npm - siclaw - Versions diffs - 0.1.0 → 0.1.2 - Mend

siclaw 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (270) hide show

package/README.md +75 -114
package/dist/agentbox/gateway-client.d.ts +2 -1
package/dist/agentbox/gateway-client.js +6 -2
package/dist/agentbox/gateway-client.js.map +1 -1
package/dist/agentbox/http-server.js +184 -19
package/dist/agentbox/http-server.js.map +1 -1
package/dist/agentbox/resource-handlers.d.ts +1 -0
package/dist/agentbox/resource-handlers.js +23 -23
package/dist/agentbox/resource-handlers.js.map +1 -1
package/dist/agentbox/session.js +85 -5
package/dist/agentbox/session.js.map +1 -1
package/dist/agentbox-main.d.ts +2 -1
package/dist/agentbox-main.js +65 -18
package/dist/agentbox-main.js.map +1 -1
package/dist/cli-credentials.d.ts +1 -0
package/dist/cli-credentials.js +109 -0
package/dist/cli-credentials.js.map +1 -0
package/dist/cli-first-run.d.ts +11 -0
package/dist/cli-first-run.js +99 -0
package/dist/cli-first-run.js.map +1 -0
package/dist/cli-main.js +33 -11
package/dist/cli-main.js.map +1 -1
package/dist/cli-setup.d.ts +5 -11
package/dist/cli-setup.js +12 -225
package/dist/cli-setup.js.map +1 -1
package/dist/core/agent-factory.d.ts +4 -0
package/dist/core/agent-factory.js +102 -151
package/dist/core/agent-factory.js.map +1 -1
package/dist/core/config.d.ts +10 -3
package/dist/core/config.js +11 -95
package/dist/core/config.js.map +1 -1
package/dist/core/extensions/deep-investigation.d.ts +2 -1
package/dist/core/extensions/deep-investigation.js +144 -24
package/dist/core/extensions/deep-investigation.js.map +1 -1
package/dist/core/extensions/setup.d.ts +8 -0
package/dist/core/extensions/setup.js +669 -0
package/dist/core/extensions/setup.js.map +1 -0
package/dist/core/llm-proxy.js +7 -3
package/dist/core/llm-proxy.js.map +1 -1
package/dist/core/mcp-client.d.ts +0 -10
package/dist/core/mcp-client.js +0 -65
package/dist/core/mcp-client.js.map +1 -1
package/dist/core/prompt.d.ts +1 -1
package/dist/core/prompt.js +42 -5
package/dist/core/prompt.js.map +1 -1
package/dist/core/provider-presets.d.ts +14 -0
package/dist/core/provider-presets.js +81 -0
package/dist/core/provider-presets.js.map +1 -0
package/dist/cron/cron-coordinator.d.ts +2 -0
package/dist/cron/cron-coordinator.js +46 -14
package/dist/cron/cron-coordinator.js.map +1 -1
package/dist/cron/cron-executor.js +33 -8
package/dist/cron/cron-executor.js.map +1 -1
package/dist/cron/cron-scheduler.d.ts +1 -1
package/dist/cron/gateway-client.d.ts +5 -0
package/dist/cron/gateway-client.js +43 -8
package/dist/cron/gateway-client.js.map +1 -1
package/dist/cron-main.js +39 -9
package/dist/cron-main.js.map +1 -1
package/dist/gateway/agentbox/client.d.ts +11 -0
package/dist/gateway/agentbox/client.js +18 -0
package/dist/gateway/agentbox/client.js.map +1 -1
package/dist/gateway/agentbox/k8s-spawner.d.ts +11 -2
package/dist/gateway/agentbox/k8s-spawner.js +95 -52
package/dist/gateway/agentbox/k8s-spawner.js.map +1 -1
package/dist/gateway/agentbox/local-spawner.d.ts +1 -1
package/dist/gateway/agentbox/local-spawner.js +4 -2
package/dist/gateway/agentbox/local-spawner.js.map +1 -1
package/dist/gateway/agentbox/manager.d.ts +0 -10
package/dist/gateway/agentbox/manager.js +11 -30
package/dist/gateway/agentbox/manager.js.map +1 -1
package/dist/gateway/agentbox/types.d.ts +6 -4
package/dist/gateway/cron/cron-service.d.ts +49 -0
package/dist/gateway/cron/cron-service.js +259 -0
package/dist/gateway/cron/cron-service.js.map +1 -0
package/dist/gateway/db/init-schema.js +44 -0
package/dist/gateway/db/init-schema.js.map +1 -1
package/dist/gateway/db/migrate-sqlite.js +73 -4
package/dist/gateway/db/migrate-sqlite.js.map +1 -1
package/dist/gateway/db/repositories/chat-repo.d.ts +56 -2
package/dist/gateway/db/repositories/chat-repo.js +132 -2
package/dist/gateway/db/repositories/chat-repo.js.map +1 -1
package/dist/gateway/db/repositories/config-repo.d.ts +31 -2
package/dist/gateway/db/repositories/config-repo.js +57 -7
package/dist/gateway/db/repositories/config-repo.js.map +1 -1
package/dist/gateway/db/repositories/env-repo.d.ts +14 -0
package/dist/gateway/db/repositories/env-repo.js +15 -2
package/dist/gateway/db/repositories/env-repo.js.map +1 -1
package/dist/gateway/db/repositories/model-config-repo.d.ts +1 -1
package/dist/gateway/db/repositories/model-config-repo.js +26 -12
package/dist/gateway/db/repositories/model-config-repo.js.map +1 -1
package/dist/gateway/db/repositories/skill-repo.d.ts +0 -5
package/dist/gateway/db/repositories/skill-review-repo.d.ts +1 -0
package/dist/gateway/db/repositories/skill-review-repo.js +4 -1
package/dist/gateway/db/repositories/skill-review-repo.js.map +1 -1
package/dist/gateway/db/repositories/skill-version-repo.js +0 -1
package/dist/gateway/db/repositories/skill-version-repo.js.map +1 -1
package/dist/gateway/db/repositories/system-config-repo.d.ts +1 -1
package/dist/gateway/db/repositories/system-config-repo.js +2 -1
package/dist/gateway/db/repositories/system-config-repo.js.map +1 -1
package/dist/gateway/db/repositories/user-env-config-repo.d.ts +13 -0
