npm - rogerrat - Versions diffs - 1.4.1 → 1.19.0 - Mend

rogerrat 1.4.1 → 1.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/account-ui.js CHANGED Viewed

@@ -5,6 +5,9 @@ export function accountHtml() {
 <meta charset="utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>rogerrat — account</title>
+<!-- Loaded for the "Pair phone" QR modal. Stays out of every other page; failure
+     is recoverable — the URL itself is still shown and can be opened directly. -->
+<script src="https://unpkg.com/qrcode@1.5.4/build/qrcode.min.js" defer></script>
 <link rel="icon" type="image/svg+xml" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'><rect width='32' height='32' rx='6' fill='%231a1a1a'/><path d='M 9 7 Q 16 4 23 7' stroke='%23d6541f' stroke-width='1.5' fill='none' stroke-linecap='round'/><ellipse cx='11' cy='14' rx='2' ry='3' fill='%23f4ede0' transform='rotate(-15 11 14)'/><ellipse cx='21' cy='14' rx='2' ry='3' fill='%23f4ede0' transform='rotate(15 21 14)'/><ellipse cx='16' cy='22' rx='8' ry='6.5' fill='%23f4ede0'/><circle cx='13' cy='21' r='1.2' fill='%231a1a1a'/><circle cx='19' cy='21' r='1.2' fill='%231a1a1a'/><ellipse cx='16' cy='25' rx='1.5' ry='1' fill='%23d6541f'/></svg>" />
 <style>
   :root {
@@ -55,6 +58,25 @@ export function accountHtml() {
   .empty { text-align: center; padding: 28px; color: var(--dim); font-size: 13px; }
   footer { margin-top: 48px; padding-top: 20px; border-top: 1px solid var(--line); color: var(--dim); font-size: 12px; }
   footer a { color: var(--dim); }
+  /* Pair-phone modal — used to build a /remote/<id> URL with creds in the fragment */
+  .modal-backdrop {
+    position: fixed; inset: 0; background: rgba(26,26,26,0.55); z-index: 1000;
+    display: flex; align-items: center; justify-content: center; padding: 16px;
+  }
+  .modal-panel {
+    background: var(--paper); border: 2px solid var(--ink); padding: 20px 22px;
+    max-width: 500px; width: 100%; max-height: 90vh; overflow-y: auto;
+  }
+  .modal-head { display: flex; align-items: baseline; justify-content: space-between; margin-bottom: 4px; gap: 12px; }
+  .modal-head h2 { margin: 0; font-size: 17px; }
+  .modal-head .x { background: transparent; color: var(--dim); border: none; padding: 4px 8px; font-size: 18px; cursor: pointer; }
+  #pair-url { background: var(--bg); border: 1px dashed var(--warn); padding: 10px 12px;
+              font-size: 11px; margin: 0; overflow-wrap: anywhere; white-space: pre-wrap;
+              user-select: all; max-height: 90px; overflow-y: auto; }
+  #pair-qr { background: white; padding: 14px; text-align: center; min-height: 240px;
+             border: 1px solid var(--line); }
+  #pair-qr svg { max-width: 100%; height: auto; display: block; margin: 0 auto; }
 </style>
 </head>
 <body>
@@ -194,6 +216,16 @@ export function accountHtml() {
         <tbody id="ident-rows"><tr><td colspan="3" class="empty">No identities yet.</td></tr></tbody>
       </table>
     </div>
+    <div id="reveal" class="card reveal" hidden>
+      <strong>Save these now.</strong> They are shown ONLY on this screen. You will not see them again after navigation.
