open-agents-ai 0.187.533 → 0.187.534

package/dist/index.js

@@ -528897,6 +528897,8 @@ TASK: ${task}` : task;
         try {
           if (this.options.subAgent)
             throw "skip-handoff-subagent";
+          if (process.env["OA_FRESH_SESSION"] === "1")
+            throw "skip-handoff-fresh";
           const oaDir = this._workingDirectory ? _pathJoin(this._workingDirectory, ".oa") : _pathJoin(process.cwd(), ".oa");
           const chainPairs = loadMessagePairsFromLog(oaDir, { currentTask: cleanedTask });
           if (chainPairs.length > 0) {
@@ -585554,6 +585556,7 @@ async function tryRouteV1(ctx3) {
     const m2 = /^\/v1\/keys\/([^/]+)$/.exec(pathname);
     if (m2 && method === "DELETE") return handleRevokeKey(ctx3, decodeURIComponent(m2[1]));
   }
+  if (pathname === "/v1/share/generate" && method === "POST") return handleGenerateShare(ctx3);
   if (pathname === "/v1/tools" && method === "GET") {
     return handleListTools(ctx3);
   }
@@ -586695,6 +586698,75 @@ async function handleMintKey(ctx3) {
   }
   return true;
 }
+async function handleGenerateShare(ctx3) {
+  const { req: req2, res, requestId } = ctx3;
+  const reqAuth = req2;
+  if (reqAuth._authScope !== "admin") {
+    sendProblem(res, problemDetails({
+      type: P.forbidden,
+      status: 403,
+      title: "Admin scope required",
+      detail: "Generating a share URL mints a runtime key, which requires 'admin' scope.",
+      instance: requestId
+    }));
+    return true;
+  }
+  try {
+    const body = await parseJsonBodyStrict(req2).catch(() => null) ?? {};
+    const label = typeof body["label"] === "string" && body["label"] ? String(body["label"]).slice(0, 100) : `share-${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}`;
+    const scope = typeof body["scope"] === "string" && ["read", "run", "admin"].includes(body["scope"]) ? body["scope"] : "run";
+    const owner = `share:${label}`;
+    const { mintKey: mintKey2 } = await Promise.resolve().then(() => (init_runtime_keys(), runtime_keys_exports));
+    const rec = mintKey2({
+      scope,
+      owner,
+      profile: null
+    });
+    const hostHeader = String(req2.headers["host"] || "").trim();
+    const fallbackHost = process.env["OA_HOST"] || "127.0.0.1:11435";
+    let hostPort = hostHeader || fallbackHost;
+    hostPort = hostPort.replace(/^https?:\/\//i, "");
+    const colonIdx = hostPort.lastIndexOf(":");
+    const host = colonIdx > 0 ? hostPort.slice(0, colonIdx) : hostPort;
+    const portStr = colonIdx > 0 ? hostPort.slice(colonIdx + 1) : "11435";
+    const port = parseInt(portStr, 10) || 11435;
+    const fullKey = rec.key || "";
+    const keyPrefix2 = fullKey.slice(0, 12);
+    if (!fullKey) {
+      sendProblem(res, problemDetails({
+        type: P.internalError,
+        status: 500,
+        title: "Key generation succeeded but no secret returned",
+        detail: "mintKey() did not include the full secret in its response.",
+        instance: requestId
+      }));
+      return true;
+    }
+    const scheme = String(req2.headers["x-forwarded-proto"] || (req2.socket?.encrypted ? "https" : "http"));
+    const shareUrl = `oa-share://${hostPort}#${fullKey}`;
+    const plainUrl = `${scheme}://${hostPort}/?oa-key=${encodeURIComponent(fullKey)}&oa-share-label=${encodeURIComponent(label)}`;
+    sendJson(res, 201, {
+      shareUrl,
+      plainUrl,
+      host,
+      port,
+      key: fullKey,
+      keyPrefix: keyPrefix2,
+      label,
+      issuedAt: rec.created || (/* @__PURE__ */ new Date()).toISOString(),
+      _note: "This is the ONLY response that contains the full key. Hand off the URL now."
