@adhdev/daemon-standalone 0.8.76 → 0.8.77

package/dist/index.js

@@ -9244,7 +9244,7 @@ var require_dist = __commonJS({
         }
       }
     };
-    var import_crypto2 = require("crypto");
+    var import_crypto3 = require("crypto");
     var path5 = __toESM2(require("path"));
     function normalizeSlug(input) {
       return input.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 48);
@@ -9360,7 +9360,7 @@ var require_dist = __commonJS({
     var SessionHostRegistry = class {
       sessions = /* @__PURE__ */ new Map();
       createSession(payload) {
-        const sessionId = payload.sessionId || (0, import_crypto2.randomUUID)();
+        const sessionId = payload.sessionId || (0, import_crypto3.randomUUID)();
         if (this.sessions.has(sessionId)) {
           throw new Error(`Session already exists: ${sessionId}`);
         }
@@ -26823,9 +26823,9 @@ var init_handler = __esm({
         if (this.fsw.closed) {
           return;
         }
-        const dirname3 = sp.dirname(file2);
+        const dirname4 = sp.dirname(file2);
         const basename3 = sp.basename(file2);
-        const parent = this.fsw._getWatchedDir(dirname3);
+        const parent = this.fsw._getWatchedDir(dirname4);
         let prevStats = stats;
         if (parent.has(basename3))
           return;
@@ -26852,7 +26852,7 @@ var init_handler = __esm({
                 prevStats = newStats2;
               }
             } catch (error48) {
-              this.fsw._remove(dirname3, basename3);
+              this.fsw._remove(dirname4, basename3);
             }
           } else if (parent.has(basename3)) {
             const at2 = newStats.atimeMs;
@@ -27927,7 +27927,7 @@ var require_dist2 = __commonJS({
       };
     }
     function generateMachineId() {
-      return `${MACHINE_ID_PREFIX}${(0, import_crypto2.randomUUID)().replace(/-/g, "")}`;
+      return `${MACHINE_ID_PREFIX}${(0, import_crypto3.randomUUID)().replace(/-/g, "")}`;
     }
     function isStableMachineId(machineId) {
       return typeof machineId === "string" && machineId.startsWith(MACHINE_ID_PREFIX);
@@ -28046,7 +28046,7 @@ var require_dist2 = __commonJS({
     var import_os2;
     var import_path2;
     var import_fs;
-    var import_crypto2;
+    var import_crypto3;
     var DEFAULT_CONFIG;
     var MACHINE_ID_PREFIX;
     var init_config = __esm2({
@@ -28055,7 +28055,7 @@ var require_dist2 = __commonJS({
         import_os2 = require("os");
         import_path2 = require("path");
         import_fs = require("fs");
-        import_crypto2 = require("crypto");
+        import_crypto3 = require("crypto");
         DEFAULT_CONFIG = {
           serverUrl: "https://api.adhf.dev",
           allowServerApiProxy: false,
@@ -32229,12 +32229,66 @@ ${data.message || ""}`.trim();
       const availableMem = darwinAvail != null ? darwinAvail : freeMem;
       return { totalMem, freeMem, availableMem };
     }
+    var LIVE_LIFECYCLES = /* @__PURE__ */ new Set(["starting", "running", "stopping", "interrupted"]);
+    function isSessionHostLiveRuntime(record2) {
+      const lifecycle = String(record2?.lifecycle || "").trim();
+      return LIVE_LIFECYCLES.has(lifecycle);
+    }
+    function getSessionHostRecoveryLabel(meta3) {
+      const recoveryState = typeof meta3?.runtimeRecoveryState === "string" ? String(meta3.runtimeRecoveryState).trim() : "";
+      if (!recoveryState) return null;
+      if (recoveryState === "auto_resumed") return "restored after restart";
+      if (recoveryState === "resume_failed") return "restore failed";
+      if (recoveryState === "host_restart_interrupted") return "host restart interrupted";
+      if (recoveryState === "orphan_snapshot") return "snapshot recovered";
+      return recoveryState.replace(/_/g, " ");
+    }
+    function isSessionHostRecoverySnapshot(record2) {
+      if (!record2) return false;
+      if (isSessionHostLiveRuntime(record2)) return false;
+      const lifecycle = String(record2.lifecycle || "").trim();
+      if (lifecycle && lifecycle !== "stopped" && lifecycle !== "failed") {
+        return false;
+      }
+      const meta3 = record2.meta || void 0;
+      if (meta3?.restoredFromStorage === true) return true;
+      return getSessionHostRecoveryLabel(meta3) !== null;
