quoroom 0.1.8 → 0.1.11

package/README.md

@@ -8,7 +8,7 @@
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 [![npm version](https://img.shields.io/npm/v/quoroom)](https://www.npmjs.com/package/quoroom)
-[![Tests](https://img.shields.io/badge/tests-804%20passing-brightgreen)](#)
+[![Tests](https://img.shields.io/badge/tests-907%20passing-brightgreen)](#)
 [![GitHub stars](https://img.shields.io/github/stars/quoroom-ai/room)](https://github.com/quoroom-ai/room/stargazers)
 [![macOS](https://img.shields.io/badge/macOS-.pkg-000000?logo=apple&logoColor=white)](https://github.com/quoroom-ai/room/releases/latest)
 [![Windows](https://img.shields.io/badge/Windows-.exe-0078D4?logo=windows&logoColor=white)](https://github.com/quoroom-ai/room/releases/latest)
@@ -38,6 +38,7 @@ Official channels only:
 
 - `https://quoroom.ai`
 - `https://github.com/quoroom-ai`
+- Telegram: `@quoroom_ai_bot`
 
 If you see impersonation or scam activity, report it to `hello@quoroom.ai`.
 See `TRADEMARKS.md` for full trademark usage terms.
@@ -108,6 +109,12 @@ Quoroom is an open research project exploring autonomous agent collectives. Each
 
 **Dashboard** — React SPA served directly by your local Quoroom server at `http://localhost:3700` (or your configured port). Manage rooms, agents, goals, memory, wallet — all from the browser, with local-first data storage.
 
+**Cloud Mode** — Deploy to the cloud and control your room remotely. Same dashboard works in both local and cloud mode. Cloud instances auto-detect their environment, support JWT-based auth, and serve the UI over HTTPS with strict CORS. Connect your Claude or Codex subscription from the remote Settings panel.
+
+**Inbox** — Rooms can message the keeper and other rooms. Cross-room communication with reply threading. Agents escalate decisions, share updates, or request resources from neighboring rooms.
+
+**Credentials** — Secure credential storage for API keys and secrets. Agents list and retrieve credentials at runtime without exposing raw values in prompts or logs.
+
 **Auto-updates** — The server polls GitHub for new releases every 4 hours. When a new version is available, the dashboard shows a notification popup and a download row in Settings. One click downloads the installer for your platform directly — no browser redirect.
 
 ---
@@ -213,6 +220,7 @@ The room engine exposes an MCP server over stdio. All tools use the `quoroom_` p
 | `quoroom_pause_room` | Pause a running room |
 | `quoroom_restart_room` | Restart a paused room |
 | `quoroom_delete_room` | Delete a room |
+| `quoroom_configure_room` | Update room configuration |
 
 ### Quorum
 
@@ -304,6 +312,7 @@ The room engine exposes an MCP server over stdio. All tools use the `quoroom_` p
 | `quoroom_wallet_balance` | Check on-chain balance (USDC/USDT, all chains) |
 | `quoroom_wallet_send` | Send USDC or USDT on any supported chain |
 | `quoroom_wallet_history` | View transaction history |
+| `quoroom_wallet_topup` | Get wallet top-up URL |
 
 ### Identity
 
@@ -324,9 +333,32 @@ The room engine exposes an MCP server over stdio. All tools use the `quoroom_` p
 | `quoroom_station_stop` | Stop a running station |
 | `quoroom_station_exec` | Execute a command on a station |
 | `quoroom_station_logs` | View station logs |
-| `quoroom_station_deploy` | Deploy to a station |
-| `quoroom_station_domain` | Manage station domain |
 | `quoroom_station_delete` | Delete a station |
+| `quoroom_station_cancel` | Cancel a pending station |
+| `quoroom_station_create_crypto` | Provision a station with crypto payment |
+| `quoroom_station_renew_crypto` | Renew a station with crypto payment |
+
+### Inbox
+
+| Tool | Description |
+|------|-------------|
+| `quoroom_inbox_send_keeper` | Send a message to the keeper |
+| `quoroom_inbox_send_room` | Send a message to another room |
+| `quoroom_inbox_list` | List inbox messages |
+| `quoroom_inbox_reply` | Reply to a room message |
+
+### Credentials
+
+| Tool | Description |
+|------|-------------|
+| `quoroom_credentials_list` | List stored credentials |
+| `quoroom_credentials_get` | Get a credential value |
+
+### Resources
+
+| Tool | Description |
+|------|-------------|
+| `quoroom_resources_get` | Get local system resources (CPU, memory, disk) |
 
