palmier 0.7.6 → 0.7.8

package/palmier-server/server/src/nats-jwt.ts

@@ -0,0 +1,299 @@
+/**
+ * NATS JWT/NKey utilities for decentralized authentication.
+ *
+ * NATS supports a decentralized auth model where authorization is embedded in
+ * signed JWTs rather than managed in server config files. This means new hosts
+ * can be onboarded without restarting or reconfiguring the NATS server.
+ *
+ * Key hierarchy:
+ *
+ *   Operator (root of trust)
+ *     └─ signs Account JWT → embedded in NATS server config (one-time)
+ *          └─ Account (runtime signing key, held by palmier-server)
+ *               ├─ signs Host User JWTs → scoped to host.{id}.* subjects
+ *               ├─ signs PWA User JWTs  → scoped to RPC + pairing subjects
+ *               └─ signs Server User JWT → full access for relaying
+ *
+ * JWT format (NATS-specific, not standard JWT):
+ *   Header:    {"typ":"JWT","alg":"ed25519-nkey"}
+ *   Payload:   NATS claims (issuer, subject, permissions)
+ *   Signature: Ed25519(header.payload, signing_key)
+ *
+ * Subject permission model:
+ *
+ *   | Role              | Publish                  | Subscribe              |
+ *   |-------------------|--------------------------|------------------------|
+ *   | Host (X)          | host-event.X.>, host.X.> | host.X.>, pair.*       |
+ *   | PWA (pairing)     | pair.*                   | (none)                 |
+ *   | PWA (connected X) | host.X.rpc.>             | host-event.X.>         |
+ *   | Server            | > (full)                 | > (full)               |
+ *
+ * Request/reply inbox subjects (_INBOX.>) are allowed automatically via the
+ * `resp` field in the JWT claims.
+ */
+
+import { createOperator, createAccount, createUser, fromSeed, type KeyPair } from "nkeys.js";
+import crypto from "crypto";
+
+// ---------------------------------------------------------------------------
+// Base64url helpers
+// ---------------------------------------------------------------------------
+
+function base64urlEncode(data: Uint8Array): string {
+  return Buffer.from(data).toString("base64url");
+}
+
+function base64urlEncodeStr(str: string): string {
+  return Buffer.from(str, "utf-8").toString("base64url");
+}
+
+// ---------------------------------------------------------------------------
+// NKey seed ↔ string helpers
+// ---------------------------------------------------------------------------
+
+export function seedToString(seed: Uint8Array): string {
+  return new TextDecoder().decode(seed);
+}
+
+export function seedFromString(seed: string): Uint8Array {
+  return new TextEncoder().encode(seed);
+}
+
+// ---------------------------------------------------------------------------
+// JWT signing
+// ---------------------------------------------------------------------------
+
+/** Sign a NATS JWT: base64url(header).base64url(claims).base64url(ed25519_sig). */
+function signJwt(claims: Record<string, unknown>, signingKey: KeyPair): string {
+  const header = base64urlEncodeStr(JSON.stringify({ typ: "JWT", alg: "ed25519-nkey" }));
+  const payload = base64urlEncodeStr(JSON.stringify(claims));
+  const sigInput = new TextEncoder().encode(`${header}.${payload}`);
+  const signature = base64urlEncode(signingKey.sign(sigInput));
+  return `${header}.${payload}.${signature}`;
+}
+
+// ---------------------------------------------------------------------------
+// Account JWT
+// ---------------------------------------------------------------------------
+
+/** Create an Operator JWT (self-signed). Used in the NATS server `operator` field. */