+    }
+    function getSessionHostSurfaceKind(record2) {
+      if (isSessionHostLiveRuntime(record2)) return "live_runtime";
+      if (isSessionHostRecoverySnapshot(record2)) return "recovery_snapshot";
+      return "inactive_record";
+    }
+    function partitionSessionHostRecords(records) {
+      const liveRuntimes = [];
+      const recoverySnapshots = [];
+      const inactiveRecords = [];
+      for (const record2 of records) {
+        const kind = getSessionHostSurfaceKind(record2);
+        if (kind === "live_runtime") {
+          liveRuntimes.push(record2);
+        } else if (kind === "recovery_snapshot") {
+          recoverySnapshots.push(record2);
+        } else {
+          inactiveRecords.push(record2);
+        }
+      }
+      return {
+        liveRuntimes,
+        recoverySnapshots,
+        inactiveRecords
+      };
+    }
+    function partitionSessionHostDiagnosticsSessions(records) {
+      return partitionSessionHostRecords(records || []);
+    }
     var DEFAULT_ACTIVE_CHAT_POLL_STATUSES = /* @__PURE__ */ new Set([
       "generating",
       "waiting_approval",
       "starting"
     ]);
     var DEFAULT_CHAT_TAIL_RECENT_MESSAGE_GRACE_MS = 8e3;
+    var LIVE_RUNTIME_LIFECYCLES = /* @__PURE__ */ new Set(["starting", "running", "stopping", "interrupted"]);
     function parseMessageTimestamp(value) {
       if (typeof value === "number" && Number.isFinite(value)) return value;
       if (typeof value === "string") {
@@ -32243,6 +32297,23 @@ ${data.message || ""}`.trim();
       }
       return 0;
     }
+    function isDefinitelyNonLiveRuntimeSession(session) {
+      const surfaceKind = String(session?.runtimeSurfaceKind || "").trim();
+      if (surfaceKind === "live_runtime") return false;
+      if (surfaceKind === "recovery_snapshot") return true;
+      if (surfaceKind === "inactive_record") return false;
+      const lifecycle = String(session?.runtimeLifecycle || "").trim();
+      if (lifecycle && LIVE_RUNTIME_LIFECYCLES.has(lifecycle)) return false;
+      const inferredSurfaceKind = getSessionHostSurfaceKind({
+        lifecycle: lifecycle || null,
+        meta: {
+          restoredFromStorage: session?.runtimeRestoredFromStorage === true,
+          ...session?.runtimeRecoveryState ? { runtimeRecoveryState: session.runtimeRecoveryState } : {}
+        }
+      });
+      if (inferredSurfaceKind === "recovery_snapshot") return true;
+      return false;
+    }
     function classifyHotChatSessionsForSubscriptionFlush2(sessions, previousHotSessionIds, options = {}) {
       const now = options.now ?? Date.now();
       const recentMessageGraceMs = Math.max(
@@ -32251,9 +32322,14 @@ ${data.message || ""}`.trim();
       );
       const activeStatuses = options.activeStatuses ?? DEFAULT_ACTIVE_CHAT_POLL_STATUSES;
       const active = /* @__PURE__ */ new Set();
+      const excluded = /* @__PURE__ */ new Set();
       for (const session of sessions) {
         const sessionId = typeof session?.id === "string" ? session.id : "";
         if (!sessionId) continue;
+        if (isDefinitelyNonLiveRuntimeSession(session)) {
+          excluded.add(sessionId);
+          continue;
+        }
         const status = String(session?.status || "").toLowerCase();
         const lastMessageAt = parseMessageTimestamp(session?.lastMessageAt);
         const recentlyUpdated = lastMessageAt > 0 && now - lastMessageAt <= recentMessageGraceMs;
@@ -32262,7 +32338,7 @@ ${data.message || ""}`.trim();
         }
       }
       const finalizing = new Set(
-        Array.from(previousHotSessionIds).filter((sessionId) => !active.has(sessionId))
+        Array.from(previousHotSessionIds).filter((sessionId) => !active.has(sessionId) && !excluded.has(sessionId))
       );
       return { active, finalizing };
     }
@@ -36481,7 +36557,7 @@ ${effect.notification.body || ""}`.trim();
       return profile !== "live";
     }
     function shouldIncludeRuntimeMetadata(profile) {
-      return profile !== "live";
+      return true;
     }
     function findCdpManager(cdpManagers, key) {
       const exact = cdpManagers.get(key);
@@ -36636,8 +36712,12 @@ ${effect.notification.body || ""}`.trim();
           runtimeKey: state.runtime?.runtimeKey,
