palmier 0.5.2 → 0.5.4

package/README.md

@@ -46,9 +46,9 @@ All `palmier` commands should be run from a dedicated Palmier root directory (e.
 |---|---|
 | `palmier init` | Interactive setup wizard |
 | `palmier pair` | Generate an OTP code to pair a new device |
-| `palmier sessions list` | List active session tokens |
-| `palmier sessions revoke <token>` | Revoke a specific session token |
-| `palmier sessions revoke-all` | Revoke all session tokens |
+| `palmier clients list` | List active client tokens |
+| `palmier clients revoke <token>` | Revoke a specific client token |
+| `palmier clients revoke-all` | Revoke all client tokens |
 | `palmier info` | Show host connection info (address, mode) |
 | `palmier serve` | Run the persistent RPC handler (default command) |
 | `palmier restart` | Restart the palmier serve daemon |
@@ -70,17 +70,17 @@ Local access (`http://localhost:<port>`) works immediately — no pairing needed
 
 For LAN or server mode, run `palmier pair` on the host to generate an OTP code. Enter it in the PWA — either at `http://<host-ip>:<port>` (LAN mode) or `https://app.palmier.me` (server mode).
 
-### Managing sessions
+### Managing clients
 
 ```bash
 # List all paired devices
-palmier sessions list
+palmier clients list
 
 # Revoke a specific device's access
-palmier sessions revoke <token>
+palmier clients revoke <token>
 
-# Revoke all sessions (unpair all devices)
-palmier sessions revoke-all
+# Revoke all clients (unpair all devices)
+palmier clients revoke-all
 ```
 
 The `init` command:
@@ -126,7 +126,7 @@ palmier restart
 ## How It Works
 
 - The host runs as a **background daemon** (systemd user service on Linux, Registry Run key on Windows), staying alive via `palmier serve`.
-- **Device access** — localhost is always trusted (no pairing needed). LAN and server mode devices communicate via direct HTTP or NATS respectively, and must pair via OTP to get a session token.
+- **Device access** — localhost is always trusted (no pairing needed). LAN and server mode devices communicate via direct HTTP or NATS respectively, and must pair via OTP to get a client token.
 - **Tasks** are stored locally as Markdown files in a `tasks/` directory. Each task has a name, prompt, execution plan, and optional schedules (cron schedules or one-time dates).
 - **Plan generation** is automatic — when you create or update a task, the host invokes your chosen agent CLI to generate an execution plan and name.
 - **Schedules** are backed by systemd timers (Linux) or Task Scheduler (Windows). You can enable/disable them without deleting the task, and any task can still be run manually at any time.

package/dist/agents/agent-instructions.md

@@ -2,19 +2,19 @@ You are an AI agent executing a task on behalf of the user via the Palmier platf
 
 ## Reporting Output
 
-If you generate report or output files, print each file path on its own line using this exact format (no code block):
-`[PALMIER_REPORT] <filename>`
+If you generate report or output files, print each file path on its own line using this exact format:
+[PALMIER_REPORT] <filename>
 
 ## Completion
 
-When you are done, output exactly one of these markers as the very last line (no code block, no other text on the same line):
-- Success: `[PALMIER_TASK_SUCCESS]`
-- Failure: `[PALMIER_TASK_FAILURE]`
+When you are done, output exactly one of these markers as the very last line (no other text on the same line):
+[PALMIER_TASK_SUCCESS]
+[PALMIER_TASK_FAILURE]
 
 ## Permissions
 
-If the task fails because a tool was denied or you lack the required permissions, print each required permission on its own line using this exact format (no code block):
-`[PALMIER_PERMISSION] <tool_name> | <description>`
+If the task fails because a tool was denied or you lack the required permissions, print each required permission on its own line using this exact format:
+[PALMIER_PERMISSION] <tool_name> | <description>
 