 ### Settings
 
@@ -351,6 +383,13 @@ npm run test:watch       # Watch mode
 npm run test:e2e         # End-to-end tests (Playwright)
 ```
 
+### Docker (cloud runtime)
+
+```bash
+docker build -t quoroom .
+docker run -p 3700:3700 quoroom
+```
+
 ## Releasing
 
 Use the release runbook: [`docs/RELEASE_RUNBOOK.md`](docs/RELEASE_RUNBOOK.md)
@@ -365,19 +404,19 @@ room/
 │   ├── mcp/               # MCP server (stdio)
 │   │   ├── server.ts      # Tool registration
 │   │   ├── db.ts          # Database initialization
-│   │   └── tools/         # 13 tool modules
+│   │   └── tools/         # 17 tool modules
 │   ├── server/            # HTTP/WebSocket API server
-│   │   ├── index.ts       # Server bootstrap
+│   │   ├── index.ts       # Server bootstrap (local + cloud mode)
 │   │   ├── router.ts      # Request router
-│   │   ├── auth.ts        # Dual-token auth + CORS
+│   │   ├── auth.ts        # Dual-token auth + CORS + cloud JWT
 │   │   ├── access.ts      # Role-based access control
 │   │   ├── ws.ts          # WebSocket real-time events
-│   │   └── routes/        # REST API routes
+│   │   └── routes/        # REST API routes (20 modules)
 │   ├── ui/                # React SPA dashboard
 │   │   ├── App.tsx        # Root component
-│   │   ├── components/    # UI components
+│   │   ├── components/    # UI components (32 modules)
 │   │   ├── hooks/         # React hooks
-│   │   └── lib/           # API client, auth, WebSocket
+│   │   └── lib/           # API client, auth, storage, WebSocket
 │   └── shared/            # Core engine
 │       ├── agent-loop.ts       # Worker agent loop with rate limiting
 │       ├── agent-executor.ts   # Claude Code CLI execution
@@ -389,15 +428,17 @@ room/
 │       ├── identity.ts         # ERC-8004 on-chain identity
 │       ├── station.ts          # Cloud provisioning
 │       ├── task-runner.ts      # Task execution engine
+│       ├── model-provider.ts   # Multi-provider LLM support
+│       ├── cloud-sync.ts       # Cloud registration + heartbeat
 │       ├── db-queries.ts       # Database query layer
 │       ├── schema.ts           # SQLite schema (WAL mode)
 │       ├── embeddings.ts       # Vector embeddings (all-MiniLM-L6-v2)
-│       ├── cloud-sync.ts      # Cloud registration + heartbeat
-│       └── __tests__/          # Test suite
+│       └── __tests__/          # Test suite (907 tests)
 ├── e2e/                    # Playwright end-to-end tests
 ├── scripts/
 │   └── build-mcp.js       # esbuild bundling
-└── docs/                   # Media assets
+├── Dockerfile              # Cloud runtime image
+└── docs/                   # Media assets + architecture docs
 ```
 
 **Tech stack**: TypeScript (strict), React, Tailwind CSS, better-sqlite3, sqlite-vec, viem, MCP SDK, HuggingFace Transformers, node-cron, zod, esbuild, Vite, Vitest

