@brewnet/cli 0.0.1

package/dist/chunk-SIXBB6JU.js

@@ -0,0 +1,2973 @@
+#!/usr/bin/env node
+import {
+  DomainManager,
+  addApp,
+  addService,
+  appendDeployHistory,
+  createBackup,
+  getLogStats,
+  listBackups,
+  queryLogs,
+  readApps,
+  readDeployHistory,
+  removeApp,
+  removeService,
+  updateApp
+} from "./chunk-2VWMDHGI.js";
+import {
+  verifyToken
+} from "./chunk-JFPHGZ6Z.js";
+import {
+  SERVICE_REGISTRY,
+  getServiceDefinition
+} from "./chunk-4TJMJZMO.js";
+import {
+  getLastProject,
+  loadState,
+  logger
+} from "./chunk-ZKMWE5AH.js";
+import {
+  getStackById
+} from "./chunk-SYV6PK3R.js";
+
+// src/services/admin-server.ts
+import { createServer } from "http";
+import { createConnection } from "net";
+import { join as join2, resolve, extname } from "path";
+import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, statSync, createReadStream } from "fs";
+import { fileURLToPath } from "url";
+import { homedir as homedir2 } from "os";
+import Dockerode from "dockerode";
+
+// src/services/app-manager.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2, readdirSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+import { randomBytes } from "crypto";
+import { execa } from "execa";
+
+// src/services/gitea-client.ts
+import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync, unlinkSync } from "fs";
+import { dirname } from "path";
+import { execSync } from "child_process";
+var GiteaClient = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  // ---------------------------------------------------------------------------
+  // Token management
+  // ---------------------------------------------------------------------------
+  /**
+   * Create a Gitea API token via Basic Auth.
+   * If the admin account has mustChangePassword=true (403), auto-fixes via docker exec and retries.
+   * Saves the token to tokenPath on success.
+   */
+  async _createToken() {
+    const { tokenPath, baseUrl, username, password } = this.config;
+    const basic = Buffer.from(`${username}:${password}`).toString("base64");
+    const makeRequest = () => fetch(`${baseUrl}/api/v1/users/${username}/tokens`, {
+      method: "POST",
+      headers: { Authorization: `Basic ${basic}`, "Content-Type": "application/json" },
+      body: JSON.stringify({
+        name: `brewnet-${Date.now()}`,
+        scopes: ["write:repository", "read:repository", "write:user", "read:user"]
+      }),
+      signal: AbortSignal.timeout(8e3)
+    });
+    let res = await makeRequest();
+    let wasFixed = false;
+    if (!res.ok) {
+      const body = await res.text();
+      if (res.status === 403 && body.includes("must change")) {
+        try {
+          execSync(
+            `docker exec -u git brewnet-gitea gitea admin user change-password --username ${username} --password ${password} --must-change-password=false`,
+            { stdio: "pipe" }
+          );
+        } catch (e) {
+          const stderr = e.stderr?.toString().trim() ?? String(e);
+          throw new Error(
+            `Gitea admin requires password change \u2014 auto-fix failed:
+  ${stderr}
+  Manual fix: docker exec -u git brewnet-gitea gitea admin user change-password --username ${username} --password <password> --must-change-password=false`
+          );
+        }
+        wasFixed = true;
+        res = await makeRequest();
+        if (!res.ok) {
+          throw new Error(
+            `Gitea token creation failed after auto-fix: ${res.status} ${await res.text()}`
+          );
+        }
+      } else {
+        throw new Error(`Gitea token creation failed: ${res.status} ${body}`);
+      }
+    }
+    const data = await res.json();
+    mkdirSync(dirname(tokenPath), { recursive: true });
+    writeFileSync(tokenPath, data.sha1, "utf-8");
+    chmodSync(tokenPath, 384);
+    return { wasFixed };
+  }
+  /**
+   * Explicit setup step — call once before any API operations.
+   * Validates any cached token; deletes and re-creates if stale (401).
+   * Returns what happened so the caller can surface it in job step logs.