+      <div id="reveal-body"></div>
+      <div class="reveal-actions">
+        <button data-action="download">⬇ Download .txt</button>
+        <button data-action="copy">⎘ Copy</button>
+        <button id="reveal-pair-btn" hidden>📱 Pair phone now</button>
+      </div>
+    </div>
   </div>
   <footer>
@@ -201,6 +233,55 @@ export function accountHtml() {
   </footer>
 </div>
+<!-- Pair-phone modal: builds a /remote/<id> URL with the channel token + identity
+     in the URL fragment, renders the QR client-side. Token & key are never sent
+     to a third-party renderer. -->
+<div id="pair-modal" class="modal-backdrop" hidden>
+  <div class="modal-panel">
+    <div class="modal-head">
+      <h2>Pair phone with a channel</h2>
+      <button id="pair-close" class="x" aria-label="close">✕</button>
+    </div>
+    <p class="sub">Builds a URL your phone can open. The token + identity_key live in the URL fragment (after <code>#</code>) — so they never reach the server logs or referrers. Treat the URL like a password.</p>
+    <label>Channel</label>
+    <input id="pair-channel" type="text" readonly style="background:var(--bg);color:var(--dim)" />
+    <label style="margin-top:12px">Channel token <span style="color:var(--dim);text-transform:none;letter-spacing:0">(shown once when you created the channel)</span></label>
+    <input id="pair-token" type="password" autocomplete="off" placeholder="paste the join_token" />
+    <p style="font-size:11px;color:var(--dim);margin:14px 0 4px;text-transform:uppercase;letter-spacing:0.06em">Authentication — one of:</p>
+    <label>identity_key <span style="color:var(--dim);text-transform:none;letter-spacing:0">(required if channel has require_identity=true)</span></label>
+    <input id="pair-key" type="password" autocomplete="off" placeholder="(optional)" />
+    <label style="margin-top:8px">or callsign</label>
+    <input id="pair-cs" type="text" autocomplete="off" placeholder="phone" />
+    <label style="margin-top:12px">Owner password <span style="color:var(--dim);text-transform:none;letter-spacing:0">(optional — for trusted channels, flips the phone's session to "human-authorized")</span></label>
+    <input id="pair-pw" type="password" autocomplete="off" placeholder="(optional)" />
+    <p id="pair-err" class="err" hidden></p>
+    <div class="row" style="margin-top:16px">
+      <button id="pair-gen">Generate pair link</button>
+      <span id="pair-status" style="font-size:12px;color:var(--dim)"></span>
+    </div>
+    <div id="pair-output" hidden style="margin-top:18px">
+      <label>Pair URL</label>
+      <pre id="pair-url"></pre>
+      <div class="row" style="margin:8px 0 16px">
+        <button id="pair-copy" class="ghost">⎘ Copy</button>
+        <a id="pair-open" target="_blank" rel="noopener" class="ghost" style="padding:10px 18px;background:transparent;color:var(--dim);border:1px solid var(--line);font-family:inherit;font-size:14px;text-decoration:none;cursor:pointer">↗ Open here</a>
+      </div>
+      <label>QR (scan with phone camera)</label>
+      <div id="pair-qr">QR will appear here…</div>
+      <p style="font-size:11px;color:var(--dim);margin-top:8px"><strong>⚠</strong> Anyone with this URL can drive the agent on this channel. Don't paste it into anything other than your phone.</p>
+    </div>
+  </div>
+</div>
 <script>
   const KEY = 'rogerrat_account_session';
   let session = sessionStorage.getItem(KEY) || '';
@@ -226,6 +307,10 @@ export function accountHtml() {
   function showReveal(filename, text) {
     revealPayload = { filename, text };
     $('reveal-body').innerHTML = '<pre>' + esc(text) + '</pre>';
+    // Default: hide the channel-only "Pair phone" action. Channel-create
+    // unhides + wires it after this call.
+    const pb = $('reveal-pair-btn');
+    if (pb) { pb.hidden = true; pb.onclick = null; }
     $('reveal').hidden = false;
   }
@@ -355,12 +440,18 @@ export function accountHtml() {
         '<td><span style="color:' + trustColor + '">' + trustLabel + '</span></td>' +
         '<td>' + c.agent_count + '</td>' +
         '<td>' + ago + '</td>' +
-        '<td style="text-align:right"><button class="danger" data-ch="' + esc(c.id) + '">Delete</button></td>' +
+        '<td style="text-align:right;white-space:nowrap">' +
+          '<button class="ghost" data-pair="' + esc(c.id) + '" style="font-size:12px;padding:4px 10px;margin-right:6px" title="Build a phone pair URL + QR for this channel">📱 Pair</button>' +
+          '<button class="danger" data-ch="' + esc(c.id) + '">Delete</button>' +
+        '</td>' +
       '</tr>';
     }).join('');
-    tbody.querySelectorAll('button.danger').forEach(btn => {
+    tbody.querySelectorAll('button[data-ch]').forEach(btn => {
       btn.addEventListener('click', () => deleteChannel(btn.dataset.ch));
     });
+    tbody.querySelectorAll('button[data-pair]').forEach(btn => {
+      btn.addEventListener('click', () => openPairModal(btn.dataset.pair));
+    });
   }
   function fmtAgo(ts) {
@@ -605,8 +696,19 @@ export function accountHtml() {
         lines.push('⚠ The owner_password lets joining peers prove human authorization (unlocks trusted-mode trust). Share out-of-band only with peers you actually invited.');
       }
       $('new-owner-password').value = '';
+      // Cache the join_token in this browser session so the "Pair phone" modal
+      // on this channel's row auto-fills the token field. sessionStorage clears
+      // on tab close, so we don't persist the secret beyond the current visit.
