npm - zoe-agent - Versions diffs - 0.3.1 - Mend

zoe-agent 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (267) hide show

package/CHANGELOG.md +154 -0
package/LICENSE +96 -0
package/README.md +568 -0
package/dist/adapters/cli/agent.d.ts +59 -0
package/dist/adapters/cli/agent.js +232 -0
package/dist/adapters/cli/bootstrap.d.ts +25 -0
package/dist/adapters/cli/bootstrap.js +204 -0
package/dist/adapters/cli/commands/build-registry.d.ts +14 -0
package/dist/adapters/cli/commands/build-registry.js +88 -0
package/dist/adapters/cli/commands/clear.d.ts +7 -0
package/dist/adapters/cli/commands/clear.js +10 -0
package/dist/adapters/cli/commands/compact.d.ts +13 -0
package/dist/adapters/cli/commands/compact.js +96 -0
package/dist/adapters/cli/commands/exit.d.ts +7 -0
package/dist/adapters/cli/commands/exit.js +9 -0
package/dist/adapters/cli/commands/gateway.d.ts +7 -0
package/dist/adapters/cli/commands/gateway.js +152 -0
package/dist/adapters/cli/commands/help.d.ts +9 -0
package/dist/adapters/cli/commands/help.js +12 -0
package/dist/adapters/cli/commands/models.d.ts +10 -0
package/dist/adapters/cli/commands/models.js +32 -0
package/dist/adapters/cli/commands/registry.d.ts +70 -0
package/dist/adapters/cli/commands/registry.js +111 -0
package/dist/adapters/cli/commands/settings-utils.d.ts +38 -0
package/dist/adapters/cli/commands/settings-utils.js +182 -0
package/dist/adapters/cli/commands/settings.d.ts +9 -0
package/dist/adapters/cli/commands/settings.js +395 -0
package/dist/adapters/cli/commands/skills.d.ts +7 -0
package/dist/adapters/cli/commands/skills.js +21 -0
package/dist/adapters/cli/config-loader.d.ts +27 -0
package/dist/adapters/cli/config-loader.js +48 -0
package/dist/adapters/cli/docker-utils.d.ts +37 -0
package/dist/adapters/cli/docker-utils.js +90 -0
package/dist/adapters/cli/index.d.ts +2 -0
package/dist/adapters/cli/index.js +88 -0
package/dist/adapters/cli/repl.d.ts +22 -0
package/dist/adapters/cli/repl.js +256 -0
package/dist/adapters/cli/setup.d.ts +19 -0
package/dist/adapters/cli/setup.js +613 -0
package/dist/adapters/cli/system-prompts.d.ts +56 -0
package/dist/adapters/cli/system-prompts.js +131 -0
package/dist/adapters/cli/tui/app.d.ts +58 -0
package/dist/adapters/cli/tui/app.js +314 -0
package/dist/adapters/cli/tui/components/assistant-message.d.ts +5 -0
package/dist/adapters/cli/tui/components/assistant-message.js +9 -0
package/dist/adapters/cli/tui/components/autocomplete.d.ts +19 -0
package/dist/adapters/cli/tui/components/autocomplete.js +75 -0
package/dist/adapters/cli/tui/components/command-palette.d.ts +15 -0
package/dist/adapters/cli/tui/components/command-palette.js +50 -0
package/dist/adapters/cli/tui/components/diff-viewer.d.ts +5 -0
package/dist/adapters/cli/tui/components/diff-viewer.js +109 -0
package/dist/adapters/cli/tui/components/error-message.d.ts +5 -0
package/dist/adapters/cli/tui/components/error-message.js +8 -0
package/dist/adapters/cli/tui/components/footer.d.ts +20 -0
package/dist/adapters/cli/tui/components/footer.js +19 -0
package/dist/adapters/cli/tui/components/goal-status.d.ts +12 -0
package/dist/adapters/cli/tui/components/goal-status.js +22 -0
package/dist/adapters/cli/tui/components/info-message.d.ts +5 -0
package/dist/adapters/cli/tui/components/info-message.js +8 -0
package/dist/adapters/cli/tui/components/logo-banner.d.ts +7 -0
package/dist/adapters/cli/tui/components/logo-banner.js +33 -0
package/dist/adapters/cli/tui/components/markdown.d.ts +9 -0
package/dist/adapters/cli/tui/components/markdown.js +92 -0
package/dist/adapters/cli/tui/components/message-area.d.ts +19 -0
package/dist/adapters/cli/tui/components/message-area.js +55 -0