           runtimeDisplayName: state.runtime?.displayName,
           runtimeWorkspaceLabel: state.runtime?.workspaceLabel,
+          runtimeLifecycle: state.runtime?.lifecycle ?? null,
+          runtimeSurfaceKind: state.runtime?.surfaceKind,
           runtimeWriteOwner: state.runtime?.writeOwner || null,
-          runtimeAttachedClients: state.runtime?.attachedClients || []
+          runtimeAttachedClients: state.runtime?.attachedClients || [],
+          runtimeRestoredFromStorage: state.runtime?.restoredFromStorage === true,
+          runtimeRecoveryState: state.runtime?.recoveryState ?? null
         },
         mode: state.mode,
         resume: state.resume,
@@ -39884,8 +39964,12 @@ ${effect.notification.body || ""}`.trim();
             runtimeKey: runtime.runtimeKey,
             displayName: runtime.displayName,
             workspaceLabel: runtime.workspaceLabel,
+            lifecycle: runtime.lifecycle ?? null,
+            surfaceKind: runtime.surfaceKind,
             writeOwner: runtime.writeOwner || null,
-            attachedClients: runtime.attachedClients || []
+            attachedClients: runtime.attachedClients || [],
+            restoredFromStorage: runtime.restoredFromStorage === true,
+            recoveryState: runtime.recoveryState ?? null
           } : void 0,
           resume: this.provider.resume,
           controlValues: surface.controlValues,
@@ -44167,59 +44251,6 @@ Run 'adhdev doctor' for detailed diagnostics.`
     }
     cleanOldFiles();
     init_logger();
-    var LIVE_LIFECYCLES = /* @__PURE__ */ new Set(["starting", "running", "stopping", "interrupted"]);
-    function isSessionHostLiveRuntime(record2) {
-      const lifecycle = String(record2?.lifecycle || "").trim();
-      return LIVE_LIFECYCLES.has(lifecycle);
-    }
-    function getSessionHostRecoveryLabel(meta3) {
-      const recoveryState = typeof meta3?.runtimeRecoveryState === "string" ? String(meta3.runtimeRecoveryState).trim() : "";
-      if (!recoveryState) return null;
-      if (recoveryState === "auto_resumed") return "restored after restart";
-      if (recoveryState === "resume_failed") return "restore failed";
-      if (recoveryState === "host_restart_interrupted") return "host restart interrupted";
-      if (recoveryState === "orphan_snapshot") return "snapshot recovered";
-      return recoveryState.replace(/_/g, " ");
-    }
-    function isSessionHostRecoverySnapshot(record2) {
-      if (!record2) return false;
-      if (isSessionHostLiveRuntime(record2)) return false;
-      const lifecycle = String(record2.lifecycle || "").trim();
-      if (lifecycle && lifecycle !== "stopped" && lifecycle !== "failed") {
-        return false;
-      }
-      const meta3 = record2.meta || void 0;
-      if (meta3?.restoredFromStorage === true) return true;
-      return getSessionHostRecoveryLabel(meta3) !== null;
-    }
-    function getSessionHostSurfaceKind(record2) {
-      if (isSessionHostLiveRuntime(record2)) return "live_runtime";
-      if (isSessionHostRecoverySnapshot(record2)) return "recovery_snapshot";
-      return "inactive_record";
-    }
-    function partitionSessionHostRecords(records) {
-      const liveRuntimes = [];
-      const recoverySnapshots = [];
-      const inactiveRecords = [];
-      for (const record2 of records) {
-        const kind = getSessionHostSurfaceKind(record2);
-        if (kind === "live_runtime") {
-          liveRuntimes.push(record2);
-        } else if (kind === "recovery_snapshot") {
-          recoverySnapshots.push(record2);
-        } else {
-          inactiveRecords.push(record2);
-        }
-      }
-      return {
-        liveRuntimes,
-        recoverySnapshots,
-        inactiveRecords
-      };
-    }
-    function partitionSessionHostDiagnosticsSessions(records) {
-      return partitionSessionHostRecords(records || []);
-    }
     var os16 = __toESM2(require("os"));
     init_config();
     init_terminal_screen();
@@ -52547,6 +52578,8 @@ data: ${JSON.stringify(msg.data)}
           runtimeKey: record2.runtimeKey,
           displayName: record2.displayName,
           workspaceLabel: record2.workspaceLabel,
+          lifecycle: typeof record2.lifecycle === "string" ? record2.lifecycle : null,
