svamp-cli 0.2.91 → 0.2.92

package/dist/{run-DWr_h85y.mjs → run-BF4AmFz8.mjs}

@@ -6,7 +6,6 @@ import { fileURLToPath } from 'url';
 import { execFile, spawn as spawn$1, execSync as execSync$1 } from 'child_process';
 import { randomUUID as randomUUID$1 } from 'crypto';
 import { existsSync, readFileSync, mkdirSync as mkdirSync$1, readdirSync, writeFileSync as writeFileSync$1, renameSync as renameSync$1, rmSync, appendFileSync, unlinkSync } from 'node:fs';
-import vm from 'node:vm';
 import { exec, spawn, execSync, execFile as execFile$1, execFileSync } from 'node:child_process';
 import { WebSocket } from 'ws';
 import { promisify } from 'util';
@@ -380,54 +379,6 @@ function buildSkillsPromptSection(skills) {
   ].join("\n");
 }
 
-function buildSvampApi(deps) {
-  return {
-    bash: (command, opts) => deps.runBash(command, opts),
-    context: () => deps.getContext(),
-    ask: (question) => deps.askSession(question),
-    summarize: (question) => deps.summarizeSession(question),
-    send: (message) => deps.sessionSend(message)
-  };
-}
-async function runJs(code, deps, opts = {}) {
-  return runJsWithApi(code, buildSvampApi(deps), opts);
-}
-async function runJsWithApi(code, api, opts = {}) {
-  const timeoutMs = opts.timeoutMs ?? 5e3;
-  const logs = [];
-  const capture = (...a) => {
-    logs.push(a.map((x) => typeof x === "string" ? x : JSON.stringify(x)).join(" "));
-  };
-  const sandbox = /* @__PURE__ */ Object.create(null);
-  sandbox.svamp = api;
-  sandbox.console = { log: capture, error: capture, warn: capture, info: capture };
-  const context = vm.createContext(sandbox, { name: "wise-run_js" });
-  const wrapped = `(async () => {
-${code}
-})()`;
-  let script;
-  try {
-    script = new vm.Script(wrapped, { filename: "wise-run_js.js" });
-  } catch (e) {
-    return { result: void 0, logs, error: "compile error: " + e.message };
-  }
-  let timer;
-  try {
-    const ran = script.runInContext(context, { timeout: timeoutMs });
-    const result = await Promise.race([
-      Promise.resolve(ran),
-      new Promise((_, reject) => {
-        timer = setTimeout(() => reject(new Error("run_js timed out")), timeoutMs);
-      })
-    ]);
-    return { result, logs };
-  } catch (e) {
-    return { result: void 0, logs, error: e.message };
-  } finally {
-    if (timer) clearTimeout(timer);
-  }
-}
-
 const READ_ONLY_TOOLS = ["get_context", "ask_session", "summarize_session", "use_skill"];
 const str$1 = (v) => v == null ? "" : String(v);
 function buildTools(deps, skills) {
@@ -483,16 +434,6 @@ function buildTools(deps, skills) {
         }
         return "(sent to the coding agent)";
       }
-    },
-    {
-      name: "run_js",
-      readOnly: false,
-      description: "Run JavaScript with an async `svamp` API to read state and compose several steps in one call: svamp.bash(cmd), svamp.context(), svamp.ask(q), svamp.summarize(q), svamp.send(msg). Use `await` and `return` a value; console.log is captured. Sandboxed, ~5s limit.",
-      parameters: { type: "object", properties: { code: { type: "string", description: "JS body; may use await and return." } }, required: ["code"], additionalProperties: false },
-      run: async (a) => {
-        const r = await runJs(str$1(a?.code), deps, { timeoutMs: 5e3 });
-        return JSON.stringify({ result: r.result, logs: r.logs, error: r.error });
-      }
     }
   ];
 }
@@ -619,7 +560,6 @@ You are WISE Agent, a fast, text-mode companion to the deep coding agent (Claude
 - summarize_session \u2014 a cheap subagent that summarizes the deep agent's transcript for a specific question.
 - use_skill \u2014 load a project skill's full steps by name, then carry them out with run_bash.
 - run_bash \u2014 run a shell command on the session's machine (when granted).
-- run_js \u2014 JavaScript with an async \`svamp\` API to compose several steps in one call (when granted).
 - send_to_session \u2014 hand a clear, reformulated instruction to the deep coding agent (when granted); pass wait=true to block for its reply.
