svamp-cli 0.2.51 → 0.2.53

package/bin/skills/html-output/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: html-output
-version: 0.1.0
-description: Render rich inline visual output in chat by wrapping a self-contained HTML document in <html-output>...</html-output>. The Svamp client renders it as a sandboxed iframe.
+version: 0.4.0
+description: Render rich inline visual output in chat. Write an HTML file (or point at a URL) and emit a single self-closing `<html-output src="..." />` tag — the Svamp client renders it as a sandboxed iframe.
 tags:
   - svamp
   - html
@@ -13,93 +13,209 @@ license: MIT
 
 # HTML Output
 
-Wrap a self-contained HTML document in `<html-output>...</html-output>` and the Svamp client renders it inline as a sandboxed iframe — like a Jupyter cell output. Use this when an answer is genuinely better as a visual: layout, charts, diagrams, prototypes, animations. **Default to markdown for ordinary answers.**
+Render rich visual output by writing an HTML file (or pointing at a running server's URL) and emitting a single self-closing tag:
 
-## When to use it
+```
+<html-output src="./outputs/dashboard.html" title="Dashboard" />
+```
+
+The client reads the file, inlines relative refs (`./image.png` etc.) as data URIs, and renders it in a sandboxed iframe — like a Jupyter cell output. **Default to plain markdown for ordinary answers.**
 
-Reach for `<html-output>` when:
-- Comparing options visually (cards, side-by-side panels)
-- Showing structured data with rich formatting (timelines, dashboards, leaderboards)
-- Demonstrating an idea with animation or interaction (prototypes, motion sketches)
-- Explaining a concept where a diagram beats a paragraph
-- Producing a polished one-shot artifact (a poster, a card, a decision tree)
+## Strategy: which mechanism?
 
-Skip it when:
-- A markdown table or list is enough
-- The user just wants prose, code, or a quick answer
-- The content is plain text — wrapping it in HTML adds no value
+Three options, pick the lightest that works:
 
-## Minimal example
+| Mechanism | When |
+|---|---|
+| **Inline `<html-output src="./viz.html" />`** | Self-contained visualization. Cards, charts, animations, prototypes. Files live on disk; the chat marker is tiny. |
+| **URL `<html-output src="https://my-app.example.com/" height="540" />`** | Embed a live server you're running, or any external site. Like a Canvas panel inline. |
+| **Standalone server (`svamp serve` / `svamp service expose`)** | Real apps with backend, database, multi-user state. Post the URL as a normal markdown link. |
 
+**Decision tree:**
+1. Need a backend / database / persistent state? → standalone server.
+2. Iterating on a single artifact (HTML file, dashboard, dataviz)? → write to file, emit `<html-output src="..." />`.
+3. Want to embed a running server inline (preview a dev server, show a deployed app)? → URL src.
+
+## Attributes
+
+```html
+<html-output
+    src="./outputs/viz.html"     <!-- REQUIRED: relative file path or absolute URL -->
+    title="Dashboard"            <!-- header label; defaults to filename -->
+    height="540"                 <!-- fixed pixel height (10..4000); default = auto-size for files -->
+    bare                         <!-- no border/header (controls float on hover) -->
+    wide                         <!-- extend beyond bubble width -->
+    mode="card"                  <!-- show as a preview card; click → open in new tab -->
+    description="..."            <!-- card summary -->
+    poster="./outputs/thumb.png" <!-- card thumbnail -->
+/>
 ```
-<html-output>
-<!doctype html>
-<html><head>
-  <meta charset="utf-8">
-  <script src="https://cdn.tailwindcss.com"></script>
-</head><body class="p-6 bg-slate-50">
-  <div class="max-w-md mx-auto bg-white rounded-2xl shadow p-6">
-    <h1 class="text-xl font-semibold text-slate-900">Hello</h1>
-    <p class="text-slate-600 mt-2">Rendered inside a sandboxed iframe.</p>
-  </div>
-</body></html>
-</html-output>
+
+All except `src` are optional.
+
+**When to set each:**
+- `title` — short name for the artifact ("3D scene", "Sales dashboard"). Helps when iterating (the deprecation pill names it).
+- `height` — fixed when the content has no natural document height (Three.js scenes, video, fullscreen apps, URL embeds). For URL src, defaults to 540px since auto-resize doesn't work cross-origin.
+- `bare` — for posters, hero animations, or fullscreen apps where the chrome is distracting.
+- `wide` — for content that needs more horizontal space than a chat bubble.
+- `mode="card"` — for fullscreen-only outputs that look bad squeezed into chat. Renders as a click-to-open card.
+- `description`, `poster` — only used in card mode.
+
+## Writing the file
+
+Use the standard Write tool. Two storage conventions:
+
+**Disposable (chat-related, ephemeral):** save under `.svamp/<sessionId>/outputs/`. Not tracked by git. Cleaned up with the session.
+```
+.svamp/<sessionId>/outputs/dashboard.html
+.svamp/<sessionId>/outputs/3d-scene.html
+```
+
+**Persistent (project artifact):** save under `./outputs/`, `./reports/`, or wherever the project keeps these. Tracked in git if relevant.
+```
+./outputs/sales-report.html
+./reports/quarterly.html
 ```
 
-The opening tag may include `wide` to hint a full-width layout: `<html-output wide>`.
+Pick disposable when the output is throwaway (one-off charts, scratch demos). Pick persistent when the artifact has lasting value (final reports, deliverables).
+
+## Iteration
+
+When you iterate on the same artifact, **edit the file in place** and emit a new `<html-output src="..." />` tag. The client auto-detects that two blocks share a `src` and:
+- Renders only the **latest** block inline.
+- Collapses older ones into a "Newer version below ↓" pill that scrolls to the latest on click.
+
+This means you can iterate freely without polluting the chat with stale renders.
+
+## Sharing
+
+To share with a colleague, run `svamp serve`:
+
+```bash
+# Owner-only (default — they need to log in via Hypha)
+svamp serve dashboard ./outputs
+
+# Public link (anyone with the URL)
+svamp serve dashboard ./outputs --public
+
+# Restrict to specific emails
+svamp serve dashboard ./outputs --access alice@x.com,bob@y.com
+```
+
+Post the resulting URL as a normal markdown link. The svamp client doesn't manage shares — `svamp serve` is the dedicated tool.
 
