siclaw 0.1.2 → 0.1.4

package/dist/gateway/rpc-methods.js

@@ -21,8 +21,8 @@ import { ModelConfigRepository } from "./db/repositories/model-config-repo.js";
 import { CredentialRepository } from "./db/repositories/credential-repo.js";
 import { WorkspaceRepository } from "./db/repositories/workspace-repo.js";
 import { SystemConfigRepository } from "./db/repositories/system-config-repo.js";
-import { EnvironmentRepository } from "./db/repositories/env-repo.js";
-import { UserEnvConfigRepository } from "./db/repositories/user-env-config-repo.js";
+import { ClusterRepository } from "./db/repositories/cluster-repo.js";
+import { UserClusterConfigRepository } from "./db/repositories/user-cluster-config-repo.js";
 import { getLabelsForSkill, batchGetLabels, listAllLabels } from "./skill-labels.js";
 import { McpServerRepository } from "./db/repositories/mcp-server-repo.js";
 import { SkillFileWriter } from "./skills/file-writer.js";
@@ -31,11 +31,16 @@ import { ScriptEvaluator } from "./skills/script-evaluator.js";
 import { SkillVersionRepository } from "./db/repositories/skill-version-repo.js";
 import { createTwoFilesPatch } from "diff";
 import yaml from "js-yaml";
+import { CRON_LIMITS } from "../cron/cron-limits.js";
+import { parseCronExpression, getAverageIntervalMs } from "../cron/cron-matcher.js";
 import { buildSkillBundle } from "./skills/skill-bundle.js";
 import { buildRedactionConfig, redactText } from "./output-redactor.js";
 import { RESOURCE_DESCRIPTORS } from "../shared/resource-sync.js";
 import { sql, gte, sum, count } from "drizzle-orm";
 import { sessionStats } from "./db/schema.js";
+import { KnowledgeDocRepository } from "./db/repositories/knowledge-doc-repo.js";
+import { resolveUnderDir } from "../shared/path-utils.js";
+import { loadConfig } from "../core/config.js";
 function requireAuth(context) {
     const userId = context.auth?.userId;
     if (!userId)
@@ -69,7 +74,58 @@ function apiServerHostMatch(kubeconfigServer, envApiServer) {
         return false;
     }
 }
-export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, activePromptUsers, agentBoxTlsOptions, resourceNotifier, metricsAggregator, cronService) {
+// ── Feedback enrichment helpers ──────────────────────
+/**
+ * Read the session-feedback SKILL.md content, stripping YAML frontmatter.
+ * Uses import.meta.url to resolve the package root (works in both dev and K8s).
+ */
+const _feedbackModDir = path.dirname(fileURLToPath(import.meta.url));
+const _feedbackPkgRoot = path.resolve(_feedbackModDir, "..", "..");
+let _feedbackSkillCache = null;
+async function readFeedbackSkillContent() {
+    if (_feedbackSkillCache)
+        return _feedbackSkillCache;
+    const skillPath = path.join(_feedbackPkgRoot, "skills", "core", "session-feedback", "SKILL.md");
+    const raw = await fs.promises.readFile(skillPath, "utf-8");
+    // Strip YAML frontmatter (between --- delimiters)
+    const stripped = raw.replace(/^---[\s\S]*?---\s*/, "").trim();
+    _feedbackSkillCache = stripped;
+    return stripped;
+}
+/**
+ * Build a markdown timeline of the session's diagnostic activity.
+ */
+async function buildSessionTimeline(chatRepo, sessionId) {
+    const msgs = await chatRepo.getMessages(sessionId, { limit: 200 });
+    if (msgs.length === 0)
+        return "_No messages in this session._";
+    const lines = [];
+    let stepNum = 0;
+    for (const msg of msgs) {
+        if (msg.role === "user") {
+            // Skip feedback sentinel messages from timeline
+            if (msg.content.startsWith("[Feedback]"))
+                continue;
+            stepNum++;
+            const preview = msg.content.length > 100 ? msg.content.slice(0, 100) + "..." : msg.content;
+            lines.push(`${stepNum}. **User**: ${preview}`);
+        }
+        else if (msg.role === "tool" && msg.toolName) {
+            stepNum++;
+            const outcome = msg.outcome ?? "unknown";
+            const duration = msg.durationMs != null ? ` (${msg.durationMs}ms)` : "";
+            lines.push(`${stepNum}. **Tool** \`${msg.toolName}\`: ${outcome}${duration}`);
+        }
+        else if (msg.role === "assistant") {
+            // Summarize assistant messages briefly
+            const preview = msg.content.length > 100 ? msg.content.slice(0, 100) + "..." : msg.content;
+            stepNum++;
+            lines.push(`${stepNum}. **Assistant**: ${preview}`);
+        }
+    }
+    return lines.join("\n");
+}
+export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, activePromptUsers, agentBoxTlsOptions, resourceNotifier, metricsAggregator, cronService, knowledgeIndexer) {
     const methods = new Map();
     // Initialize repositories (null-safe — methods check before use)
     const chatRepo = db ? new ChatRepository(db) : null;
@@ -86,9 +142,10 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
     const workspaceRepo = db ? new WorkspaceRepository(db) : null;
     const sysConfigRepo = db ? new SystemConfigRepository(db) : null;
     const mcpRepo = db ? new McpServerRepository(db) : null;
+    const knowledgeDocRepo = db ? new KnowledgeDocRepository(db) : null;
     const skillContentRepo = db ? new SkillContentRepository(db) : null;
-    const envRepo = db ? new EnvironmentRepository(db) : null;
-    const userEnvConfigRepo = db ? new UserEnvConfigRepository(db) : null;
+    const clusterRepo = db ? new ClusterRepository(db) : null;
+    const userClusterConfigRepo = db ? new UserClusterConfigRepository(db) : null;
     const scriptEvaluator = new ScriptEvaluator(modelConfigRepo);
     /** Resolve workspaceId for a session from DB */
     async function resolveSessionWorkspace(sessionId) {
@@ -366,12 +423,14 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
                 content: message,
             });
             await chatRepo.incrementMessageCount(sessionId);
-            // Update session metadata (title/preview)
-            const title = message.length > 40 ? message.slice(0, 40) + "..." : message;
-            await chatRepo.updateSessionMeta(sessionId, {
-                title,
-                preview: message.slice(0, 100),
-            });
+            // Update session metadata (title/preview) — skip for feedback sentinel
+            if (!message.startsWith("[Feedback]")) {
+                const title = message.length > 40 ? message.slice(0, 40) + "..." : message;
+                await chatRepo.updateSessionMeta(sessionId, {
+                    title,
+                    preview: message.slice(0, 100),
+                });
+            }
         }
         if (!sessionId)
             throw new Error("Failed to create session");
@@ -417,8 +476,30 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             podEnv,
         });
         const client = new AgentBoxClient(handle.endpoint, 30000, agentBoxTlsOptions);
+        // === Feedback enrichment (system-level) ===
+        let promptText = message;
+        if (message.startsWith("[Feedback]") && !chatRepo) {
+            throw new Error("Feedback requires a database connection (not available in TUI mode).");
+        }
+        if (message.startsWith("[Feedback]") && chatRepo) {