package/dist/gateway/db/repositories/user-env-config-repo.js +11 -0
package/dist/gateway/db/repositories/user-env-config-repo.js.map +1 -1
package/dist/gateway/db/repositories/workspace-repo.d.ts +3 -2
package/dist/gateway/db/repositories/workspace-repo.js +6 -2
package/dist/gateway/db/repositories/workspace-repo.js.map +1 -1
package/dist/gateway/db/schema-mysql.d.ts +473 -51
package/dist/gateway/db/schema-mysql.js +35 -4
package/dist/gateway/db/schema-mysql.js.map +1 -1
package/dist/gateway/db/schema-sqlite.d.ts +522 -57
package/dist/gateway/db/schema-sqlite.js +38 -6
package/dist/gateway/db/schema-sqlite.js.map +1 -1
package/dist/gateway/db/schema.d.ts +471 -51
package/dist/gateway/db/schema.js +1 -1
package/dist/gateway/db/schema.js.map +1 -1
package/dist/gateway/metrics-aggregator.d.ts +65 -0
package/dist/gateway/metrics-aggregator.js +244 -0
package/dist/gateway/metrics-aggregator.js.map +1 -0
package/dist/gateway/plugins/channel-bridge.d.ts +4 -1
package/dist/gateway/plugins/channel-bridge.js +78 -86
package/dist/gateway/plugins/channel-bridge.js.map +1 -1
package/dist/gateway/rpc-methods.d.ts +4 -2
package/dist/gateway/rpc-methods.js +962 -163
package/dist/gateway/rpc-methods.js.map +1 -1
package/dist/gateway/security/cert-manager.d.ts +2 -2
package/dist/gateway/security/cert-manager.js +4 -2
package/dist/gateway/security/cert-manager.js.map +1 -1
package/dist/gateway/server.d.ts +4 -8
package/dist/gateway/server.js +297 -261
package/dist/gateway/server.js.map +1 -1
package/dist/gateway/skills/file-writer.js +17 -11
package/dist/gateway/skills/file-writer.js.map +1 -1
package/dist/gateway/skills/script-evaluator.js +12 -9
package/dist/gateway/skills/script-evaluator.js.map +1 -1
package/dist/gateway/web/dist/assets/index-0p17ZeTP.js +740 -0
package/dist/gateway/web/dist/assets/index-9eP6nPUq.js +741 -0
package/dist/gateway/web/dist/assets/index-9eP6nPUq.js.map +1 -0
package/dist/gateway/web/dist/assets/index-CAmSY91d.js +675 -0
package/dist/gateway/web/dist/assets/index-DMFEh8Pp.css +1 -0
package/dist/gateway/web/dist/assets/index-DyowBCEj.css +1 -0
package/dist/gateway/web/dist/assets/index-PDK5JJDO.css +1 -0
package/dist/gateway/web/dist/index.html +2 -2
package/dist/gateway-main.js +27 -10
package/dist/gateway-main.js.map +1 -1
package/dist/memory/embeddings.js +5 -4
package/dist/memory/embeddings.js.map +1 -1
package/dist/memory/indexer.d.ts +23 -3
package/dist/memory/indexer.js +235 -23
package/dist/memory/indexer.js.map +1 -1
package/dist/memory/schema.js +15 -1
package/dist/memory/schema.js.map +1 -1
package/dist/memory/types.d.ts +18 -0
package/dist/memory/types.js +6 -1
package/dist/memory/types.js.map +1 -1
package/dist/shared/detect-language.d.ts +12 -0
package/dist/shared/detect-language.js +78 -0
package/dist/shared/detect-language.js.map +1 -0
package/dist/shared/diagnostic-events.d.ts +70 -0
package/dist/shared/diagnostic-events.js +38 -0
package/dist/shared/diagnostic-events.js.map +1 -0
package/dist/shared/local-collector.d.ts +56 -0
package/dist/shared/local-collector.js +284 -0
package/dist/shared/local-collector.js.map +1 -0
package/dist/shared/metrics-types.d.ts +64 -0
package/dist/shared/metrics-types.js +25 -0
package/dist/shared/metrics-types.js.map +1 -0
package/dist/shared/metrics.d.ts +19 -0
package/dist/shared/metrics.js +185 -0
package/dist/shared/metrics.js.map +1 -0
package/dist/shared/path-utils.d.ts +15 -0
package/dist/shared/path-utils.js +23 -0
package/dist/shared/path-utils.js.map +1 -0
package/dist/shared/retry.d.ts +35 -0
package/dist/shared/retry.js +61 -0
package/dist/shared/retry.js.map +1 -0
package/dist/tools/command-sets.d.ts +18 -2
package/dist/tools/command-sets.js +207 -32
package/dist/tools/command-sets.js.map +1 -1
package/dist/tools/command-validator.d.ts +56 -0
package/dist/tools/command-validator.js +357 -0
package/dist/tools/command-validator.js.map +1 -0
package/dist/tools/create-skill.js +26 -1
package/dist/tools/create-skill.js.map +1 -1
package/dist/tools/credential-list.js +1 -23
package/dist/tools/credential-list.js.map +1 -1
package/dist/tools/credential-manager.d.ts +98 -0
package/dist/tools/credential-manager.js +313 -0
package/dist/tools/credential-manager.js.map +1 -0
package/dist/tools/deep-search/engine.js +184 -127
package/dist/tools/deep-search/engine.js.map +1 -1
package/dist/tools/deep-search/prompts.d.ts +10 -2
package/dist/tools/deep-search/prompts.js +37 -36
package/dist/tools/deep-search/prompts.js.map +1 -1
package/dist/tools/deep-search/schemas.d.ts +87 -0
package/dist/tools/deep-search/schemas.js +85 -0
package/dist/tools/deep-search/schemas.js.map +1 -0
package/dist/tools/deep-search/sub-agent.d.ts +21 -0
package/dist/tools/deep-search/sub-agent.js +153 -4
package/dist/tools/deep-search/sub-agent.js.map +1 -1
package/dist/tools/deep-search/tool.js +1 -0
package/dist/tools/deep-search/tool.js.map +1 -1
package/dist/tools/deep-search/types.d.ts +2 -0
package/dist/tools/deep-search/types.js.map +1 -1
package/dist/tools/dp-tools.js +29 -5
package/dist/tools/dp-tools.js.map +1 -1
