palmier 0.5.2 → 0.5.4

package/src/agents/agent-instructions.md

@@ -2,19 +2,19 @@ You are an AI agent executing a task on behalf of the user via the Palmier platf
 
 ## Reporting Output
 
-If you generate report or output files, print each file path on its own line using this exact format (no code block):
-`[PALMIER_REPORT] <filename>`
+If you generate report or output files, print each file path on its own line using this exact format:
+[PALMIER_REPORT] <filename>
 
 ## Completion
 
-When you are done, output exactly one of these markers as the very last line (no code block, no other text on the same line):
-- Success: `[PALMIER_TASK_SUCCESS]`
-- Failure: `[PALMIER_TASK_FAILURE]`
+When you are done, output exactly one of these markers as the very last line (no other text on the same line):
+[PALMIER_TASK_SUCCESS]
+[PALMIER_TASK_FAILURE]
 
 ## Permissions
 
-If the task fails because a tool was denied or you lack the required permissions, print each required permission on its own line using this exact format (no code block):
-`[PALMIER_PERMISSION] <tool_name> | <description>`
+If the task fails because a tool was denied or you lack the required permissions, print each required permission on its own line using this exact format:
+[PALMIER_PERMISSION] <tool_name> | <description>
 
 ## HTTP Endpoints
 

package/src/agents/shared-prompt.ts

@@ -14,7 +14,7 @@ const AGENT_INSTRUCTIONS_TEMPLATE = fs.readFileSync(
  * Agent instructions with the serve daemon's HTTP port and task ID baked in.
  */
 export function getAgentInstructions(taskId: string, skipPermissions?: boolean): string {
-  const port = loadConfig().httpPort ?? 7400;
+  const port = loadConfig().httpPort ?? 9966;
   let instructions = AGENT_INSTRUCTIONS_TEMPLATE
     .replace(/\{\{PORT\}\}/g, String(port))
     .replace(/\{\{TASK_ID\}\}/g, taskId);

package/src/client-store.ts

@@ -0,0 +1,68 @@
+import * as fs from "fs";
+import * as path from "path";
+import { randomBytes } from "crypto";
+import { CONFIG_DIR } from "./config.js";
+
+const CLIENTS_FILE = path.join(CONFIG_DIR, "clients.json");
+
+export interface ClientEntry {
+  token: string;
+  createdAt: string;
+  label?: string;
+}
+
+function readFile(): ClientEntry[] {
+  try {
+    if (!fs.existsSync(CLIENTS_FILE)) return [];
+    const raw = fs.readFileSync(CLIENTS_FILE, "utf-8");
+    return JSON.parse(raw) as ClientEntry[];
+  } catch {
+    return [];
+  }
+}
+
+function writeFile(clients: ClientEntry[]): void {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(CLIENTS_FILE, JSON.stringify(clients, null, 2), "utf-8");
+}
+
+export function loadClients(): ClientEntry[] {
+  return readFile();
+}
+
+export function addClient(label?: string): ClientEntry {
+  const clients = readFile();
+  const entry: ClientEntry = {
+    token: randomBytes(32).toString("hex"),
+    createdAt: new Date().toISOString(),
+    ...(label ? { label } : {}),
+  };
+  clients.push(entry);
+  writeFile(clients);
+  return entry;
+}
+
+export function revokeClient(token: string): boolean {
+  const clients = readFile();
+  const idx = clients.findIndex((c) => c.token === token);
+  if (idx === -1) return false;
+  clients.splice(idx, 1);
+  writeFile(clients);
+  return true;
+}
+
+export function revokeAllClients(): number {
+  const clients = readFile();
+  const count = clients.length;
+  writeFile([]);
+  return count;
+}
+
+export function validateClient(token: string): boolean {
+  const clients = readFile();
+  return clients.some((c) => c.token === token);
+}
+
+export function hasClients(): boolean {
+  return readFile().length > 0;
+}