 ## Rendering environment
 
-- **Sandbox**: `allow-scripts allow-popups`. Scripts run, but the iframe is null-origin and cannot read parent cookies, storage, or DOM.
-- **No network**: CSP forbids `fetch` / `connect-src`. CDN links via `<script src>` and `<link href>` work because the browser fetches them directly. `fetch()` from inside JS does NOT.
-- **Relative file refs**: `src="./image.png"` and `href="./style.css"` are resolved against the session's working directory and inlined as `data:` URIs. Reference any file the agent has already created — no extra serving setup needed. Total inlined assets are capped at ~5 MB per block.
-- **Auto-resize**: the iframe sizes itself to its content. Don't set fixed `height: 100vh` on body — it will create empty space.
-- **Links**: `<a href="...">` opens in a new tab.
-- **Persistence**: there is no `localStorage` worth using (opaque origin, not shared with the next render). Treat each render as ephemeral.
+- **Sandbox**: `allow-scripts allow-popups`. Scripts run; the iframe is null-origin and cannot read parent cookies/storage/DOM.
+- **Fullscreen**: enabled — both the parent's fullscreen button and `document.documentElement.requestFullscreen()` work.
+- **Network**: `connect-src https: wss:` — `fetch()` to HTTPS URLs and WebSocket to wss:// work. HTTP is blocked.
+- **Nested iframes**: forbidden (`frame-src 'none'`) — anti-phishing.
+- **Relative refs**: in file mode, `src=`/`href=` paths inside the HTML resolve against the HTML file's directory and are inlined as `data:` URIs (5 MB cap total). In URL mode, the iframe loads the URL directly and resolves refs natively.
+- **Auto-resize**: file mode injects a ResizeObserver that posts height to the parent. URL mode can't auto-resize (cross-origin) — set `height="..."`.
+- **Removed files**: if a file is deleted, the renderer shows a "Removed: ./path" pill.
+
+## Theming
+
+The Svamp client injects the user's current theme into file-mode iframes as CSS custom properties on `<html>`, plus a `data-theme="dark|light"` attribute. Reference these to adapt automatically:
+
+```css
+:root {
+  --svamp-bg            /* base background */
+  --svamp-surface       /* card / elevated */
+  --svamp-surface-high  /* highest elevation */
+  --svamp-text          /* primary text */
+  --svamp-text-secondary
+  --svamp-accent        /* link / accent */
+  --svamp-divider       /* borders */
+}
+
+body { background: var(--svamp-bg); color: var(--svamp-text); }
+[data-theme="dark"] .hero { background: linear-gradient(...dark...); }
+```
+
+Theme updates push live via `postMessage` — no reload. URL mode does not get theme injection (we don't own the document).
+
+For a branded visualization with its own deliberate palette, hardcode your colors and ignore the variables.
+
+## Talking to agent-spawned servers
+
+If your iframe `fetch()`es from a server you've run via `svamp service expose`, the server **must** include CORS headers (the iframe origin is `null`):
+
+```
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Methods: *
+Access-Control-Allow-Headers: *
+```
+
+### FastAPI
+
+```python
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+app = FastAPI()
+app.add_middleware(CORSMiddleware, allow_origins=["*"], allow_methods=["*"], allow_headers=["*"])
+```
+
+### Express
+
+```javascript
+import express from 'express';
+import cors from 'cors';
+const app = express();
+app.use(cors());
+```
+
+### Plain Node http
+
+```javascript
+res.setHeader('Access-Control-Allow-Origin', '*');
+res.setHeader('Access-Control-Allow-Methods', '*');
+res.setHeader('Access-Control-Allow-Headers', '*');
+if (req.method === 'OPTIONS') return res.end();
+```
+
+If the iframe console shows `CORS error`, your server is missing one of these headers.
 
-## Style philosophy (from "the unreasonable effectiveness of HTML")
+## Style philosophy
 
-The goal is to lean on what HTML already does well — flow layout, typography, animation — without overengineering. A well-crafted card beats a wall of `<div>`s.
+Lean on what HTML does well — flow layout, typography, animation — without overengineering.
 
-- **Restrained palette.** Pick 1–2 accent colors, lots of neutrals. Slate / zinc / stone / gray ramps are good defaults.
-- **Type first.** Set a base font-size of 14–16px, generous line-height (~1.5), system-ui font stack unless you have a reason to load a webfont.
-- **Spacing rhythm.** Use a consistent scale (4 / 8 / 12 / 16 / 24 / 32 / 48 px). Tailwind's spacing scale is ready-made.
-- **Borders or shadows, not both.** Pick one to separate cards from the background.
-- **Animation conveys, not decorates.** A 200–400 ms ease-out on entry signals state change. Anything longer is noise.
-- **Mobile-first.** Default to a single column; widen at `md:` (768px+) only when there's information that benefits from columns.
+- **Restrained palette.** 1–2 accent colors, lots of neutrals. Slate / zinc / stone ramps work well.
+- **Type first.** 14–16px base, 1.5 line-height, system-ui font.
+- **Spacing rhythm.** 4 / 8 / 12 / 16 / 24 / 32 / 48 (Tailwind's scale).
+- **Borders or shadows, not both.**
+- **Animation conveys, not decorates.** 200–400 ms ease-out on entry; longer is noise.
+- **Mobile-first.** Single column by default; widen at `md:` only when columns add information.
 