package/dist/tools/exec-utils.d.ts +85 -0
package/dist/tools/exec-utils.js +294 -0
package/dist/tools/exec-utils.js.map +1 -0
package/dist/tools/fork-skill.js +14 -2
package/dist/tools/fork-skill.js.map +1 -1
package/dist/tools/investigation-feedback.d.ts +3 -0
package/dist/tools/investigation-feedback.js +71 -0
package/dist/tools/investigation-feedback.js.map +1 -0
package/dist/tools/manage-schedule.js +16 -6
package/dist/tools/manage-schedule.js.map +1 -1
package/dist/tools/netns-script.js +27 -281
package/dist/tools/netns-script.js.map +1 -1
package/dist/tools/node-exec.d.ts +2 -14
package/dist/tools/node-exec.js +18 -225
package/dist/tools/node-exec.js.map +1 -1
package/dist/tools/node-script.js +14 -168
package/dist/tools/node-script.js.map +1 -1
package/dist/tools/pod-exec.d.ts +1 -1
package/dist/tools/pod-exec.js +10 -26
package/dist/tools/pod-exec.js.map +1 -1
package/dist/tools/pod-nsenter-exec.js +21 -225
package/dist/tools/pod-nsenter-exec.js.map +1 -1
package/dist/tools/pod-script.js +10 -19
package/dist/tools/pod-script.js.map +1 -1
package/dist/tools/restricted-bash.d.ts +1 -17
package/dist/tools/restricted-bash.js +38 -252
package/dist/tools/restricted-bash.js.map +1 -1
package/dist/tools/run-skill.d.ts +3 -1
package/dist/tools/run-skill.js +21 -1
package/dist/tools/run-skill.js.map +1 -1
package/dist/tools/script-resolver.d.ts +3 -1
package/dist/tools/script-resolver.js +74 -30
package/dist/tools/script-resolver.js.map +1 -1
package/dist/tools/update-skill.js +17 -6
package/dist/tools/update-skill.js.map +1 -1
package/package.json +8 -6
package/siclaw.mjs +10 -1
package/skills/core/cluster-events/SKILL.md +1 -1
package/skills/core/deep-investigation/SKILL.md +11 -0
package/skills/core/deployment-rollout-debug/SKILL.md +1 -1
package/skills/core/dns-debug/SKILL.md +1 -0
package/skills/core/meta.json +12 -1
package/skills/core/networkpolicy-debug/SKILL.md +332 -0
package/skills/core/node-logs/scripts/get-node-logs.sh +19 -9
package/skills/core/pod-pending-debug/SKILL.md +1 -0
package/skills/core/quota-debug/SKILL.md +203 -0
package/skills/core/service-debug/SKILL.md +1 -0
package/skills/core/statefulset-debug/SKILL.md +280 -0
package/skills/core/volcano-diagnose-pod/SKILL.md +196 -0
package/skills/core/volcano-diagnose-pod/scripts/diagnose-pod.sh +175 -0
package/skills/core/volcano-gang-scheduling/SKILL.md +299 -0
package/skills/core/volcano-job-diagnose/SKILL.md +319 -0
package/skills/core/volcano-job-diagnose/scripts/diagnose-job.sh +253 -0
package/skills/core/volcano-node-resources/SKILL.md +334 -0
package/skills/core/volcano-node-resources/scripts/get-node-resources.sh +281 -0
package/skills/core/volcano-queue-diagnose/SKILL.md +294 -0
package/skills/core/volcano-queue-diagnose/scripts/diagnose-queue.sh +283 -0
package/skills/core/volcano-resource-insufficient/SKILL.md +315 -0
package/skills/core/volcano-scheduler-config/SKILL.md +371 -0
package/skills/core/volcano-scheduler-config/scripts/get-scheduler-config.sh +297 -0
package/skills/core/volcano-scheduler-logs/SKILL.md +241 -0
package/skills/core/volcano-scheduler-logs/scripts/get-scheduler-logs.sh +159 -0
package/skills/platform/create-skill/SKILL.md +35 -3
package/skills/platform/manage-skill/SKILL.md +9 -2
package/skills/platform/update-skill/SKILL.md +17 -6

package/README.md CHANGED Viewed

@@ -4,31 +4,37 @@
 # Siclaw
-**AI Agent platform for SRE — the collaborative AI foundation for your team**
+**Read-only investigation copilot for SRE teams**
+[![npm](https://img.shields.io/npm/v/siclaw?logo=npm)](https://www.npmjs.com/package/siclaw)
 [![CI](https://github.com/scitix/siclaw/actions/workflows/ci.yml/badge.svg)](https://github.com/scitix/siclaw/actions/workflows/ci.yml)
 [![Node.js](https://img.shields.io/badge/Node.js-%3E%3D22-339933?logo=node.js&logoColor=white)](https://nodejs.org/)
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.9-3178C6?logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)
+[![Slack](https://img.shields.io/badge/Slack-Join%20Community-4A154B?logo=slack&logoColor=white)](https://join.slack.com/t/siclaw-scitix/shared_invite/zt-3rrsoc2ic-JIfbfvT1_04sqgQorSRfmw)
+[Website](https://www.siclaw.ai) | [Documentation](https://docs.siclaw.ai) | [Slack](https://join.slack.com/t/siclaw-scitix/shared_invite/zt-3rrsoc2ic-JIfbfvT1_04sqgQorSRfmw)
 </div>
 ---
-Siclaw is an AI Agent platform for DevOps / SRE, inspired by [OpenClaw](https://github.com/openclaw) and designed to be the collaborative AI foundation for engineering teams. Unlike general-purpose coding agents, Siclaw is built for **read-only infrastructure diagnostics** — the agent observes, analyzes, and reports, but never mutates your environment directly. When remediation is needed, Siclaw integrates with your existing change management systems to execute changes through established, auditable workflows. Describe a problem in plain language and the agent runs kubectl, reads logs, traces network paths, and delivers a root-cause analysis — from a terminal, a web UI, or your team's IM workspace.