package/src/commands/clients.ts

@@ -0,0 +1,29 @@
+import { loadClients, revokeClient, revokeAllClients } from "../client-store.js";
+
+export async function clientsListCommand(): Promise<void> {
+  const clients = loadClients();
+  if (clients.length === 0) {
+    console.log("No active clients.");
+    return;
+  }
+
+  console.log(`${clients.length} active client(s):\n`);
+  for (const c of clients) {
+    const label = c.label ? ` (${c.label})` : "";
+    console.log(`  ${c.token}${label}  created ${c.createdAt}`);
+  }
+}
+
+export async function clientsRevokeCommand(token: string): Promise<void> {
+  if (revokeClient(token)) {
+    console.log("Client revoked.");
+  } else {
+    console.error("Client not found.");
+    process.exit(1);
+  }
+}
+
+export async function clientsRevokeAllCommand(): Promise<void> {
+  const count = revokeAllClients();
+  console.log(`Revoked ${count} client(s).`);
+}

package/src/commands/info.ts

@@ -1,12 +1,12 @@
 import { loadConfig } from "../config.js";
-import { loadSessions } from "../session-store.js";
+import { loadClients } from "../client-store.js";
 
 /**
  * Print host connection info for setting up clients.
  */
 export async function infoCommand(): Promise<void> {
   const config = loadConfig();
-  const sessions = loadSessions();
+  const clients = loadClients();
 
   console.log(`Host ID:      ${config.hostId}`);
   console.log(`Project root: ${config.projectRoot}`);
@@ -18,10 +18,10 @@ export async function infoCommand(): Promise<void> {
     console.log(`Agents:       (none detected — run \`palmier agents\`)`);
   }
 
-  // Sessions
-  console.log(`Sessions:     ${sessions.length} active`);
+  // Clients
+  console.log(`Clients:      ${clients.length} active`);
 
-  if (sessions.length === 0) {
+  if (clients.length === 0) {
     console.log("");
     console.log("No paired clients. Run `palmier pair` to connect a device.");
   }

package/src/commands/init.ts

@@ -44,7 +44,7 @@ export async function initCommand(): Promise<void> {
     const lanAnswer = await ask("Enable LAN access (direct HTTP from local network)? (y/N): ");
     const lanEnabled = lanAnswer.trim().toLowerCase() === "y";
 
-    let httpPort = 7400;
+    let httpPort = 9966;
     const portLabel = lanEnabled ? "HTTP port for local and LAN access" : "HTTP port for local access";
     const portAnswer = await ask(`${portLabel} (default ${httpPort}): `);
     const parsed = parseInt(portAnswer.trim(), 10);

package/src/commands/pair.ts

@@ -2,7 +2,7 @@ import * as http from "node:http";
 import { StringCodec } from "nats";
 import { loadConfig } from "../config.js";
 import { connectNats } from "../nats-client.js";
-import { addSession } from "../session-store.js";
+import { addClient } from "../client-store.js";
 import type { HostConfig } from "../types.js";
 
 const CODE_CHARS = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"; // no O/0/I/1/L
@@ -17,10 +17,10 @@ export function generatePairingCode(): string {
 }
 
 function buildPairResponse(config: HostConfig, label?: string) {
-  const session = addSession(label);
+  const client = addClient(label);
   return {
     hostId: config.hostId,
-    sessionToken: session.token,
+    clientToken: client.token,
   };
 }
 
