palmier 0.5.2 → 0.5.3

package/README.md

@@ -46,9 +46,9 @@ All `palmier` commands should be run from a dedicated Palmier root directory (e.
 |---|---|
 | `palmier init` | Interactive setup wizard |
 | `palmier pair` | Generate an OTP code to pair a new device |
-| `palmier sessions list` | List active session tokens |
-| `palmier sessions revoke <token>` | Revoke a specific session token |
-| `palmier sessions revoke-all` | Revoke all session tokens |
+| `palmier clients list` | List active client tokens |
+| `palmier clients revoke <token>` | Revoke a specific client token |
+| `palmier clients revoke-all` | Revoke all client tokens |
 | `palmier info` | Show host connection info (address, mode) |
 | `palmier serve` | Run the persistent RPC handler (default command) |
 | `palmier restart` | Restart the palmier serve daemon |
@@ -70,17 +70,17 @@ Local access (`http://localhost:<port>`) works immediately — no pairing needed
 
 For LAN or server mode, run `palmier pair` on the host to generate an OTP code. Enter it in the PWA — either at `http://<host-ip>:<port>` (LAN mode) or `https://app.palmier.me` (server mode).
 
-### Managing sessions
+### Managing clients
 
 ```bash
 # List all paired devices
-palmier sessions list
+palmier clients list
 
 # Revoke a specific device's access
-palmier sessions revoke <token>
+palmier clients revoke <token>
 
-# Revoke all sessions (unpair all devices)
-palmier sessions revoke-all
+# Revoke all clients (unpair all devices)
+palmier clients revoke-all
 ```
 
 The `init` command:
@@ -126,7 +126,7 @@ palmier restart
 ## How It Works
 
 - The host runs as a **background daemon** (systemd user service on Linux, Registry Run key on Windows), staying alive via `palmier serve`.
-- **Device access** — localhost is always trusted (no pairing needed). LAN and server mode devices communicate via direct HTTP or NATS respectively, and must pair via OTP to get a session token.
+- **Device access** — localhost is always trusted (no pairing needed). LAN and server mode devices communicate via direct HTTP or NATS respectively, and must pair via OTP to get a client token.
 - **Tasks** are stored locally as Markdown files in a `tasks/` directory. Each task has a name, prompt, execution plan, and optional schedules (cron schedules or one-time dates).
 - **Plan generation** is automatic — when you create or update a task, the host invokes your chosen agent CLI to generate an execution plan and name.
 - **Schedules** are backed by systemd timers (Linux) or Task Scheduler (Windows). You can enable/disable them without deleting the task, and any task can still be run manually at any time.

package/dist/agents/agent-instructions.md

@@ -2,19 +2,19 @@ You are an AI agent executing a task on behalf of the user via the Palmier platf
 
 ## Reporting Output
 
-If you generate report or output files, print each file path on its own line using this exact format (no code block):
-`[PALMIER_REPORT] <filename>`
+If you generate report or output files, print each file path on its own line using this exact format:
+[PALMIER_REPORT] <filename>
 
 ## Completion
 
-When you are done, output exactly one of these markers as the very last line (no code block, no other text on the same line):
-- Success: `[PALMIER_TASK_SUCCESS]`
-- Failure: `[PALMIER_TASK_FAILURE]`
+When you are done, output exactly one of these markers as the very last line (no other text on the same line):
+[PALMIER_TASK_SUCCESS]
+[PALMIER_TASK_FAILURE]
 
 ## Permissions
 
-If the task fails because a tool was denied or you lack the required permissions, print each required permission on its own line using this exact format (no code block):
-`[PALMIER_PERMISSION] <tool_name> | <description>`
+If the task fails because a tool was denied or you lack the required permissions, print each required permission on its own line using this exact format:
+[PALMIER_PERMISSION] <tool_name> | <description>
 
 ## HTTP Endpoints
 

package/dist/agents/shared-prompt.js

@@ -8,7 +8,7 @@ const AGENT_INSTRUCTIONS_TEMPLATE = fs.readFileSync(path.join(__dirname, "agent-
  * Agent instructions with the serve daemon's HTTP port and task ID baked in.
  */
 export function getAgentInstructions(taskId, skipPermissions) {
-    const port = loadConfig().httpPort ?? 7400;
+    const port = loadConfig().httpPort ?? 9966;
     let instructions = AGENT_INSTRUCTIONS_TEMPLATE
         .replace(/\{\{PORT\}\}/g, String(port))
         .replace(/\{\{TASK_ID\}\}/g, taskId);

package/dist/client-store.d.ts

@@ -0,0 +1,12 @@
+export interface ClientEntry {
+    token: string;
+    createdAt: string;
+    label?: string;
+}
+export declare function loadClients(): ClientEntry[];
+export declare function addClient(label?: string): ClientEntry;
+export declare function revokeClient(token: string): boolean;
+export declare function revokeAllClients(): number;
+export declare function validateClient(token: string): boolean;
+export declare function hasClients(): boolean;
+//# sourceMappingURL=client-store.d.ts.map

package/dist/client-store.js

@@ -0,0 +1,57 @@
+import * as fs from "fs";
+import * as path from "path";
+import { randomBytes } from "crypto";
+import { CONFIG_DIR } from "./config.js";
+const CLIENTS_FILE = path.join(CONFIG_DIR, "clients.json");
+function readFile() {
+    try {
+        if (!fs.existsSync(CLIENTS_FILE))
+            return [];
+        const raw = fs.readFileSync(CLIENTS_FILE, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return [];
+    }
+}
+function writeFile(clients) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    fs.writeFileSync(CLIENTS_FILE, JSON.stringify(clients, null, 2), "utf-8");
+}
+export function loadClients() {
+    return readFile();
+}
+export function addClient(label) {
+    const clients = readFile();
+    const entry = {
+        token: randomBytes(32).toString("hex"),
+        createdAt: new Date().toISOString(),
+        ...(label ? { label } : {}),
+    };
+    clients.push(entry);
+    writeFile(clients);
+    return entry;
+}
+export function revokeClient(token) {
+    const clients = readFile();
+    const idx = clients.findIndex((c) => c.token === token);
+    if (idx === -1)
+        return false;
+    clients.splice(idx, 1);
+    writeFile(clients);
+    return true;
+}
+export function revokeAllClients() {
+    const clients = readFile();
+    const count = clients.length;
+    writeFile([]);
+    return count;
+}
+export function validateClient(token) {
+    const clients = readFile();
+    return clients.some((c) => c.token === token);
+}
+export function hasClients() {
+    return readFile().length > 0;
+}
+//# sourceMappingURL=client-store.js.map

