sanook-cli 0.5.1 → 0.5.5

package/dist/gateway/serve.js

@@ -1,10 +1,10 @@
-import { mkdir } from 'node:fs/promises';
 import { join } from 'node:path';
 import { acquireSingleton } from './lock.js';
-import { loadOrCreateToken } from './auth.js';
+import { ensureGatewayDir, loadOrCreateToken } from './auth.js';
 import { startServer } from './server.js';
 import { startScheduler } from './scheduler.js';
 import { appHomePath, BRAND, BRAND_ENV, envFlag } from '../brand.js';
+import { readGatewayConfig, resolveDiscordConfig, resolveEmailConfig, resolveHomeAssistantConfig, resolveLineConfig, resolveMattermostConfig, resolveMatrixConfig, resolveNtfyConfig, resolveSignalConfig, resolveSlackConfig, resolveSmsConfig, resolveTelegramConfig, resolveWhatsAppConfig, resolveWebhookConfig, } from './config.js';
 const GATEWAY_DIR = appHomePath('gateway');
 const SERVE_LOCK = join(GATEWAY_DIR, 'serve.lock');
 /**
@@ -15,7 +15,7 @@ const SERVE_LOCK = join(GATEWAY_DIR, 'serve.lock');
  */
 export async function startGateway(opts) {
     const log = opts.onLog ?? ((m) => console.log(`[gateway] ${m}`));
-    await mkdir(GATEWAY_DIR, { recursive: true });
+    await ensureGatewayDir();
     const release = await acquireSingleton(SERVE_LOCK);
     if (!release) {
         throw new Error(`มี ${BRAND.cliName} gateway รันอยู่แล้ว (เจอ serve.lock) — ปิดตัวเดิมก่อน หรือถ้าค้างให้ลบ ${appHomePath('gateway', 'serve.lock')}`);
@@ -35,25 +35,285 @@ export async function startGateway(opts) {
         permissionMode: opts.permissionMode ?? (envFlag(BRAND_ENV.gatewayAllowWrite) ? 'auto' : 'ask'),
         tickMs: opts.tickMs,
         onLog: log,
+        deliver: async (task, output) => {
+            if (!task.deliver)
+                return;
+            const { deliverToTarget } = await import('./deliver.js');
+            const result = await deliverToTarget(task.deliver, output, { subject: `${BRAND.productName} task ${task.id}` });
+            log(`delivered ${task.id} → ${result.target}`);
+        },
     });
-    // Telegram channel (ถ้าตั้ง TELEGRAM_BOT_TOKEN) — long-polling, ไม่ต้อง public URL
+    // Telegram channel (env หรือ ~/.sanook/gateway/config.json) — long-polling, ไม่ต้อง public URL
     let stopTelegram;
-    if (process.env.TELEGRAM_BOT_TOKEN) {
+    let stopDiscord;
+    let stopSlack;
+    let stopMattermost;
+    let stopHomeAssistant;
+    let stopEmail;
+    let stopNtfy;
+    let stopSignal;
+    let stopMatrix;
+    const gatewayConfig = await readGatewayConfig();
+    const telegram = resolveTelegramConfig(gatewayConfig);
+    if (telegram.enabled && telegram.token) {
         const { startTelegram, parseAllowedChats } = await import('./telegram.js');
         stopTelegram = startTelegram({
-            token: process.env.TELEGRAM_BOT_TOKEN,
+            token: telegram.token,
             model: opts.model,
             budgetUsd: opts.budgetUsd,
-            allowedChatIds: parseAllowedChats(process.env.TELEGRAM_ALLOWED_CHATS),
+            allowedChatIds: process.env.TELEGRAM_ALLOWED_CHATS ? parseAllowedChats(process.env.TELEGRAM_ALLOWED_CHATS) : telegram.allowedChatIds,
+            allowWrite: telegram.allowWrite,
             onLog: log,
         });
         // หมายเหตุ: log "เริ่มแล้ว" อยู่ใน startTelegram (success path) — ถ้า fail-closed จะ log "ไม่เริ่ม" แทน
     }
+    const discord = resolveDiscordConfig(gatewayConfig);
+    if (discord.enabled && discord.token) {
+        const { startDiscord } = await import('./discord.js');
+        try {
+            stopDiscord = startDiscord({
+                token: discord.token,
+                model: opts.model,
+                budgetUsd: opts.budgetUsd,
+                allowedChannelIds: discord.allowedChannelIds,