+    });
+  } catch (err) {
+    sendProblem(res, problemDetails({
+      type: P.internalError,
+      status: 500,
+      title: "Share URL generation failed",
+      detail: err instanceof Error ? err.message : String(err),
+      instance: requestId
+    }));
+  }
+  return true;
+}
 async function handleRevokeKey(ctx3, prefix) {
   const { req: req2, res, requestId } = ctx3;
   const reqAuth = req2;
@@ -589011,7 +589083,7 @@ body { display:flex; flex-direction:column; height:100vh; margin:0; overflow:hid
     <span id="sidebar-status-dot" style="width:8px;height:8px;border-radius:50%;background:var(--color-fg-faint);flex-shrink:0" title="Backend connection"></span>
     <span id="sidebar-status-text" style="flex:1;white-space:nowrap;overflow:hidden;text-overflow:ellipsis">connecting...</span>
     <button id="sidebar-update-btn" onclick="doUpdate()" style="display:none;background:var(--color-warning);border:none;color:#000;padding:2px 6px;border-radius:var(--radius-sm);font-size:0.6rem;cursor:pointer;font-weight:600">update</button>
-    <button id="sidebar-key-btn" onclick="document.getElementById('key-modal').style.display='flex'" title="Set API key" style="background:transparent;border:1px solid var(--color-border);color:var(--color-fg-muted);padding:2px 6px;border-radius:var(--radius-sm);font-size:0.6rem;cursor:pointer">key</button>
+    <button id="sidebar-key-btn" onclick="openKeyModal()" title="Set API key / share access" style="background:transparent;border:1px solid var(--color-border);color:var(--color-fg-muted);padding:2px 6px;border-radius:var(--radius-sm);font-size:0.6rem;cursor:pointer">key</button>
   </div>
 
   <!-- Resize handle -->
@@ -589343,14 +589415,21 @@ body { display:flex; flex-direction:column; height:100vh; margin:0; overflow:hid
 </div>
 
 <div id="key-modal">
-  <form class="modal" onsubmit="event.preventDefault(); saveKey();" autocomplete="off">
-    <h3>API Key</h3>
-    <input id="key-input" type="password" placeholder="Bearer token (leave empty if auth disabled)" autocomplete="new-password">
-    <div>
+  <form class="modal" onsubmit="event.preventDefault(); saveKey();" autocomplete="off" style="min-width:480px">
+    <h3>API Key &amp; Sharing</h3>
+    <div style="position:relative">
+      <input id="key-input" type="password" placeholder="Bearer token (leave empty if auth disabled, or paste an oa-share:// URL to connect remote)" autocomplete="new-password" oninput="onKeyInputChange(this.value)" onfocus="showRecentKeysDropdown()" onblur="setTimeout(hideRecentKeysDropdown, 150)">
+      <div id="key-recent-dropdown" style="display:none;position:absolute;top:100%;left:0;right:0;background:var(--color-bg-elevated);border:1px solid var(--color-border);border-radius:var(--radius-sm);max-height:180px;overflow-y:auto;z-index:10;font-size:0.78rem;margin-top:2px"></div>
+    </div>
+    <p id="key-input-hint" style="font-size:0.7rem;color:var(--color-fg-muted);margin:4px 0 8px">Tip: paste an <code>oa-share://host:port#key</code> URL or <code>http://host:port/?oa-key=…</code> to connect to a remote OA instance.</p>
+    <div style="display:flex;gap:6px;flex-wrap:wrap">
       <button type="submit">save</button>
       <button type="button" onclick="clearKey()">clear</button>
+      <button type="button" onclick="generateShareUrl()" title="Generate a share URL that lets a remote OA instance connect to this one">share access</button>
       <button type="button" onclick="closeKeyModal()">cancel</button>
     </div>
+    <div id="share-result" style="display:none;margin-top:14px;padding:10px;background:var(--color-bg-elevated);border:1px solid var(--color-border);border-radius:var(--radius-sm);font-size:0.78rem"></div>
+    <div id="remote-state" style="display:none;margin-top:14px;padding:10px;background:var(--color-bg-elevated);border:1px solid var(--color-accent);border-radius:var(--radius-sm);font-size:0.78rem"></div>
   </form>
 </div>
 
@@ -590472,6 +590551,15 @@ async function sendMessage() {
       messageWithContext = filesBlock + text;
     }
 
+    // FRESH-SESSION: pull the one-shot fresh flag the newChatSession()
+    // handler set. Consumed (cleared) here so subsequent sends within
+    // this same session don't keep claiming "fresh" and miss legitimate
+    // mid-session handoff.
