neoagent 2.3.1-beta.2 → 2.3.1-beta.20

package/.env.example

@@ -6,6 +6,10 @@ PORT=3333
 NODE_ENV=production
 SESSION_SECRET=change-this-to-a-random-secret-in-production
 
+# Optional: dedicated key for encrypting local at-rest secrets (for example API_KEYS.json).
+# If unset, encryption falls back to SESSION_SECRET.
+# NEOAGENT_DATA_ENCRYPTION_KEY=
+
 # Public base URL used for OAuth callbacks and external links.
 # Example: https://agent.example.com
 PUBLIC_URL=
@@ -94,6 +98,18 @@ GOOGLE_AI_KEY=your-google-ai-key-here
 #   • MiniMax-M2.7 via the Anthropic-compatible MiniMax endpoint
 MINIMAX_API_KEY=your-minimax-api-key-here
 
+# GitHub Copilot OAuth token — used for:
+#   • Copilot-backed chat/coding models (gpt-5.3, gpt-4.1)
+# Set via: neoagent login github-copilot
+GITHUB_COPILOT_ACCESS_TOKEN=
+
+# OpenAI Codex OAuth token — used for:
+#   • Codex-backed chat/coding models (gpt-5.3-codex, gpt-4.1-codex)
+# Set via: neoagent login openai-codex
+OPENAI_CODEX_ACCESS_TOKEN=
+# Optional refresh token if your login flow returns it.
+OPENAI_CODEX_REFRESH_TOKEN=
+
 ########################################
 # Provider endpoint overrides
 ########################################
@@ -101,6 +117,10 @@ MINIMAX_API_KEY=your-minimax-api-key-here
 # OPENAI_BASE_URL=https://your-openai-compatible-endpoint/v1
 # ANTHROPIC_BASE_URL=https://your-anthropic-compatible-endpoint
 # XAI_BASE_URL=https://api.x.ai/v1
+# OPENAI_CODEX_BASE_URL=https://chatgpt.com/backend-api/codex
+# OPENAI_CODEX_EDITOR_VERSION=vscode/1.99.0
+# OPENAI_CODEX_EDITOR_PLUGIN_VERSION=neoagent/1.0.0
+# OPENAI_CODEX_USER_AGENT=NeoAgent/1.0.0
 
 ########################################
 # Official integrations
@@ -139,6 +159,21 @@ FIGMA_OAUTH_CLIENT_ID=your-figma-oauth-client-id
 FIGMA_OAUTH_CLIENT_SECRET=your-figma-oauth-client-secret
 FIGMA_OAUTH_REDIRECT_URI=
 
+# GitHub official integration OAuth client.
+# Redirect URI should match <PUBLIC_URL>/api/integrations/oauth/callback.
+# Prefer least-privilege OAuth scopes for your use case.
+# Read-oriented examples: public_repo (public repositories), repo:status (commit status), read:org (org membership).
+# Avoid broad blanket scopes unless explicitly required by a specific write workflow.
+GITHUB_OAUTH_CLIENT_ID=your-github-oauth-client-id
+GITHUB_OAUTH_CLIENT_SECRET=your-github-oauth-client-secret
+GITHUB_OAUTH_REDIRECT_URI=
+
+# Spotify official integration OAuth client.
+# Redirect URI should match <PUBLIC_URL>/api/integrations/oauth/callback.
+SPOTIFY_OAUTH_CLIENT_ID=your-spotify-oauth-client-id
+SPOTIFY_OAUTH_CLIENT_SECRET=your-spotify-oauth-client-secret
+SPOTIFY_OAUTH_REDIRECT_URI=
+
 ########################################
 # Tools and media services
 ########################################
@@ -163,6 +198,10 @@ DEEPGRAM_LANGUAGE=multi
 
 OLLAMA_URL=http://localhost:11434
 
+# Local screen OCR capture (macOS desktop context recorder).
+# Set to false to disable background screen capture/OCR polling.
+NEOAGENT_SCREEN_RECORDER_ENABLED=true
+
 ########################################
 # Messaging and voice integrations
 ########################################

package/README.md

@@ -22,6 +22,8 @@
 ```bash
 npm install -g neoagent
 neoagent install
+
+neoagent migrate
 ```
 
 ## Manage the Service

package/docs/capabilities.md

@@ -75,10 +75,10 @@ The agent tool `read_health_data` returns summaries and recent samples. It is de
 
