@aquaclawai/aquarium 1.0.0

package/dist/routes/instance-files.js

@@ -0,0 +1,255 @@
+import { Router } from 'express';
+import path from 'node:path';
+import { requireAuth } from '../middleware/auth.js';
+import { getInstance } from '../services/instance-manager.js';
+import { getAgentType } from '../agent-types/registry.js';
+import { getRuntimeEngine } from '../runtime/factory.js';
+const MAX_UPLOAD_SIZE = 10 * 1024 * 1024;
+const BASE64_CHUNK_SIZE = 65536;
+const MIME_BY_EXT = {
+    '.xls': 'application/vnd.ms-excel',
+    '.xlsx': 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+    '.doc': 'application/msword',
+    '.docx': 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+    '.pdf': 'application/pdf',
+    '.csv': 'text/csv',
+    '.txt': 'text/plain',
+    '.md': 'text/markdown',
+    '.json': 'application/json',
+    '.png': 'image/png',
+    '.jpg': 'image/jpeg',
+    '.jpeg': 'image/jpeg',
+    '.gif': 'image/gif',
+    '.webp': 'image/webp',
+    '.svg': 'image/svg+xml',
+    '.zip': 'application/zip',
+    '.py': 'text/x-python',
+    '.js': 'text/javascript',
+    '.ts': 'text/typescript',
+};
+const router = Router();
+router.use(requireAuth);
+router.post('/:id/files/upload', async (req, res) => {
+    try {
+        const { fileName, content, mimeType } = req.body;
+        if (!fileName || !content || !mimeType) {
+            res.status(400).json({
+                ok: false,
+                error: 'Missing required fields: fileName, content, mimeType',
+            });
+            return;
+        }
+        const estimatedSize = Math.ceil(content.length * 0.75);
+        if (estimatedSize > MAX_UPLOAD_SIZE) {
+            res.status(413).json({
+                ok: false,
+                error: `File too large. Maximum size is ${MAX_UPLOAD_SIZE / 1024 / 1024}MB`,
+            });
+            return;
+        }
+        // Security: sanitize fileName to prevent path traversal
+        const sanitized = fileName.replace(/[^a-zA-Z0-9._\-\u4e00-\u9fff\u3040-\u309f\u30a0-\u30ff]/g, '_');
+        if (!sanitized || sanitized.startsWith('.')) {
+            res.status(400).json({
+                ok: false,
+                error: 'Invalid file name',
+            });
+            return;
+        }
+        const instance = await getInstance(req.params.id, req.auth.userId);
+        if (!instance) {
+            res.status(404).json({ ok: false, error: 'Instance not found' });
+            return;
+        }
+        if (instance.status !== 'running') {
+            res.status(409).json({ ok: false, error: 'Instance is not running' });
+            return;
+        }
+        if (!instance.runtimeId) {
+            res.status(409).json({ ok: false, error: 'Instance has no runtime' });
+            return;
+        }
+        const agentType = getAgentType(instance.agentType);
+        if (!agentType) {
+            res.status(500).json({ ok: false, error: 'Unknown agent type' });
+            return;
+        }
+        const engine = getRuntimeEngine(instance.deploymentTarget);
+        if (!engine.exec) {
+            res.status(501).json({
+                ok: false,
+                error: 'Runtime engine does not support exec',
+            });
+            return;
+        }
+        const volumeMountPath = agentType.manifest.volumes[0]?.mountPath || '/home/node/.openclaw';
+        const uploadsRelative = `uploads/${Date.now()}-${sanitized}`;
+        const fullPath = `${volumeMountPath}/workspace/${uploadsRelative}`;
+        const dir = fullPath.substring(0, fullPath.lastIndexOf('/'));
+        await engine.exec(instance.runtimeId, ['mkdir', '-p', dir]);
+        if (content.length <= BASE64_CHUNK_SIZE) {
+            await engine.exec(instance.runtimeId, [
+                'sh', '-c', `printf '%s' '${content}' | base64 -d > '${fullPath}'`,
+            ]);
+        }
+        else {
+            // Large files: write base64 to temp file in chunks, then decode
+            const tempPath = `${fullPath}.b64`;
+            const chunks = [];
+            for (let i = 0; i < content.length; i += BASE64_CHUNK_SIZE) {
+                chunks.push(content.slice(i, i + BASE64_CHUNK_SIZE));