 ## Templates
 
-### 1. Comparison card (Tailwind)
+### 1. Comparison card (Tailwind via CDN)
 
 ```html
 <!doctype html>
 <html><head>
   <meta charset="utf-8">
   <script src="https://cdn.tailwindcss.com"></script>
-</head><body class="p-6 bg-slate-50">
+</head><body class="p-6">
   <div class="grid md:grid-cols-2 gap-4 max-w-3xl mx-auto">
-    <div class="bg-white rounded-2xl border border-slate-200 p-5">
-      <h2 class="font-semibold text-slate-900">Option A</h2>
-      <p class="text-sm text-slate-600 mt-1">Short, fast, fewer features.</p>
-      <ul class="mt-3 text-sm text-slate-700 space-y-1">
-        <li>• Lower setup cost</li>
-        <li>• Easy to reverse</li>
-      </ul>
+    <div class="rounded-2xl p-5" style="background: var(--svamp-surface); border: 1px solid var(--svamp-divider); color: var(--svamp-text);">
+      <h2 class="font-semibold">Option A</h2>
+      <p class="text-sm mt-1" style="color: var(--svamp-text-secondary);">Short, fast, fewer features.</p>
     </div>
-    <div class="bg-white rounded-2xl border-2 border-emerald-500 p-5 relative">
-      <span class="absolute -top-2 right-4 bg-emerald-500 text-white text-xs px-2 py-0.5 rounded">Recommended</span>
-      <h2 class="font-semibold text-slate-900">Option B</h2>
-      <p class="text-sm text-slate-600 mt-1">More work upfront; better long-term.</p>
-      <ul class="mt-3 text-sm text-slate-700 space-y-1">
-        <li>• Sustainable</li>
-        <li>• Composable</li>
-      </ul>
+    <div class="rounded-2xl p-5 relative" style="background: var(--svamp-surface); border: 2px solid var(--svamp-accent); color: var(--svamp-text);">
+      <span class="absolute -top-2 right-4 text-white text-xs px-2 py-0.5 rounded" style="background: var(--svamp-accent);">Recommended</span>
+      <h2 class="font-semibold">Option B</h2>
+      <p class="text-sm mt-1" style="color: var(--svamp-text-secondary);">More work upfront; better long-term.</p>
     </div>
   </div>
 </body></html>
 ```
 
+Then write it to `./outputs/comparison.html` and emit:
+```
+<html-output src="./outputs/comparison.html" title="Comparison" />
+```
+
 ### 2. Animated entry (no JS framework)
 
 ```html
@@ -107,80 +223,108 @@ The goal is to lean on what HTML already does well — flow layout, typography,
 <html><head>
   <meta charset="utf-8">
   <style>
-    body { margin: 0; padding: 32px; font-family: system-ui; background: #0f172a; color: #f1f5f9; }
-    .card { opacity: 0; transform: translateY(8px); animation: fade .4s ease-out forwards; }
+    body { margin: 0; padding: 32px; font-family: system-ui; background: var(--svamp-bg); color: var(--svamp-text); }
+    .card { opacity: 0; transform: translateY(8px); animation: fade .4s ease-out forwards; background: var(--svamp-surface); border-radius: 12px; padding: 16px 20px; margin-bottom: 12px; }
     .card:nth-child(2) { animation-delay: .1s; }
     .card:nth-child(3) { animation-delay: .2s; }
     @keyframes fade { to { opacity: 1; transform: none; } }
-    .card { background: #1e293b; border-radius: 12px; padding: 16px 20px; margin-bottom: 12px; }
-    .card h3 { margin: 0 0 4px; font-size: 15px; }
-    .card p { margin: 0; color: #94a3b8; font-size: 13px; }
+    .card p { margin: 4px 0 0; color: var(--svamp-text-secondary); font-size: 13px; }
+    .card h3 { margin: 0; font-size: 15px; }
   </style>
 </head><body>
-  <div class="card"><h3>Step 1</h3><p>First, gather inputs.</p></div>
-  <div class="card"><h3>Step 2</h3><p>Then transform them.</p></div>
-  <div class="card"><h3>Step 3</h3><p>Finally, persist the result.</p></div>
+  <div class="card"><h3>Step 1</h3><p>Gather inputs.</p></div>
+  <div class="card"><h3>Step 2</h3><p>Transform them.</p></div>
+  <div class="card"><h3>Step 3</h3><p>Persist the result.</p></div>
 </body></html>
 ```
 
-### 3. Chart from inline data (Chart.js CDN)
+### 3. Full-bleed 3D scene (fixed height, immersive)
 
 ```html
 <!doctype html>
-<html><head>
-  <meta charset="utf-8">
-  <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
-</head><body style="font-family: system-ui; padding: 16px;">
-  <canvas id="c" height="240"></canvas>
+<html><head><meta charset="utf-8">
+<script src="https://cdn.jsdelivr.net/npm/three@0.160.0/build/three.min.js"></script>
+<style>html,body{margin:0;height:100%;overflow:hidden;background:#0f172a;}canvas{display:block;}</style>
+</head><body>
   <script>
-    new Chart(document.getElementById('c'), {
-      type: 'bar',
-      data: { labels: ['A','B','C','D'], datasets: [{ label: 'Count', data: [12, 19, 7, 14], backgroundColor: '#0ea5e9' }] },
-      options: { plugins: { legend: { display: false } } },
-    });
+    const w = innerWidth, h = innerHeight;
+    const scene = new THREE.Scene();
+    const camera = new THREE.PerspectiveCamera(45, w/h, 0.1, 100);
+    camera.position.z = 4;
+    const renderer = new THREE.WebGLRenderer({antialias:true});
+    renderer.setSize(w, h);
+    document.body.appendChild(renderer.domElement);
+    scene.add(new THREE.AmbientLight(0xffffff, .6));
+    const light = new THREE.DirectionalLight(0xffffff, 1); light.position.set(2,2,2); scene.add(light);
+    const cube = new THREE.Mesh(new THREE.BoxGeometry(1,1,1), new THREE.MeshStandardMaterial({color: 0x5eead4}));
+    scene.add(cube);
+    function loop(t){ cube.rotation.y = t*0.0006; cube.rotation.x = t*0.0004; renderer.render(scene, camera); requestAnimationFrame(loop); }
+    requestAnimationFrame(loop);
   </script>
 </body></html>
 ```
 