+          surfaceKind: record2.surfaceKind,
           writeOwner: record2.writeOwner ? {
             clientId: record2.writeOwner.clientId,
             ownerType: record2.writeOwner.ownerType
@@ -53149,6 +53182,7 @@ var import_ws = require("ws");
 var path4 = __toESM(require("path"));
 var fs3 = __toESM(require("fs"));
 var os5 = __toESM(require("os"));
+var import_crypto2 = require("crypto");
 var import_daemon_core2 = __toESM(require_dist2());
 
 // src/session-host.ts
@@ -53654,6 +53688,165 @@ async function getWorkspaceSocketInfo(workspaceName) {
 var import_daemon_core3 = __toESM(require_dist2());
 var DEFAULT_PORT = 3847;
 var STATUS_INTERVAL = 2e3;
+var STANDALONE_AUTH_SESSION_COOKIE = "adhdev_standalone_session";
+var STANDALONE_PASSWORD_CONFIG_FILE = "standalone-auth.json";
+var STANDALONE_BIND_HOST_CONFIG_FILE = "standalone-network.json";
+var STANDALONE_BIND_HOST_DEFAULT = "127.0.0.1";
+var PASSWORD_KEYLEN = 64;
+var DEFAULT_SESSION_TTL_MS = 1e3 * 60 * 60 * 24 * 30;
+function getStandalonePasswordConfigPath() {
+  const dir = path4.join(os5.homedir(), ".adhdev");
+  if (!fs3.existsSync(dir)) {
+    fs3.mkdirSync(dir, { recursive: true, mode: 448 });
+  }
+  return path4.join(dir, STANDALONE_PASSWORD_CONFIG_FILE);
+}
+function getStandaloneConfigJsonPath() {
+  const dir = path4.join(os5.homedir(), ".adhdev");
+  if (!fs3.existsSync(dir)) {
+    fs3.mkdirSync(dir, { recursive: true, mode: 448 });
+  }
+  return path4.join(dir, STANDALONE_BIND_HOST_CONFIG_FILE);
+}
+function loadStandaloneBindHostPreference() {
+  try {
+    const configPath = getStandaloneConfigJsonPath();
+    if (!fs3.existsSync(configPath)) return STANDALONE_BIND_HOST_DEFAULT;
+    const parsed = JSON.parse(fs3.readFileSync(configPath, "utf8"));
+    return parsed?.standaloneBindHost === "0.0.0.0" ? "0.0.0.0" : STANDALONE_BIND_HOST_DEFAULT;
+  } catch {
+    return STANDALONE_BIND_HOST_DEFAULT;
+  }
+}
+function saveStandaloneBindHostPreference(bindHost) {
+  const configPath = getStandaloneConfigJsonPath();
+  let parsed = {};
+  try {
+    if (fs3.existsSync(configPath)) {
+      const raw = fs3.readFileSync(configPath, "utf8");
+      const next = JSON.parse(raw);
+      if (next && typeof next === "object" && !Array.isArray(next)) parsed = next;
+    }
+  } catch {
+    parsed = {};
+  }
+  parsed.standaloneBindHost = bindHost;
+  fs3.writeFileSync(configPath, JSON.stringify(parsed, null, 2), { encoding: "utf8", mode: 384 });
+  try {
+    fs3.chmodSync(configPath, 384);
+  } catch {
+  }
+  return bindHost;
+}
+function createPasswordRecord(password, salt = (0, import_crypto2.randomBytes)(16).toString("hex")) {
+  return {
+    passwordHash: (0, import_crypto2.scryptSync)(`${password || ""}`, salt, PASSWORD_KEYLEN).toString("hex"),
+    passwordSalt: salt,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function verifyPassword(password, config2) {
+  if (!config2?.passwordHash || !config2.passwordSalt) return false;
+  const actual = Buffer.from((0, import_crypto2.scryptSync)(`${password || ""}`, config2.passwordSalt, PASSWORD_KEYLEN).toString("hex"), "utf8");
+  const expected = Buffer.from(config2.passwordHash, "utf8");
+  return actual.length === expected.length && (0, import_crypto2.timingSafeEqual)(actual, expected);
+}
+function loadStandalonePasswordConfig(filePath = getStandalonePasswordConfigPath()) {
+  if (!fs3.existsSync(filePath)) return null;
+  try {
+    const parsed = JSON.parse(fs3.readFileSync(filePath, "utf8"));
+    if (!parsed || typeof parsed !== "object") return null;
+    if (typeof parsed.passwordHash !== "string" || typeof parsed.passwordSalt !== "string") return null;
+    return {
+      passwordHash: parsed.passwordHash,
+      passwordSalt: parsed.passwordSalt,
+      updatedAt: typeof parsed.updatedAt === "string" ? parsed.updatedAt : (/* @__PURE__ */ new Date(0)).toISOString()
+    };
+  } catch {
+    return null;
+  }
+}
+function saveStandalonePasswordConfig(filePath, config2) {
+  const dir = path4.dirname(filePath);
+  if (!fs3.existsSync(dir)) {
+    fs3.mkdirSync(dir, { recursive: true, mode: 448 });
+  }
+  fs3.writeFileSync(filePath, JSON.stringify(config2, null, 2), { encoding: "utf8", mode: 384 });