+Siclaw is an open-source AI agent for DevOps and SRE teams. It is built for **read-only infrastructure diagnostics**: gather evidence, form hypotheses, validate them, and return a clear root-cause analysis without changing your environment directly. Describe a problem in plain language and Siclaw investigates it from the terminal, the web UI, or your team's chat channels.
+<div align="center">
+<img src="docs/assets/demo.gif" alt="Siclaw Demo" width="800" />
+<p><em>Deep investigation: diagnosing a CrashLoopBackOff in seconds</em></p>
+</div>
 ## Features
-- **Deep Investigation** — Hypothesis-driven 4-phase diagnostic engine (context gathering → hypothesis generation → parallel validation → root-cause conclusion), bringing Deep Research to SRE with cross-system, multi-dimensional fault analysis
-- **Investigation Memory** — Accumulates structured knowledge from every deep investigation into a local hybrid store (vector + full-text); surfaces relevant past experience during hypothesis generation so the agent gets smarter with every incident resolved
-- **Security Governance** — Strict permission layer between agent and infrastructure: read-only by default, command whitelist, write operations require per-item approval, credentials isolated by workspace — zero accidental mutations in production
-- **Team Collaboration** — Multi-workspace, multi-user management (SSO/OAuth2), isolated AgentBox sandboxes per user, designed for multi-team, multi-environment enterprise scenarios
-- **Alert-Driven Operations** — Webhook triggers connect to your existing monitoring stack (Prometheus, PagerDuty, custom), automatically launching agent investigations when alerts fire
-- **Scheduled Tasks** — Cron-based recurring jobs for routine health checks, periodic diagnostics, or any agent task — manageable via Web UI or natural language
-- **Skill System** — AI-generated diagnostic skills with automated risk-level review, supporting creation, forking, and hot-reload via Web UI or natural language — organize across core / team / personal tiers to codify your team's operational expertise into reusable, shareable runbooks
-- **Extensible** — [MCP](https://modelcontextprotocol.io) tool servers for custom data source integrations
-- **Multi-Channel Access** — Terminal TUI, Web UI, or IM bots (Slack, Discord, Telegram, Lark)
+- **Deep Investigation** — A 4-phase workflow for evidence gathering, hypothesis testing, and root-cause analysis
+- **Investigation Memory** — Learns from past incidents to improve future investigations
+- **Read-Only by Default** — Investigates and recommends next steps without changing your environment directly
+- **Team Workflows** — Shared web UI, credentials, channels, triggers, and scheduled patrols
+- **Reusable Skills** — Turn repeated diagnostic playbooks into reviewable runbooks
+- **Extensible** — Connect external tools and data sources through [MCP](https://modelcontextprotocol.io)
+- **Multi-Channel Access** — Use Siclaw from the terminal, web UI, or chat channels
 ## Architecture
@@ -43,28 +49,33 @@ Siclaw is an AI Agent platform for DevOps / SRE, inspired by [OpenClaw](https://
 - **Node.js >= 22.12.0** — [Download](https://nodejs.org/)
 - **npm** — Comes with Node.js
-- **kubectl** + **kubeconfig** — Required for Kubernetes diagnostics only ([Install guide](https://kubernetes.io/docs/tasks/tools/)); not needed for TUI or Local Server mode without K8s access
+- **kubectl** — Optional, only needed if you want Siclaw to investigate Kubernetes clusters
 ## Quick Start
-Siclaw supports three deployment profiles. Pick the one that fits your use case.
+Siclaw supports three deployment profiles. For local usage, start from a dedicated working directory because Siclaw stores most runtime data in `.siclaw/` relative to where you launch it.
+```bash
+mkdir -p ~/siclaw-work
+cd ~/siclaw-work
+```
 ### 1. TUI Mode — Personal, local, lowest barrier
 Run the agent directly in your terminal. No server, no database. All operations are read-only by default — safe to run on your workstation.
 ```bash
-# Install
-npm install siclaw
+# Install globally
+npm install -g siclaw
 # Run (interactive — prompts for LLM provider on first launch)
-npx siclaw
+siclaw
 # Single-shot
-npx siclaw --prompt "Why is pod nginx-abc in CrashLoopBackOff?"
+siclaw --prompt "Why is pod nginx-abc in CrashLoopBackOff?"
 # Continue last session
-npx siclaw --continue
+siclaw --continue
 ```
 <details>
@@ -72,7 +83,7 @@ npx siclaw --continue
 ```bash
 git clone https://github.com/scitix/siclaw.git && cd siclaw
-npm ci && npm run build
+npm ci && npm run build:web && npm run build
 npm link                 # register `siclaw` command globally
 siclaw                   # TUI mode
@@ -87,17 +98,18 @@ siclaw --prompt "..."    # single-shot mode
 ### 2. Local Server — VM or laptop, recommended for daily use
-A lightweight web UI backed by SQLite. No MySQL, no Docker required — just start the server and configure everything in the browser. Siclaw enforces strict read-only access by default (command whitelist, no write operations without approval), so you can safely deploy it on your own workstation without worrying about unintended changes to your clusters.
+A lightweight web UI backed by SQLite. No MySQL, no Docker required.
 ```bash
-npm install siclaw
+npm install -g siclaw
-# Start the server (SQLite database is created automatically)
-npx siclaw local
+# Start the server
+siclaw local
 # Open http://localhost:3000
 # Login: admin / admin (default credentials)
-# Go to Settings to configure your LLM provider
+# Configure providers in Models
+# Import kubeconfigs in Credentials
 ```
 <details>
@@ -105,7 +117,7 @@ npx siclaw local
 ```bash
 git clone https://github.com/scitix/siclaw.git && cd siclaw
-npm ci && npm run build && npm run build:web
+npm ci && npm run build:web && npm run build
 npm link                 # register `siclaw` command globally
 siclaw local             # start local server
@@ -115,43 +127,47 @@ siclaw local             # start local server
 </details>
-The server uses SQLite by default and auto-generates a JWT secret on first run. All configuration — LLM providers, models, credentials — is done through the **Settings** page in the web UI.
+On first startup, Siclaw creates a local admin account:
+- Username: `admin`
+- Password: `admin`
+Set `SICLAW_ADMIN_PASSWORD` before first launch if you want a different bootstrap password.