 
 # Instructions
@@ -733,7 +673,7 @@ async function runWiseAgent(args) {
 }
 
 const MACHINE_READ_ONLY = ["daemon_status", "list_sessions", "read_session", "use_skill"];
-const MACHINE_MUTATING = ["run_bash", "run_js", "send_to_session", "spawn_session"];
+const MACHINE_MUTATING = ["run_bash", "send_to_session", "spawn_session"];
 const ALL_MACHINE_TOOLS = [...MACHINE_READ_ONLY, ...MACHINE_MUTATING];
 const str = (v) => v == null ? "" : String(v);
 function machineToolsForRole(role) {
@@ -741,16 +681,6 @@ function machineToolsForRole(role) {
   if (role === "interact") return [...MACHINE_READ_ONLY, "send_to_session"];
   return [...MACHINE_READ_ONLY];
 }
-function machineSvampApi(deps) {
-  return {
-    bash: (command, opts) => deps.runBash(command, opts),
-    status: () => deps.daemonStatus(),
-    listSessions: () => deps.listSessions(),
-    readSession: (id, opts) => deps.readSession(id, opts),
-    sendToSession: (id, message) => deps.sendToSession(id, message),
-    spawnSession: (directory) => deps.spawnSession(directory)
-  };
-}
 function buildMachineTools(deps, skills) {
   return [
     {
@@ -804,16 +734,6 @@ function buildMachineTools(deps, skills) {
       description: "Start a new agent session in a directory on this machine.",
       parameters: { type: "object", properties: { directory: { type: "string" } }, required: ["directory"], additionalProperties: false },
       run: async (a) => JSON.stringify(await deps.spawnSession(str(a?.directory)))
-    },
-    {
-      name: "run_js",
-      readOnly: false,
-      description: "Run JavaScript with an async `svamp` machine API to compose steps: svamp.bash(cmd), svamp.status(), svamp.listSessions(), svamp.readSession(id), svamp.sendToSession(id,msg), svamp.spawnSession(dir). Use await + return; console.log captured. Sandboxed, ~5s.",
-      parameters: { type: "object", properties: { code: { type: "string" } }, required: ["code"], additionalProperties: false },
-      run: async (a) => {
-        const r = await runJsWithApi(str(a?.code), machineSvampApi(deps), { timeoutMs: 5e3 });
-        return JSON.stringify({ result: r.result, logs: r.logs, error: r.error });
-      }
     }
   ];
 }
@@ -848,7 +768,7 @@ You are WISE in machine-manager (global) mode \u2014 a fast cockpit over the sva
 # Tools
 - daemon_status \u2014 daemon health / version / session count. Use first for machine status.
 - list_sessions / read_session \u2014 see all sessions and inspect any one.
-- run_bash / run_js \u2014 run quick commands / scripts on the machine.
+- run_bash \u2014 run quick commands / scripts on the machine.
 - send_to_session(id, message) \u2014 delegate a task to a specific session's Claude agent.
 - spawn_session(directory) \u2014 start a new session.
 - use_skill \u2014 load a machine-level procedure.
@@ -1022,7 +942,7 @@ function buildSessionDeps(rpc, opts = {}) {
 }
 
 function toolsForRole(role) {
-  if (role === "admin") return [...READ_ONLY_TOOLS, "run_bash", "send_to_session", "run_js"];
+  if (role === "admin") return [...READ_ONLY_TOOLS, "run_bash", "send_to_session"];
   if (role === "interact") return [...READ_ONLY_TOOLS, "send_to_session"];
   return [...READ_ONLY_TOOLS];
 }
@@ -1033,6 +953,7 @@ function buildVoiceSessionUpdate(instructions, tools, opts) {
   return {
     type: "session.update",
     session: {
+      type: "realtime",
       instructions,
       tools: toRealtimeTools(tools),
       tool_choice: "auto",
@@ -1094,20 +1015,88 @@ var sideband = /*#__PURE__*/Object.freeze({
 
 const realFactory = (url, headers) => new WebSocket(url, { headers });
 let _testFactory;
+const NOISY_EVENTS = /* @__PURE__ */ new Set([
+  "response.audio.delta",
+  "response.output_audio.delta",
+  "response.audio_transcript.delta",
+  "response.output_audio_transcript.delta",
+  "response.text.delta",
+  "response.output_text.delta",
+  "response.function_call_arguments.delta",
+  "input_audio_buffer.append",
+  "rate_limits.updated",
+  "conversation.item.input_audio_transcription.delta"
+]);
+const tag = (callId) => `[wise-voice callId=${callId.slice(0, 14)}\u2026]`;
 async function openSideband(opts) {
   const base = (opts.baseUrl || "https://api.openai.com").replace(/^http/, "ws").replace(/\/+$/, "");
   const url = `${base}/v1/realtime?call_id=${encodeURIComponent(opts.callId)}`;
   const { tools, sessionUpdate } = opts.prepared ?? await initVoiceSession(opts.init);
+  const T = tag(opts.callId);
+  const toolNames = tools.map((t) => t.name);
+  console.log(`${T} OPENING sideband \u2192 ${base}/v1/realtime (key=${opts.apiKey ? "set:" + opts.apiKey.slice(0, 7) + "\u2026" : "MISSING"}) | ${toolNames.length} tools: [${toolNames.join(", ")}]`);
   const ws = (opts.wsFactory || _testFactory || realFactory)(url, { Authorization: `Bearer ${opts.apiKey}` });
   const send = (e) => {
     try {
       ws.send(JSON.stringify(e));
-    } catch {
+    } catch (err) {
+      console.error(`${T} send failed (socket gone): ${err?.message || err}`);
     }
   };
   const nameByCallId = /* @__PURE__ */ new Map();
-  ws.on("open", () => send(sessionUpdate));
-  const wantTools = new Set(tools.map((t) => t.name));
+  let eventCount = 0;
+  let toolCalls = 0;
+  let closed = false;
+  const idleMs = opts.idleTimeoutMs ?? 12e4;
+  const lifeMs = opts.maxLifetimeMs ?? 30 * 6e4;
+  let idleTimer;
+  let lifeTimer;
+  const clearTimers = () => {
