@ait-co/devtools 0.1.69 → 0.1.71

package/dist/mcp/cli.js

@@ -9,7 +9,7 @@ import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
 import { EventEmitter } from "node:events";
-import { WebSocket } from "ws";
+import { WebSocket, WebSocketServer } from "ws";
 import { randomBytes } from "node:crypto";
 import { createServer } from "node:http";
 import { spawn } from "node:child_process";
@@ -120,6 +120,47 @@ var ChiiAitSource = class {
 	}
 };
 //#endregion
+//#region src/shared/relay-auth-close.ts
+/**
+* Shared constants for the relay's named TOTP-auth rejection (issue #478).
+*
+* Before #478 the relay rejected an unauthenticated WebSocket upgrade with a
+* raw `HTTP/1.1 401` + `socket.destroy()`. A handshake aborted that way is
+* indistinguishable from a network failure on the browser side — the
+* WebSocket only ever sees close code 1006, so the phone (env-2 launcher PWA)
+* could not tell "stale TOTP code" apart from "tunnel down" and stayed
+* silent. The fix is accept-then-close: complete the handshake, then close
+* with an application close code that NAMES the rejection.
+*
+* Three parties share this contract:
+*   - `src/mcp/chii-relay.ts` (Node) sends the close frame / HTTP error body;
+*   - `src/in-app/attach.ts` (browser) observes relay-bound WebSockets and
+*     surfaces the code to the launcher shell;
+*   - `src/mcp/chii-connection.ts` (Node daemon client) recognises the code
+*     as an auth failure on its own `/client` dial (defensive — #439's fresh
+*     code mint means it should not normally hit this).
+*
+* This module is intentionally dependency-free (no Node, no DOM) so it is
+* safe to import from both the browser in-app bundle and the MCP daemon
+* bundle.
+*
+* SECRET-HANDLING: these are fixed enum values. The close reason / error body
+* must never grow to carry a secret, a TOTP code, or a host.
+*/
+/**
+* WebSocket close code sent by the relay when TOTP auth is rejected.
+*
+* 4000–4999 is the application-reserved range (RFC 6455 §7.4.2); 4401 mirrors
+* HTTP 401 so it reads as "unauthorized" at a glance.
+*/
+const RELAY_AUTH_REJECT_CLOSE_CODE = 4401;
+/**
+* Close reason string accompanying {@link RELAY_AUTH_REJECT_CLOSE_CODE}, and
+* the `error` value of the relay's HTTP 401 JSON body. Enum string only —
+* never interpolated with request data.
+*/
+const RELAY_AUTH_REJECT_REASON = "totp-rejected";
+//#endregion
 //#region src/mcp/log.ts
 /**
 * Allowed field keys that may pass through to a log line.
@@ -467,12 +508,15 @@ var ChiiCdpConnection = class {
 		await new Promise((resolve, reject) => {
 			ws.once("open", () => resolve());
 			ws.once("error", (err) => reject(err));
+			ws.once("close", (code) => {
+				if (code === 4401) reject(/* @__PURE__ */ new Error("relay 인증(TOTP)이 거부됐습니다 (close 4401). 코드가 만료됐을 수 있습니다 — 재연결 시 새 코드가 발급됩니다."));
+			});
 		});
 		this.lastCrashDetectedAt = null;
 		this.targetLastSeenAt.clear();
 		this.connectionState = "connected";
 		ws.on("message", (data) => this.handleMessage(data.toString()));
-		ws.on("close", () => this.handleDisconnect("relay WebSocket 연결이 끊겼습니다"));
+		ws.on("close", (code) => this.handleDisconnect(code === 4401 ? "relay 인증(TOTP)이 거부돼 연결이 종료됐습니다 (close 4401)" : "relay WebSocket 연결이 끊겼습니다"));
 		ws.on("error", (err) => this.handleDisconnect(`relay WebSocket 오류: ${err.message}`));
 		this.sendFireAndForget("Runtime.enable");
 		this.sendFireAndForget("Network.enable");
@@ -721,12 +765,27 @@ var ChiiCdpConnection = class {
 * entries.
 *
 * TOTP auth (relay-side, authoritative gate):
-*   When `verifyAuth` is provided, this module registers HTTP 'upgrade' and
-*   'request' listeners on the server BEFORE calling `chii.start({server})`.
