(preset.api_key)) {
+                if (!canEncrypt()) {
+                    return res.json({ api_key: null, error: 'MORPHEUS_SECRET is not set — cannot decrypt.' });
+                }
+                return res.json({ api_key: safeDecrypt(preset.api_key) });
+            }
+            // Plaintext stored (MORPHEUS_SECRET was not set when saved)
+            res.json({ api_key: preset.api_key });
+        }
+        catch (err) {
+            res.status(500).json({ error: err.message });
+        }
+        finally {
+            h.close();
+        }
+    });
+    // GET /api/model-presets/:id — single preset (api_key masked)
+    router.get('/:id', (req, res) => {
+        const h = new SQLiteChatMessageHistory({ sessionId: 'presets-api' });
+        try {
+            const preset = h.getModelPreset(req.params.id);
+            if (!preset)
+                return res.status(404).json({ error: 'Preset not found.' });
+            const { api_key, ...rest } = preset;
+            res.json({ ...rest, has_api_key: !!api_key });
+        }
+        catch (err) {
+            res.status(500).json({ error: err.message });
+        }
+        finally {
+            h.close();
+        }
+    });
+    // POST /api/model-presets — create
+    router.post('/', (req, res) => {
+        const parsed = PresetBodySchema.safeParse(req.body);
+        if (!parsed.success)
+            return res.status(400).json({ error: parsed.error.issues });
+        const { name, provider, model, api_key, base_url, temperature, max_tokens } = parsed.data;
+        const h = new SQLiteChatMessageHistory({ sessionId: 'presets-api' });
+        try {
+            const now = new Date().toISOString();
+            let storedKey = null;
+            if (api_key) {
+                storedKey = canEncrypt() ? encrypt(api_key) : api_key;
+            }
+            const id = randomUUID();
+            h.upsertModelPreset({ id, name, provider, model, api_key: storedKey, base_url: base_url ?? null, temperature: temperature ?? null, max_tokens: max_tokens ?? null, created_at: now, updated_at: now });
+            res.status(201).json({ id, success: true });
+        }
+        catch (err) {
+            if (isNameConflict(err))
+                return res.status(409).json({ error: 'A preset with that name already exists.' });
+            res.status(500).json({ error: err.message });
+        }
+        finally {
+            h.close();
+        }
+    });
+    // PUT /api/model-presets/:id — update
+    router.put('/:id', (req, res) => {
+        const parsed = PresetBodySchema.safeParse(req.body);
+        if (!parsed.success)
+            return res.status(400).json({ error: parsed.error.issues });
+        const h = new SQLiteChatMessageHistory({ sessionId: 'presets-api' });
+        try {
+            const existing = h.getModelPreset(req.params.id);
+            if (!existing)
+                return res.status(404).json({ error: 'Preset not found.' });
+            const { name, provider, model, api_key, base_url, temperature, max_tokens } = parsed.data;
+            // api_key update logic:
+            // - absent from body (undefined): keep existing
+            // - null or "": clear
+            // - non-empty string: encrypt and replace
+            let storedKey = existing.api_key ?? null;
+            if ('api_key' in req.body) {
+                if (!api_key) {
+                    storedKey = null; // clear
+                }
+                else {
+                    storedKey = canEncrypt() ? encrypt(api_key) : api_key;
+                }
+            }
+            h.upsertModelPreset({
+                id: req.params.id,
+                name, provider, model,
+                api_key: storedKey,
+                base_url: base_url ?? null,
+                temperature: temperature ?? null,
+                max_tokens: max_tokens ?? null,
+                created_at: existing.created_at,
+                updated_at: new Date().toISOString(),
+            });
+            res.json({ success: true });
+        }
+        catch (err) {
+            if (isNameConflict(err))
+                return res.status(409).json({ error: 'A preset with that name already exists.' });
+            res.status(500).json({ error: err.message });
+        }
+        finally {
+            h.close();
+        }
+    });
+    // DELETE /api/model-presets/:id
+    router.delete('/:id', (req, res) => {
+        const h = new SQLiteChatMessageHistory({ sessionId: 'presets-api' });
+        try {
+            const changes = h.deleteModelPreset(req.params.id);
+            if (changes === 0)
+                return res.status(404).json({ error: 'Preset not found.' });
+            res.json({ success: true });
+        }
+        catch (err) {
+            res.status(500).json({ error: err.message });
+        }
+        finally {
+            h.close();
+        }
+    });
+    return router;
+}