@@ -67,7 +67,7 @@ function httpPairRegister(port: number, code: string): Promise<boolean> {
 export async function pairCommand(): Promise<void> {
   const config = loadConfig();
   const code = generatePairingCode();
-  const httpPort = config.httpPort ?? 7400;
+  const httpPort = config.httpPort ?? 9966;
 
   let paired = false;
 

package/src/commands/run.ts

@@ -70,7 +70,7 @@ async function invokeAgentWithRetries(
     console.log(`[invoke] ${command} ${displayArgs.join(" ")}${stdin ? ` (stdin: ${truncate(stdin, 100)})` : ""}`);
     const result = await spawnCommand(command, args, {
       cwd: getRunDir(ctx.taskDir, ctx.runId),
-      env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 7400) },
+      env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 9966) },
       echoStdout: true,
       resolveOnFailure: true,
       stdin,
@@ -309,7 +309,7 @@ async function runCommandTriggeredMode(
 
   const child = spawnStreamingCommand(commandStr, {
     cwd: getRunDir(ctx.taskDir, ctx.runId),
-    env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 7400) },
+    env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 9966) },
   });
 
   let linesProcessed = 0;
@@ -449,7 +449,7 @@ async function requestPermission(
   taskDir: string,
   requiredPermissions: RequiredPermission[],
 ): Promise<"granted" | "granted_all" | "aborted"> {
-  const port = config.httpPort ?? 7400;
+  const port = config.httpPort ?? 9966;
   const res = await fetch(`http://localhost:${port}/request-permission`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
@@ -477,7 +477,7 @@ async function requestConfirmation(
   task: ParsedTask,
   taskDir: string,
 ): Promise<boolean> {
-  const port = config.httpPort ?? 7400;
+  const port = config.httpPort ?? 9966;
   const res = await fetch(`http://localhost:${port}/request-confirmation`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
@@ -505,7 +505,8 @@ export function parseReportFiles(output: string): string[] {
   let match;
   while ((match = regex.exec(output)) !== null) {
     const name = match[1].trim();
-    if (name) files.push(name);
+    // Skip placeholder examples echoed from the prompt (e.g. "<filename>")
+    if (name && !name.startsWith("<")) files.push(name);
   }
   return files;
 }
@@ -520,6 +521,8 @@ export function parsePermissions(output: string): RequiredPermission[] {
   let match;
   while ((match = regex.exec(output)) !== null) {
     const raw = match[1].trim();
+    // Skip placeholder examples echoed from the prompt (e.g. "<tool_name> | <description>")
+    if (raw.startsWith("<")) continue;
     const sep = raw.indexOf("|");
     if (sep !== -1) {
       perms.push({ name: raw.slice(0, sep).trim(), description: raw.slice(sep + 1).trim() });

package/src/commands/serve.ts

@@ -114,7 +114,7 @@ export async function serveCommand(): Promise<void> {
   }, POLL_INTERVAL_MS);
 
   const handleRpc = createRpcHandler(config, nc);
-  const httpPort = config.httpPort ?? 7400;
+  const httpPort = config.httpPort ?? 9966;
 
   // Start NATS transport (loops forever, fire-and-forget)
   if (nc) {

package/src/events.ts

@@ -23,7 +23,7 @@ export async function publishHostEvent(
   }
 
   const config = loadConfig();
-  const port = config.httpPort ?? 7400;
+  const port = config.httpPort ?? 9966;
   try {
     await fetch(`http://localhost:${port}/event`, {
       method: "POST",

package/src/index.ts

@@ -12,7 +12,7 @@ import { serveCommand } from "./commands/serve.js";
 
 import { pairCommand } from "./commands/pair.js";
 import { restartCommand } from "./commands/restart.js";
-import { sessionsListCommand, sessionsRevokeCommand, sessionsRevokeAllCommand } from "./commands/sessions.js";
+import { clientsListCommand, clientsRevokeCommand, clientsRevokeAllCommand } from "./commands/clients.js";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(readFileSync(join(__dirname, "../package.json"), "utf-8"));
@@ -68,29 +68,29 @@ program
   });
 
 
-const sessionsCmd = program
-  .command("sessions")
-  .description("Manage paired client sessions");
+const clientsCmd = program
+  .command("clients")
+  .description("Manage paired clients");
 
-sessionsCmd
+clientsCmd
   .command("list")
-  .description("List active sessions")
+  .description("List active clients")
   .action(async () => {
-    await sessionsListCommand();
+    await clientsListCommand();
   });
 