+    let _freshPending = false;
+    try {
+      _freshPending = localStorage.getItem('oa.freshSessionPending') === '1';
+      if (_freshPending) localStorage.removeItem('oa.freshSessionPending');
+    } catch {}
     const body = {
       session_id: chatSessionId,
       model: modelSelect.value,
@@ -590481,6 +590569,10 @@ async function sendMessage() {
       // Pass the user-selected workspace as working_directory so the
       // agent subprocess operates in the right cwd.
       ...(chatWorkingDir ? { working_directory: chatWorkingDir } : {}),
+      // FRESH-SESSION: tell the daemon to skip cross-task handoff
+      // injection on this turn. Daemon plumbs it to OA_FRESH_SESSION=1
+      // for the agent subprocess; runner's handoff block respects it.
+      ...(_freshPending ? { fresh: true } : {}),
     };
 
     const response = await fetch('/v1/chat', {
@@ -590788,8 +590880,33 @@ document.getElementById('key-btn').onclick = () => {
   document.getElementById('key-input').value = apiKey;
 };
 function saveKey() {
-  apiKey = document.getElementById('key-input').value;
+  const raw = document.getElementById('key-input').value || '';
+  // SHARE: detect oa-share://host:port#key OR http(s)://host:port/?oa-key=...
+  const parsed = parseShareInput(raw);
+  if (parsed) {
+    // Pasting a share URL → switch into REMOTE mode and reload page
+    // against the remote origin with the key in localStorage.
+    saveRecentKey({ key: parsed.key, host: parsed.host, label: parsed.label || ('remote ' + parsed.host) });
+    try {
+      localStorage.setItem('oa.remoteHost', parsed.host);
+      localStorage.setItem('oa.remoteScheme', parsed.scheme || 'http');
+      localStorage.setItem('oa-api-key', parsed.key);
+    } catch {}
+    // Redirect to the remote host's UI with the key carried in localStorage
+    // (the remote origin uses its own localStorage so we set on first
+    // load there). We open the remote UI in a new tab to preserve the
+    // local session.
+    const remoteUrl = (parsed.scheme || 'http') + '://' + parsed.host + '/?oa-key=' + encodeURIComponent(parsed.key) + '&oa-share-label=' + encodeURIComponent(parsed.label || '');
+    window.open(remoteUrl, '_blank');
+    closeKeyModal();
+    return;
+  }
+  apiKey = raw;
   localStorage.setItem('oa-api-key', apiKey);
+  // Track this key in the recent-keys list so future paste autocompletes it.
+  if (apiKey) {
+    saveRecentKey({ key: apiKey, host: location.host, label: 'local ' + location.host });
+  }
   closeKeyModal();
   loadModels();
 }
@@ -590802,8 +590919,296 @@ function clearKey() {
 }
 function closeKeyModal() {
   document.getElementById('key-modal').classList.remove('visible');
+  const sr = document.getElementById('share-result'); if (sr) sr.style.display = 'none';
+}
+function openKeyModal() {
+  document.getElementById('key-modal').classList.add('visible');
+  document.getElementById('key-input').value = apiKey;
+  // Refresh the remote-state hint based on current localStorage.