package/dist/commands/clients.d.ts

@@ -0,0 +1,4 @@
+export declare function clientsListCommand(): Promise<void>;
+export declare function clientsRevokeCommand(token: string): Promise<void>;
+export declare function clientsRevokeAllCommand(): Promise<void>;
+//# sourceMappingURL=clients.d.ts.map

package/dist/commands/clients.js

@@ -0,0 +1,27 @@
+import { loadClients, revokeClient, revokeAllClients } from "../client-store.js";
+export async function clientsListCommand() {
+    const clients = loadClients();
+    if (clients.length === 0) {
+        console.log("No active clients.");
+        return;
+    }
+    console.log(`${clients.length} active client(s):\n`);
+    for (const c of clients) {
+        const label = c.label ? ` (${c.label})` : "";
+        console.log(`  ${c.token}${label}  created ${c.createdAt}`);
+    }
+}
+export async function clientsRevokeCommand(token) {
+    if (revokeClient(token)) {
+        console.log("Client revoked.");
+    }
+    else {
+        console.error("Client not found.");
+        process.exit(1);
+    }
+}
+export async function clientsRevokeAllCommand() {
+    const count = revokeAllClients();
+    console.log(`Revoked ${count} client(s).`);
+}
+//# sourceMappingURL=clients.js.map

package/dist/commands/info.js

@@ -1,11 +1,11 @@
 import { loadConfig } from "../config.js";
-import { loadSessions } from "../session-store.js";
+import { loadClients } from "../client-store.js";
 /**
  * Print host connection info for setting up clients.
  */
 export async function infoCommand() {
     const config = loadConfig();
-    const sessions = loadSessions();
+    const clients = loadClients();
     console.log(`Host ID:      ${config.hostId}`);
     console.log(`Project root: ${config.projectRoot}`);
     // Detected agents
@@ -15,9 +15,9 @@ export async function infoCommand() {
     else {
         console.log(`Agents:       (none detected — run \`palmier agents\`)`);
     }
-    // Sessions
-    console.log(`Sessions:     ${sessions.length} active`);
-    if (sessions.length === 0) {
+    // Clients
+    console.log(`Clients:      ${clients.length} active`);
+    if (clients.length === 0) {
         console.log("");
         console.log("No paired clients. Run `palmier pair` to connect a device.");
     }

package/dist/commands/init.js

@@ -33,7 +33,7 @@ export async function initCommand() {
         // LAN mode
         const lanAnswer = await ask("Enable LAN access (direct HTTP from local network)? (y/N): ");
         const lanEnabled = lanAnswer.trim().toLowerCase() === "y";
-        let httpPort = 7400;
+        let httpPort = 9966;
         const portLabel = lanEnabled ? "HTTP port for local and LAN access" : "HTTP port for local access";
         const portAnswer = await ask(`${portLabel} (default ${httpPort}): `);
         const parsed = parseInt(portAnswer.trim(), 10);

package/dist/commands/pair.js

@@ -2,7 +2,7 @@ import * as http from "node:http";
 import { StringCodec } from "nats";
 import { loadConfig } from "../config.js";
 import { connectNats } from "../nats-client.js";
-import { addSession } from "../session-store.js";
+import { addClient } from "../client-store.js";
 const CODE_CHARS = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"; // no O/0/I/1/L
 const CODE_LENGTH = 6;
 export const PAIRING_EXPIRY_MS = 5 * 60 * 1000; // 5 minutes
@@ -12,10 +12,10 @@ export function generatePairingCode() {
     return Array.from(bytes, (b) => CODE_CHARS[b % CODE_CHARS.length]).join("");
 }
 function buildPairResponse(config, label) {
-    const session = addSession(label);
+    const client = addClient(label);
     return {
         hostId: config.hostId,
-        sessionToken: session.token,
+        clientToken: client.token,
     };
 }
 /**
@@ -56,7 +56,7 @@ function httpPairRegister(port, code) {
 export async function pairCommand() {
     const config = loadConfig();
     const code = generatePairingCode();
-    const httpPort = config.httpPort ?? 7400;
+    const httpPort = config.httpPort ?? 9966;
     let paired = false;
     function onPaired() {
         paired = true;

package/dist/commands/run.js

@@ -39,7 +39,7 @@ async function invokeAgentWithRetries(ctx, invokeTask) {
         console.log(`[invoke] ${command} ${displayArgs.join(" ")}${stdin ? ` (stdin: ${truncate(stdin, 100)})` : ""}`);
         const result = await spawnCommand(command, args, {
             cwd: getRunDir(ctx.taskDir, ctx.runId),
-            env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 7400) },
+            env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 9966) },
             echoStdout: true,
             resolveOnFailure: true,
             stdin,
@@ -248,7 +248,7 @@ async function runCommandTriggeredMode(ctx) {
     await publishHostEvent(ctx.nc, ctx.config.hostId, ctx.taskId, { event_type: "result-updated", run_id: ctx.runId });
     const child = spawnStreamingCommand(commandStr, {
         cwd: getRunDir(ctx.taskDir, ctx.runId),
-        env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 7400) },
+        env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 9966) },
     });
     let linesProcessed = 0;
     let invocationsSucceeded = 0;
@@ -365,7 +365,7 @@ async function publishTaskEvent(nc, config, taskDir, taskId, eventType, taskName
     await publishHostEvent(nc, config.hostId, taskId, payload);
 }
 async function requestPermission(config, task, taskDir, requiredPermissions) {
-    const port = config.httpPort ?? 7400;
+    const port = config.httpPort ?? 9966;
     const res = await fetch(`http://localhost:${port}/request-permission`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
@@ -387,7 +387,7 @@ async function requestPermission(config, task, taskDir, requiredPermissions) {
     return response;
 }
 async function requestConfirmation(config, task, taskDir) {
-    const port = config.httpPort ?? 7400;
+    const port = config.httpPort ?? 9966;
     const res = await fetch(`http://localhost:${port}/request-confirmation`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
@@ -414,7 +414,8 @@ export function parseReportFiles(output) {
     let match;
     while ((match = regex.exec(output)) !== null) {
         const name = match[1].trim();
-        if (name)
+        // Skip placeholder examples echoed from the prompt (e.g. "<filename>")
+        if (name && !name.startsWith("<"))
             files.push(name);
     }
     return files;
@@ -429,6 +430,9 @@ export function parsePermissions(output) {
     let match;
     while ((match = regex.exec(output)) !== null) {
         const raw = match[1].trim();
+        // Skip placeholder examples echoed from the prompt (e.g. "<tool_name> | <description>")
+        if (raw.startsWith("<"))
+            continue;
         const sep = raw.indexOf("|");
         if (sep !== -1) {
             perms.push({ name: raw.slice(0, sep).trim(), description: raw.slice(sep + 1).trim() });