package/dist/adapters/cli/tui/components/permission-prompt.d.ts +13 -0
package/dist/adapters/cli/tui/components/permission-prompt.js +32 -0
package/dist/adapters/cli/tui/components/prompt-area.d.ts +22 -0
package/dist/adapters/cli/tui/components/prompt-area.js +68 -0
package/dist/adapters/cli/tui/components/text-input.d.ts +27 -0
package/dist/adapters/cli/tui/components/text-input.js +142 -0
package/dist/adapters/cli/tui/components/tool-call-block.d.ts +11 -0
package/dist/adapters/cli/tui/components/tool-call-block.js +68 -0
package/dist/adapters/cli/tui/components/user-message.d.ts +5 -0
package/dist/adapters/cli/tui/components/user-message.js +8 -0
package/dist/adapters/cli/tui/diff/file-write-meta.d.ts +11 -0
package/dist/adapters/cli/tui/diff/file-write-meta.js +11 -0
package/dist/adapters/cli/tui/diff/line-diff.d.ts +17 -0
package/dist/adapters/cli/tui/diff/line-diff.js +44 -0
package/dist/adapters/cli/tui/feed-serializer.d.ts +29 -0
package/dist/adapters/cli/tui/feed-serializer.js +70 -0
package/dist/adapters/cli/tui/file-index.d.ts +8 -0
package/dist/adapters/cli/tui/file-index.js +41 -0
package/dist/adapters/cli/tui/hooks/use-agent.d.ts +54 -0
package/dist/adapters/cli/tui/hooks/use-agent.js +177 -0
package/dist/adapters/cli/tui/hooks/use-feed.d.ts +16 -0
package/dist/adapters/cli/tui/hooks/use-feed.js +25 -0
package/dist/adapters/cli/tui/hooks/use-file-watcher.d.ts +10 -0
package/dist/adapters/cli/tui/hooks/use-file-watcher.js +43 -0
package/dist/adapters/cli/tui/hooks/use-keybindings.d.ts +16 -0
package/dist/adapters/cli/tui/hooks/use-keybindings.js +25 -0
package/dist/adapters/cli/tui/hooks/use-theme.d.ts +8 -0
package/dist/adapters/cli/tui/hooks/use-theme.js +12 -0
package/dist/adapters/cli/tui/index.d.ts +19 -0
package/dist/adapters/cli/tui/index.js +206 -0
package/dist/adapters/cli/tui/ink-reset.d.ts +29 -0
package/dist/adapters/cli/tui/ink-reset.js +57 -0
package/dist/adapters/cli/tui/layout.d.ts +15 -0
package/dist/adapters/cli/tui/layout.js +15 -0
package/dist/adapters/cli/tui/logo/gradient.d.ts +11 -0
package/dist/adapters/cli/tui/logo/gradient.js +31 -0
package/dist/adapters/cli/tui/overlays/help-dialog.d.ts +4 -0
package/dist/adapters/cli/tui/overlays/help-dialog.js +26 -0
package/dist/adapters/cli/tui/overlays/model-selector.d.ts +14 -0
package/dist/adapters/cli/tui/overlays/model-selector.js +43 -0
package/dist/adapters/cli/tui/overlays/session-selector.d.ts +35 -0
package/dist/adapters/cli/tui/overlays/session-selector.js +162 -0
package/dist/adapters/cli/tui/overlays/settings-overlay.d.ts +24 -0
package/dist/adapters/cli/tui/overlays/settings-overlay.js +126 -0
package/dist/adapters/cli/tui/session-export.d.ts +21 -0
package/dist/adapters/cli/tui/session-export.js +63 -0
package/dist/adapters/cli/tui/theme.d.ts +23 -0
package/dist/adapters/cli/tui/theme.js +22 -0
package/dist/adapters/cli/tui/types.d.ts +52 -0
package/dist/adapters/cli/tui/types.js +12 -0
package/dist/adapters/sdk/agent.d.ts +20 -0
package/dist/adapters/sdk/agent.js +356 -0
package/dist/adapters/sdk/http.d.ts +43 -0
package/dist/adapters/sdk/http.js +61 -0
package/dist/adapters/sdk/index.d.ts +58 -0
package/dist/adapters/sdk/index.js +209 -0
package/dist/adapters/sdk/settings.d.ts +18 -0
package/dist/adapters/sdk/settings.js +57 -0
package/dist/adapters/sdk/tools.d.ts +7 -0
package/dist/adapters/sdk/tools.js +13 -0
package/dist/adapters/server/auth.d.ts +53 -0
package/dist/adapters/server/auth.js +168 -0
package/dist/adapters/server/index.d.ts +40 -0
package/dist/adapters/server/index.js +255 -0
package/dist/adapters/server/rest-gateway.d.ts +13 -0
package/dist/adapters/server/rest-gateway.js +218 -0
package/dist/adapters/server/rest.d.ts +37 -0