+                defaultChannelId: discord.defaultChannelId,
+                allowWrite: discord.allowWrite,
+                onLog: log,
+            });
+        }
+        catch (e) {
+            log(`Discord ไม่เริ่ม: ${e.message}`);
+        }
+    }
+    const slack = resolveSlackConfig(gatewayConfig);
+    if (slack.enabled && slack.botToken) {
+        if (!slack.appToken) {
+            log('Slack ไม่เริ่ม: ต้องตั้ง SLACK_APP_TOKEN หรือ gateway setup slack --app-token สำหรับ Socket Mode');
+        }
+        else {
+            const { startSlack } = await import('./slack.js');
+            try {
+                stopSlack = await startSlack({
+                    botToken: slack.botToken,
+                    appToken: slack.appToken,
+                    model: opts.model,
+                    budgetUsd: opts.budgetUsd,
+                    allowedChannelIds: slack.allowedChannelIds,
+                    defaultChannelId: slack.defaultChannelId,
+                    allowWrite: slack.allowWrite,
+                    onLog: log,
+                });
+            }
+            catch (e) {
+                log(`Slack ไม่เริ่ม: ${e.message}`);
+            }
+        }
+    }
+    const mattermost = resolveMattermostConfig(gatewayConfig);
+    if (mattermost.enabled && (mattermost.serverUrl || mattermost.token || mattermost.homeChannel || mattermost.allowedUsers.length || mattermost.allowedChannels.length)) {
+        if (!mattermost.serverUrl) {
+            log('Mattermost ไม่เริ่ม: ต้องตั้ง MATTERMOST_URL เช่น https://mm.example.com');
+        }
+        else if (!mattermost.token) {
+            log('Mattermost ไม่เริ่ม: ต้องตั้ง MATTERMOST_TOKEN');
+        }
+        else if (!mattermost.allowAllUsers && !mattermost.allowedUsers.length) {
+            log('Mattermost ไม่เริ่ม: ต้องตั้ง MATTERMOST_ALLOWED_USERS เพื่อ fail-closed');
+        }
+        else {
+            const { startMattermost } = await import('./mattermost.js');
+            try {
+                stopMattermost = await startMattermost({
+                    config: mattermost,
+                    model: opts.model,
+                    budgetUsd: opts.budgetUsd,
+                    permissionMode: opts.permissionMode ?? (envFlag(BRAND_ENV.gatewayAllowWrite) ? 'auto' : 'ask'),
+                    onLog: log,
+                });
+            }
+            catch (e) {
+                log(`Mattermost ไม่เริ่ม: ${e.message}`);
+            }
+        }
+    }
+    const homeassistant = resolveHomeAssistantConfig(gatewayConfig);
+    if (homeassistant.enabled && (homeassistant.token || homeassistant.homeChannel || homeassistant.watchAll || homeassistant.watchDomains.length || homeassistant.watchEntities.length)) {
+        if (!homeassistant.token) {
+            log('Home Assistant ไม่เริ่ม: ต้องตั้ง HASS_TOKEN');
+        }
+        else {
+            const { startHomeAssistant } = await import('./homeassistant.js');
+            try {
+                stopHomeAssistant = startHomeAssistant({
+                    config: homeassistant,
+                    model: opts.model,
+                    budgetUsd: opts.budgetUsd,
+                    permissionMode: opts.permissionMode ?? (envFlag(BRAND_ENV.gatewayAllowWrite) ? 'auto' : 'ask'),
+                    onLog: log,
+                });
+            }
+            catch (e) {
+                log(`Home Assistant ไม่เริ่ม: ${e.message}`);
+            }
+        }
+    }
+    const email = resolveEmailConfig(gatewayConfig);
+    if (email.enabled && email.address) {
+        if (!email.password || !email.imapHost || !email.smtpHost) {
+            log('Email ไม่เริ่ม: ต้องตั้ง password, imapHost และ smtpHost ให้ครบ');
+        }
+        else {