+            try {
+                const skillContent = await readFeedbackSkillContent();
+                const timeline = await buildSessionTimeline(chatRepo, sessionId);
+                promptText = [
+                    "## Session Feedback Instructions\n",
+                    skillContent,
+                    "\n## Current Session Diagnostic Timeline\n",
+                    timeline,
+                    "\n---\nThe user has requested a feedback session. Begin the interactive review now.",
+                ].join("\n");
+            }
+            catch (err) {
+                const reason = err instanceof Error ? err.message : String(err);
+                throw new Error(`Feedback system unavailable: ${reason}`);
+            }
+        }
         // Send prompt
-        const result = await client.prompt({ sessionId, text: message, modelProvider, modelId, brainType, modelConfig, credentials });
+        const result = await client.prompt({ sessionId, text: promptText, modelProvider, modelId, brainType, modelConfig, credentials });
         console.log(`[rpc] prompt sent → sessionId=${result.sessionId}`);
         // Build redaction config from credential payload + model secrets (sanitize outbound WS stream)
         const sensitiveStrings = [];
@@ -943,7 +1024,6 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         }
         // Fallback: read from settings.json mcpServers (CLI / no-DB mode)
         try {
-            const { loadConfig } = await import("../core/config.js");
             const config = loadConfig();
             const servers = [];
             for (const [name, serverConfig] of Object.entries(config.mcpServers ?? {})) {
@@ -1041,6 +1121,155 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         await notifyMcpChange();
         return { id, enabled: newEnabled };
     });
+    // ── Knowledge Base ────────────────────────────────
+    const knowledgeDir = path.resolve(process.cwd(), loadConfig().paths.knowledgeDir);
+    methods.set("kb.list", async (_params, context) => {
+        requireAdmin(context);
+        if (!knowledgeDocRepo)
+            throw new Error("Database not available");
+        const rows = await knowledgeDocRepo.list();
+        return {
+            docs: rows.map((r) => ({
+                id: r.id,
+                name: r.name,
+                filePath: r.filePath,
+                sizeBytes: r.sizeBytes,
+                chunkCount: r.chunkCount,
+                uploadedBy: r.uploadedBy,
+                createdAt: r.createdAt?.toISOString(),
+                updatedAt: r.updatedAt?.toISOString(),
+            })),
+        };
+    });
+    methods.set("kb.get", async (params, context) => {
+        requireAdmin(context);
+        if (!knowledgeDocRepo)
+            throw new Error("Database not available");
+        const id = params.id;
+        if (!id)
+            throw new Error("Missing required param: id");
+        const doc = await knowledgeDocRepo.getById(id);
+        if (!doc)
+            throw new Error("Document not found");
+        // Read file content (path traversal protected)
+        const fullPath = resolveUnderDir(knowledgeDir, doc.filePath);
+        let content = "";
+        if (fs.existsSync(fullPath)) {
+            content = fs.readFileSync(fullPath, "utf-8");
+        }
+        else {
+            console.warn(`[kb-rpc] kb.get: file missing on disk for doc id=${id} path=${doc.filePath}`);
+        }
+        return {
+            id: doc.id,
+            name: doc.name,
+            filePath: doc.filePath,
+            sizeBytes: doc.sizeBytes,
+            chunkCount: doc.chunkCount,
+            uploadedBy: doc.uploadedBy,
+            createdAt: doc.createdAt?.toISOString(),
+            updatedAt: doc.updatedAt?.toISOString(),
+            content,
+        };
+    });
+    methods.set("kb.upload", async (params, context) => {
+        requireAdmin(context);
+        if (!knowledgeDocRepo)
+            throw new Error("Database not available");
+        const name = params.name;
+        const content = params.content;
+        if (!name)
+            throw new Error("Missing required param: name");
+        if (!content)
+            throw new Error("Missing required param: content");
+        // Size limit: 5MB
+        const MAX_CONTENT_SIZE = 5 * 1024 * 1024;
+        const sizeBytes = Buffer.byteLength(content, "utf-8");
+        if (sizeBytes > MAX_CONTENT_SIZE) {
+            throw new Error(`Content too large: ${(sizeBytes / 1024 / 1024).toFixed(1)}MB exceeds 5MB limit`);
+        }
+        // Generate unique ID first, then build filename with ID prefix to avoid TOCTOU races
+        const docId = crypto.randomBytes(12).toString("hex");
+        let sanitized = name
+            .replace(/[^a-zA-Z0-9_\-. ]/g, "_")
+            .replace(/\s+/g, "_")
+            .replace(/_+/g, "_")
+            .replace(/^_|_$/g, "");
+        if (!sanitized)
+            sanitized = "document";
+        const baseName = sanitized.endsWith(".md") ? sanitized.slice(0, -3) : sanitized;
+        const filePath = `${baseName}_${docId.slice(0, 8)}.md`;
+        if (!fs.existsSync(knowledgeDir)) {
+            fs.mkdirSync(knowledgeDir, { recursive: true });
+        }
+        const fullPath = resolveUnderDir(knowledgeDir, filePath);
+        // Write file, then insert DB record (clean up file on DB failure)
+        fs.writeFileSync(fullPath, content, "utf-8");
+        try {
+            await knowledgeDocRepo.create({
+                id: docId,
+                name,
+                filePath,
+                sizeBytes,
+                uploadedBy: context.auth?.userId,
+            });
+        }
+        catch (err) {
+            // Clean up orphaned file on DB insert failure
+            try {
+                fs.unlinkSync(fullPath);
+            }
+            catch { /* best-effort cleanup */ }
+            throw err;
+        }
+        console.log(`[kb-rpc] kb.upload: name=${name}, file=${filePath}, size=${sizeBytes}, by=${context.auth?.username}`);
+        // Sync indexer and update chunk count
+        if (knowledgeIndexer) {
+            try {
+                await knowledgeIndexer.sync();
+                const chunkCount = knowledgeIndexer.countChunksByFile(filePath);
+                await knowledgeDocRepo.updateChunkCount(docId, chunkCount);
+            }
+            catch (err) {
+                console.warn("[kb-rpc] Knowledge indexer sync failed:", err);
+            }
+        }
+        return { id: docId, name };
+    });
+    methods.set("kb.delete", async (params, context) => {
+        requireAdmin(context);
+        if (!knowledgeDocRepo)
+            throw new Error("Database not available");
+        const id = params.id;
+        if (!id)
+            throw new Error("Missing required param: id");
+        const doc = await knowledgeDocRepo.getById(id);
+        if (!doc)
+            throw new Error("Document not found");
+        // Delete metadata first (authoritative source of truth)
+        await knowledgeDocRepo.delete(id);
+        console.log(`[kb-rpc] kb.delete: id=${id}, name=${doc.name}, by=${context.auth?.username}`);