package/dist/adapters/server/rest.js +341 -0
package/dist/adapters/server/server-core.d.ts +55 -0
package/dist/adapters/server/server-core.js +121 -0
package/dist/adapters/server/session-store.d.ts +81 -0
package/dist/adapters/server/session-store.js +272 -0
package/dist/adapters/server/settings-handlers.d.ts +24 -0
package/dist/adapters/server/settings-handlers.js +360 -0
package/dist/adapters/server/standalone.d.ts +19 -0
package/dist/adapters/server/standalone.js +113 -0
package/dist/adapters/server/websocket.d.ts +26 -0
package/dist/adapters/server/websocket.js +68 -0
package/dist/adapters/server/ws-handlers.d.ts +32 -0
package/dist/adapters/server/ws-handlers.js +523 -0
package/dist/adapters/server/ws-types.d.ts +304 -0
package/dist/adapters/server/ws-types.js +7 -0
package/dist/core/agent-loop.d.ts +68 -0
package/dist/core/agent-loop.js +423 -0
package/dist/core/config.d.ts +115 -0
package/dist/core/config.js +189 -0
package/dist/core/errors.d.ts +58 -0
package/dist/core/errors.js +88 -0
package/dist/core/hooks.d.ts +35 -0
package/dist/core/hooks.js +49 -0
package/dist/core/index.d.ts +23 -0
package/dist/core/index.js +29 -0
package/dist/core/message-convert.d.ts +41 -0
package/dist/core/message-convert.js +94 -0
package/dist/core/middleware/auth.d.ts +24 -0
package/dist/core/middleware/auth.js +28 -0
package/dist/core/middleware/logging.d.ts +23 -0
package/dist/core/middleware/logging.js +28 -0
package/dist/core/middleware/rate-limit.d.ts +27 -0
package/dist/core/middleware/rate-limit.js +38 -0
package/dist/core/middleware/semantic-tools.d.ts +10 -0
package/dist/core/middleware/semantic-tools.js +43 -0
package/dist/core/middleware.d.ts +48 -0
package/dist/core/middleware.js +38 -0
package/dist/core/permission.d.ts +25 -0
package/dist/core/permission.js +50 -0
package/dist/core/provider-config.d.ts +129 -0
package/dist/core/provider-config.js +273 -0
package/dist/core/provider-env.d.ts +39 -0
package/dist/core/provider-env.js +142 -0
package/dist/core/provider-resolver.d.ts +12 -0
package/dist/core/provider-resolver.js +12 -0
package/dist/core/session-store.d.ts +75 -0
package/dist/core/session-store.js +245 -0
package/dist/core/settings-manager.d.ts +57 -0
package/dist/core/settings-manager.js +359 -0
package/dist/core/settings-schema.d.ts +38 -0
package/dist/core/settings-schema.js +171 -0
package/dist/core/skill-catalog.d.ts +6 -0
package/dist/core/skill-catalog.js +17 -0
package/dist/core/skill-invoker.d.ts +127 -0
package/dist/core/skill-invoker.js +182 -0
package/dist/core/stream-accumulator.d.ts +21 -0
package/dist/core/stream-accumulator.js +51 -0
package/dist/core/stream-manager.d.ts +58 -0
package/dist/core/stream-manager.js +212 -0
package/dist/core/tool-executor.d.ts +84 -0
package/dist/core/tool-executor.js +256 -0
package/dist/core/types.d.ts +259 -0
package/dist/core/types.js +11 -0
package/dist/gateway/gateway.d.ts +52 -0
package/dist/gateway/gateway.js +537 -0
package/dist/gateway/index.d.ts +21 -0
package/dist/gateway/index.js +31 -0
package/dist/gateway/openapi-importer.d.ts +15 -0
package/dist/gateway/openapi-importer.js +66 -0
package/dist/gateway/semantic-scorer.d.ts +7 -0
package/dist/gateway/semantic-scorer.js +24 -0
package/dist/gateway/settings-adapter.d.ts +49 -0
package/dist/gateway/settings-adapter.js +137 -0
package/dist/gateway/tool-factory.d.ts +9 -0
package/dist/gateway/tool-factory.js +414 -0
package/dist/gateway/types.d.ts +68 -0
package/dist/gateway/types.js +7 -0
package/dist/models-catalog.js +46 -0
package/dist/providers/anthropic.d.ts +22 -0
package/dist/providers/anthropic.js +148 -0
package/dist/providers/factory.d.ts +10 -0
package/dist/providers/factory.js +25 -0
