teamcopilot 0.0.2 → 0.1.0

package/dist/utils/approval-snapshot-common.js

@@ -62,6 +62,32 @@ function assertNoSymlink(absolutePath, resourceLabel) {
         };
     }
 }
+function resolveSnapshotRootPath(rootPath, slug, resourceLabel) {
+    if (!fs_1.default.existsSync(rootPath)) {
+        throw {
+            status: 404,
+            message: `${capitalize(resourceLabel)} not found for slug: ${slug}`
+        };
+    }
+    const lstat = fs_1.default.lstatSync(rootPath);
+    if (lstat.isSymbolicLink()) {
+        const resolvedPath = fs_1.default.realpathSync(rootPath);
+        if (!fs_1.default.statSync(resolvedPath).isDirectory()) {
+            throw {
+                status: 400,
+                message: `${capitalize(resourceLabel)} path is not a directory`
+            };
+        }
+        return resolvedPath;
+    }
+    if (!lstat.isDirectory()) {
+        throw {
+            status: 400,
+            message: `${capitalize(resourceLabel)} path is not a directory`
+        };
+    }
+    return rootPath;
+}
 function ensureDirectoryExists(absoluteDir) {
     fs_1.default.mkdirSync(absoluteDir, { recursive: true });
 }
@@ -150,20 +176,8 @@ function computeSnapshotHash(files) {
     return hash.digest("hex");
 }
 function collectCurrentResourceSnapshot(options) {
-    const { root_path: rootPath, slug, resource_label: resourceLabel } = options;
-    if (!fs_1.default.existsSync(rootPath)) {
-        throw {
-            status: 404,
-            message: `${capitalize(resourceLabel)} not found for slug: ${slug}`
-        };
-    }
-    assertNoSymlink(rootPath, resourceLabel);
-    if (!fs_1.default.statSync(rootPath).isDirectory()) {
-        throw {
-            status: 400,
-            message: `${capitalize(resourceLabel)} path is not a directory`
-        };
-    }
+    const { root_path: configuredRootPath, slug, resource_label: resourceLabel } = options;
+    const rootPath = resolveSnapshotRootPath(configuredRootPath, slug, resourceLabel);
     const files = [];
     collectFilesRecursive(rootPath, "", files, resourceLabel);
     files.sort((a, b) => a.relative_path.localeCompare(b.relative_path));
@@ -322,8 +336,7 @@ async function restoreResourceToApprovedSnapshot(config, userId) {
             message: "No approved snapshot exists to restore"
         };
     }
-    const rootPath = config.root_path;
-    assertNoSymlink(rootPath, config.resource_label);
+    const rootPath = resolveSnapshotRootPath(config.root_path, config.slug, config.resource_label);
     const currentPaths = [];
     collectCurrentNonIgnoredFilePaths(rootPath, "", currentPaths, config.resource_label);
     const snapshotPathSet = new Set(snapshot.files.map((file) => file.relative_path));