+      try { sessionStorage.setItem('rogerrat_chtok_' + data.channel_id, data.join_token); } catch {}
       showReveal('rogerrat-channel-' + data.channel_id + '.txt', lines.join('\\n'));
       loadChannels();
+      // Surface the pair-phone action right after creation — the token is in
+      // memory, so the modal can pre-fill it without the user re-pasting.
+      const pairBtn = $('reveal-pair-btn');
+      if (pairBtn) {
+        pairBtn.hidden = false;
+        pairBtn.onclick = () => openPairModal(data.channel_id, { token: data.join_token });
+      }
     } catch (e) {
       $('channel-err').textContent = 'Error: ' + e.message;
     }
@@ -699,6 +801,93 @@ export function accountHtml() {
     }
   }
+  // ─── Pair-phone modal ──────────────────────────────────────────────────
+  function openPairModal(channelId, prefill) {
+    $('pair-channel').value = channelId;
+    // Auto-fill token from this-session cache (set on channel creation), or
+    // accept an explicit prefill that wins over the cache.
+    let tok = '';
+    try { tok = sessionStorage.getItem('rogerrat_chtok_' + channelId) || ''; } catch {}
+    if (prefill && prefill.token) tok = prefill.token;
+    $('pair-token').value = tok;
+    $('pair-key').value = (prefill && prefill.key) || '';
+    $('pair-cs').value = (prefill && prefill.cs) || '';
+    $('pair-pw').value = (prefill && prefill.pw) || '';
+    $('pair-output').hidden = true;
+    $('pair-err').hidden = true;
+    $('pair-status').textContent = '';
+    $('pair-modal').hidden = false;
+    // Focus the first empty field so the user can paste immediately
+    setTimeout(() => {
+      const first = !$('pair-token').value
+        ? $('pair-token')
+        : (!$('pair-key').value && !$('pair-cs').value ? $('pair-key') : null);
+      if (first) first.focus();
+    }, 30);
+  }
+  function closePairModal() { $('pair-modal').hidden = true; }
+  $('pair-close').addEventListener('click', closePairModal);
+  $('pair-modal').addEventListener('click', (e) => {
+    // Click outside the panel (on the backdrop) closes the modal.
+    if (e.target === $('pair-modal')) closePairModal();
+  });
+  document.addEventListener('keydown', (e) => {
+    if (e.key === 'Escape' && !$('pair-modal').hidden) closePairModal();
+  });
+  $('pair-gen').addEventListener('click', () => {
+    const channelId = $('pair-channel').value;
+    const t = $('pair-token').value.trim();
+    const k = $('pair-key').value.trim();
+    const cs = $('pair-cs').value.trim();
+    const pw = $('pair-pw').value;
+    const err = $('pair-err');
+    err.hidden = true; err.textContent = '';
+    if (!t) { err.hidden = false; err.textContent = 'Channel token is required.'; return; }
+    if (!k && !cs) { err.hidden = false; err.textContent = 'Provide either an identity_key or a callsign.'; return; }
+    const params = new URLSearchParams();
+    params.set('t', t);
+    if (k) params.set('k', k);
+    if (cs) params.set('cs', cs);
+    if (pw) params.set('p', pw);
+    const url = location.origin + '/remote/' + encodeURIComponent(channelId) + '#' + params.toString();
+    $('pair-url').textContent = url;
+    $('pair-open').setAttribute('href', url);
+    $('pair-output').hidden = false;
+    // Render QR client-side. If the qrcode lib failed to load (offline / CDN
+    // blocked), fall back to showing just the URL — the page is still useful.
