npm - tide-commander - Versions diffs - 1.97.0 → 1.99.0 - Mend

tide-commander 1.97.0 → 1.99.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/dist/src/packages/server/data/migrations/007_whatsapp_messages.sql ADDED Viewed

@@ -0,0 +1,48 @@
+-- Migration 007: WhatsApp Messages
+-- Mirrors slack_messages: every inbound and outbound WhatsApp message captured
+-- by the upstream WS bridge is persisted here so chat history is queryable from
+-- SQLite. message_id + session_id together are unique so redelivered echoes
+-- (server restart, upstream replay) don't double-insert.
+CREATE TABLE whatsapp_messages (
+  id                   INTEGER PRIMARY KEY AUTOINCREMENT,
+  session_id           TEXT NOT NULL,
+  message_id           TEXT,
+  chat_id              TEXT NOT NULL,
+  is_group             INTEGER NOT NULL DEFAULT 0,
+  group_name           TEXT,
+  from_jid             TEXT NOT NULL,
+  from_name            TEXT,
+  direction            TEXT NOT NULL,
+  body                 TEXT NOT NULL,
+  message_type         TEXT NOT NULL,
+  media_mimetype       TEXT,
+  media_size           INTEGER,
+  media_filename       TEXT,
+  media_path           TEXT,
+  audio_transcription  TEXT,
+  agent_id             TEXT,
+  workflow_instance_id TEXT,
+  raw_event            TEXT,
+  timestamp            INTEGER NOT NULL,
+  received_at          INTEGER NOT NULL
+);
+CREATE UNIQUE INDEX idx_whatsapp_messages_unique
+  ON whatsapp_messages(session_id, message_id)
+  WHERE message_id IS NOT NULL;
+CREATE INDEX idx_whatsapp_messages_chat
+  ON whatsapp_messages(session_id, chat_id, timestamp DESC);
+CREATE INDEX idx_whatsapp_messages_timestamp
+  ON whatsapp_messages(timestamp);
+CREATE INDEX idx_whatsapp_messages_direction
+  ON whatsapp_messages(direction);
+CREATE INDEX idx_whatsapp_messages_workflow
+  ON whatsapp_messages(workflow_instance_id);
+CREATE INDEX idx_whatsapp_messages_agent
+  ON whatsapp_messages(agent_id);

package/dist/src/packages/server/index.js CHANGED Viewed

@@ -74,6 +74,7 @@ async function main() {
         eventDb: {
             logTriggerFire: eventQueries.logTriggerFire,
             logSlackMessage: eventQueries.logSlackMessage,
+            logWhatsAppMessage: eventQueries.logWhatsAppMessage,
             logEmailMessage: eventQueries.logEmailMessage,
             logApprovalEvent: eventQueries.logApprovalEvent,
             logDocumentGeneration: eventQueries.logDocumentGeneration,

package/dist/src/packages/server/integrations/gmail/gmail-client.js CHANGED Viewed