-### 4. Image gallery referencing session files
+Emit:
+```
+<html-output src="./outputs/3d.html" title="3D viewer" height="540" mode="card" poster="./outputs/3d-thumb.png" description="Click to launch the rotating cube demo" />
+```
+
+### 4. Live data from agent-spawned API
 
 ```html
 <!doctype html>
 <html><head>
   <meta charset="utf-8">
-  <style>
-    body { margin: 0; padding: 16px; font-family: system-ui; }
-    .grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(160px, 1fr)); gap: 12px; }
-    figure { margin: 0; }
-    img { width: 100%; aspect-ratio: 4/3; object-fit: cover; border-radius: 8px; display: block; }
-    figcaption { font-size: 12px; color: #64748b; margin-top: 4px; }
-  </style>
-</head><body>
-  <div class="grid">
-    <figure><img src="./outputs/sample_01.png"><figcaption>Sample 01</figcaption></figure>
-    <figure><img src="./outputs/sample_02.png"><figcaption>Sample 02</figcaption></figure>
-    <figure><img src="./outputs/sample_03.png"><figcaption>Sample 03</figcaption></figure>
-  </div>
+  <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
+</head><body style="font-family:system-ui;padding:16px;background:var(--svamp-bg);color:var(--svamp-text)">
+  <h2 style="margin:0 0 12px">Live sales</h2>
+  <canvas id="c" height="240"></canvas>
+  <script>
+    fetch('https://sales-api-xxx.svamp.dev/last7days')
+      .then(r => r.json())
+      .then(rows => new Chart(document.getElementById('c'), {
+        type: 'line',
+        data: { labels: rows.map(r => r.day), datasets: [{label: 'Revenue', data: rows.map(r => r.usd), borderColor: '#0ea5e9'}] },
+      }));
+  </script>
 </body></html>
 ```
 
-The `./outputs/sample_01.png` style refs are resolved by the Svamp client and inlined as `data:` URIs at render time.
+Run server first:
+```bash
+# Server must include CORS headers — see "Talking to agent-spawned servers" above
+svamp service expose sales-api --port 8000
+```
+
+Then emit:
+```
+<html-output src="./outputs/sales-dashboard.html" title="Sales (live)" />
+```
+
+### 5. URL embed (CanvasPanel-style)
+
+For a running dev server, deployed app, or external site:
+
+```
+<html-output src="https://my-app.example.com/" title="My app" height="640" />
+```
+
+No file needed. Auto-resize doesn't work for URL embeds — set `height` explicitly.
 
 ## Anti-patterns
 
-- **Don't wrap whole answers in HTML.** Use markdown for prose. `<html-output>` is for the visual part.
-- **Don't `fetch()` from external APIs.** It's blocked. Pre-compute the data and embed it inline as JSON in a `<script>` tag.
-- **Don't try to navigate the parent.** `top.location` won't work; nothing will happen. Use `<a target="_blank">` for outbound links.
-- **Don't open multiple `<html-output>` blocks back-to-back** for content that could be one. One iframe = one mental object for the user.
-- **Don't rely on `localStorage` / `sessionStorage`.** Each render gets a fresh opaque origin.
-- **Don't load huge assets** (>5 MB total). The block won't render past the cap.
-- **Don't omit `<!doctype html>`** in the iframe body. Without it the browser drops into quirks mode and CSS misbehaves.
-
-## Quick checklist
-
-Before emitting `<html-output>`, ask:
-1. Would this be just as clear in markdown? (If yes, skip.)
-2. Is the document self-contained — no external `fetch`, no missing assets?
-3. Are relative paths real files I've already produced?
-4. Did I include `<!doctype html>` and a `<meta charset>`?
-5. Is the visual restrained — purposeful color, consistent spacing, one font?
+- **Don't put HTML inline** — `<html-output>...HTML body...</html-output>` is not supported. Always use `src="./file.html"`.
+- **Don't fetch from non-CORS endpoints.** If you don't control the server, the iframe can't reach it. Pre-compute and embed.
+- **Don't omit `<!doctype html>`** in your HTML file. Quirks mode breaks CSS.
+- **Don't open multiple `<html-output>`s back-to-back** for content that could be one. One artifact = one file = one tag.
+- **Don't write huge files** (>5 MB total inlined assets). The block won't render past the cap.
+- **Don't put visualization assets in git** when they're disposable — use `.svamp/<sessionId>/outputs/`.
+
+## Checklist
+
+Before emitting `<html-output src="..." />`:
+1. Did you actually write the file? (Use the Write tool.)
+2. Is the path relative to the session cwd, OR an absolute `https://` URL?
+3. For fullscreen-only content, set `mode="card"` with a `poster`.
+4. For URL embeds or canvas-heavy content, set `height="..."`.
+5. If iterating, reuse the same `src` so older blocks collapse.

package/dist/{agentCommands-CAFgfQ4n.mjs → agentCommands-CmaybHHk.mjs}

@@ -148,7 +148,7 @@ async function sessionBroadcast(action, args) {
   console.log(`Broadcast sent: ${action}`);
 }
 async function connectToMachineService() {
-  const { connectAndGetMachine } = await import('./commands-Cvnsb6dT.mjs');
+  const { connectAndGetMachine } = await import('./commands-CY_yS6CZ.mjs');
   return connectAndGetMachine();
 }
 async function inboxSend(targetSessionId, opts) {
@@ -165,7 +165,7 @@ async function inboxSend(targetSessionId, opts) {
   }
   const { server, machine } = await connectToMachineService();
   try {
-    const { resolveSessionId } = await import('./commands-Cvnsb6dT.mjs');
+    const { resolveSessionId } = await import('./commands-CY_yS6CZ.mjs');
     const sessions = await machine.listSessions();
     const match = resolveSessionId(sessions, targetSessionId);
     const fullTargetId = match.sessionId;