+  try {
+    fs3.chmodSync(filePath, 384);
+  } catch {
+  }
+}
+function clearStandalonePasswordConfig(filePath = getStandalonePasswordConfigPath()) {
+  if (fs3.existsSync(filePath)) {
+    fs3.rmSync(filePath, { force: true });
+  }
+}
+function shouldWarnForPublicUnauthenticatedHost(input) {
+  return input.host === "0.0.0.0" && !input.hasTokenAuth && !input.hasPasswordAuth;
+}
+function parseCookies(cookieHeader) {
+  if (!cookieHeader) return {};
+  return Object.fromEntries(
+    cookieHeader.split(";").map((part) => part.trim()).filter(Boolean).map((part) => {
+      const eq = part.indexOf("=");
+      if (eq === -1) return [part, ""];
+      return [part.slice(0, eq), decodeURIComponent(part.slice(eq + 1))];
+    })
+  );
+}
+function buildSessionCookie(sessionId, secure, maxAgeMs = DEFAULT_SESSION_TTL_MS) {
+  const parts = [
+    `${STANDALONE_AUTH_SESSION_COOKIE}=${encodeURIComponent(sessionId)}`,
+    "Path=/",
+    "HttpOnly",
+    "SameSite=Lax",
+    `Max-Age=${Math.max(0, Math.floor(maxAgeMs / 1e3))}`
+  ];
+  if (secure) parts.push("Secure");
+  return parts.join("; ");
+}
+function buildClearedSessionCookie(secure) {
+  return buildSessionCookie("", secure, 0);
+}
+var StandaloneSessionStore = class {
+  sessions = /* @__PURE__ */ new Map();
+  create(ttlMs = DEFAULT_SESSION_TTL_MS) {
+    const id = (0, import_crypto2.randomBytes)(24).toString("hex");
+    this.sessions.set(id, Date.now() + ttlMs);
+    return id;
+  }
+  has(sessionId) {
+    if (!sessionId) return false;
+    const expiresAt = this.sessions.get(sessionId);
+    if (!expiresAt) return false;
+    if (expiresAt <= Date.now()) {
+      this.sessions.delete(sessionId);
+      return false;
+    }
+    return true;
+  }
+  revoke(sessionId) {
+    if (!sessionId) return;
+    this.sessions.delete(sessionId);
+  }
+  clear() {
+    this.sessions.clear();
+  }
+};
+function isStandaloneRequestAuthenticated(input) {
+  const hasTokenAuth = !!input.configuredToken;
+  const hasPasswordAuth = !!input.passwordConfig;
+  if (!hasTokenAuth && !hasPasswordAuth) return true;
+  if (hasTokenAuth && (input.bearerToken === input.configuredToken || input.queryToken === input.configuredToken)) {
+    return true;
+  }
+  if (hasPasswordAuth) {
+    const cookies = parseCookies(input.cookieHeader);
+    return input.sessionStore.has(cookies[STANDALONE_AUTH_SESSION_COOKIE]);
+  }
+  return false;
+}
 var pkgVersion = process.env.ADHDEV_PKG_VERSION || "unknown";
 if (pkgVersion === "unknown") {
   try {
@@ -53702,6 +53895,10 @@ var StandaloneServer = class {
   wsSessionModalSubscriptions = /* @__PURE__ */ new Map();
   wsDaemonMetadataSubscriptions = /* @__PURE__ */ new Map();
   authToken = null;
+  passwordConfigPath = getStandalonePasswordConfigPath();
+  passwordConfig = null;
+  authSessions = new StandaloneSessionStore();
+  listenHost = "127.0.0.1";
   statusTimer = null;
   lastStatusBroadcastAt = 0;
   statusBroadcastPending = false;
@@ -53758,10 +53955,88 @@ var StandaloneServer = class {
     const mode = this.getCliPresentationMode(sessionId);
     return mode === "chat" || mode === "terminal";
   }
+  hasPasswordAuth() {
+    return !!this.passwordConfig;
+  }
+  hasAnyAuth() {
+    return !!this.authToken || this.hasPasswordAuth();
+  }
+  getCookieSecureFlag(req) {
+    const forwardedProto = req.headers["x-forwarded-proto"];
+    return !!req.socket.encrypted || typeof forwardedProto === "string" && forwardedProto.toLowerCase().includes("https");
+  }
+  getRequestTokens(req, rawUrl) {
+    const authHeader = req.headers["authorization"];
+    const bearerToken = typeof authHeader === "string" && authHeader.startsWith("Bearer ") ? authHeader.slice(7) : null;
+    const queryToken = new URL(rawUrl, `http://${req.headers.host || "localhost"}`).searchParams.get("token");
+    return { bearerToken, queryToken };
+  }
+  isRequestAuthenticated(req, rawUrl) {
+    const { bearerToken, queryToken } = this.getRequestTokens(req, rawUrl);
+    return isStandaloneRequestAuthenticated({
+      configuredToken: this.authToken,
+      passwordConfig: this.passwordConfig,
+      bearerToken,
+      queryToken,
+      cookieHeader: typeof req.headers.cookie === "string" ? req.headers.cookie : void 0,
