npm - @ait-co/devtools - Versions diffs - 0.1.58 → 0.1.60 - Mend

@ait-co/devtools 0.1.58 → 0.1.60

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/dist/deeplink-BONXxWEO.cjs +44 -0
package/dist/deeplink-BONXxWEO.cjs.map +1 -0
package/dist/deeplink-CCGiyoHq.cjs +44 -0
package/dist/deeplink-CCGiyoHq.cjs.map +1 -0
package/dist/deeplink-CaO6hZVG.js +44 -0
package/dist/deeplink-CaO6hZVG.js.map +1 -0
package/dist/deeplink-Cqli4qzm.js +44 -0
package/dist/deeplink-Cqli4qzm.js.map +1 -0
package/dist/devtools-opener-BbUXBzgA.js +65 -0
package/dist/devtools-opener-BbUXBzgA.js.map +1 -0
package/dist/devtools-opener-Bp671YXu.cjs +62 -0
package/dist/devtools-opener-Bp671YXu.cjs.map +1 -0
package/dist/devtools-opener-D84kZFtR.js +65 -0
package/dist/devtools-opener-D84kZFtR.js.map +1 -0
package/dist/devtools-opener-h6A-UjzC.cjs +62 -0
package/dist/devtools-opener-h6A-UjzC.cjs.map +1 -0
package/dist/mcp/cli.js +862 -403
package/dist/mcp/cli.js.map +1 -1
package/dist/mcp/server.js +5 -1
package/dist/mcp/server.js.map +1 -1
package/dist/panel/index.d.ts +15 -9
package/dist/panel/index.d.ts.map +1 -1
package/dist/panel/index.js +27705 -1965
package/dist/panel/index.js.map +1 -1
package/dist/qr-http-server-Byk0Yjk_.cjs +901 -0
package/dist/qr-http-server-Byk0Yjk_.cjs.map +1 -0
package/dist/qr-http-server-D_Aj5Vq6.cjs +901 -0
package/dist/qr-http-server-D_Aj5Vq6.cjs.map +1 -0
package/dist/qr-http-server-N4mX8GaC.js +901 -0
package/dist/qr-http-server-N4mX8GaC.js.map +1 -0
package/dist/qr-http-server-kYvmlXlg.js +901 -0
package/dist/qr-http-server-kYvmlXlg.js.map +1 -0
package/dist/relay-secret-store-5A7_7zOp.js +111 -0
package/dist/relay-secret-store-5A7_7zOp.js.map +1 -0
package/dist/{relay-secret-store-DqyUoeXy.js → relay-secret-store-C4QQN5NA.js} +3 -3
package/dist/{relay-secret-store-DqyUoeXy.js.map → relay-secret-store-C4QQN5NA.js.map} +1 -1
package/dist/{relay-secret-store-DnTNl-9z.cjs → relay-secret-store-CLkF8Pa0.cjs} +3 -2
package/dist/{relay-secret-store-DnTNl-9z.cjs.map → relay-secret-store-CLkF8Pa0.cjs.map} +1 -1
package/dist/relay-url-store-COG2dSql.cjs +113 -0
package/dist/relay-url-store-COG2dSql.cjs.map +1 -0
package/dist/relay-url-store-WKfo0VQV.js +112 -0
package/dist/relay-url-store-WKfo0VQV.js.map +1 -0
package/dist/relay-url-store-qaoe0zOD.js +118 -0
package/dist/relay-url-store-qaoe0zOD.js.map +1 -0
package/dist/totp-86i_CNqh.js +3 -0
package/dist/{totp-D0a8VwoR.js → totp-BIrJHsQn.js} +1 -1
package/dist/{totp-D0a8VwoR.js.map → totp-BIrJHsQn.js.map} +1 -1
package/dist/{totp-BkP5yU2K.js → totp-BjtKFt88.js} +2 -2
package/dist/{totp-BkP5yU2K.js.map → totp-BjtKFt88.js.map} +1 -1
package/dist/totp-BxtxuEt4.js +64 -0
package/dist/totp-BxtxuEt4.js.map +1 -0
package/dist/totp-D9rndqg_.cjs +64 -0
package/dist/totp-D9rndqg_.cjs.map +1 -0
package/dist/{totp-DLgGbySX.cjs → totp-DA8vjAi7.cjs} +2 -1
package/dist/{totp-DLgGbySX.cjs.map → totp-DA8vjAi7.cjs.map} +1 -1
package/dist/{tunnel-nKYPtc-g.cjs → tunnel-GieyWa22.cjs} +114 -3
package/dist/tunnel-GieyWa22.cjs.map +1 -0
package/dist/{tunnel-CI61NvPI.js → tunnel-JuZ5_Pci.js} +114 -4
package/dist/tunnel-JuZ5_Pci.js.map +1 -0
package/dist/unplugin/index.cjs +116 -4
package/dist/unplugin/index.cjs.map +1 -1
package/dist/unplugin/index.d.cts +20 -1
package/dist/unplugin/index.d.cts.map +1 -1
package/dist/unplugin/index.d.ts +20 -1
package/dist/unplugin/index.d.ts.map +1 -1
package/dist/unplugin/index.js +116 -5
package/dist/unplugin/index.js.map +1 -1
package/dist/unplugin/tunnel.cjs +114 -2
package/dist/unplugin/tunnel.cjs.map +1 -1
package/dist/unplugin/tunnel.d.cts +62 -1
package/dist/unplugin/tunnel.d.cts.map +1 -1
package/dist/unplugin/tunnel.d.ts +62 -1
package/dist/unplugin/tunnel.d.ts.map +1 -1
package/dist/unplugin/tunnel.js +113 -3
package/dist/unplugin/tunnel.js.map +1 -1
package/package.json +11 -3
package/dist/totp-CQFmgOhM.js +0 -3
package/dist/tunnel-CI61NvPI.js.map +0 -1
package/dist/tunnel-nKYPtc-g.cjs.map +0 -1

package/dist/mcp/cli.js CHANGED Viewed

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
-import { i as generateTotp, n as assertRelayAuthConfigured, r as buildRelayVerifyAuth } from "../totp-D0a8VwoR.js";
+import { t as loadRelaySecretReadOnly } from "../relay-secret-store-5A7_7zOp.js";
+import { i as generateTotp, n as assertRelayAuthConfigured, r as buildRelayVerifyAuth } from "../totp-BIrJHsQn.js";
 import { createRequire } from "node:module";
 import { existsSync, mkdirSync, readFileSync, realpathSync, rmSync, writeFileSync } from "node:fs";
 import { argv } from "node:process";
@@ -13,12 +14,77 @@ import { createServer } from "node:http";
 import { spawn } from "node:child_process";
 import net from "node:net";
 import { homedir, platform } from "node:os";
-import { dirname, join } from "node:path";
+import { join } from "node:path";
 import { randomBytes } from "node:crypto";
 import { Tunnel, bin, install } from "cloudflared";
 //#region \0rolldown/runtime.js
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
+//#region src/shared/parent-watcher.ts
+/**
+* Shared parent-PID watcher — used by both the MCP debug daemon and the
+* unplugin tunnel path to self-terminate when the parent process (e.g. Claude
+* Code, vite) has died or been reparented without sending SIGTERM/SIGHUP.
+*
+* Intentionally react-free and Node-stdlib-only so this module is safe to
+* import from the MCP daemon bundle (`dist/mcp/cli.js`) without violating the
+* install-graph invariant.
+*/
+/**
+* Returns `true` when the given PID refers to a running process.
+*
+* Uses `process.kill(pid, 0)` — a no-op signal that succeeds when the process
+* exists and we have permission to signal it; throws ESRCH when it doesn't exist.
+*/
+function isPidAlive$1(pid) {
+	try {
+		process.kill(pid, 0);
+		return true;
+	} catch (err) {
+		if (err.code === "EPERM") return true;
+		return false;
+	}
+}
+/**
+* Starts a periodic watcher that detects when the parent process (e.g. Claude
+* Code) has died without sending SIGTERM/SIGHUP, and calls `onOrphaned` so the
+* daemon can self-terminate rather than running as a zombie.
+*
+* Mirrors the `startAttachWatcher` pattern: `setInterval`-based, returns
+* `{ stop(): void }`, injectable deps for testability.
+*
+* @param onOrphaned - Called once when the parent is gone.
+* @param opts.intervalMs   - Poll interval in milliseconds (default 5 000).
+* @param opts.initialPpid  - Parent PID to watch (default `process.ppid`).
+* @param opts.isAlive      - Predicate to test if a PID is running (default `isPidAlive`).
+* @param opts.getPpid      - Supplier of current ppid (default `() => process.ppid`).
+*                            Detects ppid changes as well as death.
+* @param opts.log          - Logger (default `process.stderr.write`).
+*
+* @returns `stop` — call during shutdown to clear the interval.