package/dist/cli.mjs

@@ -1,4 +1,4 @@
-import { s as startDaemon, b as stopDaemon, d as daemonStatus } from './run-vAhBIn3O.mjs';
+import { s as startDaemon, b as stopDaemon, d as daemonStatus } from './run-CPIINXWC.mjs';
 import 'os';
 import 'fs/promises';
 import 'fs';
@@ -43,7 +43,7 @@ async function main() {
         console.error(`svamp daemon restart: ${err.message || err}`);
         process.exit(1);
       }
-      const { restartDaemon } = await import('./run-vAhBIn3O.mjs').then(function (n) { return n.u; });
+      const { restartDaemon } = await import('./run-CPIINXWC.mjs').then(function (n) { return n.u; });
       await restartDaemon();
       process.exit(0);
     }
@@ -279,7 +279,7 @@ async function main() {
       console.error("svamp service: Service commands are not available in sandboxed sessions.");
       process.exit(1);
     }
-    const { handleServiceCommand } = await import('./commands-DacnFYI4.mjs');
+    const { handleServiceCommand } = await import('./commands-ErfU1raO.mjs');
     await handleServiceCommand();
   } else if (subcommand === "serve") {
     const { isSandboxed: isSandboxedServe } = await import('./sandboxDetect-DNTcbgWD.mjs');
@@ -287,7 +287,7 @@ async function main() {
       console.error("svamp serve: Serve commands are not available in sandboxed sessions.");
       process.exit(1);
     }
-    const { handleServeCommand } = await import('./serveCommands-C8CXxLXP.mjs');
+    const { handleServeCommand } = await import('./serveCommands-ThiCkJKF.mjs');
     await handleServeCommand();
     process.exit(0);
   } else if (subcommand === "process" || subcommand === "proc") {
@@ -296,7 +296,7 @@ async function main() {
       console.error("svamp process: Process commands are not available in sandboxed sessions.");
       process.exit(1);
     }
-    const { processCommand } = await import('./commands-oleDMsAo.mjs');
+    const { processCommand } = await import('./commands-BXNmL7Vw.mjs');
     let machineId;
     const processArgs = args.slice(1);
     const mIdx = processArgs.findIndex((a) => a === "--machine" || a === "-m");
@@ -314,7 +314,7 @@ async function main() {
   } else if (!subcommand || subcommand === "start") {
     await handleInteractiveCommand();
   } else if (subcommand === "--version" || subcommand === "-v") {
-    const pkg = await import('./package-DRkMQ0BC.mjs').catch(() => ({ default: { version: "unknown" } }));
+    const pkg = await import('./package-CdGJdYjj.mjs').catch(() => ({ default: { version: "unknown" } }));
     console.log(`svamp version: ${pkg.default.version}`);
   } else {
     console.error(`Unknown command: ${subcommand}`);
@@ -323,7 +323,7 @@ async function main() {
   }
 }
 async function handleInteractiveCommand() {
-  const { runInteractive } = await import('./run-w2M-elyq.mjs');
+  const { runInteractive } = await import('./run-D2qdA8Hw.mjs');
   const interactiveArgs = subcommand === "start" ? args.slice(1) : args;
   let directory = process.cwd();
   let resumeSessionId;
@@ -368,7 +368,7 @@ async function handleAgentCommand() {
     return;
   }
   if (agentArgs[0] === "list") {
-    const { KNOWN_ACP_AGENTS, KNOWN_MCP_AGENTS: KNOWN_MCP_AGENTS2 } = await import('./run-vAhBIn3O.mjs').then(function (n) { return n.p; });
+    const { KNOWN_ACP_AGENTS, KNOWN_MCP_AGENTS: KNOWN_MCP_AGENTS2 } = await import('./run-CPIINXWC.mjs').then(function (n) { return n.p; });
     console.log("Known agents:");
     for (const [name, config2] of Object.entries(KNOWN_ACP_AGENTS)) {
       console.log(`  ${name.padEnd(12)} ${config2.command} ${config2.args.join(" ")}  (ACP)`);
@@ -380,7 +380,7 @@ async function handleAgentCommand() {
     console.log('Use "svamp agent -- <command> [args]" for a custom ACP agent.');
     return;
   }
-  const { resolveAcpAgentConfig, KNOWN_MCP_AGENTS } = await import('./run-vAhBIn3O.mjs').then(function (n) { return n.p; });
+  const { resolveAcpAgentConfig, KNOWN_MCP_AGENTS } = await import('./run-CPIINXWC.mjs').then(function (n) { return n.p; });
   let cwd = process.cwd();
   const filteredArgs = [];
   for (let i = 0; i < agentArgs.length; i++) {
@@ -404,12 +404,12 @@ async function handleAgentCommand() {
   console.log(`Starting ${config.agentName} agent in ${cwd}...`);
   let backend;
   if (KNOWN_MCP_AGENTS[config.agentName]) {
-    const { CodexMcpBackend } = await import('./run-vAhBIn3O.mjs').then(function (n) { return n.q; });
+    const { CodexMcpBackend } = await import('./run-CPIINXWC.mjs').then(function (n) { return n.q; });
     backend = new CodexMcpBackend({ cwd, log: logFn });
   } else {
-    const { AcpBackend } = await import('./run-vAhBIn3O.mjs').then(function (n) { return n.o; });
-    const { GeminiTransport } = await import('./run-vAhBIn3O.mjs').then(function (n) { return n.G; });
-    const { DefaultTransport } = await import('./run-vAhBIn3O.mjs').then(function (n) { return n.D; });
+    const { AcpBackend } = await import('./run-CPIINXWC.mjs').then(function (n) { return n.o; });
+    const { GeminiTransport } = await import('./run-CPIINXWC.mjs').then(function (n) { return n.G; });
+    const { DefaultTransport } = await import('./run-CPIINXWC.mjs').then(function (n) { return n.D; });
     const transportHandler = config.agentName === "gemini" ? new GeminiTransport() : new DefaultTransport(config.agentName);
     backend = new AcpBackend({
       agentName: config.agentName,
@@ -536,7 +536,7 @@ async function handleSessionCommand() {
       process.exit(1);
     }
   }
-  const { sessionList, sessionSpawn, sessionStop, sessionInfo, sessionMessages, sessionAttach, sessionMachines, sessionSend, sessionWait, sessionShare, sessionRalphStart, sessionRalphCancel, sessionRalphStatus, sessionInboxSend, sessionInboxList, sessionInboxRead, sessionInboxReply, sessionInboxClear } = await import('./commands-Cvnsb6dT.mjs');
+  const { sessionList, sessionSpawn, sessionStop, sessionInfo, sessionMessages, sessionAttach, sessionMachines, sessionSend, sessionWait, sessionShare, sessionRalphStart, sessionRalphCancel, sessionRalphStatus, sessionInboxSend, sessionInboxList, sessionInboxRead, sessionInboxReply, sessionInboxClear } = await import('./commands-CY_yS6CZ.mjs');
   const parseFlagStr = (flag, shortFlag) => {
     for (let i = 1; i < sessionArgs.length; i++) {
       if ((sessionArgs[i] === flag || shortFlag) && i + 1 < sessionArgs.length) {
@@ -596,7 +596,7 @@ async function handleSessionCommand() {
         allowDomain.push(sessionArgs[++i]);
       }
     }
-    const { parseShareArg } = await import('./commands-Cvnsb6dT.mjs');
+    const { parseShareArg } = await import('./commands-CY_yS6CZ.mjs');
     const shareEntries = share.map((s) => parseShareArg(s));
     await sessionSpawn(agent, dir, targetMachineId, {
       message,
@@ -682,7 +682,7 @@ async function handleSessionCommand() {
       console.error("Usage: svamp session approve <session-id> [request-id] [--json]");
       process.exit(1);
     }
-    const { sessionApprove } = await import('./commands-Cvnsb6dT.mjs');
+    const { sessionApprove } = await import('./commands-CY_yS6CZ.mjs');
     const approveReqId = sessionArgs[2] && !sessionArgs[2].startsWith("--") ? sessionArgs[2] : void 0;
     await sessionApprove(sessionArgs[1], approveReqId, targetMachineId, {
       json: hasFlag("--json")
@@ -692,7 +692,7 @@ async function handleSessionCommand() {
       console.error("Usage: svamp session deny <session-id> [request-id] [--json]");