+    if (idleTimer) clearTimeout(idleTimer);
+    if (lifeTimer) clearTimeout(lifeTimer);
+  };
+  const closeWith = (why) => {
+    if (closed) return;
+    console.log(`${T} CLOSING (${why})`);
+    clearTimers();
+    try {
+      ws.close();
+    } catch {
+    }
+  };
+  const bumpIdle = () => {
+    if (idleTimer) clearTimeout(idleTimer);
+    idleTimer = setTimeout(() => closeWith(`idle ${idleMs / 1e3}s \u2014 no events, treating call as abandoned`), idleMs);
+  };
+  lifeTimer = setTimeout(() => closeWith(`max lifetime ${lifeMs / 6e4}min reached`), lifeMs);
+  bumpIdle();
+  let settled = false;
+  let resolveOpen;
+  let rejectOpen;
+  const opened = new Promise((res, rej) => {
+    resolveOpen = res;
+    rejectOpen = rej;
+  });
+  const connectTimer = setTimeout(() => {
+    if (!settled) {
+      settled = true;
+      rejectOpen(new Error("sideband connect timeout (10s)"));
+      try {
+        ws.close();
+      } catch {
+      }
+    }
+  }, 1e4);
+  ws.on("open", () => {
+    console.log(`${T} WS OPEN \u2713 \u2014 OpenAI Realtime connected; sending session.update (instructions + ${toolNames.length} tools)`);
+    send(sessionUpdate);
+    if (!settled) {
+      settled = true;
+      clearTimeout(connectTimer);
+      resolveOpen();
+    }
+  });
+  const wantTools = new Set(toolNames);
   let reasserts = 0;
   ws.on("message", async (data) => {
     let ev;
@@ -1116,29 +1105,73 @@ async function openSideband(opts) {
     } catch {
       return;
     }
+    eventCount++;
+    bumpIdle();
+    if (ev?.type && !NOISY_EVENTS.has(ev.type)) {
+      if (ev.type === "error") {
+        console.error(`${T} \u26A0\uFE0F OpenAI error event: ${JSON.stringify(ev.error || ev).slice(0, 400)}`);
+      } else if (ev.type === "response.output_item.added" && ev.item?.type === "function_call") {
+        console.log(`${T} \u2190 model requested tool "${ev.item?.name}" (call_id=${ev.item?.call_id})`);
+        try {
+          opts.onTool?.({ callId: ev.item.call_id, name: ev.item.name || "", args: "", output: "", phase: "start" });
+        } catch {
+        }
+      } else if (ev.type === "response.function_call_arguments.done") {
+        toolCalls++;
+        console.log(`${T} \u2190 function_call_arguments.done call_id=${ev.call_id} name=${ev.name || nameByCallId.get(ev.call_id) || "?"} args=${String(ev.arguments || "").slice(0, 200)}`);
+      } else if (ev.type === "session.updated") {
+        const have = (ev.session?.tools || []).map((t) => t?.name);
+        console.log(`${T} session.updated \u2014 server now has tools: [${have.join(", ") || "NONE"}]`);
+      } else {
+        console.log(`${T} \u2190 ${ev.type}`);
+      }
+    }
     if (ev?.type === "session.updated" && wantTools.size) {
       const have = new Set((ev.session?.tools || []).map((t) => t?.name));
       const missing = [...wantTools].some((n) => !have.has(n));
       if (missing && reasserts < 10) {
         reasserts++;
+        console.log(`${T} \u27F3 tools were clobbered (peer session.update) \u2014 re-asserting #${reasserts}`);
         send(sessionUpdate);
         return;
       }
     }
     try {
-      await handleRealtimeEvent(ev, tools, send, nameByCallId);
+      const r = await handleRealtimeEvent(ev, tools, send, nameByCallId);
+      if (r) {
+        console.log(`${T} \u2192 tool "${r.name}" executed \u2192 ${String(r.output).slice(0, 160).replace(/\n/g, " ")}`);
+        try {
+          opts.onTool?.({ callId: ev.call_id, name: r.name, args: String(ev.arguments || ""), output: r.output, phase: "done" });
+        } catch {
+        }
+      }
     } catch (e) {
+      console.error(`${T} dispatch error: ${e?.message || e}`);
       opts.onError?.(e instanceof Error ? e : new Error(String(e)));
     }
   });
-  ws.on("close", () => opts.onClose?.());
-  ws.on("error", (e) => opts.onError?.(e instanceof Error ? e : new Error(String(e))));
-  return { callId: opts.callId, close: () => {
-    try {
-      ws.close();
-    } catch {
-    }
-  } };
+  ws.on("close", (code, reason) => {
+    closed = true;
+    clearTimers();
+    clearTimeout(connectTimer);
+    console.log(`${T} WS CLOSED (code=${code ?? "?"} reason=${reason ? String(reason).slice(0, 120) : ""}) \u2014 ${eventCount} events, ${toolCalls} tool calls`);
+    if (!settled) {
+      settled = true;
+      rejectOpen(new Error(`sideband closed before open (code ${code ?? "?"})`));
+    }
+    opts.onClose?.();
+  });
+  ws.on("error", (e) => {
+    console.error(`${T} WS ERROR: ${e?.message || e}`);
+    clearTimeout(connectTimer);
+    if (!settled) {
+      settled = true;
+      rejectOpen(e instanceof Error ? e : new Error(String(e)));
+    }
+    opts.onError?.(e instanceof Error ? e : new Error(String(e)));
+  });
+  await opened;
+  return { callId: opts.callId, close: () => closeWith("explicit close (release / new attach / shutdown)") };
 }
 
 const execFileAsync$1 = promisify(execFile);
@@ -1265,6 +1298,31 @@ function filterTerminalResponses(data) {
 function getMachineMetadataPath(svampHomeDir) {
   return join(svampHomeDir, "machine-metadata.json");
 }
+async function mintRealtimeEphemeralKey(baseUrl, apiKey, opts) {
+  const realtimeBase = baseUrl || "https://api.openai.com";
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), 15e3);
+  try {
+    const response = await fetch(`${realtimeBase}/v1/realtime/client_secrets`, {
+      method: "POST",