+export function createOperatorJwt(operatorSeed: string): string {
+  const operatorKp = fromSeed(seedFromString(operatorSeed));
+  const claims = {
+    jti: crypto.randomUUID().replace(/-/g, ""),
+    iat: Math.floor(Date.now() / 1000),
+    iss: operatorKp.getPublicKey(),
+    name: "palmier-operator",
+    sub: operatorKp.getPublicKey(),
+    nats: {
+      type: "operator",
+      version: 2,
+    },
+  };
+  const jwt = signJwt(claims, operatorKp);
+  operatorKp.clear();
+  return jwt;
+}
+
+/** Create an Account JWT signed by the operator. Embedded in NATS server config. */
+export function createAccountJwt(operatorSeed: string, accountPublicKey: string): string {
+  const operatorKp = fromSeed(seedFromString(operatorSeed));
+  const claims = {
+    jti: crypto.randomUUID().replace(/-/g, ""),
+    iat: Math.floor(Date.now() / 1000),
+    iss: operatorKp.getPublicKey(),
+    name: "palmier",
+    sub: accountPublicKey,
+    nats: {
+      limits: {
+        subs: -1,
+        data: -1,
+        payload: -1,
+        imports: -1,
+        exports: -1,
+        wildcards: true,
+        conn: -1,
+        leaf: -1,
+      },
+      type: "account",
+      version: 2,
+    },
+  };
+  const jwt = signJwt(claims, operatorKp);
+  operatorKp.clear();
+  return jwt;
+}
+
+// ---------------------------------------------------------------------------
+// User JWT (generic)
+// ---------------------------------------------------------------------------
+
+interface UserPermissions {
+  pub: { allow: string[] };
+  sub: { allow: string[] };
+}
+
+/**
+ * Create a User JWT signed by the account key.
+ * _INBOX.> is added to subscribe permissions so request/reply works.
+ * Unlimited values (-1) for subs/data/payload mean no artificial caps.
+ */
+function createUserJwt(
+  accountSeed: string,
+  userPublicKey: string,
+  name: string,
+  permissions: UserPermissions,
+): string {
+  const accountKp = fromSeed(seedFromString(accountSeed));
+  const claims = {
+    jti: crypto.randomUUID().replace(/-/g, ""),
+    iat: Math.floor(Date.now() / 1000),
+    iss: accountKp.getPublicKey(),
+    name,
+    sub: userPublicKey,
+    nats: {
+      pub: { allow: [...permissions.pub.allow, "_INBOX.>"] },
+      sub: { allow: [...permissions.sub.allow, "_INBOX.>"] },
+      subs: -1,
+      data: -1,
+      payload: -1,
+      type: "user",
+      version: 2,
+    },
+  };
+  const jwt = signJwt(claims, accountKp);
+  accountKp.clear();
+  return jwt;
+}
+
+// ---------------------------------------------------------------------------
+// Role-specific JWT generators
+// ---------------------------------------------------------------------------
+
+export interface NatsCredentials {
+  jwt: string;
+  nkeySeed: string;
+}
+
+/**
+ * Create credentials for a host daemon, scoped to the host's own subjects.
+ *
+ * A host with id X can only:
+ *   - Publish to: host-event.X.> (task events), host.X.> (FCM requests, push)
+ *   - Subscribe to: host.X.> (RPC, device responses), pair.* (during pairing)
+ *
+ * It cannot access any other host's subjects.
+ */
+export function createHostCredentials(accountSeed: string, hostId: string): NatsCredentials {
+  const userKp = createUser();
+  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), `host-${hostId}`, {
+    pub: { allow: [`host-event.${hostId}.>`, `host.${hostId}.>`] },
+    sub: { allow: [`host.${hostId}.>`, "pair.*"] },
+  });
+  const nkeySeed = seedToString(userKp.getSeed());
+  userKp.clear();