package/dist/utils/opencode-auth.js

@@ -5,14 +5,18 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getConfiguredModelProviderId = getConfiguredModelProviderId;
 exports.initializeOpencodeAuthStorage = initializeOpencodeAuthStorage;
+exports.isServiceManagedProvider = isServiceManagedProvider;
+exports.hasRuntimeProviderCredentials = hasRuntimeProviderCredentials;
 exports.getRuntimeProviderAuth = getRuntimeProviderAuth;
 exports.setRuntimeProviderAuth = setRuntimeProviderAuth;
+exports.syncManagedProviderConfiguration = syncManagedProviderConfiguration;
 const promises_1 = __importDefault(require("fs/promises"));
 const path_1 = __importDefault(require("path"));
 const assert_1 = require("./assert");
 const workspace_sync_1 = require("./workspace-sync");
 const WORKSPACE_OPENCODE_DIR = ".opencode";
 const WORKSPACE_AUTH_FILE = "auth.json";
+const WORKSPACE_CONFIG_FILE = "opencode.json";
 const RUNTIME_DATA_HOME_DIR = "xdg-data";
 function getWorkspaceOpencodeDir() {
     return path_1.default.join((0, workspace_sync_1.getWorkspaceDirFromEnv)(), WORKSPACE_OPENCODE_DIR);
@@ -23,6 +27,9 @@ function getRuntimeDataHomePath() {
 function getRuntimeAuthPath() {
     return path_1.default.join(getRuntimeDataHomePath(), "opencode", WORKSPACE_AUTH_FILE);
 }
+function getWorkspaceOpencodeConfigPath() {
+    return path_1.default.join(getWorkspaceOpencodeDir(), WORKSPACE_CONFIG_FILE);
+}
 function normalizeProviderId(providerId) {
     return providerId.replace(/\/+$/, "");
 }
@@ -80,6 +87,35 @@ async function writeAuthRecord(filepath, data) {
     await promises_1.default.rename(tempPath, filepath);
     await promises_1.default.chmod(filepath, 0o600).catch(() => { });
 }
+async function readOpencodeConfig(filepath) {
+    try {
+        const content = await promises_1.default.readFile(filepath, "utf-8");
+        const parsed = JSON.parse(content);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+            throw new Error("Invalid opencode config");
+        }
+        return parsed;
+    }
+    catch (err) {
+        const nodeError = err;
+        if (nodeError.code === "ENOENT") {
+            return {
+                $schema: "https://opencode.ai/config.json",
+            };
+        }
+        throw err;
+    }
+}
+async function writeOpencodeConfig(filepath, data) {
+    await promises_1.default.mkdir(path_1.default.dirname(filepath), { recursive: true });
+    const tempPath = `${filepath}.tmp-${process.pid}-${Date.now()}`;
+    await promises_1.default.writeFile(tempPath, `${JSON.stringify(data, null, 2)}\n`, {
+        encoding: "utf-8",
+        mode: 0o600,
+    });
+    await promises_1.default.rename(tempPath, filepath);
+    await promises_1.default.chmod(filepath, 0o600).catch(() => { });
+}
 function getConfiguredModelProviderId() {
     const model = (0, assert_1.assertEnv)("OPENCODE_MODEL");
     const [providerId, ...parts] = model.split("/");
@@ -88,6 +124,14 @@ function getConfiguredModelProviderId() {
     }
     return providerId;
 }
+function getConfiguredModelId() {
+    const model = (0, assert_1.assertEnv)("OPENCODE_MODEL");
+    const [providerId, ...parts] = model.split("/");
+    if (!providerId || parts.length === 0) {
+        throw new Error("OPENCODE_MODEL must be in the format <provider>/<model>");
+    }
+    return parts.join("/");
+}
 function configureOpencodeDataHome() {
     const runtimeDataHome = getRuntimeDataHomePath();
     process.env.XDG_DATA_HOME = runtimeDataHome;