+      headers: { "Authorization": `Bearer ${apiKey}`, "Content-Type": "application/json" },
+      body: JSON.stringify({
+        session: {
+          type: "realtime",
+          model: opts.model || "gpt-realtime-mini",
+          ...opts.voice ? { audio: { output: { voice: opts.voice } } } : {}
+        }
+      }),
+      signal: ctrl.signal
+    });
+    if (!response.ok) throw new Error(`OpenAI client_secrets error: ${response.status}`);
+    const result = await response.json();
+    if (!result.value) throw new Error("client_secrets returned no value");
+    return result.value;
+  } finally {
+    clearTimeout(timer);
+  }
+}
 function loadPersistedMachineMetadata(svampHomeDir) {
   try {
     const data = readFileSync$1(getMachineMetadataPath(svampHomeDir), "utf-8");
@@ -1295,6 +1353,50 @@ async function registerMachineService(server, machineId, metadata, daemonState,
   };
   const listeners = [];
   const voiceSidebands = /* @__PURE__ */ new Map();
+  const prepareVoiceSession = async (params, context) => {
+    const senderName = context?.user?.email || context?.user?.id || "user";
+    if (params.sessionId) {
+      const rpc = handlers.getSessionRPCHandlers?.(params.sessionId);
+      if (!rpc) return { ok: false, error: "Session not found on this machine" };
+      let cwd;
+      let owner;
+      let role2;
+      try {
+        role2 = (await rpc.getEffectiveRole(context))?.role ?? null;
+        if (!role2) return { ok: false, error: "Not authorized for this session" };
+        const metaRes = await rpc.getMetadata(context);
+        cwd = metaRes?.metadata?.path;
+        owner = metaRes?.metadata?.sharing?.owner;
+      } catch {
+        return { ok: false, error: "Not authorized for this session" };
+      }
+      try {
+        const deps = buildSessionDeps(rpc, { cwd, ownerEmail: owner });
+        const prepared = await initVoiceSession({ deps, config: { tools: toolsForRole(role2) }, sender: { name: senderName, kind: "user", verified: true }, voice: params.voice });
+        return { ok: true, prepared, role: role2, scope: "session" };
+      } catch (e) {
+        return { ok: false, error: e?.message || "Failed to prepare voice session" };
+      }
+    }
+    const role = getEffectiveRole(context, currentMetadata.sharing);
+    if (!role) return { ok: false, error: "Not authorized on this machine" };
+    try {
+      const machineDeps = buildMachineDeps(
+        {
+          getSessionIds: handlers.getSessionIds,
+          getSessionRPCHandlers: handlers.getSessionRPCHandlers,
+          getTrackedSessions: handlers.getTrackedSessions,
+          spawnSession: handlers.spawnSession,
+          getDaemonStatus: () => ({ status: currentDaemonState.status, machineId, pid: currentDaemonState.pid })
+        },
+        { cwd: process.env.HOME, ownerEmail: currentMetadata.sharing?.owner }
+      );
+      const prepared = await initMachineVoiceSession({ deps: machineDeps, role, voice: params.voice });
+      return { ok: true, prepared, role, scope: "machine" };
+    } catch (e) {
+      return { ok: false, error: e?.message || "Failed to prepare voice session" };
+    }
+  };
   const removeListener = (listener, reason) => {
     const idx = listeners.indexOf(listener);
     if (idx >= 0) {
@@ -2230,7 +2332,7 @@ async function registerMachineService(server, machineId, metadata, daemonState,
         const tunnels = handlers.tunnels;
         if (!tunnels) throw new Error("Tunnel management not available");
         if (tunnels.has(params.name)) throw new Error(`Tunnel '${params.name}' already running`);
-        const { FrpcTunnel } = await import('./frpc-BBNWJChC.mjs');
+        const { FrpcTunnel } = await import('./frpc-D_1pEpUY.mjs');
         const tunnel = new FrpcTunnel({
           name: params.name,
           ports: params.ports,
@@ -2380,35 +2482,9 @@ async function registerMachineService(server, machineId, metadata, daemonState,
         if (misconfig || !resolved.apiKey) {
           return { success: false, error: misconfig || "WISE voice is not configured: no OpenAI API key on this machine. Run `svamp wise-agent auth use-openai <KEY>` (or set OPENAI_API_KEY), then `svamp daemon restart`." };
         }
-        const realtimeBase = resolved.baseUrl || "https://api.openai.com";
         try {
-          const wisCtrl = new AbortController();
-          const wisTimer = setTimeout(() => wisCtrl.abort(), 15e3);
-          let response;
-          try {
-            response = await fetch(`${realtimeBase}/v1/realtime/client_secrets`, {
-              method: "POST",
-              headers: {
-                "Authorization": `Bearer ${resolved.apiKey}`,
-                "Content-Type": "application/json"
-              },
-              body: JSON.stringify({
-                session: {
-                  type: "realtime",
-                  model: params.model || "gpt-realtime-mini",
-                  ...params.voice ? { audio: { output: { voice: params.voice } } } : {}
-                }
-              }),
-              signal: wisCtrl.signal
-            });
-          } finally {
-            clearTimeout(wisTimer);
-          }
-          if (!response.ok) {
-            return { success: false, error: `OpenAI API error: ${response.status}` };
-          }
-          const result = await response.json();
-          return { success: true, clientSecret: result.value };