+  return { jwt, nkeySeed };
+}
+
+/**
+ * Create pairing-only credentials for the PWA. Used during the pairing flow
+ * before the PWA knows which host it will connect to.
+ *
+ * Minimal permissions:
+ *   - Publish to: pair.* (send pairing request)
+ *   - Subscribe to: (none — reply inbox handled by `resp`)
+ */
+export function createPairingCredentials(accountSeed: string): NatsCredentials {
+  const userKp = createUser();
+  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), "pwa-pairing", {
+    pub: { allow: ["pair.*"] },
+    sub: { allow: [] },
+  });
+  const nkeySeed = seedToString(userKp.getSeed());
+  userKp.clear();
+  return { jwt, nkeySeed };
+}
+
+/**
+ * Create host-scoped credentials for a PWA client after pairing.
+ *
+ * Scoped to a single host:
+ *   - Publish to: host.{hostId}.rpc.> (send RPC to paired host)
+ *   - Subscribe to: host-event.{hostId}.> (receive task events from paired host)
+ *
+ * A PWA client cannot see events or send RPC to any other host.
+ */
+export function createPwaCredentials(accountSeed: string, hostId: string): NatsCredentials {
+  const userKp = createUser();
+  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), `pwa-${hostId}`, {
+    pub: { allow: [`host.${hostId}.rpc.>`] },
+    sub: { allow: [`host-event.${hostId}.>`] },
+  });
+  const nkeySeed = seedToString(userKp.getSeed());
+  userKp.clear();
+  return { jwt, nkeySeed };
+}
+
+/**
+ * Create credentials for the palmier server itself (full access for relaying).
+ */
+export function createServerCredentials(accountSeed: string): NatsCredentials {
+  const userKp = createUser();
+  const jwt = createUserJwt(accountSeed, userKp.getPublicKey(), "server", {
+    pub: { allow: [">"] },
+    sub: { allow: [">"] },
+  });
+  const nkeySeed = seedToString(userKp.getSeed());
+  userKp.clear();
+  return { jwt, nkeySeed };
+}
+
+// ---------------------------------------------------------------------------
+// Setup: generate operator + account keys and NATS config
+// ---------------------------------------------------------------------------
+
+export interface NatsSetupResult {
+  operatorSeed: string;
+  operatorPublicKey: string;
+  accountSeed: string;
+  accountPublicKey: string;
+  operatorJwt: string;
+  accountJwt: string;
+  natsConfig: string;
+}
+
+/**
+ * Generate all keys and the NATS server config snippet for JWT auth.
+ * Run once during initial deployment, then store seeds as env vars.
+ *
+ * The `operator` field in nats.conf requires a full JWT (not a public key) —
+ * NATS treats non-JWT strings as file paths.
+ */
+export function generateNatsSetup(): NatsSetupResult {
+  const operatorKp = createOperator();
+  const accountKp = createAccount();
+
+  const operatorSeed = seedToString(operatorKp.getSeed());
+  const operatorPublicKey = operatorKp.getPublicKey();
+  const accountSeed = seedToString(accountKp.getSeed());
+  const accountPublicKey = accountKp.getPublicKey();
+
+  const operatorJwt = createOperatorJwt(operatorSeed);
+  const accountJwt = createAccountJwt(operatorSeed, accountPublicKey);
+
+  const natsConfig = [
+    `# NATS JWT auth configuration`,
+    `# Generated by palmier nats-setup`,
+    ``,
+    `operator: ${operatorJwt}`,
+    `resolver: MEMORY`,
+    `resolver_preload: {`,
+    `  ${accountPublicKey}: ${accountJwt}`,
+    `}`,
+  ].join("\n");
+
+  operatorKp.clear();
+  accountKp.clear();
+
+  return { operatorSeed, operatorPublicKey, accountSeed, accountPublicKey, operatorJwt, accountJwt, natsConfig };
+}