+    const qr = $('pair-qr');
+    qr.innerHTML = 'rendering…';
+    if (typeof window.QRCode !== 'undefined' && typeof window.QRCode.toString === 'function') {
+      window.QRCode.toString(url, { type: 'svg', errorCorrectionLevel: 'M', margin: 1, width: 256 }, (e, svg) => {
+        if (e) { qr.textContent = 'QR render failed: ' + (e.message || e); return; }
+        qr.innerHTML = svg;
+      });
+    } else {
+      qr.textContent = 'QR library failed to load. The URL above carries the same data — copy it to your phone manually.';
+    }
+  });
+  $('pair-copy').addEventListener('click', () => {
+    const url = $('pair-url').textContent;
+    if (!url) return;
+    const done = () => {
+      const b = $('pair-copy');
+      const prev = b.textContent;
+      b.textContent = '✓ Copied';
+      setTimeout(() => { b.textContent = prev; }, 1500);
+    };
+    if (navigator.clipboard && navigator.clipboard.writeText) {
+      navigator.clipboard.writeText(url).then(done).catch(() => {
+        $('pair-status').textContent = 'copy failed — select the URL and copy manually';
+      });
+    } else {
+      $('pair-status').textContent = 'clipboard API unavailable — select the URL and copy manually';
+    }
+  });
   loadAccount();
 </script>
 </body>

package/dist/app.js CHANGED Viewed

@@ -3,7 +3,8 @@ import { readFileSync } from "node:fs";
 import { dirname, join as joinPath } from "node:path";
 import { fileURLToPath } from "node:url";
 import { Hono } from "hono";
-import { ChannelError, setSessionTtlLookup, startPeriodicGc } from "./channel.js";
+import { streamSSE } from "hono/streaming";
+import { ChannelError, isPriority, setSessionTtlLookup, startPeriodicGc, } from "./channel.js";
 import { attachEmail, confirmEmailRecovery, createAccount, createIdentity, deleteIdentity, getAccount, getAccountIdsByIdentityCallsign, listIdentities, recoverAccount, removeEmail, requestEmailRecovery, verifyEmailCode, verifyIdentity, verifySession, } from "./accounts.js";
 import { createChannelWebhook, createWebhook, deleteChannelWebhook, deleteWebhook, deliver, getActiveWebhooksForAccount, getActiveWebhooksForChannel, listChannelWebhooks, listWebhooks, } from "./webhooks.js";
 import { buildRecoveryEmail, buildVerifyEmail, emailEnabled, sendEmail } from "./email.js";
@@ -16,7 +17,10 @@ import { agentCard } from "./agentcard.js";
 import { llmsText, mcpDescriptor, serviceInfo } from "./discovery.js";
 import { landingHtml } from "./landing.js";
 import { handleMcpRequest } from "./mcp.js";
+import { remoteHtml } from "./remote-ui.js";
+import { createRemoteControl } from "./remote-control.js";
 import { policyHtml, policyText } from "./policy.js";
+import { applyPresetDefaults, getPreset, resolveMode, } from "./presets.js";
 import { recordJoin as statsRecordJoin, recordMessage as statsRecordMessage, getStats, } from "./stats.js";
 import { channelExists, createChannel, deleteChannelByCreator, ensureBands, getChannelIsBand, getChannelRequireIdentity, getChannelRetention, getChannelSessionTtlMs, getChannelTrustMode, hasOwnerPassword, listBands, listChannelsByCreator, verifyChannel, verifyOwnerPassword, } from "./store.js";
 import { isRetention, readTranscript, recordJoin as transcriptRecordJoin, recordLeave as transcriptRecordLeave, recordMessage as transcriptRecordMessage, } from "./transcripts.js";
@@ -25,6 +29,16 @@ export function createApp(opts) {
     setSessionTtlLookup(getChannelSessionTtlMs);
     startPeriodicGc();
     const app = new Hono();
+    // Mode resolution from the Host header. Subdomains like `team.rogerrat.chat`
+    // map to preset modes (team/park/live/go); anything else is "default" (the
+    // canonical rogerrat.chat, full unfiltered context). Stamped on the context
+    // so downstream handlers (channel creation, /llms.txt, MCP tool descriptions,
+    // agent_prompt) can adapt.
