npm - open-agents-ai - Versions diffs - 0.187.532 → 0.187.534 - Mend

open-agents-ai 0.187.532 → 0.187.534

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -526818,6 +526818,85 @@ Pick the SMALLEST concrete deliverable from the spec — typically the project e
           }
         }
       }
+      /**
+       * REG-66 Debug-Loop Detection (root-cause from batch535-midi, 2026-05-04).
+       *
+       * Empirical: midi run had 11x `npm run build 2>&1` + same 5 files re-read
+       * 5-6 times each + 22 BFC-61.G coercion BLOCKS — and ZERO of those blocks
+       * resulted in a creative edit. The agent was rationally stuck: it
+       * believed it needed to read more to debug, the build command kept
+       * giving the same error, and the standard "issue an edit" directive
+       * gave no traction because the agent had no concrete edit hypothesis.
+       *
+       * This method analyzes toolCallLog for the debug-loop signature:
+       *   - Same shell command stem repeated ≥5 times in the trailing window, OR
+       *   - Same file_read path re-read ≥4 times in the trailing window.
+       * Both indicate the agent is reading/running the same things hoping for
+       * different output. Without this signal we'd just keep telling the
+       * agent to "make an edit" — which is exactly what it can't think of.
+       *
+       * When detected, the BFC-61.G block message swaps to a PERTURB-strategy
+       * directive: stop reading, change ONE thing in the most-likely-culprit
+       * file even if you're uncertain, and let the new error signal guide
+       * the next iteration. This is real human debugging strategy ("perturb
+       * to disambiguate"), NOT reward-hacking — the agent still has to
+       * produce a real edit and the success criteria (todos done + build
+       * passing) are unchanged.
+       *
+       * @returns Detection result. `detected=false` → use standard message.
+       *          `detected=true` → use REG-66 perturb-strategy message;
+       *          `repeatedSample` carries the offending command/path for the
+       *          message body so the agent sees the specific pattern called out.
+       */
+      _detectDebugLoop(toolCallLog) {
+        if (process.env["OA_DISABLE_REG66"] === "1")
+          return { detected: false };
+        const WINDOW = 20;
+        const SHELL_REPEAT_THRESHOLD = 5;
+        const READ_REPEAT_THRESHOLD = 4;
+        const window2 = toolCallLog.slice(-WINDOW);
+        if (window2.length < SHELL_REPEAT_THRESHOLD)
+          return { detected: false };
+        const _editClasses = /* @__PURE__ */ new Set(["file_write", "file_edit", "batch_edit", "file_patch"]);
+        for (const c9 of window2) {
+          if (_editClasses.has(c9.name) && c9.success !== false)
+            return { detected: false };
+        }
+        const shellCounts = /* @__PURE__ */ new Map();
+        const readCounts = /* @__PURE__ */ new Map();
+        for (const c9 of window2) {
+          if (c9.name === "shell") {
+            const m2 = c9.argsKey.match(/(?:^|,)command=([^,]+)/);
+            if (m2 && m2[1]) {
+              const stem = m2[1].trim();
+              shellCounts.set(stem, (shellCounts.get(stem) ?? 0) + 1);
+            }
+          } else if (c9.name === "file_read" || c9.name === "file_explore") {
+            const m2 = c9.argsKey.match(/(?:^|,)path=([^,]+)/);
+            if (m2 && m2[1]) {
+              const stem = m2[1].trim();
+              readCounts.set(stem, (readCounts.get(stem) ?? 0) + 1);
+            }
+          }
+        }
+        let bestShell = null;
+        for (const [k, n2] of shellCounts) {
+          if (n2 >= SHELL_REPEAT_THRESHOLD && (!bestShell || n2 > bestShell[1]))
+            bestShell = [k, n2];
+        }
+        let bestRead = null;
+        for (const [k, n2] of readCounts) {
+          if (n2 >= READ_REPEAT_THRESHOLD && (!bestRead || n2 > bestRead[1]))
+            bestRead = [k, n2];
+        }
+        if (bestShell) {
+          return { detected: true, repeatedSample: bestShell[0], count: bestShell[1], kind: "shell" };
+        }
+        if (bestRead) {
+          return { detected: true, repeatedSample: bestRead[0], count: bestRead[1], kind: "read" };
+        }
+        return { detected: false };
+      }
       readSessionTodos() {
         try {
           const sid = process.env["OA_SESSION_ID"] || this._sessionId || "default";
@@ -528818,6 +528897,8 @@ TASK: ${task}` : task;
         try {
           if (this.options.subAgent)
             throw "skip-handoff-subagent";
+          if (process.env["OA_FRESH_SESSION"] === "1")
+            throw "skip-handoff-fresh";
           const oaDir = this._workingDirectory ? _pathJoin(this._workingDirectory, ".oa") : _pathJoin(process.cwd(), ".oa");
           const chainPairs = loadMessagePairsFromLog(oaDir, { currentTask: cleanedTask });
           if (chainPairs.length > 0) {
@@ -530749,7 +530830,32 @@ ${memoryLines.join("\n")}`
                   turn,
                   timestamp: (/* @__PURE__ */ new Date()).toISOString()
                 });
-                const reg61BlockMsg = [
+                const _dbgLoop = this._detectDebugLoop(toolCallLog);
+                const _debugLoopSampleSafe = (_dbgLoop.repeatedSample ?? "").slice(0, 120);
+                const reg61BlockMsg = _dbgLoop.detected ? [
+                  `[BLOCKED — REG-61 directive in effect — REG-66 DEBUG-LOOP detected]`,