package/palmier-server/server/src/nats-setup.ts

@@ -0,0 +1,48 @@
+/**
+ * One-time setup script for NATS JWT authentication.
+ *
+ * Run this once when deploying Palmier for the first time (or when rotating keys).
+ * It generates the cryptographic keys and config needed for NATS to enforce
+ * per-host subject isolation.
+ *
+ * Usage:
+ *   cd server && pnpm nats-setup
+ *
+ * What it generates:
+ *
+ *   Operator NKey pair
+ *     └─ Signs the Account JWT (one-time). Store the seed securely as a backup —
+ *        you only need it again if you regenerate the account JWT.
+ *
+ *   Account NKey pair
+ *     └─ Signs User JWTs at runtime. The server uses NATS_ACCOUNT_SEED to create
+ *        scoped credentials for each host (during registration) and each PWA session.
+ *
+ *   Account JWT
+ *     └─ Embedded in the NATS server config (resolver_preload). Tells the NATS server
+ *        to trust User JWTs signed by this account key.
+ *
+ *   NATS config snippet
+ *     └─ Drop-in replacement for the authorization block in nats.conf.
+ *
+ * See PRODUCTION.md for the full deployment flow.
+ */
+
+import { generateNatsSetup } from "./nats-jwt.js";
+
+const setup = generateNatsSetup();
+
+console.log("=== NATS JWT Auth Setup ===\n");
+
+console.log("NATS_ACCOUNT_SEED (add to server/.env):\n");
+console.log(`  ${setup.accountSeed}\n`);
+
+console.log("nats.conf auth section (replace any existing auth block):\n");
+console.log(setup.natsConfig);
+console.log();
+
+console.log("Keys (store securely, do not commit):\n");
+console.log(`  Operator seed:       ${setup.operatorSeed}`);
+console.log(`  Operator public key: ${setup.operatorPublicKey}`);
+console.log(`  Account seed:        ${setup.accountSeed}`);
+console.log(`  Account public key:  ${setup.accountPublicKey}`);

package/palmier-server/server/src/nats.ts

@@ -1,4 +1,5 @@
-import { connect, NatsConnection } from "nats";
+import { connect, jwtAuthenticator, NatsConnection } from "nats";
+import { createServerCredentials, seedFromString } from "./nats-jwt.js";
 
 let nc: NatsConnection | null = null;
 
@@ -6,14 +7,21 @@ export async function connectNats(): Promise<NatsConnection> {
   if (nc) return nc;
 
   const url = process.env.NATS_URL || "nats://localhost:4222";
-  const token = process.env.NATS_TOKEN;
+  const accountSeed = process.env.NATS_ACCOUNT_SEED;
+
+  if (!accountSeed) {
+    throw new Error("NATS_ACCOUNT_SEED is required for JWT auth");
+  }
+
+  // Generate server credentials with full access
+  const creds = createServerCredentials(accountSeed);
 
   nc = await connect({
     servers: url,
-    ...(token ? { token } : {}),
+    authenticator: jwtAuthenticator(creds.jwt, seedFromString(creds.nkeySeed)),
   });
 
-  console.log(`Connected to NATS at ${url}`);
+  console.log(`Connected to NATS at ${url} (JWT auth)`);
   return nc;
 }
 

package/palmier-server/server/src/routes/device.ts

@@ -197,4 +197,28 @@ router.post("/ringer-response", async (req: Request, res: Response) => {
   }
 });
 
+// POST /api/device/email-response - Receive email response from Android, relay to host via NATS
+router.post("/email-response", async (req: Request, res: Response) => {
+  try {
+    const { requestId, hostId, result } = req.body;
+
+    if (!requestId || !hostId) {
+      res.status(400).json({ error: "requestId and hostId are required" });
+      return;
+    }
+
+    const conn = await getNatsConnection();
+    const sc = StringCodec();
+    conn.publish(
+      `host.${hostId}.email.${requestId}`,
+      sc.encode(JSON.stringify(result)),
+    );
+
+    res.json({ ok: true });
+  } catch (err) {
+    console.error("Device email response relay error:", err);
+    res.status(500).json({ error: "Internal server error" });
+  }
+});
+
 export default router;

package/palmier-server/server/src/routes/hosts.ts

@@ -1,6 +1,7 @@
 import { Router, Request, Response } from "express";
 import type { Router as RouterType } from "express";
 import { pool } from "../db.js";
+import { createHostCredentials } from "../nats-jwt.js";
 
 const router: RouterType = Router();
 
@@ -9,6 +10,13 @@ const router: RouterType = Router();
 // so re-initializing a host doesn't create a duplicate entry.
 router.post("/register", async (req: Request, res: Response) => {
   try {
+    const accountSeed = process.env.NATS_ACCOUNT_SEED;
+    if (!accountSeed) {
+      console.error("NATS_ACCOUNT_SEED not configured");
+      res.status(500).json({ error: "Server NATS auth not configured" });
+      return;
+    }
+
     const requestedId: string | undefined = req.body?.hostId;
 
     let hostId: string;
@@ -26,15 +34,18 @@ router.post("/register", async (req: Request, res: Response) => {
       hostId = result.rows[0].id;
     }
 