 NeoAgent has two separate integration layers:
 
-- Official integrations expose structured tools for Google Workspace, Microsoft 365, Notion, Slack, Figma, Home Assistant, Weather, Spotify, and a separate personal WhatsApp connection.
+- Official integrations expose structured tools for Google Workspace, Microsoft 365, Notion, Slack, Figma, Home Assistant, Trello, Weather, Spotify, and a separate personal WhatsApp connection.
 - Messaging platforms let the agent talk through WhatsApp, Telegram, Discord, Slack, Google Chat, Teams, Matrix, Signal, iMessage/BlueBubbles, IRC, Twitch, LINE, Mattermost, configurable webhook bridges, and Telnyx Voice.
 
-Official integration examples include Gmail thread search and send mail, Google Calendar events, Drive upload/download/export/share links, Docs create/append/replace, Sheets read/update/append/create, Microsoft Outlook/Calendar/OneDrive/Teams tools, Notion search/page/block/database tools, Slack conversation/message tools, Figma file/node/comment/image tools, Home Assistant entity/config reads and service calls, Weather current/forecast tools plus weather-event task triggers, Spotify playback/search/control tools, and a personal WhatsApp integration with isolated chat read/send tools and per-account read-only versus read/write access.
+Official integration examples include Gmail thread search and send mail, Google Calendar events, Drive upload/download/export/share links, Docs create/append/replace, Sheets read/update/append/create, Microsoft Outlook/Calendar/OneDrive/Teams tools, Notion search/page/block/database tools, Slack conversation/message tools, Figma file/node/comment/image tools, Home Assistant entity/config reads and service calls, Trello board/list/card/comment/search tools, Weather current/forecast tools plus weather-event task triggers, Spotify playback/search/control tools, and a personal WhatsApp integration with isolated chat read/send tools and per-account read-only versus read/write access.
 
 Messaging examples include Telegram and Discord messages, Slack channel replies, Matrix room messages, Google Chat and Teams webhook delivery, Signal bridge delivery, iMessage/BlueBubbles sends, WhatsApp text and media sends, Telnyx inbound voice, Telnyx outbound calls, and scheduled-task call delivery.
 

package/docs/configuration.md

@@ -68,7 +68,7 @@ Recording insight generation is controlled in app AI settings with `auto_recordi
 
 ## Official Integrations
 
-Official integrations use OAuth or provider-native account linking and expose structured tools to the agent. The built-in registry currently covers Google Workspace, Notion, Microsoft 365, Slack, Figma, Home Assistant, Weather, Spotify, and personal WhatsApp.
+Official integrations use OAuth or provider-native account linking and expose structured tools to the agent. The built-in registry currently covers Google Workspace, Notion, Microsoft 365, Slack, Figma, Home Assistant, Trello, Weather, Spotify, and personal WhatsApp.
 
 All OAuth callbacks default to `PUBLIC_URL + /api/integrations/oauth/callback` unless you set a provider-specific redirect URI.
 
@@ -90,14 +90,22 @@ All OAuth callbacks default to `PUBLIC_URL + /api/integrations/oauth/callback` u
 | `FIGMA_OAUTH_CLIENT_ID` | Figma OAuth client ID |
 | `FIGMA_OAUTH_CLIENT_SECRET` | Figma OAuth client secret |
 | `FIGMA_OAUTH_REDIRECT_URI` | Optional Figma OAuth callback URL |
-| `HOME_ASSISTANT_BASE_URL` | Home Assistant base URL, for example `https://ha.example.com` |
-| `HOME_ASSISTANT_OAUTH_CLIENT_ID` | Home Assistant OAuth client ID |
-| `HOME_ASSISTANT_OAUTH_CLIENT_SECRET` | Home Assistant OAuth client secret |
-| `HOME_ASSISTANT_OAUTH_REDIRECT_URI` | Optional Home Assistant OAuth callback URL |
+| `HOME_ASSISTANT_BASE_URL` | Optional fallback Home Assistant base URL. Users can configure this per account in Official Integrations. |
+| `HOME_ASSISTANT_OAUTH_CLIENT_ID` | Optional fallback Home Assistant OAuth client ID. |
+| `HOME_ASSISTANT_OAUTH_CLIENT_SECRET` | Optional fallback Home Assistant OAuth client secret. |
+| `HOME_ASSISTANT_OAUTH_REDIRECT_URI` | Optional fallback Home Assistant OAuth callback URL. |
+| `HOME_ASSISTANT_ALLOW_PRIVATE_BASE_URL` | Optional safety override. Set to `1` only if you intentionally allow Home Assistant base URLs on localhost/private networks. |
+| `TRELLO_API_KEY` | Not used. Trello is configured per user in Official Integrations. |
+| `TRELLO_TOKEN` | Not used. Trello is configured per user in Official Integrations. |
 | `SPOTIFY_OAUTH_CLIENT_ID` | Spotify OAuth client ID |
 | `SPOTIFY_OAUTH_CLIENT_SECRET` | Spotify OAuth client secret |
 | `SPOTIFY_OAUTH_REDIRECT_URI` | Optional Spotify OAuth callback URL |
 
