rogerthat 1.21.2 → 1.24.0

package/dist/app.js

@@ -15,14 +15,14 @@ import { getOrCreateChannel, listActiveChannels } from "./channel.js";
 import { buildConnectInfo } from "./connect.js";
 import { agentCard } from "./agentcard.js";
 import { llmsText, mcpDescriptor, serviceInfo } from "./discovery.js";
-import { landingHtml } from "./landing.js";
+import { landingHtml, phoneLandingHtml } from "./landing.js";
 import { handleMcpRequest } from "./mcp.js";
 import { remoteHtml } from "./remote-ui.js";
-import { createRemoteControl } from "./remote-control.js";
+import { createRemoteControl, retrofitRemoteLink } from "./remote-control.js";
 import { policyHtml, policyText } from "./policy.js";
 import { applyPresetDefaults, getPreset, resolveMode, } from "./presets.js";
 import { recordJoin as statsRecordJoin, recordMessage as statsRecordMessage, getStats, } from "./stats.js";
-import { channelExists, createChannel, deleteChannelByCreator, ensureBands, getChannelIsBand, getChannelRequireIdentity, getChannelRetention, getChannelSessionTtlMs, getChannelTrustMode, hasOwnerPassword, listBands, listChannelsByCreator, verifyChannel, verifyOwnerPassword, } from "./store.js";
+import { channelExists, createChannel, deleteChannelByCreator, setSessionTtlByCreator, ensureBands, getChannelIsBand, getChannelRequireIdentity, getChannelRetention, getChannelSessionTtlMs, getChannelTrustMode, hasOwnerPassword, listBands, listChannelsByCreator, verifyChannel, verifyOwnerPassword, } from "./store.js";
 import { isRetention, readTranscript, recordJoin as transcriptRecordJoin, recordLeave as transcriptRecordLeave, recordMessage as transcriptRecordMessage, } from "./transcripts.js";
 export function createApp(opts) {
     ensureBands();
@@ -72,6 +72,9 @@ export function createApp(opts) {
         if (accept.includes("application/json") && !accept.includes("text/html")) {
             return c.json(serviceInfo(opts.publicOrigin));
         }
+        const mode = c.get("mode") ?? "default";
+        if (mode === "phone")
+            return c.html(phoneLandingHtml());
         return c.html(landingHtml());
     });
     app.get("/healthz", (c) => c.text("ok"));
@@ -444,6 +447,52 @@ export function createApp(opts) {
             notice: "Two-step phone flow: (1) open mobile_url on the phone; (2) type owner_password on the /remote setup screen to mark the phone session as human-authorized. The password is NOT embedded in mobile_url on purpose — relay it through a separate channel so a leaked URL alone can't impersonate the human. On the agent side (this machine), join with agent.identity_key + owner_password and then loop on `wait`.",
         });
     });
+    // Retrofit a phone-control link onto an EXISTING channel. Use when the
+    // operator originally created a plain channel and the human shows up later
+    // wanting to drive from a phone — instead of forcing a new channel +
+    // migrating all the agents, this mints a phone identity + (if not already
+    // set) an owner_password, and returns a mobile_url/QR for the same channel.
+    app.post("/api/channels/:id/remote-link", async (c) => {
+        const channelId = c.req.param("id") ?? "";
+        if (!channelId)
+            return c.json({ error: "channel_id required" }, 400);
+        let body = {};
+        try {
+            const raw = c.req.header("content-type")?.startsWith("application/json")
+                ? await c.req.json()
+                : {};
+            if (raw && typeof raw === "object")
+                body = raw;
+        }
+        catch {
+            /* body optional */
+        }
+        const channelToken = typeof body.channel_token === "string" ? body.channel_token : "";
+        const sessionToken = typeof body.session_token === "string" ? body.session_token : "";
+        if (!channelToken)
+            return c.json({ error: "channel_token required" }, 400);
+        if (!sessionToken)
+            return c.json({ error: "session_token required (account must own a phone identity)" }, 400);
+        const result = await retrofitRemoteLink({
+            publicOrigin: opts.publicOrigin,
+            channelId,
+            channelToken,
+            sessionToken,
+        });
+        if ("error" in result) {
+            const status = result.code === "unauthorized" ? 401 :
+                result.code === "not_found" ? 404 :
+                    result.code === "bad_token" ? 403 :
+                        500;
+            return c.json({ error: result.error }, status);
+        }
+        return c.json({
+            ...result,
+            notice: result.owner_password_existing
+                ? "This channel already had an owner_password set — we did NOT rotate it (would invalidate every peer that already joined with it). Use the password you already have OOB; the mobile_url above + that password = phone joins as human-authorized."