@@ -112,6 +156,40 @@ function getAuthForProvider(record, providerId) {
     const normalizedProviderId = normalizeProviderId(providerId);
     return record[providerId] || record[normalizedProviderId] || record[`${normalizedProviderId}/`];
 }
+function isAzureCustomProvider(providerId) {
+    return normalizeProviderId(providerId).toLowerCase() === "azure-openai";
+}
+function isServiceManagedProvider(providerId) {
+    return isAzureCustomProvider(providerId);
+}
+function normalizeAzureEndpoint(endpoint) {
+    return endpoint.trim().replace(/\/+$/, "");
+}
+function hasRequiredAzureEnvironment() {
+    return isNonEmptyString(process.env.AZURE_API_KEY)
+        && isNonEmptyString(process.env.AZURE_OPENAI_ENDPOINT)
+        && isNonEmptyString(process.env.AZURE_OPENAI_API_VERSION);
+}
+async function hasAzureProviderConfiguration(providerId) {
+    const deployment = getConfiguredModelId().trim();
+    const config = await readOpencodeConfig(getWorkspaceOpencodeConfigPath());
+    const provider = config.provider?.[normalizeProviderId(providerId)];
+    if (!provider || provider.npm !== "@ai-sdk/azure") {
+        return false;
+    }
+    const models = provider.models;
+    if (!models || typeof models !== "object" || Array.isArray(models)) {
+        return false;
+    }
+    const deploymentConfig = models[deployment];
+    return Boolean(deploymentConfig && typeof deploymentConfig === "object" && !Array.isArray(deploymentConfig));
+}
+async function hasRuntimeProviderCredentials(providerId) {
+    if (isAzureCustomProvider(providerId)) {
+        return hasRequiredAzureEnvironment() && await hasAzureProviderConfiguration(providerId);
+    }
+    return Boolean(await getRuntimeProviderAuth(providerId));
+}
 async function getRuntimeProviderAuth(providerId) {
     const record = await readAuthRecord(getRuntimeAuthPath());
     return getAuthForProvider(record, providerId);
@@ -124,3 +202,37 @@ async function setRuntimeProviderAuth(providerId, info) {
     runtimeRecord[normalizedProviderId] = info;
     await writeAuthRecord(getRuntimeAuthPath(), runtimeRecord);
 }
+async function syncManagedProviderConfiguration() {
+    const providerId = getConfiguredModelProviderId();
+    if (!isAzureCustomProvider(providerId) || !hasRequiredAzureEnvironment()) {
+        return;
+    }
+    const endpoint = normalizeAzureEndpoint((0, assert_1.assertEnv)("AZURE_OPENAI_ENDPOINT"));
+    const apiVersion = (0, assert_1.assertEnv)("AZURE_OPENAI_API_VERSION").trim();
+    const deployment = getConfiguredModelId().trim();
+    const normalizedProviderId = normalizeProviderId(providerId);
+    const configPath = getWorkspaceOpencodeConfigPath();
+    const configRecord = await readOpencodeConfig(configPath);
+    const providerRecord = configRecord.provider ?? {};
+    const existingProviderConfig = providerRecord[normalizedProviderId];
+    configRecord.provider = {
+        ...providerRecord,
+        [normalizedProviderId]: {
+            ...(existingProviderConfig ?? {}),
+            npm: "@ai-sdk/azure",
+            name: "Azure OpenAI",
+            models: {
+                [deployment]: {
+                    name: deployment,
+                },
+            },
+            options: {
+                ...(existingProviderConfig?.options ?? {}),
+                baseURL: `${endpoint}/openai`,
+                apiVersion,
+                useDeploymentBasedUrls: true,
+            },
+        },
+    };
+    await writeOpencodeConfig(configPath, configRecord);
+}