 ## HTTP Endpoints
 

package/dist/agents/shared-prompt.js

@@ -8,7 +8,7 @@ const AGENT_INSTRUCTIONS_TEMPLATE = fs.readFileSync(path.join(__dirname, "agent-
  * Agent instructions with the serve daemon's HTTP port and task ID baked in.
  */
 export function getAgentInstructions(taskId, skipPermissions) {
-    const port = loadConfig().httpPort ?? 7400;
+    const port = loadConfig().httpPort ?? 9966;
     let instructions = AGENT_INSTRUCTIONS_TEMPLATE
         .replace(/\{\{PORT\}\}/g, String(port))
         .replace(/\{\{TASK_ID\}\}/g, taskId);

package/dist/client-store.d.ts

@@ -0,0 +1,12 @@
+export interface ClientEntry {
+    token: string;
+    createdAt: string;
+    label?: string;
+}
+export declare function loadClients(): ClientEntry[];
+export declare function addClient(label?: string): ClientEntry;
+export declare function revokeClient(token: string): boolean;
+export declare function revokeAllClients(): number;
+export declare function validateClient(token: string): boolean;
+export declare function hasClients(): boolean;
+//# sourceMappingURL=client-store.d.ts.map

package/dist/client-store.js

@@ -0,0 +1,57 @@
+import * as fs from "fs";
+import * as path from "path";
+import { randomBytes } from "crypto";
+import { CONFIG_DIR } from "./config.js";
+const CLIENTS_FILE = path.join(CONFIG_DIR, "clients.json");
+function readFile() {
+    try {
+        if (!fs.existsSync(CLIENTS_FILE))
+            return [];
+        const raw = fs.readFileSync(CLIENTS_FILE, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return [];
+    }
+}
+function writeFile(clients) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    fs.writeFileSync(CLIENTS_FILE, JSON.stringify(clients, null, 2), "utf-8");
+}
+export function loadClients() {
+    return readFile();
+}
+export function addClient(label) {
+    const clients = readFile();
+    const entry = {
+        token: randomBytes(32).toString("hex"),
+        createdAt: new Date().toISOString(),
+        ...(label ? { label } : {}),
+    };
+    clients.push(entry);
+    writeFile(clients);
+    return entry;
+}
+export function revokeClient(token) {
+    const clients = readFile();
+    const idx = clients.findIndex((c) => c.token === token);
+    if (idx === -1)
+        return false;
+    clients.splice(idx, 1);
+    writeFile(clients);
+    return true;
+}
+export function revokeAllClients() {
+    const clients = readFile();
+    const count = clients.length;
+    writeFile([]);
+    return count;
+}
+export function validateClient(token) {
+    const clients = readFile();
+    return clients.some((c) => c.token === token);
+}
+export function hasClients() {
+    return readFile().length > 0;
+}
+//# sourceMappingURL=client-store.js.map

package/dist/commands/clients.d.ts

@@ -0,0 +1,4 @@
+export declare function clientsListCommand(): Promise<void>;
+export declare function clientsRevokeCommand(token: string): Promise<void>;
+export declare function clientsRevokeAllCommand(): Promise<void>;
+//# sourceMappingURL=clients.d.ts.map

package/dist/commands/clients.js

@@ -0,0 +1,27 @@
+import { loadClients, revokeClient, revokeAllClients } from "../client-store.js";
+export async function clientsListCommand() {
+    const clients = loadClients();
+    if (clients.length === 0) {
+        console.log("No active clients.");
+        return;
+    }
+    console.log(`${clients.length} active client(s):\n`);
+    for (const c of clients) {
+        const label = c.label ? ` (${c.label})` : "";
+        console.log(`  ${c.token}${label}  created ${c.createdAt}`);
+    }
+}
+export async function clientsRevokeCommand(token) {
+    if (revokeClient(token)) {
+        console.log("Client revoked.");
+    }
+    else {
+        console.error("Client not found.");
+        process.exit(1);
+    }
+}
+export async function clientsRevokeAllCommand() {
+    const count = revokeAllClients();
+    console.log(`Revoked ${count} client(s).`);
+}
+//# sourceMappingURL=clients.js.map