+            const { startEmail } = await import('./email.js');
+            stopEmail = startEmail({
+                address: email.address,
+                password: email.password,
+                imapHost: email.imapHost,
+                imapPort: email.imapPort,
+                smtpHost: email.smtpHost,
+                smtpPort: email.smtpPort,
+                homeAddress: email.homeAddress,
+                allowedUsers: email.allowedUsers,
+                allowAllUsers: email.allowAllUsers,
+                pollIntervalSeconds: email.pollIntervalSeconds,
+                model: opts.model,
+                budgetUsd: opts.budgetUsd,
+                allowWrite: false,
+                onLog: log,
+            });
+        }
+    }
+    const line = resolveLineConfig(gatewayConfig);
+    if (line.enabled && line.channelAccessToken) {
+        if (!line.channelSecret) {
+            log('LINE webhook ไม่เริ่ม: ต้องตั้ง LINE_CHANNEL_SECRET หรือ gateway setup line --channel-secret');
+        }
+        else if (!line.homeChannel && !line.allowedUsers.length && !line.allowedGroups.length && !line.allowedRooms.length && !line.allowAllUsers) {
+            log('LINE webhook ไม่เริ่ม: ต้องตั้ง home channel หรือ allowlist เพื่อ fail-closed');
+        }
+        else {
+            const publicBase = line.publicUrl ? `${line.publicUrl.replace(/\/+$/, '')}/line/webhook` : `http://127.0.0.1:${opts.port}/line/webhook`;
+            log(`LINE: webhook ready at ${publicBase}`);
+        }
+    }
+    const sms = resolveSmsConfig(gatewayConfig);
+    if (sms.enabled && (sms.accountSid || sms.authToken || sms.phoneNumber)) {
+        if (!sms.accountSid || !sms.authToken || !sms.phoneNumber) {
+            log('SMS webhook ไม่เริ่ม: ต้องตั้ง TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN และ TWILIO_PHONE_NUMBER ให้ครบ');
+        }
+        else if (!sms.insecureNoSignature && !sms.webhookUrl) {
+            log('SMS webhook ไม่เริ่ม: ต้องตั้ง SMS_WEBHOOK_URL ให้ตรงกับ Twilio Console เพื่อ verify signature');
+        }
+        else if (!sms.homeChannel && !sms.allowedUsers.length && !sms.allowAllUsers) {
+            log('SMS webhook ไม่เริ่ม: ต้องตั้ง home channel หรือ allowlist เพื่อ fail-closed');
+        }
+        else {
+            const publicBase = sms.webhookUrl || `http://127.0.0.1:${opts.port}/sms/webhook`;
+            log(`SMS: Twilio webhook ready at ${publicBase}`);
+        }
+    }
+    const ntfy = resolveNtfyConfig(gatewayConfig);
+    if (ntfy.enabled && (ntfy.topic || ntfy.publishTopic || ntfy.homeChannel || ntfy.token)) {
+        if (!ntfy.topic) {
+            log('ntfy ไม่เริ่ม: ต้องตั้ง NTFY_TOPIC หรือ gateway setup ntfy --topic สำหรับ inbound subscribe');
+        }
+        else if (!ntfy.allowAllUsers && ![ntfy.topic, ntfy.homeChannel, ...ntfy.allowedUsers].filter(Boolean).includes(ntfy.topic)) {
+            log('ntfy ไม่เริ่ม: ต้องตั้ง NTFY_ALLOWED_USERS ให้รวม topic หรือระบุ --allow-all-users เพื่อ fail-closed');
+        }
+        else {
+            const { startNtfy } = await import('./ntfy.js');
+            stopNtfy = startNtfy({
+                config: ntfy,
+                model: opts.model,
+                budgetUsd: opts.budgetUsd,
+                permissionMode: opts.permissionMode ?? (envFlag(BRAND_ENV.gatewayAllowWrite) ? 'auto' : 'ask'),
+                onLog: log,
+            });
+        }
+    }
+    const signal = resolveSignalConfig(gatewayConfig);
+    if (signal.enabled && (signal.account || signal.homeChannel || signal.allowedUsers.length || signal.groupAllowedUsers.length)) {
+        if (!signal.account) {
+            log('Signal ไม่เริ่ม: ต้องตั้ง SIGNAL_ACCOUNT หรือ gateway setup signal --account <+E.164>');