+                  ``,
+                  `Pattern: ${_dbgLoop.kind === "shell" ? "shell command" : "file"} "${_debugLoopSampleSafe}" was used ${_dbgLoop.count}× in the trailing window with ZERO creative edits landing. You are stuck in a debug loop where re-running / re-reading is producing no new information.`,
+                  ``,
+                  `STOP DEBUGGING. PERTURB.`,
+                  ``,
+                  `Strategy when stuck like this (real human debuggers do this):`,
+                  `  1. Pick the source file most likely implicated by the recurring failure (probably in src/, the one most-imported by failing tests).`,
+                  `  2. Pick ONE plausible cause — most-recently-modified line, most-complex function, most-likely-misnamed import, most-likely off-by-one.`,
+                  `  3. Make a SPECULATIVE edit that changes that thing — even if you are NOT certain it'll fix the bug. The point is to get a NEW error signal that disambiguates.`,
+                  `  4. Re-run the failing command. If the error CHANGED, you've learned something. If it's identical, you've ruled out one hypothesis.`,
+                  ``,
+                  `This is NOT random guessing — it's targeted hypothesis falsification. Reading the same files 5+ times has already proven uninformative; only a state change will move the system.`,
+                  ``,
+                  `Issue EXACTLY ONE of: file_write / file_edit / batch_edit / file_patch on a single concrete change. The exact CHOICE of edit matters less than NOT continuing to re-read.`,
+                  ``,
+                  `Allowed bypasses (will not be blocked but will not clear the directive either):`,
+                  `  • web_search    — search the EXACT recurring error string`,
+                  `  • task_complete — exit if you genuinely cannot identify any plausible perturbation`,
+                  `  • ask_user      — escalate to human (if available)`,
+                  ``,
+                  `Once you make a real edit, the directive clears and you'll see the new test result.`
+                ].join("\n") : [
                   `[BLOCKED — REG-61 directive in effect]`,
                   ``,
                   `A REG-61 FIRST-EDIT NUDGE was issued earlier and has not yet been satisfied. The directive: your next tool call MUST be a creative edit. You issued '${tc.name}' instead, which is a read/explore/shell call. This call has been BLOCKED.`,
@@ -530777,12 +530883,12 @@ ${memoryLines.join("\n")}`
                 });
                 this.emit({
                   type: "status",
-                  content: `REG-61 COERCION BLOCK — rejected '${tc.name}' at turn ${turn}; gate stays active until creative edit dispatches`,
+                  content: `REG-61 COERCION BLOCK — rejected '${tc.name}' at turn ${turn}; gate stays active until creative edit dispatches${_dbgLoop.detected ? `; REG-66 debug-loop variant (${_dbgLoop.kind} "${_debugLoopSampleSafe.slice(0, 60)}" ${_dbgLoop.count}×)` : ""}`,
                   timestamp: (/* @__PURE__ */ new Date()).toISOString()
                 });
                 this._tagSyntheticFailure({
                   mode: "step_repetition",
-                  rationale: `REG-61 perpetual coercion block on '${tc.name}' — agent ignored FIRST-EDIT NUDGE`
+                  rationale: `REG-61 perpetual coercion block on '${tc.name}' — agent ignored FIRST-EDIT NUDGE${_dbgLoop.detected ? " (debug-loop variant)" : ""}`
                 });
                 return { tc, output: reg61BlockMsg };
               }
@@ -585450,6 +585556,7 @@ async function tryRouteV1(ctx3) {
     const m2 = /^\/v1\/keys\/([^/]+)$/.exec(pathname);
     if (m2 && method === "DELETE") return handleRevokeKey(ctx3, decodeURIComponent(m2[1]));
   }
+  if (pathname === "/v1/share/generate" && method === "POST") return handleGenerateShare(ctx3);
   if (pathname === "/v1/tools" && method === "GET") {
     return handleListTools(ctx3);
   }
@@ -586591,6 +586698,75 @@ async function handleMintKey(ctx3) {
   }
   return true;
 }
+async function handleGenerateShare(ctx3) {
+  const { req: req2, res, requestId } = ctx3;
+  const reqAuth = req2;
+  if (reqAuth._authScope !== "admin") {
+    sendProblem(res, problemDetails({
+      type: P.forbidden,
+      status: 403,
+      title: "Admin scope required",
+      detail: "Generating a share URL mints a runtime key, which requires 'admin' scope.",
+      instance: requestId
+    }));
+    return true;
+  }
+  try {
+    const body = await parseJsonBodyStrict(req2).catch(() => null) ?? {};
+    const label = typeof body["label"] === "string" && body["label"] ? String(body["label"]).slice(0, 100) : `share-${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}`;
+    const scope = typeof body["scope"] === "string" && ["read", "run", "admin"].includes(body["scope"]) ? body["scope"] : "run";
+    const owner = `share:${label}`;
+    const { mintKey: mintKey2 } = await Promise.resolve().then(() => (init_runtime_keys(), runtime_keys_exports));
+    const rec = mintKey2({
+      scope,
+      owner,
+      profile: null
+    });
+    const hostHeader = String(req2.headers["host"] || "").trim();
+    const fallbackHost = process.env["OA_HOST"] || "127.0.0.1:11435";
+    let hostPort = hostHeader || fallbackHost;
+    hostPort = hostPort.replace(/^https?:\/\//i, "");
+    const colonIdx = hostPort.lastIndexOf(":");
+    const host = colonIdx > 0 ? hostPort.slice(0, colonIdx) : hostPort;