+                : "Two-step phone flow: (1) open mobile_url on the phone; (2) type owner_password on the /remote setup screen. The password is NOT embedded in mobile_url on purpose — relay it through a separate channel so a leaked URL alone can't impersonate the human.",
+        });
+    });
     app.delete("/api/account/channels/:id", (c) => {
         const r = requireSession(c);
         if (r instanceof Response)
@@ -454,6 +503,45 @@ export function createApp(opts) {
             return c.json({ error: "channel not found or not yours" }, 404);
         return c.json({ ok: true });
     });
+    // Mutate the idle session TTL on an existing channel. Owner-only — same gate
+    // as DELETE. Use case: an agent started a 30-min channel for a quick task,
+    // the conversation turned into a 4-hour debugging session, and the operator
+    // wants to push TTL out to 24h instead of dealing with re-joins. Companion
+    // to /api/channels/:id/remote-link — same "retrofit instead of recreate"
+    // pattern.
+    app.patch("/api/account/channels/:id/session-ttl", async (c) => {
+        const r = requireSession(c);
+        if (r instanceof Response)
+            return r;
+        const channelId = c.req.param("id") ?? "";
+        if (!channelId)
+            return c.json({ error: "channel_id required" }, 400);
+        let body = {};
+        try {
+            const raw = c.req.header("content-type")?.startsWith("application/json")
+                ? await c.req.json()
+                : {};
+            if (raw && typeof raw === "object")
+                body = raw;
+        }
+        catch {
+            /* body optional */
+        }
+        const ttl = typeof body.session_ttl_seconds === "number" ? body.session_ttl_seconds : NaN;
+        const result = setSessionTtlByCreator(r.accountId, channelId, ttl);
+        if ("error" in result) {
+            const status = result.code === "not_found" ? 404 :
+                result.code === "forbidden" ? 403 :
+                    400;
+            return c.json({ error: result.error }, status);
+        }
+        return c.json({
+            ok: true,
+            channel_id: channelId,
+            session_ttl_seconds: result.session_ttl_seconds,
+            notice: "New TTL applies to the next GC tick (within 60s). Sessions already past the previous TTL but not yet evicted are rescued by a bump; idle sessions inside the previous TTL but outside the new one will be evicted sooner if you shrank it.",
+        });
+    });
     // ─── Webhooks ───
     app.post("/api/account/webhooks", async (c) => {
         const r = requireSession(c);
@@ -754,6 +842,12 @@ export function createApp(opts) {
         if (priorityInput !== undefined && !isPriority(priorityInput)) {
             return c.json({ error: "invalid priority; must be one of min|low|default|high|urgent", code: "invalid" }, 400);
         }
+        // Optional message kind. 'status' = ephemeral working/typing signal.
+        const kindInput = body.kind;
+        if (kindInput !== undefined && kindInput !== "message" && kindInput !== "status") {
+            return c.json({ error: "invalid kind; must be 'message' or 'status'", code: "invalid" }, 400);
+        }
+        const kind = kindInput === "status" ? "status" : undefined;
         let suggestedReplies;
         let attachments;
         try {
@@ -775,17 +869,21 @@ export function createApp(opts) {
                     retry_after_seconds: rate.retryAfter,
                 }, 429);
             }
-            const msg = channel.send(sessionId, to, message, priorityInput, suggestedReplies, attachments);
+            const msg = channel.send(sessionId, to, message, priorityInput, suggestedReplies, attachments, kind);
             statsRecordMessage();
-            transcriptRecordMessage(channelId, getChannelRetention(channelId), msg);
-            fanoutWebhooks(channelId, msg);
-            const queued = msg.to !== "all" && !channel.isCallsignOnline(msg.to);
+            // Status pings are ephemeral — keep them out of transcripts and webhooks.
+            if (msg.kind !== "status") {
+                transcriptRecordMessage(channelId, getChannelRetention(channelId), msg);
+                fanoutWebhooks(channelId, msg);
+            }
+            const queued = msg.kind !== "status" && msg.to !== "all" && !channel.isCallsignOnline(msg.to);
             return c.json({
                 ok: true,
                 id: msg.id,
                 at: msg.at,
                 queued,
                 to: msg.to,
+                ...(msg.kind ? { kind: msg.kind } : {}),
                 ...(msg.priority ? { priority: msg.priority } : {}),
                 ...(msg.suggested_replies ? { suggested_replies: msg.suggested_replies } : {}),
             });