+  refreshKeyModalRemoteState();
+}
+window.openKeyModal = openKeyModal;
+
+// ─── Share URL parsing ─────────────────────────────────────────────────
+// Accepts BOTH:
+//   oa-share://[peerId@]host:port#key
+//   http(s)://host:port/?oa-key=KEY[&oa-share-label=LABEL]
+// Returns { host, key, scheme?, label? } or null when the input is a plain key.
+function parseShareInput(raw) {
+  const v = String(raw || '').trim();
+  if (!v) return null;
+  // oa-share scheme — use a custom parser since URL() doesn't always honor it.
+  if (v.toLowerCase().startsWith('oa-share://')) {
+    const after = v.slice('oa-share://'.length);
+    const hashIdx = after.indexOf('#');
+    if (hashIdx < 0) return null;
+    const hostPart = after.slice(0, hashIdx);
+    const key = after.slice(hashIdx + 1);
+    if (!hostPart || !key) return null;
+    // Strip optional peerId@ prefix (forward-compat for libp2p tunneling).
+    const atIdx = hostPart.indexOf('@');
+    const host = atIdx >= 0 ? hostPart.slice(atIdx + 1) : hostPart;
+    return { host, key, scheme: 'http' };
+  }
+  // http(s) URL with ?oa-key=...
+  if (/^https?:\\/\\//i.test(v)) {
+    try {
+      const u = new URL(v);
+      const k = u.searchParams.get('oa-key');
+      if (!k) return null;
+      const label = u.searchParams.get('oa-share-label') || '';
+      return { host: u.host, key: k, scheme: u.protocol.replace(':', ''), label };
+    } catch { return null; }
+  }
+  return null;
+}
+
+function onKeyInputChange(v) {
+  const hint = document.getElementById('key-input-hint');
+  if (!hint) return;
+  const parsed = parseShareInput(v);
+  if (parsed) {
+    hint.innerHTML = '✓ detected share URL — host <code>' + escapeHtml(parsed.host) + '</code>; clicking save will open the remote UI with this key';
+    hint.style.color = 'var(--color-success)';
+  } else {
+    hint.innerHTML = 'Tip: paste an <code>oa-share://host:port#key</code> URL or <code>http://host:port/?oa-key=…</code> to connect to a remote OA instance.';
+    hint.style.color = 'var(--color-fg-muted)';
+  }
+  showRecentKeysDropdown();
 }
 
+// Tiny HTML escape — same as the one used in connections settings.
+function escapeHtml(s) {
+  return String(s || '').replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
+}
+
+// ─── Recent keys (localStorage history with autocomplete dropdown) ──
+const _OA_RECENT_KEYS_LS = 'oa.recentKeys';
+const _OA_RECENT_KEYS_MAX = 10;
+function loadRecentKeys() {
+  try {
+    const raw = localStorage.getItem(_OA_RECENT_KEYS_LS);
+    if (!raw) return [];
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed) ? parsed : [];
+  } catch { return []; }
+}
+function saveRecentKey(rec) {
+  if (!rec || !rec.key) return;
+  let list = loadRecentKeys();
+  // Move existing entry with same key to top; otherwise prepend.