package/dist/providers/openai.d.ts +15 -0
package/dist/providers/openai.js +71 -0
package/dist/providers/types.d.ts +48 -0
package/dist/providers/types.js +1 -0
package/dist/skills/args.d.ts +37 -0
package/dist/skills/args.js +99 -0
package/dist/skills/index.d.ts +11 -0
package/dist/skills/index.js +23 -0
package/dist/skills/loader.d.ts +3 -0
package/dist/skills/loader.js +59 -0
package/dist/skills/parser.d.ts +7 -0
package/dist/skills/parser.js +152 -0
package/dist/skills/registry.d.ts +13 -0
package/dist/skills/registry.js +74 -0
package/dist/skills/resolver.d.ts +19 -0
package/dist/skills/resolver.js +116 -0
package/dist/skills/types.d.ts +74 -0
package/dist/skills/types.js +50 -0
package/dist/tools/browser.d.ts +2 -0
package/dist/tools/browser.js +68 -0
package/dist/tools/core.d.ts +20 -0
package/dist/tools/core.js +244 -0
package/dist/tools/email.d.ts +2 -0
package/dist/tools/email.js +61 -0
package/dist/tools/image.d.ts +2 -0
package/dist/tools/image.js +257 -0
package/dist/tools/index.d.ts +2 -0
package/dist/tools/index.js +88 -0
package/dist/tools/interface.d.ts +22 -0
package/dist/tools/interface.js +1 -0
package/dist/tools/notify.d.ts +2 -0
package/dist/tools/notify.js +100 -0
package/dist/tools/prompt-optimizer.d.ts +2 -0
package/dist/tools/prompt-optimizer.js +65 -0
package/dist/tools/screenshot.d.ts +2 -0
package/dist/tools/screenshot.js +184 -0
package/dist/tools/search.d.ts +2 -0
package/dist/tools/search.js +78 -0
package/dist/tools/todos.d.ts +10 -0
package/dist/tools/todos.js +50 -0
package/package.json +119 -0
package/skills/docker-ops/SKILL.md +329 -0
package/skills/k8s-deploy/SKILL.md +397 -0
package/skills/log-analyzer/SKILL.md +331 -0
package/skills/speckit-analyze/SKILL.md +260 -0
package/skills/speckit-checklist/SKILL.md +374 -0
package/skills/speckit-clarify/SKILL.md +286 -0
package/skills/speckit-constitution/SKILL.md +157 -0
package/skills/speckit-implement/SKILL.md +224 -0
package/skills/speckit-plan/SKILL.md +171 -0
package/skills/speckit-specify/SKILL.md +346 -0
package/skills/speckit-tasks/SKILL.md +215 -0
package/skills/speckit-taskstoissues/SKILL.md +107 -0

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,154 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [Unreleased]
+## [v0.3.0] - 2026-06-10
+Major release adding the **Gateway subsystem** — a universal API hub that makes Zoe act as an MCP client, secure REST proxy, and OpenAPI auto-adapter. This release also includes two security fixes found during code scrutiny, a new middleware pipeline, and 10 new agent-facing gateway tools.
+### Added
+- **Gateway Engine** (`src/gateway/gateway.ts`): `MCPGateway` class managing target lifecycle, MCP client connections (stdio/SSE/HTTP), REST proxying with credential injection, pattern-based + semantic routing, and lazy reconnect on failure.
+- **Semantic Tool Injection** (`src/core/middleware/semantic-tools.ts`): Middleware scores the user's last message against all discovered gateway tools using keyword relevance scoring and injects the top-K most relevant tools directly into the agent's tool context. Falls through to proxy pattern when no matches found.
+- **Agent-Loop Bridge** (`src/core/agent-loop.ts`): FinalHandler rebuilds options from `ctx` to capture middleware mutations; inline injected-tools lookup dispatches to injected handlers or falls through to static tool registry. ~21 lines total.
+- **10 Gateway Proxy Tools** (`src/gateway/tool-factory.ts`): `gateway_route`, `gateway_call_tool`, `gateway_call_rest`, `gateway_capabilities`, `gateway_read_resource`, `gateway_get_prompt`, `gateway_import_openapi`, `gateway_register_target`, `gateway_audit_log`, `gateway_usage_stats`.