+Home Assistant and Trello no longer require server-side setup. Each user can open Official Integrations and enter their own provider-specific credentials in the Flutter UI.
+For safety, local/private Home Assistant targets are blocked by default unless `HOME_ASSISTANT_ALLOW_PRIVATE_BASE_URL=1` is set on the server.
+
+Trello uses each user’s own API key and token. Those values are stored securely per user and are never added to server environment variables.
+
 Weather integration uses Open-Meteo public endpoints and does not require OAuth environment variables.
 
 ## Messaging

package/docs/integrations.md

@@ -14,10 +14,13 @@ The built-in registry includes:
 | Slack | Conversations, history, posting, search, user info, and Slack Web API requests |
 | Figma | Current user, files, nodes, rendered images, comments, and Figma REST requests |
 | Home Assistant | Entity/config reads, service calls, and Home Assistant REST API requests |
+| Trello | Boards, lists, cards, comments, search, and Trello REST API requests |
 | Weather | Keyless Open-Meteo current weather and forecast tools |
 | Spotify | Playback state, recently played, search, and playback controls |
 
-OAuth app credentials are configured through server environment variables. Account connections are created in the Flutter UI under **Integrations**. Connected tools are exposed to the agent as structured tools, so prefer them over browser automation when they can do the job.
+OAuth app credentials are configured through server environment variables for most providers. Home Assistant and Trello can also be configured per-user in the Flutter **Integrations** UI without any server-side setup. Account connections are created in the Flutter UI under **Integrations**. Connected tools are exposed to the agent as structured tools, so prefer them over browser automation when they can do the job.
+
+Trello uses a user-supplied API key and token instead of OAuth. Those values are stored per user in the encrypted integration config store, and Trello does not need any server environment variables.
 
 Weather note: the Weather integration uses Open-Meteo public APIs and does not require OAuth client credentials.
 

package/lib/manager.js

@@ -542,6 +542,40 @@ async function cmdSetup() {
   const normalizedDeploymentMode = parseDeploymentMode(deploymentMode);
   const normalizedReleaseChannel = parseReleaseChannel(releaseChannel) || 'stable';
 