+  list = list.filter(r => r.key !== rec.key);
+  list.unshift({ ...rec, lastUsed: new Date().toISOString() });
+  if (list.length > _OA_RECENT_KEYS_MAX) list = list.slice(0, _OA_RECENT_KEYS_MAX);
+  try { localStorage.setItem(_OA_RECENT_KEYS_LS, JSON.stringify(list)); } catch {}
+}
+function deleteRecentKey(key) {
+  let list = loadRecentKeys().filter(r => r.key !== key);
+  try { localStorage.setItem(_OA_RECENT_KEYS_LS, JSON.stringify(list)); } catch {}
+  showRecentKeysDropdown();
+}
+window.deleteRecentKey = deleteRecentKey;
+
+function showRecentKeysDropdown() {
+  const dd = document.getElementById('key-recent-dropdown');
+  if (!dd) return;
+  const recents = loadRecentKeys();
+  const inp = document.getElementById('key-input');
+  const filter = (inp && inp.value || '').toLowerCase();
+  const matches = recents.filter(r => {
+    if (!filter) return true;
+    return (r.key || '').toLowerCase().includes(filter)
+        || (r.host || '').toLowerCase().includes(filter)
+        || (r.label || '').toLowerCase().includes(filter);
+  });
+  if (matches.length === 0) { dd.style.display = 'none'; return; }
+  dd.innerHTML = matches.map(r => {
+    const k = String(r.key || '');
+    const masked = k.length > 12 ? k.slice(0, 4) + '…' + k.slice(-4) : k;
+    const host = escapeHtml(r.host || '');
+    const label = escapeHtml(r.label || '');
+    const keySafe = k.replace(/\\\\/g, '\\\\\\\\').replace(/'/g, "\\\\'");
+    return '<div class="oa-rec-key" style="display:flex;align-items:center;gap:8px;padding:6px 10px;cursor:pointer;border-bottom:1px solid var(--color-border)" '
+      + 'onclick="useRecentKey(\\'' + keySafe + '\\')" '
+      + 'onmouseover="this.style.background=\\'var(--color-bg-hover)\\'" '
+      + 'onmouseout="this.style.background=\\'transparent\\'">'
+      + '<span style="flex:1;font-family:var(--font-mono);font-size:0.78rem"><span style="color:var(--color-fg-muted)">' + (host || 'local') + '</span> · <code>' + masked + '</code></span>'
+      + '<span style="font-size:0.7rem;color:var(--color-fg-muted)">' + label + '</span>'
+      + '<button type="button" onclick="event.stopPropagation();deleteRecentKey(\\'' + keySafe + '\\')" '
+      +   'title="Forget this key" '
+      +   'style="background:transparent;border:none;color:var(--color-fg-muted);cursor:pointer;font-size:1rem;padding:0 4px">&times;</button>'
+      + '</div>';
+  }).join('');
+  dd.style.display = 'block';
+}
+function hideRecentKeysDropdown() {
+  const dd = document.getElementById('key-recent-dropdown');
+  if (dd) dd.style.display = 'none';
+}
+function useRecentKey(k) {
+  const inp = document.getElementById('key-input');
+  if (inp) {
+    inp.value = k;
+    inp.focus();
+    onKeyInputChange(k);
+  }
+  hideRecentKeysDropdown();
+}
+window.useRecentKey = useRecentKey;
+
+// ─── Generate share URL ────────────────────────────────────────────────
+async function generateShareUrl() {
+  const out = document.getElementById('share-result');
+  if (!out) return;
+  out.style.display = 'block';
+  out.innerHTML = '<div style="color:var(--color-fg-muted)">generating…</div>';
+  try {
+    const r = await fetch('/v1/share/generate', {
+      method: 'POST',
+      headers: { ...headers(), 'Content-Type': 'application/json' },
+      body: JSON.stringify({ scope: 'run' }),
+    });
+    if (r.status === 403) {
+      out.innerHTML = '<div style="color:var(--color-error)">✗ admin scope required — your current key does not have permission to mint share URLs. Set an admin-scope key first.</div>';
+      return;
+    }
+    if (r.status >= 400) {