+*/
+function startParentWatcher(onOrphaned, opts) {
+	const { intervalMs = 5e3, initialPpid = process.ppid, isAlive = isPidAlive$1, getPpid = () => process.ppid, log = (msg) => process.stderr.write(msg) } = opts ?? {};
+	if (initialPpid <= 1) {
+		log("[ait-debug] parent-pid watcher: no parent to watch (ppid<=1), skipping\n");
+		return { stop() {} };
+	}
+	let fired = false;
+	const handle = setInterval(() => {
+		if (fired) return;
+		const currentPpid = getPpid();
+		if (currentPpid !== initialPpid || !isAlive(initialPpid)) {
+			fired = true;
+			clearInterval(handle);
+			log(`[ait-debug] parent-pid watcher: parent PID ${initialPpid} is gone (currentPpid=${currentPpid}) — shutting down\n`);
+			onOrphaned();
+		}
+	}, intervalMs);
+	return { stop() {
+		clearInterval(handle);
+	} };
+}
+//#endregion
 //#region src/mcp/ait-chii-source.ts
 function isObject$4(value) {
 	return typeof value === "object" && value !== null;
@@ -1579,7 +1645,746 @@ async function launchChromium(options = {}) {
 	};
 }
 //#endregion
+//#region src/i18n/en.ts
+const en = {
+	"panel.title": "AIT DevTools",
+	"panel.toggle.title": "AIT DevTools",
+	"panel.close": "Close",
+	"panel.editMode.on": "EDIT",
+	"panel.editMode.off": "READ-ONLY",
+	"panel.editMode.toggleTitle": "Toggle panel edit mode",
+	"panel.tabError": "Error rendering \"{tab}\" tab.",
+	"panel.tab.env": "Environment",
+	"panel.tab.presets": "Presets",
+	"panel.tab.viewport": "Viewport",
+	"panel.tab.permissions": "Permissions",
+	"panel.tab.notifications": "Notifications",
+	"panel.tab.location": "Location",
+	"panel.tab.device": "Device",
+	"panel.tab.iap": "IAP",
+	"panel.tab.ads": "Ads",
+	"panel.tab.events": "Events",
+	"panel.tab.analytics": "Analytics",
+	"panel.tab.storage": "Storage",
+	"common.readOnly": "Read-only — mock responses are controlled at build time.",
+	"toast.consent.title": "Send anonymous usage stats?",
+	"toast.consent.body": "We collect anonymous events only, to improve the tool. You can turn this off anytime in the Environment tab.",
+	"toast.consent.learnMore": "Learn more",
+	"toast.consent.accept": "Yes, send",
+	"toast.consent.deny": "No, thanks",
+	"env.section.platform": "Platform",
+	"env.row.os": "OS",
+	"env.row.appVersion": "App Version",
+	"env.row.environment": "Environment",
+	"env.row.locale": "Locale",
+	"env.section.network": "Network",
+	"env.row.networkStatus": "Status",
+	"env.section.safeArea": "Safe Area Insets",
+	"env.row.safeArea.top": "Top",
+	"env.row.safeArea.bottom": "Bottom",
+	"env.section.navigation": "Navigation",
+	"env.row.iosSwipeGesture": "iOS swipe-back",
+	"env.value.iosSwipeGesture.unset": "not called",
+	"env.value.iosSwipeGesture.enabled": "enabled",
+	"env.value.iosSwipeGesture.disabled": "disabled",
+	"env.hint.iosSwipeGesture": "Last value passed to setIosSwipeGestureEnabled. Switching Environment to toss lets a toss-gated guard toggle this.",
+	"env.telemetry.section": "Telemetry",
+	"env.telemetry.t0Row": "Anonymous usage signal (Tier 0)",
+	"env.telemetry.t0On": "On",
+	"env.telemetry.t0Off": "Off",
+	"env.telemetry.t0TurnOn": "Turn on",
+	"env.telemetry.t0TurnOff": "Turn off",
+	"env.telemetry.t0Desc": "Version + date only, no PII. Once per day. Helps improve the package.",
+	"env.telemetry.row": "Extended telemetry (Tier 1)",
+	"env.telemetry.on": "On",
+	"env.telemetry.off": "Off",
+	"env.telemetry.turnOn": "Turn on",
+	"env.telemetry.turnOff": "Turn off",
+	"env.telemetry.anonIdLabel": "anon_id: {value}",
+	"env.telemetry.anonIdNotSet": "(not yet set)",
+	"env.telemetry.anonIdCopyTitle": "Click to copy full anon_id",
+	"env.telemetry.deleteBtn": "Delete my data",
+	"env.telemetry.deleting": "Deleting…",
+	"env.telemetry.deleted": "Deleted",
+	"env.telemetry.deleteFailedRetry": "Delete failed (please retry)",
+	"env.telemetry.deleteFailed": "Delete failed",
+	"env.telemetry.privacyLink": "Privacy policy →",
+	"env.section.language": "Language",
+	"env.language.row": "Language",
+	"env.language.ko": "한국어",
+	"env.language.en": "English",
+	"permissions.section.device": "Device Permissions",
+	"location.section.current": "Current Location",
+	"location.row.latitude": "Latitude",
+	"location.row.longitude": "Longitude",
+	"location.row.accuracy": "Accuracy",
+	"device.section.modes": "Device API Modes",
+	"device.row.camera": "Camera",
+	"device.row.photos": "Photos",
+	"device.row.location": "Location",
+	"device.row.network": "Network",
+	"device.row.clipboard": "Clipboard",
+	"device.section.mockImages": "Mock Images ({count})",
+	"device.btn.add": "+ Add",
+	"device.btn.useDefaults": "Use defaults",
+	"device.btn.clear": "Clear",
+	"device.prompt.camera.title": "Camera Prompt — Select an image",
+	"device.prompt.photos.title": "Photos Prompt — Select images",
+	"device.prompt.location.title": "Location Prompt — Enter coordinates",
+	"device.prompt.locationUpdate.title": "Location Update — Send coordinates",
+	"device.prompt.fallbackTitle": "Prompt: {type}",
+	"device.prompt.label.lat": "Lat",
+	"device.prompt.label.lng": "Lng",
+	"device.prompt.send": "Send",
+	"device.prompt.cancel": "Cancel",
+	"device.section.haptic": "Haptic",
+	"device.haptic.lastCall": "Last haptic",
+	"device.haptic.noneYet": "(none yet)",
+	"device.haptic.trigger": "Trigger haptic",
+	"viewport.section.device": "Device",
+	"viewport.row.preset": "Preset",
+	"viewport.row.orientation": "Orientation",
+	"viewport.row.notchSide": "Notch side",
+	"viewport.section.custom": "Custom size",
+	"viewport.row.width": "Width (px)",
+	"viewport.row.height": "Height (px)",
+	"viewport.section.appearance": "Appearance",
+	"viewport.row.showFrame": "Show frame",
+	"viewport.row.showAitNavBar": "Show Apps in Toss nav bar",
+	"viewport.row.navBarType": "Nav bar type",
+	"viewport.status.noConstraint": "No viewport constraint — body fills the window.",
+	"viewport.status.cssPhysical": "CSS / physical",
+	"viewport.status.safeArea": "Safe area",
+	"viewport.status.aitNavBar": "AIT nav bar",
+	"viewport.status.aitNavBarValue": "{height}px → SafeArea top · {type}",
+	"viewport.orientation.autoSuffix": "{orient} (auto)",
+	"iap.section.simulator": "IAP Simulator",
+	"iap.row.nextResult": "Next Purchase Result",
+	"iap.section.tossPay": "TossPay",
+	"iap.row.tossPayResult": "Next Payment Result",
+	"iap.section.pending": "Pending Orders ({count})",
+	"iap.empty.pending": "(no pending orders)",
+	"iap.section.completed": "Completed Orders ({count})",
+	"iap.empty.completed": "(no completed orders)",
+	"iap.btn.complete": "Complete",
+	"iap.label.pending": "PENDING",
+	"events.section.navigation": "Navigation Events",
+	"events.btn.triggerBack": "Trigger Back Event",
+	"events.btn.triggerHome": "Trigger Home Event",
+	"events.section.login": "Login",
+	"events.row.loggedIn": "Logged In",
+	"events.row.tossLoginIntegrated": "Toss Login Integrated",
+	"analytics.section.log": "Analytics Log ({count})",
+	"analytics.btn.clear": "Clear",
+	"analytics.calls.section": "SDK Calls ({count})",
+	"analytics.calls.btn.clear": "Clear",
+	"analytics.calls.empty": "(no SDK calls yet)",
+	"storage.section.title": "Storage ({count} items)",
+	"storage.btn.clearAll": "Clear All",
+	"storage.empty": "No items in storage",
+	"presets.section.builtIn": "Built-in scenarios",
+	"presets.section.saved": "Saved presets ({count})",
+	"presets.section.save": "Save",
+	"presets.save.description": "Capture network / permissions / auth / IAP / ads / payment slices.",
+	"presets.btn.saveCurrent": "Save current as preset",
+	"presets.btn.apply": "Apply",
+	"presets.btn.reApply": "Re-apply",
+	"presets.btn.delete": "Delete",
+	"presets.empty.saved": "No saved presets yet.",
+	"presets.empty.builtIn": "No built-in presets.",
+	"presets.prompt.label": "Preset label?",
+	"presets.confirm.delete": "Delete preset \"{label}\"?",
+	"ads.section.state": "Ads State",
+	"ads.row.isLoaded": "isLoaded",
+	"ads.row.forceNoFill": "Force \"no fill\"",
+	"ads.empty.events": "No events yet",
+	"ads.section.googleAdMob": "GoogleAdMob",
+	"ads.section.tossAds": "TossAds",
+	"ads.section.fullScreenAd": "FullScreenAd",
+	"ads.btn.load": "Load",
+	"ads.btn.show": "Show",
+	"ads.section.tossAdsBanner": "TossAds Banner",
+	"ads.row.rewardUnitType": "Reward unit type",
+	"ads.row.rewardAmount": "Reward amount",
+	"ads.btn.render": "Render",
+	"ads.btn.noFill": "No-fill",
+	"ads.btn.click": "Click",
+	"ads.btn.destroy": "Destroy",
+	"notifications.section.title": "requestNotificationAgreement",
+	"notifications.option.newAgreement": "newAgreement (first-time agree)",
+	"notifications.option.alreadyAgreed": "alreadyAgreed (already opted-in)",
+	"notifications.option.agreementRejected": "agreementRejected (user declined)",
+	"dashboard.title": "AIT Debug Dashboard",
+	"dashboard.updated": "Last updated: {ts}",
+	"dashboard.tunnel.section": "Tunnel status",
+	"dashboard.tunnel.up": "Connected",
+	"dashboard.tunnel.down": "Disconnected",
+	"dashboard.attach.section": "Attach QR",
+	"dashboard.attach.hint": "Call the build_attach_url MCP tool to show the QR here.",
+	"dashboard.pages.section": "Connected Pages",
+	"dashboard.pages.empty": "No attached pages",
+	"attach.title": "AIT Debug Session — QR Scan",
+	"attach.deployment": "deployment: {label}",
+	"attach.steps.section": "How to scan",
+	"attach.step1": "Open the Toss app.",
+	"attach.step2": "Scan the QR code with your phone camera app.",
+	"attach.step3": "Tap <strong>\"Open in Toss\"</strong> when the popup appears.",
+	"attach.step4": "The mini-app opens and the debug session attaches automatically.",
+	"attach.faq.section": "Troubleshooting checklist",
+	"attach.faq.appNotOpen": "<strong>Toss app does not open</strong> — check app version; scan with the system camera app (not the Toss in-app QR reader)",
+	"attach.faq.prepare": "<strong>Mini-app stuck in PREPARE state</strong> — verify the deep-link has a <code>_deploymentId</code> parameter",
+	"attach.faq.chii": "<strong>Chii injection failure / console is empty</strong> — verify the mini-app bundle has an <code>in-app</code> debug import",
+	"attach.faq.totp": "<strong>TOTP gate Layer C is inactive</strong> — check that <code>AIT_DEBUG_TOTP_SECRET</code> is set on the relay server",
+	"attach.url.section": "URL (fallback)",
+	"launcher.title": "AITC DevTools Launcher",
+	"launcher.description": "Scan the terminal QR code or paste the tunnel URL.",
+	"launcher.installCta": "Install launcher to your phone",
+	"launcher.urlPlaceholder": "https://example.trycloudflare.com",
+	"launcher.openBtn": "Open",
+	"launcher.scanBtn": "Scan QR with camera",
+	"launcher.rescanBtn": "Rescan",
+	"launcher.noCamera": "No camera available — paste the URL instead.",
+	"launcher.cameraError": "Could not access the camera — paste the URL instead.",
+	"launcher.invalidUrlHttps": "Enter a valid https:// URL (the tunnel URL from your terminal).",
+	"launcher.invalidUrl": "Enter a valid http(s):// URL."
+};
+//#endregion
+//#region src/i18n/index.ts
+/**
+* Vanilla TS i18n for the floating DevTools panel.
+*
+* Public surface:
+*   - `t(key, vars?)` — look up a UI string, with `{name}` placeholder
+*     interpolation. Falls back to the key itself if a translation is missing.
+*   - `getLocale()` / `setLocale(locale)` — read/persist the active locale.
+*     `setLocale` dispatches `__ait:localechange` so the panel can remount.
+*   - `detectLocale()` — first-run heuristic from `navigator.language`.
+*
+* `ko` is the source of truth (keys are typed from it). `en` is also a full
+* `Record<StringKey, string>` (devtools is developer-facing, en is a real
+* audience). The `Partial` lookup table preserves the runtime `?? key` safety
+* net even though we ship complete catalogs today.