@@ -383,6 +383,140 @@ function parseGmailMessage(msg) {
         attachmentsMeta: attachmentsMeta.length > 0 ? attachmentsMeta : undefined,
     };
 }
+export class GmailAttachmentNotAuthenticatedError extends Error {
+    constructor() { super('Gmail not authenticated'); this.name = 'GmailAttachmentNotAuthenticatedError'; }
+}
+export class GmailAttachmentNotFoundError extends Error {
+    constructor() { super('attachment not found'); this.name = 'GmailAttachmentNotFoundError'; }
+}
+export class GmailAttachmentTooLargeError extends Error {
+    bytes;
+    cap;
+    constructor(bytes, cap) {
+        super(`attachment too large (${bytes} > ${cap})`);
+        this.bytes = bytes;
+        this.cap = cap;
+        this.name = 'GmailAttachmentTooLargeError';
+    }
+}
+export async function dumpGmailMessageParts(messageId) {
+    if (!gmail)
+        throw new GmailAttachmentNotAuthenticatedError();
+    let res;
+    try {
+        res = await gmail.users.messages.get({
+            userId: 'me',
+            id: messageId,
+            format: 'full',
+        });
+    }
+    catch (err) {
+        const e = err;
+        if (e.code === 404 || e.status === 404)
+            return null;
+        throw err;
+    }
+    const out = [];
+    function walk(part, depth) {
+        if (!part)
+            return;
+        out.push({
+            partId: part.partId ?? '',
+            mimeType: part.mimeType ?? '',
+            filename: part.filename ?? '',
+            attachmentId: part.body?.attachmentId ?? null,
+            size: part.body?.size ?? 0,
+            depth,
+        });
+        if (part.parts)
+            for (const p of part.parts)
+                walk(p, depth + 1);
+    }
+    walk(res.data.payload ?? undefined, 0);
+    return { found: true, parts: out };
+}
+export async function resolveGmailAttachmentPart(messageId, identifier, filenameHint) {
+    if (!gmail)
+        throw new GmailAttachmentNotAuthenticatedError();
+    let res;
+    try {
+        res = await gmail.users.messages.get({
+            userId: 'me',
+            id: messageId,
+            format: 'full',
+        });
+    }
+    catch (err) {
+        const e = err;
+        if (e.code === 404 || e.status === 404)
+            return null;
+        throw err;
+    }
+    const candidates = [];
+    function walk(part) {
+        if (!part)
+            return;
+        const attId = part.body?.attachmentId;
+        if (attId) {
+            candidates.push({
+                realAttachmentId: attId,
+                filename: part.filename || '',
+                mimeType: part.mimeType || 'application/octet-stream',
+                size: part.body?.size ?? 0,
+                partId: part.partId ?? '',
+            });
+        }
+        if (part.parts)
+            for (const p of part.parts)
+                walk(p);
+    }
+    walk(res.data.payload ?? undefined);
+    const id = identifier.trim();
+    const norm = (s) => s.normalize('NFC').toLowerCase().trim();
+    const hint = filenameHint ? norm(filenameHint) : undefined;
+    for (const c of candidates)
+        if (c.realAttachmentId === id)
+            return c;
+    for (const c of candidates)
+        if (c.partId === id)
+            return c;
+    if (hint) {
+        for (const c of candidates)
+            if (norm(c.filename) === hint)
+                return c;
+    }
+    for (const c of candidates)
+        if (norm(c.filename) === norm(id))
+            return c;
+    return null;
+}
+export async function fetchGmailAttachmentBuffer(messageId, attachmentId) {
+    if (!gmail)
+        throw new GmailAttachmentNotAuthenticatedError();
+    const { MAX_ATTACHMENT_BYTES } = await import('../../services/attachment-downloader.js');
+    let res;
+    try {
+        res = await gmail.users.messages.attachments.get({