+    const portStr = colonIdx > 0 ? hostPort.slice(colonIdx + 1) : "11435";
+    const port = parseInt(portStr, 10) || 11435;
+    const fullKey = rec.key || "";
+    const keyPrefix2 = fullKey.slice(0, 12);
+    if (!fullKey) {
+      sendProblem(res, problemDetails({
+        type: P.internalError,
+        status: 500,
+        title: "Key generation succeeded but no secret returned",
+        detail: "mintKey() did not include the full secret in its response.",
+        instance: requestId
+      }));
+      return true;
+    }
+    const scheme = String(req2.headers["x-forwarded-proto"] || (req2.socket?.encrypted ? "https" : "http"));
+    const shareUrl = `oa-share://${hostPort}#${fullKey}`;
+    const plainUrl = `${scheme}://${hostPort}/?oa-key=${encodeURIComponent(fullKey)}&oa-share-label=${encodeURIComponent(label)}`;
+    sendJson(res, 201, {
+      shareUrl,
+      plainUrl,
+      host,
+      port,
+      key: fullKey,
+      keyPrefix: keyPrefix2,
+      label,
+      issuedAt: rec.created || (/* @__PURE__ */ new Date()).toISOString(),
+      _note: "This is the ONLY response that contains the full key. Hand off the URL now."
+    });
+  } catch (err) {
+    sendProblem(res, problemDetails({
+      type: P.internalError,
+      status: 500,
+      title: "Share URL generation failed",
+      detail: err instanceof Error ? err.message : String(err),
+      instance: requestId
+    }));
+  }
+  return true;
+}
 async function handleRevokeKey(ctx3, prefix) {
   const { req: req2, res, requestId } = ctx3;
   const reqAuth = req2;
@@ -588907,7 +589083,7 @@ body { display:flex; flex-direction:column; height:100vh; margin:0; overflow:hid
     <span id="sidebar-status-dot" style="width:8px;height:8px;border-radius:50%;background:var(--color-fg-faint);flex-shrink:0" title="Backend connection"></span>
     <span id="sidebar-status-text" style="flex:1;white-space:nowrap;overflow:hidden;text-overflow:ellipsis">connecting...</span>
     <button id="sidebar-update-btn" onclick="doUpdate()" style="display:none;background:var(--color-warning);border:none;color:#000;padding:2px 6px;border-radius:var(--radius-sm);font-size:0.6rem;cursor:pointer;font-weight:600">update</button>
-    <button id="sidebar-key-btn" onclick="document.getElementById('key-modal').style.display='flex'" title="Set API key" style="background:transparent;border:1px solid var(--color-border);color:var(--color-fg-muted);padding:2px 6px;border-radius:var(--radius-sm);font-size:0.6rem;cursor:pointer">key</button>
+    <button id="sidebar-key-btn" onclick="openKeyModal()" title="Set API key / share access" style="background:transparent;border:1px solid var(--color-border);color:var(--color-fg-muted);padding:2px 6px;border-radius:var(--radius-sm);font-size:0.6rem;cursor:pointer">key</button>
   </div>
   <!-- Resize handle -->
@@ -589239,14 +589415,21 @@ body { display:flex; flex-direction:column; height:100vh; margin:0; overflow:hid
 </div>
 <div id="key-modal">
-  <form class="modal" onsubmit="event.preventDefault(); saveKey();" autocomplete="off">
-    <h3>API Key</h3>
-    <input id="key-input" type="password" placeholder="Bearer token (leave empty if auth disabled)" autocomplete="new-password">
-    <div>
+  <form class="modal" onsubmit="event.preventDefault(); saveKey();" autocomplete="off" style="min-width:480px">
+    <h3>API Key &amp; Sharing</h3>
+    <div style="position:relative">
+      <input id="key-input" type="password" placeholder="Bearer token (leave empty if auth disabled, or paste an oa-share:// URL to connect remote)" autocomplete="new-password" oninput="onKeyInputChange(this.value)" onfocus="showRecentKeysDropdown()" onblur="setTimeout(hideRecentKeysDropdown, 150)">
+      <div id="key-recent-dropdown" style="display:none;position:absolute;top:100%;left:0;right:0;background:var(--color-bg-elevated);border:1px solid var(--color-border);border-radius:var(--radius-sm);max-height:180px;overflow-y:auto;z-index:10;font-size:0.78rem;margin-top:2px"></div>
+    </div>
+    <p id="key-input-hint" style="font-size:0.7rem;color:var(--color-fg-muted);margin:4px 0 8px">Tip: paste an <code>oa-share://host:port#key</code> URL or <code>http://host:port/?oa-key=…</code> to connect to a remote OA instance.</p>
+    <div style="display:flex;gap:6px;flex-wrap:wrap">
       <button type="submit">save</button>
       <button type="button" onclick="clearKey()">clear</button>
+      <button type="button" onclick="generateShareUrl()" title="Generate a share URL that lets a remote OA instance connect to this one">share access</button>
       <button type="button" onclick="closeKeyModal()">cancel</button>
     </div>
+    <div id="share-result" style="display:none;margin-top:14px;padding:10px;background:var(--color-bg-elevated);border:1px solid var(--color-border);border-radius:var(--radius-sm);font-size:0.78rem"></div>
+    <div id="remote-state" style="display:none;margin-top:14px;padding:10px;background:var(--color-bg-elevated);border:1px solid var(--color-accent);border-radius:var(--radius-sm);font-size:0.78rem"></div>
   </form>
 </div>
@@ -590368,6 +590551,15 @@ async function sendMessage() {
       messageWithContext = filesBlock + text;
     }
+    // FRESH-SESSION: pull the one-shot fresh flag the newChatSession()
+    // handler set. Consumed (cleared) here so subsequent sends within
+    // this same session don't keep claiming "fresh" and miss legitimate
+    // mid-session handoff.