package/dist/commands/serve.js

@@ -99,7 +99,7 @@ export async function serveCommand() {
         });
     }, POLL_INTERVAL_MS);
     const handleRpc = createRpcHandler(config, nc);
-    const httpPort = config.httpPort ?? 7400;
+    const httpPort = config.httpPort ?? 9966;
     // Start NATS transport (loops forever, fire-and-forget)
     if (nc) {
         startNatsTransport(config, handleRpc, nc);

package/dist/events.js

@@ -14,7 +14,7 @@ export async function publishHostEvent(nc, hostId, taskId, payload) {
         console.log(`[nats] ${subject} →`, payload);
     }
     const config = loadConfig();
-    const port = config.httpPort ?? 7400;
+    const port = config.httpPort ?? 9966;
     try {
         await fetch(`http://localhost:${port}/event`, {
             method: "POST",

package/dist/index.js

@@ -10,7 +10,7 @@ import { runCommand } from "./commands/run.js";
 import { serveCommand } from "./commands/serve.js";
 import { pairCommand } from "./commands/pair.js";
 import { restartCommand } from "./commands/restart.js";
-import { sessionsListCommand, sessionsRevokeCommand, sessionsRevokeAllCommand } from "./commands/sessions.js";
+import { clientsListCommand, clientsRevokeCommand, clientsRevokeAllCommand } from "./commands/clients.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(readFileSync(join(__dirname, "../package.json"), "utf-8"));
 const program = new Command();
@@ -54,26 +54,26 @@ program
     .action(async () => {
     await pairCommand();
 });
-const sessionsCmd = program
-    .command("sessions")
-    .description("Manage paired client sessions");
-sessionsCmd
+const clientsCmd = program
+    .command("clients")
+    .description("Manage paired clients");
+clientsCmd
     .command("list")
-    .description("List active sessions")
+    .description("List active clients")
     .action(async () => {
-    await sessionsListCommand();
+    await clientsListCommand();
 });
-sessionsCmd
+clientsCmd
     .command("revoke <token>")
-    .description("Revoke a session by token")
+    .description("Revoke a client by token")
     .action(async (token) => {
-    await sessionsRevokeCommand(token);
+    await clientsRevokeCommand(token);
 });
-sessionsCmd
+clientsCmd
     .command("revoke-all")
-    .description("Revoke all sessions")
+    .description("Revoke all clients")
     .action(async () => {
-    await sessionsRevokeAllCommand();
+    await clientsRevokeAllCommand();
 });
 // No subcommand → default to serve
 if (process.argv.length <= 2) {

package/dist/rpc-handler.js

@@ -10,7 +10,7 @@ import { getPlatform } from "./platform/index.js";
 import { spawnCommand } from "./spawn-command.js";
 import crossSpawn from "cross-spawn";
 import { getAgent } from "./agents/agent.js";
-import { validateSession } from "./session-store.js";
+import { validateClient } from "./client-store.js";
 import { publishHostEvent } from "./events.js";
 import { currentVersion, performUpdate } from "./update-checker.js";
 import { parseReportFiles, parseTaskOutcome, stripPalmierMarkers } from "./commands/run.js";
@@ -140,8 +140,8 @@ export function createRpcHandler(config, nc) {
         };
     }
     async function handleRpc(request) {
-        // Session token validation: skip for trusted localhost requests
-        if (!request.localhost && (!request.sessionToken || !validateSession(request.sessionToken))) {
+        // Client token validation: skip for trusted localhost requests
+        if (!request.localhost && (!request.clientToken || !validateClient(request.clientToken))) {
             return { error: "Unauthorized" };
         }
         switch (request.method) {
@@ -212,8 +212,11 @@ export function createRpcHandler(config, nc) {
                     existing.frontmatter.triggers_enabled = params.triggers_enabled;
                 if (params.requires_confirmation !== undefined)
                     existing.frontmatter.requires_confirmation = params.requires_confirmation;
-                if (params.yolo_mode !== undefined)
+                if (params.yolo_mode !== undefined) {
                     existing.frontmatter.yolo_mode = params.yolo_mode || undefined;
+                    if (params.yolo_mode)
+                        delete existing.frontmatter.permissions;
+                }
                 if (params.command !== undefined) {
                     if (params.command) {
                         existing.frontmatter.command = params.command;