package/dist/http/routers/oauth.js

@@ -0,0 +1,93 @@
+import { Router } from 'express';
+import { OAuthManager } from '../../runtime/oauth/manager.js';
+import { MCPToolCache } from '../../runtime/tools/cache.js';
+import { DisplayManager } from '../../runtime/display.js';
+const display = DisplayManager.getInstance();
+export function createOAuthRouter() {
+    const router = Router();
+    /**
+     * GET /api/oauth/callback?code=...&state=...
+     * Receives the OAuth redirect after user authorizes in their browser.
+     */
+    router.get('/callback', async (req, res) => {
+        const { code, state } = req.query;
+        if (!code || typeof code !== 'string') {
+            res.status(400).send(renderHtml('Authorization Failed', 'Missing authorization code. Please try again.', false));
+            return;
+        }
+        try {
+            const oauthManager = OAuthManager.getInstance();
+            const result = await oauthManager.finishAuth(code, state);
+            display.log(`OAuth callback: '${result.serverName}' authorized (${result.toolCount} tools)`, {
+                level: 'info',
+                source: 'OAuth',
+            });
+            // Trigger MCP tool reload in background
+            MCPToolCache.getInstance().reload().catch(err => {
+                display.log(`Failed to reload MCP tools after OAuth: ${err}`, {
+                    level: 'warning',
+                    source: 'OAuth',
+                });
+            });
+            res.send(renderHtml('Authorization Successful', `MCP server <strong>${result.serverName}</strong> has been authorized. ` +
+                `${result.toolCount} tools are now available. You can close this window.`, true));
+        }
+        catch (error) {
+            display.log(`OAuth callback failed: ${error.message}`, {
+                level: 'warning',
+                source: 'OAuth',
+            });
+            res.status(500).send(renderHtml('Authorization Failed', `Error: ${error.message}`, false));
+        }
+    });
+    /**
+     * GET /api/oauth/status
+     * Returns OAuth status for all MCP servers with OAuth data.
+     */
+    router.get('/status', async (_req, res) => {
+        try {
+            const oauthManager = OAuthManager.getInstance();
+            const statuses = oauthManager.getStatus();
+            res.json({ servers: statuses });
+        }
+        catch (error) {
+            res.status(500).json({ error: error.message });
+        }
+    });
+    /**
+     * DELETE /api/oauth/tokens/:name
+     * Revoke and remove stored OAuth token for an MCP server.
+     */
+    router.delete('/tokens/:name', async (req, res) => {
+        try {
+            const oauthManager = OAuthManager.getInstance();
+            oauthManager.revokeToken(req.params.name);
+            res.json({ ok: true, message: `Token revoked for '${req.params.name}'` });
+        }
+        catch (error) {
+            res.status(500).json({ error: error.message });
+        }
+    });
+    return router;
+}
+function renderHtml(title, message, success) {
+    const color = success ? '#22c55e' : '#ef4444';
+    const icon = success ? '&#10003;' : '&#10007;';
+    return `<!DOCTYPE html>
+<html><head><title>Morpheus OAuth - ${title}</title>
+<style>
+  body { font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center;
+         min-height: 100vh; margin: 0; background: #0a0a0a; color: #e0e0e0; }
+  .card { text-align: center; padding: 2rem; border: 1px solid ${color}; border-radius: 12px;
+          max-width: 400px; background: #111; }
+  .icon { font-size: 3rem; color: ${color}; margin-bottom: 1rem; }
+  h1 { font-size: 1.25rem; margin: 0 0 1rem; }
+  p { color: #999; line-height: 1.5; margin: 0; }
+  strong { color: #e0e0e0; }
+</style></head>
+<body><div class="card">
+  <div class="icon">${icon}</div>
+  <h1>${title}</h1>
+  <p>${message}</p>
+</div></body></html>`;
+}