+            userId: 'me',
+            messageId,
+            id: attachmentId,
+        });
+    }
+    catch (err) {
+        const e = err;
+        if (e.code === 404 || e.status === 404)
+            throw new GmailAttachmentNotFoundError();
+        throw err;
+    }
+    const b64 = res.data?.data;
+    if (!b64)
+        throw new GmailAttachmentNotFoundError();
+    const buf = Buffer.from(b64, 'base64url');
+    if (buf.byteLength > MAX_ATTACHMENT_BYTES) {
+        throw new GmailAttachmentTooLargeError(buf.byteLength, MAX_ATTACHMENT_BYTES);
+    }
+    return { buffer: buf, size: buf.byteLength };
+}
 /**
  * Download a single Gmail attachment by id and persist it to disk under
  * `<TEMP_DIR>/triggers/gmail/<messageId>/<sanitized-filename>`. Mirrors what
@@ -396,7 +530,6 @@ export async function downloadGmailAttachment(messageId, meta) {
         ctx?.log.warn('Gmail not authenticated — skipping attachment download');
         return null;
     }
-    // Lazy-import the shared cap + temp root so we keep one source of truth.
     const { MAX_ATTACHMENT_BYTES, TRIGGER_ATTACHMENT_ROOT } = await import('../../services/attachment-downloader.js');
     if (meta.size > MAX_ATTACHMENT_BYTES) {
         ctx?.log.warn(`Gmail attachment ${meta.filename} (${meta.size}B) exceeds cap; skipping`);
@@ -404,15 +537,10 @@ export async function downloadGmailAttachment(messageId, meta) {
     }
     const path = await import('path');
     const fs = await import('fs/promises');
-    // Sanitize segments the same way attachment-downloader does — strip
-    // path separators / `..` / control chars so a hostile filename can't
-    // escape the trigger dir.
     const safe = (s) => s.replace(/[\\/\x00-\x1f\x7f]/g, '_').replace(/\.{2,}/g, '_').slice(0, 200) || 'file';
     const targetDir = path.join(TRIGGER_ATTACHMENT_ROOT, 'gmail', safe(messageId));
     const finalName = safe(meta.filename) || 'file';
     const targetPath = path.join(targetDir, finalName);
-    // Idempotency: if a file with the expected size already lives at the
-    // target path, skip the network round-trip.
     try {
         const st = await fs.stat(targetPath);
         if (st.isFile() && (meta.size === 0 || st.size === meta.size)) {
@@ -421,36 +549,23 @@ export async function downloadGmailAttachment(messageId, meta) {
     }
     catch { /* not cached */ }
     await fs.mkdir(targetDir, { recursive: true });
-    let res;
+    let buffer;
     try {
-        res = await gmail.users.messages.attachments.get({
-            userId: 'me',
-            messageId,
-            id: meta.attachmentId,
-        });
+        const fetched = await fetchGmailAttachmentBuffer(messageId, meta.attachmentId);
+        buffer = fetched.buffer;
     }
     catch (err) {
         ctx?.log.warn(`Gmail attachments.get failed for ${meta.filename}: ${err}`);
         return null;
     }
-    const b64 = res.data?.data;
-    if (!b64) {
-        ctx?.log.warn(`Gmail attachment ${meta.filename} returned empty data`);
-        return null;
-    }
-    const buf = Buffer.from(b64, 'base64url');
-    if (buf.byteLength > MAX_ATTACHMENT_BYTES) {
-        ctx?.log.warn(`Gmail attachment ${meta.filename} decoded to ${buf.byteLength}B (exceeds cap)`);
-        return null;
-    }
     try {
-        await fs.writeFile(targetPath, buf);
+        await fs.writeFile(targetPath, buffer);
     }
     catch (err) {
         ctx?.log.warn(`Gmail attachment write failed for ${targetPath}: ${err}`);
         return null;
     }
-    return { path: targetPath, bytesOnDisk: buf.byteLength, filename: finalName, mimeType: meta.mimeType };
+    return { path: targetPath, bytesOnDisk: buffer.byteLength, filename: finalName, mimeType: meta.mimeType };
 }
 export async function getThread(threadId) {
     if (!gmail)