package/dist/transports/http-transport.js

@@ -1,7 +1,7 @@
 import * as http from "node:http";
 import * as os from "os";
 import { StringCodec } from "nats";
-import { validateSession, addSession } from "../session-store.js";
+import { validateClient, addClient } from "../client-store.js";
 import { registerPending } from "../pending-requests.js";
 import * as fs from "node:fs";
 import { getTaskDir, parseTaskFile, spliceUserMessage } from "../task.js";
@@ -115,9 +115,9 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
         const auth = req.headers.authorization;
         if (!auth || !auth.startsWith("Bearer "))
             return false;
-        return validateSession(auth.slice(7));
+        return validateClient(auth.slice(7));
     }
-    function extractSessionToken(req) {
+    function extractClientToken(req) {
         const auth = req.headers.authorization;
         if (!auth || !auth.startsWith("Bearer "))
             return undefined;
@@ -368,11 +368,11 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
                     sendJson(res, 401, { error: "Invalid code" });
                     return;
                 }
-                const session = addSession(label);
+                const client = addClient(label);
                 const ip = detectLanIp();
                 const response = {
                     hostId: config.hostId,
-                    sessionToken: session.token,
+                    clientToken: client.token,
                     directUrl: `http://${ip}:${port}`,
                 };
                 clearTimeout(pending.timer);
@@ -449,10 +449,10 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
                 sendJson(res, 400, { error: "Invalid JSON" });
                 return;
             }
-            const sessionToken = extractSessionToken(req);
+            const clientToken = extractClientToken(req);
             console.log(`[http] RPC: ${method}`);
             try {
-                const response = await handleRpc({ method, params, sessionToken, localhost: isLocalhost(req) });
+                const response = await handleRpc({ method, params, clientToken, localhost: isLocalhost(req) });
                 console.log(`[http] RPC done: ${method}`, JSON.stringify(response).slice(0, 200));
                 sendJson(res, 200, response);
             }

package/dist/transports/nats-transport.js

@@ -39,13 +39,13 @@ export async function startNatsTransport(config, handleRpc, nc) {
                 }
             }
         }
-        // Extract sessionToken from params (PWA includes it in the payload)
-        const sessionToken = typeof params.sessionToken === "string" ? params.sessionToken : undefined;
-        delete params.sessionToken;
+        // Extract clientToken from params (PWA includes it in the payload)
+        const clientToken = typeof params.clientToken === "string" ? params.clientToken : undefined;
+        delete params.clientToken;
         console.log(`[nats] RPC: ${method}`);
         let response;
         try {
-            response = await handleRpc({ method, params, sessionToken });
+            response = await handleRpc({ method, params, clientToken });
         }
         catch (err) {
             console.error(`[nats] RPC error (${method}):`, err);

package/dist/types.d.ts

@@ -67,8 +67,8 @@ export interface ConversationMessage {
 export interface RpcMessage {
     method: string;
     params: Record<string, unknown>;
-    sessionToken?: string;
-    /** Trusted localhost request — skip session validation. */
+    clientToken?: string;
+    /** Trusted localhost request — skip client validation. */
     localhost?: boolean;
 }
 //# sourceMappingURL=types.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "palmier",
-  "version": "0.5.2",
+  "version": "0.5.3",
   "description": "Palmier host CLI - provisions, executes tasks, and serves NATS RPC",
   "license": "Apache-2.0",
   "author": "Hongxu Cai",

package/src/agents/agent-instructions.md

@@ -2,19 +2,19 @@ You are an AI agent executing a task on behalf of the user via the Palmier platf
 
 ## Reporting Output
 
-If you generate report or output files, print each file path on its own line using this exact format (no code block):
-`[PALMIER_REPORT] <filename>`
+If you generate report or output files, print each file path on its own line using this exact format:
+[PALMIER_REPORT] <filename>
 
 ## Completion
 
-When you are done, output exactly one of these markers as the very last line (no code block, no other text on the same line):
-- Success: `[PALMIER_TASK_SUCCESS]`
-- Failure: `[PALMIER_TASK_FAILURE]`
+When you are done, output exactly one of these markers as the very last line (no other text on the same line):
+[PALMIER_TASK_SUCCESS]
+[PALMIER_TASK_FAILURE]
 
 ## Permissions
 
-If the task fails because a tool was denied or you lack the required permissions, print each required permission on its own line using this exact format (no code block):
-`[PALMIER_PERMISSION] <tool_name> | <description>`
+If the task fails because a tool was denied or you lack the required permissions, print each required permission on its own line using this exact format:
+[PALMIER_PERMISSION] <tool_name> | <description>
 
 ## HTTP Endpoints
 

package/src/agents/shared-prompt.ts

@@ -14,7 +14,7 @@ const AGENT_INSTRUCTIONS_TEMPLATE = fs.readFileSync(
  * Agent instructions with the serve daemon's HTTP port and task ID baked in.
  */
 export function getAgentInstructions(taskId: string, skipPermissions?: boolean): string {
-  const port = loadConfig().httpPort ?? 7400;
+  const port = loadConfig().httpPort ?? 9966;
   let instructions = AGENT_INSTRUCTIONS_TEMPLATE
     .replace(/\{\{PORT\}\}/g, String(port))
     .replace(/\{\{TASK_ID\}\}/g, taskId);

package/src/client-store.ts

@@ -0,0 +1,68 @@
+import * as fs from "fs";
+import * as path from "path";
+import { randomBytes } from "crypto";
+import { CONFIG_DIR } from "./config.js";
+
+const CLIENTS_FILE = path.join(CONFIG_DIR, "clients.json");
+
+export interface ClientEntry {
+  token: string;
+  createdAt: string;
+  label?: string;
+}
+
+function readFile(): ClientEntry[] {
+  try {
+    if (!fs.existsSync(CLIENTS_FILE)) return [];
+    const raw = fs.readFileSync(CLIENTS_FILE, "utf-8");
+    return JSON.parse(raw) as ClientEntry[];
+  } catch {
+    return [];
+  }
+}
+
+function writeFile(clients: ClientEntry[]): void {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(CLIENTS_FILE, JSON.stringify(clients, null, 2), "utf-8");
+}
+
+export function loadClients(): ClientEntry[] {
+  return readFile();
+}
+
+export function addClient(label?: string): ClientEntry {
+  const clients = readFile();
+  const entry: ClientEntry = {
+    token: randomBytes(32).toString("hex"),
+    createdAt: new Date().toISOString(),
+    ...(label ? { label } : {}),
+  };
+  clients.push(entry);
+  writeFile(clients);
+  return entry;
+}
+
+export function revokeClient(token: string): boolean {
+  const clients = readFile();
+  const idx = clients.findIndex((c) => c.token === token);
+  if (idx === -1) return false;
+  clients.splice(idx, 1);
+  writeFile(clients);
+  return true;
+}
+
+export function revokeAllClients(): number {
+  const clients = readFile();
+  const count = clients.length;
+  writeFile([]);
+  return count;
+}
+
+export function validateClient(token: string): boolean {
+  const clients = readFile();
+  return clients.some((c) => c.token === token);
+}
+
+export function hasClients(): boolean {
+  return readFile().length > 0;
+}