+*/
+const tables = {
+	ko: {
+		"panel.title": "AIT DevTools",
+		"panel.toggle.title": "AIT DevTools",
+		"panel.close": "Close",
+		"panel.editMode.on": "EDIT",
+		"panel.editMode.off": "READ-ONLY",
+		"panel.editMode.toggleTitle": "패널 편집 모드 전환",
+		"panel.tabError": "\"{tab}\" 탭 렌더링 중 오류가 발생했습니다.",
+		"panel.tab.env": "Environment",
+		"panel.tab.presets": "Presets",
+		"panel.tab.viewport": "Viewport",
+		"panel.tab.permissions": "Permissions",
+		"panel.tab.notifications": "Notifications",
+		"panel.tab.location": "Location",
+		"panel.tab.device": "Device",
+		"panel.tab.iap": "IAP",
+		"panel.tab.ads": "Ads",
+		"panel.tab.events": "Events",
+		"panel.tab.analytics": "Analytics",
+		"panel.tab.storage": "Storage",
+		"common.readOnly": "읽기 전용 — mock 응답은 빌드 타임에 고정됩니다.",
+		"toast.consent.title": "익명 사용 통계를 보낼까요?",
+		"toast.consent.body": "도구 개선을 위해 익명 이벤트만 수집해요. 언제든 환경 탭에서 끌 수 있어요.",
+		"toast.consent.learnMore": "더 알아보기",
+		"toast.consent.accept": "네, 보낼게요",
+		"toast.consent.deny": "아니요",
+		"env.section.platform": "Platform",
+		"env.row.os": "OS",
+		"env.row.appVersion": "App Version",
+		"env.row.environment": "Environment",
+		"env.row.locale": "Locale",
+		"env.section.network": "Network",
+		"env.row.networkStatus": "Status",
+		"env.section.safeArea": "Safe Area Insets",
+		"env.row.safeArea.top": "Top",
+		"env.row.safeArea.bottom": "Bottom",
+		"env.section.navigation": "Navigation",
+		"env.row.iosSwipeGesture": "iOS swipe-back",
+		"env.value.iosSwipeGesture.unset": "미호출",
+		"env.value.iosSwipeGesture.enabled": "enabled",
+		"env.value.iosSwipeGesture.disabled": "disabled",
+		"env.hint.iosSwipeGesture": "setIosSwipeGestureEnabled의 마지막 호출값. Environment를 toss로 바꾸면 toss-gated 가드가 이 값을 토글합니다.",
+		"env.telemetry.section": "Telemetry",
+		"env.telemetry.t0Row": "익명 사용 신호 (Tier 0)",
+		"env.telemetry.t0On": "On",
+		"env.telemetry.t0Off": "Off",
+		"env.telemetry.t0TurnOn": "Turn on",
+		"env.telemetry.t0TurnOff": "Turn off",
+		"env.telemetry.t0Desc": "버전·날짜만 수집, PII 없음. 하루 1회. 패키지 개선에 사용됩니다.",
+		"env.telemetry.row": "확장 텔레메트리 (Tier 1)",
+		"env.telemetry.on": "On",
+		"env.telemetry.off": "Off",
+		"env.telemetry.turnOn": "Turn on",
+		"env.telemetry.turnOff": "Turn off",
+		"env.telemetry.anonIdLabel": "anon_id: {value}",
+		"env.telemetry.anonIdNotSet": "(not yet set)",
+		"env.telemetry.anonIdCopyTitle": "전체 anon_id 복사",
+		"env.telemetry.deleteBtn": "내 데이터 삭제",
+		"env.telemetry.deleting": "삭제 중…",
+		"env.telemetry.deleted": "삭제 완료",
+		"env.telemetry.deleteFailedRetry": "삭제 실패 (다시 시도해주세요)",
+		"env.telemetry.deleteFailed": "삭제 실패",
+		"env.telemetry.privacyLink": "개인정보 처리방침 →",
+		"env.section.language": "Language",
+		"env.language.row": "Language",
+		"env.language.ko": "한국어",
+		"env.language.en": "English",
+		"permissions.section.device": "Device Permissions",
+		"location.section.current": "Current Location",
+		"location.row.latitude": "Latitude",
+		"location.row.longitude": "Longitude",
+		"location.row.accuracy": "Accuracy",
+		"device.section.modes": "Device API Modes",
+		"device.row.camera": "Camera",
+		"device.row.photos": "Photos",
+		"device.row.location": "Location",
+		"device.row.network": "Network",
+		"device.row.clipboard": "Clipboard",
+		"device.section.mockImages": "Mock Images ({count})",
+		"device.btn.add": "+ Add",
+		"device.btn.useDefaults": "Use defaults",
+		"device.btn.clear": "Clear",
+		"device.prompt.camera.title": "Camera Prompt — 이미지를 선택하세요",
+		"device.prompt.photos.title": "Photos Prompt — 이미지를 선택하세요",
+		"device.prompt.location.title": "Location Prompt — 좌표 입력",
+		"device.prompt.locationUpdate.title": "Location Update — 좌표 전송",
+		"device.prompt.fallbackTitle": "Prompt: {type}",
+		"device.prompt.label.lat": "Lat",
+		"device.prompt.label.lng": "Lng",
+		"device.prompt.send": "Send",
+		"device.prompt.cancel": "Cancel",
+		"device.section.haptic": "Haptic",
+		"device.haptic.lastCall": "마지막 haptic",
+		"device.haptic.noneYet": "(아직 없음)",
+		"device.haptic.trigger": "Haptic 트리거",
+		"viewport.section.device": "Device",
+		"viewport.row.preset": "Preset",
+		"viewport.row.orientation": "Orientation",
+		"viewport.row.notchSide": "Notch side",
+		"viewport.section.custom": "Custom size",
+		"viewport.row.width": "Width (px)",
+		"viewport.row.height": "Height (px)",
+		"viewport.section.appearance": "Appearance",
+		"viewport.row.showFrame": "Show frame",
+		"viewport.row.showAitNavBar": "Apps in Toss 내비게이션 바 표시",
+		"viewport.row.navBarType": "Nav bar type",
+		"viewport.status.noConstraint": "뷰포트 제약 없음 — body가 창을 가득 채웁니다.",
+		"viewport.status.cssPhysical": "CSS / physical",
+		"viewport.status.safeArea": "Safe area",
+		"viewport.status.aitNavBar": "AIT nav bar",
+		"viewport.status.aitNavBarValue": "{height}px → SafeArea top · {type}",
+		"viewport.orientation.autoSuffix": "{orient} (auto)",
+		"iap.section.simulator": "IAP Simulator",
+		"iap.row.nextResult": "Next Purchase Result",
+		"iap.section.tossPay": "TossPay",
+		"iap.row.tossPayResult": "Next Payment Result",
+		"iap.section.pending": "Pending Orders ({count})",
+		"iap.empty.pending": "(대기 중인 주문 없음)",
+		"iap.section.completed": "Completed Orders ({count})",
+		"iap.empty.completed": "(완료된 주문 없음)",
+		"iap.btn.complete": "Complete",
+		"iap.label.pending": "PENDING",
+		"events.section.navigation": "Navigation Events",
+		"events.btn.triggerBack": "Back 이벤트 발생",
+		"events.btn.triggerHome": "Home 이벤트 발생",
+		"events.section.login": "Login",
+		"events.row.loggedIn": "Logged In",
+		"events.row.tossLoginIntegrated": "Toss Login Integrated",
+		"analytics.section.log": "Analytics Log ({count})",
+		"analytics.btn.clear": "Clear",
+		"analytics.calls.section": "SDK Calls ({count})",
+		"analytics.calls.btn.clear": "Clear",
+		"analytics.calls.empty": "(아직 SDK 호출 없음)",
+		"storage.section.title": "Storage ({count} items)",
+		"storage.btn.clearAll": "Clear All",
+		"storage.empty": "저장된 항목이 없습니다",
+		"presets.section.builtIn": "Built-in scenarios",
+		"presets.section.saved": "Saved presets ({count})",
+		"presets.section.save": "Save",
+		"presets.save.description": "network / permissions / auth / IAP / ads / payment 슬라이스를 캡처합니다.",
+		"presets.btn.saveCurrent": "현재 상태를 프리셋으로 저장",
+		"presets.btn.apply": "Apply",
+		"presets.btn.reApply": "Re-apply",
+		"presets.btn.delete": "Delete",
+		"presets.empty.saved": "저장된 프리셋이 아직 없습니다.",
+		"presets.empty.builtIn": "내장 프리셋이 없습니다.",
+		"presets.prompt.label": "프리셋 라벨을 입력하세요",
+		"presets.confirm.delete": "\"{label}\" 프리셋을 삭제할까요?",
+		"ads.section.state": "Ads State",
+		"ads.row.isLoaded": "isLoaded",
+		"ads.row.forceNoFill": "강제 \"no fill\"",
+		"ads.empty.events": "아직 이벤트가 없습니다",
+		"ads.section.googleAdMob": "GoogleAdMob",
+		"ads.section.tossAds": "TossAds",
+		"ads.section.fullScreenAd": "FullScreenAd",
+		"ads.btn.load": "Load",
+		"ads.btn.show": "Show",
+		"ads.section.tossAdsBanner": "TossAds 배너",
+		"ads.row.rewardUnitType": "리워드 단위 타입",
+		"ads.row.rewardAmount": "리워드 수량",
+		"ads.btn.render": "Render",
+		"ads.btn.noFill": "No-fill",
+		"ads.btn.click": "Click",
+		"ads.btn.destroy": "Destroy",
+		"notifications.section.title": "requestNotificationAgreement",
+		"notifications.option.newAgreement": "newAgreement (최초 동의)",
+		"notifications.option.alreadyAgreed": "alreadyAgreed (이미 동의됨)",
+		"notifications.option.agreementRejected": "agreementRejected (사용자 거절)",
+		"dashboard.title": "AIT 디버그 Dashboard",
+		"dashboard.updated": "마지막 갱신: {ts}",
+		"dashboard.tunnel.section": "터널 상태",
+		"dashboard.tunnel.up": "연결됨",
+		"dashboard.tunnel.down": "끊어짐",
+		"dashboard.attach.section": "Attach QR",
+		"dashboard.attach.hint": "build_attach_url MCP tool을 호출하면 QR이 여기에 표시됩니다.",
+		"dashboard.pages.section": "연결된 Pages",
+		"dashboard.pages.empty": "attach된 페이지 없음",
+		"attach.title": "AIT 디버그 세션 — QR 스캔",
+		"attach.deployment": "deployment: {label}",
+		"attach.steps.section": "스캔 절차",
+		"attach.step1": "토스 앱을 실행하세요.",
+		"attach.step2": "폰 카메라 앱으로 QR 코드를 스캔하세요.",
+		"attach.step3": "팝업이 뜨면 <strong>\"토스로 열기\"</strong>를 탭하세요.",
+		"attach.step4": "미니앱이 열리고 디버그 세션이 자동으로 attach됩니다.",
+		"attach.faq.section": "진단 체크리스트",
+		"attach.faq.appNotOpen": "<strong>토스 앱이 안 열리는 경우</strong> — 앱 버전 확인, 카메라 앱으로 스캔 (토스 앱 내 QR 리더 X)",
+		"attach.faq.prepare": "<strong>미니앱이 PREPARE 상태에서 멈추는 경우</strong> — deep-link에 <code>_deploymentId</code> 파라미터가 있는지 확인",
+		"attach.faq.chii": "<strong>Chii 주입 실패 / 콘솔이 비어 있는 경우</strong> — 미니앱 번들에 <code>in-app</code> debug import가 있는지 확인",
+		"attach.faq.totp": "<strong>TOTP gate Layer C가 비활성인 경우</strong> — relay 서버에 <code>AIT_DEBUG_TOTP_SECRET</code>이 설정돼 있는지 확인",
+		"attach.url.section": "URL (fallback)",
+		"launcher.title": "AITC DevTools Launcher",
+		"launcher.description": "터미널 QR을 스캔하거나 URL을 입력하세요.",
+		"launcher.installCta": "폰에 런처 설치하기",
+		"launcher.urlPlaceholder": "https://example.trycloudflare.com",
+		"launcher.openBtn": "Open",
+		"launcher.scanBtn": "QR 카메라로 스캔",
+		"launcher.rescanBtn": "Rescan",
+		"launcher.noCamera": "카메라를 사용할 수 없습니다 — URL을 직접 붙여넣으세요.",
+		"launcher.cameraError": "카메라에 접근할 수 없습니다 — URL을 직접 붙여넣으세요.",
+		"launcher.invalidUrlHttps": "올바른 https:// URL을 입력하세요 (터미널의 터널 URL).",
+		"launcher.invalidUrl": "올바른 http(s):// URL을 입력하세요."