+            }
+            await engine.exec(instance.runtimeId, [
+                'sh', '-c', `printf '%s' '${chunks[0]}' > '${tempPath}'`,
+            ]);
+            for (let i = 1; i < chunks.length; i++) {
+                await engine.exec(instance.runtimeId, [
+                    'sh', '-c', `printf '%s' '${chunks[i]}' >> '${tempPath}'`,
+                ]);
+            }
+            await engine.exec(instance.runtimeId, [
+                'sh', '-c', `base64 -d '${tempPath}' > '${fullPath}' && rm -f '${tempPath}'`,
+            ]);
+        }
+        console.log(`[instance-files] Uploaded ${sanitized} (${mimeType}, ~${Math.round(estimatedSize / 1024)}KB) to ${instance.id}:${fullPath}`);
+        res.json({
+            ok: true,
+            data: { path: uploadsRelative },
+        });
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error('[instance-files] Upload failed:', message);
+        res.status(500).json({ ok: false, error: message });
+    }
+});
+router.get('/:id/files/list', async (req, res) => {
+    try {
+        const instance = await getInstance(req.params.id, req.auth.userId);
+        if (!instance) {
+            res.status(404).json({ ok: false, error: 'Instance not found' });
+            return;
+        }
+        if (instance.status !== 'running') {
+            res.status(409).json({ ok: false, error: 'Instance is not running' });
+            return;
+        }
+        if (!instance.runtimeId) {
+            res.status(409).json({ ok: false, error: 'Instance has no runtime' });
+            return;
+        }
+        const agentType = getAgentType(instance.agentType);
+        if (!agentType) {
+            res.status(500).json({ ok: false, error: 'Unknown agent type' });
+            return;
+        }
+        const engine = getRuntimeEngine(instance.deploymentTarget);
+        if (!engine.exec) {
+            res.status(501).json({ ok: false, error: 'Runtime engine does not support exec' });
+            return;
+        }
+        const volumeMountPath = agentType.manifest.volumes[0]?.mountPath || '/home/node/.openclaw';
+        const uploadsDir = `${volumeMountPath}/workspace/uploads`;
+        const result = await engine.exec(instance.runtimeId, [
+            'sh', '-c',
+            `find '${uploadsDir}' -maxdepth 1 -type f -printf '%s\\t%T@\\t%f\\n' 2>/dev/null || true`,
+        ]);
+        const files = [];
+        const stdout = result.stdout?.trim();
+        if (stdout) {
+            for (const line of stdout.split('\n')) {
+                const parts = line.split('\t');
+                if (parts.length < 3)
+                    continue;
+                const [sizeStr, modifiedStr, ...nameParts] = parts;
+                const name = nameParts.join('\t');
+                const size = parseInt(sizeStr, 10);
+                const modifiedEpoch = parseFloat(modifiedStr);
+                const ext = path.extname(name).toLowerCase();
+                const mimeType = MIME_BY_EXT[ext] || 'application/octet-stream';
+                files.push({
+                    name,
+                    path: `uploads/${name}`,
+                    size: isNaN(size) ? 0 : size,
+                    mimeType,
+                    modified: isNaN(modifiedEpoch)
+                        ? new Date().toISOString()
+                        : new Date(modifiedEpoch * 1000).toISOString(),
+                });
+            }
+        }
+        files.sort((a, b) => new Date(b.modified).getTime() - new Date(a.modified).getTime());
+        res.json({
+            ok: true,
+            data: { files },
+        });
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error('[instance-files] List failed:', message);
+        res.status(500).json({ ok: false, error: message });
+    }
+});
+// ── Download / read file ─────────────────────────────────────────────
+router.get('/:id/files/download', async (req, res) => {
+    try {
+        const filePath = req.query.path;
+        if (!filePath) {
+            res.status(400).json({ ok: false, error: 'Missing query param: path' });
+            return;
+        }
+        // Security: only allow files under uploads/ and reject path traversal