+  const githubOauthClientId = await askSecret(
+    'GitHub OAuth client ID',
+    current.GITHUB_OAUTH_CLIENT_ID || ''
+  );
+  const githubOauthClientSecret = await askSecret(
+    'GitHub OAuth client secret',
+    current.GITHUB_OAUTH_CLIENT_SECRET || ''
+  );
+  const githubOauthRedirectUri = await ask(
+    'GitHub OAuth redirect URI',
+    current.GITHUB_OAUTH_REDIRECT_URI || ''
+  );
+
+  const homeAssistantOauthClientId = await askSecret(
+    'Home Assistant OAuth client ID',
+    current.HOME_ASSISTANT_OAUTH_CLIENT_ID || ''
+  );
+  const homeAssistantOauthClientSecret = await askSecret(
+    'Home Assistant OAuth client secret',
+    current.HOME_ASSISTANT_OAUTH_CLIENT_SECRET || ''
+  );
+  const homeAssistantOauthRedirectUri = await ask(
+    'Home Assistant OAuth redirect URI',
+    current.HOME_ASSISTANT_OAUTH_REDIRECT_URI || ''
+  );
+  const homeAssistantBaseUrl = await ask(
+    'Home Assistant base URL (e.g., https://ha.example.com)',
+    current.HOME_ASSISTANT_BASE_URL || ''
+  );
+  const homeAssistantAllowPrivateUrl = current.HOME_ASSISTANT_ALLOW_PRIVATE_BASE_URL === '1' ? 'true' : await ask(
+    'Allow local/private Home Assistant base URLs? (true/false)',
+    'false'
+  );
+
   const lines = [
     `NODE_ENV=production`,
     `PORT=${port}`,
@@ -576,6 +610,14 @@ async function cmdSetup() {
     figmaOauthClientId ? `FIGMA_OAUTH_CLIENT_ID=${figmaOauthClientId}` : '',
     figmaOauthClientSecret ? `FIGMA_OAUTH_CLIENT_SECRET=${figmaOauthClientSecret}` : '',
     figmaOauthRedirectUri ? `FIGMA_OAUTH_REDIRECT_URI=${figmaOauthRedirectUri}` : '',
+    githubOauthClientId ? `GITHUB_OAUTH_CLIENT_ID=${githubOauthClientId}` : '',
+    githubOauthClientSecret ? `GITHUB_OAUTH_CLIENT_SECRET=${githubOauthClientSecret}` : '',
+    githubOauthRedirectUri ? `GITHUB_OAUTH_REDIRECT_URI=${githubOauthRedirectUri}` : '',
+    homeAssistantOauthClientId ? `HOME_ASSISTANT_OAUTH_CLIENT_ID=${homeAssistantOauthClientId}` : '',
+    homeAssistantOauthClientSecret ? `HOME_ASSISTANT_OAUTH_CLIENT_SECRET=${homeAssistantOauthClientSecret}` : '',
+    homeAssistantOauthRedirectUri ? `HOME_ASSISTANT_OAUTH_REDIRECT_URI=${homeAssistantOauthRedirectUri}` : '',
+    homeAssistantBaseUrl ? `HOME_ASSISTANT_BASE_URL=${homeAssistantBaseUrl}` : '',
+    String(homeAssistantAllowPrivateUrl || '').trim().toLowerCase() === 'true' ? `HOME_ASSISTANT_ALLOW_PRIVATE_BASE_URL=1` : '',
     deepgramApiKey ? `DEEPGRAM_API_KEY=${deepgramApiKey}` : '',
     deepgramBaseUrl ? `DEEPGRAM_BASE_URL=${deepgramBaseUrl}` : '',
     deepgramModel ? `DEEPGRAM_MODEL=${deepgramModel}` : '',
@@ -674,6 +716,172 @@ async function cmdMigrate(args = []) {
   });
 }
 