 ### 3. Kubernetes — Team / enterprise
-Full multi-user deployment with isolated AgentBox pods, SSO, and IM channels. Just prepare a MySQL database and deploy with Helm:
+Production deployment uses Helm plus three container images: `gateway`, `agentbox`, and `cron`.
+Build and push images if you are using your own registry:
 ```bash
-helm upgrade --install siclaw ./helm/siclaw \
-  --namespace siclaw --create-namespace \
-  --set database.url="mysql://user:pass@host:3306/siclaw"
+make docker REGISTRY=registry.example.com/myteam TAG=latest
+make push REGISTRY=registry.example.com/myteam TAG=latest
 ```
-<details>
-<summary><b>Using a custom image registry</b></summary>
-If you need to build and push images to your own registry:
+Then deploy the chart with a MySQL URL:
 ```bash
-# Build and push images
-make docker push REGISTRY=registry.example.com/myteam
-# Deploy with custom registry
 helm upgrade --install siclaw ./helm/siclaw \
-  --namespace siclaw --create-namespace \
-  --set image.registry="registry.example.com/myteam" \
+  --namespace siclaw \
+  --create-namespace \
+  --set image.registry=registry.example.com/myteam \
+  --set image.tag=latest \
   --set database.url="mysql://user:pass@host:3306/siclaw"
 ```
-</details>
-See [`helm/siclaw/`](helm/siclaw/) for values reference, and [`k8s/README.md`](k8s/README.md) for the full deployment guide.
+The default chart exposes the Gateway Service on service port `80` and NodePort `31000`.
 ## Configuration
-### settings.json (TUI mode)
+### TUI / CLI
+- TUI reads `.siclaw/config/settings.json`
+- The first-run wizard can generate this file for you
+- Kubernetes credentials should be imported through `/setup`
+- Investigation reports are written to `~/.siclaw/reports/`
-Minimal example — copy `settings.example.json` to `.siclaw/config/settings.json`:
+Minimal example:
 ```json
 {
@@ -159,82 +175,28 @@ Minimal example — copy `settings.example.json` to `.siclaw/config/settings.jso
     "default": {
       "baseUrl": "https://api.openai.com/v1",
       "apiKey": "sk-YOUR-KEY",
+      "api": "openai-completions",
       "models": [{ "id": "gpt-4o", "name": "GPT-4o" }]
     }
   }
 }
 ```
-<details>
-<summary><b>Full settings.json reference</b></summary>
-```json
-{
-  "providers": {
-    "provider-name": {
-      "baseUrl": "https://api.example.com/v1",
-      "apiKey": "your-key",
-      "api": "openai-completions",
-      "authHeader": true,
-      "models": [
-        {
-          "id": "model-id",
-          "name": "Display Name",
-          "reasoning": false,
-          "contextWindow": 128000,
-          "maxTokens": 16384,
-          "cost": { "input": 2.5, "output": 10.0, "cacheRead": 0.5, "cacheWrite": 3.0 }
-        }
-      ]
-    }
-  },
-  "default": { "provider": "provider-name", "modelId": "model-id" },
-  "embedding": {
-    "baseUrl": "https://api.example.com/v1",
-    "apiKey": "your-key",
-    "model": "BAAI/bge-m3",
-    "dimensions": 1024
-  },
-  "mcpServers": {
-    "server-name": {
-      "command": "npx",
-      "args": ["-y", "@some/mcp-server"]
-    }
-  },
-  "debugImage": "busybox:latest",
-  "debug": false
-}
-```
-</details>
-<details>
-<summary><b>IM Channels — Slack / Discord / Telegram / Lark</b></summary>
-### Slack
-Configure a Slack bot in **Settings > Channels**. You'll need:
-- Bot token and signing secret from the [Slack API](https://api.slack.com/apps)
-### Discord
+### Local Server / Kubernetes
-Configure a Discord bot in **Settings > Channels**. You'll need:
-- Bot token from the [Discord Developer Portal](https://discord.com/developers/applications)
-- Scopes: `bot`, `messages.read`
+- Configure providers in the **Models** page
+- Import kubeconfigs, API tokens, and SSH credentials in **Credentials**
+- Configure Slack, Lark, Discord, and Telegram in **Channels**
+- Create inbound webhook endpoints in **Triggers**
+- Configure MCP servers in **MCP Servers**
-### Telegram
+## Documentation
-Configure a Telegram bot in **Settings > Channels**. You'll need:
-- Bot token from [@BotFather](https://t.me/BotFather)
-### Lark
-Configure a Lark bot in **Settings > Channels** of the web UI. You'll need:
-- App ID and App Secret from the [Lark Open Platform](https://open.larksuite.com/)
-- Event subscription URL: `https://your-domain/api/channels/feishu/event`
-- Scopes: `im:message`, `im:message.group_at_msg`, `im:resource`
-</details>
+- [Getting Started](https://docs.siclaw.ai/start/getting-started)
+- [CLI & Local Server](https://docs.siclaw.ai/install/cli)
+- [Kubernetes Deployment](https://docs.siclaw.ai/install/kubernetes)
+- [LLM Providers](https://docs.siclaw.ai/configuration/providers)
+- [MCP Servers](https://docs.siclaw.ai/configuration/mcp)
 ## Tech Stack
@@ -252,11 +214,10 @@ Configure a Lark bot in **Settings > Channels** of the web UI. You'll need:
 ## Community
+- [Slack](https://join.slack.com/t/siclaw-scitix/shared_invite/zt-3rrsoc2ic-JIfbfvT1_04sqgQorSRfmw) — Chat with the team and other users
 - [GitHub Issues](https://github.com/scitix/siclaw/issues) — Bug reports and feature requests
 - [GitHub Discussions](https://github.com/scitix/siclaw/discussions) — Questions, ideas, and general discussion
-<!-- TODO: Add Discord invite link once server is created -->
 ## Contributing
 See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, architecture overview, and pull request guidelines.