+          const clientSecret = await mintRealtimeEphemeralKey(resolved.baseUrl, resolved.apiKey, { model: params.model, voice: params.voice });
+          return { success: true, clientSecret };
         } catch (error) {
           return { success: false, error: error instanceof Error ? error.message : "Failed to create token" };
         }
@@ -2429,54 +2505,22 @@ async function registerMachineService(server, machineId, metadata, daemonState,
           return { success: false, error: misconfig || "WISE voice is not configured on this machine." };
         }
         const userKey = (context?.user?.email || context?.user?.id || "anon").toLowerCase();
-        const senderName = context?.user?.email || context?.user?.id || "user";
-        let prepared;
-        let role;
-        if (params.sessionId) {
-          const rpc = handlers.getSessionRPCHandlers?.(params.sessionId);
-          if (!rpc) return { success: false, error: "Session not found on this machine" };
-          let cwd;
-          let owner;
-          try {
-            role = (await rpc.getEffectiveRole(context))?.role ?? null;
-            if (!role) return { success: false, error: "Not authorized for this session" };
-            const metaRes = await rpc.getMetadata(context);
-            cwd = metaRes?.metadata?.path;
-            owner = metaRes?.metadata?.sharing?.owner;
-          } catch {
-            return { success: false, error: "Not authorized for this session" };
-          }
-          try {
-            const deps = buildSessionDeps(rpc, { cwd, ownerEmail: owner });
-            prepared = await initVoiceSession({ deps, config: { tools: toolsForRole(role) }, sender: { name: senderName, kind: "user", verified: true }, voice: params.voice });
-          } catch (e) {
-            return { success: false, error: e?.message || "Failed to prepare voice session" };
-          }
-        } else {
-          role = getEffectiveRole(context, currentMetadata.sharing);
-          if (!role) return { success: false, error: "Not authorized on this machine" };
-          try {
-            const machineDeps = buildMachineDeps(
-              {
-                getSessionIds: handlers.getSessionIds,
-                getSessionRPCHandlers: handlers.getSessionRPCHandlers,
-                getTrackedSessions: handlers.getTrackedSessions,
-                spawnSession: handlers.spawnSession,
-                getDaemonStatus: () => ({ status: currentDaemonState.status, machineId, pid: currentDaemonState.pid })
-              },
-              { cwd: process.env.HOME, ownerEmail: currentMetadata.sharing?.owner }
-            );
-            prepared = await initMachineVoiceSession({ deps: machineDeps, role, voice: params.voice });
-          } catch (e) {
-            return { success: false, error: e?.message || "Failed to prepare voice session" };
-          }
+        const prep = await prepareVoiceSession(params, context);
+        if (!prep.ok) return { success: false, error: prep.error };
+        const { prepared, role } = prep;
+        const scope = params.sessionId ? `session ${params.sessionId}` : "machine-global";
+        console.log(`[wise-voice] ATTACH request user=${userKey} scope=${scope} role=${role} callId=${params.callId.slice(0, 16)}\u2026 tools=[${(prepared.tools || []).map((t) => t.name).join(", ")}]`);
+        const prior = voiceSidebands.get(userKey);
+        if (prior) {
+          console.log(`[wise-voice] superseding prior sideband for user=${userKey} (callId=${prior.callId.slice(0, 16)}\u2026) \u2014 closing to avoid a double bill`);
+          prior.close();
+          voiceSidebands.delete(userKey);
         }
-        voiceSidebands.get(userKey)?.close();
-        voiceSidebands.delete(userKey);
         try {
+          const ephemeralKey = await mintRealtimeEphemeralKey(resolved.baseUrl, resolved.apiKey, { model: params.model, voice: params.voice });
           const handle = await openSideband({
             callId: params.callId,
-            apiKey: resolved.apiKey,
+            apiKey: ephemeralKey,
             baseUrl: resolved.baseUrl,
             prepared,
             onClose: () => {
@@ -2484,16 +2528,117 @@ async function registerMachineService(server, machineId, metadata, daemonState,
             }
           });
           voiceSidebands.set(userKey, handle);
+          console.log(`[wise-voice] ATTACH ok user=${userKey} scope=${scope} \u2014 sideband live (active sidebands: ${voiceSidebands.size})`);
           return { success: true, role, scope: params.sessionId ? "session" : "machine" };
         } catch (e) {
+          console.error(`[wise-voice] ATTACH FAILED user=${userKey}: ${e?.message || e}`);
           return { success: false, error: e?.message || "Failed to attach voice sideband" };
         }
       },
-      // Explicit teardown of the caller's active voice sideband (e.g. on hang-up).
+      // UNIFIED INTERFACE (fixes the call_id 404): the DAEMON creates the WebRTC
+      // call so it OWNS it and can attach the sideband WS. The browser sends its SDP
+      // offer here (via the connect-time fetch reroute); we POST it to
+      // /v1/realtime/calls with the machine key + WISE session config (tools +
+      // instructions baked in), open the sideband to execute tools, and return the
+      // SDP answer + call_id for the browser to finish the WebRTC handshake.