+- **OpenAPI Spec Importer** (`src/gateway/openapi-importer.ts`): Fetches OpenAPI specs (JSON/YAML), parses paths/operations, and auto-registers as a REST target. Supports tag filtering and base URL override.
+- **Gateway Settings Adapter** (`src/gateway/settings-adapter.ts`): Dedicated file-based storage (`~/.zoe/gateway/`) for targets, credentials, routes, and admin-target registry. Atomic writes with temp-file+rename pattern. Credential files written with `mode: 0o600`.
+- **Gateway Settings Schema** (`src/core/settings-schema.ts`): 4 typed settings (`gateway.enabled`, `gateway.semanticTopK`, `gateway.defaultRateLimitPerMin`, `gateway.maxAuditLogs`) in a new "Gateway" category. Env vars: `ZOE_GATEWAY_ENABLED`, `ZOE_GATEWAY_RATE_LIMIT`.
+- **Semantic Scorer** (`src/gateway/semantic-scorer.ts`): Zero-dependency keyword-based relevance scoring with 80+ stop words for filtering noise.
+- **Gateway REST Routes** (`src/adapters/server/rest-gateway.ts`): 11 REST endpoints under `/v1/gateway/*` for target CRUD, credentials, routes, OpenAPI import, audit logs, and usage stats. Proper auth scoping (`agent:read` for reads, `admin` for mutations).
+- **Server-Core Extraction** (`src/adapters/server/server-core.ts`): Extracted `serverGenerateText`/`serverStreamText` from `server/index.ts`. Both accept optional `middleware` parameter for gateway semantic injection.
+- **CLI `/gateway` Command** (`src/adapters/cli/commands/gateway.ts`): Full management: list, add, remove, toggle, routes, credentials, audit, usage. Wired into REPL with `gw` alias.
+- **SDK Gateway Namespace** (`src/adapters/sdk/index.ts`): Lazy-loaded `gateway.createGateway()` for programmatic gateway creation.
+- **GatewayError** (`src/core/errors.ts`): New error class with configurable `retryable` flag and `target` metadata. Configuration errors are non-retryable; transient errors are retryable.
+- **Credential Trust Guard** (`src/gateway/gateway.ts`): Agent-registered targets cannot resolve `credential:` env vars or `auth.credentialRef` — only admin-registered targets can. Prevents crafted targets from exfiltrating stored credentials.
+- **Injectable Tools Cache** (`src/gateway/gateway.ts`): `getInjectableTools()` caches its result and invalidates on target mutations for performance.
+- 14 new unit tests across gateway, settings-adapter, semantic-scorer, tool-factory, and middleware modules.
+### Fixed
+- **B3 Security: Trust guard gap in credential resolution** (`src/gateway/gateway.ts`): `callRest()` and `connectMcpClient()` SSE/HTTP auth headers resolved `credentialRef` for ALL targets regardless of admin status. A non-admin target could register with `auth.credentialRef` pointing to a stored credential and exfiltrate it via REST calls. Now gated behind `adminTargets.has(targetName)` check.
+- **B3 Security: OpenAPI import bypassed trust guard** (`src/gateway/openapi-importer.ts`, `src/gateway/tool-factory.ts`): `importOpenApiSpec()` registered all imported targets with `isAdmin=true`, but the agent-facing `gateway_import_openapi` tool called it directly — letting the agent create admin-registered targets with full credential access. Added `isAdmin` parameter; agent tool now passes `isAdmin: false`.
+- **JSON parsing returned 500 instead of 400** (`src/adapters/server/rest-gateway.ts`): All `JSON.parse()` calls in gateway REST handlers were unwrapped — malformed request bodies threw exceptions caught by the outer handler as 500 INTERNAL_ERROR. Extracted `parseJsonBody<T>()` helper that returns 400 BAD_REQUEST on parse failure.
+- **TypeScript compilation errors in test files** (`src/core/__tests__/semantic-tools.test.ts`, `src/gateway/__tests__/gateway.test.ts`): Message objects missing required `id`/`timestamp` fields (TS2739); `getAdminTargets` mock returned `string[]` instead of `Set<string>` (TS2322); credential injection tests registered targets without `isAdmin=true`, now correctly aligned with trust guard.
+### Changed
+- **Tool count**: 12 → 22 built-in tools (10 gateway proxy tools added).