package/out/mcp/api-server.js

@@ -9382,7 +9382,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "quoroom",
-      version: "0.1.8",
+      version: "0.1.11",
       description: "Autonomous AI agent collective engine \u2014 Queen, Workers, Quorum",
       main: "./out/mcp/server.js",
       bin: {
@@ -9404,16 +9404,28 @@ var require_package = __commonJS({
         build: "npm run typecheck && npm run build:mcp && npm run build:ui",
         "build:mcp": "node scripts/build-mcp.js",
         "build:ui": "vite build --config src/ui/vite.config.ts",
-        dev: `sh -c 'trap "kill 0" INT TERM EXIT; npm run dev:room & npm run dev:cloud & wait'`,
-        "dev:room": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
-        "dev:cloud": "cd ../cloud && PORT=3710 CLOUD_PUBLIC_URL=http://127.0.0.1:3710 CLOUD_ALLOWED_ORIGINS='http://127.0.0.1:3710,http://localhost:3710,http://localhost:5173,http://127.0.0.1:5173,https://quoroom.ai,https://www.quoroom.ai,https://app.quoroom.ai' npm start",
+        "kill:ports": "node scripts/kill-ports.js",
+        "kill:dev-ports": "npm run kill:ports -- 4700 3710",
+        "dev:links": "node scripts/dev-links.js",
+        dev: `sh -c 'npm run kill:dev-ports && trap "kill 0" INT TERM EXIT; npm run dev:links & npm run dev:room & npm run dev:cloud & wait'`,
+        "dev:room": "sh -c 'export QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1; npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700'",
+        "dev:room:isolated": "sh -c 'export QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1; npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700'",
+        "dev:room:shared": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
+        "doctor:split": "node scripts/doctor-split.js",
+        "dev:isolated": `sh -c 'npm run kill:dev-ports && trap "kill 0" INT TERM EXIT; npm run dev:links & npm run dev:room:isolated & npm run dev:cloud & wait'`,
+        "dev:cloud": `sh -c 'npm run kill:ports -- 3710 && cd ../cloud && PORT=3710 CLOUD_PUBLIC_URL=http://127.0.0.1:3710 CLOUD_ALLOWED_ORIGINS='"'"'http://127.0.0.1:3710,http://localhost:3710,http://localhost:5173,http://127.0.0.1:5173,https://quoroom.ai,https://www.quoroom.ai,https://app.quoroom.ai'"'"' npm start'`,
         "dev:ui": "vite --config src/ui/vite.config.ts",
         "seed:style-demo": "node scripts/seed-style-demo.js",
         typecheck: "tsc --noEmit",
         test: "npm run rebuild:native:node && vitest run --pool=forks --passWithNoTests",
         "test:watch": "npm run rebuild:native:node && vitest --pool=forks",
+        "test:quick": "npm run typecheck && npm run test",
+        "test:smart-e2e": "git diff --cached --name-only | grep -qE '^(src/ui/|src/server/|e2e/|playwright)' && npm run test:e2e || echo 'No UI/server changes \u2014 skipping E2E'",
         "test:e2e": "npm run build && npx playwright test",
         "test:e2e:ui": "npm run build && npx playwright test e2e/ui.test.ts",
+        "test:e2e:setup": "npm run build && npx playwright test e2e/setup-flow.test.ts",
+        "test:e2e:setup:headed": "npm run build && npx playwright test e2e/setup-flow.test.ts --headed --project=chromium",
+        "test:e2e:providers": "npm run build && npx playwright test e2e/provider-flows.test.ts",
         "rebuild:native:node": `node -e "try{require('better-sqlite3')(':memory:').close()}catch{process.exit(1)}" || npx --yes node-gyp rebuild --directory=node_modules/better-sqlite3`,
         prepublishOnly: "npm run build:mcp"
       },
@@ -10453,9 +10465,6 @@ function getCloudAllowedOrigins() {
   const origins = configured.length > 0 ? configured : DEFAULT_CLOUD_ALLOWED_ORIGINS;
   return new Set(origins.map(normalizeOrigin).filter(Boolean));
 }
-function getCloudUserToken() {
-  return (process.env.QUOROOM_CLOUD_USER_TOKEN || "").trim();
-}
 function getCloudJwtSecret() {
   return (process.env.QUOROOM_CLOUD_JWT_SECRET || "").trim();
 }
@@ -10554,9 +10563,9 @@ function generateToken(dataDir) {
       return agentToken;
     }
   }
-  agentToken = dataDir ? readLegacyAgentToken(dataDir) ?? import_node_crypto.default.randomBytes(32).toString("hex") : import_node_crypto.default.randomBytes(32).toString("hex");