+      wiseCreateCall: async (params, context) => {
+        trackInbound();
+        if (context && (!context.user || context.user.is_anonymous)) {
+          return { success: false, error: "Sign in to use WISE voice." };
+        }
+        if (!params?.sdp) return { success: false, error: "sdp offer is required" };
+        const resolved = resolveModel({ provider: "openai" }, process.env);
+        const misconfig = describeMisconfiguration(resolved);
+        if (misconfig || !resolved.apiKey) {
+          return { success: false, error: misconfig || "WISE voice is not configured on this machine." };
+        }
+        const userKey = (context?.user?.email || context?.user?.id || "anon").toLowerCase();
+        const prep = await prepareVoiceSession(params, context);
+        if (!prep.ok) return { success: false, error: prep.error };
+        const { prepared, role } = prep;
+        const scope = params.sessionId ? `session ${params.sessionId}` : "machine-global";
+        const model = params.model || "gpt-realtime-mini";
+        console.log(`[wise-voice] CREATE-CALL request user=${userKey} scope=${scope} role=${role} model=${model} tools=[${(prepared.tools || []).map((t) => t.name).join(", ")}]`);
+        const base = resolved.baseUrl || "https://api.openai.com";
+        let answerSdp;
+        let callId;
+        try {
+          const sessionConfig = { ...prepared.sessionUpdate.session, model };
+          const fd = new FormData();
+          fd.set("sdp", params.sdp);
+          fd.set("session", JSON.stringify(sessionConfig));
+          const ctrl = new AbortController();
+          const timer = setTimeout(() => ctrl.abort(), 2e4);
+          let resp;
+          try {
+            resp = await fetch(`${base}/v1/realtime/calls`, {
+              method: "POST",
+              headers: { "Authorization": `Bearer ${resolved.apiKey}` },
+              body: fd,
+              signal: ctrl.signal
+            });
+          } finally {
+            clearTimeout(timer);
+          }
+          if (!resp.ok) {
+            const body = await resp.text().catch(() => "");
+            console.error(`[wise-voice] CREATE-CALL OpenAI error ${resp.status}: ${body.slice(0, 300)}`);
+            return { success: false, error: `OpenAI call create failed (HTTP ${resp.status})${body ? `: ${body.slice(0, 160)}` : ""}` };
+          }
+          answerSdp = await resp.text();
+          const loc = resp.headers.get("Location") || "";
+          callId = loc.split("/").filter(Boolean).pop() || "";
+          console.log(`[wise-voice] CREATE-CALL ok callId=${callId.slice(0, 16)}\u2026 (SDP answer ${answerSdp.length}b, Location="${loc}")`);
+        } catch (e) {
+          console.error(`[wise-voice] CREATE-CALL failed: ${e?.message || e}`);
+          return { success: false, error: e?.message || "Failed to create voice call" };
+        }
+        let sidebandOk = false;
+        let sidebandError;
+        if (callId) {
+          voiceSidebands.get(userKey)?.close();
+          voiceSidebands.delete(userKey);
+          try {
+            const handle = await openSideband({
+              callId,
+              apiKey: resolved.apiKey,
+              baseUrl: resolved.baseUrl,
+              prepared,
+              onClose: () => {
+                if (voiceSidebands.get(userKey)?.callId === callId) voiceSidebands.delete(userKey);
+              },
+              // Push each tool's name/args/output to the browser (fire-and-forget)
+              // so it can render accurate tool rows the SDK can't provide.
+              onTool: params.onToolEvent ? (ev) => {
+                try {
+                  const p = params.onToolEvent(ev);
+                  if (p && typeof p.catch === "function") p.catch(() => {
+                  });
+                } catch {
+                }
+              } : void 0
+            });
+            voiceSidebands.set(userKey, handle);
+            sidebandOk = true;
+            console.log(`[wise-voice] CREATE-CALL sideband live user=${userKey} (active: ${voiceSidebands.size})`);
+          } catch (e) {
+            sidebandError = e?.message || String(e);
+            console.error(`[wise-voice] CREATE-CALL sideband FAILED: ${sidebandError}`);
+          }
+        } else {
+          sidebandError = "no call_id in OpenAI response";
+        }
+        return { success: true, sdp: answerSdp, callId, sidebandOk, sidebandError, role, scope: params.sessionId ? "session" : "machine" };
+      },
+      // Explicit teardown of the caller's active voice sideband (e.g. on hang-up,
+      // Stop, tab close/unload). The frontend calls this so we don't wait for the
+      // idle backstop — release the billable OpenAI session immediately.
       wiseReleaseVoice: async (_params, context) => {
         trackInbound();
         const userKey = (context?.user?.email || context?.user?.id || "anon").toLowerCase();
-        voiceSidebands.get(userKey)?.close();
+        const had = voiceSidebands.get(userKey);
+        if (had) console.log(`[wise-voice] RELEASE user=${userKey} callId=${had.callId.slice(0, 16)}\u2026 (explicit hang-up)`);
+        had?.close();
         voiceSidebands.delete(userKey);
         return { success: true };
       },
@@ -2587,6 +2732,19 @@ async function registerMachineService(server, machineId, metadata, daemonState,
         if (!rpc?.channelDescribe) return { error: "channel not found" };
         return rpc.channelDescribe(kwargs.channel);
       },
+      // Clean GET endpoint for the self-contained skill markdown. Param is
+      // named `channel` (not `kwargs`) so the Hypha HTTP gateway maps a plain
+      // `?channel=<id>` query → a tidy, shareable SKILL.md URL.