+        }
+        else if (!signal.allowAllUsers && !signal.homeChannel && !signal.allowedUsers.length && !signal.groupAllowedUsers.length) {
+            log('Signal ไม่เริ่ม: ต้องตั้ง home channel หรือ allowlist เพื่อ fail-closed');
+        }
+        else {
+            const { startSignal } = await import('./signal.js');
+            stopSignal = startSignal({
+                config: signal,
+                model: opts.model,
+                budgetUsd: opts.budgetUsd,
+                permissionMode: opts.permissionMode ?? (envFlag(BRAND_ENV.gatewayAllowWrite) ? 'auto' : 'ask'),
+                onLog: log,
+            });
+        }
+    }
+    const whatsapp = resolveWhatsAppConfig(gatewayConfig);
+    if (whatsapp.enabled && (whatsapp.phoneNumberId || whatsapp.accessToken || whatsapp.homeChannel || whatsapp.allowedUsers.length)) {
+        if (!whatsapp.phoneNumberId || !whatsapp.accessToken) {
+            log('WhatsApp Cloud webhook ไม่เริ่ม: ต้องตั้ง WHATSAPP_CLOUD_PHONE_NUMBER_ID และ WHATSAPP_CLOUD_ACCESS_TOKEN ให้ครบ');
+        }
+        else if (!whatsapp.appSecret) {
+            log('WhatsApp Cloud webhook ไม่เริ่ม: ต้องตั้ง WHATSAPP_CLOUD_APP_SECRET เพื่อ verify X-Hub-Signature-256');
+        }
+        else if (!whatsapp.verifyToken) {
+            log('WhatsApp Cloud webhook ไม่เริ่ม: ต้องตั้ง WHATSAPP_CLOUD_VERIFY_TOKEN สำหรับ Meta webhook verify handshake');
+        }
+        else if (!whatsapp.homeChannel && !whatsapp.allowedUsers.length && !whatsapp.allowAllUsers) {
+            log('WhatsApp Cloud webhook ไม่เริ่ม: ต้องตั้ง home channel หรือ allowlist เพื่อ fail-closed');
+        }
+        else {
+            const publicBase = whatsapp.publicUrl ? `${whatsapp.publicUrl.replace(/\/+$/, '')}/whatsapp/webhook` : `http://127.0.0.1:${opts.port}/whatsapp/webhook`;
+            log(`WhatsApp Cloud: webhook ready at ${publicBase}`);
+        }
+    }
+    const matrix = resolveMatrixConfig(gatewayConfig);
+    if (matrix.enabled && (matrix.homeserver || matrix.accessToken || matrix.userId || matrix.homeRoom || matrix.allowedUsers.length || matrix.allowedRooms.length)) {
+        if (!matrix.homeserver) {
+            log('Matrix ไม่เริ่ม: ต้องตั้ง MATRIX_HOMESERVER เช่น https://matrix.org');
+        }
+        else if (!matrix.accessToken && (!matrix.userId || !matrix.password)) {
+            log('Matrix ไม่เริ่ม: ต้องตั้ง MATRIX_ACCESS_TOKEN หรือ MATRIX_USER_ID/MATRIX_PASSWORD');
+        }
+        else if (!matrix.allowAllUsers && !matrix.allowedUsers.length) {
+            log('Matrix ไม่เริ่ม: ต้องตั้ง MATRIX_ALLOWED_USERS เพื่อ fail-closed');
+        }
+        else {
+            const { startMatrix } = await import('./matrix.js');
+            stopMatrix = startMatrix({
+                config: matrix,
+                model: opts.model,
+                budgetUsd: opts.budgetUsd,
+                permissionMode: opts.permissionMode ?? (envFlag(BRAND_ENV.gatewayAllowWrite) ? 'auto' : 'ask'),
+                onLog: log,
+            });
+        }
+    }
+    const webhooks = resolveWebhookConfig(gatewayConfig);
+    if (webhooks.enabled) {
+        const routes = Object.keys(webhooks.routes);
+        if (!routes.length) {
+            log('Webhooks เปิดอยู่ แต่ยังไม่มี route — เพิ่มด้วย sanook webhook subscribe <name>');
+        }
+        else {
+            const base = webhooks.publicUrl ? `${webhooks.publicUrl.replace(/\/+$/, '')}/webhooks` : `http://127.0.0.1:${opts.port}/webhooks`;
+            log(`Webhooks: ${routes.length} route(s) ready at ${base}/<route>`);
+        }
+    }
     log(`scheduler tick ทุก ${(opts.tickMs ?? 60_000) / 1000}s · token: ${appHomePath('gateway', 'token')} (chmod 600)`);
     return () => {
         stopServer();