+    // Generate per-host NATS credentials (scoped to this host's subjects)
+    const creds = createHostCredentials(accountSeed, hostId);
+
     const natsUrl = process.env.NATS_HOST_URL || process.env.NATS_URL || "nats://localhost:4222";
     const natsWsUrl = process.env.NATS_WS_URL || "";
-    const natsToken = process.env.NATS_TOKEN || "";
 
     res.status(201).json({
       hostId,
       natsUrl,
       natsWsUrl,
-      natsToken,
+      natsJwt: creds.jwt,
+      natsNkeySeed: creds.nkeySeed,
     });
   } catch (err) {
     console.error("Register host error:", err);

package/palmier-server/spec.md

@@ -59,9 +59,9 @@ Each host machine is provisioned via `palmier init`, an interactive wizard that
 `palmier init` is an interactive wizard that:
 
 1. Detects installed agent CLIs.
-2. Asks whether to enable LAN access and which HTTP port to use (default 9966).
+2. Asks whether to enable LAN access and which HTTP port to use (default 7256).
 3. Shows a summary of task storage directory, local access URL, LAN URL (if enabled), detected agents, and any existing tasks to recover. Asks for confirmation before proceeding.
-4. Registers with the Palmier server via `POST <url>/api/hosts/register` — server returns `{ hostId, natsUrl, natsWsUrl, natsToken }`.
+4. Registers with the Palmier server via `POST <url>/api/hosts/register` — server returns `{ hostId, natsUrl, natsWsUrl, natsJwt, natsNkeySeed }`.
 5. Saves config to `~/.config/palmier/host.json` (includes `httpPort`, `lanEnabled`, NATS credentials).
 6. Installs a systemd user service (Linux) or Task Scheduler entry (Windows) and auto-enters pair mode.
 
@@ -116,7 +116,8 @@ The **RPC method is derived from the NATS subject**, not the message body. The h
 
 | Method | Params | Description |
 |---|---|---|
-| `task.list` | *(none)* | List all tasks with frontmatter, created_at, and current status. Returns `agents` array of detected CLIs, `host_platform`, and `version`. |
+| `host.info` | *(none)* | Bootstrap metadata fetched once per connection. Returns `{ agents, version, host_platform, capability_tokens, pending_prompts }`. `pending_prompts` is an array of prompts already waiting when the PWA reconnects (each `{ key, type, params?, meta? }`), so modals can render without replaying events. |
+| `task.list` | *(none)* | List all tasks with frontmatter, created_at, and current status. |
 | `task.get` | `id` | Get a single task with frontmatter and current status. |
 | `task.create` | `user_prompt`, `agent`, `triggers?`, `triggers_enabled?`, `requires_confirmation?`, `yolo_mode?`, `foreground_mode?`, `command?` | Create a new task with auto-generated name (30s timeout for prompts > 50 chars), install system timers if triggers present. |
 | `task.update` | `id`, `user_prompt?`, `agent?`, `triggers?`, `triggers_enabled?`, `requires_confirmation?`, `yolo_mode?`, `foreground_mode?`, `command?` | Update an existing task. Regenerates name if `user_prompt` or `agent` changed. Reinstall timers as needed. |
@@ -273,21 +274,32 @@ The PWA connects to **one host at a time**. A host menu (hamburger drawer) lets
 
 1. PWA loads. If no hosts are paired, it shows an empty state with a "Pair Host" button.
 
-2. If hosts are paired, PWA fetches NATS credentials from `GET /api/config` (returns `{ natsWsUrl, natsToken }`) and connects to NATS via WebSocket.
+2. If hosts are paired, PWA fetches host-scoped NATS credentials from `GET /api/nats-credentials/<hostId>` (returns `{ natsWsUrl, natsJwt, natsNkeySeed }`) and connects to NATS via WebSocket using JWT auth. The credentials are scoped to the paired host's subjects only.
 