package/dist/http/server.js

@@ -9,6 +9,7 @@ import { createApiRouter } from './api.js';
 import { createWebhooksRouter } from './webhooks-router.js';
 import { authMiddleware } from './middleware/auth.js';
 import { WebhookDispatcher } from '../runtime/webhooks/dispatcher.js';
+import { createOAuthRouter } from './routers/oauth.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 export class HttpServer {
@@ -55,6 +56,9 @@ export class HttpServer {
         // The trigger endpoint is public (validated via x-api-key header internally).
         // All other webhook management endpoints apply authMiddleware internally.
         this.app.use('/api/webhooks', createWebhooksRouter());
+        // OAuth callback — public (browser redirect from OAuth provider, no API key).
+        // Status/revoke endpoints remain auth-guarded inside the /api block.
+        this.app.use('/api/oauth', createOAuthRouter());
         this.app.use('/api', authMiddleware, createApiRouter(this.oracle, this.chronosWorker));
         // Serve static frontend from compiled output
         const uiPath = path.resolve(__dirname, '../ui');

package/dist/runtime/memory/sqlite.js

@@ -207,6 +207,19 @@ export class SQLiteChatMessageHistory extends BaseListChatMessageHistory {
           ('google', 'gemini-1.5-pro', 1.25, 5.0),
           ('google', 'gemini-1.5-flash', 0.075, 0.3);
 