         stopScheduler();
         stopTelegram?.();
+        stopDiscord?.();
+        stopSlack?.();
+        stopMattermost?.();
+        stopHomeAssistant?.();
+        stopEmail?.();
+        stopNtfy?.();
+        stopSignal?.();
+        stopMatrix?.();
         release(); // ปล่อย single-instance lock (sync — ทันก่อน process.exit ตัด event loop)
     };
 }

package/dist/gateway/server.js

@@ -1,6 +1,7 @@
 import { createServer } from 'node:http';
 import { listTasks, enqueueTask } from './ledger.js';
 import { parseSchedule } from './schedule.js';
+import { formatTarget, parseSendTarget } from './targets.js';
 import { tokenMatches } from './auth.js';
 import { runAgent } from '../loop.js';
 import { redactKey } from '../providers/keys.js';
@@ -9,21 +10,111 @@ function send(res, status, body) {
     res.writeHead(status, { 'content-type': 'application/json' });
     res.end(JSON.stringify(body));
 }
+function sendRaw(res, status, contentType, body) {
+    res.writeHead(status, { 'content-type': contentType });
+    res.end(body);
+}
+function sendSse(res, body) {
+    res.write(`data: ${typeof body === 'string' ? body : JSON.stringify(body)}\n\n`);
+}
+export function optionalString(value) {
+    if (typeof value !== 'string')
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed || undefined;
+}
+export function parseBearerToken(authorization) {
+    if (!authorization)
+        return undefined;
+    const tokenMatch = /^Bearer +(\S+)$/i.exec(authorization);
+    if (!tokenMatch)
+        return undefined;
+    return tokenMatch[1];
+}
+export function parseWebhookRouteName(pathname) {
+    if (!pathname.startsWith('/webhooks/'))
+        return undefined;
+    try {
+        const routeName = decodeURIComponent(pathname.slice('/webhooks/'.length)).replace(/^\/+|\/+$/g, '');
+        return /^[a-zA-Z0-9][a-zA-Z0-9_-]{0,63}$/.test(routeName) ? routeName : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+export function parseOptionalSchedule(value, now) {
+    if (value == null)
+        return { schedule: null };
+    if (typeof value !== 'string')
+        return { schedule: null, invalid: 'ต้องเป็นข้อความ' };
+    const scheduleText = optionalString(value);
+    if (!scheduleText)
+        return { schedule: null };
+    const schedule = parseSchedule(scheduleText, now);
+    return schedule ? { schedule } : { schedule: null, invalid: scheduleText };
+}
+export function parseRequiredTaskSpec(value) {
+    if (typeof value !== 'string') {
+        return value == null ? { invalid: 'ต้องมี spec' } : { invalid: 'spec ต้องเป็นข้อความ' };
+    }
+    const spec = value.trim();
+    return spec ? { spec } : { invalid: 'ต้องมี spec' };
+}
+export function parseOptionalDeliverTarget(value) {
+    if (value == null)
+        return {};
+    if (typeof value !== 'string')
+        return { invalid: 'deliver ต้องเป็นข้อความ' };
+    const deliverText = optionalString(value);
+    if (!deliverText)
+        return {};
+    try {
+        return { deliver: formatTarget(parseSendTarget(deliverText)) };
+    }
+    catch (e) {
+        return { invalid: e.message };
+    }
+}
+export function parseOptionalTaskModel(value) {
+    if (value == null)
+        return {};
+    if (typeof value !== 'string')
+        return { invalid: 'model ต้องเป็นข้อความ' };
+    const model = optionalString(value);
+    return model ? { model } : {};
+}
 const MAX_BODY = 1_000_000; // 1MB กัน memory blowup
+/** error ที่พก HTTP status — ให้ client เห็น 400/413 (client error) แทน 500 (server error) */
+class HttpError extends Error {
+    status;
+    constructor(status, message) {
+        super(message);
+        this.status = status;
+    }
+}
 async function readBody(req) {