+      const err = await r.json().catch(() => ({}));
+      out.innerHTML = '<div style="color:var(--color-error)">✗ HTTP ' + r.status + (err.detail ? ' — ' + escapeHtml(err.detail) : '') + '</div>';
+      return;
+    }
+    const j = await r.json();
+    const safeShare = escapeHtml(j.shareUrl || '');
+    const safePlain = escapeHtml(j.plainUrl || '');
+    out.innerHTML =
+      '<div style="font-weight:500;margin-bottom:6px;color:var(--color-success)">✓ Share URL generated — hand off to remote</div>' +
+      '<div style="margin:6px 0">' +
+        '<label style="display:block;font-size:0.7rem;color:var(--color-fg-muted);margin-bottom:2px">oa-share URL (compact, recommended for OA-to-OA)</label>' +
+        '<div style="display:flex;gap:6px;align-items:center">' +
+          '<input readonly value="' + safeShare + '" style="flex:1;background:var(--color-bg-input);border:1px solid var(--color-border);color:var(--color-fg);padding:5px 8px;border-radius:var(--radius-sm);font-family:var(--font-mono);font-size:0.74rem">' +
+          '<button type="button" onclick="copyShareUrl(\\'oa-share\\')" style="font-size:0.74rem">copy</button>' +
+        '</div>' +
+      '</div>' +
+      '<div style="margin:6px 0">' +
+        '<label style="display:block;font-size:0.7rem;color:var(--color-fg-muted);margin-bottom:2px">plain URL (works in any browser, no scheme handler needed)</label>' +
+        '<div style="display:flex;gap:6px;align-items:center">' +
+          '<input readonly value="' + safePlain + '" style="flex:1;background:var(--color-bg-input);border:1px solid var(--color-border);color:var(--color-fg);padding:5px 8px;border-radius:var(--radius-sm);font-family:var(--font-mono);font-size:0.74rem">' +
+          '<button type="button" onclick="copyShareUrl(\\'plain\\')" style="font-size:0.74rem">copy</button>' +
+        '</div>' +
+      '</div>' +
+      '<p style="font-size:0.68rem;color:var(--color-fg-muted);margin:6px 0 0">Note: this URL contains the full secret. Anyone with it can use this OA. To revoke: open Advanced settings → keys → revoke the prefix <code>' + escapeHtml(j.keyPrefix || '') + '</code>.</p>';
+    // Stash for the copy buttons + add to recent.
+    window.__oaLastShareUrl = j.shareUrl;
+    window.__oaLastPlainUrl = j.plainUrl;
+    saveRecentKey({ key: j.key, host: j.host + ':' + j.port, label: j.label || ('shared ' + j.host) });
+  } catch (e) {
+    out.innerHTML = '<div style="color:var(--color-error)">✗ ' + escapeHtml(e && e.message ? e.message : String(e)) + '</div>';
+  }
+}
+function copyShareUrl(which) {
+  const v = which === 'plain' ? window.__oaLastPlainUrl : window.__oaLastShareUrl;
+  if (!v) return;
+  if (navigator.clipboard && navigator.clipboard.writeText) {
+    navigator.clipboard.writeText(v).then(
+      () => { /* ok */ },
+      () => { fallbackCopy(v); }
+    );
+  } else {
+    fallbackCopy(v);
+  }
+}
+function fallbackCopy(v) {
+  const ta = document.createElement('textarea');
+  ta.value = v; document.body.appendChild(ta); ta.select();
+  try { document.execCommand('copy'); } catch {}
+  document.body.removeChild(ta);
+}
+window.generateShareUrl = generateShareUrl;
+window.copyShareUrl = copyShareUrl;
+
+// ─── Remote-state helpers (visual indicator on the key button) ───────
+// When localStorage carries oa.remoteHost we are in REMOTE mode: the
+// key was loaded from an oa-share URL or via on-load ?oa-key=. The key
+// button shows a "remote" badge and clicking expands to show host+key
+// inline with a "close connection" button that severs and shuffles the
+// key into recents.