+    let _freshPending = false;
+    try {
+      _freshPending = localStorage.getItem('oa.freshSessionPending') === '1';
+      if (_freshPending) localStorage.removeItem('oa.freshSessionPending');
+    } catch {}
     const body = {
       session_id: chatSessionId,
       model: modelSelect.value,
@@ -590377,6 +590569,10 @@ async function sendMessage() {
       // Pass the user-selected workspace as working_directory so the
       // agent subprocess operates in the right cwd.
       ...(chatWorkingDir ? { working_directory: chatWorkingDir } : {}),
+      // FRESH-SESSION: tell the daemon to skip cross-task handoff
+      // injection on this turn. Daemon plumbs it to OA_FRESH_SESSION=1
+      // for the agent subprocess; runner's handoff block respects it.
+      ...(_freshPending ? { fresh: true } : {}),
     };
     const response = await fetch('/v1/chat', {
@@ -590684,8 +590880,33 @@ document.getElementById('key-btn').onclick = () => {
   document.getElementById('key-input').value = apiKey;
 };
 function saveKey() {
-  apiKey = document.getElementById('key-input').value;
+  const raw = document.getElementById('key-input').value || '';
+  // SHARE: detect oa-share://host:port#key OR http(s)://host:port/?oa-key=...
+  const parsed = parseShareInput(raw);
+  if (parsed) {
+    // Pasting a share URL → switch into REMOTE mode and reload page
+    // against the remote origin with the key in localStorage.
+    saveRecentKey({ key: parsed.key, host: parsed.host, label: parsed.label || ('remote ' + parsed.host) });
+    try {
+      localStorage.setItem('oa.remoteHost', parsed.host);
+      localStorage.setItem('oa.remoteScheme', parsed.scheme || 'http');
+      localStorage.setItem('oa-api-key', parsed.key);
+    } catch {}
+    // Redirect to the remote host's UI with the key carried in localStorage
+    // (the remote origin uses its own localStorage so we set on first
+    // load there). We open the remote UI in a new tab to preserve the
+    // local session.
+    const remoteUrl = (parsed.scheme || 'http') + '://' + parsed.host + '/?oa-key=' + encodeURIComponent(parsed.key) + '&oa-share-label=' + encodeURIComponent(parsed.label || '');
+    window.open(remoteUrl, '_blank');
+    closeKeyModal();
+    return;
+  }
+  apiKey = raw;
   localStorage.setItem('oa-api-key', apiKey);
+  // Track this key in the recent-keys list so future paste autocompletes it.
+  if (apiKey) {
+    saveRecentKey({ key: apiKey, host: location.host, label: 'local ' + location.host });
+  }
   closeKeyModal();
   loadModels();
 }
@@ -590698,8 +590919,296 @@ function clearKey() {
 }
 function closeKeyModal() {
   document.getElementById('key-modal').classList.remove('visible');
+  const sr = document.getElementById('share-result'); if (sr) sr.style.display = 'none';
+}
+function openKeyModal() {
+  document.getElementById('key-modal').classList.add('visible');
+  document.getElementById('key-input').value = apiKey;
+  // Refresh the remote-state hint based on current localStorage.
+  refreshKeyModalRemoteState();
+}
+window.openKeyModal = openKeyModal;
+// ─── Share URL parsing ─────────────────────────────────────────────────
+// Accepts BOTH:
+//   oa-share://[peerId@]host:port#key
+//   http(s)://host:port/?oa-key=KEY[&oa-share-label=LABEL]
+// Returns { host, key, scheme?, label? } or null when the input is a plain key.
+function parseShareInput(raw) {
+  const v = String(raw || '').trim();
+  if (!v) return null;
+  // oa-share scheme — use a custom parser since URL() doesn't always honor it.
+  if (v.toLowerCase().startsWith('oa-share://')) {
+    const after = v.slice('oa-share://'.length);
+    const hashIdx = after.indexOf('#');
+    if (hashIdx < 0) return null;
+    const hostPart = after.slice(0, hashIdx);
+    const key = after.slice(hashIdx + 1);
+    if (!hostPart || !key) return null;
+    // Strip optional peerId@ prefix (forward-compat for libp2p tunneling).