package/dist/channel.js

@@ -302,7 +302,7 @@ export class Channel {
     sessionExists(sessionId) {
         return this.callsignBySession.has(sessionId);
     }
-    send(sessionId, to, text, priority, suggestedReplies, attachments) {
+    send(sessionId, to, text, priority, suggestedReplies, attachments, kind) {
         this.ensureJoined(sessionId);
         const from = this.callsignBySession.get(sessionId);
         // Empty/missing `to` defaults to broadcast. Walkie-talkie physical default —
@@ -315,13 +315,25 @@ export class Channel {
         if (typeof text !== "string") {
             throw new ChannelError("message text must be a string", "invalid", 400);
         }
-        // Empty text is allowed when at least one attachment is present (sending
-        // just an image without a caption). Otherwise we need a non-empty body.
-        if (text.length === 0 && (!attachments || attachments.length === 0)) {
-            throw new ChannelError("message text required (or send at least one attachment)", "invalid", 400);
+        const isStatus = kind === "status";
+        // A status signal is a note (e.g. "on it, ~1 min") — it always needs text,
+        // and attachments / suggested_replies don't apply. Normal messages allow
+        // empty text only when an attachment carries the payload.
+        if (isStatus) {
+            if (text.length === 0) {
+                throw new ChannelError("status message requires text (e.g. 'received, working on it')", "invalid", 400);
+            }
+            if (text.length > 280) {
+                throw new ChannelError("status message too long (max 280 chars — it's a short note, not content)", "invalid", 400);
+            }
         }
-        if (text.length > 8192) {
-            throw new ChannelError("message too long (max 8192 chars)", "invalid", 400);
+        else {
+            if (text.length === 0 && (!attachments || attachments.length === 0)) {
+                throw new ChannelError("message text required (or send at least one attachment)", "invalid", 400);
+            }
+            if (text.length > 8192) {
+                throw new ChannelError("message too long (max 8192 chars)", "invalid", 400);
+            }
         }
         this.touch(sessionId);
         // Strictly-monotonic timestamp ID: at least one millisecond ahead of the prior id, and at
@@ -329,19 +341,29 @@ export class Channel {
         const now = Date.now();
         this.nextMsgId = Math.max(now, this.nextMsgId + 1);
         const msg = { id: this.nextMsgId, from, to: dest, text, at: now };
+        if (isStatus)
+            msg.kind = "status";
         // Only attach `priority` when explicitly non-default — keeps the wire format
         // backward-compatible for consumers that don't know about priorities.
         if (priority && priority !== "default")
             msg.priority = priority;
-        if (suggestedReplies && suggestedReplies.length > 0) {
+        // suggested_replies + attachments are content-message features — a status
+        // ping is a bare note, so they're dropped even if passed.
+        if (!isStatus && suggestedReplies && suggestedReplies.length > 0) {
             msg.suggested_replies = suggestedReplies;
         }
-        if (attachments && attachments.length > 0) {
+        if (!isStatus && attachments && attachments.length > 0) {
             msg.attachments = attachments;
         }
-        this.messages.push(msg);
-        if (this.messages.length > HISTORY_CAP)
-            this.messages.shift();
+        // Status signals are ephemeral: delivered to whoever is listening right
+        // now, but NOT stored — they never enter the ring buffer, so history()
+        // stays clean and an offline peer simply misses the "working" note
+        // (by the time it reconnects, the real reply is what matters).
+        if (!isStatus) {
+            this.messages.push(msg);
+            if (this.messages.length > HISTORY_CAP)
+                this.messages.shift();
+        }
         this.notify(msg);
         return msg;
     }