+async function cmdLogin(args = []) {
+  const provider = args[0];
+  if (provider !== 'github-copilot' && provider !== 'openai-codex') {
+    throw new Error(`Unsupported login provider: ${provider || 'none'}. Available: github-copilot, openai-codex`);
+  }
+
+  if (provider === 'github-copilot') {
+    heading('GitHub Copilot Login');
+    const clientId = '01ab8ac9400c4e429b23';
+    logInfo('Requesting device code from GitHub...');
+
+    const reqRes = await fetch('https://github.com/login/device/code', {
+      method: 'POST',
+      headers: { 'Accept': 'application/json', 'Content-Type': 'application/json' },
+      body: JSON.stringify({ client_id: clientId, scope: 'user:email' })
+    });
+
+    if (!reqRes.ok) {
+      throw new Error(`Failed to request device code: HTTP ${reqRes.status}`);
+    }
+
+    const { device_code, user_code, verification_uri, interval } = await reqRes.json();
+
+    console.log(`\n  ${COLORS.cyan}Please visit:${COLORS.reset} ${verification_uri}`);
+    console.log(`  ${COLORS.cyan}And enter the code:${COLORS.reset} ${COLORS.bold}${user_code}${COLORS.reset}\n`);
+    
+    logInfo('Waiting for authorization (timeout in 15m)...');
+    const startTime = Date.now();
+    const timeoutMs = 15 * 60 * 1000;
+    let currentPollInterval = (interval || 5) * 1000;
+
+    while (Date.now() - startTime < timeoutMs) {
+      await new Promise((r) => setTimeout(r, currentPollInterval));
+      const tokenRes = await fetch('https://github.com/login/oauth/access_token', {
+        method: 'POST',
+        headers: { 'Accept': 'application/json', 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          client_id: clientId,
+          device_code,
+          grant_type: 'urn:ietf:params:oauth:grant-type:device_code'
+        })
+      });
+
+      if (!tokenRes.ok) {
+        const errorText = await tokenRes.text().catch(() => 'Unknown error');
+        throw new Error(`GitHub token request failed: HTTP ${tokenRes.status} - ${errorText}`);
+      }
+
+      const data = await tokenRes.json();
+      if (data.access_token) {
+        upsertEnvValue('GITHUB_COPILOT_ACCESS_TOKEN', data.access_token);
+        logOk('Successfully authenticated and saved GitHub Copilot access token to .env');
+        logInfo('Applying updated provider credentials by restarting NeoAgent...');
+        cmdRestart();
+        return;
+      } else if (data.error === 'authorization_pending') {
+        // Continue polling
+      } else if (data.error === 'slow_down') {
+        currentPollInterval += 5000;
+      } else if (data.error) {
+        throw new Error(`Authentication failed: ${data.error_description || data.error}`);
+      }
+    }
+    throw new Error('GitHub authentication timed out after 15 minutes.');
+  } else if (provider === 'openai-codex') {
+    heading('OpenAI Codex Login');
+    const clientId = 'app_EMoamEEZ73f0CkXaXp7hrann';
+    logInfo('Requesting device code from OpenAI...');
+
+    const reqRes = await fetch('https://auth.openai.com/api/accounts/deviceauth/usercode', {
+      method: 'POST',
+      headers: { 'Accept': 'application/json', 'Content-Type': 'application/json' },
+      body: JSON.stringify({ client_id: clientId, scope: 'openid profile email offline_access model.request model.read model.create' })
+    });
+
+    if (!reqRes.ok) {
+      throw new Error(`Failed to request device code: HTTP ${reqRes.status}`);
+    }
+
+    const data = await reqRes.json();
+    const { device_auth_id, interval } = data;
+    const user_code = data.user_code || data.usercode;
+    const verification_uri = 'https://auth.openai.com/codex/device';
+
+    console.log(`\n  ${COLORS.cyan}Please visit:${COLORS.reset} ${verification_uri}`);
+    console.log(`  ${COLORS.cyan}And enter the code:${COLORS.reset} ${COLORS.bold}${user_code}${COLORS.reset}\n`);
+
+    logInfo('Waiting for authorization (timeout in 15m)...');
+    const startTime = Date.now();
+    const timeoutMs = 15 * 60 * 1000;
+    let currentPollInterval = (interval || 5) * 1000;
+    let authorizationCode = null;
+    let codeVerifier = null;
+
+    while (Date.now() - startTime < timeoutMs) {
+      await new Promise((r) => setTimeout(r, currentPollInterval));
+      const tokenRes = await fetch('https://auth.openai.com/api/accounts/deviceauth/token', {
+        method: 'POST',
+        headers: { 'Accept': 'application/json', 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          device_auth_id: device_auth_id,
+          user_code: user_code
+        })
+      });
+
+      if (tokenRes.status === 403 || tokenRes.status === 404) {
+        // These statuses are returned by OpenAI while authorization is pending
+        continue;
+      }
+
+      if (!tokenRes.ok) {
+        const errorText = await tokenRes.text().catch(() => 'Unknown error');
+        throw new Error(`OpenAI token request failed: HTTP ${tokenRes.status} - ${errorText}`);
+      }
+
+      const pollData = await tokenRes.json();
+      if (pollData.authorization_code && pollData.code_verifier) {
+        authorizationCode = pollData.authorization_code;
+        codeVerifier = pollData.code_verifier;
+        break;
+      } else if (pollData.error === 'authorization_pending') {
+        // Continue polling
+      } else if (pollData.error === 'slow_down') {
+        currentPollInterval += 5000;
+      } else if (pollData.error) {
+        throw new Error(`Authentication failed: ${pollData.error_description || pollData.error}`);
+      }
+    }
+
+    if (!authorizationCode || !codeVerifier) {
+      throw new Error('OpenAI authentication timed out after 15 minutes.');
+    }
+
+    logInfo('Exchanging authorization code for access token...');
+    const exchangeRes = await fetch('https://auth.openai.com/oauth/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        grant_type: 'authorization_code',
+        code: authorizationCode,
+        redirect_uri: 'https://auth.openai.com/deviceauth/callback',
+        client_id: clientId,
+        code_verifier: codeVerifier
+      })
+    });
+
+    if (!exchangeRes.ok) {
+      const errorText = await exchangeRes.text().catch(() => 'Unknown error');
+      throw new Error(`OpenAI token exchange failed: HTTP ${exchangeRes.status} - ${errorText}`);
+    }
+
+    const exchangeData = await exchangeRes.json();
+    if (exchangeData.access_token) {
+      upsertEnvValue('OPENAI_CODEX_ACCESS_TOKEN', exchangeData.access_token);
+      if (exchangeData.refresh_token) {
+        upsertEnvValue('OPENAI_CODEX_REFRESH_TOKEN', exchangeData.refresh_token);
+      }
+      logOk('Successfully authenticated and saved OpenAI Codex tokens to .env');
+      logInfo('Applying updated provider credentials by restarting NeoAgent...');
+      cmdRestart();
+    } else {
+      throw new Error('OpenAI token exchange succeeded but did not return an access token.');
+    }
+  }
+}
+
 function installDependencies() {
   heading('Dependencies');
   runOrThrow('npm', ['install', '--omit=dev', '--no-audit', '--no-fund'], {
@@ -864,7 +1072,15 @@ function cmdRestart() {
   heading(`Restart ${APP_NAME}`);
   buildBundledWebClientIfPossible();
   cmdStop();
-  cmdStart();
+}
+
+async function cmdRebuildWeb() {
+  heading(`Rebuild Flutter Web Client`);
+  if (fs.existsSync(WEB_CLIENT_DIR)) {
+    fs.rmSync(WEB_CLIENT_DIR, { recursive: true, force: true });
+    logOk('Removed old web client build');
+  }
+  buildBundledWebClientIfPossible();
 }
 