-sessionsCmd
+clientsCmd
   .command("revoke <token>")
-  .description("Revoke a session by token")
+  .description("Revoke a client by token")
   .action(async (token: string) => {
-    await sessionsRevokeCommand(token);
+    await clientsRevokeCommand(token);
   });
 
-sessionsCmd
+clientsCmd
   .command("revoke-all")
-  .description("Revoke all sessions")
+  .description("Revoke all clients")
   .action(async () => {
-    await sessionsRevokeAllCommand();
+    await clientsRevokeAllCommand();
   });
 
 // No subcommand → default to serve

package/src/platform/windows.ts

@@ -10,7 +10,6 @@ import { getTaskDir, readTaskStatus } from "../task.js";
 const TASK_PREFIX = "\\Palmier\\PalmierTask-";
 const DAEMON_TASK_NAME = "PalmierDaemon";
 const DAEMON_PID_FILE = path.join(CONFIG_DIR, "daemon.pid");
-const DAEMON_VBS_FILE = path.join(CONFIG_DIR, "daemon.vbs");
 
 
 const DOW_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"];
@@ -68,6 +67,12 @@ export function buildTaskXml(tr: string, triggers: string[]): string {
   return [
     `<?xml version="1.0" encoding="UTF-16"?>`,
     `<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">`,
+    `  <Principals>`,
+    `    <Principal>`,
+    `      <LogonType>S4U</LogonType>`,
+    `      <RunLevel>LeastPrivilege</RunLevel>`,
+    `    </Principal>`,
+    `  </Principals>`,
     `  <Settings>`,
     `    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>`,
     `    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>`,
@@ -93,22 +98,16 @@ export class WindowsPlatform implements PlatformService {
   installDaemon(config: HostConfig): void {
     const script = process.argv[1] || "palmier";
 
-    // Create the Task Scheduler entry for the daemon
+    // Create the Task Scheduler entry for the daemon (BootTrigger starts it at system boot)
     this.ensureDaemonTask(script);
 
-    // Registry Run key triggers the Task Scheduler entry on logon,
-    // so the daemon always runs outside any session's job object.
-    const regValue = `schtasks /run /tn "\\Palmier\\${DAEMON_TASK_NAME}"`;
+    // Remove old Registry Run key if upgrading
     try {
       execFileSync("reg", [
-        "add", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
-        "/v", DAEMON_TASK_NAME, "/t", "REG_SZ", "/d", regValue, "/f",
+        "delete", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
+        "/v", DAEMON_TASK_NAME, "/f",
       ], { encoding: "utf-8", stdio: "pipe" });
-      console.log(`Registry Run key "${DAEMON_TASK_NAME}" installed (runs at logon).`);
-    } catch (err) {
-      console.error(`Warning: failed to install registry run entry: ${err}`);
-      console.error("You may need to start palmier serve manually.");
-    }
+    } catch { /* key may not exist */ }
 
     // Start the daemon now
     this.startDaemonTask();
@@ -152,26 +151,30 @@ export class WindowsPlatform implements PlatformService {
     this.startDaemonTask();
   }
 