+        CREATE TABLE IF NOT EXISTS model_presets (
+          id          TEXT PRIMARY KEY,
+          name        TEXT UNIQUE NOT NULL,
+          provider    TEXT NOT NULL,
+          model       TEXT NOT NULL,
+          api_key     TEXT,
+          base_url    TEXT,
+          temperature REAL,
+          max_tokens  INTEGER,
+          created_at  TEXT NOT NULL,
+          updated_at  TEXT NOT NULL
+        );
+
       `);
             this.migrateTable();
         }
@@ -268,52 +281,90 @@ export class SQLiteChatMessageHistory extends BaseListChatMessageHistory {
         catch (error) {
             console.warn(`[SQLite] model_pricing migration failed: ${error}`);
         }
+        // Ensure model_presets table exists for databases created before this feature
+        try {
+            this.db.exec(`
+        CREATE TABLE IF NOT EXISTS model_presets (
+          id          TEXT PRIMARY KEY,
+          name        TEXT UNIQUE NOT NULL,
+          provider    TEXT NOT NULL,
+          model       TEXT NOT NULL,
+          api_key     TEXT,
+          base_url    TEXT,
+          temperature REAL,
+          max_tokens  INTEGER,
+          created_at  TEXT NOT NULL,
+          updated_at  TEXT NOT NULL
+        )
+      `);
+        }
+        catch (error) {
+            console.warn(`[SQLite] model_presets migration failed: ${error}`);
+        }
     }
     /**
      * Removes orphaned ToolMessages and incomplete tool-call groups that can
-     * appear when the LIMIT clause truncates the message window mid-sequence.
+     * appear when the LIMIT clause truncates the message window mid-sequence,
+     * or when a previous session ended mid-execution leaving dangling tool calls.
      *
-     * Messages arrive in DESC order (newest first). An orphaned ToolMessage at
-     * the end of this array means its parent AIMessage (with tool_calls) was
-     * outside the window. We also strip AIMessages whose tool_calls have no
-     * corresponding ToolMessage responses in the window.
+     * Handles both ends of the window:
+     *   START — orphaned ToolMessages / AIMessages whose tool responses were cut off
+     *   END   — AIMessages with unanswered tool_calls (session ended mid-execution),
+     *            which would cause Gemini to reject the next human turn
      */
     sanitizeMessageWindow(messages) {
         if (messages.length === 0)
             return messages;
         // Work in chronological order (reverse of DESC) for easier reasoning.
         const chrono = [...messages].reverse();
-        // Drop leading ToolMessages that have no preceding AIMessage with matching tool_calls.
+        // ── START sanitization ─────────────────────────────────────────────────
+        // Drop leading ToolMessages that have no preceding AIMessage with tool_calls.
         let startIdx = 0;
         while (startIdx < chrono.length && chrono[startIdx] instanceof ToolMessage) {
             startIdx++;
         }
-        // Also drop a leading AIMessage that has tool_calls but whose ToolMessage
+        // Drop a leading AIMessage that has tool_calls but whose ToolMessage
         // responses were trimmed (they would have been before it in the DB).
         if (startIdx < chrono.length && chrono[startIdx] instanceof AIMessage) {
             const ai = chrono[startIdx];
             if (ai.tool_calls && ai.tool_calls.length > 0) {
-                // Check if ALL tool_call responses exist after this AIMessage
                 const toolCallIds = ai.tool_calls.map((tc) => tc.id).filter(Boolean);
                 const remaining = chrono.slice(startIdx + 1);
-                let allFound = true;
-                for (let i = 0; i < toolCallIds.length; i++) {
-                    const hasResponse = remaining.some((m) => m instanceof ToolMessage && m.tool_call_id === toolCallIds[i]);
-                    if (!hasResponse) {
-                        allFound = false;
-                        break;
-                    }
-                }
+                const allFound = toolCallIds.every((id) => remaining.some((m) => m instanceof ToolMessage && m.tool_call_id === id));
                 if (!allFound)
                     startIdx++;
             }
         }
-        if (startIdx === 0) {
+        // ── END sanitization ───────────────────────────────────────────────────
+        // Walk backwards from the end and strip any trailing AIMessage that has
+        // unanswered tool_calls (session ended mid-execution). Gemini requires that
+        // a function_call turn is ALWAYS immediately followed by a function_response
+        // turn — a human turn after a dangling tool call causes a 400 error.
+        let endIdx = chrono.length;
+        while (endIdx > startIdx) {
+            const last = chrono[endIdx - 1];
+            if (!(last instanceof AIMessage))
+                break;
+            const ai = last;
+            if (!ai.tool_calls || ai.tool_calls.length === 0)
+                break;
+            // This AIMessage has tool_calls — check if all responses exist before it
+            const toolCallIds = ai.tool_calls.map((tc) => tc.id).filter(Boolean);
+            const before = chrono.slice(startIdx, endIdx - 1);
+            const allAnswered = toolCallIds.every((id) => before.some((m) => m instanceof ToolMessage && m.tool_call_id === id));
+            if (allAnswered)
+                break; // complete group — keep it
+            // Incomplete: strip this AIMessage and any trailing ToolMessages after it
+            endIdx--;
+            while (endIdx > startIdx && chrono[endIdx - 1] instanceof ToolMessage) {
+                endIdx--;
+            }
+        }
+        if (startIdx === 0 && endIdx === chrono.length) {
             // No sanitization needed — return original DESC order.
             return messages;
         }
-        // Return in the original DESC order (newest first), excluding trimmed messages.
-        const sanitized = chrono.slice(startIdx);
+        const sanitized = chrono.slice(startIdx, endIdx);
         sanitized.reverse();
         return sanitized;
     }
@@ -800,6 +851,32 @@ export class SQLiteChatMessageHistory extends BaseListChatMessageHistory {
         const result = this.db.prepare('DELETE FROM model_pricing WHERE provider = ? AND model = ?').run(provider, model);
         return result.changes;
     }
+    // --- Model Presets CRUD ---
+    listModelPresets() {
+        return this.db.prepare('SELECT id, name, provider, model, api_key, base_url, temperature, max_tokens, created_at, updated_at FROM model_presets ORDER BY name').all();
+    }
+    getModelPreset(id) {
+        return this.db.prepare('SELECT id, name, provider, model, api_key, base_url, temperature, max_tokens, created_at, updated_at FROM model_presets WHERE id = ?').get(id);
+    }
+    upsertModelPreset(entry) {
+        const now = new Date().toISOString();
+        this.db.prepare(`
+      INSERT INTO model_presets (id, name, provider, model, api_key, base_url, temperature, max_tokens, created_at, updated_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(id) DO UPDATE SET
+        name        = excluded.name,
+        provider    = excluded.provider,
+        model       = excluded.model,
+        api_key     = excluded.api_key,
+        base_url    = excluded.base_url,
+        temperature = excluded.temperature,
+        max_tokens  = excluded.max_tokens,
+        updated_at  = excluded.updated_at
+    `).run(entry.id, entry.name, entry.provider, entry.model, entry.api_key ?? null, entry.base_url ?? null, entry.temperature ?? null, entry.max_tokens ?? null, entry.created_at ?? now, now);
+    }
+    deleteModelPreset(id) {
+        return this.db.prepare('DELETE FROM model_presets WHERE id = ?').run(id).changes;
+    }
     /**
      * Clears all messages for the current session from the database.
      */