+- **Settings count**: 31 → 35 typed settings (4 gateway settings added).
+- **Settings categories**: 5 → 6 ("Gateway" category added).
+- **Dependencies**: Added `@modelcontextprotocol/sdk` (^1.29.0) and `js-yaml` (^4.2.0).
+- Agent loop `finalHandler` now rebuilds options from middleware context (`ctx`) before calling `executeLoop`, capturing injected tool definitions.
+- Server `createServer()` initializes gateway at startup when `gateway.enabled` is true, wiring semantic middleware into both REST and WebSocket paths.
+- CLI `runChat()` initializes gateway at startup, wires middleware into Agent, and passes gateway instance to command registry.
+- `MCPGateway.registerTarget()` validates `kind` field (must be `mcp` or `rest`).
+- `MCPGateway.toggleTarget()` now persists the toggled state via settings adapter.
+- `MCPGateway.unregisterTarget()` cleans up routes, MCP clients, admin tracking, and injectable tools cache.
+### Security
+- **Critical**: B3 credential trust guard extended to REST proxy auth headers — agent-registered targets can no longer resolve `credentialRef` to exfiltrate stored credentials.
+- **Critical**: OpenAPI import from agent tools now creates non-admin targets; only REST API (admin scope) and CLI create admin targets with full credential access.
+- **Medium**: All gateway REST endpoints return 400 (not 500) for malformed JSON request bodies.
+- **Low**: Credential files written with `mode: 0o600` on Unix systems.
+## [v0.2.2] - 2026-06-10
+This release fixes five bugs found during a holistic system audit — two that could silently lose data under real workloads, one that broke SSE streaming order, one that left provider state corrupted after skill execution, and one that made `agent.abort()` a no-op during streaming. Session files are now written atomically, and a brand discriminator on `PersistenceBackend` stops metadata from being stripped when custom backends are passed to `createAgent()`.
+### Fixed
+- **SSE events arrived out of order** (`stream-manager.ts`): `toSSEStream()` drained the text queue completely before touching the step queue, so consumers saw all text deltas first, then all tool events — even when tools actually ran between text chunks. Added a unified `eventQueue` that preserves the real interleaved order. Text and step streams still work independently for non-SSE consumers.
+- **`agent.abort()` did nothing during `chatStream()`** (`sdk/agent.ts`): `chatStream()` created its own local `AbortController`, but `agent.abort()` still called `.abort()` on a stale closure variable. Now tracks a single `activeAbortController` that both `chat()` and `chatStream()` assign before starting the loop.
+- **`PersistenceBackend` instances lost metadata on save** (`sdk/agent.ts`, `types.ts`, `session-store.ts`): `wrapAsPersistenceBackend()` couldn't tell `SessionStore` from `PersistenceBackend` — both have a `save` method, so it always wrapped, calling `.save(id, data.messages)` and throwing away `createdAt`, `provider`, `model`, and custom `metadata`. Added a `__persistenceBackend` brand field to the interface and both built-in backends; the wrapper now passes through branded instances untouched. **Breaking**: third-party `PersistenceBackend` implementations must add `readonly __persistenceBackend = true as const`.
+- **Skill provider switching leaked state after loop exit** (`agent-loop.ts`): `providerFactory.restore()` was only called inside the tool-calls block. On text-only completion, errors, or aborts, the factory stayed in a switched state — the next agent run would start with the wrong provider. Wrapped the entire loop body in `try/finally` so `restore()` runs on every exit path.
+- **Concurrent `chat()`/`chatStream()` calls corrupted the message history** (`sdk/agent.ts`): `chatStream()` runs the agent loop in a background IIFE and returns immediately. Nothing prevented a second call from starting while the first was still mutating the shared `messages` array — no lock, no guard. Added a promise-based `acquire()`/`release()` lock that serializes all chat operations. A second call blocks until the first completes.
+- **Session files were not written atomically** (`session-store.ts`): `FilePersistenceBackend.save()` used a bare `fs.writeFile()` — a crash mid-write left a corrupt JSON file. Now writes to a temp file first, then renames to the target path, matching the atomic pattern already used by `SettingsManager`.
+- **Middleware errors left no audit trail** (`agent-loop.ts`): When outer middleware (auth, rate-limit) threw, the error was caught and returned as a structured result, but nothing was logged. Added a `console.error` in the middleware catch block so rejected requests show up in server logs.
+### Changed
+- Redesigned `/settings` interactive mode into a 3-level drill-down wizard with bordered ASCII headers and mini-forms.