+    app.use("*", async (c, next) => {
+        const mode = resolveMode(c.req.header("host"));
+        c.set("mode", mode);
+        await next();
+    });
     app.use("*", async (c, next) => {
         await next();
         c.header("X-Content-Type-Options", "nosniff");
@@ -83,7 +97,10 @@ export function createApp(opts) {
     app.get("/robots.txt", (c) => c.text(`User-agent: *\nDisallow: /admin\nDisallow: /api/\nAllow: /\n\nSitemap: ${opts.publicOrigin}/llms.txt\n`));
     app.get("/api/stats", (c) => c.json(getStats()));
     app.get("/api/v1/info", (c) => c.json(serviceInfo(opts.publicOrigin)));
-    app.get("/llms.txt", (c) => c.text(llmsText(opts.publicOrigin)));
+    app.get("/llms.txt", (c) => {
+        const mode = c.get("mode") ?? "default";
+        return c.text(llmsText(opts.publicOrigin, mode));
+    });
     app.get("/.well-known/mcp.json", (c) => c.json(mcpDescriptor(opts.publicOrigin)));
     app.get("/.well-known/agent.json", (c) => c.json(agentCard(opts.publicOrigin, "1.1.0")));
     // Fix the broken /docs/* links from the nav — redirect to llms.txt (the canonical agent doc).
@@ -91,6 +108,21 @@ export function createApp(opts) {
     app.get("/docs/*", (c) => c.redirect("/llms.txt", 302));
     app.get("/account", (c) => c.html(accountHtml()));
     app.get("/policy", (c) => c.html(policyHtml(opts.publicOrigin)));
+    // Mobile-first remote-control chat. Drives an agent that's already joined
+    // the same channel and looping on `wait`. Credentials are passed via the
+    // URL fragment (#t=…&k=…&cs=…) — fragment never reaches the server, so the
+    // bearer/identity_key don't end up in nginx logs or referrers.
+    app.get("/remote/:channelId", (c) => {
+        const id = c.req.param("channelId");
+        if (!channelExists(id)) {
+            return c.html(`<!doctype html><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/>` +
+                `<title>not found</title><body style="font-family:ui-monospace,Menlo,monospace;background:#f4ede0;padding:24px;color:#1a1a1a">` +
+                `<h1 style="font-size:18px">Channel not found</h1>` +
+                `<p style="color:#7a6f5f;font-size:14px">No channel <code>${id.replace(/[<>&]/g, "")}</code> on this server. The pair link may be stale or wrong.</p>` +
+                `<p><a href="/account" style="color:#d6541f">→ go to /account</a></p></body>`, 404);
+        }
+        return c.html(remoteHtml(id));
+    });
     app.get("/policy.txt", (c) => c.text(policyText(opts.publicOrigin)));
     // ─── Accounts (passwordless, recovery-token based) ───
     function requireSession(c) {
@@ -295,12 +327,11 @@ export function createApp(opts) {
         if (retentionInput !== undefined && !isRetention(retentionInput)) {
             return c.json({ error: "invalid retention; must be one of none|metadata|prompts|full" }, 400);
         }
-        const requireIdentity = body.require_identity === true;
+        const requireIdentityInput = body.require_identity;
         const trustModeInput = body.trust_mode;
         if (trustModeInput !== undefined && trustModeInput !== "untrusted" && trustModeInput !== "trusted") {
             return c.json({ error: "invalid trust_mode; must be 'untrusted' or 'trusted'" }, 400);
         }
-        const trustMode = trustModeInput === "trusted" ? "trusted" : "untrusted";
         const ownerPasswordInput = body.owner_password;
         let ownerPassword;
         if (ownerPasswordInput !== undefined) {
@@ -312,12 +343,30 @@ export function createApp(opts) {
                 ownerPassword = trimmed;
         }
         const sessionTtlSecondsInput = body.session_ttl_seconds;
-        let sessionTtlSeconds;
         if (sessionTtlSecondsInput !== undefined) {
             if (typeof sessionTtlSecondsInput !== "number" || !Number.isFinite(sessionTtlSecondsInput)) {
                 return c.json({ error: "session_ttl_seconds must be a positive number ≤ 86400 (24h)" }, 400);
             }
-            sessionTtlSeconds = sessionTtlSecondsInput;
+        }
+        // Apply preset defaults from the subdomain (mode resolved by the host
+        // middleware). Body fields always win — operators with `?preset=` flags
+        // disabled or curl users passing explicit values aren't surprised.