+	},
+	en
+};
+/**
+* Decide a locale from a BCP-47 language tag. `ko` (and `ko-*`) → `'ko'`,
+* everything else → `'en'`. Shared by the browser (`navigator.language`) and
+* Node (`Accept-Language` header) paths so both resolve identically.
+*/
+function localeFromLanguageTag(lang) {
+	return /^ko\b/i.test(lang) ? "ko" : "en";
+}
+/**
+* Decide a locale from an HTTP `Accept-Language` header value. The Node-served
+* surfaces (e.g. the qr-http-server dashboard) have no `navigator`, so the
+* request header is the only language signal. Reads the FIRST language tag
+* (highest priority, ignoring `q=` weights — good enough for ko/en) and feeds
+* it through the same `ko`-vs-`en` heuristic `detectLocale` uses. Returns `'en'`
+* for an empty/missing header.
+*/
+function parseAcceptLanguage(header) {
+	if (!header) return "en";
+	return localeFromLanguageTag(header.split(",")[0]?.trim().split(";")[0]?.trim() ?? "");
+}
+/**
+* A locale-bound string resolver for surfaces that can't use the in-memory
+* `getLocale()` cache — notably the Node HTTP server, which resolves locale
+* per-request from `Accept-Language` rather than from a process-global. Returns
+* a `t`-compatible closure over the SAME `ko`/`en` tables (single source of
+* truth), so the dashboard/attach HTML shares the exact 169-key catalog the
+* browser surfaces use. The `key: StringKey` signature keeps compile-time key
+* safety on the Node path identical to `t()`.
+*/
+function resolveLocaleStrings(locale) {
+	const table = tables[locale];
+	return (key, vars) => {
+		const raw = table[key] ?? key;
+		if (!vars) return raw;
+		return raw.replace(/\{(\w+)\}/g, (match, name) => {
+			const value = vars[name];
+			return value === void 0 ? match : String(value);
+		});
+	};
+}
+//#endregion
+//#region src/mcp/dashboard.generated.ts
+const dashboardChromeHtmlKo = `<!DOCTYPE html>
+<html lang="ko"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><title>AIT 디버그 Dashboard</title><style>
+*, *::before, *::after { box-sizing: border-box; }
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+  background: #0d1117; color: #c9d1d9;
+  display: flex; flex-direction: column; align-items: center;
+  min-height: 100vh; margin: 0; padding: 2rem 1rem;
+  gap: 1.5rem;
+}
+h1 { font-size: 1.25rem; font-weight: 600; color: #e6edf3; margin: 0; text-align: center; }
+.updated { font-size: 0.75rem; opacity: 0.4; font-family: monospace; margin: 0; }
+section { width: 100%; max-width: 520px; }
+h2 { font-size: 1rem; font-weight: 600; color: #e6edf3; margin: 0 0 0.5rem; }
+.status { display: inline-block; padding: 0.25rem 0.75rem; border-radius: 999px; font-size: 0.8rem; font-weight: 600; }
+.status-up { background: #238636; color: #fff; }
+.status-down { background: #6e7681; color: #fff; }
+img.qr {
+  width: min(80vw, 300px); height: auto;
+  image-rendering: pixelated;
+  background: #fff; padding: 0.75rem; border-radius: 10px;
+  display: block; margin: 0.5rem auto;
+}
+.url-box {
+  font-family: monospace; font-size: 0.7rem;
+  word-break: break-all; opacity: 0.45;
+  background: #161b22; padding: 0.6rem 0.85rem;
+  border-radius: 6px; border: 1px solid #30363d; margin: 0.5rem 0 0;
+}
+.hint { font-size: 0.85rem; opacity: 0.5; margin: 0.25rem 0 0; }
+ul { margin: 0; padding-left: 1.25rem; }
+li { margin-bottom: 0.35rem; font-size: 0.85rem; line-height: 1.5; }
+li.empty { opacity: 0.4; list-style: none; padding-left: 0; }
+.page-id { font-family: monospace; font-size: 0.75rem; opacity: 0.5; margin-right: 0.4rem; }
+.page-url { word-break: break-all; }
+hr { border: none; border-top: 1px solid #21262d; width: 100%; margin: 0; }
+</style></head><body><h1>AIT 디버그 Dashboard</h1><p class="updated" id="updated">마지막 갱신: __NOW__</p><section><h2>터널 상태</h2><span class="status __TUNNEL_CLASS__" id="tunnel-status">__TUNNEL_STATUS__</span></section><hr/><section><h2>Attach QR</h2><div id="attach-section">__ATTACH_SECTION__</div></section>__PAGES_SECTION__</body></html>`;
+const attachChromeHtmlKo = `<!DOCTYPE html>
+<html lang="ko"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="__QR_DATA_URL__"/><title>AIT 디버그 세션 — QR 스캔</title><style>
+*, *::before, *::after { box-sizing: border-box; }
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+  background: #0d1117; color: #c9d1d9;
+  display: flex; flex-direction: column; align-items: center;
+  min-height: 100vh; margin: 0; padding: 2rem 1rem;
+  gap: 1.5rem;
+}
+h1 { font-size: 1.25rem; font-weight: 600; color: #e6edf3; margin: 0; text-align: center; }
+.label { font-size: 0.8rem; opacity: 0.5; font-family: monospace; margin: 0; }
+img.qr {
+  width: min(90vw, 360px); height: auto;
+  image-rendering: pixelated;
+  background: #fff; padding: 1rem; border-radius: 12px;
+}
+section { width: 100%; max-width: 480px; }
+h2 { font-size: 1rem; font-weight: 600; color: #e6edf3; margin: 0 0 0.5rem; }
+ol, ul { margin: 0; padding-left: 1.25rem; }
+li { margin-bottom: 0.4rem; font-size: 0.9rem; line-height: 1.5; }
+.url-box {
+  font-family: monospace; font-size: 0.72rem;
+  word-break: break-all; opacity: 0.4;
+  background: #161b22; padding: 0.75rem 1rem;
+  border-radius: 6px; border: 1px solid #30363d;
+}
+hr { border: none; border-top: 1px solid #21262d; width: 100%; margin: 0.5rem 0; }
+</style></head><body><h1>AIT 디버그 세션 — QR 스캔</h1><p class="label">deployment: __SAFE_LABEL__</p><img class="qr" src="__QR_DATA_URL__" alt="attach QR"/><section><h2>스캔 절차</h2><ol><li>토스 앱을 실행하세요.</li><li>폰 카메라 앱으로 QR 코드를 스캔하세요.</li><li>팝업이 뜨면 <strong>"토스로 열기"</strong>를 탭하세요.</li><li>미니앱이 열리고 디버그 세션이 자동으로 attach됩니다.</li></ol></section><hr/><section><h2>진단 체크리스트</h2><ul><li><strong>토스 앱이 안 열리는 경우</strong> — 앱 버전 확인, 카메라 앱으로 스캔 (토스 앱 내 QR 리더 X)</li><li><strong>미니앱이 PREPARE 상태에서 멈추는 경우</strong> — deep-link에 <code>_deploymentId</code> 파라미터가 있는지 확인</li><li><strong>Chii 주입 실패 / 콘솔이 비어 있는 경우</strong> — 미니앱 번들에 <code>in-app</code> debug import가 있는지 확인</li><li><strong>TOTP gate Layer C가 비활성인 경우</strong> — relay 서버에 <code>AIT_DEBUG_TOTP_SECRET</code>이 설정돼 있는지 확인</li></ul></section><hr/><section><h2>URL (fallback)</h2><p class="url-box">__SAFE_ATTACH_URL__</p></section></body></html>`;
+const dashboardChromeHtmlEn = `<!DOCTYPE html>
+<html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><title>AIT Debug Dashboard</title><style>
+*, *::before, *::after { box-sizing: border-box; }
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+  background: #0d1117; color: #c9d1d9;
+  display: flex; flex-direction: column; align-items: center;
+  min-height: 100vh; margin: 0; padding: 2rem 1rem;
+  gap: 1.5rem;
+}
+h1 { font-size: 1.25rem; font-weight: 600; color: #e6edf3; margin: 0; text-align: center; }
+.updated { font-size: 0.75rem; opacity: 0.4; font-family: monospace; margin: 0; }
+section { width: 100%; max-width: 520px; }
+h2 { font-size: 1rem; font-weight: 600; color: #e6edf3; margin: 0 0 0.5rem; }
+.status { display: inline-block; padding: 0.25rem 0.75rem; border-radius: 999px; font-size: 0.8rem; font-weight: 600; }
+.status-up { background: #238636; color: #fff; }
+.status-down { background: #6e7681; color: #fff; }
+img.qr {
+  width: min(80vw, 300px); height: auto;
+  image-rendering: pixelated;
+  background: #fff; padding: 0.75rem; border-radius: 10px;
+  display: block; margin: 0.5rem auto;
+}
+.url-box {
+  font-family: monospace; font-size: 0.7rem;
+  word-break: break-all; opacity: 0.45;
+  background: #161b22; padding: 0.6rem 0.85rem;
+  border-radius: 6px; border: 1px solid #30363d; margin: 0.5rem 0 0;
+}
+.hint { font-size: 0.85rem; opacity: 0.5; margin: 0.25rem 0 0; }
+ul { margin: 0; padding-left: 1.25rem; }
+li { margin-bottom: 0.35rem; font-size: 0.85rem; line-height: 1.5; }
+li.empty { opacity: 0.4; list-style: none; padding-left: 0; }
+.page-id { font-family: monospace; font-size: 0.75rem; opacity: 0.5; margin-right: 0.4rem; }
+.page-url { word-break: break-all; }
+hr { border: none; border-top: 1px solid #21262d; width: 100%; margin: 0; }
+</style></head><body><h1>AIT Debug Dashboard</h1><p class="updated" id="updated">Last updated: __NOW__</p><section><h2>Tunnel status</h2><span class="status __TUNNEL_CLASS__" id="tunnel-status">__TUNNEL_STATUS__</span></section><hr/><section><h2>Attach QR</h2><div id="attach-section">__ATTACH_SECTION__</div></section>__PAGES_SECTION__</body></html>`;
+const attachChromeHtmlEn = `<!DOCTYPE html>
+<html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="__QR_DATA_URL__"/><title>AIT Debug Session — QR Scan</title><style>
+*, *::before, *::after { box-sizing: border-box; }
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+  background: #0d1117; color: #c9d1d9;