package/dist/commands/info.js

@@ -1,11 +1,11 @@
 import { loadConfig } from "../config.js";
-import { loadSessions } from "../session-store.js";
+import { loadClients } from "../client-store.js";
 /**
  * Print host connection info for setting up clients.
  */
 export async function infoCommand() {
     const config = loadConfig();
-    const sessions = loadSessions();
+    const clients = loadClients();
     console.log(`Host ID:      ${config.hostId}`);
     console.log(`Project root: ${config.projectRoot}`);
     // Detected agents
@@ -15,9 +15,9 @@ export async function infoCommand() {
     else {
         console.log(`Agents:       (none detected — run \`palmier agents\`)`);
     }
-    // Sessions
-    console.log(`Sessions:     ${sessions.length} active`);
-    if (sessions.length === 0) {
+    // Clients
+    console.log(`Clients:      ${clients.length} active`);
+    if (clients.length === 0) {
         console.log("");
         console.log("No paired clients. Run `palmier pair` to connect a device.");
     }

package/dist/commands/init.js

@@ -33,7 +33,7 @@ export async function initCommand() {
         // LAN mode
         const lanAnswer = await ask("Enable LAN access (direct HTTP from local network)? (y/N): ");
         const lanEnabled = lanAnswer.trim().toLowerCase() === "y";
-        let httpPort = 7400;
+        let httpPort = 9966;
         const portLabel = lanEnabled ? "HTTP port for local and LAN access" : "HTTP port for local access";
         const portAnswer = await ask(`${portLabel} (default ${httpPort}): `);
         const parsed = parseInt(portAnswer.trim(), 10);

package/dist/commands/pair.js

@@ -2,7 +2,7 @@ import * as http from "node:http";
 import { StringCodec } from "nats";
 import { loadConfig } from "../config.js";
 import { connectNats } from "../nats-client.js";
-import { addSession } from "../session-store.js";
+import { addClient } from "../client-store.js";
 const CODE_CHARS = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"; // no O/0/I/1/L
 const CODE_LENGTH = 6;
 export const PAIRING_EXPIRY_MS = 5 * 60 * 1000; // 5 minutes
@@ -12,10 +12,10 @@ export function generatePairingCode() {
     return Array.from(bytes, (b) => CODE_CHARS[b % CODE_CHARS.length]).join("");
 }
 function buildPairResponse(config, label) {
-    const session = addSession(label);
+    const client = addClient(label);
     return {
         hostId: config.hostId,
-        sessionToken: session.token,
+        clientToken: client.token,
     };
 }
 /**
@@ -56,7 +56,7 @@ function httpPairRegister(port, code) {
 export async function pairCommand() {
     const config = loadConfig();
     const code = generatePairingCode();
-    const httpPort = config.httpPort ?? 7400;
+    const httpPort = config.httpPort ?? 9966;
     let paired = false;
     function onPaired() {
         paired = true;

package/dist/commands/run.js

@@ -39,7 +39,7 @@ async function invokeAgentWithRetries(ctx, invokeTask) {
         console.log(`[invoke] ${command} ${displayArgs.join(" ")}${stdin ? ` (stdin: ${truncate(stdin, 100)})` : ""}`);
         const result = await spawnCommand(command, args, {
             cwd: getRunDir(ctx.taskDir, ctx.runId),
-            env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 7400) },
+            env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 9966) },
             echoStdout: true,
             resolveOnFailure: true,
             stdin,
@@ -248,7 +248,7 @@ async function runCommandTriggeredMode(ctx) {
     await publishHostEvent(ctx.nc, ctx.config.hostId, ctx.taskId, { event_type: "result-updated", run_id: ctx.runId });
     const child = spawnStreamingCommand(commandStr, {
         cwd: getRunDir(ctx.taskDir, ctx.runId),
-        env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 7400) },
+        env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 9966) },
     });
     let linesProcessed = 0;
     let invocationsSucceeded = 0;
@@ -365,7 +365,7 @@ async function publishTaskEvent(nc, config, taskDir, taskId, eventType, taskName
     await publishHostEvent(nc, config.hostId, taskId, payload);
 }
 async function requestPermission(config, task, taskDir, requiredPermissions) {
-    const port = config.httpPort ?? 7400;
+    const port = config.httpPort ?? 9966;
     const res = await fetch(`http://localhost:${port}/request-permission`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
@@ -387,7 +387,7 @@ async function requestPermission(config, task, taskDir, requiredPermissions) {
     return response;
 }
 async function requestConfirmation(config, task, taskDir) {
-    const port = config.httpPort ?? 7400;
+    const port = config.httpPort ?? 9966;
     const res = await fetch(`http://localhost:${port}/request-confirmation`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
@@ -414,7 +414,8 @@ export function parseReportFiles(output) {
     let match;
     while ((match = regex.exec(output)) !== null) {
         const name = match[1].trim();
-        if (name)
+        // Skip placeholder examples echoed from the prompt (e.g. "<filename>")
+        if (name && !name.startsWith("<"))
             files.push(name);
     }
     return files;
@@ -429,6 +430,9 @@ export function parsePermissions(output) {
     let match;
     while ((match = regex.exec(output)) !== null) {
         const raw = match[1].trim();
+        // Skip placeholder examples echoed from the prompt (e.g. "<tool_name> | <description>")
+        if (raw.startsWith("<"))
+            continue;
         const sep = raw.indexOf("|");
         if (sep !== -1) {
             perms.push({ name: raw.slice(0, sep).trim(), description: raw.slice(sep + 1).trim() });