package/dist/utils/resource-files.js

@@ -11,8 +11,22 @@ const redact_1 = require("./redact");
 function createResourceFileManager(options) {
     const { getResourcePath, resourceLabel, editorLabel } = options;
     const rootLabel = `${resourceLabel} root`;
-    const symlinkRootError = `${editorLabel} editor does not support symlinked ${resourceLabel} directories`;
     const symlinkError = `${editorLabel} editor does not support symlinks`;
+    function getResolvedRootPaths(slug) {
+        const configuredRoot = getResourcePath(slug);
+        try {
+            return {
+                configuredRoot,
+                realRoot: fs_1.default.realpathSync(configuredRoot),
+            };
+        }
+        catch {
+            throw {
+                status: 404,
+                message: `${rootLabel} not found`
+            };
+        }
+    }
     function toEtag(buffer) {
         return crypto_1.default.createHash("sha256").update(buffer).digest("hex");
     }
@@ -64,21 +78,8 @@ function createResourceFileManager(options) {
         }
         return absolute;
     }
-    function assertRootNotSymlink(slug) {
-        const resourceRoot = getResourcePath(slug);
-        if (!fs_1.default.existsSync(resourceRoot)) {
-            return;
-        }
-        const rootLstat = fs_1.default.lstatSync(resourceRoot);
-        if (rootLstat.isSymbolicLink()) {
-            throw {
-                status: 400,
-                message: symlinkRootError
-            };
-        }
-    }
     function assertRealPathWithinRoot(slug, absolutePath) {
-        const realRoot = fs_1.default.realpathSync(getResourcePath(slug));
+        const { realRoot } = getResolvedRootPaths(slug);
         const realTarget = fs_1.default.realpathSync(absolutePath);
         if (realTarget !== realRoot && !realTarget.startsWith(`${realRoot}${path_1.default.sep}`)) {
             throw {
@@ -88,9 +89,14 @@ function createResourceFileManager(options) {
         }
     }
     function assertNoSymlinkInAncestors(slug, absolutePath) {
-        const root = path_1.default.resolve(getResourcePath(slug));
+        const { configuredRoot: rawConfiguredRoot, realRoot: rawRealRoot } = getResolvedRootPaths(slug);
+        const configuredRoot = path_1.default.resolve(rawConfiguredRoot);
+        const realRoot = path_1.default.resolve(rawRealRoot);
         let current = path_1.default.resolve(absolutePath);
         while (true) {
+            if (current === configuredRoot || current === realRoot) {
+                return;
+            }
             const lstat = fs_1.default.lstatSync(current);
             if (lstat.isSymbolicLink()) {
                 throw {
@@ -98,9 +104,6 @@ function createResourceFileManager(options) {
                     message: symlinkError
                 };
             }
-            if (current === root) {
-                return;
-            }
             const parent = path_1.default.dirname(current);
             if (parent === current) {
                 throw {
@@ -112,12 +115,10 @@ function createResourceFileManager(options) {
         }
     }
     function assertExistingPathIsSafe(slug, absolutePath) {
-        assertRootNotSymlink(slug);
         assertRealPathWithinRoot(slug, absolutePath);
         assertNoSymlinkInAncestors(slug, absolutePath);
     }
     function assertParentDirectoryIsSafeForCreate(slug, parentAbsolutePath) {
-        assertRootNotSymlink(slug);
         assertRealPathWithinRoot(slug, parentAbsolutePath);
         assertNoSymlinkInAncestors(slug, parentAbsolutePath);
     }

package/dist/utils/skill.js

@@ -15,7 +15,7 @@ const client_1 = __importDefault(require("../prisma/client"));
 const workspace_sync_1 = require("./workspace-sync");
 const permission_common_1 = require("./permission-common");
 function getSkillsRootPath() {
-    return path_1.default.join((0, workspace_sync_1.getWorkspaceDirFromEnv)(), "custom-skills");
+    return path_1.default.join((0, workspace_sync_1.getWorkspaceDirFromEnv)(), ".agents", "skills");
 }
 function getSkillPath(slug) {
     return path_1.default.join(getSkillsRootPath(), slug);
@@ -66,9 +66,19 @@ function listSkillSlugs() {
     const entries = fs_1.default.readdirSync(skillsDir, { withFileTypes: true });
     const slugs = [];
     for (const entry of entries) {
-        if (!entry.isDirectory())
-            continue;
-        const canonicalManifestPath = path_1.default.join(skillsDir, entry.name, "SKILL.md");
+        const skillEntryPath = path_1.default.join(skillsDir, entry.name);
+        if (!entry.isDirectory()) {
+            if (!entry.isSymbolicLink())
+                continue;
+            try {
+                if (!fs_1.default.statSync(skillEntryPath).isDirectory())
+                    continue;
+            }
+            catch {
+                continue;
+            }
+        }
+        const canonicalManifestPath = path_1.default.join(skillEntryPath, "SKILL.md");
         if (fs_1.default.existsSync(canonicalManifestPath)) {
             slugs.push(entry.name);
         }
@@ -76,12 +86,32 @@ function listSkillSlugs() {
     return slugs;
 }
 function extractFrontmatterValue(frontmatter, key) {
-    const pattern = new RegExp(`^${key}\\s*:\\s*(.+)$`, "m");
-    const match = frontmatter.match(pattern);
-    if (!match) {
-        return null;
+    const lines = frontmatter.split("\n");
+    for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index];
+        const match = line.match(new RegExp(`^${key}\\s*:\\s*(.*)$`));
+        if (!match) {
+            continue;
+        }
+        const rawValue = match[1]?.trim() ?? "";
+        if (rawValue === "|" || rawValue === ">") {
+            const blockLines = [];
+            for (let blockIndex = index + 1; blockIndex < lines.length; blockIndex += 1) {
+                const blockLine = lines[blockIndex] ?? "";
+                if (blockLine.length === 0) {
+                    blockLines.push("");
+                    continue;
+                }
+                if (!/^\s+/.test(blockLine)) {
+                    break;
+                }
+                blockLines.push(blockLine.replace(/^\s+/, ""));
+            }
+            return blockLines.join(rawValue === ">" ? " " : "\n").trim();
+        }
+        return rawValue.replace(/^["']|["']$/g, "");
     }
-    return match[1]?.trim().replace(/^["']|["']$/g, "") ?? null;
+    return null;
 }
 function readSkillManifest(slug) {
     const skillManifestPath = getSkillManifestPath(slug);