+        const normalized = path.normalize(filePath);
+        if (!normalized.startsWith('uploads/') || normalized.includes('..')) {
+            res.status(403).json({ ok: false, error: 'Access denied: path must be under uploads/' });
+            return;
+        }
+        const instance = await getInstance(req.params.id, req.auth.userId);
+        if (!instance) {
+            res.status(404).json({ ok: false, error: 'Instance not found' });
+            return;
+        }
+        if (instance.status !== 'running') {
+            res.status(409).json({ ok: false, error: 'Instance is not running' });
+            return;
+        }
+        if (!instance.runtimeId) {
+            res.status(409).json({ ok: false, error: 'Instance has no runtime' });
+            return;
+        }
+        const agentType = getAgentType(instance.agentType);
+        if (!agentType) {
+            res.status(500).json({ ok: false, error: 'Unknown agent type' });
+            return;
+        }
+        const engine = getRuntimeEngine(instance.deploymentTarget);
+        if (!engine.exec) {
+            res.status(501).json({ ok: false, error: 'Runtime engine does not support exec' });
+            return;
+        }
+        const volumeMountPath = agentType.manifest.volumes[0]?.mountPath || '/home/node/.openclaw';
+        const fullPath = `${volumeMountPath}/workspace/${normalized}`;
+        const result = await engine.exec(instance.runtimeId, [
+            'sh', '-c', `base64 '${fullPath}'`,
+        ]);
+        if (result.exitCode !== 0) {
+            res.status(404).json({ ok: false, error: 'File not found or unreadable' });
+            return;
+        }
+        const content = result.stdout?.replace(/\s+/g, '') || '';
+        const fileName = path.basename(normalized);
+        const ext = path.extname(fileName).toLowerCase();
+        const mimeType = MIME_BY_EXT[ext] || 'application/octet-stream';
+        res.json({
+            ok: true,
+            data: { content, mimeType, encoding: 'base64' },
+        });
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error('[instance-files] Download failed:', message);
+        res.status(500).json({ ok: false, error: message });
+    }
+});
+export default router;
+//# sourceMappingURL=instance-files.js.map

package/dist/routes/instance-files.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"instance-files.js","sourceRoot":"","sources":["../../src/routes/instance-files.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAGzD,MAAM,eAAe,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AACzC,MAAM,iBAAiB,GAAG,KAAK,CAAC;AAEhC,MAAM,WAAW,GAA2B;IAC1C,MAAM,EAAE,0BAA0B;IAClC,OAAO,EAAE,mEAAmE;IAC5E,MAAM,EAAE,oBAAoB;IAC5B,OAAO,EAAE,yEAAyE;IAClF,MAAM,EAAE,iBAAiB;IACzB,MAAM,EAAE,UAAU;IAClB,MAAM,EAAE,YAAY;IACpB,KAAK,EAAE,eAAe;IACtB,OAAO,EAAE,kBAAkB;IAC3B,MAAM,EAAE,WAAW;IACnB,MAAM,EAAE,YAAY;IACpB,OAAO,EAAE,YAAY;IACrB,MAAM,EAAE,WAAW;IACnB,OAAO,EAAE,YAAY;IACrB,MAAM,EAAE,eAAe;IACvB,MAAM,EAAE,iBAAiB;IACzB,KAAK,EAAE,eAAe;IACtB,KAAK,EAAE,iBAAiB;IACxB,KAAK,EAAE,iBAAiB;CACzB,CAAC;AAEF,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;AACxB,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;AAExB,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;IAClD,IAAI,CAAC;QACH,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,IAI3C,CAAC;QAEF,IAAI,CAAC,QAAQ,IAAI,CAAC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;YACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,sDAAsD;aACxC,CAAC,CAAC;YACzB,OAAO;QACT,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACvD,IAAI,aAAa,GAAG,eAAe,EAAE,CAAC;YACpC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,mCAAmC,eAAe,GAAG,IAAI,GAAG,IAAI,IAAI;aACtD,CAAC,CAAC;YACzB,OAAO;QACT,CAAC;QAED,wDAAwD;QACxD,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,0DAA0D,EAAE,GAAG,CAAC,CAAC;QACpG,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,mBAAmB;aACL,CAAC,CAAC;YACzB,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,IAAK,CAAC,MAAM,CAAC,CAAC;QACpE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAwB,CAAC,CAAC;YACvF,OAAO;QACT,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAClC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAwB,CAAC,CAAC;YAC5F,OAAO;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAwB,CAAC,CAAC;YAC5F,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAwB,CAAC,CAAC;YACvF,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,sCAAsC;aACxB,CAAC,CAAC;YACzB,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,SAAS,IAAI,sBAAsB,CAAC;QAC3F,MAAM,eAAe,GAAG,WAAW,IAAI,CAAC,GAAG,EAAE,IAAI,SAAS,EAAE,CAAC;QAC7D,MAAM,QAAQ,GAAG,GAAG,eAAe,cAAc,eAAe,EAAE,CAAC;QACnE,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;QAE7D,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;QAE5D,IAAI,OAAO,CAAC,MAAM,IAAI,iBAAiB,EAAE,CAAC;YACxC,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE;gBACpC,IAAI,EAAE,IAAI,EAAE,gBAAgB,OAAO,oBAAoB,QAAQ,GAAG;aACnE,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,gEAAgE;YAChE,MAAM,QAAQ,GAAG,GAAG,QAAQ,MAAM,CAAC;YACnC,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,IAAI,iBAAiB,EAAE,CAAC;gBAC3D,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,iBAAiB,CAAC,CAAC,CAAC;YACvD,CAAC;YACD,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE;gBACpC,IAAI,EAAE,IAAI,EAAE,gBAAgB,MAAM,CAAC,CAAC,CAAC,QAAQ,QAAQ,GAAG;aACzD,CAAC,CAAC;YACH,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACvC,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE;oBACpC,IAAI,EAAE,IAAI,EAAE,gBAAgB,MAAM,CAAC,CAAC,CAAC,SAAS,QAAQ,GAAG;iBAC1D,CAAC,CAAC;YACL,CAAC;YACD,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE;gBACpC,IAAI,EAAE,IAAI,EAAE,cAAc,QAAQ,QAAQ,QAAQ,eAAe,QAAQ,GAAG;aAC7E,CAAC,CAAC;QACL,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,6BAA6B,SAAS,KAAK,QAAQ,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,GAAG,IAAI,CAAC,UAAU,QAAQ,CAAC,EAAE,IAAI,QAAQ,EAAE,CAAC,CAAC;QAE1I,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE;SACQ,CAAC,CAAC;IAC7C,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,OAAO,CAAC,CAAC;QAC1D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAwB,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC,CAAC,CAAC;AAYH,MAAM,CAAC,GAAG,CAAC,iBAAiB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;IAC/C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,IAAK,CAAC,MAAM,CAAC,CAAC;QACpE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAwB,CAAC,CAAC;YACvF,OAAO;QACT,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAClC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAwB,CAAC,CAAC;YAC5F,OAAO;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAwB,CAAC,CAAC;YAC5F,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAwB,CAAC,CAAC;YACvF,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,sCAAsC,EAAwB,CAAC,CAAC;YACzG,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,SAAS,IAAI,sBAAsB,CAAC;QAC3F,MAAM,UAAU,GAAG,GAAG,eAAe,oBAAoB,CAAC;QAE1D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE;YACnD,IAAI,EAAE,IAAI;YACV,SAAS,UAAU,sEAAsE;SAC1F,CAAC,CAAC;QAEH,MAAM,KAAK,GAAmB,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;QACrC,IAAI,MAAM,EAAE,CAAC;YACX,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;oBAAE,SAAS;gBAC/B,MAAM,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,SAAS,CAAC,GAAG,KAAK,CAAC;gBACnD,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAClC,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBACnC,MAAM,aAAa,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;gBAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC7C,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,0BAA0B,CAAC;gBAEhE,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI;oBACJ,IAAI,EAAE,WAAW,IAAI,EAAE;oBACvB,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI;oBAC5B,QAAQ;oBACR,QAAQ,EAAE,KAAK,CAAC,aAAa,CAAC;wBAC5B,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBAC1B,CAAC,CAAC,IAAI,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;iBACjD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;QAEtF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,EAAE,KAAK,EAAE;SACiC,CAAC,CAAC;IACtD,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,OAAO,CAAC,CAAC;QACxD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAwB,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,wEAAwE;AAExE,MAAM,CAAC,GAAG,CAAC,qBAAqB