+        // Then delete file from disk (best-effort, path traversal protected)
+        try {
+            const fullPath = resolveUnderDir(knowledgeDir, doc.filePath);
+            if (fs.existsSync(fullPath)) {
+                fs.unlinkSync(fullPath);
+            }
+        }
+        catch (err) {
+            console.warn(`[kb-rpc] kb.delete: file cleanup failed for ${doc.filePath}:`, err);
+        }
+        // Sync indexer to remove orphaned chunks
+        if (knowledgeIndexer) {
+            try {
+                await knowledgeIndexer.sync();
+            }
+            catch (err) {
+                console.warn("[kb-rpc] Knowledge indexer sync failed after delete:", err);
+            }
+        }
+        return { ok: true };
+    });
     methods.set("chat.steer", async (params, context) => {
         const userId = requireAuth(context);
         const text = params.text;
@@ -1479,12 +1708,15 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         const userId = requireAuth(context);
         const username = context.auth.username;
         const name = params.name;
-        const description = params.description;
         const type = params.type;
         const specs = params.specs;
         const rawScripts = params.scripts;
         if (!name)
             throw new Error("Missing required param: name");
+        // Auto-extract description from specs frontmatter; fall back to explicit param
+        const description = specs
+            ? skillWriter.parseFrontmatter(specs).description || params.description
+            : params.description;
         // Resolve scripts: if content is missing, copy from user uploads directory
         let scripts;
         if (rawScripts && rawScripts.length > 0) {
@@ -1721,28 +1953,34 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         const specs = params.specs;
         const rawScripts = params.scripts;
         // Resolve scripts: if content is missing, try DB then uploads dir then existing skill files
+        // NOTE: an explicit empty array means "delete all scripts" — do NOT fall back to existing
         let scripts;
-        if (rawScripts && rawScripts.length > 0) {
-            const uploadsDir = path.join(skillsDir, "user", userId, "uploads");
-            let existingFiles = null;
-            if (skillContentRepo) {
-                existingFiles = await skillContentRepo.read(skillId, "working");
+        if (Array.isArray(rawScripts)) {
+            if (rawScripts.length === 0) {
+                scripts = [];
             }
-            const existingScriptsMap = new Map((existingFiles?.scripts ?? []).map((s) => [s.name, s.content]));
-            scripts = rawScripts.map((s) => {
-                if (s.content)
-                    return { name: s.name, content: s.content };
-                // Try existing skill scripts
-                const existing = existingScriptsMap.get(s.name);
-                if (existing)
-                    return { name: s.name, content: existing };
-                // Try uploads directory
-                const uploadPath = path.join(uploadsDir, s.name);
-                if (fs.existsSync(uploadPath)) {
-                    return { name: s.name, content: fs.readFileSync(uploadPath, "utf-8") };
+            else {
+                const uploadsDir = path.join(skillsDir, "user", userId, "uploads");
+                let existingFiles = null;
+                if (skillContentRepo) {
+                    existingFiles = await skillContentRepo.read(skillId, "working");
                 }
-                throw new Error(`Script "${s.name}" content not found`);
-            });
+                const existingScriptsMap = new Map((existingFiles?.scripts ?? []).map((s) => [s.name, s.content]));
+                scripts = rawScripts.map((s) => {
+                    if (s.content)
+                        return { name: s.name, content: s.content };
+                    // Try existing skill scripts
+                    const existing = existingScriptsMap.get(s.name);
+                    if (existing)
+                        return { name: s.name, content: existing };
+                    // Try uploads directory
+                    const uploadPath = path.join(uploadsDir, s.name);
+                    if (fs.existsSync(uploadPath)) {
+                        return { name: s.name, content: fs.readFileSync(uploadPath, "utf-8") };
+                    }
+                    throw new Error(`Script "${s.name}" content not found`);
+                });
+            }
         }
         // Save content to DB
         if (skillContentRepo) {
@@ -1756,8 +1994,15 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         }
         // Update DB metadata (name and dirName are immutable after creation)
         const updates = {};
-        if (params.description !== undefined)
+        // Auto-extract description from specs frontmatter
+        if (specs) {
+            const extracted = skillWriter.parseFrontmatter(specs).description;
+            if (extracted)
+                updates.description = extracted;
+        }
+        else if (params.description !== undefined) {
             updates.description = params.description;
+        }
         if (params.type)
             updates.type = params.type;
         if (params.labels !== undefined) {
@@ -1800,6 +2045,11 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         // Clean up version records
         if (skillVersionRepo)
             await skillVersionRepo.deleteForSkill(skillId);
+        // Clean up orphaned notifications (approval/contribution requests)
+        if (notifRepo) {
+            await notifRepo.dismissByTypeAndRelatedId("skill_review_requested", skillId);
+            await notifRepo.dismissByTypeAndRelatedId("contribution_review_requested", skillId);
+        }
         // Delete from DB (CASCADE deletes skill_contents)
         await skillRepo.deleteById(skillId);
         // Notify reload
@@ -1849,9 +2099,12 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         const meta = await skillRepo.getById(skillId);
         if (!meta)
             throw new Error("Skill not found");
-        // Personal skills: only author can view diffs
+        // Personal skills: only author or reviewer can view diffs
         if (meta.scope === "personal" && meta.authorId !== userId) {
-            throw new Error("Skill not found");
+            const isReviewer = context.auth?.username === "admin" ||
+                (permRepo ? await permRepo.hasPermission(userId, "skill_reviewer") : false);
+            if (!isReviewer)
+                throw new Error("Skill not found");
         }
         /** Build a unified diff string for specs + all scripts between two SkillFiles */
         function buildFullDiff(oldFiles, newFiles, oldPrefix, newPrefix) {
@@ -2342,14 +2595,60 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         const description = params.description;
         const schedule = params.schedule;
         const status = params.status ?? "active";
+        const skillId = params.skillId;