package/src/commands/clients.ts

@@ -0,0 +1,29 @@
+import { loadClients, revokeClient, revokeAllClients } from "../client-store.js";
+
+export async function clientsListCommand(): Promise<void> {
+  const clients = loadClients();
+  if (clients.length === 0) {
+    console.log("No active clients.");
+    return;
+  }
+
+  console.log(`${clients.length} active client(s):\n`);
+  for (const c of clients) {
+    const label = c.label ? ` (${c.label})` : "";
+    console.log(`  ${c.token}${label}  created ${c.createdAt}`);
+  }
+}
+
+export async function clientsRevokeCommand(token: string): Promise<void> {
+  if (revokeClient(token)) {
+    console.log("Client revoked.");
+  } else {
+    console.error("Client not found.");
+    process.exit(1);
+  }
+}
+
+export async function clientsRevokeAllCommand(): Promise<void> {
+  const count = revokeAllClients();
+  console.log(`Revoked ${count} client(s).`);
+}

package/src/commands/info.ts

@@ -1,12 +1,12 @@
 import { loadConfig } from "../config.js";
-import { loadSessions } from "../session-store.js";
+import { loadClients } from "../client-store.js";
 
 /**
  * Print host connection info for setting up clients.
  */
 export async function infoCommand(): Promise<void> {
   const config = loadConfig();
-  const sessions = loadSessions();
+  const clients = loadClients();
 
   console.log(`Host ID:      ${config.hostId}`);
   console.log(`Project root: ${config.projectRoot}`);
@@ -18,10 +18,10 @@ export async function infoCommand(): Promise<void> {
     console.log(`Agents:       (none detected — run \`palmier agents\`)`);
   }
 
-  // Sessions
-  console.log(`Sessions:     ${sessions.length} active`);
+  // Clients
+  console.log(`Clients:      ${clients.length} active`);
 
-  if (sessions.length === 0) {
+  if (clients.length === 0) {
     console.log("");
     console.log("No paired clients. Run `palmier pair` to connect a device.");
   }

package/src/commands/init.ts

@@ -44,7 +44,7 @@ export async function initCommand(): Promise<void> {
     const lanAnswer = await ask("Enable LAN access (direct HTTP from local network)? (y/N): ");
     const lanEnabled = lanAnswer.trim().toLowerCase() === "y";
 
-    let httpPort = 7400;
+    let httpPort = 9966;
     const portLabel = lanEnabled ? "HTTP port for local and LAN access" : "HTTP port for local access";
     const portAnswer = await ask(`${portLabel} (default ${httpPort}): `);
     const parsed = parseInt(portAnswer.trim(), 10);

package/src/commands/pair.ts

@@ -2,7 +2,7 @@ import * as http from "node:http";
 import { StringCodec } from "nats";
 import { loadConfig } from "../config.js";
 import { connectNats } from "../nats-client.js";
-import { addSession } from "../session-store.js";
+import { addClient } from "../client-store.js";
 import type { HostConfig } from "../types.js";
 
 const CODE_CHARS = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"; // no O/0/I/1/L
@@ -17,10 +17,10 @@ export function generatePairingCode(): string {
 }
 
 function buildPairResponse(config: HostConfig, label?: string) {
-  const session = addSession(label);
+  const client = addClient(label);
   return {
     hostId: config.hostId,
-    sessionToken: session.token,
+    clientToken: client.token,
   };
 }
 
@@ -67,7 +67,7 @@ function httpPairRegister(port: number, code: string): Promise<boolean> {
 export async function pairCommand(): Promise<void> {
   const config = loadConfig();
   const code = generatePairingCode();
-  const httpPort = config.httpPort ?? 7400;
+  const httpPort = config.httpPort ?? 9966;
 
   let paired = false;
 

package/src/commands/run.ts

@@ -70,7 +70,7 @@ async function invokeAgentWithRetries(
     console.log(`[invoke] ${command} ${displayArgs.join(" ")}${stdin ? ` (stdin: ${truncate(stdin, 100)})` : ""}`);
     const result = await spawnCommand(command, args, {
       cwd: getRunDir(ctx.taskDir, ctx.runId),
-      env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 7400) },
+      env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 9966) },
       echoStdout: true,
       resolveOnFailure: true,
       stdin,
@@ -309,7 +309,7 @@ async function runCommandTriggeredMode(
 
   const child = spawnStreamingCommand(commandStr, {
     cwd: getRunDir(ctx.taskDir, ctx.runId),
-    env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 7400) },
+    env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 9966) },
   });
 
   let linesProcessed = 0;
@@ -449,7 +449,7 @@ async function requestPermission(
   taskDir: string,
   requiredPermissions: RequiredPermission[],
 ): Promise<"granted" | "granted_all" | "aborted"> {
-  const port = config.httpPort ?? 7400;
+  const port = config.httpPort ?? 9966;
   const res = await fetch(`http://localhost:${port}/request-permission`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
@@ -477,7 +477,7 @@ async function requestConfirmation(
   task: ParsedTask,
   taskDir: string,
 ): Promise<boolean> {
-  const port = config.httpPort ?? 7400;
+  const port = config.httpPort ?? 9966;
   const res = await fetch(`http://localhost:${port}/request-confirmation`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
@@ -505,7 +505,8 @@ export function parseReportFiles(output: string): string[] {
   let match;
   while ((match = regex.exec(output)) !== null) {
     const name = match[1].trim();
-    if (name) files.push(name);
+    // Skip placeholder examples echoed from the prompt (e.g. "<filename>")
+    if (name && !name.startsWith("<")) files.push(name);
   }
   return files;
 }
@@ -520,6 +521,8 @@ export function parsePermissions(output: string): RequiredPermission[] {
   let match;
   while ((match = regex.exec(output)) !== null) {
     const raw = match[1].trim();
+    // Skip placeholder examples echoed from the prompt (e.g. "<tool_name> | <description>")
+    if (raw.startsWith("<")) continue;
     const sep = raw.indexOf("|");
     if (sep !== -1) {
       perms.push({ name: raw.slice(0, sep).trim(), description: raw.slice(sep + 1).trim() });

package/src/commands/serve.ts

@@ -114,7 +114,7 @@ export async function serveCommand(): Promise<void> {
   }, POLL_INTERVAL_MS);
 
   const handleRpc = createRpcHandler(config, nc);
-  const httpPort = config.httpPort ?? 7400;
+  const httpPort = config.httpPort ?? 9966;
 