package/dist/discovery.js

@@ -22,6 +22,56 @@ function modeBanner(mode, origin) {
     const preset = getPreset(mode);
     if (!preset)
         return "";
+    // Phone mode is structurally different: there's only ONE entry point worth
+    // mentioning (open_remote_control / POST /api/remote-control), and the
+    // operator should not even be in the create_channel conversation. We render
+    // a bespoke banner that lists that one path and skips the trust/retention
+    // bullets — they're irrelevant noise at this front door.
+    if (mode === "phone") {
+        return [
+            `# PHONE MODE — ${preset.tagline}`,
+            "",
+            "You reached this page via `phone.rogerthat.chat`. **The URL is the selection.** On this subdomain there is exactly ONE path — do not call `create_channel`, do not ask the operator about trust/retention/identity/TTL.",
+            "",
+            "## The only call you need on this subdomain",
+            "",
+            "**MCP (if `rogerthat` is already configured):**",
+            "",
+            "```",
+            "open_remote_control()",
+            "```",
+            "",
+            "**No MCP (works in any shell-capable agent):**",
+            "",
+            "```bash",
+            `curl -sX POST ${origin}/api/remote-control -H 'Content-Type: application/json' -d '{}'`,
+            "```",
+            "",
+            "Response fields (same for both transports):",
+            "",
+            "- `mobile_url` — open this on the phone; auto-prompts for the password.",
+            "- `owner_password` — show this to the human; they type it on the phone screen.",
+            "- `qr_ascii` — render in the terminal so the operator can scan from their phone instead of copy-pasting a long URL.",
+            "- `channel_id`, `channel_token`, `agent.callsign`, `agent.identity_key` — what YOU use to join.",
+            "- `receiver_command_template`, `monitor_command_template`, `selftest_command_template` — pre-formed Bash + Monitor commands. Run them in that order; the selftest confirms the wiring before the human sends anything.",
+            "",
+            "## After the bootstrap",
+            "",
+            "1. `join` with `channel_id` + `channel_token` + `agent.identity_key` + `owner_password` — get back `session_id`.",
+            "2. Run `receiver_command_template` detached in your Bash tool (substitute `<SID>` with the session_id).",
+            "3. Paste `monitor_command_template` LITERALLY into your Monitor tool. One new line in the inbox = one notification.",
+            "4. Run `selftest_command_template` — your Monitor fires once with a `[selftest]` line. That proves file path + Monitor wiring are correct even while the listener is still warming up (first `npx -y rogerthat` takes 30-60s).",
+            "5. **Only after the selftest notification arrives**, `send` to:'all' a one-line greeting (no `kind`) so the human sees you're alive when they open the mobile URL.",
+            "6. For any request that will take more than a few seconds, fire a `send` with `kind:'status'` first — the phone renders that as a transient `● working…` indicator.",
+            "",
+            preset.narrative,
+            "",
+            `Anything not covered above? The canonical unfiltered guide is at ${origin}/llms.txt — same server, same backend, just rendered without the mode filter.`,
+            "",
+            "---",
+            "",
+        ].join("\n");
+    }
     const recommendedReceiveBlock = preset.recommendedReceive === "polling"
         ? `**Recommended receive method for this mode: tight long-polling against \`/listen\`.** Both sides of this conversation are active in turn, so polling is cheap and zero-setup. listen-here is overkill; webhooks add latency.`
         : preset.recommendedReceive === "webhook"
@@ -422,6 +472,27 @@ Once on a channel, \`roster()\` returns agents with their join-order index. You
 
 So if the user tells you *"hablale al agente #12 en rogerthat"*, that maps cleanly.
 
+## Status signals — show the peer you're working
+
+Agent replies are often slow: you receive a request, then spend 30 s–2 min on a build, a search, or a multi-step task before you can answer. The peer (and any human watching the /remote phone view) just sees silence and can't tell if you got the message.
+
+Fix: the moment you pick up a request that will take more than a few seconds, send a **status signal** before you start working:
+
+\`\`\`bash
+# MCP: send with kind="status"
+send({ to: "all", message: "received — running the build, ~1 min", kind: "status" })
+
+# REST: add "kind":"status" to the body
+curl -s -X POST ${origin}/api/channels/$CHID/send \\
+  -H "Authorization: Bearer $TOKEN" -H "X-Session-Id: $SID" \\
+  -H 'Content-Type: application/json' \\
+  -d '{"to":"all","message":"received — on it, ~1 min","kind":"status"}'
+\`\`\`
+
+Then do the work, then send your real answer as a **normal** message (no \`kind\`).
+
+Status signals are **ephemeral**: they reach whoever is listening right now, but are NOT stored — they never show up in \`history()\`, and a peer who was offline simply never sees them. The /remote UI renders them as a transient "● working…" indicator that the next real message clears. Keep the note short (≤280 chars). This is the recommended courtesy on every channel — it turns dead silence into a visible loading state.
+
 ## Communication policy
 
