tide-commander 1.87.0 → 1.89.0

package/dist/assets/{web-D3zCwsS9.js → web-BrBkKQlr.js}

@@ -1 +1 @@
-import{ck as s}from"./main-BrZe9Zbd.js";import"./vendor-react--Eh9ivFN.js";import"./vendor-three-Chj50gSY.js";class l extends s{constructor(){super(...arguments),this.pending=[],this.deliveredNotifications=[],this.hasNotificationSupport=()=>{if(!("Notification"in window)||!Notification.requestPermission)return!1;if(Notification.permission!=="granted")try{new Notification("")}catch(i){if(i instanceof Error&&i.name==="TypeError")return!1}return!0}}async getDeliveredNotifications(){const i=[];for(const t of this.deliveredNotifications){const e={title:t.title,id:parseInt(t.tag),body:t.body};i.push(e)}return{notifications:i}}async removeDeliveredNotifications(i){for(const t of i.notifications){const e=this.deliveredNotifications.find(n=>n.tag===String(t.id));e==null||e.close(),this.deliveredNotifications=this.deliveredNotifications.filter(()=>!e)}}async removeAllDeliveredNotifications(){for(const i of this.deliveredNotifications)i.close();this.deliveredNotifications=[]}async createChannel(){throw this.unimplemented("Not implemented on web.")}async deleteChannel(){throw this.unimplemented("Not implemented on web.")}async listChannels(){throw this.unimplemented("Not implemented on web.")}async schedule(i){if(!this.hasNotificationSupport())throw this.unavailable("Notifications not supported in this browser.");for(const t of i.notifications)this.sendNotification(t);return{notifications:i.notifications.map(t=>({id:t.id}))}}async getPending(){return{notifications:this.pending}}async registerActionTypes(){throw this.unimplemented("Not implemented on web.")}async cancel(i){this.pending=this.pending.filter(t=>!i.notifications.find(e=>e.id===t.id))}async areEnabled(){const{display:i}=await this.checkPermissions();return{value:i==="granted"}}async changeExactNotificationSetting(){throw this.unimplemented("Not implemented on web.")}async checkExactNotificationSetting(){throw this.unimplemented("Not implemented on web.")}async requestPermissions(){if(!this.hasNotificationSupport())throw this.unavailable("Notifications not supported in this browser.");return{display:this.transformNotificationPermission(await Notification.requestPermission())}}async checkPermissions(){if(!this.hasNotificationSupport())throw this.unavailable("Notifications not supported in this browser.");return{display:this.transformNotificationPermission(Notification.permission)}}transformNotificationPermission(i){switch(i){case"granted":return"granted";case"denied":return"denied";default:return"prompt"}}sendPending(){var i;const t=[],e=new Date().getTime();for(const n of this.pending)!((i=n.schedule)===null||i===void 0)&&i.at&&n.schedule.at.getTime()<=e&&(this.buildNotification(n),t.push(n));this.pending=this.pending.filter(n=>!t.find(o=>o===n))}sendNotification(i){var t;if(!((t=i.schedule)===null||t===void 0)&&t.at){const e=i.schedule.at.getTime()-new Date().getTime();this.pending.push(i),setTimeout(()=>{this.sendPending()},e);return}this.buildNotification(i)}buildNotification(i){const t=new Notification(i.title,{body:i.body,tag:String(i.id)});return t.addEventListener("click",this.onClick.bind(this,i),!1),t.addEventListener("show",this.onShow.bind(this,i),!1),t.addEventListener("close",()=>{this.deliveredNotifications=this.deliveredNotifications.filter(()=>!this)},!1),this.deliveredNotifications.push(t),t}onClick(i){const t={actionId:"tap",notification:i};this.notifyListeners("localNotificationActionPerformed",t)}onShow(i){this.notifyListeners("localNotificationReceived",i)}}export{l as LocalNotificationsWeb};
+import{ck as s}from"./main-D-YFCprA.js";import"./vendor-react--Eh9ivFN.js";import"./vendor-three-Chj50gSY.js";class l extends s{constructor(){super(...arguments),this.pending=[],this.deliveredNotifications=[],this.hasNotificationSupport=()=>{if(!("Notification"in window)||!Notification.requestPermission)return!1;if(Notification.permission!=="granted")try{new Notification("")}catch(i){if(i instanceof Error&&i.name==="TypeError")return!1}return!0}}async getDeliveredNotifications(){const i=[];for(const t of this.deliveredNotifications){const e={title:t.title,id:parseInt(t.tag),body:t.body};i.push(e)}return{notifications:i}}async removeDeliveredNotifications(i){for(const t of i.notifications){const e=this.deliveredNotifications.find(n=>n.tag===String(t.id));e==null||e.close(),this.deliveredNotifications=this.deliveredNotifications.filter(()=>!e)}}async removeAllDeliveredNotifications(){for(const i of this.deliveredNotifications)i.close();this.deliveredNotifications=[]}async createChannel(){throw this.unimplemented("Not implemented on web.")}async deleteChannel(){throw this.unimplemented("Not implemented on web.")}async listChannels(){throw this.unimplemented("Not implemented on web.")}async schedule(i){if(!this.hasNotificationSupport())throw this.unavailable("Notifications not supported in this browser.");for(const t of i.notifications)this.sendNotification(t);return{notifications:i.notifications.map(t=>({id:t.id}))}}async getPending(){return{notifications:this.pending}}async registerActionTypes(){throw this.unimplemented("Not implemented on web.")}async cancel(i){this.pending=this.pending.filter(t=>!i.notifications.find(e=>e.id===t.id))}async areEnabled(){const{display:i}=await this.checkPermissions();return{value:i==="granted"}}async changeExactNotificationSetting(){throw this.unimplemented("Not implemented on web.")}async checkExactNotificationSetting(){throw this.unimplemented("Not implemented on web.")}async requestPermissions(){if(!this.hasNotificationSupport())throw this.unavailable("Notifications not supported in this browser.");return{display:this.transformNotificationPermission(await Notification.requestPermission())}}async checkPermissions(){if(!this.hasNotificationSupport())throw this.unavailable("Notifications not supported in this browser.");return{display:this.transformNotificationPermission(Notification.permission)}}transformNotificationPermission(i){switch(i){case"granted":return"granted";case"denied":return"denied";default:return"prompt"}}sendPending(){var i;const t=[],e=new Date().getTime();for(const n of this.pending)!((i=n.schedule)===null||i===void 0)&&i.at&&n.schedule.at.getTime()<=e&&(this.buildNotification(n),t.push(n));this.pending=this.pending.filter(n=>!t.find(o=>o===n))}sendNotification(i){var t;if(!((t=i.schedule)===null||t===void 0)&&t.at){const e=i.schedule.at.getTime()-new Date().getTime();this.pending.push(i),setTimeout(()=>{this.sendPending()},e);return}this.buildNotification(i)}buildNotification(i){const t=new Notification(i.title,{body:i.body,tag:String(i.id)});return t.addEventListener("click",this.onClick.bind(this,i),!1),t.addEventListener("show",this.onShow.bind(this,i),!1),t.addEventListener("close",()=>{this.deliveredNotifications=this.deliveredNotifications.filter(()=>!this)},!1),this.deliveredNotifications.push(t),t}onClick(i){const t={actionId:"tap",notification:i};this.notifyListeners("localNotificationActionPerformed",t)}onShow(i){this.notifyListeners("localNotificationReceived",i)}}export{l as LocalNotificationsWeb};