package/dist/src/packages/server/integrations/gmail/gmail-routes.js CHANGED Viewed

@@ -4,10 +4,42 @@
  * Mounted at /api/email/ by the integration registry.
  */
 import { Router } from 'express';
+import * as path from 'path';
+import * as fsp from 'fs/promises';
 import * as gmailClient from './gmail-client.js';
+import { GmailAttachmentNotAuthenticatedError, GmailAttachmentNotFoundError, GmailAttachmentTooLargeError, } from './gmail-client.js';
 import { createLogger } from '../../utils/logger.js';
 const log = createLogger('GmailRoutes');
 const router = Router();
+const SAVE_PATH_WHITELIST = ['/home/riven/obsidian', '/home/riven/d', '/tmp'];
+function sanitizeFilename(name) {
+    if (typeof name !== 'string')
+        return null;
+    const trimmed = name.trim();
+    if (!trimmed)
+        return null;
+    if (/[/\\]/.test(trimmed))
+        return null;
+    if (/[\x00-\x1f]/.test(trimmed))
+        return null;
+    const cleaned = trimmed.slice(0, 200);
+    return cleaned.length > 0 ? cleaned : null;
+}
+function isWithinWhitelist(absPath) {
+    const resolved = path.resolve(absPath);
+    return SAVE_PATH_WHITELIST.some((root) => {
+        const rootResolved = path.resolve(root);
+        return resolved === rootResolved || resolved.startsWith(rootResolved + path.sep);
+    });
+}
+function buildContentDisposition(filename) {
+    const asciiFallback = filename
+        .replace(/[^\x20-\x7e]/g, '_')
+        .replace(/"/g, "'")
+        .slice(0, 200) || 'attachment';
+    const encoded = encodeURIComponent(filename);
+    return `attachment; filename="${asciiFallback}"; filename*=UTF-8''${encoded}`;
+}
 // POST /api/email/send — Send an email
 router.post('/send', async (req, res) => {
     try {
@@ -208,4 +240,134 @@ router.post('/polling/stop', (req, res) => {
         res.status(500).json({ error: `Failed to stop polling: ${err instanceof Error ? err.message : err}` });
     }
 });
+router.get('/messages/:messageId/parts', async (req, res) => {
+    const messageId = (req.params.messageId ?? '').trim();
+    if (!messageId) {
+        res.status(400).json({ error: 'invalid messageId' });
+        return;
+    }
+    try {
+        const dump = await gmailClient.dumpGmailMessageParts(messageId);
+        if (!dump) {
+            res.status(404).json({ error: 'message not found' });
+            return;
+        }
+        res.json(dump);
+    }
+    catch (err) {
+        if (err instanceof GmailAttachmentNotAuthenticatedError) {
+            res.status(503).json({ error: 'Gmail not authenticated' });
+            return;
+        }
+        log.error(`Gmail message parts dump error: ${err}`);
+        res.status(500).json({ error: 'failed to dump message' });
+    }
+});
+router.post('/messages/:messageId/attachments/:attachmentId/download', async (req, res) => {
+    const messageId = (req.params.messageId ?? '').trim();
+    const attachmentId = (req.params.attachmentId ?? '').trim();
+    if (!messageId) {
+        res.status(400).json({ error: 'invalid messageId' });
+        return;
+    }
+    if (!attachmentId) {
+        res.status(400).json({ error: 'invalid attachmentId' });
+        return;
+    }
+    const savePathRaw = typeof req.query.savePath === 'string' ? req.query.savePath : undefined;
+    const filenameOverrideRaw = typeof req.query.filename === 'string' ? req.query.filename : undefined;
+    let filenameOverride = null;
+    if (filenameOverrideRaw !== undefined) {
+        filenameOverride = sanitizeFilename(filenameOverrideRaw);
+        if (!filenameOverride) {
+            res.status(400).json({ error: 'invalid filename' });
+            return;
+        }
+    }
+    let resolvedSavePath = null;
+    if (savePathRaw) {
+        if (!path.isAbsolute(savePathRaw)) {
+            res.status(400).json({ error: 'savePath outside whitelist' });
+            return;
+        }
+        resolvedSavePath = path.resolve(savePathRaw);
+        if (!isWithinWhitelist(resolvedSavePath)) {
+            res.status(400).json({ error: 'savePath outside whitelist' });
+            return;
+        }
+    }
+    try {
+        const part = await gmailClient.resolveGmailAttachmentPart(messageId, attachmentId, filenameOverrideRaw);
+        if (!part) {
+            res.status(404).json({ error: 'attachment not found' });
+            return;
+        }
+        const resolvedMime = part.mimeType || 'application/octet-stream';
+        const metaFilename = sanitizeFilename(part.filename) ?? 'attachment';
+        const resolvedFilename = filenameOverride ?? metaFilename;
+        const { buffer, size } = await gmailClient.fetchGmailAttachmentBuffer(messageId, part.realAttachmentId);
+        if (!resolvedSavePath) {
+            res.setHeader('Content-Type', resolvedMime);
+            res.setHeader('Content-Disposition', buildContentDisposition(resolvedFilename));
+            res.setHeader('Content-Length', String(size));
+            res.status(200).send(buffer);
+            return;
+        }
+        let targetPath;
+        let targetDir;
+        let isDir = false;
+        try {
+            const st = await fsp.stat(resolvedSavePath);
+            isDir = st.isDirectory();
+        }
+        catch {
+            const raw = savePathRaw ?? '';
+            isDir = raw.endsWith('/') || raw.endsWith(path.sep);
+        }
+        if (isDir) {
+            targetDir = resolvedSavePath;
+            targetPath = path.join(resolvedSavePath, resolvedFilename);
+        }
+        else {
+            const baseFromPath = path.basename(resolvedSavePath);
+            const safeBase = filenameOverride ?? sanitizeFilename(baseFromPath);
+            if (!safeBase) {
+                res.status(400).json({ error: 'invalid filename' });
+                return;
+            }
+            targetDir = path.dirname(resolvedSavePath);
+            targetPath = path.join(targetDir, safeBase);
+        }
+        if (!isWithinWhitelist(targetPath) || !isWithinWhitelist(targetDir)) {
+            res.status(400).json({ error: 'savePath outside whitelist' });
+            return;
+        }
+        try {
+            await fsp.mkdir(targetDir, { recursive: true });
+            await fsp.writeFile(targetPath, buffer);
+        }
+        catch (err) {
+            log.error(`Gmail attachment write failed for ${targetPath}: ${err}`);
+            res.status(500).json({ error: 'failed to write attachment' });
+            return;
+        }
+        res.json({ ok: true, path: targetPath, size });
+    }
+    catch (err) {
+        if (err instanceof GmailAttachmentNotAuthenticatedError) {
+            res.status(503).json({ error: 'Gmail not authenticated' });
+            return;
+        }
+        if (err instanceof GmailAttachmentNotFoundError) {
+            res.status(404).json({ error: 'attachment not found' });
+            return;
+        }
+        if (err instanceof GmailAttachmentTooLargeError) {
+            res.status(413).json({ error: 'attachment too large' });
+            return;
+        }
+        log.error(`Gmail attachment download error: ${err}`);
+        res.status(500).json({ error: 'failed to download attachment' });
+    }
+});
 export default router;