package/dist/commands/serve.js

@@ -99,7 +99,7 @@ export async function serveCommand() {
         });
     }, POLL_INTERVAL_MS);
     const handleRpc = createRpcHandler(config, nc);
-    const httpPort = config.httpPort ?? 7400;
+    const httpPort = config.httpPort ?? 9966;
     // Start NATS transport (loops forever, fire-and-forget)
     if (nc) {
         startNatsTransport(config, handleRpc, nc);

package/dist/events.js

@@ -14,7 +14,7 @@ export async function publishHostEvent(nc, hostId, taskId, payload) {
         console.log(`[nats] ${subject} →`, payload);
     }
     const config = loadConfig();
-    const port = config.httpPort ?? 7400;
+    const port = config.httpPort ?? 9966;
     try {
         await fetch(`http://localhost:${port}/event`, {
             method: "POST",

package/dist/index.js

@@ -10,7 +10,7 @@ import { runCommand } from "./commands/run.js";
 import { serveCommand } from "./commands/serve.js";
 import { pairCommand } from "./commands/pair.js";
 import { restartCommand } from "./commands/restart.js";
-import { sessionsListCommand, sessionsRevokeCommand, sessionsRevokeAllCommand } from "./commands/sessions.js";
+import { clientsListCommand, clientsRevokeCommand, clientsRevokeAllCommand } from "./commands/clients.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(readFileSync(join(__dirname, "../package.json"), "utf-8"));
 const program = new Command();
@@ -54,26 +54,26 @@ program
     .action(async () => {
     await pairCommand();
 });
-const sessionsCmd = program
-    .command("sessions")
-    .description("Manage paired client sessions");
-sessionsCmd
+const clientsCmd = program
+    .command("clients")
+    .description("Manage paired clients");
+clientsCmd
     .command("list")
-    .description("List active sessions")
+    .description("List active clients")
     .action(async () => {
-    await sessionsListCommand();
+    await clientsListCommand();
 });
-sessionsCmd
+clientsCmd
     .command("revoke <token>")
-    .description("Revoke a session by token")
+    .description("Revoke a client by token")
     .action(async (token) => {
-    await sessionsRevokeCommand(token);
+    await clientsRevokeCommand(token);
 });
-sessionsCmd
+clientsCmd
     .command("revoke-all")
-    .description("Revoke all sessions")
+    .description("Revoke all clients")
     .action(async () => {
-    await sessionsRevokeAllCommand();
+    await clientsRevokeAllCommand();
 });
 // No subcommand → default to serve
 if (process.argv.length <= 2) {

package/dist/platform/windows.d.ts

@@ -20,7 +20,7 @@ export declare function buildTaskXml(tr: string, triggers: string[]): string;
 export declare class WindowsPlatform implements PlatformService {
     installDaemon(config: HostConfig): void;
     restartDaemon(): Promise<void>;
-    /** Create or update the Task Scheduler entry for the daemon. */
+    /** Create or update the Task Scheduler entry for the daemon (requires elevation for S4U). */
     private ensureDaemonTask;
     /** Start the daemon via Task Scheduler (runs outside any session's job object). */
     private startDaemonTask;