+  display: flex; flex-direction: column; align-items: center;
+  min-height: 100vh; margin: 0; padding: 2rem 1rem;
+  gap: 1.5rem;
+}
+h1 { font-size: 1.25rem; font-weight: 600; color: #e6edf3; margin: 0; text-align: center; }
+.label { font-size: 0.8rem; opacity: 0.5; font-family: monospace; margin: 0; }
+img.qr {
+  width: min(90vw, 360px); height: auto;
+  image-rendering: pixelated;
+  background: #fff; padding: 1rem; border-radius: 12px;
+}
+section { width: 100%; max-width: 480px; }
+h2 { font-size: 1rem; font-weight: 600; color: #e6edf3; margin: 0 0 0.5rem; }
+ol, ul { margin: 0; padding-left: 1.25rem; }
+li { margin-bottom: 0.4rem; font-size: 0.9rem; line-height: 1.5; }
+.url-box {
+  font-family: monospace; font-size: 0.72rem;
+  word-break: break-all; opacity: 0.4;
+  background: #161b22; padding: 0.75rem 1rem;
+  border-radius: 6px; border: 1px solid #30363d;
+}
+hr { border: none; border-top: 1px solid #21262d; width: 100%; margin: 0.5rem 0; }
+</style></head><body><h1>AIT Debug Session — QR Scan</h1><p class="label">deployment: __SAFE_LABEL__</p><img class="qr" src="__QR_DATA_URL__" alt="attach QR"/><section><h2>How to scan</h2><ol><li>Open the Toss app.</li><li>Scan the QR code with your phone camera app.</li><li>Tap <strong>"Open in Toss"</strong> when the popup appears.</li><li>The mini-app opens and the debug session attaches automatically.</li></ol></section><hr/><section><h2>Troubleshooting checklist</h2><ul><li><strong>Toss app does not open</strong> — check app version; scan with the system camera app (not the Toss in-app QR reader)</li><li><strong>Mini-app stuck in PREPARE state</strong> — verify the deep-link has a <code>_deploymentId</code> parameter</li><li><strong>Chii injection failure / console is empty</strong> — verify the mini-app bundle has an <code>in-app</code> debug import</li><li><strong>TOTP gate Layer C is inactive</strong> — check that <code>AIT_DEBUG_TOTP_SECRET</code> is set on the relay server</li></ul></section><hr/><section><h2>URL (fallback)</h2><p class="url-box">__SAFE_ATTACH_URL__</p></section></body></html>`;
+/** Map from Locale to the precompiled dashboard chrome string. */
+const dashboardChromeByLocale = {
+	ko: dashboardChromeHtmlKo,
+	en: dashboardChromeHtmlEn
+};
+/** Map from Locale to the precompiled attach page chrome string. */
+const attachChromeByLocale = {
+	ko: attachChromeHtmlKo,
+	en: attachChromeHtmlEn
+};
+//#endregion
 //#region src/mcp/qr-http-server.ts
+/** HTML 특수문자를 이스케이프한다. */
+function escapeHtml(s) {
+	return s.replace(/[<>&"']/g, (c) => `&#${c.charCodeAt(0)};`);
+}
+/**
+* Dashboard HTML — precompiled chrome에 per-request 동적 값을 채워 완성한다.
+*
+* 토큰 채우기 순서:
+*   1. chrome string(locale별 precompile)을 가져온다.
+*   2. 동적 부분을 단순 replaceAll로 채운다 (토큰이 HTML context 밖에 있으므로 안전).
+*   3. inline SSE <script>를 </body> 직전에 주입한다.
+*
+* 동적 파트 분류:
+*   - "token-fill": 단일 값 교체 (__NOW__, __TUNNEL_CLASS__, __TUNNEL_STATUS__,
+*     __ATTACH_SECTION__)
+*   - "runtime builder": 가변 길이 구조 (__PAGES_SECTION__ — 조건부 렌더 + 가변 rows)
+*   - "suffix": inline SSE <script> (빌드 파이프라인 없는 클라이언트 스크립트, locale
+*     aware 문자열 포함)
+*
+* SECRET-HANDLING:
+*   - attachUrl은 url-box 안에서만 노출 (TOTP at= 코드 캡슐 그대로).
+*   - tunnel wssUrl은 "터널 연결됨" 상태 표시에서 UP/DOWN만 노출.
+*     wssUrl 값 자체는 dashboard HTML에 넣지 않는다.
+*/
+function buildDashboardHtml(state, qrDataUrl, locale) {
+	const s = resolveLocaleStrings(locale);
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	const tunnelStatus = state.tunnel.up ? s("dashboard.tunnel.up") : s("dashboard.tunnel.down");
+	const tunnelClass = state.tunnel.up ? "status-up" : "status-down";
+	let attachSection;
+	if (qrDataUrl && state.attachUrl) attachSection = `<img class="qr" src="${qrDataUrl}" alt="attach QR" /><p class="url-box">${escapeHtml(state.attachUrl)}</p>`;
+	else attachSection = `<p class="hint">${escapeHtml(s("dashboard.attach.hint"))}</p>`;
+	const pagesSection = state.pages === null ? "" : `<hr /><section id="pages-section"><h2>${escapeHtml(s("dashboard.pages.section"))}</h2><ul id="pages-list">${state.pages.length > 0 ? state.pages.map((p) => {
+		return `<li><span class="page-id">${escapeHtml(p.id)}</span> <span class="page-url">${escapeHtml(p.url.slice(0, 120))}</span></li>`;
+	}).join("\n") : `<li class="empty">${escapeHtml(s("dashboard.pages.empty"))}</li>`}</ul></section>`;
+	const sseStrings = {
+		tunnelUp: JSON.stringify(s("dashboard.tunnel.up")),
+		tunnelDown: JSON.stringify(s("dashboard.tunnel.down")),
+		pagesEmpty: JSON.stringify(s("dashboard.pages.empty")),
+		attachHint: JSON.stringify(s("dashboard.attach.hint"))
+	};
+	const filled = dashboardChromeByLocale[locale].replaceAll("__NOW__", escapeHtml(now)).replaceAll("__TUNNEL_CLASS__", tunnelClass).replaceAll("__TUNNEL_STATUS__", escapeHtml(tunnelStatus)).replaceAll("__ATTACH_SECTION__", attachSection).replaceAll("__PAGES_SECTION__", pagesSection);
+	const sseScript = buildSseScript(sseStrings);
+	return filled.replace("</body>", `${sseScript}\n</body>`);
+}
+/**
+* Inline SSE client <script> — injected into the dashboard HTML at runtime.
+*
+* Subscribes to /events and updates the DOM without a build pipeline.
+* client side: attachUrl은 DOM에 렌더링, wssUrl은 절대 렌더링하지 않는다.
+* pages === null 이면 섹션을 건드리지 않는다 (#411).
+*
+* 문자열 인자는 빌드타임에 ko/en 테이블에서 가져와 JSON.stringify로 이미 escape됨.
+*/
+function buildSseScript(strings) {
+	return `<script>
+    // SSE — /events 구독해 상태 자동 갱신. 빌드 파이프라인 없는 인라인 스크립트.
+    (function () {
+      var TUNNEL_UP = ${strings.tunnelUp};
+      var TUNNEL_DOWN = ${strings.tunnelDown};
+      var PAGES_EMPTY = ${strings.pagesEmpty};
+      var ATTACH_HINT = ${strings.attachHint};
+      var src = new EventSource('/events');
+      src.onmessage = function (e) {
+        try {
+          var s = JSON.parse(e.data);
+          // 터널 상태 갱신
+          var el = document.getElementById('tunnel-status');
+          if (el) {
+            el.textContent = s.tunnel && s.tunnel.up ? TUNNEL_UP : TUNNEL_DOWN;
+            el.className = 'status ' + (s.tunnel && s.tunnel.up ? 'status-up' : 'status-down');
+          }
+          // page 목록 갱신 — pages === null(env 2)이면 섹션 자체를 숨긴 채 둔다.
+          // 정적 렌더가 #pages-section을 아예 안 그렸으므로 여기서도 손대지 않아
+          // SSE push 때 섹션이 되살아나지 않는다(#411). 배열일 때만 목록을 채운다.
+          if (s.pages !== null && s.pages !== undefined) {
+            var ul = document.getElementById('pages-list');
+            if (ul) {
+              if (s.pages.length === 0) {
+                ul.innerHTML = '<li class="empty">' + PAGES_EMPTY + '</li>';
+              } else {
+                ul.innerHTML = s.pages.map(function (p) {
+                  var sid = String(p.id || '').slice(0, 36).replace(/[<>&"']/g, function (c) { return '&#' + c.charCodeAt(0) + ';'; });
+                  var su = String(p.url || '').slice(0, 120).replace(/[<>&"']/g, function (c) { return '&#' + c.charCodeAt(0) + ';'; });
+                  return '<li><span class="page-id">' + sid + '</span> <span class="page-url">' + su + '</span></li>';
+                }).join('');
+              }
+            }
+          }
+          // attachUrl QR 갱신 — attachUrl이 없으면 hint 표시.
+          var sec = document.getElementById('attach-section');
+          if (sec) {
+            if (s.attachUrl) {
+              // QR은 서버에서 새로 렌더한 /qr.png?u= 로 img src 교체.
+              // TOTP at= 코드는 attachUrl 안에 캡슐화 — 별도 노출 없음.
+              // wssUrl은 절대 DOM에 렌더하지 않는다 (SECRET-HANDLING).
+              var encoded = encodeURIComponent(s.attachUrl);
+              var safeUrl = String(s.attachUrl).slice(0, 2000).replace(/[<>&"']/g, function (c) { return '&#' + c.charCodeAt(0) + ';'; });
+              sec.innerHTML =
+                '<img class="qr" src="/qr.png?u=' + encoded + '" alt="attach QR" />' +
+                '<p class="url-box">' + safeUrl + '</p>';
+            } else {
+              sec.innerHTML = '<p class="hint">' + ATTACH_HINT + '</p>';
+            }
+          }
+          // 갱신 시각
+          var upd = document.getElementById('updated');
+          if (upd) upd.textContent = upd.textContent.replace(/[^ ]+$/, new Date().toISOString());
+        } catch (_) { /* 파싱 오류 무시 */ }
+      };
+      src.onerror = function () {
+        // 재연결은 EventSource가 자동 처리 (spec 기본 동작).
+      };
+    })();
+  <\/script>`;
+}
+/**
+* Attach 페이지 HTML — precompiled chrome에 per-request 동적 값을 채워 완성한다.
+*
+* 동적 파트:
+*   - __QR_DATA_URL__     : base64 data URL (QR 이미지)
+*   - __SAFE_LABEL__      : HTML-escaped deploymentId label
+*   - __SAFE_ATTACH_URL__ : HTML-escaped attach URL (TOTP at= 코드 포함 — 의도된 전달)
+*
+* SECRET-HANDLING: TOTP at= 코드는 attachUrl 캡슐 안에서만 노출 — 의도된 transport.