 function cmdUninstall() {
@@ -962,6 +1178,8 @@ function cmdUpdate(args = []) {
   }
   const versionBefore = currentInstalledVersionLabel();
   let versionAfter = versionBefore;
+  const githubInstallRef = releaseChannel === 'beta' ? '#beta' : '';
+  const githubInstallSpec = `git+https://github.com/NeoLabs-Systems/NeoAgent.git${githubInstallRef}`;
 
   if (fs.existsSync(path.join(APP_DIR, '.git')) && commandExists('git')) {
     const current = runQuiet('git', ['rev-parse', '--short', 'HEAD']);
@@ -982,17 +1200,16 @@ function cmdUpdate(args = []) {
       buildBundledWebClientIfPossible();
     }
   } else {
-    const npmTag = resolvePreferredNpmTag(releaseChannel);
-    logWarn(`No git repo detected; attempting npm global update from ${npmTag}.`);
+    logWarn(`No git repo detected; attempting npm global update from ${githubInstallSpec}.`);
     if (commandExists('npm')) {
       try {
         backupRuntimeData();
-        runOrThrow('npm', ['install', '-g', `neoagent@${npmTag}`, '--force'], {
+        runOrThrow('npm', ['install', '-g', githubInstallSpec, '--force'], {
           env: withInstallEnv()
         });
-        logOk('npm global update completed (forced reinstall)');
+        logOk('npm global update completed (forced reinstall from GitHub)');
       } catch {
-        logWarn(`npm global update failed. Run: npm install -g neoagent@${npmTag} --force`);
+        logWarn(`npm global update failed. Run: npm install -g ${githubInstallSpec} --force`);
       }
     } else {
       logWarn('npm not found. Cannot perform global update.');
@@ -1062,7 +1279,8 @@ async function cmdEnv(args = []) {
 function printHelp() {
   console.log(`${APP_NAME} manager`);
   console.log('Usage: neoagent <command>');
-  console.log('Commands: install | setup | env | channel | update | restart | start | stop | status | logs | uninstall | migrate');
+  console.log('Commands: install | setup | env | channel | update | restart | rebuild-web | start | stop | status | logs | uninstall | migrate | login');
+  console.log('Login usage: neoagent login github-copilot | neoagent login openai-codex');
   console.log('Channel usage: neoagent channel | neoagent channel stable | neoagent channel beta');
   console.log('Update usage: neoagent update | neoagent update stable | neoagent update beta');
   console.log('Env usage: neoagent env list | neoagent env get PORT | neoagent env set PORT 3333 | neoagent env unset PORT');
@@ -1094,6 +1312,9 @@ async function runCLI(argv) {
     case 'restart':
       cmdRestart();
       break;
+    case 'rebuild-web':
+      await cmdRebuildWeb();
+      break;
     case 'start':
       cmdStart();
       break;
@@ -1112,6 +1333,9 @@ async function runCLI(argv) {
     case 'migrate':
       await cmdMigrate(argv.slice(1));
       break;
+    case 'login':
+      await cmdLogin(argv.slice(1));
+      break;
     case 'help':
     case '--help':
     case '-h':