package/dist/platform/windows.js

@@ -6,7 +6,6 @@ import { getTaskDir, readTaskStatus } from "../task.js";
 const TASK_PREFIX = "\\Palmier\\PalmierTask-";
 const DAEMON_TASK_NAME = "PalmierDaemon";
 const DAEMON_PID_FILE = path.join(CONFIG_DIR, "daemon.pid");
-const DAEMON_VBS_FILE = path.join(CONFIG_DIR, "daemon.vbs");
 const DOW_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"];
 /**
  * Convert a cron expression or "once" trigger to Task Scheduler XML trigger elements.
@@ -55,6 +54,12 @@ export function buildTaskXml(tr, triggers) {
     return [
         `<?xml version="1.0" encoding="UTF-16"?>`,
         `<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">`,
+        `  <Principals>`,
+        `    <Principal>`,
+        `      <LogonType>S4U</LogonType>`,
+        `      <RunLevel>LeastPrivilege</RunLevel>`,
+        `    </Principal>`,
+        `  </Principals>`,
         `  <Settings>`,
         `    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>`,
         `    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>`,
@@ -77,22 +82,16 @@ function schtasksTaskName(taskId) {
 export class WindowsPlatform {
     installDaemon(config) {
         const script = process.argv[1] || "palmier";
-        // Create the Task Scheduler entry for the daemon
+        // Create the Task Scheduler entry for the daemon (BootTrigger starts it at system boot)
         this.ensureDaemonTask(script);
-        // Registry Run key triggers the Task Scheduler entry on logon,
-        // so the daemon always runs outside any session's job object.
-        const regValue = `schtasks /run /tn "\\Palmier\\${DAEMON_TASK_NAME}"`;
+        // Remove old Registry Run key if upgrading
         try {
             execFileSync("reg", [
-                "add", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
-                "/v", DAEMON_TASK_NAME, "/t", "REG_SZ", "/d", regValue, "/f",
+                "delete", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
+                "/v", DAEMON_TASK_NAME, "/f",
             ], { encoding: "utf-8", stdio: "pipe" });
-            console.log(`Registry Run key "${DAEMON_TASK_NAME}" installed (runs at logon).`);
-        }
-        catch (err) {
-            console.error(`Warning: failed to install registry run entry: ${err}`);
-            console.error("You may need to start palmier serve manually.");
         }
+        catch { /* key may not exist */ }
         // Start the daemon now
         this.startDaemonTask();
         console.log("\nHost initialization complete!");
@@ -133,19 +132,20 @@ export class WindowsPlatform {
         }
         this.startDaemonTask();
     }
-    /** Create or update the Task Scheduler entry for the daemon. */
+    /** Create or update the Task Scheduler entry for the daemon (requires elevation for S4U). */
     ensureDaemonTask(script) {
-        const vbs = `CreateObject("WScript.Shell").Run """${process.execPath}"" ""${script}"" serve", 0, False`;
-        fs.writeFileSync(DAEMON_VBS_FILE, vbs, "utf-8");
-        const wscript = `${process.env.SYSTEMROOT || "C:\\Windows"}\\System32\\wscript.exe`;
         const tn = `\\Palmier\\${DAEMON_TASK_NAME}`;
-        const tr = `"${wscript}" "${DAEMON_VBS_FILE}"`;
-        const xml = buildTaskXml(tr, [`<TimeTrigger><StartBoundary>2000-01-01T00:00:00</StartBoundary></TimeTrigger>`]);
+        const tr = `"${process.execPath}" "${script}" serve`;
+        const xml = buildTaskXml(tr, [`<BootTrigger><Enabled>true</Enabled></BootTrigger>`]);
         const xmlPath = path.join(CONFIG_DIR, "daemon-task.xml");
         try {
             const bom = Buffer.from([0xFF, 0xFE]);
             fs.writeFileSync(xmlPath, Buffer.concat([bom, Buffer.from(xml, "utf16le")]));
-            execFileSync("schtasks", ["/create", "/tn", tn, "/xml", xmlPath, "/f"], { encoding: "utf-8", windowsHide: true, stdio: "pipe" });
+            // S4U LogonType requires elevation — spawn schtasks via RunAs
+            const args = `/create /tn "${tn}" /xml "${xmlPath}" /f`;
+            execFileSync("powershell", [
+                "-Command", `Start-Process -Verb RunAs -Wait -FilePath schtasks -ArgumentList '${args}'`,
+            ], { encoding: "utf-8", windowsHide: true, stdio: "pipe" });
         }
         catch (err) {
             const e = err;
@@ -157,6 +157,12 @@ export class WindowsPlatform {
             }
             catch { /* ignore */ }
         }
+        // Cleanup old VBS launcher if upgrading
+        const oldVbs = path.join(CONFIG_DIR, "daemon.vbs");
+        try {
+            fs.unlinkSync(oldVbs);
+        }
+        catch { /* ignore */ }
     }
     /** Start the daemon via Task Scheduler (runs outside any session's job object). */
     startDaemonTask() {
@@ -174,12 +180,7 @@ export class WindowsPlatform {
         const taskId = task.frontmatter.id;
         const tn = schtasksTaskName(taskId);
         const script = process.argv[1] || "palmier";
-        // Write a VBS launcher so the task runs without a visible console window
-        const vbsPath = path.join(CONFIG_DIR, `task-${taskId}.vbs`);
-        const vbs = `CreateObject("WScript.Shell").Run """${process.execPath}"" ""${script}"" run ${taskId}", 0, True`;
-        fs.writeFileSync(vbsPath, vbs, "utf-8");
-        const wscript = `${process.env.SYSTEMROOT || "C:\\Windows"}\\System32\\wscript.exe`;
-        const tr = `"${wscript}" "${vbsPath}"`;
+        const tr = `"${process.execPath}" "${script}" run ${taskId}`;
         // Build trigger XML elements
         const triggerElements = [];
         if (task.frontmatter.triggers_enabled) {
@@ -198,6 +199,8 @@ export class WindowsPlatform {
         }
         // Write XML and register via schtasks — gives us full control over
         // settings like MultipleInstancesPolicy that schtasks flags don't expose.
+        // S4U LogonType ensures no console window. Works without elevation
+        // because the daemon (which calls this) runs elevated.
         const xml = buildTaskXml(tr, triggerElements);
         const xmlPath = path.join(CONFIG_DIR, `task-${taskId}.xml`);
         try {
@@ -218,6 +221,11 @@ export class WindowsPlatform {
             }
             catch { /* ignore */ }
         }
+        // Cleanup old VBS launcher if upgrading
+        try {
+            fs.unlinkSync(path.join(CONFIG_DIR, `task-${taskId}.vbs`));
+        }
+        catch { /* ignore */ }
     }
     removeTaskTimer(taskId) {
         const tn = schtasksTaskName(taskId);
@@ -227,10 +235,6 @@ export class WindowsPlatform {
         catch {
             // Task might not exist — that's fine
         }
-        try {
-            fs.unlinkSync(path.join(CONFIG_DIR, `task-${taskId}.vbs`));
-        }
-        catch { /* ignore */ }
     }
     async startTask(taskId) {
         const tn = schtasksTaskName(taskId);