         const existingId = params.id;
         const workspaceId = params.workspaceId;
+        // ── Validation chain ──────────────────────────
+        // 1. Syntax validation
+        parseCronExpression(schedule);
+        // 2. Ownership check on update
+        let existingJob = null;
+        if (existingId) {
+            existingJob = await configRepo.getCronJobById(existingId);
+            if (!existingJob)
+                throw new Error("Job not found");
+            if (existingJob.userId !== userId)
+                throw new Error("Forbidden");
+        }
+        // 3. Interval check (skip if updating without changing schedule)
+        const scheduleChanged = !existingJob || existingJob.schedule !== schedule;
+        if (scheduleChanged) {
+            const { avg, min } = getAverageIntervalMs(schedule, CRON_LIMITS.INTERVAL_SAMPLE_COUNT);
+            if (min < CRON_LIMITS.ABSOLUTE_MIN_GAP_MS) {
+                const floorMin = Math.round(CRON_LIMITS.ABSOLUTE_MIN_GAP_MS / 60_000);
+                throw new Error(`Schedule has burst firing: minimum gap between executions must be at least ${floorMin} minutes`);
+            }
+            if (avg < CRON_LIMITS.MIN_INTERVAL_MS) {
+                const limitMin = Math.round(CRON_LIMITS.MIN_INTERVAL_MS / 60_000);
+                throw new Error(`Schedule interval too short: minimum ${limitMin} minutes between executions`);
+            }
+        }
+        // 4. Active job quota
+        if (status === "active") {
+            const activeCount = await configRepo.countActiveJobsByUser(userId);
+            // If updating an already-active job, it's already counted
+            const alreadyCounted = existingJob?.status === "active" ? 1 : 0;
+            if (activeCount - alreadyCounted >= CRON_LIMITS.MAX_ACTIVE_JOBS_PER_USER) {
+                throw new Error(`Active job limit reached (max ${CRON_LIMITS.MAX_ACTIVE_JOBS_PER_USER})`);
+            }
+        }
+        // 5. Skill ownership validation
+        if (skillId && skillRepo) {
+            const skill = await skillRepo.getById(skillId);
+            if (!skill)
+                throw new Error(`Skill not found: ${skillId}`);
+            // Allow builtin + team skills for everyone; personal skills only for the author
+            if (skill.scope === "personal" && skill.authorId !== userId) {
+                throw new Error("Forbidden: cannot use another user's personal skill");
+            }
+        }
+        // ── Persist ───────────────────────────────────
         const id = await configRepo.saveCronJob(userId, {
             id: existingId,
             name,
             description,
             schedule,
-            skillId: params.skillId,
+            skillId,
             status,
             workspaceId: workspaceId ?? null,
         });
@@ -2360,7 +2659,7 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             else {
                 cronService.addOrUpdate({
                     id, userId, name, description: description ?? null, schedule, status,
-                    skillId: params.skillId ?? null, assignedTo: null,
+                    skillId: skillId ?? null, assignedTo: null,
                     lastRunAt: null, lastResult: null, lockedBy: null, lockedAt: null,
                     workspaceId: workspaceId ?? null,
                 });
@@ -2408,6 +2707,24 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             throw new Error("Job not found");
         if (job.userId !== userId)
             throw new Error("Forbidden");
+        // ── Rate-limit checks when activating ──────────
+        if (status === "active" && job.status !== "active") {
+            // Interval check (prevents re-activating a high-frequency job)
+            const { avg, min } = getAverageIntervalMs(job.schedule, CRON_LIMITS.INTERVAL_SAMPLE_COUNT);
+            if (min < CRON_LIMITS.ABSOLUTE_MIN_GAP_MS) {
+                const floorMin = Math.round(CRON_LIMITS.ABSOLUTE_MIN_GAP_MS / 60_000);
+                throw new Error(`Schedule has burst firing: minimum gap between executions must be at least ${floorMin} minutes`);
+            }
+            if (avg < CRON_LIMITS.MIN_INTERVAL_MS) {
+                const limitMin = Math.round(CRON_LIMITS.MIN_INTERVAL_MS / 60_000);
+                throw new Error(`Schedule interval too short: minimum ${limitMin} minutes between executions`);
+            }
+            // Active job quota
+            const activeCount = await configRepo.countActiveJobsByUser(userId);
+            if (activeCount >= CRON_LIMITS.MAX_ACTIVE_JOBS_PER_USER) {
+                throw new Error(`Active job limit reached (max ${CRON_LIMITS.MAX_ACTIVE_JOBS_PER_USER})`);
+            }
+        }
         // Update status
         await configRepo.saveCronJob(userId, {
             id,
@@ -2631,6 +2948,11 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         // Clean up votes
         if (voteRepo)
             await voteRepo.deleteForSkill(skillId);
+        // Clean up orphaned notifications (approval/contribution requests for deleted team skill)
+        if (notifRepo) {
+            await notifRepo.dismissByTypeAndRelatedId("skill_review_requested", skillId);
+            await notifRepo.dismissByTypeAndRelatedId("contribution_review_requested", skillId);
+        }
         // Notify author
         const authorId = sourceSkill?.authorId ?? meta.authorId;
         if (notifRepo && authorId) {
@@ -2696,11 +3018,14 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             throw new Error("Missing required param: id");
         if (!skillReviewRepo)
             return { reviews: [] };
-        // Personal skills: only author can view reviews
+        // Personal skills: only author or reviewer can view reviews
         if (skillRepo) {
             const meta = await skillRepo.getById(skillId);
             if (meta && meta.scope === "personal" && meta.authorId !== userId) {
-                throw new Error("Skill not found");
+                const isReviewer = context.auth?.username === "admin" ||
+                    (permRepo ? await permRepo.hasPermission(userId, "skill_reviewer") : false);
+                if (!isReviewer)
+                    throw new Error("Skill not found");
             }
         }
         const reviews = await skillReviewRepo.listForSkill(skillId);
@@ -2734,6 +3059,11 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             contributionStatus: "none",
             stagingVersion: 0,
         });
+        // Clean up orphaned notifications (approval/contribution requests)
+        if (notifRepo) {
+            await notifRepo.dismissByTypeAndRelatedId("skill_review_requested", skillId);
+            await notifRepo.dismissByTypeAndRelatedId("contribution_review_requested", skillId);
+        }
         notifySkillReload(userId);
         return { status: "withdrawn", wasNew: false };
     });
@@ -2947,7 +3277,7 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         if (!name)
             throw new Error("Missing required param: name");
         if (type === "kubeconfig") {