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "neoagent",
-  "version": "2.3.1-beta.2",
+  "version": "2.3.1-beta.20",
   "description": "Proactive personal AI agent with no limits",
   "license": "MIT",
   "main": "server/index.js",
@@ -80,6 +80,7 @@
     "socket.io": "^4.8.1",
     "telegraf": "^4.16.3",
     "telnyx": "^5.51.0",
+    "tesseract.js": "^7.0.0",
     "uuid": "^11.1.0",
     "ws": "^8.19.0"
   },

package/server/db/database.js

@@ -272,6 +272,17 @@ db.exec(`
     FOREIGN KEY (agent_id) REFERENCES agents(id) ON DELETE SET NULL
   );
 
+  CREATE TABLE IF NOT EXISTS integration_provider_configs (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id INTEGER NOT NULL,
+    provider_key TEXT NOT NULL,
+    config_json TEXT DEFAULT '{}',
+    created_at TEXT DEFAULT (datetime('now')),
+    updated_at TEXT DEFAULT (datetime('now')),
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
+    UNIQUE(user_id, provider_key)
+  );
+
   CREATE TABLE IF NOT EXISTS browser_extension_pairing_requests (
     id TEXT PRIMARY KEY,
     user_id INTEGER,
@@ -651,6 +662,40 @@ db.exec(`
   CREATE INDEX IF NOT EXISTS idx_recording_chunks_source ON recording_chunks(source_id, sequence_index);
   CREATE INDEX IF NOT EXISTS idx_recording_segments_session ON recording_transcript_segments(session_id, start_ms, created_at);
 
+  CREATE TABLE IF NOT EXISTS screen_history (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id INTEGER NOT NULL,
+    timestamp TEXT DEFAULT (datetime('now')),
+    app_name TEXT,
+    text_content TEXT,
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+  );
+
+  CREATE TABLE IF NOT EXISTS notification_history (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id INTEGER NOT NULL,
+    app_package TEXT,
+    title TEXT,
+    body TEXT,
+    timestamp TEXT DEFAULT (datetime('now')),
+    action_taken TEXT,
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+  );
+
+  CREATE TABLE IF NOT EXISTS geofences (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id INTEGER NOT NULL,
+    label TEXT,
+    latitude REAL NOT NULL,
+    longitude REAL NOT NULL,
+    radius_meters INTEGER NOT NULL,
+    trigger_action TEXT,
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_screen_history_user ON screen_history(user_id, timestamp DESC);
+  CREATE INDEX IF NOT EXISTS idx_notification_history_user ON notification_history(user_id, timestamp DESC);
+
   CREATE TABLE IF NOT EXISTS artifacts (
     id TEXT PRIMARY KEY,
     user_id INTEGER NOT NULL,
@@ -676,6 +721,29 @@ db.exec(`
 
 try {
   db.exec(`
+    CREATE VIRTUAL TABLE IF NOT EXISTS screen_history_fts USING fts5(
+      text_content,
+      app_name,
+      timestamp UNINDEXED,
+      user_id UNINDEXED,
+      tokenize = 'porter unicode61'
+    );
+
+    CREATE TRIGGER IF NOT EXISTS screen_history_fts_ai AFTER INSERT ON screen_history BEGIN
+      INSERT INTO screen_history_fts(rowid, text_content, app_name, timestamp, user_id)
+      VALUES (new.id, COALESCE(new.text_content, ''), COALESCE(new.app_name, ''), new.timestamp, new.user_id);
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS screen_history_fts_ad AFTER DELETE ON screen_history BEGIN
+      DELETE FROM screen_history_fts WHERE rowid = old.id;
+    END;
+
+    CREATE TRIGGER IF NOT EXISTS screen_history_fts_au AFTER UPDATE ON screen_history BEGIN
+      DELETE FROM screen_history_fts WHERE rowid = old.id;
+      INSERT INTO screen_history_fts(rowid, text_content, app_name, timestamp, user_id)
+      VALUES (new.id, COALESCE(new.text_content, ''), COALESCE(new.app_name, ''), new.timestamp, new.user_id);
+    END;
+
     CREATE VIRTUAL TABLE IF NOT EXISTS conversation_history_fts USING fts5(
       content,
       role UNINDEXED,