package/dist/assets/{web-DS0FHmg8.js → web-DCu3NTho.js}

@@ -1 +1 @@
-import{ck as a}from"./main-BrZe9Zbd.js";import{ImpactStyle as i,NotificationType as r}from"./index-DSvJOrb7.js";import"./vendor-react--Eh9ivFN.js";import"./vendor-three-Chj50gSY.js";class h extends a{constructor(){super(...arguments),this.selectionStarted=!1}async impact(t){const e=this.patternForImpact(t==null?void 0:t.style);this.vibrateWithPattern(e)}async notification(t){const e=this.patternForNotification(t==null?void 0:t.type);this.vibrateWithPattern(e)}async vibrate(t){const e=(t==null?void 0:t.duration)||300;this.vibrateWithPattern([e])}async selectionStart(){this.selectionStarted=!0}async selectionChanged(){this.selectionStarted&&this.vibrateWithPattern([70])}async selectionEnd(){this.selectionStarted=!1}patternForImpact(t=i.Heavy){return t===i.Medium?[43]:t===i.Light?[20]:[61]}patternForNotification(t=r.Success){return t===r.Warning?[30,40,30,50,60]:t===r.Error?[27,45,50]:[35,65,21]}vibrateWithPattern(t){if(navigator.vibrate)navigator.vibrate(t);else throw this.unavailable("Browser does not support the vibrate API")}}export{h as HapticsWeb};
+import{ck as a}from"./main-D-YFCprA.js";import{ImpactStyle as i,NotificationType as r}from"./index-BiAZinYH.js";import"./vendor-react--Eh9ivFN.js";import"./vendor-three-Chj50gSY.js";class h extends a{constructor(){super(...arguments),this.selectionStarted=!1}async impact(t){const e=this.patternForImpact(t==null?void 0:t.style);this.vibrateWithPattern(e)}async notification(t){const e=this.patternForNotification(t==null?void 0:t.type);this.vibrateWithPattern(e)}async vibrate(t){const e=(t==null?void 0:t.duration)||300;this.vibrateWithPattern([e])}async selectionStart(){this.selectionStarted=!0}async selectionChanged(){this.selectionStarted&&this.vibrateWithPattern([70])}async selectionEnd(){this.selectionStarted=!1}patternForImpact(t=i.Heavy){return t===i.Medium?[43]:t===i.Light?[20]:[61]}patternForNotification(t=r.Success){return t===r.Warning?[30,40,30,50,60]:t===r.Error?[27,45,50]:[35,65,21]}vibrateWithPattern(t){if(navigator.vibrate)navigator.vibrate(t);else throw this.unavailable("Browser does not support the vibrate API")}}export{h as HapticsWeb};