package/dist/utils/workspace-sync.js

@@ -21,6 +21,7 @@ const WORKSPACE_DB_DIRECTORY = ".sqlite";
 const WORKSPACE_DB_FILENAME = "data.db";
 const HONEYTOKEN_UUID = "1f9f0b72-5f9f-4c9b-aef1-2fb2e0f6d8c4";
 const HONEYTOKEN_FILE_NAME = `honeytoken-${HONEYTOKEN_UUID}.txt`;
+const WORKSPACE_AZURE_PROVIDER_VERSION = "3.0.48";
 function getWorkspaceDirFromEnv() {
     let workspaceDir = (0, assert_1.assertEnv)("WORKSPACE_DIR");
     if (!path_1.default.isAbsolute(workspaceDir)) {
@@ -48,13 +49,11 @@ function ensureWorkspaceDatabaseDirectory() {
 function normalizeRelativePath(relativePath) {
     return relativePath.split(path_1.default.sep).join("/");
 }
-const MANAGED_WORKSPACE_DIRECTORIES = new Set([
-    "workflows",
-    "custom-skills",
-]);
 function shouldSkipManagedDirectoryContent(relativePath) {
-    const [topLevelSegment] = relativePath.split("/");
-    if (MANAGED_WORKSPACE_DIRECTORIES.has(topLevelSegment)) {
+    if (relativePath === "workflows" || relativePath.startsWith("workflows/")) {
+        return true;
+    }
+    if (relativePath === ".agents/skills" || relativePath.startsWith(".agents/skills/")) {
         return true;
     }
     if (relativePath === ".opencode/xdg-data" || relativePath.startsWith(".opencode/xdg-data/")) {
@@ -178,6 +177,9 @@ function syncTemplateDirectory(sourceDirectory, targetDirectory, relativePath, i
                 mergeGitignoreFile(sourceEntryPath, targetEntryPath);
                 continue;
             }
+            if (relativeEntryPath === ".opencode/opencode.json" && fs_1.default.existsSync(targetEntryPath)) {
+                continue;
+            }
             if (entry.name === "package.json") {
                 mergePackageJsonFile(sourceEntryPath, targetEntryPath);
                 continue;
@@ -195,6 +197,9 @@ async function initializeWorkspaceNodeDependencies(workspaceDir) {
         ...(existingPackageJson.dependencies ?? {}),
         "opencode-ai": "1.1.65",
     };
+    if ((0, assert_1.assertEnv)("OPENCODE_MODEL").startsWith("azure-openai/")) {
+        dependencies["@ai-sdk/azure"] = WORKSPACE_AZURE_PROVIDER_VERSION;
+    }
     const workspacePackageJson = {
         ...existingPackageJson,
         dependencies,
@@ -210,7 +215,7 @@ async function initializeWorkspaceDirectory() {
     fs_1.default.mkdirSync(workspaceDir, { recursive: true });
     const workflowsDir = path_1.default.join(workspaceDir, "workflows");
     fs_1.default.mkdirSync(workflowsDir, { recursive: true });
-    const skillsDir = path_1.default.join(workspaceDir, "custom-skills");
+    const skillsDir = path_1.default.join(workspaceDir, ".agents", "skills");
     fs_1.default.mkdirSync(skillsDir, { recursive: true });
     const honeytokenValue = `DO_NOT_EXPOSE:${HONEYTOKEN_UUID}\n`;
     fs_1.default.writeFileSync(path_1.default.join(workflowsDir, HONEYTOKEN_FILE_NAME), honeytokenValue, "utf-8");