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;IACnD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,IAA0B,CAAC;QACtD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAwB,CAAC,CAAC;YAC9F,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACpE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,4CAA4C,EAAwB,CAAC,CAAC;YAC/G,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,IAAK,CAAC,MAAM,CAAC,CAAC;QACpE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAwB,CAAC,CAAC;YACvF,OAAO;QACT,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAClC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAwB,CAAC,CAAC;YAC5F,OAAO;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAwB,CAAC,CAAC;YAC5F,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAwB,CAAC,CAAC;YACvF,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,sCAAsC,EAAwB,CAAC,CAAC;YACzG,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,SAAS,IAAI,sBAAsB,CAAC;QAC3F,MAAM,QAAQ,GAAG,GAAG,eAAe,cAAc,UAAU,EAAE,CAAC;QAE9D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE;YACnD,IAAI,EAAE,IAAI,EAAE,WAAW,QAAQ,GAAG;SACnC,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YAC1B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAwB,CAAC,CAAC;YACjG,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;QACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;QACjD,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,0BAA0B,CAAC;QAEhE,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAI;YACR,IAAI,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAiB,EAAE;SACwB,CAAC,CAAC;IACtF,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,OAAO,CAAC,CAAC;QAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAwB,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,eAAe,MAAM,CAAC"}

package/dist/routes/instance-proxy.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Instance Proxy Route
+ *
+ * Provides a secure HTTP + WebSocket reverse proxy from the platform to
+ * a running OpenClaw Gateway instance.
+ *
+ * Route: /api/instances/:id/ui/*
+ *
+ * Auth chain:
+ *   1. Platform JWT (requireAuth middleware)
+ *   2. Ownership check — user must own the instance
+ *   3. Inject Gateway auth token as `Authorization: Bearer <authToken>` header
+ *
+ * Security:
+ *   - Only 'running' instances can be proxied
+ *   - Request body capped at 1 MB (express.json already in place; raw body limited here)
+ *   - Path whitelist: blocks obviously dangerous paths like /../
+ *   - Rate limit: 100 req/min per user (simple in-memory counter)
+ */
+import type { Instance } from '@aquarium/shared';
+import type { Server as HttpServer } from 'node:http';
+declare const router: import("express-serve-static-core").Router;
+export default router;
+/**
+ * Attach a WebSocket proxy to the HTTP server.
+ * Listens for upgrade requests on /api/instances/:id/ui (same path the
+ * Gateway Control UI connects to) and tunnels them to the Gateway's
+ * WebSocket endpoint.
+ *
+ * The instanceId is extracted from the URL path.
+ * Auth: cookie `token` (same-origin iframe) or `?token=<jwt>` query param.
+ */
+export declare function attachWebSocketProxy(httpServer: HttpServer, getInstanceFn: (id: string, userId: string) => Promise<Instance | null>, verifyJwt: (token: string) => Promise<{
+    userId: string;
+    email: string;
+} | null> | {
+    userId: string;
+    email: string;
+} | null): void;
+//# sourceMappingURL=instance-proxy.d.ts.map

package/dist/routes/instance-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"instance-proxy.d.ts","sourceRoot":"","sources":["../../src/routes/instance-proxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAOH,OAAO,KAAK,EAAe,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE9D,OAAO,KAAK,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,WAAW,CAAC;AAkCtD,QAAA,MAAM,MAAM,4CAAW,CAAC;AAyIxB,eAAe,MAAM,CAAC;AAItB;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,EACvE,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,GACzH,IAAI,CAuIN"}

package/dist/routes/instance-proxy.js

@@ -0,0 +1,318 @@
+/**
+ * Instance Proxy Route
+ *
+ * Provides a secure HTTP + WebSocket reverse proxy from the platform to
+ * a running OpenClaw Gateway instance.