-*   Node's `http.Server` calls listeners in registration order; the first to
-*   call `socket.destroy()` (upgrade) or `res.end()` (request) wins. Invalid
-*   auth → 401 + destroy (chii never sees the connection). Valid auth →
-*   return without side-effect (chii handles it).
+*   When `verifyAuth` is provided, this module gates both inbound surfaces:
+*
+*   - HTTP 'request': a listener registered BEFORE `chii.start({server})`.
+*     Node's `http.Server` calls listeners in registration order; the first
+*     to call `res.end()` wins. Invalid auth → 401 + CORS header + a tiny
+*     JSON body (`{"error":"totp-rejected"}`) so a cross-origin script
+*     `fetch()` probe can READ the status (issue #478). Valid auth → return
+*     without side-effect (chii's Koa handler serves it).
+*
+*   - WS 'upgrade': after `chii.start()` has registered chii's own upgrade
+*     listener, we take over the upgrade chain (remove chii's listeners,
+*     re-dispatch manually). Invalid auth → accept-then-close: complete the
+*     handshake via a `noServer` WebSocketServer, then immediately close
+*     with code 4401 reason 'totp-rejected' (issue #478). A raw 401 +
+*     `socket.destroy()` only ever surfaced as close code 1006 in the
+*     browser — indistinguishable from a tunnel failure, which left the
+*     env-2 phone UI silent. The explicit dispatch (not listener ordering)
+*     is what keeps chii away from rejected sockets: accept-then-close
+*     leaves the socket alive, so an order-based early-return would let
+*     chii's later listener complete a SECOND handshake on the same socket
+*     — an auth bypass. Valid auth → forward to chii's captured listeners.
 *
 * TOTP code transports (issue #466) — two equivalent ways to carry the code:
 *   1. Query param `at=<code>` — used by the daemon-side `/client` connection
@@ -753,6 +812,66 @@ var ChiiCdpConnection = class {
 *   predicate from the caller's perspective; this module only forwards pass/fail.
 */
 const require$1 = createRequire(import.meta.url);
+/**
+* WS keepalive ping interval (ms).
+*
+* Cloudflare proxied connections are dropped after ~100 s of no traffic.
+* 45 s comfortably fits inside that window and lets both the phone-target leg
+* and the daemon-client leg survive idle CDP sessions.
+*/
+const DEFAULT_KEEPALIVE_INTERVAL_MS = 45e3;
+/**
+* Loads chii's internal WebSocketServer class and returns it together with a
+* flag indicating whether the real class was found.
+*
+* Returns `null` if the internal path is not resolvable (future chii release
+* changes the layout) — callers skip keepalive gracefully.
+*/
+function tryLoadChiiWssClass() {
+	try {
+		const mod = require$1("chii/server/lib/WebSocketServer");
+		if (typeof mod === "function") return mod;
+	} catch {}
+	return null;
+}
+/**
+* Calls `chii.start()` and returns the chii `WebSocketServer` instance that
+* was constructed during the call.
+*
+* How: `chii/server/index.js`'s `start()` creates `new WebSocketServer()`
+* where `WebSocketServer` is captured from `require('./lib/WebSocketServer')`
+* at module load time. The class reference is stable, so we can temporarily
+* patch `ChiiWssClass.prototype.start` — which runs *on the instance* —
+* to record `this` before the original `start` runs.
+*
+* The patch is installed before `chii.start()` and removed (via `finally`)
+* immediately after, so concurrent `startChiiRelay` calls nest correctly: each
+* call's patch overrides the previous in the prototype chain for the duration
+* of its own `chii.start()` call, restoring the prior descriptor on exit.
+*
+* If `ChiiWssClass` is null (internal path changed in a future chii release),
+* `chii.start()` runs unpatched and the function returns null — callers skip
+* keepalive gracefully without affecting relay correctness.