+*/
+function buildAttachHtml(qrDataUrl, safeLabel, safeAttachUrl, locale) {
+	return attachChromeByLocale[locale].replaceAll("__QR_DATA_URL__", qrDataUrl).replaceAll("__SAFE_LABEL__", safeLabel).replaceAll("__SAFE_ATTACH_URL__", safeAttachUrl);
+}
 /**
 * 로컬 HTTP 서버를 127.0.0.1 random port(또는 `AIT_DEBUG_HTTP_PORT` env)로 시작한다.
 * MCP debug server 생애주기에 묶어 사용 — `runDebugServer` shutdown 시 `close()`로 정리.
@@ -1606,6 +2411,7 @@ async function startQrHttpServer(getDashboardState) {
 	const server = createServer(async (req, res) => {
 		const [path, query = ""] = (req.url ?? "/").split("?", 2);
 		const params = new URLSearchParams(query ?? "");
+		const locale = parseAcceptLanguage(req.headers["accept-language"]);
 		if (path === "/") {
 			if (!getDashboardState) {
 				res.writeHead(204, { "Content-Type": "text/plain; charset=utf-8" });
@@ -1620,7 +2426,7 @@ async function startQrHttpServer(getDashboardState) {
 					errorCorrectionLevel: "M"
 				});
 			} catch {}
-			const html = buildDashboardHtml(state, qrDataUrl);
+			const html = buildDashboardHtml(state, qrDataUrl, locale);
 			res.writeHead(200, {
 				"Content-Type": "text/html; charset=utf-8",
 				"Cache-Control": "no-store"
@@ -1667,7 +2473,7 @@ async function startQrHttpServer(getDashboardState) {
 				type: "image/png",
 				errorCorrectionLevel: "M"
 			}).then((dataUrl) => {
-				const html = buildAttachHtml(dataUrl, deploymentIdLabel.replace(/[<>&"']/g, (c) => `&#${c.charCodeAt(0)};`), attachUrl.replace(/[<>&"']/g, (c) => `&#${c.charCodeAt(0)};`));
+				const html = buildAttachHtml(dataUrl, escapeHtml(deploymentIdLabel), escapeHtml(attachUrl), locale);
 				res.writeHead(200, {
 					"Content-Type": "text/html; charset=utf-8",
 					"Cache-Control": "no-store"
@@ -1735,329 +2541,6 @@ async function startQrHttpServer(getDashboardState) {
 		}
 	};
 }
-/**
-* Dashboard HTML — 터널/page/attachUrl 상태를 표시하고 SSE로 자동 갱신.
-*
-* SECRET-HANDLING:
-*   - attachUrl은 url-box 안에서만 노출 (TOTP at= 코드 캡슐 그대로).
-*   - tunnel wssUrl은 "터널 연결됨" 상태 표시에서 HOST가 아닌 UP/DOWN만 노출.
-*     wssUrl 값 자체는 dashboard HTML에 넣지 않는다 — 브라우저 탭이 보안 경계 밖에 있음.
-*   - inline <script>로 /events SSE 구독 — 빌드 파이프라인 추가 없음.
-*/
-function buildDashboardHtml(state, qrDataUrl) {
-	const tunnelStatus = state.tunnel.up ? "연결됨" : "끊어짐";
-	const tunnelClass = state.tunnel.up ? "status-up" : "status-down";
-	const now = (/* @__PURE__ */ new Date()).toISOString();
-	const pagesHtml = state.pages.length > 0 ? state.pages.map((p) => {
-		return `<li><span class="page-id">${p.id.replace(/[<>&"']/g, (c) => `&#${c.charCodeAt(0)};`)}</span> <span class="page-url">${p.url.slice(0, 120).replace(/[<>&"']/g, (c) => `&#${c.charCodeAt(0)};`)}</span></li>`;
-	}).join("\n") : "<li class=\"empty\">attach된 페이지 없음</li>";
-	let attachSection;
-	if (qrDataUrl && state.attachUrl) attachSection = `
-      <img class="qr" src="${qrDataUrl}" alt="attach QR" />
-      <p class="url-box">${state.attachUrl.replace(/[<>&"']/g, (c) => `&#${c.charCodeAt(0)};`)}</p>`;
-	else attachSection = "<p class=\"hint\">build_attach_url MCP tool을 호출하면 QR이 여기에 표시됩니다.</p>";
-	return `<!DOCTYPE html>
-<html lang="ko">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>AIT 디버그 Dashboard</title>
-  <style>
-    *, *::before, *::after { box-sizing: border-box; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
-      background: #0d1117; color: #c9d1d9;
-      display: flex; flex-direction: column; align-items: center;
-      min-height: 100vh; margin: 0; padding: 2rem 1rem;
-      gap: 1.5rem;
-    }
-    h1 { font-size: 1.25rem; font-weight: 600; color: #e6edf3; margin: 0; text-align: center; }
-    .updated { font-size: 0.75rem; opacity: 0.4; font-family: monospace; margin: 0; }
-    section { width: 100%; max-width: 520px; }
-    h2 { font-size: 1rem; font-weight: 600; color: #e6edf3; margin: 0 0 0.5rem; }
-    .status { display: inline-block; padding: 0.25rem 0.75rem; border-radius: 999px; font-size: 0.8rem; font-weight: 600; }
-    .status-up { background: #238636; color: #fff; }
-    .status-down { background: #6e7681; color: #fff; }
-    img.qr {
-      width: min(80vw, 300px); height: auto;
-      image-rendering: pixelated;
-      background: #fff; padding: 0.75rem; border-radius: 10px;
-      display: block; margin: 0.5rem auto;
-    }
-    .url-box {
-      font-family: monospace; font-size: 0.7rem;
-      word-break: break-all; opacity: 0.45;
-      background: #161b22; padding: 0.6rem 0.85rem;
-      border-radius: 6px; border: 1px solid #30363d; margin: 0.5rem 0 0;
-    }
-    .hint { font-size: 0.85rem; opacity: 0.5; margin: 0.25rem 0 0; }
-    ul { margin: 0; padding-left: 1.25rem; }
-    li { margin-bottom: 0.35rem; font-size: 0.85rem; line-height: 1.5; }
-    li.empty { opacity: 0.4; list-style: none; padding-left: 0; }
-    .page-id { font-family: monospace; font-size: 0.75rem; opacity: 0.5; margin-right: 0.4rem; }
-    .page-url { word-break: break-all; }
-    hr { border: none; border-top: 1px solid #21262d; width: 100%; margin: 0; }
-  </style>
-</head>
-<body>
-  <h1>AIT 디버그 Dashboard</h1>
-  <p class="updated" id="updated">마지막 갱신: ${now}</p>
-  <section>
-    <h2>터널 상태</h2>
-    <span class="status ${tunnelClass}" id="tunnel-status">${tunnelStatus}</span>
-  </section>
-  <hr />
-  <section>
-    <h2>Attach QR</h2>
-    <div id="attach-section">${attachSection}</div>
-  </section>
-  <hr />
-  <section>
-    <h2>연결된 Pages</h2>
-    <ul id="pages-list">${pagesHtml}</ul>
-  </section>
-  <script>
-    // SSE — /events 구독해 상태 자동 갱신. 빌드 파이프라인 없는 인라인 스크립트.
-    (function () {
-      var src = new EventSource('/events');
-      src.onmessage = function (e) {
-        try {
-          var s = JSON.parse(e.data);
-          // 터널 상태 갱신
-          var el = document.getElementById('tunnel-status');
-          if (el) {
-            el.textContent = s.tunnel && s.tunnel.up ? '연결됨' : '끊어짐';
-            el.className = 'status ' + (s.tunnel && s.tunnel.up ? 'status-up' : 'status-down');
-          }
-          // page 목록 갱신
-          var ul = document.getElementById('pages-list');
-          if (ul) {
-            if (!s.pages || s.pages.length === 0) {
-              ul.innerHTML = '<li class="empty">attach된 페이지 없음</li>';
-            } else {
-              ul.innerHTML = s.pages.map(function (p) {
-                var sid = String(p.id || '').slice(0, 36).replace(/[<>&"']/g, function (c) { return '&#' + c.charCodeAt(0) + ';'; });
-                var su = String(p.url || '').slice(0, 120).replace(/[<>&"']/g, function (c) { return '&#' + c.charCodeAt(0) + ';'; });
-                return '<li><span class="page-id">' + sid + '</span> <span class="page-url">' + su + '</span></li>';
-              }).join('');
-            }
-          }
-          // attachUrl QR 갱신 — attachUrl이 없으면 hint 표시.
-          var sec = document.getElementById('attach-section');
-          if (sec) {
-            if (s.attachUrl) {
-              // QR은 서버에서 새로 렌더한 /qr.png?u= 로 img src 교체.
-              // TOTP at= 코드는 attachUrl 안에 캡슐화 — 별도 노출 없음.
-              var encoded = encodeURIComponent(s.attachUrl);
-              var safeUrl = String(s.attachUrl).slice(0, 2000).replace(/[<>&"']/g, function (c) { return '&#' + c.charCodeAt(0) + ';'; });
-              sec.innerHTML =
-                '<img class="qr" src="/qr.png?u=' + encoded + '" alt="attach QR" />' +
-                '<p class="url-box">' + safeUrl + '</p>';
-            } else {
-              sec.innerHTML = '<p class="hint">build_attach_url MCP tool을 호출하면 QR이 여기에 표시됩니다.</p>';
-            }
-          }
-          // 갱신 시각
-          var upd = document.getElementById('updated');
-          if (upd) upd.textContent = '마지막 갱신: ' + new Date().toISOString();
-        } catch (_) { /* 파싱 오류 무시 */ }
-      };
-      src.onerror = function () {
-        // 재연결은 EventSource가 자동 처리 (spec 기본 동작).
-      };
-    })();
-  <\/script>
-</body>
-</html>`;
-}
-/**
-* QR 스캔 페이지 HTML 본문.
-* dark theme, inline style, 외부 fetch 없음.