+    const atIdx = hostPart.indexOf('@');
+    const host = atIdx >= 0 ? hostPart.slice(atIdx + 1) : hostPart;
+    return { host, key, scheme: 'http' };
+  }
+  // http(s) URL with ?oa-key=...
+  if (/^https?:\\/\\//i.test(v)) {
+    try {
+      const u = new URL(v);
+      const k = u.searchParams.get('oa-key');
+      if (!k) return null;
+      const label = u.searchParams.get('oa-share-label') || '';
+      return { host: u.host, key: k, scheme: u.protocol.replace(':', ''), label };
+    } catch { return null; }
+  }
+  return null;
+}
+function onKeyInputChange(v) {
+  const hint = document.getElementById('key-input-hint');
+  if (!hint) return;
+  const parsed = parseShareInput(v);
+  if (parsed) {
+    hint.innerHTML = '✓ detected share URL — host <code>' + escapeHtml(parsed.host) + '</code>; clicking save will open the remote UI with this key';
+    hint.style.color = 'var(--color-success)';
+  } else {
+    hint.innerHTML = 'Tip: paste an <code>oa-share://host:port#key</code> URL or <code>http://host:port/?oa-key=…</code> to connect to a remote OA instance.';
+    hint.style.color = 'var(--color-fg-muted)';
+  }
+  showRecentKeysDropdown();
+}
+// Tiny HTML escape — same as the one used in connections settings.
+function escapeHtml(s) {
+  return String(s || '').replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
 }
+// ─── Recent keys (localStorage history with autocomplete dropdown) ──
+const _OA_RECENT_KEYS_LS = 'oa.recentKeys';
+const _OA_RECENT_KEYS_MAX = 10;
+function loadRecentKeys() {
+  try {
+    const raw = localStorage.getItem(_OA_RECENT_KEYS_LS);
+    if (!raw) return [];
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed) ? parsed : [];
+  } catch { return []; }
+}
+function saveRecentKey(rec) {
+  if (!rec || !rec.key) return;
+  let list = loadRecentKeys();
+  // Move existing entry with same key to top; otherwise prepend.
+  list = list.filter(r => r.key !== rec.key);
+  list.unshift({ ...rec, lastUsed: new Date().toISOString() });
+  if (list.length > _OA_RECENT_KEYS_MAX) list = list.slice(0, _OA_RECENT_KEYS_MAX);
+  try { localStorage.setItem(_OA_RECENT_KEYS_LS, JSON.stringify(list)); } catch {}
+}
+function deleteRecentKey(key) {
+  let list = loadRecentKeys().filter(r => r.key !== key);
+  try { localStorage.setItem(_OA_RECENT_KEYS_LS, JSON.stringify(list)); } catch {}
+  showRecentKeysDropdown();
+}
+window.deleteRecentKey = deleteRecentKey;
+function showRecentKeysDropdown() {
+  const dd = document.getElementById('key-recent-dropdown');
+  if (!dd) return;
+  const recents = loadRecentKeys();
+  const inp = document.getElementById('key-input');
+  const filter = (inp && inp.value || '').toLowerCase();
+  const matches = recents.filter(r => {
+    if (!filter) return true;
+    return (r.key || '').toLowerCase().includes(filter)
+        || (r.host || '').toLowerCase().includes(filter)
+        || (r.label || '').toLowerCase().includes(filter);
+  });
+  if (matches.length === 0) { dd.style.display = 'none'; return; }
+  dd.innerHTML = matches.map(r => {
+    const k = String(r.key || '');
+    const masked = k.length > 12 ? k.slice(0, 4) + '…' + k.slice(-4) : k;
+    const host = escapeHtml(r.host || '');
+    const label = escapeHtml(r.label || '');
+    const keySafe = k.replace(/\\\\/g, '\\\\\\\\').replace(/'/g, "\\\\'");
+    return '<div class="oa-rec-key" style="display:flex;align-items:center;gap:8px;padding:6px 10px;cursor:pointer;border-bottom:1px solid var(--color-border)" '
+      + 'onclick="useRecentKey(\\'' + keySafe + '\\')" '
+      + 'onmouseover="this.style.background=\\'var(--color-bg-hover)\\'" '
+      + 'onmouseout="this.style.background=\\'transparent\\'">'
+      + '<span style="flex:1;font-family:var(--font-mono);font-size:0.78rem"><span style="color:var(--color-fg-muted)">' + (host || 'local') + '</span> · <code>' + masked + '</code></span>'
+      + '<span style="font-size:0.7rem;color:var(--color-fg-muted)">' + label + '</span>'
+      + '<button type="button" onclick="event.stopPropagation();deleteRecentKey(\\'' + keySafe + '\\')" '
+      +   'title="Forget this key" '
+      +   'style="background:transparent;border:none;color:var(--color-fg-muted);cursor:pointer;font-size:1rem;padding:0 4px">&times;</button>'
+      + '</div>';
+  }).join('');
+  dd.style.display = 'block';
+}
+function hideRecentKeysDropdown() {
+  const dd = document.getElementById('key-recent-dropdown');
+  if (dd) dd.style.display = 'none';
+}
+function useRecentKey(k) {
+  const inp = document.getElementById('key-input');