+      sessionStore: this.authSessions
+    });
+  }
+  getRequestSessionId(req) {
+    const cookies = parseCookies(typeof req.headers.cookie === "string" ? req.headers.cookie : void 0);
+    return cookies.adhdev_standalone_session || null;
+  }
+  buildAuthStatus(req, rawUrl) {
+    const required2 = this.hasAnyAuth();
+    return {
+      required: required2,
+      authenticated: this.isRequestAuthenticated(req, rawUrl),
+      hasTokenAuth: !!this.authToken,
+      hasPasswordAuth: this.hasPasswordAuth(),
+      publicHostWarning: shouldWarnForPublicUnauthenticatedHost({
+        host: this.listenHost,
+        hasTokenAuth: !!this.authToken,
+        hasPasswordAuth: this.hasPasswordAuth()
+      }),
+      boundHost: this.listenHost
+    };
+  }
+  isTrustedStandaloneMutationRequest(req) {
+    const originHeader = req.headers.origin;
+    if (typeof originHeader !== "string" || !originHeader.trim()) return true;
+    try {
+      const origin = new URL(originHeader);
+      const host = req.headers.host || "";
+      return origin.host === host;
+    } catch {
+      return false;
+    }
+  }
+  async readJsonBody(req) {
+    return await new Promise((resolve4, reject) => {
+      let body = "";
+      req.on("data", (chunk) => {
+        body += chunk;
+      });
+      req.on("end", () => {
+        try {
+          resolve4(body ? JSON.parse(body) : {});
+        } catch (error48) {
+          reject(error48);
+        }
+      });
+      req.on("error", reject);
+    });
+  }
   async start(options = {}) {
-    const port = options.port || DEFAULT_PORT;
-    const host = options.host || "127.0.0.1";
+    const persistedStandaloneBindHost = loadStandaloneBindHostPreference();
     const cfg = (0, import_daemon_core2.loadConfig)();
+    if (!options.host && persistedStandaloneBindHost !== STANDALONE_BIND_HOST_DEFAULT) {
+      saveStandaloneBindHostPreference(persistedStandaloneBindHost);
+    }
+    const port = options.port || DEFAULT_PORT;
+    const host = options.host || persistedStandaloneBindHost;
+    this.listenHost = host;
     const sessionHostEndpoint = await ensureSessionHostReady();
     this.sessionHostEndpoint = sessionHostEndpoint;
     const sessionHostControl = new StandaloneSessionHostControlPlane(
@@ -53769,6 +54044,7 @@ var StandaloneServer = class {
     );
     this.sessionHostControl = sessionHostControl;
     this.authToken = options.token || process.env.ADHDEV_TOKEN || null;
+    this.passwordConfig = loadStandalonePasswordConfig(this.passwordConfigPath);
     const statusInstanceId = `standalone_${cfg.machineId || "mach_unknown"}`;
     this.components = await (0, import_daemon_core2.initDaemonComponents)({
       cliManagerDeps: {
@@ -53842,13 +54118,10 @@ var StandaloneServer = class {
     this.httpServer.on("upgrade", (req, socket, head) => {
       const wsUrl = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
       if (wsUrl.pathname === "/ws") {
-        if (this.authToken) {
-          const urlToken = wsUrl.searchParams.get("token");
-          if (urlToken !== this.authToken) {
-            socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
-            socket.destroy();
-            return;
-          }
+        if (!this.isRequestAuthenticated(req, req.url || "/")) {
+          socket.write("HTTP/1.1 401 Unauthorized\r\n\r\n");
+          socket.destroy();
+          return;
         }
         this.wss.handleUpgrade(req, socket, head, (ws2) => {
           this.handleWsConnection(ws2);
@@ -53881,7 +54154,14 @@ var StandaloneServer = class {
       }
     }
     if (this.authToken) {
-      console.log(`   \u{1F511} Token: ${this.authToken}`);
+      console.log("   \u{1F511} Token auth: enabled");
+    }
+    if (this.passwordConfig) {
+      console.log("   \u{1F510} Password auth: enabled");
+    }
+    if (shouldWarnForPublicUnauthenticatedHost({ host, hasTokenAuth: !!this.authToken, hasPasswordAuth: !!this.passwordConfig })) {
+      console.warn("   \u26A0\uFE0F  Public host mode is enabled without any auth.");
+      console.warn("      Anyone on your LAN can open and control this dashboard until you set a password or token.");
     }
     console.log("");