       process.exit(1);
     }
-    const { sessionDeny } = await import('./commands-Cvnsb6dT.mjs');
+    const { sessionDeny } = await import('./commands-CY_yS6CZ.mjs');
     const denyReqId = sessionArgs[2] && !sessionArgs[2].startsWith("--") ? sessionArgs[2] : void 0;
     await sessionDeny(sessionArgs[1], denyReqId, targetMachineId, {
       json: hasFlag("--json")
@@ -728,7 +728,7 @@ async function handleSessionCommand() {
       console.error("Usage: svamp session set-title <title>");
       process.exit(1);
     }
-    const { sessionSetTitle } = await import('./agentCommands-CAFgfQ4n.mjs');
+    const { sessionSetTitle } = await import('./agentCommands-CmaybHHk.mjs');
     await sessionSetTitle(title);
   } else if (sessionSubcommand === "set-link") {
     const url = sessionArgs[1];
@@ -737,7 +737,7 @@ async function handleSessionCommand() {
       process.exit(1);
     }
     const label = sessionArgs[2] && !sessionArgs[2].startsWith("--") ? sessionArgs[2] : void 0;
-    const { sessionSetLink } = await import('./agentCommands-CAFgfQ4n.mjs');
+    const { sessionSetLink } = await import('./agentCommands-CmaybHHk.mjs');
     await sessionSetLink(url, label);
   } else if (sessionSubcommand === "notify") {
     const message = sessionArgs[1];
@@ -746,7 +746,7 @@ async function handleSessionCommand() {
       process.exit(1);
     }
     const level = parseFlagStr("--level") || "info";
-    const { sessionNotify } = await import('./agentCommands-CAFgfQ4n.mjs');
+    const { sessionNotify } = await import('./agentCommands-CmaybHHk.mjs');
     await sessionNotify(message, level);
   } else if (sessionSubcommand === "broadcast") {
     const action = sessionArgs[1];
@@ -754,7 +754,7 @@ async function handleSessionCommand() {
       console.error("Usage: svamp session broadcast <action> [args...]\nActions: open-canvas <url> [label], close-canvas, toast <message>");
       process.exit(1);
     }
-    const { sessionBroadcast } = await import('./agentCommands-CAFgfQ4n.mjs');
+    const { sessionBroadcast } = await import('./agentCommands-CmaybHHk.mjs');
     await sessionBroadcast(action, sessionArgs.slice(2).filter((a) => !a.startsWith("--")));
   } else if (sessionSubcommand === "inbox") {
     const inboxSubcmd = sessionArgs[1];
@@ -765,7 +765,7 @@ async function handleSessionCommand() {
         process.exit(1);
       }
       if (agentSessionId) {
-        const { inboxSend } = await import('./agentCommands-CAFgfQ4n.mjs');
+        const { inboxSend } = await import('./agentCommands-CmaybHHk.mjs');
         await inboxSend(sessionArgs[2], {
           body: sessionArgs[3],
           subject: parseFlagStr("--subject"),
@@ -780,7 +780,7 @@ async function handleSessionCommand() {
       }
     } else if (inboxSubcmd === "list" || inboxSubcmd === "ls") {
       if (agentSessionId && !sessionArgs[2]) {
-        const { inboxList } = await import('./agentCommands-CAFgfQ4n.mjs');
+        const { inboxList } = await import('./agentCommands-CmaybHHk.mjs');
         await inboxList({
           unread: hasFlag("--unread"),
           limit: parseFlagInt("--limit"),
@@ -802,7 +802,7 @@ async function handleSessionCommand() {
         process.exit(1);
       }
       if (agentSessionId && !sessionArgs[3]) {
-        const { inboxList } = await import('./agentCommands-CAFgfQ4n.mjs');
+        const { inboxList } = await import('./agentCommands-CmaybHHk.mjs');
         await sessionInboxRead(agentSessionId, sessionArgs[2], targetMachineId);
       } else if (sessionArgs[3]) {
         await sessionInboxRead(sessionArgs[2], sessionArgs[3], targetMachineId);
@@ -812,7 +812,7 @@ async function handleSessionCommand() {
       }
     } else if (inboxSubcmd === "reply") {
       if (agentSessionId && sessionArgs[2] && sessionArgs[3] && !sessionArgs[4]) {
-        const { inboxReply } = await import('./agentCommands-CAFgfQ4n.mjs');
+        const { inboxReply } = await import('./agentCommands-CmaybHHk.mjs');
         await inboxReply(sessionArgs[2], sessionArgs[3]);
       } else if (sessionArgs[2] && sessionArgs[3] && sessionArgs[4]) {
         await sessionInboxReply(sessionArgs[2], sessionArgs[3], sessionArgs[4], targetMachineId);
@@ -848,7 +848,7 @@ async function handleMachineCommand() {
     return;
   }
   if (machineSubcommand === "share") {
-    const { machineShare } = await import('./commands-Cvnsb6dT.mjs');
+    const { machineShare } = await import('./commands-CY_yS6CZ.mjs');
     let machineId;
     const shareArgs = [];
     for (let i = 1; i < machineArgs.length; i++) {
@@ -878,7 +878,7 @@ async function handleMachineCommand() {
     }
     await machineShare(machineId, { add, remove, list, configPath, showConfig });
   } else if (machineSubcommand === "exec") {
-    const { machineExec } = await import('./commands-Cvnsb6dT.mjs');
+    const { machineExec } = await import('./commands-CY_yS6CZ.mjs');
     let machineId;
     let cwd;
     const cmdParts = [];
@@ -898,7 +898,7 @@ async function handleMachineCommand() {
     }
     await machineExec(machineId, command, cwd);
   } else if (machineSubcommand === "info") {
-    const { machineInfo } = await import('./commands-Cvnsb6dT.mjs');
+    const { machineInfo } = await import('./commands-CY_yS6CZ.mjs');
     let machineId;
     for (let i = 1; i < machineArgs.length; i++) {
       if ((machineArgs[i] === "--machine" || machineArgs[i] === "-m") && i + 1 < machineArgs.length) {
@@ -918,10 +918,10 @@ async function handleMachineCommand() {
         level = machineArgs[++i];
       }
     }
-    const { machineNotify } = await import('./agentCommands-CAFgfQ4n.mjs');
+    const { machineNotify } = await import('./agentCommands-CmaybHHk.mjs');
     await machineNotify(message, level);
   } else if (machineSubcommand === "ls") {
-    const { machineLs } = await import('./commands-Cvnsb6dT.mjs');
+    const { machineLs } = await import('./commands-CY_yS6CZ.mjs');
     let machineId;
     let showHidden = false;
     let path;
@@ -1388,7 +1388,7 @@ async function applyClaudeAuthFlags(argv) {
       "--use-hypha-proxy, --use-claude-login, and --anthropic-base-url/--anthropic-api-key are mutually exclusive"
     );
   }
-  const mod = await import('./run-vAhBIn3O.mjs').then(function (n) { return n.t; });
+  const mod = await import('./run-CPIINXWC.mjs').then(function (n) { return n.t; });
   if (hasHypha) {
     mod.setClaudeAuthHyphaProxy();
     console.log("Claude auth configured: hypha-proxy (uses HYPHA_TOKEN live at each spawn).");
@@ -1426,7 +1426,7 @@ async function applyDaemonShareFlag(argv) {
     }
   }
   if (collected.length === 0) return;
-  const { updateEnvFile } = await import('./run-vAhBIn3O.mjs').then(function (n) { return n.t; });
+  const { updateEnvFile } = await import('./run-CPIINXWC.mjs').then(function (n) { return n.t; });
   const seen = /* @__PURE__ */ new Set();
   const deduped = collected.filter((e) => {
     const k = e.toLowerCase();
@@ -1439,7 +1439,7 @@ async function applyDaemonShareFlag(argv) {
 }
 async function handleDaemonAuthCommand(argv) {
   const sub = (argv[0] || "status").toLowerCase();
-  const mod = await import('./run-vAhBIn3O.mjs').then(function (n) { return n.t; });
+  const mod = await import('./run-CPIINXWC.mjs').then(function (n) { return n.t; });
   if (sub === "--help" || sub === "-h" || sub === "help") {
     console.log(`
 svamp daemon auth \u2014 Configure how Claude subprocesses authenticate