+- Reorganized settings categories from 6 to 5: Providers & Models, Permissions & Safety, Tools & Integrations, Notifications, Skills.
+- `/settings` with no arguments now launches the wizard (was a plain list).
+- Removed `/settings edit` and `/settings wizard` subcommands.
+- All 12 built-in tools now carry a `risk` field (`safe`, `edit`, `communications`, or `destructive`).
+- `--headless` flag replaces the binary `ZOE_SHELL_APPROVE` approval mechanism.
+- Unknown and custom tools default to `destructive` risk category, requiring approval in all modes except `permissive`.
+- `ToolModule` interface now includes optional `risk` field.
+- `permissionMode` option removed from `AgentCreateOptions` (replaced by `permissionLevel`).
+### Added
+- `/setup` slash command to access the setup wizard directly.
+- Bordered mini-form with type-appropriate prompts (password masking, enum lists, boolean confirms).
+- Env var override warnings in the setting editor.
+- Number field validation with min/max constraints.
+- **Permission Levels System**: 3-tier permission matrix (strict/moderate/permissive) with 4 tool risk categories (safe/edit/communications/destructive) controlling which tools auto-execute vs. require human approval.
+- CLI flags: `--headless`, `--strict`, `--moderate`, `--yolo` for controlling tool approval behavior.
+- SDK: `permissionLevel` option on `GenerateTextOptions`, `StreamTextOptions`, and `AgentCreateOptions`.
+- Server: per-message permission level with `maxPermissionLevel` ceiling per connection.
+- `ZOE_PERMISSION` environment variable and settings file support for default permission level.
+- `src/core/permission.ts` — Permission matrix with 3 pure functions (`needsApproval`, `resolvePermissionLevel`, `getToolRiskCategory`).
+- 12 built-in tools categorized by risk; custom tools default to "destructive" (deny-by-default).
+- 25 new tests (22 in `permission.test.ts`, 3 in `tool-executor.test.ts`).
+- **Settings System**: Schema-driven settings management with CLI, SDK, and Server adapters.
+- `src/core/settings-schema.ts` — 37 settings mapped to AppConfig paths with validation metadata, env var overrides, and category grouping.
+- `src/core/settings-manager.ts` — SettingsManager with get/set/reset/list/onChange, secret masking, origin resolution, atomic file persistence, and deep merge for provider configs.
+- CLI `/settings` command with subcommands: `list`, `get`, `set`, `reset`, `edit`, `wizard`, `export`, `help`. Aliases: `/config`, `/setting`.
+- SDK `settings` facade exporting get/set/apply/list/listByCategory/onChange/reset/resetAll.
+- Server REST endpoints: `GET/PATCH /v1/settings`, `GET /v1/settings/schema`, `POST/PATCH/DELETE /v1/providers`.
+- Server WebSocket message types for settings get/update/change broadcast.
+- 58 new tests (30 unit + 28 integration) covering schema, manager, validation, persistence, events, and secret masking.
+### Security
+- **Critical**: WebSocket tool approvals are now bound to the originating connection, preventing cross-connection approval bypass.
+- **High**: `autoConfirm` state is captured immutably at agent construction time, preventing runtime mutation attacks.
+- **High**: Tool denial messages use generic text ("Tool execution denied.") to prevent information leakage.
+- **Medium**: Unknown permission level values are validated in server ceiling comparison, preventing ceiling bypass via invalid levels.
+- **Medium**: Custom tool registry is included in risk lookups alongside built-in tools.
+- **Low**: Conflicting `--headless` and permission level flags produce a warning.
+- **Low**: Legacy `ZOE_SHELL_APPROVE` env var is ignored when new permission flags are active.
+## [v0.2.1] - 2026-04-09
+### Fixed
+- Corrected Homebrew formula SHA256 checksum to match npm-published tarball.
+## [v0.2.0] - 2026-04-09
+### Added
+- **Skills System**: Loadable skill packs with `@path` references, workspace setup, and built-in skills (docker-ops, k8s-deploy, log-analyzer).
+- **SDK (Programmatic API)**: Full TypeScript SDK with `createAgent`, `streamText`, `generateText`, structured output, React hooks, and session persistence.
+- **Server Adapter**: Standalone HTTP/WebSocket server with REST API, session management, and authentication (API key + bearer token).
+- **Docker Support**: Production-ready Dockerfile, `.dockerignore`, `docker-compose.yml`, `--docker` CLI flag, and non-interactive environment detection.