-            throw new Error("Kubeconfig credentials are now managed via Environments. Use userEnvConfig.set instead.");
+            throw new Error("Kubeconfig credentials are now managed via Clusters. Use userClusterConfig.set instead.");
         }
         if (!type || !CREDENTIAL_TYPES.includes(type)) {
             throw new Error(`Invalid credential type. Must be one of: ${CREDENTIAL_TYPES.join(", ")}`);
@@ -2998,12 +3328,12 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         return { status: "deleted" };
     });
     // ─────────────────────────────────────────────────
-    // Environment Methods (admin-only)
+    // Cluster Methods (admin-only)
     // ─────────────────────────────────────────────────
-    methods.set("environment.list", async (_params, context) => {
+    methods.set("cluster.list", async (_params, context) => {
         const userId = requireAuth(context);
-        if (!envRepo)
-            return { environments: [], isAdmin: false };
+        if (!clusterRepo)
+            return { clusters: [], isAdmin: false };
         const isAdmin = isAdminUser(context);
         // Check testOnly
         let isTestOnly = false;
@@ -3011,20 +3341,22 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             const dbUser = await userRepo.getById(userId);
             isTestOnly = dbUser?.testOnly ?? false;
         }
-        const allEnvs = await envRepo.list();
-        const visibleEnvs = isTestOnly ? allEnvs.filter((e) => e.isTest) : allEnvs;
+        const allClusters = await clusterRepo.list();
+        const visibleClusters = isTestOnly ? allClusters.filter((e) => e.isTest) : allClusters;
         // Fetch user's kubeconfig status
-        const userConfigs = userEnvConfigRepo ? await userEnvConfigRepo.listForUser(userId) : [];
-        const configMap = new Map(userConfigs.map((c) => [c.envId, c]));
+        const userConfigs = userClusterConfigRepo ? await userClusterConfigRepo.listForUser(userId) : [];
+        const configMap = new Map(userConfigs.map((c) => [c.clusterId, c]));
         return {
             isAdmin,
-            environments: visibleEnvs.map((e) => ({
+            clusters: visibleClusters.map((e) => ({
                 id: e.id,
                 name: e.name,
+                infraContext: e.infraContext ?? null,
                 isTest: e.isTest,
                 apiServer: e.apiServer,
                 allowedServers: e.allowedServers ? e.allowedServers.split(",").map((s) => s.trim()).filter(Boolean) : [],
                 hasDefaultKubeconfig: !!e.defaultKubeconfig,
+                debugImage: e.debugImage ?? null,
                 hasUserKubeconfig: configMap.has(e.id),
                 userConfigUpdatedAt: configMap.get(e.id)?.updatedAt?.toISOString?.() ?? configMap.get(e.id)?.updatedAt ?? null,
                 createdBy: e.createdBy,
@@ -3033,16 +3365,18 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             })),
         };
     });
-    methods.set("environment.create", async (params, context) => {
+    methods.set("cluster.create", async (params, context) => {
         const userId = requireAdmin(context);
-        if (!envRepo)
+        if (!clusterRepo)
             throw new Error("Database not available");
         const name = params.name;
+        const infraContext = params.infraContext ?? null;
         const isTest = params.isTest;
         const apiServer = params.apiServer;
         const rawAllowedServers = params.allowedServers;
         const allowedServers = Array.isArray(rawAllowedServers) ? rawAllowedServers.join(", ") : rawAllowedServers;
         const defaultKubeconfig = params.defaultKubeconfig;
+        const debugImage = params.debugImage?.trim() || null;
         if (!name)
             throw new Error("Missing required param: name");
         if (!apiServer)
@@ -3062,20 +3396,21 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         if (defaultKubeconfig && !isTest) {
             throw new Error("defaultKubeconfig can only be set for test environments");
         }
-        const id = await envRepo.save({ name, isTest, apiServer, allowedServers: allowedServers || null, defaultKubeconfig: defaultKubeconfig ?? null }, userId);
+        const id = await clusterRepo.save({ name, infraContext, isTest, apiServer, allowedServers: allowedServers || null, defaultKubeconfig: defaultKubeconfig ?? null, debugImage }, userId);
         return { id, name };
     });
-    methods.set("environment.update", async (params, context) => {
+    methods.set("cluster.update", async (params, context) => {
         requireAdmin(context);
-        if (!envRepo)
+        if (!clusterRepo)
             throw new Error("Database not available");
         const id = params.id;
         if (!id)
             throw new Error("Missing required param: id");
-        const existing = await envRepo.getById(id);
+        const existing = await clusterRepo.getById(id);
         if (!existing)
-            throw new Error("Environment not found");
+            throw new Error("Cluster not found");
         const name = params.name ?? existing.name;
+        const infraContext = params.infraContext !== undefined ? params.infraContext : existing.infraContext;
         const apiServer = params.apiServer ?? existing.apiServer;
         const isTest = params.isTest !== undefined ? params.isTest : existing.isTest;
         const rawAllowed = params.allowedServers;
@@ -3083,6 +3418,7 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             ? (Array.isArray(rawAllowed) ? rawAllowed.join(", ") : rawAllowed)
             : existing.allowedServers;
         let defaultKubeconfig = params.defaultKubeconfig !== undefined ? params.defaultKubeconfig : existing.defaultKubeconfig;
+        const debugImage = params.debugImage !== undefined ? (params.debugImage?.trim() || null) : existing.debugImage;
         if (!apiServer?.trim()) {
             throw new Error("apiServer must be a non-empty string");
         }
@@ -3106,10 +3442,10 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             throw new Error("defaultKubeconfig can only be set for test environments");
         }
         const oldApiServer = existing.apiServer;
-        await envRepo.save({ id, name, isTest, apiServer, allowedServers, defaultKubeconfig });
+        await clusterRepo.save({ id, name, infraContext, isTest, apiServer, allowedServers, defaultKubeconfig, debugImage });
         // If apiServer changed, invalidate mismatched user kubeconfigs
-        if (userEnvConfigRepo && apiServer !== oldApiServer) {
-            const fullConfigs = await userEnvConfigRepo.listFullForEnv(id);
+        if (userClusterConfigRepo && apiServer !== oldApiServer) {
+            const fullConfigs = await userClusterConfigRepo.listFullForCluster(id);
             const affectedUserIds = new Set();
             for (const cfg of fullConfigs) {
                 try {
@@ -3118,13 +3454,13 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
                     const servers = clusters.map((c) => c.cluster?.server).filter(Boolean);
                     const matches = servers.some((s) => apiServerHostMatch(s, apiServer));
                     if (!matches) {