-  /** Create or update the Task Scheduler entry for the daemon. */
+  /** Create or update the Task Scheduler entry for the daemon (requires elevation for S4U). */
   private ensureDaemonTask(script: string): void {
-    const vbs = `CreateObject("WScript.Shell").Run """${process.execPath}"" ""${script}"" serve", 0, False`;
-    fs.writeFileSync(DAEMON_VBS_FILE, vbs, "utf-8");
-
-    const wscript = `${process.env.SYSTEMROOT || "C:\\Windows"}\\System32\\wscript.exe`;
     const tn = `\\Palmier\\${DAEMON_TASK_NAME}`;
-    const tr = `"${wscript}" "${DAEMON_VBS_FILE}"`;
-    const xml = buildTaskXml(tr, [`<TimeTrigger><StartBoundary>2000-01-01T00:00:00</StartBoundary></TimeTrigger>`]);
+    const tr = `"${process.execPath}" "${script}" serve`;
+    const xml = buildTaskXml(tr, [`<BootTrigger><Enabled>true</Enabled></BootTrigger>`]);
     const xmlPath = path.join(CONFIG_DIR, "daemon-task.xml");
     try {
       const bom = Buffer.from([0xFF, 0xFE]);
       fs.writeFileSync(xmlPath, Buffer.concat([bom, Buffer.from(xml, "utf16le")]));
-      execFileSync("schtasks", ["/create", "/tn", tn, "/xml", xmlPath, "/f"], { encoding: "utf-8", windowsHide: true, stdio: "pipe" });
+      // S4U LogonType requires elevation — spawn schtasks via RunAs
+      const args = `/create /tn "${tn}" /xml "${xmlPath}" /f`;
+      execFileSync("powershell", [
+        "-Command", `Start-Process -Verb RunAs -Wait -FilePath schtasks -ArgumentList '${args}'`,
+      ], { encoding: "utf-8", windowsHide: true, stdio: "pipe" });
     } catch (err: unknown) {
       const e = err as { stderr?: string };
       console.error(`Failed to create daemon task: ${e.stderr || err}`);
     } finally {
       try { fs.unlinkSync(xmlPath); } catch { /* ignore */ }
     }
+
+    // Cleanup old VBS launcher if upgrading
+    const oldVbs = path.join(CONFIG_DIR, "daemon.vbs");
+    try { fs.unlinkSync(oldVbs); } catch { /* ignore */ }
   }
 
   /** Start the daemon via Task Scheduler (runs outside any session's job object). */
@@ -190,14 +193,7 @@ export class WindowsPlatform implements PlatformService {
     const taskId = task.frontmatter.id;
     const tn = schtasksTaskName(taskId);
     const script = process.argv[1] || "palmier";
-
-    // Write a VBS launcher so the task runs without a visible console window
-    const vbsPath = path.join(CONFIG_DIR, `task-${taskId}.vbs`);
-    const vbs = `CreateObject("WScript.Shell").Run """${process.execPath}"" ""${script}"" run ${taskId}", 0, True`;
-    fs.writeFileSync(vbsPath, vbs, "utf-8");
-
-    const wscript = `${process.env.SYSTEMROOT || "C:\\Windows"}\\System32\\wscript.exe`;
-    const tr = `"${wscript}" "${vbsPath}"`;
+    const tr = `"${process.execPath}" "${script}" run ${taskId}`;
 
     // Build trigger XML elements
     const triggerElements: string[] = [];
@@ -217,6 +213,8 @@ export class WindowsPlatform implements PlatformService {
 
     // Write XML and register via schtasks — gives us full control over
     // settings like MultipleInstancesPolicy that schtasks flags don't expose.
+    // S4U LogonType ensures no console window. Works without elevation
+    // because the daemon (which calls this) runs elevated.
     const xml = buildTaskXml(tr, triggerElements);
     const xmlPath = path.join(CONFIG_DIR, `task-${taskId}.xml`);
     try {
@@ -232,6 +230,9 @@ export class WindowsPlatform implements PlatformService {
     } finally {
       try { fs.unlinkSync(xmlPath); } catch { /* ignore */ }
     }
+
+    // Cleanup old VBS launcher if upgrading
+    try { fs.unlinkSync(path.join(CONFIG_DIR, `task-${taskId}.vbs`)); } catch { /* ignore */ }
   }
 
   removeTaskTimer(taskId: string): void {
@@ -241,7 +242,6 @@ export class WindowsPlatform implements PlatformService {
     } catch {
       // Task might not exist — that's fine
     }
-    try { fs.unlinkSync(path.join(CONFIG_DIR, `task-${taskId}.vbs`)); } catch { /* ignore */ }
   }
 