package/dist/src/packages/server/integrations/whatsapp/whatsapp-routes.js CHANGED Viewed

@@ -10,6 +10,7 @@ import { createLogger } from '../../utils/logger.js';
 import { WhatsAppClient } from './whatsapp-client.js';
 import { loadConfig, updateConfig, WHATSAPP_API_KEY_SECRET, } from './whatsapp-config.js';
 import { syncBridge } from './index.js';
+import { getWhatsAppChatsList, getWhatsAppMessagesByChatPaged, } from '../../data/event-queries.js';
 import { getConfig as getNotificationConfig, updateConfig as updateNotificationConfig, clearConfig as clearNotificationConfig, getDefaultConfig as getDefaultNotificationConfig, WHATSAPP_NOTIFICATION_EVENT_TYPES, } from '../../services/whatsapp-notification-config-service.js';
 const log = createLogger('WhatsAppRoutes');
 /** Build the router. Closes over the integration context for secret access. */
@@ -379,6 +380,86 @@ export function createWhatsAppRoutes(ctx) {
             res.status(500).json({ error: err instanceof Error ? err.message : String(err) });
         }
     });
+    // ─── GET /chats/:sessionId — chat summaries ───
+    router.get('/chats/:sessionId', (req, res) => {
+        const sessionId = req.params.sessionId.trim();
+        if (!sessionId) {
+            res.status(400).json({ error: 'sessionId is required' });
+            return;
+        }
+        try {
+            const chats = getWhatsAppChatsList(sessionId);
+            const body = { chats };
+            res.json(body);
+        }
+        catch (err) {
+            log.error(`WhatsApp chats list error: ${err}`);
+            res.status(500).json({ error: err instanceof Error ? err.message : String(err) });
+        }
+    });
+    // ─── GET /chats/:sessionId/:chatId/messages — paged history ───
+    router.get('/chats/:sessionId/:chatId/messages', (req, res) => {
+        const sessionId = req.params.sessionId.trim();
+        const chatId = req.params.chatId.trim();
+        if (!sessionId || !chatId) {
+            res.status(400).json({ error: 'sessionId and chatId are required' });
+            return;
+        }
+        const cursorRaw = req.query.cursor;
+        let cursor;
+        if (typeof cursorRaw === 'string' && cursorRaw.length > 0) {
+            const parsed = Number(cursorRaw);
+            if (!Number.isFinite(parsed)) {
+                res.status(400).json({ error: 'invalid cursor' });
+                return;
+            }
+            cursor = parsed;
+        }
+        const limitRaw = req.query.limit;
+        let limit;
+        if (typeof limitRaw === 'string' && limitRaw.length > 0) {
+            const parsed = Number(limitRaw);
+            if (!Number.isFinite(parsed) || parsed <= 0) {
+                res.status(400).json({ error: 'invalid limit' });
+                return;
+            }
+            limit = parsed;
+        }
+        const directionRaw = req.query.direction;
+        let direction;
+        if (typeof directionRaw === 'string' && directionRaw.length > 0) {
+            if (directionRaw !== 'inbound' && directionRaw !== 'outbound') {
+                res.status(400).json({ error: 'invalid direction' });
+                return;
+            }
+            direction = directionRaw;
+        }
+        const typeRaw = req.query.type;
+        const allowedTypes = [
+            'text', 'image', 'audio', 'video', 'document',
+            'sticker', 'location', 'contact', 'reaction', 'unknown',
+        ];
+        let type;
+        if (typeof typeRaw === 'string' && typeRaw.length > 0) {
+            if (!allowedTypes.includes(typeRaw)) {
+                res.status(400).json({ error: 'invalid type' });
+                return;
+            }
+            type = typeRaw;
+        }
+        try {
+            const page = getWhatsAppMessagesByChatPaged(sessionId, chatId, { cursor, limit, direction, type });
+            const body = {
+                messages: page.messages,
+                nextCursor: page.nextCursor === null ? null : String(page.nextCursor),
+            };
+            res.json(body);
+        }
+        catch (err) {
+            log.error(`WhatsApp messages page error: ${err}`);
+            res.status(500).json({ error: err instanceof Error ? err.message : String(err) });
+        }
+    });
     return router;
 }
 export default createWhatsAppRoutes;