package/dist/rpc-handler.js

@@ -10,7 +10,7 @@ import { getPlatform } from "./platform/index.js";
 import { spawnCommand } from "./spawn-command.js";
 import crossSpawn from "cross-spawn";
 import { getAgent } from "./agents/agent.js";
-import { validateSession } from "./session-store.js";
+import { validateClient } from "./client-store.js";
 import { publishHostEvent } from "./events.js";
 import { currentVersion, performUpdate } from "./update-checker.js";
 import { parseReportFiles, parseTaskOutcome, stripPalmierMarkers } from "./commands/run.js";
@@ -140,8 +140,8 @@ export function createRpcHandler(config, nc) {
         };
     }
     async function handleRpc(request) {
-        // Session token validation: skip for trusted localhost requests
-        if (!request.localhost && (!request.sessionToken || !validateSession(request.sessionToken))) {
+        // Client token validation: skip for trusted localhost requests
+        if (!request.localhost && (!request.clientToken || !validateClient(request.clientToken))) {
             return { error: "Unauthorized" };
         }
         switch (request.method) {
@@ -212,8 +212,11 @@ export function createRpcHandler(config, nc) {
                     existing.frontmatter.triggers_enabled = params.triggers_enabled;
                 if (params.requires_confirmation !== undefined)
                     existing.frontmatter.requires_confirmation = params.requires_confirmation;
-                if (params.yolo_mode !== undefined)
+                if (params.yolo_mode !== undefined) {
                     existing.frontmatter.yolo_mode = params.yolo_mode || undefined;
+                    if (params.yolo_mode)
+                        delete existing.frontmatter.permissions;
+                }
                 if (params.command !== undefined) {
                     if (params.command) {
                         existing.frontmatter.command = params.command;