-*/
-function buildAttachHtml(qrDataUrl, safeLabel, safeAttachUrl) {
-	return `<!DOCTYPE html>
-<html lang="ko">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>AIT 디버그 세션 — QR 스캔</title>
-  <style>
-    *, *::before, *::after { box-sizing: border-box; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
-      background: #0d1117; color: #c9d1d9;
-      display: flex; flex-direction: column; align-items: center;
-      min-height: 100vh; margin: 0; padding: 2rem 1rem;
-      gap: 1.5rem;
-    }
-    h1 { font-size: 1.25rem; font-weight: 600; color: #e6edf3; margin: 0; text-align: center; }
-    .label { font-size: 0.8rem; opacity: 0.5; font-family: monospace; margin: 0; }
-    img.qr {
-      width: min(90vw, 360px); height: auto;
-      image-rendering: pixelated;
-      background: #fff; padding: 1rem; border-radius: 12px;
-    }
-    section { width: 100%; max-width: 480px; }
-    h2 { font-size: 1rem; font-weight: 600; color: #e6edf3; margin: 0 0 0.5rem; }
-    ol, ul { margin: 0; padding-left: 1.25rem; }
-    li { margin-bottom: 0.4rem; font-size: 0.9rem; line-height: 1.5; }
-    .url-box {
-      font-family: monospace; font-size: 0.72rem;
-      word-break: break-all; opacity: 0.4;
-      background: #161b22; padding: 0.75rem 1rem;
-      border-radius: 6px; border: 1px solid #30363d;
-    }
-    hr { border: none; border-top: 1px solid #21262d; width: 100%; margin: 0.5rem 0; }
-  </style>
-</head>
-<body>
-  <h1>AIT 디버그 세션 — QR 스캔</h1>
-  <p class="label">deployment: ${safeLabel}</p>
-  <img class="qr" src="${qrDataUrl}" alt="attach QR" />
-  <section>
-    <h2>스캔 절차</h2>
-    <ol>
-      <li>토스 앱을 실행하세요.</li>
-      <li>폰 카메라 앱으로 QR 코드를 스캔하세요.</li>
-      <li>팝업이 뜨면 <strong>"토스로 열기"</strong>를 탭하세요.</li>
-      <li>미니앱이 열리고 디버그 세션이 자동으로 attach됩니다.</li>
-    </ol>
-  </section>
-  <hr />
-  <section>
-    <h2>진단 체크리스트</h2>
-    <ul>
-      <li><strong>토스 앱이 안 열리는 경우</strong> — 앱 버전 확인, 카메라 앱으로 스캔 (토스 앱 내 QR 리더 X)</li>
-      <li><strong>미니앱이 PREPARE 상태에서 멈추는 경우</strong> — deep-link에 <code>_deploymentId</code> 파라미터가 있는지 확인</li>
-      <li><strong>Chii 주입 실패 / 콘솔이 비어 있는 경우</strong> — 미니앱 번들에 <code>in-app</code> debug import가 있는지 확인</li>
-      <li><strong>TOTP gate Layer C가 비활성인 경우</strong> — relay 서버에 <code>AIT_DEBUG_TOTP_SECRET</code>이 설정돼 있는지 확인</li>
-    </ul>
-  </section>
-  <hr />
-  <section>
-    <h2>URL (fallback)</h2>
-    <p class="url-box">${safeAttachUrl}</p>
-  </section>
-</body>
-</html>`;
-}
-//#endregion
-//#region src/mcp/relay-secret-store.ts
-/**
-* Project-local relay TOTP secret store (#394 first-run auto-mint, #396 moved to
-* a project-local single file `.ait_relay`).
-*
-* Two surfaces, intentionally split by who is allowed to write:
-*
-*   - {@link ensureRelaySecret} — WRITE path, called ONLY from the unplugin
-*     (env-2 relay boot). Mints a fresh secret on first run and persists it to
-*     `<projectRoot>/.ait_relay` (0600). A single file — no directory is created.
-*
-*   - {@link loadRelaySecretReadOnly} — READ-ONLY path, called from the MCP
-*     daemon when switching into a relay environment. It NEVER mints, chmods, or
-*     creates anything: it only reads an already-existing `.ait_relay` and injects
-*     its value into `env`. A daemon that minted would defeat the #250 fail-fast
-*     (the daemon is the verifier side — a self-minted secret would let a leaked
-*     tunnel URL attach unauthenticated), so the daemon stays read-only.
-*
-* Why a per-session `projectRoot` instead of `process.cwd()`: the daemon cannot
-* trust its own cwd — agent-plugin spawns it via `npx` without `cwd`, so cwd is
-* frozen at Claude Code launch and a cwd-walk stops at the monorepo workspace
-* root (which always has a package.json). So the project root is supplied
-* per-debug-session through `start_debug`.
-*
-* SECRET-HANDLING: this module handles AIT_DEBUG_TOTP_SECRET — the raw value and
-* its length MUST NOT appear in any log, error message, stdout, stderr, or
-* assertion output. Only boolean pass/fail signals are safe to surface, and the
-* discovered file path is never logged either. The persist file is written mode
-* 0600.
-*/
-/** Project-local secret file name (single file, not a directory). */
-const RELAY_SECRET_FILE_NAME = ".ait_relay";
-/**
-* Walks upward from `start` and returns the nearest directory that contains a
-* `package.json`. Falls back to `start` itself when none is found (so a write
-* still lands somewhere deterministic).
-*
-* The write (unplugin) and read (daemon) sides use the SAME anchor so a secret
-* minted by `pnpm dev` is found by the daemon: real mini-apps keep
-* `vite.config.ts` and `package.json` in the same directory, so
-* `server.config.root === package.json-dir`. In a monorepo subdir the anchor is
-* the package's own directory — the one the daemon can also reach via the
-* per-session projectRoot.
-*
-* @param start - Directory to start the upward walk from.
-* @param existsSyncFn - Injectable existence check (defaults to node:fs).
-*/
-function nearestPackageJsonDir(start, existsSyncFn) {
-	let dir = start;
-	while (true) {
-		if (existsSyncFn(join(dir, "package.json"))) return dir;
-		const parent = dirname(dir);
-		if (parent === dir) return start;
-		dir = parent;
-	}
-}
-/**
-* Absolute path to the project-local `.ait_relay` file for a given start
-* directory (resolved against the nearest package.json directory).
-*
-* Exported so tests can compute the expected path without duplicating the
-* resolution logic.
-*/
-function relaySecretFilePath(start, existsSyncFn) {
-	return join(nearestPackageJsonDir(start, existsSyncFn), RELAY_SECRET_FILE_NAME);
-}
-/**
-* Reads an already-existing `<projectRoot>/.ait_relay` and, if its contents are a
-* valid relay TOTP secret, injects them into `env.AIT_DEBUG_TOTP_SECRET`.
-*
-* Strictly READ-ONLY: it uses only `existsSync` + `readFileSync` and NEVER mints,
-* chmods, or creates files/directories. The daemon must not mint because it is
-* the relay verifier side — a self-minted secret would defeat the #250 fail-fast
-* (a leaked tunnel URL could then attach unauthenticated). If no valid secret is
-* found the function leaves `env` untouched and returns without throwing, so the
-* downstream `assertRelayAuthConfigured()` stays the single fail-fast.
-*
-* Resolution order:
-*   1. `env.AIT_DEBUG_TOTP_SECRET` already valid → no-op (operator export wins).
-*   2. `projectRoot` given → read `<nearest package.json dir>/.ait_relay`; inject
-*      iff the contents pass {@link isValidRelayAuthSecret}.
-*   3. Otherwise (no projectRoot, file absent, or invalid) → silent no-op.
-*
-* SECRET-HANDLING: the read value is passed ONLY to the boolean predicate before
-* assignment; its value, length, and the discovered file path are never logged.
-*
-* @param deps - Optional dependency overrides for testing.
-*/
-async function loadRelaySecretReadOnly(deps) {
-	const { projectRoot, env = process.env, fs: fsDep, existsSync: existsSyncDep } = deps ?? {};
-	const { isValidRelayAuthSecret } = await import("../totp-CQFmgOhM.js");
-	if (isValidRelayAuthSecret(env.AIT_DEBUG_TOTP_SECRET)) return;
-	if (projectRoot === void 0) return;
-	const fs = fsDep ?? await import("node:fs");
-	const secretPath = relaySecretFilePath(projectRoot, existsSyncDep ?? fs.existsSync);
-	if (!fs.existsSync(secretPath)) return;
-	let stored;
-	try {
-		stored = fs.readFileSync(secretPath, "utf8").trim();
-	} catch {
-		return;
-	}
-	if (!isValidRelayAuthSecret(stored)) return;
-	env.AIT_DEBUG_TOTP_SECRET = stored;
-}
 //#endregion
 //#region src/mcp/server-lock.ts
 /**
@@ -2124,18 +2607,10 @@ function ensureLockDir(lockPath) {
 /**
 * Returns `true` when the given PID refers to a running process.
 *
-* Uses `process.kill(pid, 0)` — a no-op signal that succeeds when the process
-* exists and we have permission to signal it; throws ESRCH when it doesn't exist.
+* Re-exported from `../shared/parent-watcher` so external callers that
+* import from `./server-lock` keep working without an import-path change.
 */
-function isPidAlive(pid) {
-	try {
-		process.kill(pid, 0);
-		return true;
-	} catch (err) {
-		if (err.code === "EPERM") return true;
-		return false;
-	}
-}
+const isPidAlive = isPidAlive$1;
 function readLock(lockPath) {
 	if (!existsSync(lockPath)) return null;
 	try {
@@ -2449,6 +2924,10 @@ const DEBUG_TOOL_DEFINITIONS = [
 				open_in_browser: {
 					type: "boolean",
 					description: "If true (default), render the QR as a PNG and open it in the OS default browser. Only works when the MCP server is running on a local GUI machine — headless or remote container environments should set this to false to use the text QR fallback."
+				},
+				projectRoot: {
+					type: "string",
+					description: "Absolute path to the mini-app project root (the directory containing its package.json and .ait_urls). When AIT_TUNNEL_BASE_URL is unset (env 2 / relay-mobile only), the daemon reads the app tunnel URL from <projectRoot>/.ait_urls written by the dev server (tunnel:{cdp:true}). Pass this because the daemon's own cwd is fixed at launch. Omit when AIT_TUNNEL_BASE_URL is set explicitly."
 				}
 			},
 			required: []
@@ -3432,7 +3911,7 @@ async function readMcpSdkVersion() {
 * some test environments that skip the build step).
 */
 function readDevtoolsVersion() {
-	return "0.1.58";
+	return "0.1.60";
 }
 /**
 * Derives the next recommended action from a completed diagnostics snapshot.
@@ -3920,7 +4399,7 @@ function createDebugServer(deps) {
 	const collector = collectorDep ?? new InMemoryDiagnosticsCollector();
 	const server = new Server({
 		name: "ait-debug",
-		version: "0.1.58"
+		version: "0.1.60"
 	}, { capabilities: { tools: { listChanged: true } } });
 	server.setRequestHandler(ListToolsRequestSchema, () => {
 		const conn = router.active;
@@ -3995,8 +4474,14 @@ function createDebugServer(deps) {
 			const waitForAttach = request.params.arguments?.wait_for_attach === true;
 			const openInBrowser = request.params.arguments?.open_in_browser !== false;
 			if (env === "relay-mobile") {
-				const tunnelHttpUrl = process.env.AIT_TUNNEL_BASE_URL?.trim() ?? "";
-				if (tunnelHttpUrl === "") return mcpError("build_attach_url(mobile): AIT_TUNNEL_BASE_URL이 설정되지 않았습니다. unplugin tunnel:{cdp:true} 배너에 출력되는 앱 HTTP 터널 URL을 AIT_TUNNEL_BASE_URL 환경변수로 전달하세요.");
+				const rawBuildProjectRoot = request.params.arguments?.projectRoot;
+				const buildProjectRoot = typeof rawBuildProjectRoot === "string" ? rawBuildProjectRoot : void 0;
+				let tunnelHttpUrl = process.env.AIT_TUNNEL_BASE_URL?.trim() ?? "";
+				if (tunnelHttpUrl === "" && buildProjectRoot !== void 0) {
+					const { readRelayUrls } = await import("../relay-url-store-qaoe0zOD.js");
+					tunnelHttpUrl = (await readRelayUrls({ projectRoot: buildProjectRoot }))?.tunnelBaseUrl ?? "";
+				}
+				if (tunnelHttpUrl === "") return mcpError("build_attach_url(mobile): AIT_TUNNEL_BASE_URL이 설정되지 않았습니다. dev 서버가 tunnel:{cdp:true}로 기동 중이면 .ait_urls 파일이 자동 생성돼 있어야 합니다. 자동 발견이 되지 않을 경우 앱 HTTP 터널 URL을 AIT_TUNNEL_BASE_URL 환경변수로 직접 전달하세요.");
 				const tunnelStatus = getTunnelStatus();
 				if (!tunnelStatus.up || tunnelStatus.wssUrl === null) return mcpError("build_attach_url(mobile): relay wssUrl이 아직 설정되지 않았습니다. unplugin tunnel:{cdp:true}가 relay를 완전히 기동할 때까지 잠시 후 다시 시도하세요.");
 				const secret = getTotpSecret();
@@ -4516,45 +5001,6 @@ function startAttachWatcher(connection, server, intervalMs = 1e3, onFirstAttach)
 	} };
 }
 /**
-* Starts a periodic watcher that detects when the parent process (e.g. Claude
-* Code) has died without sending SIGTERM/SIGHUP, and calls `onOrphaned` so the
-* daemon can self-terminate rather than running as a zombie.