+*/
+async function startChiiWithCapture(chii, startOptions, ChiiWssClass) {
+	if (ChiiWssClass === null) {
+		await chii.start(startOptions);
+		return null;
+	}
+	let captured = null;
+	const proto = ChiiWssClass.prototype;
+	const originalStart = proto.start;
+	proto.start = function(server) {
+		captured = this;
+		return originalStart.call(this, server);
+	};
+	try {
+		await chii.start(startOptions);
+	} finally {
+		proto.start = originalStart;
+	}
+	return captured;
+}
 function loadChiiServer() {
 	const mod = require$1("chii");
 	if (typeof mod === "object" && mod !== null && "start" in mod && typeof mod.start === "function") return mod;
@@ -805,6 +924,7 @@ async function startChiiRelay(options = {}) {
 	const requestedPort = options.port ?? 0;
 	const host = options.host ?? "127.0.0.1";
 	const { verifyAuth, onAuthReject } = options;
+	const keepaliveIntervalMs = options.keepaliveIntervalMs !== void 0 ? options.keepaliveIntervalMs : DEFAULT_KEEPALIVE_INTERVAL_MS;
 	const httpServer = createServer();
 	const notifyAuthReject = (kind) => {
 		if (onAuthReject === void 0) return;
@@ -812,33 +932,41 @@ async function startChiiRelay(options = {}) {
 			onAuthReject({ kind });
 		} catch {}
 	};
+	if (verifyAuth) httpServer.on("request", (req, res) => {
+		const rewritten = rewriteAtPathPrefix(req.url ?? "");
+		if (rewritten === null) return;
+		req.url = rewritten;
+		if (!verifyAuth(req)) {
+			res.statusCode = 401;
+			res.setHeader("Access-Control-Allow-Origin", "*");
+			res.setHeader("Content-Type", "application/json");
+			res.end(JSON.stringify({ error: RELAY_AUTH_REJECT_REASON }));
+			notifyAuthReject("http-request");
+		}
+	});
+	const chiiWssClass = keepaliveIntervalMs > 0 ? tryLoadChiiWssClass() : null;
+	const capturedChiiWss = await startChiiWithCapture(loadChiiServer(), {
+		server: httpServer,
+		domain: `${host}:${requestedPort}`,
+		port: requestedPort
+	}, chiiWssClass);
 	if (verifyAuth) {
-		httpServer.on("upgrade", (req, socket) => {
+		const chiiUpgradeListeners = httpServer.listeners("upgrade");
+		httpServer.removeAllListeners("upgrade");
+		const rejectWss = new WebSocketServer({ noServer: true });
+		httpServer.on("upgrade", (req, socket, head) => {
 			const rewritten = rewriteAtPathPrefix(req.url ?? "");
 			if (rewritten !== null) req.url = rewritten;
 			if (!verifyAuth(req)) {
-				socket.write("HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n");
-				socket.destroy();
+				rejectWss.handleUpgrade(req, socket, head, (ws) => {
+					ws.close(RELAY_AUTH_REJECT_CLOSE_CODE, RELAY_AUTH_REJECT_REASON);
+				});
 				notifyAuthReject("ws-upgrade");
 				return;
 			}
-		});
-		httpServer.on("request", (req, res) => {
-			const rewritten = rewriteAtPathPrefix(req.url ?? "");
-			if (rewritten === null) return;
-			req.url = rewritten;
-			if (!verifyAuth(req)) {
-				res.statusCode = 401;
-				res.end();
-				notifyAuthReject("http-request");
-			}
+			for (const listener of chiiUpgradeListeners) listener(req, socket, head);
 		});
 	}
-	await loadChiiServer().start({
-		server: httpServer,
-		domain: `${host}:${requestedPort}`,
-		port: requestedPort
-	});
 	const actualPort = await new Promise((resolve, reject) => {
 		httpServer.once("error", reject);
 		httpServer.listen(requestedPort, host, () => {
@@ -846,10 +974,21 @@ async function startChiiRelay(options = {}) {
 			resolve(httpServer.address().port);
 		});
 	});
+	let keepaliveHandle = null;
+	if (keepaliveIntervalMs > 0 && capturedChiiWss !== null) {
+		const chiiWss = capturedChiiWss;
+		keepaliveHandle = setInterval(() => {
+			for (const client of chiiWss._wss.clients) if (client.readyState === 1) client.ping();
+		}, keepaliveIntervalMs);
+	}
 	return {
 		port: actualPort,
 		baseUrl: `http://${host}:${actualPort}`,
 		close: () => new Promise((resolve) => {
+			if (keepaliveHandle !== null) {
+				clearInterval(keepaliveHandle);
+				keepaliveHandle = null;
+			}
 			httpServer.close(() => resolve());
 		})
 	};
@@ -1008,35 +1147,65 @@ function buildDeepLinkAttachUrl(schemeUrl, wssUrl, totpCode) {
 //#endregion
 //#region src/mcp/devtools-opener.ts
 /**
-* Base URL for the Chrome DevTools inspector hosted on appspot.