   // Start NATS transport (loops forever, fire-and-forget)
   if (nc) {

package/src/events.ts

@@ -23,7 +23,7 @@ export async function publishHostEvent(
   }
 
   const config = loadConfig();
-  const port = config.httpPort ?? 7400;
+  const port = config.httpPort ?? 9966;
   try {
     await fetch(`http://localhost:${port}/event`, {
       method: "POST",

package/src/index.ts

@@ -12,7 +12,7 @@ import { serveCommand } from "./commands/serve.js";
 
 import { pairCommand } from "./commands/pair.js";
 import { restartCommand } from "./commands/restart.js";
-import { sessionsListCommand, sessionsRevokeCommand, sessionsRevokeAllCommand } from "./commands/sessions.js";
+import { clientsListCommand, clientsRevokeCommand, clientsRevokeAllCommand } from "./commands/clients.js";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(readFileSync(join(__dirname, "../package.json"), "utf-8"));
@@ -68,29 +68,29 @@ program
   });
 
 
-const sessionsCmd = program
-  .command("sessions")
-  .description("Manage paired client sessions");
+const clientsCmd = program
+  .command("clients")
+  .description("Manage paired clients");
 
-sessionsCmd
+clientsCmd
   .command("list")
-  .description("List active sessions")
+  .description("List active clients")
   .action(async () => {
-    await sessionsListCommand();
+    await clientsListCommand();
   });
 
-sessionsCmd
+clientsCmd
   .command("revoke <token>")
-  .description("Revoke a session by token")
+  .description("Revoke a client by token")
   .action(async (token: string) => {
-    await sessionsRevokeCommand(token);
+    await clientsRevokeCommand(token);
   });
 
-sessionsCmd
+clientsCmd
   .command("revoke-all")
-  .description("Revoke all sessions")
+  .description("Revoke all clients")
   .action(async () => {
-    await sessionsRevokeAllCommand();
+    await clientsRevokeAllCommand();
   });
 
 // No subcommand → default to serve

package/src/rpc-handler.ts

@@ -11,7 +11,7 @@ import { getPlatform } from "./platform/index.js";
 import { spawnCommand } from "./spawn-command.js";
 import crossSpawn from "cross-spawn";
 import { getAgent } from "./agents/agent.js";
-import { validateSession } from "./session-store.js";
+import { validateClient } from "./client-store.js";
 import { publishHostEvent } from "./events.js";
 import { currentVersion, performUpdate } from "./update-checker.js";
 import { parseReportFiles, parseTaskOutcome, stripPalmierMarkers } from "./commands/run.js";
@@ -166,8 +166,8 @@ export function createRpcHandler(config: HostConfig, nc?: NatsConnection) {
   }
 
   async function handleRpc(request: RpcMessage): Promise<unknown> {
-    // Session token validation: skip for trusted localhost requests
-    if (!request.localhost && (!request.sessionToken || !validateSession(request.sessionToken))) {
+    // Client token validation: skip for trusted localhost requests
+    if (!request.localhost && (!request.clientToken || !validateClient(request.clientToken))) {
       return { error: "Unauthorized" };
     }
 
@@ -259,7 +259,10 @@ export function createRpcHandler(config: HostConfig, nc?: NatsConnection) {
         if (params.triggers_enabled !== undefined) existing.frontmatter.triggers_enabled = params.triggers_enabled;
         if (params.requires_confirmation !== undefined)
           existing.frontmatter.requires_confirmation = params.requires_confirmation;
-        if (params.yolo_mode !== undefined) existing.frontmatter.yolo_mode = params.yolo_mode || undefined;
+        if (params.yolo_mode !== undefined) {
+          existing.frontmatter.yolo_mode = params.yolo_mode || undefined;
+          if (params.yolo_mode) delete existing.frontmatter.permissions;
+        }
         if (params.command !== undefined) {
           if (params.command) {
             existing.frontmatter.command = params.command;

package/src/transports/http-transport.ts

@@ -1,7 +1,7 @@
 import * as http from "node:http";
 import * as os from "os";
 import { StringCodec, type NatsConnection } from "nats";
-import { validateSession, addSession } from "../session-store.js";
+import { validateClient, addClient } from "../client-store.js";
 import { registerPending } from "../pending-requests.js";
 import * as fs from "node:fs";
 import { getTaskDir, parseTaskFile, spliceUserMessage } from "../task.js";
@@ -145,10 +145,10 @@ export async function startHttpTransport(
   function checkAuth(req: http.IncomingMessage): boolean {
     const auth = req.headers.authorization;
     if (!auth || !auth.startsWith("Bearer ")) return false;
-    return validateSession(auth.slice(7));
+    return validateClient(auth.slice(7));
   }
 
-  function extractSessionToken(req: http.IncomingMessage): string | undefined {
+  function extractClientToken(req: http.IncomingMessage): string | undefined {
     const auth = req.headers.authorization;
     if (!auth || !auth.startsWith("Bearer ")) return undefined;
     return auth.slice(7);
@@ -394,11 +394,11 @@ export async function startHttpTransport(
         const pending = pendingPairs.get(code);
         if (!pending) { sendJson(res, 401, { error: "Invalid code" }); return; }
 
-        const session = addSession(label);
+        const client = addClient(label);
         const ip = detectLanIp();
         const response: Record<string, unknown> = {
           hostId: config.hostId,
-          sessionToken: session.token,
+          clientToken: client.token,
           directUrl: `http://${ip}:${port}`,
         };
 