+  agentToken = dataDir && !isCloudDeployment() ? readLegacyAgentToken(dataDir) ?? import_node_crypto.default.randomBytes(32).toString("hex") : import_node_crypto.default.randomBytes(32).toString("hex");
   userToken = import_node_crypto.default.randomBytes(32).toString("hex");
-  if (dataDir) writePersistedTokens(dataDir, agentToken, userToken);
+  if (dataDir && !isCloudDeployment()) writePersistedTokens(dataDir, agentToken, userToken);
   return agentToken;
 }
 function getUserToken() {
@@ -10572,10 +10581,10 @@ function validateToken(authHeader) {
     const cloudRole = validateCloudJwt(provided);
     if (cloudRole) return cloudRole;
   }
-  if (isCloudDeployment() && tokenEquals(getCloudUserToken(), provided)) return "user";
   return null;
 }
 function writeTokenFile(dataDir, token, port) {
+  if (isCloudDeployment()) return;
   (0, import_node_fs.mkdirSync)(dataDir, { recursive: true });
   (0, import_node_fs.writeFileSync)((0, import_node_path.join)(dataDir, "api.token"), token, { mode: 384 });
   (0, import_node_fs.writeFileSync)((0, import_node_path.join)(dataDir, "api.port"), String(port));
@@ -26026,7 +26035,7 @@ var cachedVersion = null;
 function getVersion3() {
   if (cachedVersion) return cachedVersion;
   try {
-    cachedVersion = require_package().version;
+    cachedVersion = true ? "0.1.11" : null.version;
   } catch {
     cachedVersion = "unknown";
   }
@@ -26227,12 +26236,12 @@ function registerStatusRoutes(router) {
     const ollama = await checkOllama();
     const resources = getResources();
     const deploymentMode = getDeploymentMode();
+    const isCloud = deploymentMode === "cloud";
     return {
       data: {
         version: getVersion3(),
         uptime: Math.floor((Date.now() - startedAt) / 1e3),
-        dataDir,
-        dbPath,
+        ...!isCloud && { dataDir, dbPath },
         claude,
         codex,
         ollama,
@@ -27745,6 +27754,39 @@ function serveStatic(staticDir, pathname, res) {
     res.end("Not Found");
   }
 }
+var RATE_LIMIT_WINDOW_MS = 6e4;
+var RATE_LIMIT_READ = 300;
+var RATE_LIMIT_WRITE = 120;
+var rateBuckets = /* @__PURE__ */ new Map();
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, bucket] of rateBuckets) {
+    if (now >= bucket.resetAt) rateBuckets.delete(key);
+  }
+}, 12e4).unref();
+function checkRateLimit2(ip, method) {
+  const isWrite = method !== "GET" && method !== "HEAD" && method !== "OPTIONS";
+  const limit = isWrite ? RATE_LIMIT_WRITE : RATE_LIMIT_READ;
+  const key = `${ip}:${isWrite ? "w" : "r"}`;
+  const now = Date.now();
+  let bucket = rateBuckets.get(key);
+  if (!bucket || now >= bucket.resetAt) {
+    bucket = { count: 0, resetAt: now + RATE_LIMIT_WINDOW_MS };
+    rateBuckets.set(key, bucket);
+  }
+  bucket.count++;
+  if (bucket.count > limit) {
+    const retryAfter = Math.ceil((bucket.resetAt - now) / 1e3);
+    return { allowed: false, retryAfter };
+  }
+  return { allowed: true, retryAfter: 0 };
+}
+var CLOUD_SECURITY_HEADERS = {
+  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+  "X-Content-Type-Options": "nosniff",
+  "X-Frame-Options": "DENY",
+  "Referrer-Policy": "strict-origin-when-cross-origin"
+};
 function createApiServer(options = {}) {
   const db2 = options.db ?? getServerDatabase();
   const port = options.port ?? DEFAULT_PORT;
@@ -27769,7 +27811,20 @@ function createApiServer(options = {}) {
     const responseHeaders = {
       "Content-Type": "application/json"
     };
+    if (isCloudDeployment()) {
+      Object.assign(responseHeaders, CLOUD_SECURITY_HEADERS);
+    }
     setCorsHeaders(origin, responseHeaders);
+    if (isCloudDeployment() && pathname.startsWith("/api/")) {
+      const clientIp = req.socket.remoteAddress || "unknown";
+      const rl = checkRateLimit2(clientIp, req.method || "GET");
+      if (!rl.allowed) {
+        responseHeaders["Retry-After"] = String(rl.retryAfter);
+        res.writeHead(429, responseHeaders);
+        res.end(JSON.stringify({ error: "Too many requests" }));
+        return;
+      }
+    }
     const isSameOrigin = origin && req.headers.host && (() => {
       try {
         return new import_node_url.URL(origin).host === req.headers.host;