   async startTask(taskId: string): Promise<void> {

package/src/rpc-handler.ts

@@ -11,7 +11,7 @@ import { getPlatform } from "./platform/index.js";
 import { spawnCommand } from "./spawn-command.js";
 import crossSpawn from "cross-spawn";
 import { getAgent } from "./agents/agent.js";
-import { validateSession } from "./session-store.js";
+import { validateClient } from "./client-store.js";
 import { publishHostEvent } from "./events.js";
 import { currentVersion, performUpdate } from "./update-checker.js";
 import { parseReportFiles, parseTaskOutcome, stripPalmierMarkers } from "./commands/run.js";
@@ -166,8 +166,8 @@ export function createRpcHandler(config: HostConfig, nc?: NatsConnection) {
   }
 
   async function handleRpc(request: RpcMessage): Promise<unknown> {
-    // Session token validation: skip for trusted localhost requests
-    if (!request.localhost && (!request.sessionToken || !validateSession(request.sessionToken))) {
+    // Client token validation: skip for trusted localhost requests
+    if (!request.localhost && (!request.clientToken || !validateClient(request.clientToken))) {
       return { error: "Unauthorized" };
     }
 
@@ -259,7 +259,10 @@ export function createRpcHandler(config: HostConfig, nc?: NatsConnection) {
         if (params.triggers_enabled !== undefined) existing.frontmatter.triggers_enabled = params.triggers_enabled;
         if (params.requires_confirmation !== undefined)
           existing.frontmatter.requires_confirmation = params.requires_confirmation;
-        if (params.yolo_mode !== undefined) existing.frontmatter.yolo_mode = params.yolo_mode || undefined;
+        if (params.yolo_mode !== undefined) {
+          existing.frontmatter.yolo_mode = params.yolo_mode || undefined;
+          if (params.yolo_mode) delete existing.frontmatter.permissions;
+        }
         if (params.command !== undefined) {
           if (params.command) {
             existing.frontmatter.command = params.command;

package/src/transports/http-transport.ts

@@ -1,7 +1,7 @@
 import * as http from "node:http";
 import * as os from "os";
 import { StringCodec, type NatsConnection } from "nats";
-import { validateSession, addSession } from "../session-store.js";
+import { validateClient, addClient } from "../client-store.js";
 import { registerPending } from "../pending-requests.js";
 import * as fs from "node:fs";
 import { getTaskDir, parseTaskFile, spliceUserMessage } from "../task.js";
@@ -145,10 +145,10 @@ export async function startHttpTransport(
   function checkAuth(req: http.IncomingMessage): boolean {
     const auth = req.headers.authorization;
     if (!auth || !auth.startsWith("Bearer ")) return false;
-    return validateSession(auth.slice(7));
+    return validateClient(auth.slice(7));
   }
 
-  function extractSessionToken(req: http.IncomingMessage): string | undefined {
+  function extractClientToken(req: http.IncomingMessage): string | undefined {
     const auth = req.headers.authorization;
     if (!auth || !auth.startsWith("Bearer ")) return undefined;
     return auth.slice(7);
@@ -394,11 +394,11 @@ export async function startHttpTransport(
         const pending = pendingPairs.get(code);
         if (!pending) { sendJson(res, 401, { error: "Invalid code" }); return; }
 
-        const session = addSession(label);
+        const client = addClient(label);
         const ip = detectLanIp();
         const response: Record<string, unknown> = {
           hostId: config.hostId,
-          sessionToken: session.token,
+          clientToken: client.token,
           directUrl: `http://${ip}:${port}`,
         };
 
@@ -476,11 +476,11 @@ export async function startHttpTransport(
         }
       } catch { sendJson(res, 400, { error: "Invalid JSON" }); return; }
 