-*
-* The `@` path segment is the "latest / bleeding edge" alias which tracks the
-* current Chrome stable CDP protocol version — compatible with the chobitsu-
-* based CDP that Chii injects. A specific commit hash may be pinned here if
-* a regression is observed.
-*/
-const DEVTOOLS_FRONTEND_BASE = "https://chrome-devtools-frontend.appspot.com/serve_file/@/inspector.html";
-/**
-* Assembles the Chrome DevTools inspector URL that connects to a Chii relay
-* WebSocket.
-*
-* The `wss=` parameter expects a host-and-path string without the `wss://`
-* scheme prefix — the DevTools frontend prepends it automatically.
-*
-* @param wssRelayUrl - Full `wss://` URL of the Chii relay (public tunnel).
-*   Example: `wss://abc.trycloudflare.com`
+* Assembles the Chii self-hosted DevTools inspector URL for a given relay
+* and target.
+*
+* Chii serves its own DevTools frontend at
+* `<relayHttpBaseUrl>/front_end/chii_app.html`. The `ws=` (plain HTTP relay)
+* or `wss=` (HTTPS relay) query parameter is a URL-encoded string of the form
+* `<relay-host>/client/<uuid>?target=<id>` (and optionally `&at=<totp>`) —
+* the same format used by Chii's own target list page (derived from
+* `chii/public/index.js`).
+*
+* The `at=` TOTP code is minted at call time via `mintTotp()`.  It is valid
+* for the current 30-second RFC 6238 step (±1 step skew = 90 s acceptance
+* window).  The developer must open the returned URL within that window.  If
+* the window expires before the browser connects, the relay will reject the
+* WebSocket upgrade with close code 4401.
+*
+* SECRET-HANDLING: `mintTotp` returns a code, not a secret. The code is
+* embedded in the `wss=` parameter (inside the `at=` param) of the returned
+* URL. Callers MUST NOT log the returned URL to stdout (stderr is OK — it is
+* the intended fallback surface for the developer to copy the URL).
+*
+* @param relayHttpBaseUrl - Local HTTP base URL of the Chii relay, e.g.
+*   `http://127.0.0.1:9100`. No trailing slash.
+* @param targetId - Chii target id (from `GET <relay>/targets`).
+* @param mintTotp - Optional function that returns a fresh 6-digit TOTP code
+*   string. Called at most once. When omitted (TOTP disabled) no `at=` param
+*   is added.
 * @param panel - Initial panel. Defaults to `"console"`.
 *
 * @example
-* buildChromeDevtoolsUrl('wss://abc.trycloudflare.com')
-* // → 'https://chrome-devtools-frontend.appspot.com/serve_file/@/inspector.html?wss=abc.trycloudflare.com&panel=console'
-*/
-function buildChromeDevtoolsUrl(wssRelayUrl, panel = "console") {
-	const wssParam = wssRelayUrl.replace(/^wss:\/\//i, "");
-	return `${DEVTOOLS_FRONTEND_BASE}?${new URLSearchParams({
-		wss: wssParam,
+* buildChiiInspectorUrl(
+*   'http://127.0.0.1:9100',
+*   'abc123',
+*   () => generateTotp(secret),
+* )
+* // → 'http://127.0.0.1:9100/front_end/chii_app.html?ws=127.0.0.1%3A9100%2Fclient%2F<uuid>%3Ftarget%3Dabc123%26at%3D<code>'
+*/
+function buildChiiInspectorUrl(relayHttpBaseUrl, targetId, mintTotp, panel = "console") {
+	let relayHost;
+	let wsParamName;
+	try {
+		const parsed = new URL(relayHttpBaseUrl);
+		relayHost = parsed.host;
+		wsParamName = parsed.protocol === "https:" ? "wss" : "ws";
+	} catch {
+		relayHost = relayHttpBaseUrl.replace(/^https?:\/\//i, "");
+		wsParamName = /^https:/i.test(relayHttpBaseUrl) ? "wss" : "ws";
+	}
+	const clientId = `devtools-opener-${Date.now().toString(36)}`;
+	let wsPath = `${relayHost}/client/${clientId}?target=${encodeURIComponent(targetId)}`;
+	if (mintTotp) {
+		const code = mintTotp();
+		wsPath += `&at=${encodeURIComponent(code)}`;
+	}
+	const params = new URLSearchParams({
+		[wsParamName]: wsPath,
 		panel
-	}).toString()}`;
+	});
+	return `${relayHttpBaseUrl.replace(/\/$/, "")}/front_end/chii_app.html?${params.toString()}`;
 }
 /**
 * Returns `true` when auto-open is **disabled** via the `AIT_AUTO_DEVTOOLS`
@@ -1106,31 +1275,45 @@ function openUrlInBrowser(url) {
 var AutoDevtoolsOpener = class {
 	_opened = false;
 	/**
-	* Attempts to auto-open Chrome DevTools.