-3. PWA sends a `task.list` request to `host.<host_id>.rpc.task.list` using NATS request-reply, including the `clientToken` in the payload.
+3. PWA sends a `task.list` request to `host.<host_id>.rpc.task.list` using NATS request-reply, including the `clientToken` in the payload. The PWA uses the response for bootstrap metadata (agents, host platform, version, capability tokens) that both the Sessions tab's composer and the Tasks tab depend on.
 
-4. If the host responds, it returns `{ tasks: [...] }` — an array of **flat task objects** (frontmatter fields spread to the top level) and displays the task list. If the request fails with NATS 503 ("no responders"), the PWA shows an empty task list — this is not treated as an error.
+4. PWA lands on the Sessions tab and fetches run history via `taskrun.list`. If the host responds to `task.list`, it returns `{ tasks: [...] }` — an array of **flat task objects** (frontmatter fields spread to the top level) used by the Tasks tab. If the request fails with NATS 503 ("no responders"), the PWA shows an empty state — this is not treated as an error.
 
 5. PWA registers the service worker and subscribes the browser for Web Push notifications (via `pushManager.subscribe` with the server's VAPID public key). The push subscription is sent to `POST /api/push/subscribe` with the `hostId` so the server can relay notifications to the device.
 
 6. PWA discovers pending confirmations from the `task.list` RPC response — tasks with a pending confirmation, permission, or input request are shown as interactive modals. The PWA responds by calling the `task.user_input` RPC on the host, which resolves the in-memory pending request held by the serve daemon. The `run` process (blocked on an HTTP call to the serve daemon) receives the response and proceeds or exits accordingly.
 
-### 4.2 Task Creation & Update
+### 4.2 UI Layout: Sessions & Tasks Tabs
 
-1. User clicks the "Describe your new task..." placeholder in the task list view, which opens the task form directly.
+The PWA has two tabs: **Sessions** (default, at `/`) and **Tasks** (secondary, at `/tasks`). Sessions is the primary workflow — it lists all run history across tasks (a "session" is a single run) and includes a session composer at the top of the list.
 
-2. User enters a prompt, selects an agent, configures triggers (UI translates human-readable times to cron formats) and confirmation settings, and clicks "Create" (or "Update" for existing tasks).
+* **Session composer:** An inline textarea with an agent picker, a yolo-mode toggle, and a round play button. Entering text and clicking play dispatches `task.run_oneoff`, starting an immediate unsaved session. The composer never opens a dialog; typing is direct. When the textarea has content, navigating away (tab switch, host switch, browser reload, clicking a session row) triggers a confirmation dialog so the draft isn't lost silently.
+* **Tasks tab:** Lists saved tasks (scheduled or reusable). The "Describe your new task..." card opens the full task form, which is used only to create/edit saved or scheduled tasks — it has no Run button (run one-offs via the session composer instead). The form's primary action is "Save" (no schedule) or "Schedule" (when triggers are configured).
+
+Bootstrap data (agents, host version, host platform, capability tokens) is fetched once per connection at the Dashboard level via `host.info` — independent of which tab is active. `task.list` is called lazily on the Tasks tab mount; `taskrun.list` is called lazily on the Sessions tab mount. Neither list RPC carries bootstrap metadata.
+
+Dashboard owns the always-on NATS event subscription and renders pending `confirm-request` / `permission-request` / `input-request` modals via React portal, so prompts surface regardless of which tab is active. Initial pending prompts (those already open when the PWA connects) are seeded from `host.info`'s `pending_prompts` field — each entry carries the display context (`description`, `agent_name`, `task_name`) needed to render the modal cold, since the task list is no longer available at bootstrap.
+
+### 4.3 Task Creation & Update
+
+1. User clicks the "Describe your new task..." placeholder in the Tasks tab, which opens the task form directly.
+
+2. User enters a prompt, selects an agent, configures triggers (UI translates human-readable times to cron formats) and confirmation settings, and clicks "Save" (no schedule) or "Schedule" (with triggers).
 