package/dist/{commands-oleDMsAo.mjs → commands-BXNmL7Vw.mjs}

@@ -1,11 +1,11 @@
 import { writeFileSync, readFileSync } from 'fs';
 import { resolve } from 'path';
-import { connectAndGetMachine } from './commands-Cvnsb6dT.mjs';
+import { connectAndGetMachine } from './commands-CY_yS6CZ.mjs';
 import 'node:fs';
 import 'node:child_process';
 import 'node:path';
 import 'node:os';
-import './run-vAhBIn3O.mjs';
+import './run-CPIINXWC.mjs';
 import 'os';
 import 'fs/promises';
 import 'url';

package/dist/{commands-Cvnsb6dT.mjs → commands-CY_yS6CZ.mjs}

@@ -2,7 +2,7 @@ import { existsSync, readFileSync } from 'node:fs';
 import { execSync } from 'node:child_process';
 import { resolve, join } from 'node:path';
 import os from 'node:os';
-import { n as normalizeAllowedUser, l as loadSecurityContextConfig, e as resolveSecurityContext, f as buildSecurityContextFromFlags, m as mergeSecurityContexts, c as connectToHypha, i as buildSessionShareUrl, j as buildMachineShareUrl } from './run-vAhBIn3O.mjs';
+import { n as normalizeAllowedUser, l as loadSecurityContextConfig, e as resolveSecurityContext, f as buildSecurityContextFromFlags, m as mergeSecurityContexts, c as connectToHypha, i as buildSessionShareUrl, j as buildMachineShareUrl } from './run-CPIINXWC.mjs';
 import 'os';
 import 'fs/promises';
 import 'fs';

package/dist/{commands-DacnFYI4.mjs → commands-ErfU1raO.mjs}

@@ -97,7 +97,7 @@ async function serviceServe(args) {
 }
 async function serviceList(_args) {
   try {
-    const { connectAndGetMachine } = await import('./commands-Cvnsb6dT.mjs');
+    const { connectAndGetMachine } = await import('./commands-CY_yS6CZ.mjs');
     const { server, machine } = await connectAndGetMachine();
     try {
       const tunnels = await machine.tunnelList({});
@@ -126,7 +126,7 @@ async function serviceDelete(args) {
     process.exit(1);
   }
   try {
-    const { connectAndGetMachine } = await import('./commands-Cvnsb6dT.mjs');
+    const { connectAndGetMachine } = await import('./commands-CY_yS6CZ.mjs');
     const { server, machine } = await connectAndGetMachine();
     try {
       await machine.tunnelStop({ name });

package/dist/index.mjs

@@ -1,4 +1,4 @@
-export { c as connectToHypha, d as daemonStatus, g as getHyphaServerUrl, r as registerMachineService, a as registerSessionService, s as startDaemon, b as stopDaemon } from './run-vAhBIn3O.mjs';
+export { c as connectToHypha, d as daemonStatus, g as getHyphaServerUrl, r as registerMachineService, a as registerSessionService, s as startDaemon, b as stopDaemon } from './run-CPIINXWC.mjs';
 import 'os';
 import 'fs/promises';
 import 'fs';