+ *
+ * Route: /api/instances/:id/ui/*
+ *
+ * Auth chain:
+ *   1. Platform JWT (requireAuth middleware)
+ *   2. Ownership check — user must own the instance
+ *   3. Inject Gateway auth token as `Authorization: Bearer <authToken>` header
+ *
+ * Security:
+ *   - Only 'running' instances can be proxied
+ *   - Request body capped at 1 MB (express.json already in place; raw body limited here)
+ *   - Path whitelist: blocks obviously dangerous paths like /../
+ *   - Rate limit: 100 req/min per user (simple in-memory counter)
+ */
+import { Router } from 'express';
+import { request as httpRequest } from 'node:http';
+import { request as httpsRequest } from 'node:https';
+import { requireAuth } from '../middleware/auth.js';
+import { getInstance } from '../services/instance-manager.js';
+import { WebSocketServer, WebSocket } from 'ws';
+// ── Rate limiter (in-memory, per userId, 100 req / 60s) ──────────────────────
+const rateLimitMap = new Map();
+const RATE_LIMIT = 100;
+const RATE_WINDOW_MS = 60_000;
+function checkRateLimit(userId) {
+    const now = Date.now();
+    const entry = rateLimitMap.get(userId);
+    if (!entry || now > entry.resetAt) {
+        rateLimitMap.set(userId, { count: 1, resetAt: now + RATE_WINDOW_MS });
+        return true;
+    }
+    if (entry.count >= RATE_LIMIT)
+        return false;
+    entry.count++;
+    return true;
+}
+// ── Path sanitisation ─────────────────────────────────────────────────────────
+function sanitizePath(rawPath) {
+    // Must start with /
+    const p = rawPath.startsWith('/') ? rawPath : `/${rawPath}`;
+    // Block path traversal
+    if (p.includes('..') || p.includes('%2e%2e') || p.includes('%2E%2E'))
+        return null;
+    // Block null bytes
+    if (p.includes('\0') || p.includes('%00'))
+        return null;
+    return p;
+}
+// ── Router ────────────────────────────────────────────────────────────────────
+const router = Router();
+router.use(requireAuth);
+/**
+ * GET/POST/PUT/DELETE/PATCH /api/instances/:id/ui/*
+ * Proxy the request to the Gateway HTTP API.
+ */
+router.all('/:id/ui/*', async (req, res) => {
+    if (!checkRateLimit(req.auth.userId)) {
+        res.status(429).json({ ok: false, error: 'Rate limit exceeded' });
+        return;
+    }
+    const instanceId = Array.isArray(req.params['id']) ? req.params['id'][0] : req.params['id'];
+    let instance;
+    try {
+        instance = await getInstance(instanceId, req.auth.userId);
+    }
+    catch {
+        res.status(500).json({ ok: false, error: 'Failed to load instance' });
+        return;
+    }
+    if (!instance) {
+        res.status(404).json({ ok: false, error: 'Instance not found' });
+        return;
+    }
+    if (instance.status !== 'running' || !instance.controlEndpoint) {
+        res.status(400).json({ ok: false, error: 'Instance is not running' });
+        return;
+    }
+    // Build upstream path — strip the /api/instances/:id/ui prefix
+    const suffix = req.params[0] ?? '';
+    const upstreamPath = sanitizePath('/' + suffix + (req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : ''));
+    if (!upstreamPath) {
+        res.status(400).json({ ok: false, error: 'Invalid path' });
+        return;
+    }
+    // Parse the control endpoint to determine host/port
+    let upstreamUrl;
+    try {
+        upstreamUrl = new URL(instance.controlEndpoint);
+    }
+    catch {
+        res.status(502).json({ ok: false, error: 'Invalid control endpoint' });
+        return;
+    }
+    // Build proxy request options
+    const isHttps = upstreamUrl.protocol === 'https:';
+    const reqFn = isHttps ? httpsRequest : httpRequest;
+    const port = upstreamUrl.port || (isHttps ? '443' : '80');
+    // Forward request headers, injecting Gateway auth, stripping platform cookies
+    const forwardHeaders = {};
+    for (const [key, value] of Object.entries(req.headers)) {
+        const lower = key.toLowerCase();
+        // Strip platform-specific headers
+        if (lower === 'cookie' || lower === 'host' || lower === 'connection' || lower === 'transfer-encoding')
+            continue;
+        forwardHeaders[key] = value;
+    }
+    forwardHeaders['authorization'] = `Bearer ${instance.authToken}`;
+    forwardHeaders['host'] = `${upstreamUrl.hostname}:${port}`;
+    forwardHeaders['x-forwarded-for'] = req.ip ?? '';
+    forwardHeaders['x-forwarded-proto'] = req.protocol;
+    // Collect request body
+    const bodyChunks = [];
+    let bodySize = 0;
+    const MAX_BODY = 1_048_576; // 1 MB
+    req.on('data', (chunk) => {
+        bodySize += chunk.length;
+        if (bodySize > MAX_BODY) {
+            res.status(413).json({ ok: false, error: 'Request body too large' });
+            req.destroy();
+            return;
+        }
+        bodyChunks.push(chunk);
+    });
+    req.on('end', () => {
+        const body = bodyChunks.length > 0 ? Buffer.concat(bodyChunks) : undefined;
+        if (body) {
+            forwardHeaders['content-length'] = String(body.length);
+        }
+        else {
+            delete forwardHeaders['content-length'];
+        }
+        const proxyReq = reqFn({
+            hostname: upstreamUrl.hostname,
+            port,
+            path: upstreamPath,
+            method: req.method,
+            headers: forwardHeaders,
+            timeout: 30_000,
+        }, (proxyRes) => {
+            // Strip headers that block iframe embedding — the platform itself
+            // serves the iframe so same-origin framing is safe.