package/dist/transports/http-transport.js

@@ -1,7 +1,7 @@
 import * as http from "node:http";
 import * as os from "os";
 import { StringCodec } from "nats";
-import { validateSession, addSession } from "../session-store.js";
+import { validateClient, addClient } from "../client-store.js";
 import { registerPending } from "../pending-requests.js";
 import * as fs from "node:fs";
 import { getTaskDir, parseTaskFile, spliceUserMessage } from "../task.js";
@@ -115,9 +115,9 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
         const auth = req.headers.authorization;
         if (!auth || !auth.startsWith("Bearer "))
             return false;
-        return validateSession(auth.slice(7));
+        return validateClient(auth.slice(7));
     }
-    function extractSessionToken(req) {
+    function extractClientToken(req) {
         const auth = req.headers.authorization;
         if (!auth || !auth.startsWith("Bearer "))
             return undefined;
@@ -368,11 +368,11 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
                     sendJson(res, 401, { error: "Invalid code" });
                     return;
                 }
-                const session = addSession(label);
+                const client = addClient(label);
                 const ip = detectLanIp();
                 const response = {
                     hostId: config.hostId,
-                    sessionToken: session.token,
+                    clientToken: client.token,
                     directUrl: `http://${ip}:${port}`,
                 };
                 clearTimeout(pending.timer);
@@ -449,10 +449,10 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
                 sendJson(res, 400, { error: "Invalid JSON" });
                 return;
             }
-            const sessionToken = extractSessionToken(req);
+            const clientToken = extractClientToken(req);
             console.log(`[http] RPC: ${method}`);
             try {
-                const response = await handleRpc({ method, params, sessionToken, localhost: isLocalhost(req) });
+                const response = await handleRpc({ method, params, clientToken, localhost: isLocalhost(req) });
                 console.log(`[http] RPC done: ${method}`, JSON.stringify(response).slice(0, 200));
                 sendJson(res, 200, response);
             }

package/dist/transports/nats-transport.js

@@ -39,13 +39,13 @@ export async function startNatsTransport(config, handleRpc, nc) {
                 }
             }
         }
-        // Extract sessionToken from params (PWA includes it in the payload)
-        const sessionToken = typeof params.sessionToken === "string" ? params.sessionToken : undefined;
-        delete params.sessionToken;
+        // Extract clientToken from params (PWA includes it in the payload)
+        const clientToken = typeof params.clientToken === "string" ? params.clientToken : undefined;
+        delete params.clientToken;
         console.log(`[nats] RPC: ${method}`);
         let response;
         try {
-            response = await handleRpc({ method, params, sessionToken });
+            response = await handleRpc({ method, params, clientToken });
         }
         catch (err) {
             console.error(`[nats] RPC error (${method}):`, err);

package/dist/types.d.ts

@@ -67,8 +67,8 @@ export interface ConversationMessage {
 export interface RpcMessage {
     method: string;
     params: Record<string, unknown>;
-    sessionToken?: string;
-    /** Trusted localhost request — skip session validation. */
+    clientToken?: string;
+    /** Trusted localhost request — skip client validation. */
     localhost?: boolean;
 }
 //# sourceMappingURL=types.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "palmier",
-  "version": "0.5.2",
+  "version": "0.5.4",
   "description": "Palmier host CLI - provisions, executes tasks, and serves NATS RPC",
   "license": "Apache-2.0",
   "author": "Hongxu Cai",