package/dist/assets/{web-DEq3Te_H.js → web-DX588C-g.js}

@@ -1 +1 @@
-import{ck as t}from"./main-BrZe9Zbd.js";import"./vendor-react--Eh9ivFN.js";import"./vendor-three-Chj50gSY.js";class o extends t{constructor(){super(),this.handleVisibilityChange=()=>{const e={isActive:document.hidden!==!0};this.notifyListeners("appStateChange",e),document.hidden?this.notifyListeners("pause",null):this.notifyListeners("resume",null)},document.addEventListener("visibilitychange",this.handleVisibilityChange,!1)}exitApp(){throw this.unimplemented("Not implemented on web.")}async getInfo(){throw this.unimplemented("Not implemented on web.")}async getLaunchUrl(){return{url:""}}async getState(){return{isActive:document.hidden!==!0}}async minimizeApp(){throw this.unimplemented("Not implemented on web.")}async toggleBackButtonHandler(){throw this.unimplemented("Not implemented on web.")}async getAppLanguage(){return{value:navigator.language.split("-")[0].toLowerCase()}}}export{o as AppWeb};
+import{ck as t}from"./main-D-YFCprA.js";import"./vendor-react--Eh9ivFN.js";import"./vendor-three-Chj50gSY.js";class o extends t{constructor(){super(),this.handleVisibilityChange=()=>{const e={isActive:document.hidden!==!0};this.notifyListeners("appStateChange",e),document.hidden?this.notifyListeners("pause",null):this.notifyListeners("resume",null)},document.addEventListener("visibilitychange",this.handleVisibilityChange,!1)}exitApp(){throw this.unimplemented("Not implemented on web.")}async getInfo(){throw this.unimplemented("Not implemented on web.")}async getLaunchUrl(){return{url:""}}async getState(){return{isActive:document.hidden!==!0}}async minimizeApp(){throw this.unimplemented("Not implemented on web.")}async toggleBackButtonHandler(){throw this.unimplemented("Not implemented on web.")}async getAppLanguage(){return{value:navigator.language.split("-")[0].toLowerCase()}}}export{o as AppWeb};

package/dist/index.html

@@ -22,10 +22,10 @@
     <link rel="icon" type="image/png" sizes="16x16" href="/assets/icons/favicon-16x16.png" />
     <link rel="apple-touch-icon" sizes="180x180" href="/assets/icons/apple-touch-icon.png" />
     <title>Tide Commander</title>
-    <script type="module" crossorigin src="/assets/main-BrZe9Zbd.js"></script>
+    <script type="module" crossorigin src="/assets/main-D-YFCprA.js"></script>
     <link rel="modulepreload" crossorigin href="/assets/vendor-react--Eh9ivFN.js">
     <link rel="modulepreload" crossorigin href="/assets/vendor-three-Chj50gSY.js">
-    <link rel="stylesheet" crossorigin href="/assets/main-kpU9m5LW.css">
+    <link rel="stylesheet" crossorigin href="/assets/main-Bw5ZddEN.css">
   </head>
   <body>
     <div id="app"></div>