 3. PWA sends `task.create` (or `task.update`) via NATS request-reply to Host (45s timeout). For prompts > 50 chars, the host generates a concise task name by running the configured agent CLI in non-interactive mode (e.g., `claude -p "Generate a concise 3-6 word name for this task..."`). For shorter prompts, the prompt is used directly as the name.
 
@@ -299,16 +311,17 @@ The PWA connects to **one host at a time**. A host menu (hamburger drawer) lets
 
 7. **OS Integration:** Host translates triggers into a systemd user timer (`~/.config/systemd/user/palmier-task-<task-id>.timer` and `.service`). The `.service` runs `palmier run <task-id>`, which executes the task as a background process. Host runs `systemctl --user daemon-reload` and enables the timer.
 
-### 4.3 On-Demand Execution
+### 4.4 On-Demand Execution
 
 Any task that is not currently running can be executed immediately:
 
-* **PWA:** A "Run Now" button is shown on each task card when the task is not already running. Clicking it sends a `task.run` request via NATS request-reply to the Host, which starts execution via the system scheduler (`systemctl --user start` on Linux, `schtasks /run` on Windows).
+* **PWA (saved task):** A "Run Now" button is shown on each task card when the task is not already running. Clicking it sends a `task.run` request via NATS request-reply to the Host, which starts execution via the system scheduler (`systemctl --user start` on Linux, `schtasks /run` on Windows).
+* **PWA (one-off session):** The session composer on the Sessions tab sends `task.run_oneoff` with `{ user_prompt, agent, yolo_mode }`. The host creates an ephemeral task, runs it, and returns `{ task_id, run_id }`; the PWA navigates to the run detail view.
 * **CLI:** `palmier run <task-id>` executes the task directly (outside the system scheduler).
 
 Both paths follow the same execution loop described in §5.2 (including confirmation checks if configured). The system scheduler prevents concurrent runs of the same task — if the service/task is already active, the start command is a no-op.
 
-### 4.4 Task Deletion
+### 4.5 Task Deletion
 
 1. PWA sends `task.delete` via NATS request-reply.
 
@@ -430,8 +443,9 @@ All endpoints are served over HTTPS. No user authentication is required — the
 
 | Method | Path | Description |
 |--------|------|-------------|
-| `POST` | `/api/hosts/register` | Register a new host. Returns `{ hostId, natsUrl, natsWsUrl, natsToken }`. Rate-limited by IP. |
-| `GET`  | `/api/config` | Returns NATS WebSocket credentials for the PWA: `{ natsWsUrl, natsToken }`. |
+| `POST` | `/api/hosts/register` | Register a new host. Returns `{ hostId, natsUrl, natsWsUrl, natsJwt, natsNkeySeed }` with host-scoped NATS credentials. |
+| `GET`  | `/api/config` | Returns pairing-only NATS credentials: `{ natsWsUrl, natsJwt, natsNkeySeed }`. JWT can only publish to `pair.*`. |
+| `GET`  | `/api/nats-credentials/:hostId` | Returns host-scoped NATS credentials for PWA: `{ natsWsUrl, natsJwt, natsNkeySeed }`. JWT scoped to one host's RPC + events. |
 | `POST` | `/api/push/subscribe` | Register a push subscription. Body: `{ hostId, endpoint, keys: { p256dh, auth } }`. |
 | `DELETE` | `/api/push/subscribe` | Unregister a push subscription. Body: `{ hostId, endpoint }`. |
 | `GET`  | `/api/push/vapid-key` | Returns the server's VAPID public key for push subscription. |

package/src/agents/agent.ts

@@ -44,6 +44,9 @@ export interface AgentTool {
    *  If false, the permissions section is omitted from agent instructions. */
   supportsPermissions: boolean;
 