+function refreshKeyModalRemoteState() {
+  const remote = (function() {
+    try { return localStorage.getItem('oa.remoteHost') || ''; } catch { return ''; }
+  })();
+  const stateBox = document.getElementById('remote-state');
+  const btn = document.getElementById('sidebar-key-btn');
+  if (remote && btn) {
+    btn.textContent = 'remote';
+    btn.style.background = 'var(--color-accent)';
+    btn.style.color = '#fff';
+    btn.style.borderColor = 'var(--color-accent)';
+    btn.title = 'connected to remote ' + remote + ' — click to view / disconnect';
+  } else if (btn) {
+    btn.textContent = 'key';
+    btn.style.background = 'transparent';
+    btn.style.color = 'var(--color-fg-muted)';
+    btn.style.borderColor = 'var(--color-border)';
+    btn.title = 'set API key / share access';
+  }
+  if (!stateBox) return;
+  if (remote) {
+    const safeRemote = escapeHtml(remote);
+    stateBox.style.display = 'block';
+    stateBox.innerHTML =
+      '<div style="font-weight:500;color:var(--color-accent)">REMOTE connection active</div>' +
+      '<div style="margin-top:4px;font-size:0.74rem">host <code>' + safeRemote + '</code></div>' +
+      '<div style="margin-top:8px"><button type="button" onclick="closeRemoteConnection()" style="background:var(--color-error);color:#fff;border:none;padding:4px 10px;border-radius:var(--radius-sm);cursor:pointer;font-size:0.74rem">close connection</button></div>';
+  } else {
+    stateBox.style.display = 'none';
+  }
+}
+function closeRemoteConnection() {
+  // Move current remote key into recents BEFORE clearing.
+  let savedKey = '';
+  let savedHost = '';
+  try {
+    savedKey = localStorage.getItem('oa-api-key') || '';
+    savedHost = localStorage.getItem('oa.remoteHost') || '';
+  } catch {}
+  if (savedKey) {
+    saveRecentKey({ key: savedKey, host: savedHost, label: 'recent remote ' + savedHost });
+  }
+  try {
+    localStorage.removeItem('oa.remoteHost');
+    localStorage.removeItem('oa.remoteScheme');
+    localStorage.removeItem('oa-api-key');
+  } catch {}
+  apiKey = '';
+  refreshKeyModalRemoteState();
+  // Reload to drop any cached state from the remote target.
+  location.reload();
+}
+window.closeRemoteConnection = closeRemoteConnection;
+
+// ─── On-load: ?oa-key=... pickup ───────────────────────────────────────
+// When the page loads with an oa-key query param (i.e. someone clicked
+// a share URL), capture the key into localStorage, mark this as a
+// remote session (host = this origin), and clean the URL.
+(function pickupShareKeyFromUrl() {
+  try {
+    const u = new URL(location.href);
+    const k = u.searchParams.get('oa-key');
+    if (!k) return;
+    const label = u.searchParams.get('oa-share-label') || '';
+    localStorage.setItem('oa-api-key', k);
+    // Origin-based remote: when the page loaded from a different host
+    // than the user's "home" OA, that's a remote session by definition.
+    localStorage.setItem('oa.remoteHost', location.host);
+    localStorage.setItem('oa.remoteScheme', location.protocol.replace(':', ''));
+    saveRecentKey({ key: k, host: location.host, label: label || ('remote ' + location.host) });
+    // Strip the key from the URL so it isn't visible / browser-history'd.
+    u.searchParams.delete('oa-key');
+    u.searchParams.delete('oa-share-label');
+    history.replaceState({}, '', u.pathname + (u.search || '') + (u.hash || ''));
+  } catch {}
+})();
+
 // Tab switching
 const allPanels = ['chat-container','agent-panel','jobs-panel','config-panel','activity-panel','projects-panel','voice-panel'];
 function switchTab(tab) {
@@ -591536,6 +591941,11 @@ function newChatSession() {
   switchSession('');
   const sel = document.getElementById('chat-session-select');
   if (sel) sel.value = '';
+  // FRESH-SESSION: mark the next chat send as fresh so the daemon skips
+  // cross-task handoff injection (which previously bled prior session
+  // context into the new chat regardless of the browser's reset).
+  // Cleared inside the chat send handler after one use.