package/dist/src/packages/server/data/builtin-skills/explore-database.js

@@ -0,0 +1,175 @@
+const BT3 = '```';
+export const exploreDatabase = {
+    slug: 'explore-database',
+    name: 'Explore Database',
+    description: 'Inspect database buildings via the Tide Commander API: list connections, browse databases/tables, read schemas, and run SQL.',
+    allowedTools: ['Bash(curl:*)', 'Bash(jq:*)'],
+    content: `# Explore Database Skill
+
+This skill lets you inspect any **database building** in Tide Commander through the
+internal HTTP API. You can list connections, list databases/tables, read schemas,
+and execute SQL — all without leaving the curl pattern.
+
+All endpoints live under \`/api/database/\` and use the same auth header as every
+other Tide Commander skill (\`X-Auth-Token\`). Passwords are never returned by the
+API; responses include a \`hasPassword\` boolean instead.
+
+---
+
+## Endpoint Reference
+
+| Endpoint | Method | Purpose |
+|---|---|---|
+| \`/api/database/buildings\` | GET | List every database building (redacted connections) |
+| \`/api/database/buildings/{buildingId}\` | GET | One database building with all its connections |
+| \`/api/database/buildings/{buildingId}/connections/{connectionId}/test\` | POST | Verify the connection works |
+| \`/api/database/buildings/{buildingId}/connections/{connectionId}/databases\` | GET | List databases on the server |
+| \`/api/database/buildings/{buildingId}/connections/{connectionId}/databases/{database}/tables\` | GET | List tables/views in a database |
+| \`/api/database/buildings/{buildingId}/connections/{connectionId}/databases/{database}/tables/{table}/columns\` | GET | **Describe table — columns only** (lean) |
+| \`/api/database/buildings/{buildingId}/connections/{connectionId}/databases/{database}/tables/{table}/schema\` | GET | Full schema: columns + indexes + foreign keys |
+| \`/api/database/buildings/{buildingId}/connections/{connectionId}/query\` | POST | Run SQL — body \`{database, query, limit?, recordHistory?}\` |
+| \`/api/database/buildings/{buildingId}/history\` | GET | Recent query history (\`?limit=N\`) |
+
+Engines supported: **mysql, postgresql, oracle, sqlite, mssql**. SSH tunnels are
+applied automatically when configured on the connection.
+
+---
+
+## Step 1: Discover database buildings
+
+${BT3}bash
+# List all DB buildings + their connections (redacted)
+curl -s http://localhost:5174/api/database/buildings | jq
+
+# Compact view: just id/name/engine of each connection
+curl -s http://localhost:5174/api/database/buildings \\
+  | jq '.buildings[] | {id, name, conns: [.connections[] | {id, engine, host, port, database}]}'
+${BT3}
+
+Pick the **buildingId** and **connectionId** you want to explore. The \`activeConnectionId\`
+field hints at the one the user typically works with.
+
+## Step 2: Verify the connection
+
+Always run a test before any heavy query — it brings up SSH tunnels and validates
+credentials cheaply.
+
+${BT3}bash
+curl -s -X POST http://localhost:5174/api/database/buildings/BUILDING_ID/connections/CONNECTION_ID/test
+# → {"success":true,"serverVersion":"8.0.36"} or {"success":false,"error":"..."}
+${BT3}
+
+## Step 3: Browse databases and tables
+
+${BT3}bash
+# List databases on the server
+curl -s http://localhost:5174/api/database/buildings/BUILDING_ID/connections/CONNECTION_ID/databases | jq
+
+# List tables/views in a specific database
+curl -s http://localhost:5174/api/database/buildings/BUILDING_ID/connections/CONNECTION_ID/databases/MY_DB/tables | jq
+
+# Compact: just names
+curl -s http://localhost:5174/api/database/buildings/BUILDING_ID/connections/CONNECTION_ID/databases/MY_DB/tables \\
+  | jq '.tables | map(.name)'
+${BT3}
+
+For Oracle, "database" means **schema/owner** (e.g. \`SCOTT\`, \`HR\`). For SQLite the
+"database" is the file path or \`main\`.
+
+## Step 4: Inspect a table's schema
+
+${BT3}bash