-                        await userEnvConfigRepo.remove(cfg.userId, id);
+                        await userClusterConfigRepo.remove(cfg.userId, id);
                         affectedUserIds.add(cfg.userId);
                     }
                 }
                 catch {
                     // If kubeconfig can't be parsed, remove it as invalid
-                    await userEnvConfigRepo.remove(cfg.userId, id);
+                    await userClusterConfigRepo.remove(cfg.userId, id);
                     affectedUserIds.add(cfg.userId);
                 }
             }
@@ -3135,25 +3471,25 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         }
         return { status: "updated" };
     });
-    methods.set("environment.delete", async (params, context) => {
+    methods.set("cluster.delete", async (params, context) => {
         requireAdmin(context);
-        if (!envRepo)
+        if (!clusterRepo)
             throw new Error("Database not available");
         const id = params.id;
         if (!id)
             throw new Error("Missing required param: id");
-        const existing = await envRepo.getById(id);
+        const existing = await clusterRepo.getById(id);
         if (!existing)
-            throw new Error("Environment not found");
+            throw new Error("Cluster not found");
         // Collect affected users before cleanup
         const affectedUserIds = new Set();
-        if (userEnvConfigRepo) {
-            const envConfigs = await userEnvConfigRepo.listForEnv(id);
+        if (userClusterConfigRepo) {
+            const envConfigs = await userClusterConfigRepo.listForCluster(id);
             for (const c of envConfigs)
                 affectedUserIds.add(c.userId);
-            await userEnvConfigRepo.removeAllForEnv(id);
+            await userClusterConfigRepo.removeAllForCluster(id);
         }
-        await envRepo.delete(id);
+        await clusterRepo.delete(id);
         // Push updated credentials to all affected users
         for (const uid of affectedUserIds) {
             pushCredentialsToUser(uid);
@@ -3161,54 +3497,54 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         return { status: "deleted" };
     });
     // ─────────────────────────────────────────────────
-    // User Environment Config Methods (kubeconfig upload)
+    // User Cluster Config Methods (kubeconfig upload)
     // ─────────────────────────────────────────────────
-    methods.set("userEnvConfig.list", async (_params, context) => {
+    methods.set("userClusterConfig.list", async (_params, context) => {
         const userId = requireAuth(context);
-        if (!envRepo || !userEnvConfigRepo)
+        if (!clusterRepo || !userClusterConfigRepo)
             return { configs: [] };
-        // Fetch all environments and user's configs
-        const allEnvs = await envRepo.list();
-        const userConfigs = await userEnvConfigRepo.listForUser(userId);
+        // Fetch all clusters and user's configs
+        const allClusters = await clusterRepo.list();
+        const userConfigs = await userClusterConfigRepo.listForUser(userId);
         // Check if user is testOnly
         let isTestOnly = false;
         if (userRepo) {
             const dbUser = await userRepo.getById(userId);
             isTestOnly = dbUser?.testOnly ?? false;
         }
-        // Filter out production environments for testOnly users
-        const visibleEnvs = isTestOnly ? allEnvs.filter((e) => e.isTest) : allEnvs;
-        const configMap = new Map(userConfigs.map((c) => [c.envId, c]));
+        // Filter out production clusters for testOnly users
+        const visibleClusters = isTestOnly ? allClusters.filter((e) => e.isTest) : allClusters;
+        const configMap = new Map(userConfigs.map((c) => [c.clusterId, c]));
         return {
-            configs: visibleEnvs.map((env) => ({
-                envId: env.id,
-                envName: env.name,
-                isTest: env.isTest,
-                apiServer: env.apiServer,
-                hasKubeconfig: configMap.has(env.id),
-                updatedAt: configMap.get(env.id)?.updatedAt ?? null,
+            configs: visibleClusters.map((cls) => ({
+                clusterId: cls.id,
+                clusterName: cls.name,
+                isTest: cls.isTest,
+                apiServer: cls.apiServer,
+                hasKubeconfig: configMap.has(cls.id),
+                updatedAt: configMap.get(cls.id)?.updatedAt ?? null,
             })),
         };
     });
-    methods.set("userEnvConfig.set", async (params, context) => {
+    methods.set("userClusterConfig.set", async (params, context) => {
         const userId = requireAuth(context);
-        if (!envRepo || !userEnvConfigRepo)
+        if (!clusterRepo || !userClusterConfigRepo)
             throw new Error("Database not available");
-        const envId = params.envId;
+        const clusterId = params.clusterId;
         const kubeconfig = params.kubeconfig;
-        if (!envId)
-            throw new Error("Missing required param: envId");
+        if (!clusterId)
+            throw new Error("Missing required param: clusterId");
         if (!kubeconfig)
             throw new Error("Missing required param: kubeconfig");
-        // Fetch environment
-        const env = await envRepo.getById(envId);
-        if (!env)
-            throw new Error("Environment not found");
+        // Fetch cluster
+        const cluster = await clusterRepo.getById(clusterId);
+        if (!cluster)
+            throw new Error("Cluster not found");
         // testOnly user check
         if (userRepo) {
             const dbUser = await userRepo.getById(userId);
-            if (dbUser?.testOnly && !env.isTest) {
-                throw new Error("Test-only users cannot configure production environments");
+            if (dbUser?.testOnly && !cluster.isTest) {
+                throw new Error("Test-only users cannot configure production clusters");
             }
         }
         // Parse and validate kubeconfig YAML
@@ -3220,23 +3556,23 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             throw new Error("Invalid kubeconfig: YAML parse error");
         }
         // Validate apiServer appears in kubeconfig clusters
-        const clusters = parsed?.clusters ?? [];
-        const servers = clusters.map((c) => c.cluster?.server).filter(Boolean);
-        if (!servers.some((s) => apiServerHostMatch(s, env.apiServer))) {
-            throw new Error(`Kubeconfig does not contain a cluster matching apiServer "${env.apiServer}"`);
+        const kubeClusters = parsed?.clusters ?? [];
+        const servers = kubeClusters.map((c) => c.cluster?.server).filter(Boolean);
+        if (!servers.some((s) => apiServerHostMatch(s, cluster.apiServer))) {
+            throw new Error(`Kubeconfig does not contain a cluster matching apiServer "${cluster.apiServer}"`);
         }
-        await userEnvConfigRepo.set(userId, envId, kubeconfig);
+        await userClusterConfigRepo.set(userId, clusterId, kubeconfig);
         pushCredentialsToUser(userId);
         return { status: "saved" };