package/dist/src/packages/server/integrations/whatsapp/whatsapp-trigger-handler.js CHANGED Viewed

@@ -121,6 +121,33 @@ export function createWhatsAppTriggerHandler(ctx) {
     function isRunning() {
         return client !== null;
     }
+    function persist(payload) {
+        try {
+            ctx.eventDb.logWhatsAppMessage({
+                sessionId: payload.sessionId,
+                messageId: payload.messageId,
+                chatId: payload.chatId,
+                isGroup: payload.isGroup,
+                groupName: payload.groupName,
+                fromJid: payload.from,
+                fromName: payload.fromName,
+                direction: payload.direction,
+                body: payload.body,
+                messageType: payload.mediaType ?? 'text',
+                mediaMimetype: payload.mediaMimetype,
+                mediaSize: payload.mediaSize,
+                mediaFilename: payload.mediaFilename,
+                mediaPath: payload.mediaPath,
+                audioTranscription: payload.audioTranscription,
+                rawEvent: payload,
+                timestamp: payload.timestamp,
+                receivedAt: Date.now(),
+            });
+        }
+        catch (err) {
+            ctx.log.warn(`WhatsApp logWhatsAppMessage failed: ${err}`);
+        }
+    }
     function extractMessageId(data) {
         if (!data || typeof data !== 'object')
             return undefined;
@@ -191,6 +218,7 @@ export function createWhatsAppTriggerHandler(ctx) {
             const needsMediaDownload = !!payload.mediaType &&
                 !!payload.messageId;
             if (!needsContactEnrich && !needsGroupEnrich && !needsMediaDownload) {
+                persist(payload);
                 ctx.broadcast({ type: 'whatsapp_message', payload });
                 notifyTriggerSubscribers(payload);
                 return;
@@ -292,6 +320,7 @@ export function createWhatsAppTriggerHandler(ctx) {
                 })()
                 : Promise.resolve();
             void Promise.all([contactPromise, groupPromise, mediaPromise]).then(() => {
+                persist(payload);
                 ctx.broadcast({ type: 'whatsapp_message', payload });
                 notifyTriggerSubscribers(payload);
             });