+      skill: async (channel) => {
+        const id = channel;
+        if (!id) return "# error\nMissing ?channel=<id>";
+        const rpc = await findChannelOwner(id);
+        if (!rpc?.channelDescribe) return `# error
+channel "${id}" not found`;
+        const d = await rpc.channelDescribe(id);
+        return d?.skill?.body || `# error
+${d?.error || "not found"}`;
+      },
       send: async (kwargs = {}, context) => {
         trackInbound();
         const rpc = await findChannelOwner(kwargs.channel);
@@ -2955,7 +3113,7 @@ function validateChannel(c) {
   if (c.action?.kind === "loop" && m === "caller-supplied" && !c.identity?.shared_key)
     errs.push("a caller-supplied channel without a shared_key may not use a loop action (unauthenticated task injection)");
   if (c.action?.kind === "agent" && m === "caller-supplied" && !c.identity?.shared_key) {
-    const MUTATING = ["run_bash", "send_to_session", "run_js"];
+    const MUTATING = ["run_bash", "send_to_session"];
     const ag = c.action.agent || {};
     const grantsMutating = (ag.tools || []).some((t) => MUTATING.includes(t)) || Object.values(ag.per_caller || {}).some((p) => (p?.tools || []).some((t) => MUTATING.includes(t)));
     if (grantsMutating) errs.push("a caller-supplied agent channel without a shared_key may not grant run_bash/send_to_session");
@@ -3041,25 +3199,53 @@ class ChannelStore {
     return caller;
   }
 }
-function generateSkillBody(channel, urlBase) {
-  const url = `${"https://<svamp-tunnel>"}/channel/${channel.id}`;
+function gatewayBase(channelsServiceId, baseUrl) {
+  const slash = channelsServiceId.indexOf("/");
+  if (slash < 0) return `${baseUrl.replace(/\/$/, "")}/services/${channelsServiceId}`;
+  const ws = channelsServiceId.slice(0, slash);
+  const clientSvc = channelsServiceId.slice(slash + 1);
+  return `${baseUrl.replace(/\/$/, "")}/${ws}/services/${clientSvc}`;
+}
+function generateSkillBody(channel, ctx) {
+  const svc = ctx?.channelsServiceId || "<workspace>/<machine>:channels";
+  const base = ctx?.baseUrl || "https://hypha.aicell.io";
+  const gw = ctx?.channelsServiceId ? gatewayBase(svc, base) : `${base}/<workspace>/services/<machine>:channels`;
+  const skillUrl = `${gw}/skill?channel=${channel.id}`;
+  const sendUrl = `${gw}/send`;
+  const key = ctx?.key || "<your-key>";
   const isAgent = channel.action?.kind === "agent";
-  const replyNote = isAgent ? `
-This is a WISE Agent channel: send() runs a fast assistant against the session's tools/skills and **returns its answer synchronously** in the result \`reply\`.` : `
-Delivery is fire-and-forget; the message lands in the agent's inbox tagged with your identity (from/verified).`;
+  const hyphaOpen = (channel.identity?.hypha_allow || []).length > 0;
+  const name = channel.skill?.name || channel.name;
+  const desc = channel.skill?.description || channel.description || `Send a message to the "${channel.name}" channel.`;
+  const replyNote = isAgent ? `This is a **WISE Agent** channel: \`send()\` runs a fast assistant against the session's tools/skills and returns its answer synchronously in the result \`reply\`.` : `Delivery is fire-and-forget \u2014 the message lands in the agent's inbox, tagged with your verified identity (\`from\`).`;
+  const rpcLine = hyphaOpen ? `**Hypha RPC** \u2014 preferred. Your verified Hypha identity is accepted, no key needed:` : `**Hypha RPC** \u2014 verified identity:`;
   return `---
-name: ${channel.skill?.name || channel.name}
-description: ${channel.skill?.description || channel.description || `Send a message to the "${channel.name}" channel.`}
+name: ${name}
+description: ${desc}
 ---
-# ${channel.name}
+# ${name}
 ${channel.description || ""}
 
-Self-contained guide for messaging another agent \u2014 share this (or its URL,
-${url}/skill.md) with an agent so it knows how to reach me.
-${replyNote}
+Self-contained guide for messaging the **${channel.name}** channel. ${replyNote}
+This skill (with every value below already filled in) is served at:
+${skillUrl}
+
+${rpcLine}
+\`\`\`js
+await get_service("${svc}").send({
+  channel: "${channel.id}",
+  message: "your message here",
+  from:    "your-name",
+});
+\`\`\`
+
+**HTTP** \u2014 any client, no Hypha SDK needed (Hypha gateway wraps args under \`kwargs\`):
+\`\`\`
+POST ${sendUrl}
+Content-Type: application/json
 
-Hypha RPC (preferred, verified identity, no key): get_service("<ws>/<machine>:channels").send({ channel: "${channel.id}", message: "..." })
-HTTP: POST ${url} with header Authorization: Bearer <your-key>, body { "message": "...", "from": "..." }`;
+{"kwargs": {"channel": "${channel.id}", "message": "your message here", "from": "your-name", "key": "${key}"}}
+\`\`\``;
 }
 
 function resolveSender(channel, input = {}) {
@@ -3337,6 +3523,19 @@ function createSessionStore(server, sessionId, initialMetadata, initialAgentStat
     callbacks.onMetadataUpdate?.(metadata);
   };
   const channelStore = new ChannelStore(initialMetadata.path);
+  const cfg = server?.config || {};
+  const channelsServiceId = cfg.workspace && cfg.client_id ? `${cfg.workspace}/${cfg.client_id}:channels` : void 0;
+  const channelsBaseUrl = cfg.public_base_url || process.env.HYPHA_SERVER_URL || "https://hypha.aicell.io";
+  const skillCtxFor = (c) => ({
+    channelsServiceId,
+    baseUrl: channelsBaseUrl,
+    key: c.identity?.shared_key || c.identity?.callers?.[0]?.key
+  });
+  const skillUrlsFor = (c) => {
+    if (!channelsServiceId) return { skillUrl: void 0, sendUrl: void 0 };
+    const gw = gatewayBase(channelsServiceId, channelsBaseUrl);
+    return { skillUrl: `${gw}/describe?channel=${c.id}`, sendUrl: `${gw}/send` };
+  };
   const syncChannelsToMetadata = () => {
     metadata.channels = channelStore.list();
     metadataVersion++;
@@ -3550,7 +3749,17 @@ function createSessionStore(server, sessionId, initialMetadata, initialAgentStat
       authorizeRequest(context, metadata.sharing, "view");
       const c = channelStore.get(id);
       if (!c) return { error: "not found" };
-      return { skill: generateSkillBody(c) };
+      const { skillUrl, sendUrl } = skillUrlsFor(c);
+      return {
+        skill: generateSkillBody(c, skillCtxFor(c)),
+        channelsServiceId,
+        channelId: c.id,
+        name: c.name,
+        skillUrl,
+        sendUrl,
+        key: c.identity?.shared_key || c.identity?.callers?.[0]?.key,
+        hyphaKeyless: (c.identity?.hypha_allow || []).length > 0
+      };
     },
     // Public channel discovery (no session authz — channels are deliberately
     // published endpoints; each send() is gated by the channel's OWN identity).