     const cdpCount = [...this.components.cdpManagers.values()].filter((m) => m.isConnected).length;
@@ -53921,18 +54201,148 @@ var StandaloneServer = class {
       res.end();
       return;
     }
-    if (this.authToken && url2.startsWith("/api/")) {
-      const authHeader = req.headers["authorization"];
-      const bearerToken = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
-      const queryToken = new URL(url2, `http://${req.headers.host || "localhost"}`).searchParams.get("token");
-      if (bearerToken !== this.authToken && queryToken !== this.authToken) {
-        res.writeHead(401, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ error: "Unauthorized. Provide token via Authorization header or ?token= query." }));
-        return;
-      }
+    const parsedUrl = new URL(url2, `http://${req.headers.host || "localhost"}`);
+    if (parsedUrl.pathname === "/auth/session" && method === "GET") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify(this.buildAuthStatus(req, url2)));
+      return;
+    }
+    if (parsedUrl.pathname === "/auth/login" && method === "POST") {
+      void (async () => {
+        if (!this.passwordConfig) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Password auth is not configured." }));
+          return;
+        }
+        const body = await this.readJsonBody(req);
+        if (!verifyPassword(typeof body.password === "string" ? body.password : "", this.passwordConfig)) {
+          res.writeHead(401, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Incorrect password." }));
+          return;
+        }
+        this.authSessions.clear();
+        const sessionId = this.authSessions.create();
+        res.setHeader("Set-Cookie", buildSessionCookie(sessionId, this.getCookieSecureFlag(req)));
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ ...this.buildAuthStatus(req, url2), authenticated: true }));
+      })().catch((error48) => {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: error48?.message || String(error48) }));
+      });
+      return;
+    }
+    if (parsedUrl.pathname === "/auth/logout" && method === "POST") {
+      this.authSessions.revoke(this.getRequestSessionId(req));
+      res.setHeader("Set-Cookie", buildClearedSessionCookie(this.getCookieSecureFlag(req)));
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ success: true }));
+      return;
+    }
+    if (parsedUrl.pathname === "/auth/password" && method === "POST") {
+      void (async () => {
+        if (!this.hasAnyAuth() && !this.isTrustedStandaloneMutationRequest(req)) {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Cross-origin standalone settings changes are not allowed without existing auth." }));
+          return;
+        }
+        if (this.hasAnyAuth() && !this.isRequestAuthenticated(req, url2)) {
+          res.writeHead(401, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Unauthorized" }));
+          return;
+        }
+        const body = await this.readJsonBody(req);
+        const currentPassword = typeof body.currentPassword === "string" ? body.currentPassword : "";
+        const newPassword = typeof body.newPassword === "string" ? body.newPassword : "";
+        const clearPassword = body.clear === true;
+        if (this.passwordConfig && !verifyPassword(currentPassword, this.passwordConfig)) {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Current password is incorrect." }));
+          return;
+        }
+        if (clearPassword) {
+          clearStandalonePasswordConfig(this.passwordConfigPath);
+          this.passwordConfig = null;
+          this.authSessions.clear();
+          res.setHeader("Set-Cookie", buildClearedSessionCookie(this.getCookieSecureFlag(req)));
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ success: true, ...this.buildAuthStatus(req, url2), authenticated: !this.hasAnyAuth() }));
+          return;
+        }
+        if (newPassword.trim().length < 4) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Password must be at least 4 characters." }));
+          return;
+        }
+        const nextConfig = createPasswordRecord(newPassword.trim());
+        saveStandalonePasswordConfig(this.passwordConfigPath, nextConfig);
+        this.passwordConfig = nextConfig;
+        this.authSessions.clear();