+	* Attempts to auto-open Chii DevTools in the developer's browser.
+	*
+	* Builds a `<relay-base>/front_end/chii_app.html?wss=…` URL pointing at the
+	* attached target. A fresh TOTP `at=` code is minted at call time so the
+	* relay's WebSocket upgrade gate accepts the connection.
 	*
 	* No-op when any of the following conditions hold:
 	*   1. Already opened this session (`_opened` is true).
 	*   2. `AIT_AUTO_DEVTOOLS=0` opt-out is set.
-	*   3. Environment is `mock` (env 1 — F12 is already available).
-	*   4. `wssRelayUrl` is null/undefined/empty (tunnel not yet up).
+	*   3. `options.env` is `mock` (env 1 — F12 is already available).
+	*   4. `options.relayHttpBaseUrl` is null/undefined/empty (relay not up yet).
+	*   5. `options.targetId` is null/undefined/empty (no page attached yet).
 	*
 	* Always writes the DevTools URL to stderr so the developer can copy it
 	* if the browser open fails or the popup is blocked.
 	*
-	* @param wssRelayUrl - The public `wss://` relay URL (from tunnel status).
-	* @param env - Current MCP environment (`mock` | `relay`).
+	* TOTP expiry caveat: the `at=` code embedded in the URL is valid for the
+	* current 30-second RFC 6238 step (±1 skew = 90 s). The developer must open
+	* the URL within that window; if they miss it, reload the page or re-run
+	* `open()` (though the once-per-session guard prevents that — restart the
+	* MCP server if needed).
+	*
+	* SECRET-HANDLING: the inspector URL (written to stderr) contains the relay
+	* host and a short-lived TOTP code. Do NOT write it to stdout or any
+	* persistent log.
 	*/
-	open(wssRelayUrl, env) {
+	open(options) {
 		if (this._opened) return;
 		if (isAutoDevtoolsDisabled()) return;
-		if (env === "mock") return;
-		if (!wssRelayUrl) return;
+		if (options.env === "mock") return;
+		if (!options.relayHttpBaseUrl) return;
+		if (!options.targetId) return;
 		this._opened = true;
-		const devtoolsUrl = buildChromeDevtoolsUrl(wssRelayUrl);
-		process.stderr.write(`[ait-debug] 기기가 연결됐습니다 — Chrome DevTools를 자동으로 엽니다.
-[ait-debug] Chrome DevTools URL: ${devtoolsUrl}\n[ait-debug] (AIT_AUTO_DEVTOOLS=0 으로 자동 열기를 끌 수 있습니다)
+		const inspectorUrl = buildChiiInspectorUrl(options.relayHttpBaseUrl, options.targetId, options.mintTotp);
+		process.stderr.write(`[ait-debug] 기기가 연결됐습니다 — Chii DevTools를 자동으로 엽니다.
+[ait-debug] DevTools URL: ${inspectorUrl}\n[ait-debug] (AIT_AUTO_DEVTOOLS=0 으로 자동 열기를 끌 수 있습니다)
+[ait-debug] 주의: URL의 at= 코드는 30초 창 안에서만 유효합니다.