+  if (inp) {
+    inp.value = k;
+    inp.focus();
+    onKeyInputChange(k);
+  }
+  hideRecentKeysDropdown();
+}
+window.useRecentKey = useRecentKey;
+// ─── Generate share URL ────────────────────────────────────────────────
+async function generateShareUrl() {
+  const out = document.getElementById('share-result');
+  if (!out) return;
+  out.style.display = 'block';
+  out.innerHTML = '<div style="color:var(--color-fg-muted)">generating…</div>';
+  try {
+    const r = await fetch('/v1/share/generate', {
+      method: 'POST',
+      headers: { ...headers(), 'Content-Type': 'application/json' },
+      body: JSON.stringify({ scope: 'run' }),
+    });
+    if (r.status === 403) {
+      out.innerHTML = '<div style="color:var(--color-error)">✗ admin scope required — your current key does not have permission to mint share URLs. Set an admin-scope key first.</div>';
+      return;
+    }
+    if (r.status >= 400) {
+      const err = await r.json().catch(() => ({}));
+      out.innerHTML = '<div style="color:var(--color-error)">✗ HTTP ' + r.status + (err.detail ? ' — ' + escapeHtml(err.detail) : '') + '</div>';
+      return;
+    }
+    const j = await r.json();
+    const safeShare = escapeHtml(j.shareUrl || '');
+    const safePlain = escapeHtml(j.plainUrl || '');
+    out.innerHTML =
+      '<div style="font-weight:500;margin-bottom:6px;color:var(--color-success)">✓ Share URL generated — hand off to remote</div>' +
+      '<div style="margin:6px 0">' +
+        '<label style="display:block;font-size:0.7rem;color:var(--color-fg-muted);margin-bottom:2px">oa-share URL (compact, recommended for OA-to-OA)</label>' +
+        '<div style="display:flex;gap:6px;align-items:center">' +
+          '<input readonly value="' + safeShare + '" style="flex:1;background:var(--color-bg-input);border:1px solid var(--color-border);color:var(--color-fg);padding:5px 8px;border-radius:var(--radius-sm);font-family:var(--font-mono);font-size:0.74rem">' +
+          '<button type="button" onclick="copyShareUrl(\\'oa-share\\')" style="font-size:0.74rem">copy</button>' +
+        '</div>' +
+      '</div>' +
+      '<div style="margin:6px 0">' +
+        '<label style="display:block;font-size:0.7rem;color:var(--color-fg-muted);margin-bottom:2px">plain URL (works in any browser, no scheme handler needed)</label>' +
+        '<div style="display:flex;gap:6px;align-items:center">' +
+          '<input readonly value="' + safePlain + '" style="flex:1;background:var(--color-bg-input);border:1px solid var(--color-border);color:var(--color-fg);padding:5px 8px;border-radius:var(--radius-sm);font-family:var(--font-mono);font-size:0.74rem">' +
+          '<button type="button" onclick="copyShareUrl(\\'plain\\')" style="font-size:0.74rem">copy</button>' +
+        '</div>' +
+      '</div>' +
+      '<p style="font-size:0.68rem;color:var(--color-fg-muted);margin:6px 0 0">Note: this URL contains the full secret. Anyone with it can use this OA. To revoke: open Advanced settings → keys → revoke the prefix <code>' + escapeHtml(j.keyPrefix || '') + '</code>.</p>';
+    // Stash for the copy buttons + add to recent.
+    window.__oaLastShareUrl = j.shareUrl;
+    window.__oaLastPlainUrl = j.plainUrl;
+    saveRecentKey({ key: j.key, host: j.host + ':' + j.port, label: j.label || ('shared ' + j.host) });
+  } catch (e) {
+    out.innerHTML = '<div style="color:var(--color-error)">✗ ' + escapeHtml(e && e.message ? e.message : String(e)) + '</div>';
+  }
+}
+function copyShareUrl(which) {
+  const v = which === 'plain' ? window.__oaLastPlainUrl : window.__oaLastShareUrl;
+  if (!v) return;
+  if (navigator.clipboard && navigator.clipboard.writeText) {
+    navigator.clipboard.writeText(v).then(
+      () => { /* ok */ },
+      () => { fallbackCopy(v); }
+    );
+  } else {
+    fallbackCopy(v);
+  }
+}
+function fallbackCopy(v) {
+  const ta = document.createElement('textarea');
+  ta.value = v; document.body.appendChild(ta); ta.select();
+  try { document.execCommand('copy'); } catch {}
+  document.body.removeChild(ta);
+}
+window.generateShareUrl = generateShareUrl;
+window.copyShareUrl = copyShareUrl;
+// ─── Remote-state helpers (visual indicator on the key button) ───────
+// When localStorage carries oa.remoteHost we are in REMOTE mode: the
+// key was loaded from an oa-share URL or via on-load ?oa-key=. The key
+// button shows a "remote" badge and clicking expands to show host+key
+// inline with a "close connection" button that severs and shuffles the
+// key into recents.