+        const mode = c.get("mode") ?? "default";
+        const presetMerged = applyPresetDefaults(mode, {
+            retention: retentionInput,
+            require_identity: requireIdentityInput === true ? true : requireIdentityInput === false ? false : undefined,
+            trust_mode: trustModeInput,
+            session_ttl_seconds: sessionTtlSecondsInput,
+        });
+        const retention = presetMerged.retention;
+        const requireIdentity = presetMerged.require_identity;
+        const trustMode = presetMerged.trust_mode;
+        const sessionTtlSeconds = presetMerged.session_ttl_seconds;
+        // Auto-mint owner_password for presets that opt in (e.g. `go.`): gives
+        // "trusted-authorized" trust posture without an identity dance.
+        const preset = getPreset(mode);
+        if (!ownerPassword && preset?.autoMintOwnerPassword) {
+            ownerPassword = randomUUID().replace(/-/g, "").slice(0, 16);
         }
         let creatorAccountId;
         const auth = c.req.header("authorization") ?? c.req.header("Authorization") ?? "";
@@ -331,7 +380,7 @@ export function createApp(opts) {
             }
         }
         const result = createChannel({
-            retention: retentionInput,
+            retention,
             require_identity: requireIdentity,
             trust_mode: trustMode,
             session_ttl_seconds: sessionTtlSeconds,
@@ -340,13 +389,13 @@ export function createApp(opts) {
         });
         if ("error" in result)
             return c.json(result, 400);
-        const { id, token, retention, require_identity, trust_mode, session_ttl_seconds, creator_account_id, has_owner_password } = result;
+        const { id, token, retention: createdRetention, require_identity: createdRequireIdentity, trust_mode: createdTrustMode, session_ttl_seconds: createdTtl, creator_account_id, has_owner_password, } = result;
         return c.json({
-            ...buildConnectInfo(id, token, opts.publicOrigin, { ownerPassword, trustMode }),
-            retention,
-            require_identity,
-            trust_mode,
-            session_ttl_seconds,
+            ...buildConnectInfo(id, token, opts.publicOrigin, { ownerPassword, trustMode, mode }),
+            retention: createdRetention,
+            require_identity: createdRequireIdentity,
+            trust_mode: createdTrustMode,
+            session_ttl_seconds: createdTtl,
             creator_account_id,
             has_owner_password,
             owner_password: ownerPassword ?? null,
@@ -362,6 +411,33 @@ export function createApp(opts) {
         }));
         return c.json({ channels: channelList });
     });
+    // One-shot bootstrap for the "drive the agent from my phone" flow. Creates
+    // a private trusted channel + two identities (one for the agent on this
+    // machine, one for the phone) and returns a mobile_url with creds in the
+    // URL fragment. If the caller passes a session_token, the channel is bound
+    // to that account; otherwise a fresh anonymous account is minted (the
+    // recovery_token comes back so the caller can keep it if they want).