+            const headers = { ...proxyRes.headers };
+            delete headers['x-frame-options'];
+            // Rewrite CSP frame-ancestors to allow our platform origin
+            if (typeof headers['content-security-policy'] === 'string') {
+                headers['content-security-policy'] = headers['content-security-policy']
+                    .replace(/frame-ancestors\s+[^;]+/i, "frame-ancestors 'self'");
+            }
+            res.writeHead(proxyRes.statusCode ?? 502, headers);
+            proxyRes.pipe(res, { end: true });
+        });
+        proxyReq.on('error', (err) => {
+            if (!res.headersSent) {
+                res.status(502).json({ ok: false, error: `Gateway unreachable: ${err.message}` });
+            }
+        });
+        proxyReq.on('timeout', () => {
+            proxyReq.destroy();
+            if (!res.headersSent) {
+                res.status(504).json({ ok: false, error: 'Gateway timeout' });
+            }
+        });
+        if (body) {
+            proxyReq.write(body);
+        }
+        proxyReq.end();
+    });
+    req.on('error', () => {
+        if (!res.headersSent) {
+            res.status(400).json({ ok: false, error: 'Request error' });
+        }
+    });
+});
+export default router;
+// ── WebSocket proxy setup (called from index.ts after server is created) ──────
+/**
+ * Attach a WebSocket proxy to the HTTP server.
+ * Listens for upgrade requests on /api/instances/:id/ui (same path the
+ * Gateway Control UI connects to) and tunnels them to the Gateway's
+ * WebSocket endpoint.
+ *
+ * The instanceId is extracted from the URL path.
+ * Auth: cookie `token` (same-origin iframe) or `?token=<jwt>` query param.
+ */
+export function attachWebSocketProxy(httpServer, getInstanceFn, verifyJwt) {
+    // We do NOT create a wss — we handle the raw 'upgrade' event ourselves to
+    // avoid interference with the existing WebSocket server on the same HTTP server.
+    httpServer.on('upgrade', (req, socket, head) => {
+        const url = req.url ?? '';
+        const match = url.match(/^\/api\/instances\/([^/?]+)\/ui(-ws)?(\/.*)?(?:\?.*)?$/);
+        if (!match)
+            return; // not our route
+        const instanceId = match[1];
+        const pathSuffix = match[3] ?? '/';
+        const queryString = (url.includes('?') ? url.slice(url.indexOf('?')) : '');
+        // Extract JWT from query param or cookie
+        const params = new URLSearchParams(queryString.replace(/^\?/, ''));
+        let jwtToken = params.get('token');
+        if (!jwtToken && req.headers.cookie) {
+            const cookieMatch = req.headers.cookie.match(/(?:^|;\s*)token=([^;]+)/);
+            if (cookieMatch)
+                jwtToken = cookieMatch[1];
+        }
+        if (!jwtToken) {
+            socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
+            socket.destroy();
+            return;
+        }
+        void (async () => {
+            try {
+                const auth = await verifyJwt(jwtToken);
+                if (!auth) {
+                    socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
+                    socket.destroy();
+                    return;
+                }
+                const instance = await getInstanceFn(instanceId, auth.userId);
+                if (!instance || instance.status !== 'running' || !instance.controlEndpoint) {
+                    socket.write('HTTP/1.1 503 Service Unavailable\r\n\r\n');
+                    socket.destroy();
+                    return;
+                }
+                if (!checkRateLimit(auth.userId)) {
+                    socket.write('HTTP/1.1 429 Too Many Requests\r\n\r\n');
+                    socket.destroy();
+                    return;
+                }
+                const upstream = new URL(instance.controlEndpoint);
+                const wsProto = upstream.protocol === 'https:' ? 'wss:' : 'ws:';
+                const targetUrl = `${wsProto}//${upstream.host}${pathSuffix}${queryString}`;
+                // Build upgrade headers — inject Gateway auth
+                const upgradeHeaders = {
+                    'Authorization': `Bearer ${instance.authToken}`,
+                };
+                // Forward selected request headers
+                for (const [key, value] of Object.entries(req.headers)) {
+                    const lower = key.toLowerCase();