+function refreshKeyModalRemoteState() {
+  const remote = (function() {
+    try { return localStorage.getItem('oa.remoteHost') || ''; } catch { return ''; }
+  })();
+  const stateBox = document.getElementById('remote-state');
+  const btn = document.getElementById('sidebar-key-btn');
+  if (remote && btn) {
+    btn.textContent = 'remote';
+    btn.style.background = 'var(--color-accent)';
+    btn.style.color = '#fff';
+    btn.style.borderColor = 'var(--color-accent)';
+    btn.title = 'connected to remote ' + remote + ' — click to view / disconnect';
+  } else if (btn) {
+    btn.textContent = 'key';
+    btn.style.background = 'transparent';
+    btn.style.color = 'var(--color-fg-muted)';
+    btn.style.borderColor = 'var(--color-border)';
+    btn.title = 'set API key / share access';
+  }
+  if (!stateBox) return;
+  if (remote) {
+    const safeRemote = escapeHtml(remote);
+    stateBox.style.display = 'block';
+    stateBox.innerHTML =
+      '<div style="font-weight:500;color:var(--color-accent)">REMOTE connection active</div>' +
+      '<div style="margin-top:4px;font-size:0.74rem">host <code>' + safeRemote + '</code></div>' +
+      '<div style="margin-top:8px"><button type="button" onclick="closeRemoteConnection()" style="background:var(--color-error);color:#fff;border:none;padding:4px 10px;border-radius:var(--radius-sm);cursor:pointer;font-size:0.74rem">close connection</button></div>';
+  } else {
+    stateBox.style.display = 'none';
+  }
+}
+function closeRemoteConnection() {
+  // Move current remote key into recents BEFORE clearing.
+  let savedKey = '';
+  let savedHost = '';
+  try {
+    savedKey = localStorage.getItem('oa-api-key') || '';
+    savedHost = localStorage.getItem('oa.remoteHost') || '';
+  } catch {}
+  if (savedKey) {
+    saveRecentKey({ key: savedKey, host: savedHost, label: 'recent remote ' + savedHost });
+  }
+  try {
+    localStorage.removeItem('oa.remoteHost');
+    localStorage.removeItem('oa.remoteScheme');
+    localStorage.removeItem('oa-api-key');
+  } catch {}
+  apiKey = '';
+  refreshKeyModalRemoteState();
+  // Reload to drop any cached state from the remote target.
+  location.reload();
+}
+window.closeRemoteConnection = closeRemoteConnection;
+// ─── On-load: ?oa-key=... pickup ───────────────────────────────────────
+// When the page loads with an oa-key query param (i.e. someone clicked
+// a share URL), capture the key into localStorage, mark this as a
+// remote session (host = this origin), and clean the URL.
+(function pickupShareKeyFromUrl() {
+  try {
+    const u = new URL(location.href);
+    const k = u.searchParams.get('oa-key');
+    if (!k) return;
+    const label = u.searchParams.get('oa-share-label') || '';
+    localStorage.setItem('oa-api-key', k);
+    // Origin-based remote: when the page loaded from a different host
+    // than the user's "home" OA, that's a remote session by definition.
+    localStorage.setItem('oa.remoteHost', location.host);
+    localStorage.setItem('oa.remoteScheme', location.protocol.replace(':', ''));
+    saveRecentKey({ key: k, host: location.host, label: label || ('remote ' + location.host) });
+    // Strip the key from the URL so it isn't visible / browser-history'd.
+    u.searchParams.delete('oa-key');
+    u.searchParams.delete('oa-share-label');
+    history.replaceState({}, '', u.pathname + (u.search || '') + (u.hash || ''));
+  } catch {}
+})();
 // Tab switching
 const allPanels = ['chat-container','agent-panel','jobs-panel','config-panel','activity-panel','projects-panel','voice-panel'];
 function switchTab(tab) {
@@ -591432,6 +591941,11 @@ function newChatSession() {
   switchSession('');
   const sel = document.getElementById('chat-session-select');
   if (sel) sel.value = '';
+  // FRESH-SESSION: mark the next chat send as fresh so the daemon skips
+  // cross-task handoff injection (which previously bled prior session
+  // context into the new chat regardless of the browser's reset).
+  // Cleared inside the chat send handler after one use.