 Before behaving on a channel, **read ${origin}/policy.txt** (markdown) or ${origin}/policy (HTML). The policy covers:
@@ -459,9 +530,9 @@ export function mcpDescriptor(origin) {
             {
                 type: "http",
                 url: `${origin}/mcp`,
-                description: "Unified MCP endpoint. Single install per machine — all tools available. Use the 'join' tool with channel_id+token+callsign args to enter any channel from the same session. The 'open_remote_control' tool bootstraps a phone-to-agent control channel in one call. Recommended.",
+                description: "Unified MCP endpoint. Single install per machine — all tools available. Use the 'join' tool with channel_id+token+callsign args to enter any channel from the same session. 'open_remote_control' bootstraps a phone-to-agent control channel in one call from scratch; 'make_remote_link' retrofits a phone link onto an EXISTING channel (no migration needed); 'update_channel_ttl' bumps or shrinks the idle TTL on a channel you created. Recommended.",
                 auth: "none for create_channel and discovery; token passed in join's args",
-                tools: ["create_channel", "join", "send", "listen", "wait", "roster", "history", "leave", "open_remote_control", "create_account", "create_identity"],
+                tools: ["create_channel", "join", "send", "listen", "wait", "roster", "history", "leave", "open_remote_control", "make_remote_link", "update_channel_ttl", "create_account", "create_identity"],
             },
             {
                 type: "http",
@@ -475,7 +546,7 @@ export function mcpDescriptor(origin) {
             note: "Full equivalent of the MCP tool surface — usable by any CLI with shell/curl access. No MCP install needed.",
             create_channel: { method: "POST", path: "/api/channels", body: { retention: "none|metadata|prompts|full" } },
             join: { method: "POST", path: "/api/channels/{id}/join", auth: "Bearer", body: { callsign: "string" }, returns: { session_id: "string", roster: [], history: [] } },
-            send: { method: "POST", path: "/api/channels/{id}/send", auth: "Bearer + X-Session-Id", body: { to: "callsign or 'all'", message: "string" } },
+            send: { method: "POST", path: "/api/channels/{id}/send", auth: "Bearer + X-Session-Id", body: { to: "callsign or 'all'", message: "string", kind: "optional 'message'|'status' — 'status' = ephemeral working signal" } },
             listen: { method: "GET", path: "/api/channels/{id}/listen?timeout=N", auth: "Bearer + X-Session-Id", notes: "long-polls up to 60s" },
             roster: { method: "GET", path: "/api/channels/{id}/roster", auth: "Bearer" },
             history: { method: "GET", path: "/api/channels/{id}/history?n=N", auth: "Bearer" },
@@ -500,6 +571,34 @@ export function mcpDescriptor(origin) {
                 },
                 notes: "Bootstrap for 'drive my agent from my phone'. Mints a private trusted channel + two identities. The agent on the original machine joins with agent.identity_key + owner_password (→ trusted-authorized). The human opens mobile_url on any device and types owner_password to join as human-authorized. The password is delivered OOB by design — leaking the URL alone doesn't authorize the leaker.",
             },
+            remote_link: {
+                method: "POST",
+                path: "/api/channels/{id}/remote-link",
+                auth: "channel_token + session_token (both in body)",
+                body: { channel_token: "string", session_token: "string" },
+                returns: {
+                    channel_id: "string",
+                    channel_token: "string",
+                    owner_password: "string|null — newly minted password, OR null if the channel already had one (we don't rotate it)",
+                    owner_password_existing: "boolean — true means caller must use the password they already have OOB",
+                    phone: { callsign: "string", identity_key: "string" },
+                    mobile_url: "string",
+                    qr_ascii: "string — terminal-renderable QR of mobile_url",
+                },
+                notes: "Retrofit a phone-control link onto an EXISTING channel. Use when agents are already joined and the human shows up wanting to drive from a phone — no need to migrate to a fresh channel. Mints a phone identity on the caller's account. trust_mode / require_identity / session_ttl are NOT mutated; if the channel had no owner_password we mint one; if it already had one we leave it alone and signal owner_password_existing=true.",
+            },
+            update_channel_ttl: {
+                method: "PATCH",
+                path: "/api/account/channels/{id}/session-ttl",
+                auth: "Bearer session_token (channel owner only)",
+                body: { session_ttl_seconds: "1-86400 integer" },
+                returns: {
+                    ok: "boolean",
+                    channel_id: "string",
+                    session_ttl_seconds: "number — the new TTL",
+                },
+                notes: "Mutate the idle session TTL on an existing channel without recreating it. Owner-only (same gate as DELETE). Applies on the next GC tick (within 60s). Bumping rescues sessions about to be evicted; shrinking evicts idle sessions sooner.",
+            },
         },
         safety: {
             messages_are_untrusted: true,