+curl -s http://localhost:5174/api/database/buildings/BUILDING_ID/connections/CONNECTION_ID/databases/MY_DB/tables/users/schema | jq
+${BT3}
+
+Returns \`{ database, table, columns, indexes, foreignKeys }\`. Use this to
+discover columns before writing a SELECT.
+
+## Step 5: Run SQL
+
+${BT3}bash
+# Read query — limit defaults to 1000, capped at 10000
+curl -s -X POST http://localhost:5174/api/database/buildings/BUILDING_ID/connections/CONNECTION_ID/query \\
+  -H "Content-Type: application/json" \\
+  -d '{"database":"MY_DB","query":"SELECT id, email FROM users WHERE created_at > NOW() - INTERVAL 1 DAY","limit":50}'
+
+# Persist into the building's query history (visible in the UI)
+curl -s -X POST http://localhost:5174/api/database/buildings/BUILDING_ID/connections/CONNECTION_ID/query \\
+  -H "Content-Type: application/json" \\
+  -d '{"database":"MY_DB","query":"SELECT COUNT(*) AS n FROM users","recordHistory":true}'
+
+# Mutating statements work too — affectedRows is reported instead of rows
+curl -s -X POST http://localhost:5174/api/database/buildings/BUILDING_ID/connections/CONNECTION_ID/query \\
+  -H "Content-Type: application/json" \\
+  -d '{"database":"MY_DB","query":"UPDATE users SET active = 1 WHERE id = 42"}'
+${BT3}
+
+**Response shape (success):**
+${BT3}json
+{
+  "id": "q_1700000000000_abc123",
+  "status": "success",
+  "duration": 12,
+  "rows": [{"id":1,"email":"a@b.com"}],
+  "fields": [{"name":"id","type":"INT"}, {"name":"email","type":"VARCHAR"}],
+  "rowCount": 1
+}
+${BT3}
+
+**Response shape (error):** \`{ "status": "error", "error": "...", "errorCode": "..." }\`
+The HTTP status is \`400\` for SQL errors and \`500\` only for unexpected failures.
+
+## Step 6: Review history
+
+${BT3}bash
+curl -s "http://localhost:5174/api/database/buildings/BUILDING_ID/history?limit=20" | jq '.history[] | {executedAt, status, duration, query}'
+${BT3}
+
+Only queries explicitly run with \`recordHistory:true\` (or executed via the UI)
+appear here.
+
+---
+
+## Important Rules
+
+1. **LIMIT is automatic.** SELECTs without a LIMIT/TOP/FETCH clause are wrapped
+   server-side using the \`limit\` body field (default 1000, max 10000). You don't
+   need to add it manually for safety, but you can.
+2. **One query per request.** The execute endpoint runs a single statement; do
+   not send multi-statement scripts.
+3. **Mutations are real.** \`UPDATE\`, \`DELETE\`, \`DROP\`, etc. execute against the
+   live connection — confirm the building/connection IDs before destructive ops.
+4. **Engine quirks:**
+   - Oracle: pass the **schema name** as \`{database}\`.
+   - SQLite: typically \`main\`. Pragma queries work as raw SQL.
+   - SQL Server: \`TOP n\` is auto-injected for SELECTs without it.
+5. **Never log credentials.** Connection objects from the API never include
+   passwords — \`hasPassword: true\` is the only signal.
+
+## Example Workflow
+
+${BT3}bash
+# 1) Find DB buildings and pick one
+curl -s http://localhost:5174/api/database/buildings \\
+  | jq '.buildings[] | {id, name, activeConnectionId}'
+
+# 2) Verify
+curl -s -X POST http://localhost:5174/api/database/buildings/building_xxx/connections/conn_yyy/test
+
+# 3) Pick a database, list its tables
+curl -s http://localhost:5174/api/database/buildings/building_xxx/connections/conn_yyy/databases | jq
+curl -s http://localhost:5174/api/database/buildings/building_xxx/connections/conn_yyy/databases/app_prod/tables \\
+  | jq '.tables | map(.name)'
+
+# 4) Inspect a table
+curl -s http://localhost:5174/api/database/buildings/building_xxx/connections/conn_yyy/databases/app_prod/tables/orders/schema \\
+  | jq '.columns | map({name, type, primaryKey, nullable})'
+
+# 5) Run an exploratory query
+curl -s -X POST http://localhost:5174/api/database/buildings/building_xxx/connections/conn_yyy/query \\
+  -H "Content-Type: application/json" \\
+  -d '{"database":"app_prod","query":"SELECT status, COUNT(*) c FROM orders GROUP BY status"}' \\
+  | jq '.rows'
+${BT3}
+`,
+};