package/server/http/middleware.js

@@ -88,7 +88,18 @@ function buildHelmetOptions({ secureCookies }) {
   return {
     strictTransportSecurity: false,
     crossOriginOpenerPolicy: false,
+    crossOriginResourcePolicy: { policy: 'same-site' },
     originAgentCluster: false,
+    referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+    permissionsPolicy: {
+      features: {
+        camera: ['self'],
+        geolocation: ['self'],
+        microphone: ['self'],
+        payment: [],
+        usb: [],
+      },
+    },
     contentSecurityPolicy: {
       directives: {
         defaultSrc: ["'self'"],
@@ -154,6 +165,16 @@ function applyHttpMiddleware(app, { secureCookies, trustProxy, sessionMiddleware
     const path = `${value}`.split('?')[0];
     return path === '/socket.io/' || path === '/socket.io' || path.startsWith('/socket.io/');
   };
+  const isStateChangingMethod = (method = '') => ['POST', 'PUT', 'PATCH', 'DELETE'].includes(String(method).toUpperCase());
+  const extractOriginFromReferer = (referer = '') => {
+    const value = String(referer || '').trim();
+    if (!value) return '';
+    try {
+      return new URL(value).origin;
+    } catch {
+      return '';
+    }
+  };
   const requestPath = (req) => req.originalUrl || req.url || req.path || '';
   const applyOnlyToRecordingChunk = (handler) => (req, res, next) => (
     isRecordingChunkPath(requestPath(req)) ? handler(req, res, next) : next()
@@ -187,6 +208,35 @@ function applyHttpMiddleware(app, { secureCookies, trustProxy, sessionMiddleware
       });
     })
   );
+  app.use((req, res, next) => {
+    const path = `${req.originalUrl || req.url || req.path || ''}`.split('?')[0];
+    if (path.startsWith('/api/')) {
+      res.setHeader('Cache-Control', 'no-store, max-age=0');
+      res.setHeader('Pragma', 'no-cache');
+      res.setHeader('Expires', '0');
+    }
+    next();
+  });
+  app.use((req, res, next) => {
+    const path = `${req.originalUrl || req.url || req.path || ''}`.split('?')[0];
+    if (!path.startsWith('/api/')) return next();
+    if (!isStateChangingMethod(req.method)) return next();
+
+    const origin = String(req.get('origin') || '').trim() || extractOriginFromReferer(req.get('referer'));
+    if (!origin) return next();
+
+    const allowBrowserExtensionOrigin = isBrowserExtensionCorsPath(path);
+    return validateOrigin(origin, (error) => {
+      if (error) {
+        logRequestSummary('warn', req, 'blocked state-changing request due to invalid origin', { origin });
+        return res.status(403).json({ error: 'Origin not allowed' });
+      }
+      return next();
+    }, {
+      allowChromeExtension: allowBrowserExtensionOrigin,
+      allowMissingOrigin: false,
+    });
+  });
   app.use((req, res, next) => {
     const startedAt = Date.now();
 

package/server/http/routes.js

@@ -26,7 +26,9 @@ const routeRegistry = [
   { basePath: '/api/desktop', modulePath: '../routes/desktop' },
   { basePath: '/api/recordings', modulePath: '../routes/recordings' },
   { basePath: '/api/voice-assistant', modulePath: '../routes/voice_assistant' },
-  { basePath: '/api/mobile/health', modulePath: '../routes/mobile-health' }
+  { basePath: '/api/mobile/health', modulePath: '../routes/mobile-health' },
+  { basePath: '/api/screen-history', modulePath: '../routes/screenHistory' },
+  { basePath: '/api/triggers', modulePath: '../routes/triggers' }
 ];
 
 function registerApiRoutes(app) {

package/server/index.js

@@ -97,6 +97,7 @@ if (!configuredSessionSecret()) {
 }
 
 const app = express();
+app.disable('x-powered-by');
 const httpServer = createServer(app);
 const io = createSocketServer(httpServer, { validateOrigin });
 app.locals.httpRuntimeConfig = {

package/server/public/.last_build_id

@@ -1 +1 @@
-dc2ac3821de37958afef0c20433c5630
+6a766d17dbfd039c552814519add74f6