+    const raw = await readRawBody(req);
+    if (!raw)
+        return {};
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        throw new HttpError(400, 'invalid JSON body'); // Bad Request — ไม่ leak ข้อความ parser
+    }
+    return parsed && typeof parsed === 'object' ? parsed : {};
+}
+async function readRawBody(req) {
     const chunks = [];
     let size = 0;
     for await (const c of req) {
         size += c.length;
         if (size > MAX_BODY)
-            throw new Error('request body ใหญ่เกิน');
+            throw new HttpError(413, 'request body ใหญ่เกิน'); // Payload Too Large
         chunks.push(c);
     }
-    const raw = Buffer.concat(chunks).toString('utf8');
-    if (!raw)
-        return {};
-    const parsed = JSON.parse(raw);
-    return parsed && typeof parsed === 'object' ? parsed : {};
+    return Buffer.concat(chunks).toString('utf8');
 }
 /**
  * gateway HTTP — bind 127.0.0.1 เท่านั้น (loopback, ไม่ expose ออกเน็ต), ทุก endpoint ยกเว้น /health ต้อง bearer token
@@ -33,7 +124,7 @@ async function readBody(req) {
 export function startServer(opts) {
     const server = createServer((req, res) => {
         // redact กัน API key/secret รั่วใน error response (provider error อาจฝัง key)
-        void handle(req, res, opts).catch((err) => send(res, 500, { error: redactKey(err.message ?? String(err)) }));
+        void handle(req, res, opts).catch((err) => send(res, err.status ?? 500, { error: redactKey(err.message ?? String(err)) }));
     });
     // '127.0.0.1' = loopback only — สำคัญ: ห้าม 0.0.0.0 (จะเปิดให้ทั้ง LAN)
     server.listen(opts.port, '127.0.0.1', () => opts.onLog?.(`http://127.0.0.1:${opts.port} (loopback)`));
@@ -45,9 +136,102 @@ async function handle(req, res, opts) {
     if (req.method === 'GET' && url.pathname === '/health') {
         return send(res, 200, { ok: true, service: BRAND.gatewayServiceName });
     }
+    if (req.method === 'GET' && url.pathname === '/line/webhook/health') {
+        return send(res, 200, { status: 'ok', platform: 'line' });
+    }
+    if (req.method === 'GET' && url.pathname === '/sms/webhook/health') {
+        return send(res, 200, { status: 'ok', platform: 'sms' });
+    }
+    if (req.method === 'GET' && url.pathname === '/whatsapp/webhook/health') {
+        const { readGatewayConfig, resolveWhatsAppConfig } = await import('./config.js');
+        const whatsapp = resolveWhatsAppConfig(await readGatewayConfig());
+        return send(res, 200, {
+            status: 'ok',
+            platform: 'whatsapp',
+            phone_number_id_configured: Boolean(whatsapp.phoneNumberId),
+            access_token_configured: Boolean(whatsapp.accessToken),
+            app_secret_configured: Boolean(whatsapp.appSecret),
+            verify_token_configured: Boolean(whatsapp.verifyToken),
+        });
+    }
+    if (req.method === 'GET' && url.pathname === '/webhooks/health') {
+        return send(res, 200, { status: 'ok', platform: 'webhook' });
+    }
+    if (req.method === 'POST' && url.pathname === '/line/webhook') {
+        const rawBody = await readRawBody(req);
+        const signature = Array.isArray(req.headers['x-line-signature']) ? req.headers['x-line-signature'][0] : req.headers['x-line-signature'];
+        const { readGatewayConfig, resolveLineConfig } = await import('./config.js');
+        const { handleLineWebhook } = await import('./line.js');
+        const result = await handleLineWebhook({
+            rawBody,
+            signature,
+            config: resolveLineConfig(await readGatewayConfig()),
+            model: opts.defaultModel,
+            budgetUsd: opts.budgetUsd,
+            permissionMode: opts.permissionMode ?? 'ask',
+            onLog: opts.onLog,
+        });