package/dist/{package-DRkMQ0BC.mjs → package-CdGJdYjj.mjs}

@@ -1,5 +1,5 @@
 var name = "svamp-cli";
-var version = "0.2.51";
+var version = "0.2.53";
 var description = "Svamp CLI — AI workspace daemon on Hypha Cloud";
 var author = "Amun AI AB";
 var license = "SEE LICENSE IN LICENSE";

package/dist/{run-vAhBIn3O.mjs → run-CPIINXWC.mjs}

@@ -6102,7 +6102,7 @@ You are running inside a Svamp session (id: ${sessionId}) on Hypha Cloud. Use th
 - \`svamp session set-link "<url>" "<label>"\` \u2014 surface any viewable artifact as a button
 - \`svamp session notify "<msg>" [--level info|warning|error]\` \u2014 send a user notification
 
-**Rich HTML output:** When visualization, layout, or animation helps the answer, wrap a self-contained HTML document in \`<html-output>...</html-output>\` and the Svamp client will render it inline as a sandboxed iframe. Inline all CSS/JS; relative \`src=\`/\`href=\` paths resolve to files in this session's directory. Default to markdown for ordinary answers. See the \`html-output\` skill for guidance.
+**Rich HTML output:** Write HTML to a file (\`.svamp/<sessionId>/outputs/\` for disposable, \`./outputs/\` for persistent) and emit \`<html-output src="./outputs/viz.html" title="..." />\` \u2014 the Svamp client renders it inline as a sandboxed iframe with theme CSS vars, auto-resize, and file inlining. Add \`mode="card" poster="./thumb.png" description="..."\` for fullscreen-only outputs (renders as click-to-open card). Use \`<html-output src="https://..." height="540" />\` to embed a live server. Run \`svamp serve <name> <dir>\` to share. Use a real backend server (\`svamp service expose\`) when you need persistence/auth. See the \`html-output\` skill.
 
 ## Parallel Agents
 
@@ -7351,7 +7351,7 @@ async function startDaemon(options) {
   const supervisor = new ProcessSupervisor(join(SVAMP_HOME, "processes"));
   await supervisor.init();
   const tunnels = /* @__PURE__ */ new Map();
-  const { ServeManager } = await import('./serveManager-WHmYr8v-.mjs');
+  const { ServeManager } = await import('./serveManager-Blsg_Pa9.mjs');
   const serveManager = new ServeManager(SVAMP_HOME, (msg) => logger.log(`[SERVE] ${msg}`), hyphaServerUrl);
   ensureAutoInstalledSkills(logger).catch(() => {
   });

package/dist/{run-w2M-elyq.mjs → run-D2qdA8Hw.mjs}

@@ -2,7 +2,7 @@ import{createRequire as _pkgrollCR}from"node:module";const require=_pkgrollCR(im
 import os from 'node:os';
 import { resolve, join } from 'node:path';
 import { existsSync, readFileSync, watch } from 'node:fs';
-import { c as connectToHypha, a as registerSessionService, k as generateHookSettings } from './run-vAhBIn3O.mjs';
+import { c as connectToHypha, a as registerSessionService, k as generateHookSettings } from './run-CPIINXWC.mjs';
 import { createServer } from 'node:http';
 import { spawn } from 'node:child_process';
 import { createInterface } from 'node:readline';

package/dist/{serveCommands-C8CXxLXP.mjs → serveCommands-ThiCkJKF.mjs}

@@ -54,7 +54,7 @@ async function handleServeCommand() {
   }
 }
 async function serveAdd(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-Cvnsb6dT.mjs');
+  const { connectAndGetMachine } = await import('./commands-CY_yS6CZ.mjs');
   const pos = positionalArgs(args);
   const name = pos[0];
   if (!name) {
@@ -86,7 +86,7 @@ async function serveAdd(args, machineId) {
   }
 }
 async function serveApply(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-Cvnsb6dT.mjs');
+  const { connectAndGetMachine } = await import('./commands-CY_yS6CZ.mjs');
   const fs = await import('fs');
   const yaml = await import('yaml');
   const file = positionalArgs(args)[0];
@@ -171,7 +171,7 @@ async function serveApply(args, machineId) {
   }
 }
 async function serveRemove(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-Cvnsb6dT.mjs');
+  const { connectAndGetMachine } = await import('./commands-CY_yS6CZ.mjs');
   const pos = positionalArgs(args);
   const name = pos[0];
   if (!name) {
@@ -191,7 +191,7 @@ async function serveRemove(args, machineId) {
   }
 }
 async function serveList(args, machineId) {
-  const { connectAndGetMachine } = await import('./commands-Cvnsb6dT.mjs');
+  const { connectAndGetMachine } = await import('./commands-CY_yS6CZ.mjs');
   const all = hasFlag(args, "--all", "-a");
   const json = hasFlag(args, "--json");
   const sessionId = getFlag(args, "--session");
@@ -224,7 +224,7 @@ async function serveList(args, machineId) {
   }
 }
 async function serveInfo(machineId) {
-  const { connectAndGetMachine } = await import('./commands-Cvnsb6dT.mjs');
+  const { connectAndGetMachine } = await import('./commands-CY_yS6CZ.mjs');
   const { machine, server } = await connectAndGetMachine(machineId);
   try {
     const info = await machine.serveInfo();

package/dist/{serveManager-WHmYr8v-.mjs → serveManager-Blsg_Pa9.mjs}

@@ -3,7 +3,7 @@ import * as fs from 'fs';
 import * as http from 'http';
 import * as net from 'net';
 import * as path from 'path';
-import { S as ServeAuth, h as hasCookieToken } from './run-vAhBIn3O.mjs';
+import { S as ServeAuth, h as hasCookieToken } from './run-CPIINXWC.mjs';
 import 'os';
 import 'fs/promises';
 import 'url';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svamp-cli",
-  "version": "0.2.51",
+  "version": "0.2.53",
   "description": "Svamp CLI — AI workspace daemon on Hypha Cloud",
   "author": "Amun AI AB",
   "license": "SEE LICENSE IN LICENSE",