-*
-* Mirrors the `startAttachWatcher` pattern: `setInterval`-based, returns
-* `{ stop(): void }`, injectable deps for testability.
-*
-* @param onOrphaned - Called once when the parent is gone.
-* @param opts.intervalMs   - Poll interval in milliseconds (default 5 000).
-* @param opts.initialPpid  - Parent PID to watch (default `process.ppid`).
-* @param opts.isAlive      - Predicate to test if a PID is running (default `isPidAlive`).
-* @param opts.getPpid      - Supplier of current ppid (default `() => process.ppid`).
-*                            Detects ppid changes as well as death.
-* @param opts.log          - Logger (default `process.stderr.write`).
-*
-* @returns `stop` — call during shutdown to clear the interval.
-*/
-function startParentWatcher(onOrphaned, opts) {
-	const { intervalMs = 5e3, initialPpid = process.ppid, isAlive = isPidAlive, getPpid = () => process.ppid, log = (msg) => process.stderr.write(msg) } = opts ?? {};
-	if (initialPpid <= 1) {
-		log("[ait-debug] parent-pid watcher: no parent to watch (ppid<=1), skipping\n");
-		return { stop() {} };
-	}
-	let fired = false;
-	const handle = setInterval(() => {
-		if (fired) return;
-		const currentPpid = getPpid();
-		if (currentPpid !== initialPpid || !isAlive(initialPpid)) {
-			fired = true;
-			clearInterval(handle);
-			log(`[ait-debug] parent-pid watcher: parent PID ${initialPpid} is gone (currentPpid=${currentPpid}) — shutting down\n`);
-			onOrphaned();
-		}
-	}, intervalMs);
-	return { stop() {
-		clearInterval(handle);
-	} };
-}
-/**
 * Factory that constructs a `ChiiCdpConnection` for the given relay base URL.
 *
 * Introduced as a named seam so PR-2 (dual-connection, #348) can defer
@@ -4735,22 +5181,31 @@ function familyKeyForMode(mode) {
 	}
 }
 /** The error thrown / surfaced when entering `mobile` without AIT_RELAY_BASE_URL. */
-const MOBILE_RELAY_BASE_URL_MISSING_MESSAGE = "start_debug(mobile): AIT_RELAY_BASE_URL이 설정되지 않았습니다 — unplugin이 tunnel:{cdp:true}로 띄운 relay base URL을 AIT_RELAY_BASE_URL 환경변수로 전달하세요. 환경 2(실기기 PWA) 진입은 외부 relay base가 필요합니다.";
+const MOBILE_RELAY_BASE_URL_MISSING_MESSAGE = "start_debug(mobile): AIT_RELAY_BASE_URL이 설정되지 않았습니다. dev 서버가 tunnel:{cdp:true}로 기동 중이면 .ait_urls 파일이 자동 생성돼 있어야 합니다. 자동 발견이 되지 않을 경우 relay base URL을 AIT_RELAY_BASE_URL 환경변수로 직접 전달하세요. 환경 2(실기기 PWA) 진입은 외부 relay base가 필요합니다.";
 /**
-* Reads `AIT_RELAY_BASE_URL` from the environment for the env-2 (`mobile`) boot
-* site (issue #378). Returns the trimmed value, or throws the precise
-* {@link MOBILE_RELAY_BASE_URL_MISSING_MESSAGE} when unset/empty.
+* Reads the env-2 relay base URL for the `mobile` boot site (issue #378, #424).
 *
-* SECRET-HANDLING: `AIT_RELAY_BASE_URL` carries the relay host (same class as a
-* wss URL). On the missing path the thrown message describes the env var name
-* and how to obtain it — it NEVER echoes any partial/garbled URL value. The
+* Resolution order (env wins — file is the fallback):
+*   1. `env.AIT_RELAY_BASE_URL` set and non-empty → return it (operator override).
+*   2. `projectRoot` given → read `<nearest package.json dir>/.ait_urls`;
+*      if `relayBaseUrl` is present → return it (auto-discovered from dev server).
+*   3. Neither → throw {@link MOBILE_RELAY_BASE_URL_MISSING_MESSAGE}.
+*
+* SECRET-HANDLING: `AIT_RELAY_BASE_URL` and the file-discovered value carry the
+* relay host. On the missing path the thrown message names the env var and notes
+* that the dev server auto-publishes it — it NEVER echoes any URL value. The
 * present value is returned to the caller (the CDP client) but never logged.
 */
-function readMobileRelayBaseUrl(env = process.env) {
+async function readMobileRelayBaseUrl(env = process.env, projectRoot) {
 	const raw = env.AIT_RELAY_BASE_URL;
-	const value = typeof raw === "string" ? raw.trim() : "";
-	if (value === "") throw new Error(MOBILE_RELAY_BASE_URL_MISSING_MESSAGE);
-	return value;
+	const envValue = typeof raw === "string" ? raw.trim() : "";
+	if (envValue !== "") return envValue;
+	if (projectRoot !== void 0) {
+		const { readRelayUrls } = await import("../relay-url-store-qaoe0zOD.js");
+		const stored = await readRelayUrls({ projectRoot });
+		if (stored?.relayBaseUrl !== void 0) return stored.relayBaseUrl;
+	}
+	throw new Error(MOBILE_RELAY_BASE_URL_MISSING_MESSAGE);
 }
 /**
 * Sentinel connection returned by {@link DualConnectionRouter.active} before the
@@ -4877,14 +5332,18 @@ var DualConnectionRouter = class {
 	}
 	/**
 	* Resolves the `BootedFamily` for `key`: the warm family if already booted,
-	* otherwise boots it via `bootLazyFor(key)` and stores it (once per key).
-	* Since #396 every family is lazy, so this is the single boot path for all
-	* three keys.
+	* otherwise boots it via `bootLazyFor(key, projectRoot)` and stores it (once
+	* per key). Since #396 every family is lazy, so this is the single boot path
+	* for all three keys.
+	*
+	* `projectRoot` is forwarded to `bootLazyFor` so `relay-sandbox` boot can
+	* fall back to `.ait_urls` file discovery (#424) when `AIT_RELAY_BASE_URL` is
+	* not set in the environment.
 	*/
-	async familyFor(key) {
+	async familyFor(key, projectRoot) {
 		const warm = this.lazyFamilies.get(key);
 		if (warm) return warm;
-		const booted = await this.deps.bootLazyFor(key);
+		const booted = await this.deps.bootLazyFor(key, projectRoot);
 		this.lazyFamilies.set(key, booted);
 		return booted;
 	}
@@ -4894,7 +5353,7 @@ var DualConnectionRouter = class {
 		this.swapInFlight = true;
 		try {
 			if (isRelayMode(mode)) await loadRelaySecretReadOnly({ projectRoot });
-			const target = await this.familyFor(familyKeyForMode(mode));
+			const target = await this.familyFor(familyKeyForMode(mode), projectRoot);
 			this.activeFamily = target;
 			setLiveIntent(mode === "relay-live");
 			this.stopWatcher();
@@ -4926,7 +5385,7 @@ async function runDebugServer(options = {}) {
 	const devtoolsOpener = new AutoDevtoolsOpener();
 	const diagnosticsCollector = new InMemoryDiagnosticsCollector();
 	const router = new DualConnectionRouter({
-		bootLazyFor: (key) => key === "relay-sandbox" ? bootExternalRelayFamily(readMobileRelayBaseUrl()) : key === "local-browser" ? bootLocalFamily() : bootRelayFamily({
+		bootLazyFor: async (key, projectRoot) => key === "relay-sandbox" ? bootExternalRelayFamily(await readMobileRelayBaseUrl(process.env, projectRoot)) : key === "local-browser" ? bootLocalFamily() : bootRelayFamily({
 			relayPort: options.relayPort,
 			verifyAuth: buildRelayVerifyAuth(),
 			onWssUrl: (wssUrl) => {
@@ -5083,7 +5542,7 @@ async function runLocalDebugServer(options = {}) {
 	const devtoolsOpener = new AutoDevtoolsOpener();
 	const diagnosticsCollector = new InMemoryDiagnosticsCollector();
 	const router = new DualConnectionRouter({
-		bootLazyFor: (key) => key === "relay-sandbox" ? bootExternalRelayFamily(readMobileRelayBaseUrl()) : key === "local-browser" ? bootLocalFamilyForEntry() : bootRelayFamily({
+		bootLazyFor: async (key, projectRoot) => key === "relay-sandbox" ? bootExternalRelayFamily(await readMobileRelayBaseUrl(process.env, projectRoot)) : key === "local-browser" ? bootLocalFamilyForEntry() : bootRelayFamily({
 			verifyAuth: buildRelayVerifyAuth(),
 			onWssUrl: (wssUrl) => {
 				lockHandle.updateWssUrl(wssUrl);
@@ -5218,12 +5677,12 @@ async function runLocalDebugServer(options = {}) {
 * value). The present value is passed straight to the CDP client, never logged.
 */
 async function runMobileDebugServer(options = {}) {
-	const relayBaseUrl = readMobileRelayBaseUrl();
+	const relayBaseUrl = await readMobileRelayBaseUrl(process.env, options.projectRoot ?? process.cwd());
 	const lockHandle = acquireLock({ force: options.force ?? false });
 	const devtoolsOpener = new AutoDevtoolsOpener();
 	const diagnosticsCollector = new InMemoryDiagnosticsCollector();
 	const router = new DualConnectionRouter({
-		bootLazyFor: (key) => key === "relay-sandbox" ? bootExternalRelayFamily(relayBaseUrl) : key === "local-browser" ? bootLocalFamily() : bootRelayFamily({
+		bootLazyFor: async (key) => key === "relay-sandbox" ? bootExternalRelayFamily(relayBaseUrl) : key === "local-browser" ? bootLocalFamily() : bootRelayFamily({
 			verifyAuth: buildRelayVerifyAuth(),
 			onWssUrl: (wssUrl) => {
 				lockHandle.updateWssUrl(wssUrl);
@@ -5758,7 +6217,7 @@ function createDevServer(deps = {}) {
 	const aitSource = deps.aitSource ?? new HttpAitSource({ stateEndpoint });
 	const server = new Server({
 		name: "ait-devtools",
-		version: "0.1.58"
+		version: "0.1.60"
 	}, { capabilities: { tools: {} } });
 	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: DEV_TOOL_DEFINITIONS.map((tool) => ({ ...tool })) }));
 	server.setRequestHandler(CallToolRequestSchema, async (request) => {