package/dist/agentbox/gateway-client.d.ts CHANGED Viewed

@@ -16,6 +16,7 @@ export interface CronJob {
     description?: string | null;
     lastRunAt?: string | null;
     lastResult?: string | null;
+    workspaceId?: string | null;
 }
 export declare class GatewayClient {
     private gatewayUrl;
@@ -28,7 +29,7 @@ export declare class GatewayClient {
     /**
      * List cron jobs for a user
      */
-    listCronJobs(userId: string): Promise<CronJob[]>;
+    listCronJobs(userId: string, workspaceId?: string): Promise<CronJob[]>;
     /**
      * Return a GatewayClientLike adapter for use with resource handlers.
      * Keeps `request()` private while exposing a minimal interface.

package/dist/agentbox/gateway-client.js CHANGED Viewed

@@ -40,8 +40,12 @@ export class GatewayClient {
     /**
      * List cron jobs for a user
      */
-    async listCronJobs(userId) {
-        const data = await this.request(`/api/internal/cron-list?userId=${encodeURIComponent(userId)}`, "GET");
+    async listCronJobs(userId, workspaceId) {
+        let url = `/api/internal/cron-list?userId=${encodeURIComponent(userId)}`;
+        if (workspaceId) {
+            url += `&workspaceId=${encodeURIComponent(workspaceId)}`;
+        }
+        const data = await this.request(url, "GET");
         return data.jobs || [];
     }
     /**

package/dist/agentbox/gateway-client.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"gateway-client.js","sourceRoot":"","sources":["../../src/agentbox/gateway-client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;~~AAiB7B~~,MAAM,OAAO,aAAa;IAChB,UAAU,CAAS;IACnB,UAAU,GAAgC,IAAI,CAAC;IAEvD,YAAY,OAA6B;QACvC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;QAEjF,gDAAgD;QAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,mBAAmB,CAAC;QAEzF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAE7C,mCAAmC;QACnC,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/E,IAAI,CAAC,UAAU,GAAG;gBAChB,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC;gBAC/B,GAAG,EAAE,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC;gBAC7B,EAAE,EAAE,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;gBAC3B,kBAAkB,EAAE,IAAI,EAAE,+BAA+B;aAC1D,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,oDAAoD,QAAQ,EAAE,CAAC,CAAC;QAC9E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,qDAAqD,QAAQ,uBAAuB,CAAC,CAAC;QACrG,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa;QACjB,OAAO,IAAI,CAAC,OAAO,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,MAAc;~~QAC/B~~,~~MAAM,~~IAAI,GAAG,MAAM,~~IAAI~~,CAAC,~~OAAO~~,CAAC,~~kCAAkC~~,kBAAkB,CAAC,~~MAAM~~,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;~~QACvG~~,OAAO,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;OAGG;IACH,YAAY;QACV,OAAO;YACL,OAAO,EAAE,CAAC,CAAS,EAAE,CAAiB,EAAE,CAAW,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;SAC9E,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,IAAY,EAAE,SAAyB,KAAK,EAAE,IAAU;QACtE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;YAC3C,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;YAE1C,MAAM,cAAc,GAAyB;gBAC3C,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtC,IAAI,EAAE,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM;gBAC/B,MAAM;gBACN,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;iBACnC;gBACD,GAAG,CAAC,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;aACvD,CAAC;YAEF,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,GAAQ,EAAE,EAAE;gBACtD,IAAI,IAAI,GAAG,EAAE,CAAC;gBAEd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;oBAC/B,IAAI,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC3B,CAAC,CAAC,CAAC;gBAEH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;wBAC3B,IAAI,CAAC;4BACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;4BAC9B,OAAO,CAAC,IAAI,CAAC,CAAC;wBAChB,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,MAAM,CAAC,IAAI,KAAK,CAAC,kCAAkC,IAAI,EAAE,CAAC,CAAC,CAAC;wBAC9D,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC;oBACnE,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;gBAC7B,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC9D,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,EAAE;gBACxB,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,MAAM,CAAC,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC,CAAC;YAC/C,CAAC,CAAC,CAAC;YAEH,IAAI,IAAI,EAAE,CAAC;gBACT,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAClC,CAAC;YAED,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;CACF"}
1	+ {"version":3,"file":"gateway-client.js","sourceRoot":"","sources":["../../src/agentbox/gateway-client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAkB7B,MAAM,OAAO,aAAa;IAChB,UAAU,CAAS;IACnB,UAAU,GAAgC,IAAI,CAAC;IAEvD,YAAY,OAA6B;QACvC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;QAEjF,gDAAgD;QAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,mBAAmB,CAAC;QAEzF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAE7C,mCAAmC;QACnC,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/E,IAAI,CAAC,UAAU,GAAG;gBAChB,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC;gBAC/B,GAAG,EAAE,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC;gBAC7B,EAAE,EAAE,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;gBAC3B,kBAAkB,EAAE,IAAI,EAAE,+BAA+B;aAC1D,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,oDAAoD,QAAQ,EAAE,CAAC,CAAC;QAC9E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,qDAAqD,QAAQ,uBAAuB,CAAC,CAAC;QACrG,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa;QACjB,OAAO,IAAI,CAAC,OAAO,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,MAAc,EAAE,WAAoB;QACrD,IAAI,GAAG,GAAG,kCAAkC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;QACzE,IAAI,WAAW,EAAE,CAAC;YAChB,GAAG,IAAI,gBAAgB,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3D,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;OAGG;IACH,YAAY;QACV,OAAO;YACL,OAAO,EAAE,CAAC,CAAS,EAAE,CAAiB,EAAE,CAAW,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;SAC9E,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,IAAY,EAAE,SAAyB,KAAK,EAAE,IAAU;QACtE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;YAC3C,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;YAE1C,MAAM,cAAc,GAAyB;gBAC3C,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtC,IAAI,EAAE,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM;gBAC/B,MAAM;gBACN,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;iBACnC;gBACD,GAAG,CAAC,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;aACvD,CAAC;YAEF,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,GAAQ,EAAE,EAAE;gBACtD,IAAI,IAAI,GAAG,EAAE,CAAC;gBAEd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;oBAC/B,IAAI,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC3B,CAAC,CAAC,CAAC;gBAEH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;wBAC3B,IAAI,CAAC;4BACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;4BAC9B,OAAO,CAAC,IAAI,CAAC,CAAC;wBAChB,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,MAAM,CAAC,IAAI,KAAK,CAAC,kCAAkC,IAAI,EAAE,CAAC,CAAC,CAAC;wBAC9D,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC;oBACnE,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;gBAC7B,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC9D,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,EAAE;gBACxB,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,MAAM,CAAC,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC,CAAC;YAC/C,CAAC,CAAC,CAAC;YAEH,IAAI,IAAI,EAAE,CAAC;gBACT,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAClC,CAAC;YAED,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/agentbox/http-server.js CHANGED Viewed