+  /** Whether this agent supports yolo mode (auto-approve all tools). */
+  supportsYolo: boolean;
+
   /** Detect whether the agent CLI is available and perform any agent-specific
    *  initialization. Returns true if the agent was detected and initialized successfully. */
   init(): Promise<boolean>;
@@ -93,6 +96,7 @@ export interface DetectedAgent {
   key: string;
   label: string;
   supportsPermissions: boolean;
+  supportsYolo: boolean;
 }
 
 export async function detectAgents(): Promise<DetectedAgent[]> {
@@ -100,7 +104,7 @@ export async function detectAgents(): Promise<DetectedAgent[]> {
   for (const [key, agent] of Object.entries(agentRegistry)) {
     const label = agentLabels[key] ?? key;
     const ok = await agent.init();
-    if (ok) detected.push({ key, label, supportsPermissions: agent.supportsPermissions });
+    if (ok) detected.push({ key, label, supportsPermissions: agent.supportsPermissions, supportsYolo: agent.supportsYolo });
   }
   return detected;
 }

package/src/agents/aider.ts

@@ -6,6 +6,7 @@ import { SHELL } from "../platform/index.js";
 
 export class Aider implements AgentTool {
   supportsPermissions = false;
+  supportsYolo = true;
   getPromptCommandLine(prompt: string): CommandLine {
     return { command: "aider", args: ["--message", prompt] };
   }

package/src/agents/claude.ts

@@ -6,6 +6,7 @@ import { SHELL } from "../platform/index.js";
 
 export class ClaudeAgent implements AgentTool {
   supportsPermissions = true;
+  supportsYolo = true;
   getPromptCommandLine(prompt: string): CommandLine {
     return { command: "claude", args: ["-p", prompt] };
   }

package/src/agents/cline.ts

@@ -6,6 +6,7 @@ import { SHELL } from "../platform/index.js";
 
 export class Cline implements AgentTool {
   supportsPermissions = false;
+  supportsYolo = true;
   getPromptCommandLine(prompt: string): CommandLine {
     return { command: "cline ", args: ["--yolo", "-p", prompt] };
   }

package/src/agents/codex.ts

@@ -6,6 +6,7 @@ import { SHELL } from "../platform/index.js";
 
 export class CodexAgent implements AgentTool {
   supportsPermissions = true;
+  supportsYolo = true;
   getPromptCommandLine(prompt: string): CommandLine {
     return { command: "codex", args: ["exec", "--skip-git-repo-check", prompt] };
   }

package/src/agents/copilot.ts

@@ -6,6 +6,7 @@ import { SHELL } from "../platform/index.js";
 
 export class CopilotAgent implements AgentTool {
   supportsPermissions = false;
+  supportsYolo = true;
   getPromptCommandLine(prompt: string): CommandLine {
     return { command: "copilot", args: ["-p", prompt] };
   }

package/src/agents/cursor.ts

@@ -6,6 +6,7 @@ import { SHELL } from "../platform/index.js";
 
 export class Cursor implements AgentTool {
   supportsPermissions = false;
+  supportsYolo = true;
   getPromptCommandLine(prompt: string): CommandLine {
     return { command: "cursor", args: ["-p", prompt] };
   }

package/src/agents/deepagents.ts

@@ -6,6 +6,7 @@ import { SHELL } from "../platform/index.js";
 
 export class DeepAgents implements AgentTool {
   supportsPermissions = false;
+  supportsYolo = true;
   getPromptCommandLine(prompt: string): CommandLine {
     return { command: "deepagents", args: ["--non-interactive", prompt] };
   }

package/src/agents/droid.ts

@@ -6,6 +6,7 @@ import { SHELL } from "../platform/index.js";
 
 export class DroidAgent implements AgentTool {
   supportsPermissions = false;
+  supportsYolo = true;
   getPromptCommandLine(prompt: string): CommandLine {
     return { command: "droid", args: ["exec", prompt] };
   }

package/src/agents/gemini.ts

@@ -6,6 +6,7 @@ import { SHELL } from "../platform/index.js";
 
 export class GeminiAgent implements AgentTool {
   supportsPermissions = true;
+  supportsYolo = true;
   getPromptCommandLine(prompt: string): CommandLine {
     return { command: "gemini", args: ["--prompt", prompt] };
   }