 `);
-		if (!openUrlInBrowser(devtoolsUrl)) process.stderr.write("[ait-debug] 브라우저 자동 열기 실패 — 위 URL을 브라우저에서 직접 여세요.\n");
+		if (!openUrlInBrowser(inspectorUrl)) process.stderr.write("[ait-debug] 브라우저 자동 열기 실패 — 위 URL을 브라우저에서 직접 여세요.\n");
 	}
 	/** Returns `true` if `open()` has passed all guards and fired once. */
 	get opened() {
@@ -1934,6 +2117,7 @@ const en = {
 	"launcher.invalidUrl": "Enter a valid http(s):// URL.",
 	"launcher.debugAuthFailed": "Debug connection authentication failed",
 	"launcher.debugAuthFailedHint": "The QR code may have expired. Scan a fresh QR code.",
+	"launcher.debugAuthExpiredHint": "The debug session has expired. Scan a fresh QR from the attach page on your Mac.",
 	"launcher.debugAuthRescanCta": "Scan a new QR",
 	"launcher.diagFab": "Diag",
 	"launcher.diagTitle": "Viewport diagnostics",
@@ -2177,6 +2361,7 @@ const tables = {
 		"launcher.invalidUrl": "올바른 http(s):// URL을 입력하세요.",
 		"launcher.debugAuthFailed": "디버그 연결 인증 실패",
 		"launcher.debugAuthFailedHint": "QR 코드가 만료되었을 수 있어요. 새 QR을 다시 스캔하세요.",
+		"launcher.debugAuthExpiredHint": "디버그 세션이 만료됐어요. Mac의 attach 페이지에서 새 QR을 스캔하세요.",
 		"launcher.debugAuthRescanCta": "새 QR 스캔하기",
 		"launcher.diagFab": "진단",
 		"launcher.diagTitle": "뷰포트 진단",
@@ -4381,7 +4566,7 @@ async function readMcpSdkVersion() {
 * some test environments that skip the build step).
 */
 function readDevtoolsVersion() {
-	return "0.1.69";
+	return "0.1.71";
 }
 /**
 * Derives the next recommended action from a completed diagnostics snapshot.
@@ -4885,7 +5070,7 @@ function createDebugServer(deps) {
 	const collector = collectorDep ?? new InMemoryDiagnosticsCollector();
 	const server = new Server({
 		name: "ait-debug",
-		version: "0.1.69"
+		version: "0.1.71"
 	}, { capabilities: { tools: { listChanged: true } } });
 	server.setRequestHandler(ListToolsRequestSchema, () => {
 		const conn = router.active;
@@ -5641,6 +5826,7 @@ async function bootRelayFamily(options = {}) {
 	return {
 		connection,
 		relayOrigin: "intoss-webview",
+		relayHttpUrl: relay.baseUrl,
 		getTunnelStatus: () => tunnelStatus,
 		stop() {
 			tunnelProbe?.stop();
@@ -5677,6 +5863,7 @@ async function bootExternalRelayFamily(relayBaseUrl) {
 	return {
 		connection,
 		relayOrigin: "external-pwa",
+		relayHttpUrl: relayBaseUrl,
 		getTunnelStatus: () => tunnelStatus,
 		stop() {
 			connection.close();
@@ -5843,7 +6030,16 @@ var DualConnectionRouter = class {
 		this.attachWatcher = startAttachWatcher(activeFamily.connection, server, this.deps.attachWatcherIntervalMs ?? 1e3, () => {
 			this.deps.diagnosticsCollector.recordAttach();
 			this.deps.onPageAttach?.();
-			if (activeFamily.connection.kind === "relay") this.deps.devtoolsOpener.open(this.relayTunnelStatus().wssUrl, deriveEnvironment(activeFamily.connection.kind, getLiveIntent(), activeFamily.relayOrigin));
+			if (activeFamily.connection.kind === "relay") {
+				const firstTarget = activeFamily.connection.listTargets()[0];
+				const env = deriveEnvironment(activeFamily.connection.kind, getLiveIntent(), activeFamily.relayOrigin);
+				this.deps.devtoolsOpener.open({
+					relayHttpBaseUrl: activeFamily.relayHttpUrl,
+					targetId: firstTarget?.id,
+					mintTotp: process.env.AIT_DEBUG_TOTP_SECRET ? () => generateTotp(process.env.AIT_DEBUG_TOTP_SECRET) : void 0,
+					env
+				});
+			}
 		});
 	}
 	/**
@@ -6761,7 +6957,7 @@ function createDevServer(deps = {}) {
 	const aitSource = deps.aitSource ?? new HttpAitSource({ stateEndpoint });
 	const server = new Server({
 		name: "ait-devtools",
-		version: "0.1.69"
+		version: "0.1.71"
 	}, { capabilities: { tools: {} } });
 	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: DEV_TOOL_DEFINITIONS.map((tool) => ({ ...tool })) }));
 	server.setRequestHandler(CallToolRequestSchema, async (request) => {