-      const sessionToken = extractSessionToken(req);
+      const clientToken = extractClientToken(req);
       console.log(`[http] RPC: ${method}`);
 
       try {
-        const response = await handleRpc({ method, params, sessionToken, localhost: isLocalhost(req) });
+        const response = await handleRpc({ method, params, clientToken, localhost: isLocalhost(req) });
         console.log(`[http] RPC done: ${method}`, JSON.stringify(response).slice(0, 200));
         sendJson(res, 200, response);
       } catch (err) {

package/src/transports/nats-transport.ts

@@ -50,15 +50,15 @@ export async function startNatsTransport(
       }
     }
 
-    // Extract sessionToken from params (PWA includes it in the payload)
-    const sessionToken = typeof params.sessionToken === "string" ? params.sessionToken : undefined;
-    delete params.sessionToken;
+    // Extract clientToken from params (PWA includes it in the payload)
+    const clientToken = typeof params.clientToken === "string" ? params.clientToken : undefined;
+    delete params.clientToken;
 
     console.log(`[nats] RPC: ${method}`);
 
     let response: unknown;
     try {
-      response = await handleRpc({ method, params, sessionToken });
+      response = await handleRpc({ method, params, clientToken });
     } catch (err) {
       console.error(`[nats] RPC error (${method}):`, err);
       response = { error: String(err) };

package/src/types.ts

@@ -9,7 +9,7 @@ export interface HostConfig {
   // Detected agent CLIs
   agents?: Array<{ key: string; label: string }>;
 
-  // HTTP server port (default 7400)
+  // HTTP server port (default 9966)
   httpPort?: number;
   // Whether to accept non-localhost HTTP connections
   lanEnabled?: boolean;
@@ -79,7 +79,7 @@ export interface ConversationMessage {
 export interface RpcMessage {
   method: string;
   params: Record<string, unknown>;
-  sessionToken?: string;
-  /** Trusted localhost request — skip session validation. */
+  clientToken?: string;
+  /** Trusted localhost request — skip client validation. */
   localhost?: boolean;
 }

package/test/agent-instructions.test.ts

@@ -1,29 +1,46 @@
 import { describe, it } from "node:test";
 import assert from "node:assert/strict";
-import { getAgentInstructions } from "../src/agents/shared-prompt.js";
+import * as fs from "fs";
+import * as path from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const templatePath = path.join(__dirname, "..", "src", "agents", "agent-instructions.md");
+const template = fs.readFileSync(templatePath, "utf-8");
+
+/** Minimal replica of getAgentInstructions that doesn't need host.json */
+function buildInstructions(taskId: string, skipPermissions?: boolean): string {
+  let instructions = template
+    .replace(/\{\{PORT\}\}/g, "9966")
+    .replace(/\{\{TASK_ID\}\}/g, taskId);
+  if (skipPermissions) {
+    instructions = instructions.replace(/## Permissions\r?\n[\s\S]*?(?=## |\r?\n---)/m, "");
+  }
+  return instructions;
+}
 
 describe("getAgentInstructions", () => {
   it("includes Permissions section by default", () => {
-    const result = getAgentInstructions("test-task-id");
+    const result = buildInstructions("test-task-id");
     assert.match(result, /## Permissions/);
     assert.match(result, /PALMIER_PERMISSION/);
   });
 
   it("strips Permissions section when skipPermissions is true", () => {
-    const result = getAgentInstructions("test-task-id", true);
+    const result = buildInstructions("test-task-id", true);
     assert.doesNotMatch(result, /## Permissions/);
     assert.doesNotMatch(result, /PALMIER_PERMISSION/);
   });
 
   it("preserves other sections when Permissions is stripped", () => {
-    const result = getAgentInstructions("test-task-id", true);
+    const result = buildInstructions("test-task-id", true);
     assert.match(result, /## Reporting Output/);
     assert.match(result, /## Completion/);
     assert.match(result, /## HTTP Endpoints/);
   });
 
   it("replaces template variables", () => {
-    const result = getAgentInstructions("my-task-123");
+    const result = buildInstructions("my-task-123");
     assert.match(result, /my-task-123/);
     assert.doesNotMatch(result, /\{\{TASK_ID\}\}/);
     assert.doesNotMatch(result, /\{\{PORT\}\}/);