package/out/mcp/cli.js

@@ -49800,7 +49800,7 @@ var server_exports = {};
 async function main() {
   const server = new McpServer({
     name: "quoroom",
-    version: true ? "0.1.8" : "0.0.0"
+    version: true ? "0.1.11" : "0.0.0"
   });
   registerMemoryTools(server);
   registerSchedulerTools(server);
@@ -49934,9 +49934,6 @@ function getCloudAllowedOrigins() {
   const origins = configured.length > 0 ? configured : DEFAULT_CLOUD_ALLOWED_ORIGINS;
   return new Set(origins.map(normalizeOrigin).filter(Boolean));
 }
-function getCloudUserToken() {
-  return (process.env.QUOROOM_CLOUD_USER_TOKEN || "").trim();
-}
 function getCloudJwtSecret() {
   return (process.env.QUOROOM_CLOUD_JWT_SECRET || "").trim();
 }
@@ -50035,9 +50032,9 @@ function generateToken(dataDir) {
       return agentToken;
     }
   }
-  agentToken = dataDir ? readLegacyAgentToken(dataDir) ?? import_node_crypto2.default.randomBytes(32).toString("hex") : import_node_crypto2.default.randomBytes(32).toString("hex");
+  agentToken = dataDir && !isCloudDeployment() ? readLegacyAgentToken(dataDir) ?? import_node_crypto2.default.randomBytes(32).toString("hex") : import_node_crypto2.default.randomBytes(32).toString("hex");
   userToken = import_node_crypto2.default.randomBytes(32).toString("hex");
-  if (dataDir) writePersistedTokens(dataDir, agentToken, userToken);
+  if (dataDir && !isCloudDeployment()) writePersistedTokens(dataDir, agentToken, userToken);
   return agentToken;
 }
 function getUserToken() {
@@ -50053,10 +50050,10 @@ function validateToken(authHeader) {
     const cloudRole = validateCloudJwt(provided);
     if (cloudRole) return cloudRole;
   }
-  if (isCloudDeployment() && tokenEquals(getCloudUserToken(), provided)) return "user";
   return null;
 }
 function writeTokenFile(dataDir, token, port) {
+  if (isCloudDeployment()) return;
   (0, import_node_fs.mkdirSync)(dataDir, { recursive: true });
   (0, import_node_fs.writeFileSync)((0, import_node_path.join)(dataDir, "api.token"), token, { mode: 384 });
   (0, import_node_fs.writeFileSync)((0, import_node_path.join)(dataDir, "api.port"), String(port));
@@ -50744,7 +50741,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "quoroom",
-      version: "0.1.8",
+      version: "0.1.11",
       description: "Autonomous AI agent collective engine \u2014 Queen, Workers, Quorum",
       main: "./out/mcp/server.js",
       bin: {
@@ -50766,16 +50763,28 @@ var require_package = __commonJS({
         build: "npm run typecheck && npm run build:mcp && npm run build:ui",
         "build:mcp": "node scripts/build-mcp.js",
         "build:ui": "vite build --config src/ui/vite.config.ts",
-        dev: `sh -c 'trap "kill 0" INT TERM EXIT; npm run dev:room & npm run dev:cloud & wait'`,
-        "dev:room": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
-        "dev:cloud": "cd ../cloud && PORT=3710 CLOUD_PUBLIC_URL=http://127.0.0.1:3710 CLOUD_ALLOWED_ORIGINS='http://127.0.0.1:3710,http://localhost:3710,http://localhost:5173,http://127.0.0.1:5173,https://quoroom.ai,https://www.quoroom.ai,https://app.quoroom.ai' npm start",
+        "kill:ports": "node scripts/kill-ports.js",
+        "kill:dev-ports": "npm run kill:ports -- 4700 3710",