package/dist/src/packages/server/data/builtin-skills/index.js

@@ -13,6 +13,7 @@ import { streamingExec } from './streaming-exec.js';
 import { bitbucketPR } from './bitbucket-pr.js';
 import { pm2Logs } from './pm2-logs.js';
 import { createBuilding } from './create-building.js';
+import { exploreDatabase } from './explore-database.js';
 import { releasePipeline } from './release-pipeline.js';
 import { taskLabel } from './task-label.js';
 import { agentTracking } from './agent-tracking.js';
@@ -34,6 +35,7 @@ export const BUILTIN_SKILLS = [
     bitbucketPR,
     pm2Logs,
     createBuilding,
+    exploreDatabase,
     releasePipeline,
     taskLabel,
     agentTracking,

package/dist/src/packages/server/data/event-queries.js

@@ -75,6 +75,7 @@ function slackRowToEvent(row) {
         workflowInstanceId: row.workflow_instance_id ?? undefined,
         rawEvent: fromJson(row.raw_event),
         receivedAt: row.received_at,
+        integrationInstanceId: row.integration_instance_id ?? 'default',
     };
 }
 export function logSlackMessage(msg) {
@@ -91,6 +92,7 @@ export function logSlackMessage(msg) {
         workflow_instance_id: msg.workflowInstanceId ?? null,
         raw_event: toJson(msg.rawEvent),
         received_at: msg.receivedAt,
+        integration_instance_id: msg.integrationInstanceId ?? 'default',
     });
 }
 function emailRowToEvent(row) {

package/dist/src/packages/server/data/index.js

@@ -323,6 +323,58 @@ export function getClaudeProjectDir(cwd) {
 // Buildings cache to avoid reading from disk on every call
 let buildingsCache = null;
 let buildingsCacheMtime = 0;
+// Sensitive fields on a DatabaseConnection that should be encrypted at rest.
+// Kept as a typed list so adding a new sensitive field surfaces a compile error
+// instead of silently leaking plaintext.
+const DB_CONNECTION_SECRET_KEYS = ['password'];
+const SSH_TUNNEL_SECRET_KEYS = ['password', 'privateKey', 'passphrase'];
+function encryptIfPresent(value) {
+    if (!value)
+        return value;
+    if (isEncrypted(value))
+        return value;
+    try {
+        return encryptValue(value);
+    }
+    catch {
+        return value;
+    }
+}
+function decryptIfEncrypted(value) {
+    if (!value)
+        return value;
+    if (!isEncrypted(value))
+        return value;
+    try {
+        return decryptValue(value);
+    }
+    catch (err) {
+        log.error(' Failed to decrypt building credential:', err);
+        return '';
+    }
+}
+function transformBuildingCredentials(buildings, mode) {
+    const transform = mode === 'encrypt' ? encryptIfPresent : decryptIfEncrypted;
+    return buildings.map(b => {
+        if (b.type !== 'database' || !b.database?.connections?.length)
+            return b;
+        const connections = b.database.connections.map(conn => {
+            const next = { ...conn };
+            for (const key of DB_CONNECTION_SECRET_KEYS) {
+                next[key] = transform(next[key]);
+            }
+            if (next.ssh) {
+                const ssh = { ...next.ssh };
+                for (const key of SSH_TUNNEL_SECRET_KEYS) {
+                    ssh[key] = transform(ssh[key]);
+                }
+                next.ssh = ssh;
+            }
+            return next;
+        });
+        return { ...b, database: { ...b.database, connections } };
+    });
+}
 /**
  * Load buildings from disk (cached, invalidated by file mtime)
  */
@@ -340,7 +392,7 @@ export function loadBuildings() {
     catch { /* proceed to read */ }
     const data = safeReadJsonSync(BUILDINGS_FILE, 'Buildings');
     if (data?.buildings) {
-        buildingsCache = data.buildings;
+        buildingsCache = transformBuildingCredentials(data.buildings, 'decrypt');
         try {
             buildingsCacheMtime = fs.statSync(BUILDINGS_FILE).mtimeMs;
         }
@@ -358,7 +410,9 @@ export function loadBuildings() {
 export function saveBuildings(buildings) {
     ensureDataDir();
     try {
-        atomicWriteJsonSync(BUILDINGS_FILE, { buildings, savedAt: Date.now(), version: '1.0.0' });
+        const persisted = transformBuildingCredentials(buildings, 'encrypt');
+        atomicWriteJsonSync(BUILDINGS_FILE, { buildings: persisted, savedAt: Date.now(), version: '1.0.0' });
+        // Cache the in-memory (decrypted) view so callers keep working with plaintext
         buildingsCache = buildings;
         buildingsCacheMtime = fs.statSync(BUILDINGS_FILE).mtimeMs;
     }

package/dist/src/packages/server/data/migrations/006_slack_messages_integration_instance.sql