+        const sessionId = this.authSessions.create();
+        res.setHeader("Set-Cookie", buildSessionCookie(sessionId, this.getCookieSecureFlag(req)));
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ success: true, ...this.buildAuthStatus(req, url2), authenticated: true }));
+      })().catch((error48) => {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: error48?.message || String(error48) }));
+      });
+      return;
+    }
+    if (parsedUrl.pathname === "/api/v1/standalone/preferences" && method === "GET") {
+      const configuredBindHost = loadStandaloneBindHostPreference();
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({
+        standaloneBindHost: configuredBindHost,
+        currentBindHost: this.listenHost,
+        hasPasswordAuth: !!this.passwordConfig,
+        hasTokenAuth: !!this.authToken,
+        publicHostWarning: shouldWarnForPublicUnauthenticatedHost({
+          host: configuredBindHost,
+          hasTokenAuth: !!this.authToken,
+          hasPasswordAuth: !!this.passwordConfig
+        })
+      }));
+      return;
+    }
+    if (parsedUrl.pathname === "/api/v1/standalone/preferences" && method === "POST") {
+      void (async () => {
+        if (!this.hasAnyAuth() && !this.isTrustedStandaloneMutationRequest(req)) {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Cross-origin standalone settings changes are not allowed without existing auth." }));
+          return;
+        }
+        if (this.hasAnyAuth() && !this.isRequestAuthenticated(req, url2)) {
+          res.writeHead(401, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Unauthorized" }));
+          return;
+        }
+        const body = await this.readJsonBody(req);
+        const nextHost = body?.standaloneBindHost === "0.0.0.0" ? "0.0.0.0" : "127.0.0.1";
+        const savedHost = saveStandaloneBindHostPreference(nextHost);
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({
+          success: true,
+          standaloneBindHost: savedHost,
+          currentBindHost: this.listenHost,
+          hasPasswordAuth: !!this.passwordConfig,
+          hasTokenAuth: !!this.authToken,
+          publicHostWarning: shouldWarnForPublicUnauthenticatedHost({
+            host: savedHost,
+            hasTokenAuth: !!this.authToken,
+            hasPasswordAuth: !!this.passwordConfig
+          })
+        }));
+      })().catch((error48) => {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: error48?.message || String(error48) }));
+      });
+      return;
+    }
+    if (url2.startsWith("/api/") && !this.isRequestAuthenticated(req, url2)) {
+      res.writeHead(401, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Unauthorized. Provide dashboard session cookie or token auth." }));
+      return;
     }
     const apiPath = url2.startsWith("/api/v1/") ? url2.slice(7) : null;
-    const parsedUrl = new URL(url2, `http://${req.headers.host || "localhost"}`);
     if (apiPath === "/status" && method === "GET") {
       const status = this.getStatus(getSharedSnapshot());
       res.writeHead(200, { "Content-Type": "application/json" });
@@ -54820,6 +55230,7 @@ async function main() {
     process.exit(exitCode);
   }
   const options = {};
+  let hostExplicit = false;
   for (let i = 0; i < args.length; i++) {
     if ((args[i] === "--port" || args[i] === "-p") && args[i + 1]) {
       options.port = parseInt(args[i + 1]);
@@ -54827,6 +55238,7 @@ async function main() {
     }
     if (args[i] === "--host" || args[i] === "-H") {
       options.host = "0.0.0.0";
+      hostExplicit = true;
     }
     if (args[i] === "--public" && args[i + 1]) {
       options.publicDir = args[i + 1];
@@ -54868,6 +55280,9 @@ Runtime commands:
       process.exit(0);
     }
   }
+  if (!hostExplicit) {
+    options.host = loadStandaloneBindHostPreference();
+  }
   if (!options.publicDir) {
     const candidates = [
       path4.join(__dirname, "../../web-standalone/dist"),
@@ -54883,6 +55298,9 @@ Runtime commands:
   }
   const server = new StandaloneServer();
   await server.start(options);
+  if (!hostExplicit) {
+    saveStandaloneBindHostPreference(options.host === "0.0.0.0" ? "0.0.0.0" : "127.0.0.1");
+  }
   await new Promise(() => {
   });
 }