+        return send(res, result.status, result.body);
+    }
+    if (req.method === 'POST' && url.pathname === '/sms/webhook') {
+        const rawBody = await readRawBody(req);
+        const signature = Array.isArray(req.headers['x-twilio-signature']) ? req.headers['x-twilio-signature'][0] : req.headers['x-twilio-signature'];
+        const { readGatewayConfig, resolveSmsConfig } = await import('./config.js');
+        const { handleSmsWebhook } = await import('./sms.js');
+        const result = await handleSmsWebhook({
+            rawBody,
+            signature,
+            config: resolveSmsConfig(await readGatewayConfig()),
+            model: opts.defaultModel,
+            budgetUsd: opts.budgetUsd,
+            permissionMode: opts.permissionMode ?? 'ask',
+            onLog: opts.onLog,
+        });
+        return sendRaw(res, result.status, result.contentType, result.body);
+    }
+    if (req.method === 'GET' && url.pathname === '/whatsapp/webhook') {
+        const { readGatewayConfig, resolveWhatsAppConfig } = await import('./config.js');
+        const { handleWhatsAppChallenge } = await import('./whatsapp.js');
+        const result = handleWhatsAppChallenge(resolveWhatsAppConfig(await readGatewayConfig()), url.searchParams);
+        return sendRaw(res, result.status, result.contentType, result.body);
+    }
+    if (req.method === 'POST' && url.pathname === '/whatsapp/webhook') {
+        const rawBody = await readRawBody(req);
+        const signature = Array.isArray(req.headers['x-hub-signature-256']) ? req.headers['x-hub-signature-256'][0] : req.headers['x-hub-signature-256'];
+        const { readGatewayConfig, resolveWhatsAppConfig } = await import('./config.js');
+        const { handleWhatsAppWebhook } = await import('./whatsapp.js');
+        const result = await handleWhatsAppWebhook({
+            rawBody,
+            signature,
+            config: resolveWhatsAppConfig(await readGatewayConfig()),
+            model: opts.defaultModel,
+            budgetUsd: opts.budgetUsd,
+            permissionMode: opts.permissionMode ?? 'ask',
+            onLog: opts.onLog,
+        });
+        return send(res, result.status, result.body);
+    }
+    if (req.method === 'POST' && url.pathname.startsWith('/webhooks/')) {
+        const routeName = parseWebhookRouteName(url.pathname);
+        if (!routeName)
+            return send(res, 400, { error: 'invalid_webhook_route' });
+        const rawBody = await readRawBody(req);
+        const { readGatewayConfig, resolveWebhookConfig } = await import('./config.js');
+        const { handleWebhookRequest } = await import('./webhooks.js');
+        const result = await handleWebhookRequest({
+            routeName,
+            rawBody,
+            headers: req.headers,
+            config: resolveWebhookConfig(await readGatewayConfig()),
+            model: opts.defaultModel,
+            budgetUsd: opts.budgetUsd,
+            permissionMode: opts.permissionMode ?? 'ask',
+            onLog: opts.onLog,
+        });
+        return send(res, result.status, result.body);
+    }
     // ทุก endpoint อื่น → bearer token
-    const auth = req.headers.authorization ?? '';
-    const provided = auth.startsWith('Bearer ') ? auth.slice(7) : undefined;
+    const provided = parseBearerToken(req.headers.authorization);
     if (!tokenMatches(opts.token, provided)) {
         return send(res, 401, { error: 'unauthorized' });
     }
@@ -63,8 +247,51 @@ async function handle(req, res, opts) {
         const history = msgs
             .slice(0, lastUserIdx)
             .map((m) => ({ role: m.role, content: m.content }));
-        const model = typeof body.model === 'string' && body.model ? body.model : opts.defaultModel;