@@ -0,0 +1,9 @@
+-- Multi-instance Slack support
+-- Adds an instance id column to slack_messages so two side-by-side Slack
+-- integrations (e.g. xoxb- bot + xoxp- personal token) keep their inbound
+-- messages distinguishable. Existing rows are tagged 'default' to match the
+-- pre-multi-instance singleton.
+
+ALTER TABLE slack_messages ADD COLUMN integration_instance_id TEXT NOT NULL DEFAULT 'default';
+
+CREATE INDEX IF NOT EXISTS idx_slack_messages_instance ON slack_messages(integration_instance_id);

package/dist/src/packages/server/index.js

@@ -7,7 +7,7 @@ import { createServer } from 'http';
 import { createServer as createHttpsServer } from 'https';
 import fs from 'node:fs';
 import { createApp } from './app.js';
-import { agentService, runtimeService, bossService, skillService, customClassService, secretsService, buildingService, eventRetentionService, triggerService, workflowService } from './services/index.js';
+import { agentService, runtimeService, bossService, skillService, customClassService, secretsService, buildingService, eventRetentionService, triggerService, workflowService, databaseService } from './services/index.js';
 import * as websocket from './websocket/handler.js';
 import { getDataDir } from './data/index.js';
 import { initEventDb, closeEventDb } from './data/event-db.js';
@@ -212,6 +212,7 @@ async function main() {
             buildingService.stopDockerStatusPolling();
             buildingService.stopTerminalStatusPolling();
             buildingService.cleanupAllTerminals();
+            await databaseService.closeAllConnections();
             await runtimeService.shutdown();
             agentService.shutdownSessionHistory();
             agentService.flushPersistAgents();

package/dist/src/packages/server/integrations/gmail/gmail-trigger-handler.js

@@ -47,6 +47,10 @@ export const gmailTriggerHandler = {
     extractVariables(trigger, event) {
         const msg = event.data;
         void trigger;
+        const labels = msg.labels ?? [];
+        // Gmail tags sent messages with the SENT label. Anything else is treated
+        // as inbound (covers INBOX, drafts, all-mail, etc.).
+        const direction = labels.includes('SENT') ? 'outbound' : 'inbound';
         return {
             'email.from': msg.from,
             'email.to': msg.to.join(', '),
@@ -57,10 +61,14 @@ export const gmailTriggerHandler = {
             'email.date': new Date(msg.date).toISOString(),
             'email.hasAttachments': String(msg.hasAttachments),
             'email.attachments': msg.attachmentNames?.join(', ') || '',
+            'email.direction': direction,
+            'email.labels': labels.join(', '),
         };
     },
     formatEventForLLM(event) {
         const msg = event.data;
-        return `Email from ${msg.from}\nSubject: ${msg.subject}\nDate: ${new Date(msg.date).toISOString()}\n\n${msg.body}`;
+        const labels = msg.labels ?? [];
+        const direction = labels.includes('SENT') ? 'outbound' : 'inbound';
+        return `Email (${direction}) from ${msg.from}\nTo: ${msg.to.join(', ')}\nSubject: ${msg.subject}\nDate: ${new Date(msg.date).toISOString()}\n\n${msg.body}`;
     },
 };