@@ -11,17 +11,44 @@ import { hasOpenAIProvider, ensureProxy } from "../core/llm-proxy.js";
 import { deepSearchEvents } from "../tools/deep-search/events.js";
 import { createChecklist, buildActivationMessage } from "../tools/dp-tools.js";
 import { loadConfig } from "../core/config.js";
+import { emitDiagnostic } from "../shared/diagnostic-events.js";
+import { checkMetricsAuth } from "../shared/metrics.js"; // also registers metrics subscriber (side-effect)
 import { GatewayClient } from "./gateway-client.js";
 import { getResourceHandler } from "./resource-handlers.js";
 import { RESOURCE_DESCRIPTORS } from "../shared/resource-sync.js";
+import { detectLanguage } from "../shared/detect-language.js";
+import { resolveUnderDir } from "../shared/path-utils.js";
 /**
  * Parse JSON body
  */
+const MAX_BODY_SIZE = 10 * 1024 * 1024; // 10MB
+const BODY_TIMEOUT_MS = 30_000; // 30s
 async function parseJsonBody(req) {
     return new Promise((resolve, reject) => {
         let body = "";
-        req.on("data", (chunk) => (body += chunk));
+        let size = 0;
+        let timedOut = false;
+        const timer = setTimeout(() => {
+            timedOut = true;
+            req.destroy();
+            reject(new Error("Body read timeout"));
+        }, BODY_TIMEOUT_MS);
+        req.on("data", (chunk) => {
+            if (timedOut)
+                return;
+            size += typeof chunk === "string" ? Buffer.byteLength(chunk) : chunk.length;
+            if (size > MAX_BODY_SIZE) {
+                clearTimeout(timer);
+                req.destroy();
+                reject(new Error(`Body exceeds ${MAX_BODY_SIZE} byte limit`));
+                return;
+            }
+            body += chunk;
+        });
         req.on("end", () => {
+            clearTimeout(timer);
+            if (timedOut)
+                return;
             try {
                 resolve(body ? JSON.parse(body) : {});
             }
@@ -29,7 +56,10 @@ async function parseJsonBody(req) {
                 reject(new Error("Invalid JSON"));
             }
         });
-        req.on("error", reject);
+        req.on("error", (err) => {
+            clearTimeout(timer);
+            reject(err);
+        });
     });
 }
 /**
@@ -91,7 +121,56 @@ export function createHttpServer(sessionManager) {
             handler,
         });
     }
+    // ── Credential materialization helper (shared by prompt and reload-credentials) ──
+    // Writes new files with .new suffix first, then atomically renames them into place.
+    // This prevents data loss if the process crashes between delete and write.
+    function materializeCredentials(payload, kubeconfigRef) {
+        const credDir = path.resolve(process.cwd(), loadConfig().paths.credentialsDir);
+        fs.mkdirSync(credDir, { recursive: true });
+        // Phase 1: Write new files with .new suffix (staging)
+        const stagedFiles = [];
+        for (const file of payload.files) {
+            const resolved = resolveUnderDir(credDir, file.name);
+            const staged = resolved + ".new";
+            fs.writeFileSync(staged, file.content, file.mode ? { mode: file.mode } : undefined);
+            stagedFiles.push(file.name);
+        }
+        // Stage manifest
+        const manifestPath = path.join(credDir, "manifest.json");
+        fs.writeFileSync(manifestPath + ".new", JSON.stringify(payload.manifest, null, 2));
+        // Phase 2: Remove old files
+        for (const entry of fs.readdirSync(credDir)) {
+            if (entry.endsWith(".new"))
+                continue; // skip staged files
+            fs.rmSync(path.join(credDir, entry), { recursive: true });
+        }
+        // Phase 3: Rename staged files into place (atomic per-file on same filesystem)
+        for (const file of payload.files) {
+            const resolved = resolveUnderDir(credDir, file.name);
+            fs.renameSync(resolved + ".new", resolved);
+        }
+        fs.renameSync(manifestPath + ".new", manifestPath);
+        kubeconfigRef.credentialsDir = credDir;
+        return payload.files.length;
+    }
     // ==================== Routes ====================
+    /**
+     * GET /metrics - Prometheus metrics endpoint
+     */
+    addRoute("GET", "/metrics", async (req, res) => {
+        if (!checkMetricsAuth(req, res))
+            return;
+        const { metricsRegistry } = await import("../shared/metrics.js");
+        res.writeHead(200, { "Content-Type": metricsRegistry.contentType });
+        res.end(await metricsRegistry.metrics());
+    });
+    /**
+     * GET /api/internal/metrics-snapshot - export metrics snapshot for Gateway pull (K8s mode)
+     */
+    addRoute("GET", "/api/internal/metrics-snapshot", async (_req, res) => {
+        const { localCollector } = await import("../shared/local-collector.js");
+        sendJson(res, 200, localCollector.exportSnapshot());
+    });
     /**
      * GET /health - health check
      */
@@ -128,22 +207,21 @@ export function createHttpServer(sessionManager) {
             return;
         }
         const managed = await sessionManager.getOrCreate(body.sessionId, body.mode, body.brainType);
-        // Materialize credential files from payload (sent by gateway in prompt body)
-        if (body.credentials?.files?.length) {
-            const credDir = path.resolve(process.cwd(), loadConfig().paths.credentialsDir);
-            fs.mkdirSync(credDir, { recursive: true });
-            // Clear existing files
-            for (const entry of fs.readdirSync(credDir)) {
-                fs.rmSync(path.join(credDir, entry), { recursive: true });
-            }
-            // Write credential files
-            for (const file of body.credentials.files) {
-                fs.writeFileSync(path.join(credDir, file.name), file.content, file.mode ? { mode: file.mode } : undefined);
-            }
-            // Write manifest
-            fs.writeFileSync(path.join(credDir, "manifest.json"), JSON.stringify(body.credentials.manifest, null, 2));
-            managed.kubeconfigRef.credentialsDir = credDir;
-            console.log(`[agentbox-http] Materialized ${body.credentials.files.length} credential files to ${credDir}`);
+        // Materialize credential files from payload (sent by gateway in prompt body).