@@ -3560,7 +3769,7 @@ function createSessionStore(server, sessionId, initialMetadata, initialAgentStat
     channelDescribe: async (id) => {
       const c = channelStore.get(id);
       if (!c || c.enabled === false) return { error: "not found" };
-      return { ...channelPublicView(c), skill: { body: generateSkillBody(c) } };
+      return { ...channelPublicView(c), skill: { body: generateSkillBody(c, skillCtxFor(c)) } };
     },
     channelSend: async (params, context) => {
       const c = channelStore.get(params.channel);
@@ -10207,7 +10416,7 @@ async function startDaemon(options) {
     const list = loadExposedTunnels().filter((t) => t.name !== name);
     saveExposedTunnels(list);
   }
-  const { ServeManager } = await import('./serveManager-Dn9GyzAG.mjs');
+  const { ServeManager } = await import('./serveManager-DNlqB0r6.mjs');
   const serveManager = new ServeManager(SVAMP_HOME, (msg) => logger.log(`[SERVE] ${msg}`), hyphaServerUrl);
   ensureAutoInstalledSkills(logger).catch(() => {
   });
@@ -12835,7 +13044,7 @@ ${capturedError}${buildClaudeErrorHint(capturedError)}`;
       const specs = loadExposedTunnels();
       if (specs.length === 0) return;
       logger.log(`[exposed-tunnels] Restoring ${specs.length} tunnel(s) from ${EXPOSED_TUNNELS_FILE}`);
-      const { FrpcTunnel } = await import('./frpc-BBNWJChC.mjs');
+      const { FrpcTunnel } = await import('./frpc-D_1pEpUY.mjs');
       for (const spec of specs) {
         if (tunnels.has(spec.name)) continue;
         try {
@@ -13607,4 +13816,4 @@ var run = /*#__PURE__*/Object.freeze({
     writeStopMarker: writeStopMarker
 });
 
-export { normalizeAllowedUser as A, loadSecurityContextConfig as B, resolveSecurityContext as C, buildSecurityContextFromFlags as D, mergeSecurityContexts as E, buildSessionShareUrl as F, computeOutboundHop as G, buildMachineShareUrl as H, generateHookSettings as I, DefaultTransport$1 as J, acpBackend as K, acpAgentConfig as L, codexMcpBackend as M, GeminiTransport$1 as N, claudeAuth as O, instanceConfig as P, api as Q, RoutineStore as R, ServeAuth as S, run as T, registerSessionService as a, stopDaemon as b, connectToHypha as c, daemonStatus as d, clearStopMarker as e, stopMarkerExists as f, getHyphaServerUrl$1 as g, getFrpsSubdomainHost as h, getFrpsServerPort as i, getFrpsServerAddr as j, getHyphaServerUrl as k, hasCookieToken as l, RoutineRunner as m, getSkillsServer as n, getSkillsWorkspaceName as o, parseFrontmatter as p, getSkillsCollectionName as q, registerMachineService as r, startDaemon as s, fetchWithTimeout as t, searchSkills as u, SKILLS_DIR as v, getSkillInfo as w, downloadSkillFile as x, listSkillFiles as y, resolveModel as z };
+export { normalizeAllowedUser as A, loadSecurityContextConfig as B, resolveSecurityContext as C, buildSecurityContextFromFlags as D, mergeSecurityContexts as E, buildSessionShareUrl as F, computeOutboundHop as G, buildMachineShareUrl as H, handleRealtimeEvent as I, describeMisconfiguration as J, buildMachineDeps as K, initMachineVoiceSession as L, generateHookSettings as M, DefaultTransport$1 as N, acpBackend as O, acpAgentConfig as P, codexMcpBackend as Q, RoutineStore as R, ServeAuth as S, GeminiTransport$1 as T, claudeAuth as U, instanceConfig as V, api as W, run as X, registerSessionService as a, stopDaemon as b, connectToHypha as c, daemonStatus as d, clearStopMarker as e, stopMarkerExists as f, getHyphaServerUrl$1 as g, getFrpsSubdomainHost as h, getFrpsServerPort as i, getFrpsServerAddr as j, getHyphaServerUrl as k, hasCookieToken as l, RoutineRunner as m, getSkillsServer as n, getSkillsWorkspaceName as o, parseFrontmatter as p, getSkillsCollectionName as q, registerMachineService as r, startDaemon as s, fetchWithTimeout as t, searchSkills as u, SKILLS_DIR as v, getSkillInfo as w, downloadSkillFile as x, listSkillFiles as y, resolveModel as z };