package/dist/src/packages/server/routes/agent-prompt.js ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Agent Prompt Routes
+ *
+ * MCP perm-prompt bridge endpoints:
+ *  - POST /api/agent-prompt          MCP server enqueues a request; blocks until UI responds
+ *  - POST /api/agent-prompt/:id/respond  UI submits the user's answer
+ *  - GET  /api/agent-prompt/pending  list pending prompts (debug / reconnect)
+ */
+import { Router } from 'express';
+import * as agentPromptService from '../services/agent-prompt-service.js';
+import { createLogger } from '../utils/logger.js';
+const log = createLogger('AgentPromptRoutes');
+const router = Router();
+router.post('/agent-prompt', async (req, res) => {
+    try {
+        const { id, agentId, tool, input } = req.body || {};
+        if (!id || !agentId || !tool) {
+            res.status(400).json({ error: 'Missing required fields: id, agentId, tool' });
+            return;
+        }
+        if (tool !== 'AskUserQuestion' && tool !== 'ExitPlanMode') {
+            res.status(400).json({ error: `Unsupported tool: ${tool}` });
+            return;
+        }
+        const response = await agentPromptService.createPrompt({
+            id, agentId, tool,
+            input: input || {},
+        });
+        res.json(response);
+    }
+    catch (err) {
+        log.error('Prompt request error:', err);
+        res.status(500).json({ requestId: req.body?.id, approved: false, reason: `Server error: ${err?.message ?? err}` });
+    }
+});
+router.post('/agent-prompt/:id/respond', (req, res) => {
+    const { id } = req.params;
+    const { approved, answers, reason } = req.body || {};
+    if (typeof approved !== 'boolean') {
+        res.status(400).json({ error: 'approved (boolean) is required' });
+        return;
+    }
+    const ok = agentPromptService.respondToPrompt({ requestId: id, approved, answers, reason });
+    if (!ok) {
+        res.status(404).json({ error: 'No pending prompt with that id' });
+        return;
+    }
+    res.json({ ok: true });
+});
+router.get('/agent-prompt/pending', (req, res) => {
+    const agentId = typeof req.query.agentId === 'string' ? req.query.agentId : undefined;
+    const prompts = agentId
+        ? agentPromptService.getPendingPromptsForAgent(agentId)
+        : agentPromptService.getPendingPrompts();
+    res.json(prompts);
+});
+export default router;

package/dist/src/packages/server/routes/index.js CHANGED Viewed

@@ -6,6 +6,7 @@ import { Router, raw } from 'express';
 import agentsRouter, { setBroadcast as setAgentsBroadcast } from './agents.js';
 import filesRouter from './files.js';
 import permissionsRouter from './permissions.js';
+import agentPromptRouter from './agent-prompt.js';
 import notificationsRouter, { setBroadcast as setNotificationBroadcast } from './notifications.js';
 import execRouter, { setBroadcast as setExecBroadcast } from './exec.js';
 import focusAgentRouter, { setBroadcast as setFocusAgentBroadcast } from './focus-agent.js';
@@ -25,6 +26,8 @@ import workflowRouter from './workflow-routes.js';
 import sessionsRouter from './sessions.js';
 import databaseRouter from './database.js';
 import buildingsRouter, { setBroadcast as setBuildingsBroadcast } from './buildings.js';
+import skillsRouter, { setBroadcast as setSkillsBroadcast } from './skills.js';
+import systemRouter from './system.js';
 import { getPlugins } from '../integrations/integration-registry.js';
 const router = Router();
 // Health check
@@ -52,6 +55,8 @@ router.use('/workflows', workflowRouter);
 router.use('/sessions', sessionsRouter);
 router.use('/database', databaseRouter);
 router.use('/buildings', buildingsRouter);
+router.use('/skills', skillsRouter);
+router.use('/system', systemRouter);
 // Integration plugin routes (e.g. /api/slack/*, /api/documents/*, /api/jira/*)
 // Uses lazy lookup so plugins can be registered after route setup
 router.use((req, res, next) => {
@@ -69,6 +74,8 @@ router.use((req, res, next) => {
 router.use('/config', raw({ type: 'application/zip', limit: '100mb' }), configRouter);
 // Permission routes are mounted at root level since they're called as /api/permission-request
 router.use('/', permissionsRouter);
+// Agent prompt routes — root-level: /api/agent-prompt and /api/agent-prompt/:id/respond
+router.use('/', agentPromptRouter);
 // Export the broadcast setters for WebSocket handler to use
-export { setNotificationBroadcast, setExecBroadcast, setFocusAgentBroadcast, setAgentsBroadcast, setTriggerBroadcast, setBuildingsBroadcast };
+export { setNotificationBroadcast, setExecBroadcast, setFocusAgentBroadcast, setAgentsBroadcast, setTriggerBroadcast, setBuildingsBroadcast, setSkillsBroadcast };
 export default router;