+- **Shell Approval Modes**: Dual-mode shell command approval — interactive inquirer prompt and non-interactive `ZOE_SHELL_APPROVE` env var with `auto`/`deny` modes.
+- **Standalone Server Binary**: `zoe-server` with `--generate-api-key` flag, env var configuration, and graceful shutdown.
+- Environment variable overrides for provider API keys.
+- VitePress documentation site.
+### Changed
+- **Modular Multi-Adapter Architecture**: Restructured from monolithic `index.ts` into `core/`, `adapters/{cli,sdk,server}/`, `providers/`, `skills/`, `tools/`.
+- **Unified Core**: Shared agent loop, provider resolver, tool executor, error hierarchy, and hooks system across all adapters.
+- Extracted error hierarchy into `src/core/errors.ts`.
+- Extracted tool executor into `src/core/tool-executor.ts`.
+- Split CLI adapter into focused modules (`agent.ts`, `config-loader.ts`, `setup.ts`, `index.ts`).
+- Standardized `OPENAI_COMPAT_*` environment variables.
+- Updated default models catalog.
+- Session store with filesystem backend for persistent session management.
+### Fixed
+- Corrected parentheses in provider resolution logic.
+### Removed
+- Monolithic `src/index.ts` entry point (replaced by modular architecture).

package/LICENSE ADDED Viewed

@@ -0,0 +1,96 @@
+Business Source License 1.1
+Parameters
+Licensor:             Hashan Wickramasinghe
+Licensed Work:        Zoe Agent — the `zoe-agent` npm package and the
+                      corresponding source code in this repository, including
+                      the CLI (`zoe`, `zoe-server`), the SDK (`zoe-agent`),
+                      the server adapter, built-in tools, and skills.
+                      The Licensed Work does not include separate third-party
+                      software modules distributed under their own licenses.
+Additional Use Grant: Use of the Licensed Work is permitted at no cost for:
+                        1. Personal, non-commercial use by individuals.
+                        2. Non-commercial use by educators, students, and
+                           academic or research institutions.
+                        3. Evaluation and internal trial use by any
+                           organization, for the lesser of ninety (90) days
+                           or a single development project.
+                      This Additional Use Grant does not extend to:
+                        a. Any production or commercial deployment of the
+                           Licensed Work, by or for the benefit of an
+                           organization.
+                        b. Offering the Licensed Work, in whole or in part,
+                           as a managed service, hosted product, or embedded
+                           component of a commercial offering.
+Change Date:          2028-01-01
+Change License:       Apache License 2.0
+Notice
+The Licensed Work is provided under the Business Source License 1.1 (BSL),
+a source-available license that is not an open-source license. You may not
+use the Licensed Work except in compliance with the BSL. The parameters
+above define the Additional Use Grant, the Change Date, and the Change
+License under which the Licensed Work will become available on or after the
+Change Date.
+A commercial license is required for any use that exceeds the Additional
+Use Grant above. To obtain a commercial license, contact the Licensor.
+For the full terms of the Business Source License 1.1, see:
+    https://mariadb.com/bsl11/
+Terms
+The Licensed Work is (c) 2024-2026 Hashan Wickramasinghe.
+------------------------------------------------------------------------------
+Business Source License 1.1
+Terms
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and non-commercially use the Licensed Work to the
+extent you are a Licensee in compliance with the Additional Use Grant and
+its associated terms and conditions, which are hereby incorporated by
+reference.
+You may redistribute the Licensed Work, in whole or in part, provided that
+you:
+    1. Prominently display the parameters of the BSL (Licensor, Licensed
+       Work, Additional Use Grant, Change Date, and Change License) on or
+       in association with every copy of the Licensed Work; and
+    2. Include a copy of, or the Uniform Resource Identifier for, the BSL
+       with every copy of the Licensed Work.
+You may use the Licensed Work for the purposes of the Additional Use Grant
+only. Any use beyond the scope of the Additional Use Grant (including but
+not limited to commercial use in production) requires the Licensor's
+separate written agreement (a "Commercial License"). Contact the Licensor
+to obtain a Commercial License.
+The Licensor will not bring a patent or copyright infringement action
+against you under the BSL for any use of the Licensed Work falling within
+the Additional Use Grant.
+On or after the Change Date, the Licensed Work will automatically become
+available under the Change License and you will be able to use it under the
+terms of that Change License.
+This License does not extend to, and no permission is granted for, the use
+of any trade names, trademarks, service marks, or product names of the
+Licensor, except as required for reasonable and customary use in describing
+the origin of the Licensed Work.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.