+        // Always call when credentials payload is present — even with empty files —
+        // so stale credential files from prior sessions are cleaned up.
+        if (body.credentials) {
+            try {
+                const count = materializeCredentials(body.credentials, managed.kubeconfigRef);
+                if (count > 0) {
+                    console.log(`[agentbox-http] Materialized ${count} credential files`);
+                }
+            }
+            catch (err) {
+                console.error(`[agentbox-http] Failed to materialize credentials for session ${managed.id}:`, err);
+                sendJson(res, 500, { error: "Failed to materialize credentials" });
+                return;
+            }
         }
         // Dynamically register provider config from gateway DB (before findModel)
         if (body.modelConfig && body.modelProvider && managed.brain.registerProvider) {
@@ -238,10 +316,52 @@ export function createHttpServer(sessionManager) {
                 console.log(`[agentbox-http] DP exited for SDK brain, session ${managed.id}`);
             }
         }
+        // --- Language detection: inject explicit instruction so model doesn't guess ---
+        const detectedLang = detectLanguage(body.text);
+        if (detectedLang !== "English") {
+            promptText = `[System: respond in ${detectedLang}]\n${promptText}`;
+        }
+        // Programmatically update PROFILE.md Language field (code-level, not model-dependent).
+        // Only update on non-English detection to avoid flapping: English is the default,
+        // so we only persist when the user actively uses another language.
+        if (detectedLang !== "English") {
+            try {
+                const cfg = loadConfig();
+                const userDataDir = process.env.SICLAW_USER_DATA_DIR || cfg.paths.userDataDir;
+                const profilePath = path.resolve(userDataDir, "memory", "PROFILE.md");
+                if (fs.existsSync(profilePath)) {
+                    const content = fs.readFileSync(profilePath, "utf-8");
+                    const currentLangMatch = content.match(/\*\*Language\*\*:\s*(.+)/i);
+                    const currentLang = currentLangMatch?.[1]?.trim();
+                    if (currentLang !== detectedLang) {
+                        const updated = content.replace(/(\*\*Language\*\*:\s*).+/i, `$1${detectedLang}`);
+                        fs.writeFileSync(profilePath, updated);
+                    }
+                }
+            }
+            catch { /* best-effort, don't block prompt */ }
+        }
         // Execute prompt asynchronously; notify SSE to close on completion
-        console.log(`[agentbox-http] Starting prompt for session ${managed.id}`);
+        console.log(`[agentbox-http] Starting prompt for session ${managed.id} [lang=${detectedLang}]`);
+        // Metrics: snapshot stats before prompt for delta calculation
+        const prevStats = managed.brain.getSessionStats();
+        const promptStartTime = Date.now();
+        let promptOutcome = "completed";
         const actuallyFinish = () => {
             managed._promptDone = true;
+            // Emit prompt metrics via diagnostic event bus
+            const currStats = managed.brain.getSessionStats();
+            const model = managed.brain.getModel();
+            emitDiagnostic({
+                type: "prompt_complete",
+                sessionId: managed.id,
+                prev: prevStats,
+                curr: currStats,
+                model,
+                durationMs: Date.now() - promptStartTime,
+                outcome: promptOutcome,
+                userId: sessionManager.userId,
+            });
             // Stop buffering
             if (managed._bufferUnsub) {
                 managed._bufferUnsub();
@@ -281,9 +401,11 @@ export function createHttpServer(sessionManager) {
         };
         managed.brain.prompt(promptText).then(() => {
             console.log(`[agentbox-http] Prompt completed for session ${managed.id}`);
+            promptOutcome = "completed";
             onPromptFinish();
         }).catch((err) => {
             console.error(`[agentbox-http] Prompt error for session ${managed.id}:`, err);
+            promptOutcome = "error";
             onPromptFinish();
         });
         sendJson(res, 200, { ok: true, sessionId: managed.id, brainType: managed.brainType });
@@ -528,6 +650,49 @@ export function createHttpServer(sessionManager) {
             }
         });
     }
+    /**
+     * POST /api/reload-credentials — push-based credential update from Gateway
+     *
+     * Accepts the same {manifest, files} payload as the prompt body's credentials
+     * field and re-materializes credential files on disk. This allows the Gateway
+     * to push credential changes (kubeconfig upload/delete, credential CRUD)
+     * without waiting for the next prompt.
+     */
+    addRoute("POST", "/api/reload-credentials", async (req, res) => {
+        const body = (await parseJsonBody(req));
+        if (!body.manifest) {
+            sendJson(res, 400, { error: "Missing 'manifest' field" });
+            return;
+        }
+        // Each AgentBox pod serves exactly one user (one-pod-per-workspace in K8s mode,
+        // one in-process instance per user in local mode). All sessions within this
+        // AgentBox belong to the same user, so updating any session's kubeconfigRef is correct.
+        const sessions = sessionManager.list();
+        const kubeconfigRef = sessions.length > 0
+            ? sessions[0].kubeconfigRef
+            : { credentialsDir: undefined };
+        const payload = { manifest: body.manifest, files: body.files ?? [] };
+        try {
+            // Use atomic materializeCredentials for both populate and clear paths
+            const count = materializeCredentials(payload, kubeconfigRef);
+            if (count > 0) {
+                console.log(`[agentbox-http] Credentials reloaded: ${count} files materialized`);
+            }
+            else {
+                console.log("[agentbox-http] Credentials cleared (empty payload)");
+            }
+        }
+        catch (err) {
+            console.error("[agentbox-http] Failed to reload credentials:", err);
+            sendJson(res, 500, { error: "Failed to materialize credentials" });
+            return;
+        }
+        // Update kubeconfigRef on all active sessions
+        for (const session of sessions) {
+            session.kubeconfigRef.credentialsDir = kubeconfigRef.credentialsDir;
+        }
+        sendJson(res, 200, { ok: true, count: payload.files.length });
+    });
     /**
      * GET /api/models - list available models (read from settings.json)
      */