package/dist/workspace_files/.opencode/opencode.json

@@ -1,5 +1,8 @@
 {
   "$schema": "https://opencode.ai/config.json",
+  "tools": {
+    "skill": false
+  },
   "mcp": {
     "brave-search": {
       "type": "local",
@@ -14,4 +17,4 @@
       }
     }
   }
-}
+}

package/dist/workspace_files/.opencode/package.json

@@ -10,5 +10,6 @@
   "devDependencies": {
     "@types/node": "^20.0.0",
     "typescript": "^5.0.0"
-  }
+  },
+  "scripts": {}
 }

package/dist/workspace_files/.opencode/plugins/createSkill.ts

@@ -24,6 +24,14 @@ interface PermissionResponse {
   approved: boolean
 }
 
+interface SessionLookupResponse {
+  error?: unknown
+  data?: {
+    id?: string
+    parentID?: string
+  }
+}
+
 async function readErrorMessageFromResponse(
   response: Response,
   fallbackMessage: string
@@ -191,7 +199,29 @@ function buildSkillMarkdown(
   return `---\nname: ${JSON.stringify(slug)}\ndescription: ${JSON.stringify(description)}\n---\n\n${body}\n`
 }
 
-export const CreateSkillPlugin: Plugin = async (_ctx) => {
+export const CreateSkillPlugin: Plugin = async ({ client }) => {
+  async function resolveRootSessionID(sessionID: string): Promise<string> {
+    let currentSessionID = sessionID
+
+    while (true) {
+      const response = (await client.session.get({
+        path: {
+          id: currentSessionID,
+        },
+      })) as SessionLookupResponse
+      if (response.error) {
+        throw new Error(`Failed to resolve root session for ${currentSessionID}`)
+      }
+
+      const parentID = response.data?.parentID
+      if (!parentID) {
+        return currentSessionID
+      }
+
+      currentSessionID = parentID
+    }
+  }
+
   return {
     tool: {
       createSkill: tool({
@@ -210,6 +240,7 @@ export const CreateSkillPlugin: Plugin = async (_ctx) => {
         },
         async execute(args, context) {
           const { directory, sessionID } = context
+          const authSessionID = await resolveRootSessionID(sessionID)
           const slug = args.slug.trim()
           const description = args.description.trim()
           const content = args.content.trim()
@@ -238,7 +269,7 @@ export const CreateSkillPlugin: Plugin = async (_ctx) => {
             throw new Error("Could not determine call id from tool context.")
           }
 