+  try { localStorage.setItem('oa.freshSessionPending', '1'); } catch {}
 }
 function deleteChatSession() {
   if (!chatSessionId) return;
@@ -592399,6 +592809,7 @@ async function doUpdate() {
   try { pollMetrics(); } catch {}
   try { loadScheduled(); } catch {}
   try { loadServices(); } catch {}
+  try { refreshKeyModalRemoteState(); } catch {}
 
   btn.textContent = 'updated v' + newVersion;
   btn.style.background = '#1a3a1a';
@@ -593383,6 +593794,7 @@ $currentProject.subscribe((proj) => {
   try { if (typeof updateSessionSelect === 'function') updateSessionSelect(); } catch {}
   try { if (typeof updateAgentRunSelect === 'function') updateAgentRunSelect(); } catch {}
   try { if (typeof restoreChatSession === 'function') restoreChatSession(); } catch {}
+  try { if (typeof refreshKeyModalRemoteState === 'function') refreshKeyModalRemoteState(); } catch {}
 });
 
 // $selectedModel changes update the visible <select> if it's not
@@ -600994,6 +601406,9 @@ ${historyLines}
       runEnv["OA_RUN_USER"] = req2._authUser || "anonymous";
       runEnv["OA_RUN_SCOPE"] = req2._authScope || "admin";
       runEnv["OA_SESSION_ID"] = session.id;
+      if (chatBody["fresh"] === true) {
+        runEnv["OA_FRESH_SESSION"] = "1";
+      }
       runEnv["OLLAMA_HOST"] = currentCfg.backendUrl || process.env["OLLAMA_HOST"] || "http://127.0.0.1:11434";
       if (currentCfg.apiKey) runEnv["OA_API_KEY_INHERIT"] = currentCfg.apiKey;
       const child = spawn25(process.execPath, [oaBin, ...args], {

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "open-agents-ai",
-  "version": "0.187.533",
+  "version": "0.187.534",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "open-agents-ai",
-      "version": "0.187.533",
+      "version": "0.187.534",
       "hasInstallScript": true,
       "license": "CC-BY-NC-4.0",
       "dependencies": {
@@ -2192,9 +2192,9 @@
       }
     },
     "node_modules/bare-url": {
-      "version": "2.4.2",
-      "resolved": "https://registry.npmjs.org/bare-url/-/bare-url-2.4.2.tgz",
-      "integrity": "sha512-/9a2j4ac6ckpmAHvod/ob7x439OAHst/drc2Clnq+reRYd/ovddwcF4LfoxHyNk5AuGBnPg+HqFjmE/Zpq6v0A==",
+      "version": "2.4.3",
+      "resolved": "https://registry.npmjs.org/bare-url/-/bare-url-2.4.3.tgz",
+      "integrity": "sha512-Kccpc7ACfXaxfeInfqKcZtW4pT5YBn1mesc4sCsun6sRwtbJ4h+sNOaksUpYEJUKfN65YWC6Bw2OJEFiKxq8nQ==",
       "license": "Apache-2.0",
       "optional": true,
       "dependencies": {
@@ -3179,9 +3179,9 @@
       }
     },
     "node_modules/fast-uri": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.1.tgz",
-      "integrity": "sha512-h2r7rcm6Ee/J8o0LD5djLuFVcfbZxhvho4vvsbeV0aMvXjUgqv4YpxpkEx0d68l6+IleVfLAdVEfhR7QNMkGHQ==",
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz",
+      "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==",
       "funding": [
         {
           "type": "github",
@@ -3638,9 +3638,9 @@
       }
     },
     "node_modules/hono": {
-      "version": "4.12.16",
-      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.16.tgz",
-      "integrity": "sha512-jN0ZewiNAWSe5khM3EyCmBb250+b40wWbwNILNfEvq84VREWwOIkuUsFONk/3i3nqkz7Oe1PcpM2mwQEK2L9Kg==",
+      "version": "4.12.17",
+      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.17.tgz",
+      "integrity": "sha512-FbJJNb/XgX7YW0hX/V8w5oYLztKEsRLykCMZWt1WdLtsfjzMvmoqWBA4H4t5norinq8/rh20oiZYr+WSl4UzAQ==",
       "license": "MIT",
       "engines": {
         "node": ">=16.9.0"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "open-agents-ai",
-  "version": "0.187.533",
+  "version": "0.187.534",
   "description": "AI coding agent powered by open-source models (Ollama/vLLM) — interactive TUI with agentic tool-calling loop",
   "type": "module",
   "main": "./dist/index.js",