+    app.post("/api/remote-control", async (c) => {
+        let body = {};
+        try {
+            const raw = c.req.header("content-type")?.startsWith("application/json") ? await c.req.json() : {};
+            if (raw && typeof raw === "object")
+                body = raw;
+        }
+        catch {
+            /* body optional */
+        }
+        const sessionToken = typeof body.session_token === "string" ? body.session_token : undefined;
+        const result = await createRemoteControl({ publicOrigin: opts.publicOrigin, sessionToken });
+        if ("error" in result) {
+            const status = result.code === "unauthorized" ? 401 : 500;
+            return c.json({ error: result.error }, status);
+        }
+        return c.json({
+            ...result,
+            notice: "Two-step phone flow: (1) open mobile_url on the phone; (2) type owner_password on the /remote setup screen to mark the phone session as human-authorized. The password is NOT embedded in mobile_url on purpose — relay it through a separate channel so a leaked URL alone can't impersonate the human. On the agent side (this machine), join with agent.identity_key + owner_password and then loop on `wait`.",
+        });
+    });
     app.delete("/api/account/channels/:id", (c) => {
         const r = requireSession(c);
         if (r instanceof Response)
@@ -667,6 +743,11 @@ export function createApp(opts) {
         const to = String(body.to ?? "");
         // Accept either `message` or `text` (transcripts return `text`, so clients reasonably try both).
         const message = String(body.message ?? body.text ?? "");
+        // Optional ntfy-style priority. Server stores it; receivers decide what to do.
+        const priorityInput = body.priority;
+        if (priorityInput !== undefined && !isPriority(priorityInput)) {
+            return c.json({ error: "invalid priority; must be one of min|low|default|high|urgent", code: "invalid" }, 400);
+        }
         const channel = getOrCreateChannel(channelId);
         try {
             const isBand = getChannelIsBand(channelId);
@@ -679,12 +760,19 @@ export function createApp(opts) {
                     retry_after_seconds: rate.retryAfter,
                 }, 429);
             }
-            const msg = channel.send(sessionId, to, message);
+            const msg = channel.send(sessionId, to, message, priorityInput);
             statsRecordMessage();
             transcriptRecordMessage(channelId, getChannelRetention(channelId), msg);
             fanoutWebhooks(channelId, msg);
             const queued = msg.to !== "all" && !channel.isCallsignOnline(msg.to);
-            return c.json({ ok: true, id: msg.id, at: msg.at, queued, to: msg.to });
+            return c.json({
+                ok: true,
+                id: msg.id,
+                at: msg.at,
+                queued,
+                to: msg.to,
+                ...(msg.priority ? { priority: msg.priority } : {}),
+            });
         }
         catch (e) {
             return handleChannelError(c, e);
@@ -713,6 +801,138 @@ export function createApp(opts) {
             return handleChannelError(c, e);
         }
     });
+    // Wait: the canonical idle action. Same semantics as listen but with a longer
+    // ceiling (up to 5 min) and an explicit meta_hint nudge on empty returns —
+    // designed for agents that should sit waiting for a peer.
+    app.get("/api/channels/:id/wait", async (c) => {
+        const channelId = c.req.param("id");
+        const denied = requireChannelBearer(c, channelId);
+        if (denied)
+            return denied;
+        const sessionId = getSessionId(c);
+        if (!sessionId)
+            return c.json({ error: "X-Session-Id header required (returned by /join)", code: "invalid" }, 400);
+        const timeoutSec = Math.max(1, Math.min(300, Number(c.req.query("timeout") ?? 120)));
+        const sinceRaw = c.req.query("since");
+        const since = sinceRaw !== undefined ? Number(sinceRaw) : undefined;
+        if (sinceRaw !== undefined && !Number.isFinite(since)) {
+            return c.json({ error: "since must be a numeric message id", code: "invalid" }, 400);
+        }
+        const channel = getOrCreateChannel(channelId);
+        try {
+            const msgs = await channel.listen(sessionId, timeoutSec * 1000, since);
+            const empty = msgs.length === 0;
+            return c.json({
+                messages: msgs,
+                timed_out: empty,
+                roster: channel.roster(),
+                meta_hint: empty
+                    ? "No new messages this round. Call /wait again — keep looping while you're waiting for a peer. If they seem fully offline, send anyway: messages queue per-callsign and deliver on their next listen/wait."
+                    : `${msgs.length} new message${msgs.length === 1 ? "" : "s"}. After acting, call /wait again to hear replies.`,
+            });
+        }
+        catch (e) {
+            return handleChannelError(c, e);
+        }
+    });
+    // Stream: SSE push of incoming messages. Stays open until the client disconnects.
+    // Unlike /listen and /wait this is NOT turn-based — designed for `npx rogerrat
+    // listen-here` and any always-on consumer that wants zero polling cost. The session
+    // stays alive for as long as the connection is held (streamer counts as activity
+    // for the GC, so a parked agent with an open stream is never reaped).