+                    if (['host', 'cookie', 'connection', 'upgrade', 'sec-websocket-key', 'sec-websocket-version'].includes(lower))
+                        continue;
+                    if (typeof value === 'string')
+                        upgradeHeaders[key] = value;
+                }
+                const upstreamWs = new WebSocket(targetUrl, {
+                    headers: upgradeHeaders,
+                });
+                upstreamWs.on('open', () => {
+                    // Now perform handshake with the browser socket
+                    const wss = new WebSocketServer({ noServer: true });
+                    wss.handleUpgrade(req, socket, head, (browserWs) => {
+                        // Bidirectional pipe
+                        browserWs.on('message', (data, isBinary) => {
+                            if (upstreamWs.readyState !== WebSocket.OPEN)
+                                return;
+                            // Intercept the Gateway Control UI 'connect' request and inject
+                            // auth token so the Gateway authenticates via token instead of
+                            // device pairing (which would require a paired device identity).
+                            if (!isBinary) {
+                                try {
+                                    const text = typeof data === 'string' ? data : Buffer.isBuffer(data) ? data.toString('utf8') : Buffer.from(data).toString('utf8');
+                                    const msg = JSON.parse(text);
+                                    if (typeof msg === 'object' && msg !== null &&
+                                        'type' in msg && msg.type === 'req' &&
+                                        'method' in msg && msg.method === 'connect' &&
+                                        'params' in msg && typeof msg.params === 'object') {
+                                        const params = msg.params;
+                                        // Replace device-based auth with token-based auth
+                                        delete params.device;
+                                        params.auth = { token: instance.authToken };
+                                        const patched = JSON.stringify(msg);
+                                        upstreamWs.send(patched);
+                                        return;
+                                    }
+                                }
+                                catch {
+                                    // Not valid JSON — forward as-is
+                                }
+                            }
+                            upstreamWs.send(data, { binary: isBinary });
+                        });
+                        browserWs.on('close', (code, reason) => {
+                            const safeCode = code >= 1000 && code <= 4999 ? code : 1000;
+                            if (upstreamWs.readyState === WebSocket.OPEN || upstreamWs.readyState === WebSocket.CONNECTING) {
+                                upstreamWs.close(safeCode, reason);
+                            }
+                        });
+                        browserWs.on('error', () => upstreamWs.close());
+                        upstreamWs.on('message', (data, isBinary) => {
+                            if (browserWs.readyState === WebSocket.OPEN) {
+                                browserWs.send(data, { binary: isBinary });
+                            }
+                        });
+                        upstreamWs.on('close', (code, reason) => {
+                            const safeCode = code >= 1000 && code <= 4999 ? code : 1000;
+                            if (browserWs.readyState === WebSocket.OPEN || browserWs.readyState === WebSocket.CONNECTING) {
+                                browserWs.close(safeCode, reason);
+                            }
+                        });
+                        upstreamWs.on('error', () => browserWs.close());
+                    });
+                });
+                upstreamWs.on('error', (err) => {
+                    socket.write('HTTP/1.1 502 Bad Gateway\r\n\r\n');
+                    socket.destroy();
+                });
+            }
+            catch {
+                socket.write('HTTP/1.1 500 Internal Server Error\r\n\r\n');
+                socket.destroy();
+            }
+        })();
+    });
+}
+//# sourceMappingURL=instance-proxy.js.map