     });
-    methods.set("userEnvConfig.remove", async (params, context) => {
+    methods.set("userClusterConfig.remove", async (params, context) => {
         const userId = requireAuth(context);
-        if (!userEnvConfigRepo)
+        if (!userClusterConfigRepo)
             throw new Error("Database not available");
-        const envId = params.envId;
-        if (!envId)
-            throw new Error("Missing required param: envId");
-        await userEnvConfigRepo.remove(userId, envId);
+        const clusterId = params.clusterId;
+        if (!clusterId)
+            throw new Error("Missing required param: clusterId");
+        await userClusterConfigRepo.remove(userId, clusterId);
         pushCredentialsToUser(userId);
         return { status: "removed" };
     });
@@ -3313,14 +3649,14 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
                     throw new Error("Test-only users cannot create production workspaces");
                 }
             }
-            // If changing to "test", verify all bound environments are test
-            if (params.envType === "test" && envRepo && workspaceRepo) {
-                const boundEnvIds = await workspaceRepo.getEnvironments(id);
-                if (boundEnvIds.length > 0) {
-                    const boundEnvs = await envRepo.listByIds(boundEnvIds);
-                    const nonTest = boundEnvs.filter((e) => !e.isTest);
+            // If changing to "test", verify all bound clusters are test
+            if (params.envType === "test" && clusterRepo && workspaceRepo) {
+                const boundClusterIds = await workspaceRepo.getClusters(id);
+                if (boundClusterIds.length > 0) {
+                    const boundClusters = await clusterRepo.listByIds(boundClusterIds);
+                    const nonTest = boundClusters.filter((e) => !e.isTest);
                     if (nonTest.length > 0) {
-                        throw new Error(`Cannot change to test type: workspace has ${nonTest.length} non-test environment(s) bound. Unbind them first.`);
+                        throw new Error(`Cannot change to test type: workspace has ${nonTest.length} non-test cluster(s) bound. Unbind them first.`);
                     }
                 }
             }
@@ -3357,25 +3693,25 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         const ws = await workspaceRepo.getById(id);
         if (!ws || ws.userId !== userId)
             throw new Error("Workspace not found");
-        const [wsSkills, wsTools, wsCreds, wsEnvIds] = await Promise.all([
+        const [wsSkills, wsTools, wsCreds, wsClusterIds] = await Promise.all([
             workspaceRepo.getSkills(id),
             workspaceRepo.getTools(id),
             workspaceRepo.getCredentials(id),
-            workspaceRepo.getEnvironments(id),
+            workspaceRepo.getClusters(id),
         ]);
-        // Fetch full environment details for bound environments
-        let envDetails = [];
-        if (envRepo && wsEnvIds.length > 0) {
-            const envs = await envRepo.listByIds(wsEnvIds);
-            envDetails = envs.map((e) => ({ id: e.id, name: e.name, isTest: e.isTest, apiServer: e.apiServer }));
+        // Fetch full cluster details for bound clusters
+        let clusterDetails = [];
+        if (clusterRepo && wsClusterIds.length > 0) {
+            const cls = await clusterRepo.listByIds(wsClusterIds);
+            clusterDetails = cls.map((e) => ({ id: e.id, name: e.name, isTest: e.isTest, apiServer: e.apiServer }));
         }
         return {
             workspace: ws,
             skills: wsSkills,
             tools: wsTools,
             credentials: wsCreds,
-            environments: wsEnvIds,
-            environmentDetails: envDetails,
+            clusters: wsClusterIds,
+            clusterDetails,
         };
     });
     methods.set("workspace.setSkills", async (params, context) => {
@@ -3446,44 +3782,44 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
         pushCredentialsToUser(userId);
         return { status: "updated" };
     });
-    methods.set("workspace.setEnvironments", async (params, context) => {
+    methods.set("workspace.setClusters", async (params, context) => {
         const userId = requireAuth(context);
         if (!workspaceRepo)
             throw new Error("Database not available");
         const workspaceId = params.workspaceId;
-        const envIds = params.envIds;
-        if (!workspaceId || !Array.isArray(envIds))
+        const clusterIds = params.clusterIds;
+        if (!workspaceId || !Array.isArray(clusterIds))
             throw new Error("Missing required params");
         const ws = await workspaceRepo.getById(workspaceId);
         if (!ws || ws.userId !== userId)
             throw new Error("Workspace not found");
-        // Validate: if workspace is test, all bound environments must be test
-        if (envIds.length > 0 && !envRepo) {
-            throw new Error("Environment database not available");
-        }
-        if (envIds.length > 0 && envRepo) {
-            const envs = await envRepo.listByIds(envIds);
-            if (envs.length !== envIds.length) {
-                throw new Error("One or more environments not found");
+        // Validate: if workspace is test, all bound clusters must be test
+        if (clusterIds.length > 0 && !clusterRepo) {
+            throw new Error("Cluster database not available");
+        }
+        if (clusterIds.length > 0 && clusterRepo) {
+            const cls = await clusterRepo.listByIds(clusterIds);
+            if (cls.length !== clusterIds.length) {
+                throw new Error("One or more clusters not found");
             }
             if (ws.envType === "test") {
-                const nonTest = envs.filter((e) => !e.isTest);
+                const nonTest = cls.filter((e) => !e.isTest);
                 if (nonTest.length > 0) {
-                    throw new Error("Test workspaces can only bind test environments");
+                    throw new Error("Test workspaces can only bind test clusters");
                 }
             }
             // testOnly user check
             if (userRepo) {
                 const dbUser = await userRepo.getById(userId);
                 if (dbUser?.testOnly) {
-                    const nonTest = envs.filter((e) => !e.isTest);
+                    const nonTest = cls.filter((e) => !e.isTest);
                     if (nonTest.length > 0) {
-                        throw new Error("Test-only users cannot bind production environments");
+                        throw new Error("Test-only users cannot bind production clusters");
                     }
                 }
             }
         }
-        await workspaceRepo.setEnvironments(workspaceId, envIds);
+        await workspaceRepo.setClusters(workspaceId, clusterIds);
         // Push updated credentials to running AgentBox for this workspace
         pushCredentialsToUser(userId);
         return { status: "updated" };
@@ -3512,7 +3848,7 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
     /**
      * Build credential payload for a workspace.