+        "dev:links": "node scripts/dev-links.js",
+        dev: `sh -c 'npm run kill:dev-ports && trap "kill 0" INT TERM EXIT; npm run dev:links & npm run dev:room & npm run dev:cloud & wait'`,
+        "dev:room": "sh -c 'export QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1; npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700'",
+        "dev:room:isolated": "sh -c 'export QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1; npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700'",
+        "dev:room:shared": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
+        "doctor:split": "node scripts/doctor-split.js",
+        "dev:isolated": `sh -c 'npm run kill:dev-ports && trap "kill 0" INT TERM EXIT; npm run dev:links & npm run dev:room:isolated & npm run dev:cloud & wait'`,
+        "dev:cloud": `sh -c 'npm run kill:ports -- 3710 && cd ../cloud && PORT=3710 CLOUD_PUBLIC_URL=http://127.0.0.1:3710 CLOUD_ALLOWED_ORIGINS='"'"'http://127.0.0.1:3710,http://localhost:3710,http://localhost:5173,http://127.0.0.1:5173,https://quoroom.ai,https://www.quoroom.ai,https://app.quoroom.ai'"'"' npm start'`,
         "dev:ui": "vite --config src/ui/vite.config.ts",
         "seed:style-demo": "node scripts/seed-style-demo.js",
         typecheck: "tsc --noEmit",
         test: "npm run rebuild:native:node && vitest run --pool=forks --passWithNoTests",
         "test:watch": "npm run rebuild:native:node && vitest --pool=forks",
+        "test:quick": "npm run typecheck && npm run test",
+        "test:smart-e2e": "git diff --cached --name-only | grep -qE '^(src/ui/|src/server/|e2e/|playwright)' && npm run test:e2e || echo 'No UI/server changes \u2014 skipping E2E'",
         "test:e2e": "npm run build && npx playwright test",
         "test:e2e:ui": "npm run build && npx playwright test e2e/ui.test.ts",
+        "test:e2e:setup": "npm run build && npx playwright test e2e/setup-flow.test.ts",
+        "test:e2e:setup:headed": "npm run build && npx playwright test e2e/setup-flow.test.ts --headed --project=chromium",
+        "test:e2e:providers": "npm run build && npx playwright test e2e/provider-flows.test.ts",
         "rebuild:native:node": `node -e "try{require('better-sqlite3')(':memory:').close()}catch{process.exit(1)}" || npx --yes node-gyp rebuild --directory=node_modules/better-sqlite3`,
         prepublishOnly: "npm run build:mcp"
       },
@@ -52517,7 +52526,7 @@ var init_updateChecker = __esm({
 function getVersion3() {
   if (cachedVersion) return cachedVersion;
   try {
-    cachedVersion = require_package().version;
+    cachedVersion = true ? "0.1.11" : null.version;
   } catch {
     cachedVersion = "unknown";
   }
@@ -52713,12 +52722,12 @@ function registerStatusRoutes(router) {
     const ollama = await checkOllama();
     const resources = getResources();
     const deploymentMode = getDeploymentMode();
+    const isCloud = deploymentMode === "cloud";
     return {
       data: {
         version: getVersion3(),
         uptime: Math.floor((Date.now() - startedAt) / 1e3),
-        dataDir,
-        dbPath,
+        ...!isCloud && { dataDir, dbPath },
         claude,
         codex,
         ollama,