-        const { text } = await runAgent({
+        const { model: requestedModel, invalid: invalidModel } = parseOptionalTaskModel(body.model);
+        if (invalidModel)
+            return send(res, 400, { error: invalidModel });
+        const model = requestedModel ?? opts.defaultModel;
+        const runner = opts.runner ?? runAgent;
+        if (body.stream === true) {
+            res.writeHead(200, {
+                'content-type': 'text/event-stream; charset=utf-8',
+                'cache-control': 'no-cache, no-transform',
+                connection: 'keep-alive',
+            });
+            sendSse(res, {
+                object: 'chat.completion.chunk',
+                model,
+                choices: [{ index: 0, delta: { role: 'assistant' }, finish_reason: null }],
+            });
+            try {
+                await runner({
+                    model,
+                    prompt,
+                    history,
+                    maxSteps: 20,
+                    budgetUsd: opts.budgetUsd,
+                    permissionMode: opts.permissionMode ?? 'ask',
+                    onEvent: (e) => {
+                        if (e.type !== 'text' || !e.text)
+                            return;
+                        sendSse(res, {
+                            object: 'chat.completion.chunk',
+                            model,
+                            choices: [{ index: 0, delta: { content: e.text }, finish_reason: null }],
+                        });
+                    },
+                });
+                sendSse(res, { object: 'chat.completion.chunk', model, choices: [{ index: 0, delta: {}, finish_reason: 'stop' }] });
+                sendSse(res, '[DONE]');
+            }
+            catch (e) {
+                sendSse(res, { error: redactKey(e.message ?? String(e)) });
+                sendSse(res, '[DONE]');
+            }
+            res.end();
+            return;
+        }
+        const { text } = await runner({
             model,
             prompt,
             history,
@@ -83,17 +310,24 @@ async function handle(req, res, opts) {
     }
     if (req.method === 'POST' && url.pathname === '/tasks') {
         const body = await readBody(req);
-        const spec = String(body.spec ?? '').trim();
-        if (!spec)
-            return send(res, 400, { error: 'ต้องมี spec' });
-        const sched = body.schedule ? parseSchedule(String(body.schedule), Date.now()) : null;
-        if (body.schedule && !sched)
-            return send(res, 400, { error: `schedule ไม่ถูกต้อง: ${String(body.schedule)}` });
+        const specInput = parseRequiredTaskSpec(body.spec);
+        if ('invalid' in specInput)
+            return send(res, 400, { error: specInput.invalid });
+        const { schedule: sched, invalid } = parseOptionalSchedule(body.schedule, Date.now());
+        if (invalid)
+            return send(res, 400, { error: `schedule ไม่ถูกต้อง: ${invalid}` });
+        const { model, invalid: invalidModel } = parseOptionalTaskModel(body.model);
+        if (invalidModel)
+            return send(res, 400, { error: invalidModel });
+        const { deliver, invalid: invalidDeliver } = parseOptionalDeliverTarget(body.deliver);
+        if (invalidDeliver)
+            return send(res, 400, { error: invalidDeliver });
         const task = await enqueueTask({
             kind: sched?.recurring ? 'cron' : 'once',
-            spec,
+            spec: specInput.spec,
             schedule: sched?.recurring ? sched.normalized : undefined,
-            model: typeof body.model === 'string' ? body.model : undefined,
+            model,
+            deliver,
             runAt: sched?.runAt ?? Date.now(),
         });
         return send(res, 201, { task });