+    //
+    // Query params:
+    //   - since=<msg_id>  resume from a known id (skips per-session cursor)
+    //
+    // Events emitted:
+    //   - event: hello    once, on connect, with channel metadata
+    //   - event: message  each delivered message (id, from, to, text, at)
+    //   - event: error    typed channel error before close (rare; pre-validated)
+    //   - :ping           comment line every 25s to defeat idle-proxy disconnects
+    app.get("/api/channels/:id/stream", (c) => {
+        const channelId = c.req.param("id");
+        const denied = requireChannelBearer(c, channelId);
+        if (denied)
+            return denied;
+        const sessionId = getSessionId(c);
+        if (!sessionId) {
+            return c.json({ error: "X-Session-Id header required (returned by /join)", code: "invalid" }, 400);
+        }
+        const sinceRaw = c.req.query("since");
+        const since = sinceRaw !== undefined ? Number(sinceRaw) : undefined;
+        if (sinceRaw !== undefined && !Number.isFinite(since)) {
+            return c.json({ error: "since must be a numeric message id", code: "invalid" }, 400);
+        }
+        const channel = getOrCreateChannel(channelId);
+        // Pre-validate session so we can return a real 4xx instead of streaming an error.
+        try {
+            channel.keepalive(sessionId);
+        }
+        catch (e) {
+            return handleChannelError(c, e);
+        }
+        const callsign = channel.callsignOf(sessionId);
+        return streamSSE(c, async (stream) => {
+            const queue = [];
+            let waker = null;
+            const wake = () => {
+                const w = waker;
+                waker = null;
+                if (w)
+                    w();
+            };
+            const detach = channel.addStreamListener(sessionId, (msg) => {
+                queue.push(msg);
+                wake();
+            });
+            // Drain backlog AFTER subscribing — both ops are sync so no race window.
+            const backlog = channel.drainSince(sessionId, since);
+            queue.unshift(...backlog);
+            const pingTimer = setInterval(() => {
+                stream.write(": ping\n\n").catch(() => { });
+            }, 25_000);
+            pingTimer.unref?.();
+            const abortSignal = c.req.raw.signal;
+            const onAbort = () => wake();
+            abortSignal.addEventListener("abort", onAbort);
+            try {
+                await stream.writeSSE({
+                    event: "hello",
+                    data: JSON.stringify({
+                        channel_id: channelId,
+                        callsign,
+                        roster: channel.roster(),
+                        backlog_count: backlog.length,
+                    }),
+                });
+                while (!abortSignal.aborted) {
+                    while (queue.length > 0) {
+                        const msg = queue.shift();
+                        await stream.writeSSE({
+                            event: "message",
+                            data: JSON.stringify(msg),
+                            id: String(msg.id),
+                        });
+                    }
+                    if (abortSignal.aborted)
+                        break;
+                    await new Promise((resolve) => {
+                        waker = resolve;
+                    });
+                }
+            }
+            catch (err) {
+                // Client disconnect surfaces as a write error — silent. Anything else, log.
+                if (!abortSignal.aborted)
+                    console.error(`[stream ${channelId}/${callsign}]`, err);
+            }
+            finally {
+                abortSignal.removeEventListener("abort", onAbort);
+                clearInterval(pingTimer);
+                detach();
+            }
+        });
+    });
     app.get("/api/channels/:id/stats", (c) => {
         const channelId = c.req.param("id");
         const denied = requireChannelBearer(c, channelId);
@@ -863,7 +1083,8 @@ export function createApp(opts) {
             return c.json({ jsonrpc: "2.0", id: null, error: { code: -32600, message: "invalid request" } }, 400);
         }
         const sessionId = c.req.header("mcp-session-id") ?? c.req.header("Mcp-Session-Id");
-        const result = await handleMcpRequest(channelId, body, sessionId, opts.publicOrigin);
+        const mcpMode = c.get("mode") ?? "default";
+        const result = await handleMcpRequest(channelId, body, sessionId, opts.publicOrigin, mcpMode);
         if (result.sessionId)
             c.header("Mcp-Session-Id", result.sessionId);
         if (result.body === null)