      *
-     * Kubeconfigs: sourced from environment-bound userEnvConfigs (NOT credentials table).
+     * Kubeconfigs: sourced from cluster-bound userClusterConfigs (NOT credentials table).
      * Other credentials: from credentials table, filtered by workspace envType.
      *   - prod workspace: all workspace-linked credentials
      *   - test workspace: NO non-kubeconfig credentials (SSH, API tokens hidden)
@@ -3520,11 +3856,6 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
      * Returns data only — does NOT write to disk. Agentbox materializes files locally.
      */
     async function buildCredentialPayload(userId, workspaceId, isDefault) {
-        // Ensure user agent-data directory exists (used as subPath mount for user data)
-        const agentDataDir = path.join(skillsDir, "user", userId, "agent-data");
-        if (!fs.existsSync(agentDataDir)) {
-            fs.mkdirSync(agentDataDir, { recursive: true });
-        }
         const manifest = [];
         const files = [];
         // ── Step 1: Determine workspace envType ──
@@ -3534,55 +3865,59 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
             if (ws)
                 envType = ws.envType ?? "prod";
         }
-        // ── Step 2: Kubeconfigs from environments ──
-        if (envRepo && userEnvConfigRepo) {
-            // Default workspace: all environments; non-default: only workspace-bound
-            let envs;
+        // ── Step 2: Kubeconfigs from clusters ──
+        if (clusterRepo && userClusterConfigRepo) {
+            // Default workspace: all clusters; non-default: only workspace-bound
+            let clusterList;
             if (isDefault) {
-                envs = await envRepo.list();
+                clusterList = await clusterRepo.list();
             }
             else if (workspaceRepo) {
-                const boundEnvIds = await workspaceRepo.getEnvironments(workspaceId);
-                envs = boundEnvIds.length > 0 ? await envRepo.listByIds(boundEnvIds) : [];
+                const boundClusterIds = await workspaceRepo.getClusters(workspaceId);
+                clusterList = boundClusterIds.length > 0 ? await clusterRepo.listByIds(boundClusterIds) : [];
             }
             else {
-                envs = [];
+                clusterList = [];
             }
-            if (envs.length > 0) {
-                for (const env of envs) {
-                    // Runtime filter: test workspace skips prod environments
-                    if (envType === "test" && !env.isTest)
+            if (clusterList.length > 0) {
+                for (const cls of clusterList) {
+                    // Runtime filter: test workspace skips prod clusters
+                    if (envType === "test" && !cls.isTest)
                         continue;
-                    // Get user's kubeconfig for this environment
-                    const userConfig = await userEnvConfigRepo.get(userId, env.id);
+                    // Get user's kubeconfig for this cluster
+                    const userConfig = await userClusterConfigRepo.get(userId, cls.id);
                     let kubeconfigContent = userConfig?.kubeconfig ?? null;
-                    // Fallback to defaultKubeconfig for test environments
-                    if (!kubeconfigContent && env.isTest && env.defaultKubeconfig) {
-                        kubeconfigContent = env.defaultKubeconfig;
+                    // Fallback to defaultKubeconfig for test clusters
+                    if (!kubeconfigContent && cls.isTest && cls.defaultKubeconfig) {
+                        kubeconfigContent = cls.defaultKubeconfig;
                     }
                     if (kubeconfigContent) {
-                        const safeName = env.name.replace(/[^a-zA-Z0-9_-]/g, "_");
+                        const safeName = cls.name.replace(/[^a-zA-Z0-9_-]/g, "_");
                         const filename = `${safeName}.kubeconfig`;
                         files.push({ name: filename, content: kubeconfigContent });
                         const fileNames = [filename];
                         let metadata;
                         try {
                             const kc = yaml.load(kubeconfigContent);
-                            const clusters = kc?.clusters ?? [];
+                            const kcClusters = kc?.clusters ?? [];
                             const contexts = kc?.contexts ?? [];
                             metadata = {
-                                clusters: clusters.map((c) => ({ name: c.name, server: c.cluster?.server })),
+                                clusters: kcClusters.map((c) => ({ name: c.name, server: c.cluster?.server })),
                                 contexts: contexts.map((c) => ({ name: c.name, cluster: c.context?.cluster, namespace: c.context?.namespace })),
                                 currentContext: kc?.["current-context"],
+                                ...(cls.debugImage ? { debugImage: cls.debugImage } : {}),
                             };
                         }
                         catch {
-                            // ignore parse errors
+                            // ignore parse errors — still attach debugImage if available
+                            if (cls.debugImage) {
+                                metadata = { debugImage: cls.debugImage };
+                            }
                         }
                         manifest.push({
-                            name: env.name,
+                            name: cls.name,
                             type: "kubeconfig",
-                            description: `Kubeconfig for environment: ${env.name}`,
+                            description: cls.infraContext || `Kubeconfig for cluster: ${cls.name}`,
                             files: fileNames,
                             ...(metadata ? { metadata } : {}),
                         });
@@ -3768,12 +4103,12 @@ export function createRpcMethods(agentBoxManager, broadcast, db, sendToUser, act
                 credentials[c.type] = (credentials[c.type] || 0) + 1;
             }
         }
-        if (envRepo && userEnvConfigRepo) {
-            const allEnvs = await envRepo.list();
+        if (clusterRepo && userClusterConfigRepo) {
+            const allEnvs = await clusterRepo.list();
             let kubeconfigCount = 0;
             for (const env of allEnvs) {
                 // Count if user has a personal kubeconfig, OR if it's a test env with a default kubeconfig
-                const userConfig = await userEnvConfigRepo.get(userId, env.id);
+                const userConfig = await userClusterConfigRepo.get(userId, env.id);
                 if (userConfig?.kubeconfig || (env.isTest && env.defaultKubeconfig)) {
                     kubeconfigCount++;
                 }