@@ -57952,6 +57961,23 @@ function serveStatic(staticDir, pathname, res) {
     res.end("Not Found");
   }
 }
+function checkRateLimit2(ip, method) {
+  const isWrite = method !== "GET" && method !== "HEAD" && method !== "OPTIONS";
+  const limit = isWrite ? RATE_LIMIT_WRITE : RATE_LIMIT_READ;
+  const key = `${ip}:${isWrite ? "w" : "r"}`;
+  const now = Date.now();
+  let bucket = rateBuckets.get(key);
+  if (!bucket || now >= bucket.resetAt) {
+    bucket = { count: 0, resetAt: now + RATE_LIMIT_WINDOW_MS };
+    rateBuckets.set(key, bucket);
+  }
+  bucket.count++;
+  if (bucket.count > limit) {
+    const retryAfter = Math.ceil((bucket.resetAt - now) / 1e3);
+    return { allowed: false, retryAfter };
+  }
+  return { allowed: true, retryAfter: 0 };
+}
 function createApiServer(options = {}) {
   const db3 = options.db ?? getServerDatabase();
   const port = options.port ?? DEFAULT_PORT;
@@ -57976,7 +58002,20 @@ function createApiServer(options = {}) {
     const responseHeaders = {
       "Content-Type": "application/json"
     };
+    if (isCloudDeployment()) {
+      Object.assign(responseHeaders, CLOUD_SECURITY_HEADERS);
+    }
     setCorsHeaders(origin, responseHeaders);
+    if (isCloudDeployment() && pathname.startsWith("/api/")) {
+      const clientIp = req.socket.remoteAddress || "unknown";
+      const rl = checkRateLimit2(clientIp, req.method || "GET");
+      if (!rl.allowed) {
+        responseHeaders["Retry-After"] = String(rl.retryAfter);
+        res.writeHead(429, responseHeaders);
+        res.end(JSON.stringify({ error: "Too many requests" }));
+        return;
+      }
+    }
     const isSameOrigin = origin && req.headers.host && (() => {
       try {
         return new import_node_url.URL(origin).host === req.headers.host;
@@ -58210,7 +58249,7 @@ function startServer(options = {}) {
     process.exit(0);
   });
 }
-var import_node_http, import_node_https2, import_node_url, import_node_fs3, import_node_path4, import_node_os5, import_node_child_process6, DEFAULT_PORT, DEFAULT_BIND_HOST_LOCAL, DEFAULT_BIND_HOST_CLOUD, MIME_TYPES;
+var import_node_http, import_node_https2, import_node_url, import_node_fs3, import_node_path4, import_node_os5, import_node_child_process6, DEFAULT_PORT, DEFAULT_BIND_HOST_LOCAL, DEFAULT_BIND_HOST_CLOUD, MIME_TYPES, RATE_LIMIT_WINDOW_MS, RATE_LIMIT_READ, RATE_LIMIT_WRITE, rateBuckets, CLOUD_SECURITY_HEADERS;
 var init_server4 = __esm({
   "src/server/index.ts"() {
     "use strict";
@@ -58254,6 +58293,22 @@ var init_server4 = __esm({
       ".webp": "image/webp",
       ".webmanifest": "application/manifest+json"
     };
+    RATE_LIMIT_WINDOW_MS = 6e4;
+    RATE_LIMIT_READ = 300;
+    RATE_LIMIT_WRITE = 120;
+    rateBuckets = /* @__PURE__ */ new Map();
+    setInterval(() => {
+      const now = Date.now();
+      for (const [key, bucket] of rateBuckets) {
+        if (now >= bucket.resetAt) rateBuckets.delete(key);
+      }
+    }, 12e4).unref();
+    CLOUD_SECURITY_HEADERS = {
+      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+      "X-Content-Type-Options": "nosniff",
+      "X-Frame-Options": "DENY",
+      "Referrer-Policy": "strict-origin-when-cross-origin"
+    };
   }
 });
 