+  try { localStorage.setItem('oa.freshSessionPending', '1'); } catch {}
 }
 function deleteChatSession() {
   if (!chatSessionId) return;
@@ -592295,6 +592809,7 @@ async function doUpdate() {
   try { pollMetrics(); } catch {}
   try { loadScheduled(); } catch {}
   try { loadServices(); } catch {}
+  try { refreshKeyModalRemoteState(); } catch {}
   btn.textContent = 'updated v' + newVersion;
   btn.style.background = '#1a3a1a';
@@ -593279,6 +593794,7 @@ $currentProject.subscribe((proj) => {
   try { if (typeof updateSessionSelect === 'function') updateSessionSelect(); } catch {}
   try { if (typeof updateAgentRunSelect === 'function') updateAgentRunSelect(); } catch {}
   try { if (typeof restoreChatSession === 'function') restoreChatSession(); } catch {}
+  try { if (typeof refreshKeyModalRemoteState === 'function') refreshKeyModalRemoteState(); } catch {}
 });
 // $selectedModel changes update the visible <select> if it's not
@@ -599758,6 +600274,15 @@ async function handleRequest(req2, res, ollamaUrl, verbose) {
       });
       return;
     }
+    if (pathname === "/favicon.ico" && method === "GET") {
+      const svg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><rect width="16" height="16" rx="3" fill="#b2920a"/><text x="50%" y="55%" font-size="11" font-family="monospace" font-weight="700" text-anchor="middle" dominant-baseline="middle" fill="#0b0b0b">oa</text></svg>';
+      res.writeHead(200, {
+        "Content-Type": "image/svg+xml",
+        "Cache-Control": "public, max-age=86400"
+      });
+      res.end(svg);
+      return;
+    }
     if (pathname === "/" && method === "GET" && req2.headers.accept?.includes("text/html")) {
       res.writeHead(200, {
         "Content-Type": "text/html; charset=utf-8",
@@ -600881,6 +601406,9 @@ ${historyLines}
       runEnv["OA_RUN_USER"] = req2._authUser || "anonymous";
       runEnv["OA_RUN_SCOPE"] = req2._authScope || "admin";
       runEnv["OA_SESSION_ID"] = session.id;
+      if (chatBody["fresh"] === true) {
+        runEnv["OA_FRESH_SESSION"] = "1";
+      }
       runEnv["OLLAMA_HOST"] = currentCfg.backendUrl || process.env["OLLAMA_HOST"] || "http://127.0.0.1:11434";
       if (currentCfg.apiKey) runEnv["OA_API_KEY_INHERIT"] = currentCfg.apiKey;
       const child = spawn25(process.execPath, [oaBin, ...args], {

package/npm-shrinkwrap.json CHANGED Viewed

@@ -1,12 +1,12 @@
 {
   "name": "open-agents-ai",
-  "version": "0.187.532",
+  "version": "0.187.534",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "open-agents-ai",
-      "version": "0.187.532",
+      "version": "0.187.534",
       "hasInstallScript": true,
       "license": "CC-BY-NC-4.0",
       "dependencies": {
@@ -2192,9 +2192,9 @@
       }
     },
     "node_modules/bare-url": {
-      "version": "2.4.2",
-      "resolved": "https://registry.npmjs.org/bare-url/-/bare-url-2.4.2.tgz",
-      "integrity": "sha512-/9a2j4ac6ckpmAHvod/ob7x439OAHst/drc2Clnq+reRYd/ovddwcF4LfoxHyNk5AuGBnPg+HqFjmE/Zpq6v0A==",
+      "version": "2.4.3",
+      "resolved": "https://registry.npmjs.org/bare-url/-/bare-url-2.4.3.tgz",
+      "integrity": "sha512-Kccpc7ACfXaxfeInfqKcZtW4pT5YBn1mesc4sCsun6sRwtbJ4h+sNOaksUpYEJUKfN65YWC6Bw2OJEFiKxq8nQ==",
       "license": "Apache-2.0",
       "optional": true,
       "dependencies": {
@@ -3132,9 +3132,9 @@
       }
     },
     "node_modules/express-rate-limit": {
-      "version": "8.4.1",
-      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.4.1.tgz",
-      "integrity": "sha512-NGVYwQSAyEQgzxX1iCM978PP9AdO/hW93gMcF6ZwQCm+rFvLsBH6w4xcXWTcliS8La5EPRN3p9wzItqBwJrfNw==",
+      "version": "8.5.0",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.5.0.tgz",
+      "integrity": "sha512-XKhFohWaSBdVJNTi5TaHziqnPkv04I9UQV6q1Wy7Ui6GGQZVW12ojDFwqer14EvCXxjvPG0CyWXx7cAXpALB4Q==",
       "license": "MIT",
       "dependencies": {
         "ip-address": "10.1.0"
@@ -3179,9 +3179,9 @@
       }
     },
     "node_modules/fast-uri": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.1.tgz",
-      "integrity": "sha512-h2r7rcm6Ee/J8o0LD5djLuFVcfbZxhvho4vvsbeV0aMvXjUgqv4YpxpkEx0d68l6+IleVfLAdVEfhR7QNMkGHQ==",
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz",
+      "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==",
       "funding": [
         {
           "type": "github",
@@ -3638,9 +3638,9 @@
       }
     },
     "node_modules/hono": {
-      "version": "4.12.16",
-      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.16.tgz",
-      "integrity": "sha512-jN0ZewiNAWSe5khM3EyCmBb250+b40wWbwNILNfEvq84VREWwOIkuUsFONk/3i3nqkz7Oe1PcpM2mwQEK2L9Kg==",
+      "version": "4.12.17",
+      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.17.tgz",
+      "integrity": "sha512-FbJJNb/XgX7YW0hX/V8w5oYLztKEsRLykCMZWt1WdLtsfjzMvmoqWBA4H4t5norinq8/rh20oiZYr+WSl4UzAQ==",
       "license": "MIT",
       "engines": {
         "node": ">=16.9.0"

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "open-agents-ai",
-  "version": "0.187.532",
+  "version": "0.187.534",
   "description": "AI coding agent powered by open-source models (Ollama/vLLM) — interactive TUI with agentic tool-calling loop",
   "type": "module",
   "main": "./dist/index.js",