@@ -476,11 +476,11 @@ export async function startHttpTransport(
         }
       } catch { sendJson(res, 400, { error: "Invalid JSON" }); return; }
 
-      const sessionToken = extractSessionToken(req);
+      const clientToken = extractClientToken(req);
       console.log(`[http] RPC: ${method}`);
 
       try {
-        const response = await handleRpc({ method, params, sessionToken, localhost: isLocalhost(req) });
+        const response = await handleRpc({ method, params, clientToken, localhost: isLocalhost(req) });
         console.log(`[http] RPC done: ${method}`, JSON.stringify(response).slice(0, 200));
         sendJson(res, 200, response);
       } catch (err) {

package/src/transports/nats-transport.ts

@@ -50,15 +50,15 @@ export async function startNatsTransport(
       }
     }
 
-    // Extract sessionToken from params (PWA includes it in the payload)
-    const sessionToken = typeof params.sessionToken === "string" ? params.sessionToken : undefined;
-    delete params.sessionToken;
+    // Extract clientToken from params (PWA includes it in the payload)
+    const clientToken = typeof params.clientToken === "string" ? params.clientToken : undefined;
+    delete params.clientToken;
 
     console.log(`[nats] RPC: ${method}`);
 
     let response: unknown;
     try {
-      response = await handleRpc({ method, params, sessionToken });
+      response = await handleRpc({ method, params, clientToken });
     } catch (err) {
       console.error(`[nats] RPC error (${method}):`, err);
       response = { error: String(err) };

package/src/types.ts

@@ -9,7 +9,7 @@ export interface HostConfig {
   // Detected agent CLIs
   agents?: Array<{ key: string; label: string }>;
 
-  // HTTP server port (default 7400)
+  // HTTP server port (default 9966)
   httpPort?: number;
   // Whether to accept non-localhost HTTP connections
   lanEnabled?: boolean;
@@ -79,7 +79,7 @@ export interface ConversationMessage {
 export interface RpcMessage {
   method: string;
   params: Record<string, unknown>;
-  sessionToken?: string;
-  /** Trusted localhost request — skip session validation. */
+  clientToken?: string;
+  /** Trusted localhost request — skip client validation. */
   localhost?: boolean;
 }

package/test/agent-instructions.test.ts

@@ -1,29 +1,46 @@
 import { describe, it } from "node:test";
 import assert from "node:assert/strict";
-import { getAgentInstructions } from "../src/agents/shared-prompt.js";
+import * as fs from "fs";
+import * as path from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const templatePath = path.join(__dirname, "..", "src", "agents", "agent-instructions.md");
+const template = fs.readFileSync(templatePath, "utf-8");
+
+/** Minimal replica of getAgentInstructions that doesn't need host.json */
+function buildInstructions(taskId: string, skipPermissions?: boolean): string {
+  let instructions = template
+    .replace(/\{\{PORT\}\}/g, "9966")
+    .replace(/\{\{TASK_ID\}\}/g, taskId);
+  if (skipPermissions) {
+    instructions = instructions.replace(/## Permissions\r?\n[\s\S]*?(?=## |\r?\n---)/m, "");
+  }
+  return instructions;
+}
 
 describe("getAgentInstructions", () => {
   it("includes Permissions section by default", () => {
-    const result = getAgentInstructions("test-task-id");
+    const result = buildInstructions("test-task-id");
     assert.match(result, /## Permissions/);
     assert.match(result, /PALMIER_PERMISSION/);
   });
 
   it("strips Permissions section when skipPermissions is true", () => {
-    const result = getAgentInstructions("test-task-id", true);
+    const result = buildInstructions("test-task-id", true);
     assert.doesNotMatch(result, /## Permissions/);
     assert.doesNotMatch(result, /PALMIER_PERMISSION/);
   });
 
   it("preserves other sections when Permissions is stripped", () => {
-    const result = getAgentInstructions("test-task-id", true);
+    const result = buildInstructions("test-task-id", true);
     assert.match(result, /## Reporting Output/);
     assert.match(result, /## Completion/);
     assert.match(result, /## HTTP Endpoints/);
   });
 
   it("replaces template variables", () => {
-    const result = getAgentInstructions("my-task-123");
+    const result = buildInstructions("my-task-123");
     assert.match(result, /my-task-123/);
     assert.doesNotMatch(result, /\{\{TASK_ID\}\}/);
     assert.doesNotMatch(result, /\{\{PORT\}\}/);

package/test/agent-output-parsing.test.ts

@@ -38,6 +38,11 @@ describe("parseReportFiles", () => {
   it("trims whitespace from file names", () => {
     assert.deepEqual(parseReportFiles("[PALMIER_REPORT]   report.md  "), ["report.md"]);
   });
+
+  it("ignores placeholder examples from echoed prompt", () => {
+    const output = "[PALMIER_REPORT] <filename>\n[PALMIER_REPORT] actual-report.md";
+    assert.deepEqual(parseReportFiles(output), ["actual-report.md"]);
+  });
 });
 
 describe("parsePermissions", () => {
@@ -57,5 +62,12 @@ describe("parsePermissions", () => {
   it("returns empty array when no permissions", () => {
     assert.deepEqual(parsePermissions("no permissions"), []);
   });
+
+  it("ignores placeholder examples from echoed prompt", () => {
+    const output = "[PALMIER_PERMISSION] <tool_name> | <description>\n[PALMIER_PERMISSION] Read | Read files";
+    const perms = parsePermissions(output);
+    assert.equal(perms.length, 1);
+    assert.deepEqual(perms[0], { name: "Read", description: "Read files" });
+  });
 });
 

package/dist/commands/sessions.d.ts

@@ -1,4 +0,0 @@
-export declare function sessionsListCommand(): Promise<void>;
-export declare function sessionsRevokeCommand(token: string): Promise<void>;
-export declare function sessionsRevokeAllCommand(): Promise<void>;
-//# sourceMappingURL=sessions.d.ts.map