package/dist/src/packages/server/integrations/slack/index.js

@@ -1,24 +1,52 @@
 /**
  * Slack Integration Plugin
  * Exports slackPlugin implementing IntegrationPlugin.
- * Wires together slack-client, slack-routes, slack-trigger-handler, slack-skill, and slack-config.
+ *
+ * Multi-instance: this plugin owns N independent Slack connections (e.g. one
+ * for a team bot using xoxb-, one for the user's personal xoxp- token). Each
+ * instance has its own config file, secret keys, and watermark file, but they
+ * share the same dispatcher pipeline (so triggers / wait-for-reply / WS
+ * broadcasts work uniformly).
+ *
+ * The IntegrationPlugin contract is per-plugin, not per-instance — Slack
+ * exposes its instance management through a custom settings component
+ * (registered via `getCustomSettingsComponent()`) and dedicated /instances
+ * CRUD routes.
  */
 import * as slackClient from './slack-client.js';
-import slackRoutes from './slack-routes.js';
+import slackRoutes, { setIntegrationContextForRoutes } from './slack-routes.js';
 import { slackTriggerHandler } from './slack-trigger-handler.js';
 import { slackSkill } from './slack-skill.js';
-import { slackConfigSchema, getConfigValues, setConfigValues, loadConfig } from './slack-config.js';
+import { slackConfigSchema, getConfigValues, setConfigValues, loadConfig, } from './slack-config.js';
+import { getInstance, listInstances, DEFAULT_INSTANCE_ID, } from './slack-instance.js';
+import { listInstanceMetas } from './slack-instance-manifest.js';
 let integrationCtx = null;
 export const slackPlugin = {
     id: 'slack',
     name: 'Slack',
-    description: 'Bidirectional Slack messaging for agents',
+    description: 'Bidirectional Slack messaging for agents (multi-instance)',
     routePrefix: '/slack',
     async init(ctx) {
         integrationCtx = ctx;
-        await slackClient.init(ctx);
+        setIntegrationContextForRoutes(ctx);
+        // Bring up every instance from the manifest. The default instance is
+        // always present (the manifest auto-creates it); user-added instances
+        // come in alongside it.
+        const metas = listInstanceMetas();
+        for (const meta of metas) {
+            const inst = getInstance(meta.id);
+            inst.setContext(ctx);
+            try {
+                await inst.init();
+            }
+            catch (err) {
+                ctx.log.error(`Slack[${meta.id}] init failed: ${err}`);
+                // One bad instance shouldn't take the others down.
+            }
+        }
     },
     async shutdown() {
+        setIntegrationContextForRoutes(null);
         await slackClient.shutdown();
     },
     getRoutes() {
@@ -30,15 +58,25 @@ export const slackPlugin = {
     getTriggerHandler() {
         return slackTriggerHandler;
     },
+    /**
+     * Status reflects the default instance (back-compat for the generic UI).
+     * Per-instance status is exposed through GET /api/slack/instances and the
+     * custom settings component reads from there.
+     */
     getStatus() {
-        return slackClient.getStatus();
+        return getInstance(DEFAULT_INSTANCE_ID).getStatus();
     },
     getConfigSchema() {
         return slackConfigSchema;
     },
+    /**
+     * The generic UI calls getConfig once and gets the default-instance values.
+     * The custom multi-instance UI uses /api/slack/instances/:id for per-instance
+     * config.
+     */
     getConfig() {
         if (!integrationCtx) {
-            const config = loadConfig();
+            const config = loadConfig(DEFAULT_INSTANCE_ID);
             return {
                 enabled: config.enabled,
                 defaultChannelId: config.defaultChannelId || '',
@@ -46,28 +84,36 @@ export const slackPlugin = {
                 SLACK_APP_TOKEN: '',
             };
         }
-        return getConfigValues(integrationCtx.secrets);
+        return getConfigValues(integrationCtx.secrets, DEFAULT_INSTANCE_ID);
     },
     async setConfig(config) {
         if (!integrationCtx)
             throw new Error('Slack not initialized');
-        await setConfigValues(config, integrationCtx.secrets);
-        // Auto-connect or disconnect based on new config state
-        const updated = loadConfig();
+        await setConfigValues(config, integrationCtx.secrets, DEFAULT_INSTANCE_ID);
+        // Reconnect the default instance based on its new config / secrets.
+        const updated = loadConfig(DEFAULT_INSTANCE_ID);
         const botToken = integrationCtx.secrets.get('SLACK_BOT_TOKEN');
-        const appToken = integrationCtx.secrets.get('SLACK_APP_TOKEN');
-        if (updated.enabled && botToken && appToken) {
-            // Tokens + enabled: (re)connect
+        const inst = getInstance(DEFAULT_INSTANCE_ID);
+        if (updated.enabled && botToken) {
             try {
-                await slackClient.reconnect();
+                await inst.reconnect();
             }
             catch {
-                // Error is already captured in config status by reconnect()
+                // Error captured via updateConfig's status:'error' path.
             }
         }
-        else if (!updated.enabled && slackClient.isConnected()) {
-            // Disabled: disconnect
-            await slackClient.disconnect();
+        else if (!updated.enabled && inst.isConnected()) {
+            await inst.disconnect();
         }
     },
+    /**
+     * Tells the frontend to render the custom multi-instance UI instead of the
+     * generic single-form schema renderer. The component name is mapped client-
+     * side in IntegrationsPanel.tsx.
+     */
+    getCustomSettingsComponent() {
+        return 'slack-multi-instance';
+    },
 };
+// Re-export for use by routes / trigger handler.
+export { listInstances };