package/out/mcp/server.js

@@ -47101,7 +47101,7 @@ function registerResourceTools(server) {
 async function main() {
   const server = new McpServer({
     name: "quoroom",
-    version: true ? "0.1.8" : "0.0.0"
+    version: true ? "0.1.11" : "0.0.0"
   });
   registerMemoryTools(server);
   registerSchedulerTools(server);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "quoroom",
-  "version": "0.1.8",
+  "version": "0.1.11",
   "description": "Autonomous AI agent collective engine — Queen, Workers, Quorum",
   "main": "./out/mcp/server.js",
   "bin": {
@@ -22,16 +22,28 @@
     "build": "npm run typecheck && npm run build:mcp && npm run build:ui",
     "build:mcp": "node scripts/build-mcp.js",
     "build:ui": "vite build --config src/ui/vite.config.ts",
-    "dev": "sh -c 'trap \"kill 0\" INT TERM EXIT; npm run dev:room & npm run dev:cloud & wait'",
-    "dev:room": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
-    "dev:cloud": "cd ../cloud && PORT=3710 CLOUD_PUBLIC_URL=http://127.0.0.1:3710 CLOUD_ALLOWED_ORIGINS='http://127.0.0.1:3710,http://localhost:3710,http://localhost:5173,http://127.0.0.1:5173,https://quoroom.ai,https://www.quoroom.ai,https://app.quoroom.ai' npm start",
+    "kill:ports": "node scripts/kill-ports.js",
+    "kill:dev-ports": "npm run kill:ports -- 4700 3710",
+    "dev:links": "node scripts/dev-links.js",
+    "dev": "sh -c 'npm run kill:dev-ports && trap \"kill 0\" INT TERM EXIT; npm run dev:links & npm run dev:room & npm run dev:cloud & wait'",
+    "dev:room": "sh -c 'export QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1; npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700'",
+    "dev:room:isolated": "sh -c 'export QUOROOM_DATA_DIR=$HOME/.quoroom-dev QUOROOM_SKIP_MCP_REGISTER=1; npm run build:mcp && npm run build:ui && node scripts/dev-server.js --port 4700'",
+    "dev:room:shared": "npm run build:mcp && npm run build:ui && node scripts/dev-server.js",
+    "doctor:split": "node scripts/doctor-split.js",
+    "dev:isolated": "sh -c 'npm run kill:dev-ports && trap \"kill 0\" INT TERM EXIT; npm run dev:links & npm run dev:room:isolated & npm run dev:cloud & wait'",
+    "dev:cloud": "sh -c 'npm run kill:ports -- 3710 && cd ../cloud && PORT=3710 CLOUD_PUBLIC_URL=http://127.0.0.1:3710 CLOUD_ALLOWED_ORIGINS='\"'\"'http://127.0.0.1:3710,http://localhost:3710,http://localhost:5173,http://127.0.0.1:5173,https://quoroom.ai,https://www.quoroom.ai,https://app.quoroom.ai'\"'\"' npm start'",
     "dev:ui": "vite --config src/ui/vite.config.ts",
     "seed:style-demo": "node scripts/seed-style-demo.js",
     "typecheck": "tsc --noEmit",
     "test": "npm run rebuild:native:node && vitest run --pool=forks --passWithNoTests",
     "test:watch": "npm run rebuild:native:node && vitest --pool=forks",
+    "test:quick": "npm run typecheck && npm run test",
+    "test:smart-e2e": "git diff --cached --name-only | grep -qE '^(src/ui/|src/server/|e2e/|playwright)' && npm run test:e2e || echo 'No UI/server changes — skipping E2E'",
     "test:e2e": "npm run build && npx playwright test",
     "test:e2e:ui": "npm run build && npx playwright test e2e/ui.test.ts",
+    "test:e2e:setup": "npm run build && npx playwright test e2e/setup-flow.test.ts",
+    "test:e2e:setup:headed": "npm run build && npx playwright test e2e/setup-flow.test.ts --headed --project=chromium",
+    "test:e2e:providers": "npm run build && npx playwright test e2e/provider-flows.test.ts",
     "rebuild:native:node": "node -e \"try{require('better-sqlite3')(':memory:').close()}catch{process.exit(1)}\" || npx --yes node-gyp rebuild --directory=node_modules/better-sqlite3",
     "prepublishOnly": "npm run build:mcp"
   },