package/dist/commands/sessions.js

@@ -1,27 +0,0 @@
-import { loadSessions, revokeSession, revokeAllSessions } from "../session-store.js";
-export async function sessionsListCommand() {
-    const sessions = loadSessions();
-    if (sessions.length === 0) {
-        console.log("No active sessions.");
-        return;
-    }
-    console.log(`${sessions.length} active session(s):\n`);
-    for (const s of sessions) {
-        const label = s.label ? ` (${s.label})` : "";
-        console.log(`  ${s.token}${label}  created ${s.createdAt}`);
-    }
-}
-export async function sessionsRevokeCommand(token) {
-    if (revokeSession(token)) {
-        console.log("Session revoked.");
-    }
-    else {
-        console.error("Session not found.");
-        process.exit(1);
-    }
-}
-export async function sessionsRevokeAllCommand() {
-    const count = revokeAllSessions();
-    console.log(`Revoked ${count} session(s).`);
-}
-//# sourceMappingURL=sessions.js.map

package/dist/session-store.d.ts

@@ -1,12 +0,0 @@
-export interface SessionEntry {
-    token: string;
-    createdAt: string;
-    label?: string;
-}
-export declare function loadSessions(): SessionEntry[];
-export declare function addSession(label?: string): SessionEntry;
-export declare function revokeSession(token: string): boolean;
-export declare function revokeAllSessions(): number;
-export declare function validateSession(token: string): boolean;
-export declare function hasSessions(): boolean;
-//# sourceMappingURL=session-store.d.ts.map

package/dist/session-store.js

@@ -1,57 +0,0 @@
-import * as fs from "fs";
-import * as path from "path";
-import { randomBytes } from "crypto";
-import { CONFIG_DIR } from "./config.js";
-const SESSIONS_FILE = path.join(CONFIG_DIR, "sessions.json");
-function readFile() {
-    try {
-        if (!fs.existsSync(SESSIONS_FILE))
-            return [];
-        const raw = fs.readFileSync(SESSIONS_FILE, "utf-8");
-        return JSON.parse(raw);
-    }
-    catch {
-        return [];
-    }
-}
-function writeFile(sessions) {
-    fs.mkdirSync(CONFIG_DIR, { recursive: true });
-    fs.writeFileSync(SESSIONS_FILE, JSON.stringify(sessions, null, 2), "utf-8");
-}
-export function loadSessions() {
-    return readFile();
-}
-export function addSession(label) {
-    const sessions = readFile();
-    const entry = {
-        token: randomBytes(32).toString("hex"),
-        createdAt: new Date().toISOString(),
-        ...(label ? { label } : {}),
-    };
-    sessions.push(entry);
-    writeFile(sessions);
-    return entry;
-}
-export function revokeSession(token) {
-    const sessions = readFile();
-    const idx = sessions.findIndex((s) => s.token === token);
-    if (idx === -1)
-        return false;
-    sessions.splice(idx, 1);
-    writeFile(sessions);
-    return true;
-}
-export function revokeAllSessions() {
-    const sessions = readFile();
-    const count = sessions.length;
-    writeFile([]);
-    return count;
-}
-export function validateSession(token) {
-    const sessions = readFile();
-    return sessions.some((s) => s.token === token);
-}
-export function hasSessions() {
-    return readFile().length > 0;
-}
-//# sourceMappingURL=session-store.js.map

package/src/commands/sessions.ts

@@ -1,29 +0,0 @@
-import { loadSessions, revokeSession, revokeAllSessions } from "../session-store.js";
-
-export async function sessionsListCommand(): Promise<void> {
-  const sessions = loadSessions();
-  if (sessions.length === 0) {
-    console.log("No active sessions.");
-    return;
-  }
-
-  console.log(`${sessions.length} active session(s):\n`);
-  for (const s of sessions) {
-    const label = s.label ? ` (${s.label})` : "";
-    console.log(`  ${s.token}${label}  created ${s.createdAt}`);
-  }
-}
-
-export async function sessionsRevokeCommand(token: string): Promise<void> {
-  if (revokeSession(token)) {
-    console.log("Session revoked.");
-  } else {
-    console.error("Session not found.");
-    process.exit(1);
-  }
-}
-
-export async function sessionsRevokeAllCommand(): Promise<void> {
-  const count = revokeAllSessions();
-  console.log(`Revoked ${count} session(s).`);
-}

package/src/session-store.ts

@@ -1,68 +0,0 @@
-import * as fs from "fs";
-import * as path from "path";
-import { randomBytes } from "crypto";
-import { CONFIG_DIR } from "./config.js";
-
-const SESSIONS_FILE = path.join(CONFIG_DIR, "sessions.json");
-
-export interface SessionEntry {
-  token: string;
-  createdAt: string;
-  label?: string;
-}
-
-function readFile(): SessionEntry[] {
-  try {
-    if (!fs.existsSync(SESSIONS_FILE)) return [];
-    const raw = fs.readFileSync(SESSIONS_FILE, "utf-8");
-    return JSON.parse(raw) as SessionEntry[];
-  } catch {
-    return [];
-  }
-}
-
-function writeFile(sessions: SessionEntry[]): void {
-  fs.mkdirSync(CONFIG_DIR, { recursive: true });
-  fs.writeFileSync(SESSIONS_FILE, JSON.stringify(sessions, null, 2), "utf-8");
-}
-
-export function loadSessions(): SessionEntry[] {
-  return readFile();
-}
-
-export function addSession(label?: string): SessionEntry {
-  const sessions = readFile();
-  const entry: SessionEntry = {
-    token: randomBytes(32).toString("hex"),
-    createdAt: new Date().toISOString(),
-    ...(label ? { label } : {}),
-  };
-  sessions.push(entry);
-  writeFile(sessions);
-  return entry;
-}
-
-export function revokeSession(token: string): boolean {
-  const sessions = readFile();
-  const idx = sessions.findIndex((s) => s.token === token);
-  if (idx === -1) return false;
-  sessions.splice(idx, 1);
-  writeFile(sessions);
-  return true;
-}
-
-export function revokeAllSessions(): number {
-  const sessions = readFile();
-  const count = sessions.length;
-  writeFile([]);
-  return count;
-}
-
-export function validateSession(token: string): boolean {
-  const sessions = readFile();
-  return sessions.some((s) => s.token === token);
-}
-
-export function hasSessions(): boolean {
-  return readFile().length > 0;
-}