-          const skillsDir = path.join(directory, "custom-skills")
+          const skillsDir = path.join(directory, ".agents", "skills")
           const skillDir = path.join(skillsDir, slug)
 
           if (!isPathInside(skillDir, skillsDir)) {
@@ -250,7 +281,7 @@ export const CreateSkillPlugin: Plugin = async (_ctx) => {
           }
 
           await requestCreationPermission(
-            sessionID,
+            authSessionID,
             messageId,
             callId
           )
@@ -259,7 +290,7 @@ export const CreateSkillPlugin: Plugin = async (_ctx) => {
             method: "POST",
             headers: {
               "Content-Type": "application/json",
-              Authorization: `Bearer ${sessionID}`,
+              Authorization: `Bearer ${authSessionID}`,
             },
             body: JSON.stringify({
               name: slug,
@@ -278,7 +309,7 @@ export const CreateSkillPlugin: Plugin = async (_ctx) => {
             `${getApiBaseUrl()}/api/skills/${encodeURIComponent(slug)}/files/content?path=${encodeURIComponent("SKILL.md")}`,
             {
               headers: {
-                Authorization: `Bearer ${sessionID}`,
+                Authorization: `Bearer ${authSessionID}`,
               },
             }
           )
@@ -302,7 +333,7 @@ export const CreateSkillPlugin: Plugin = async (_ctx) => {
             method: "PUT",
             headers: {
               "Content-Type": "application/json",
-              Authorization: `Bearer ${sessionID}`,
+              Authorization: `Bearer ${authSessionID}`,
             },
             body: JSON.stringify({
               path: "SKILL.md",
@@ -324,7 +355,7 @@ export const CreateSkillPlugin: Plugin = async (_ctx) => {
               skill: {
                 slug,
                 description,
-                file_path: `custom-skills/${slug}/SKILL.md`,
+                file_path: `.agents/skills/${slug}/SKILL.md`,
               },
             },
             null,

package/dist/workspace_files/.opencode/plugins/createWorkflow.ts

@@ -37,6 +37,14 @@ interface PermissionResponse {
   approved: boolean
 }
 
+interface SessionLookupResponse {
+  error?: unknown
+  data?: {
+    id?: string
+    parentID?: string
+  }
+}
+
 // ============================================================================
 // Constants
 // ============================================================================
@@ -195,7 +203,29 @@ async function requestWorkflowPermission(
 // Plugin
 // ============================================================================
 
-export const CreateWorkflowPlugin: Plugin = async (_ctx) => {
+export const CreateWorkflowPlugin: Plugin = async ({ client }) => {
+  async function resolveRootSessionID(sessionID: string): Promise<string> {
+    let currentSessionID = sessionID
+
+    while (true) {
+      const response = (await client.session.get({
+        path: {
+          id: currentSessionID,
+        },
+      })) as SessionLookupResponse
+      if (response.error) {
+        throw new Error(`Failed to resolve root session for ${currentSessionID}`)
+      }
+
+      const parentID = response.data?.parentID
+      if (!parentID) {
+        return currentSessionID
+      }
+
+      currentSessionID = parentID
+    }
+  }
+
   return {
     tool: {
       createWorkflow: tool({
@@ -237,6 +267,7 @@ export const CreateWorkflowPlugin: Plugin = async (_ctx) => {
         },
         async execute(args, context) {
           const { directory, sessionID } = context
+          const authSessionID = await resolveRootSessionID(sessionID)
           const { slug, intent_summary, inputs = {}, timeout_seconds = 300 } = args
           const messageId = extractMessageId(context)
           const callId = extractCallId(context)
@@ -278,7 +309,7 @@ export const CreateWorkflowPlugin: Plugin = async (_ctx) => {
 
           // Request permission after basic validation and existence checks pass.
           await requestWorkflowPermission(
-            sessionID,
+            authSessionID,
             messageId,
             callId
           )
@@ -316,7 +347,7 @@ export const CreateWorkflowPlugin: Plugin = async (_ctx) => {
               method: "POST",
               headers: {
                 "Content-Type": "application/json",
-                Authorization: `Bearer ${sessionID}`,
+                Authorization: `Bearer ${authSessionID}`,
               },
             }
           )