+   */
+  async prepare() {
+    const { tokenPath, baseUrl } = this.config;
+    if (existsSync(tokenPath)) {
+      const token = readFileSync(tokenPath, "utf-8").trim();
+      try {
+        const check = await fetch(`${baseUrl}/api/v1/user`, {
+          headers: { Authorization: `token ${token}` },
+          signal: AbortSignal.timeout(8e3)
+        });
+        if (check.status !== 401) {
+          return { autoFixed: false, message: "token cached" };
+        }
+        unlinkSync(tokenPath);
+      } catch {
+        return { autoFixed: false, message: "token cached (network check skipped)" };
+      }
+    }
+    const { wasFixed } = await this._createToken();
+    return {
+      autoFixed: wasFixed,
+      message: wasFixed ? "mustChangePassword was set \u2014 auto-fixed via docker exec; token created" : "token created"
+    };
+  }
+  async ensureToken() {
+    const { tokenPath } = this.config;
+    if (existsSync(tokenPath)) {
+      return readFileSync(tokenPath, "utf-8").trim();
+    }
+    await this._createToken();
+    return readFileSync(tokenPath, "utf-8").trim();
+  }
+  async authHeaders() {
+    return {
+      Authorization: `token ${await this.ensureToken()}`,
+      "Content-Type": "application/json"
+    };
+  }
+  // ---------------------------------------------------------------------------
+  // Repository operations
+  // ---------------------------------------------------------------------------
+  async repoExists(name) {
+    const { baseUrl, username } = this.config;
+    const res = await fetch(
+      `${baseUrl}/api/v1/repos/${username}/${name}`,
+      { headers: await this.authHeaders() }
+    );
+    return res.status === 200;
+  }
+  /** Returns true if the repo exists but has no commits (empty: true from Gitea API). */
+  async repoIsEmpty(name) {
+    const { baseUrl, username } = this.config;
+    const res = await fetch(
+      `${baseUrl}/api/v1/repos/${username}/${name}`,
+      { headers: await this.authHeaders() }
+    );
+    if (res.status !== 200) return false;
+    const data = await res.json();
+    return data.empty === true;
+  }
+  /** Creates a private repo and returns the clone URL. */
+  async createRepo(name, description = "") {
+    const { baseUrl } = this.config;
+    const res = await fetch(`${baseUrl}/api/v1/user/repos`, {
+      method: "POST",
+      headers: await this.authHeaders(),
+      body: JSON.stringify({ name, description, private: false, auto_init: false })
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      if (res.status === 409) {
+        const existing = await fetch(`${baseUrl}/api/v1/repos/${this.config.username}/${name}`, {
+          headers: await this.authHeaders()
+        });
+        if (existing.ok) {
+          const data2 = await existing.json();
+          return data2.clone_url;
+        }
+      }
+      if (res.status === 500 && body.includes("files already exist")) {
+        await this.deleteRepo(name).catch(() => {
+        });
+        const retry = await fetch(`${baseUrl}/api/v1/user/repos`, {
+          method: "POST",
+          headers: await this.authHeaders(),
+          body: JSON.stringify({ name, description, private: false, auto_init: false })
+        });
+        if (!retry.ok) {
+          throw new Error(`Gitea createRepo retry failed: ${retry.status} ${await retry.text()}`);
+        }
+        const retryData = await retry.json();
+        return retryData.clone_url;
+      }
+      throw new Error(`Gitea createRepo failed: ${res.status} ${body}`);
+    }
+    const data = await res.json();
+    return data.clone_url;
+  }
+  /** Patch a repo from private to public visibility. No-op if already public. */
+  async makeRepoPublic(name) {
+    const { baseUrl, username } = this.config;
+    const res = await fetch(`${baseUrl}/api/v1/repos/${username}/${name}`, {
+      method: "PATCH",
+      headers: await this.authHeaders(),
+      body: JSON.stringify({ private: false })
+    });
+    if (!res.ok) throw new Error(`Gitea makeRepoPublic failed: ${res.status} ${await res.text()}`);
+  }
+  async deleteRepo(name) {
+    const { baseUrl, username } = this.config;
+    await fetch(`${baseUrl}/api/v1/repos/${username}/${name}`, {
+      method: "DELETE",
+      headers: await this.authHeaders()
+    });
+  }
+  /** Returns all repos accessible to the authenticated user. */
+  async listRepos() {
+    const { baseUrl } = this.config;
+    const res = await fetch(`${baseUrl}/api/v1/user/repos`, {
+      headers: await this.authHeaders(),
+      signal: AbortSignal.timeout(8e3)
+    });
+    if (!res.ok) {
+      throw new Error(`Gitea listRepos failed: ${res.status} ${await res.text()}`);
+    }
+    return await res.json();
+  }
+  /** Fetch a single repo's detail (includes default_branch, ssh_url). */
+  async getRepo(name) {
+    const { baseUrl, username } = this.config;
+    const res = await fetch(`${baseUrl}/api/v1/repos/${username}/${name}`, {
+      headers: await this.authHeaders()
+    });
+    if (!res.ok) throw new Error(`Gitea getRepo failed: ${res.status} ${await res.text()}`);
+    return res.json();
+  }
+  /** Get the latest commit on a branch. Returns null for empty repos. */
+  async getLatestCommit(repoName, branch) {
+    const { baseUrl, username } = this.config;
+    const res = await fetch(
+      `${baseUrl}/api/v1/repos/${username}/${repoName}/commits?sha=${encodeURIComponent(branch)}&limit=1`,
+      { headers: await this.authHeaders() }
+    );
+    if (!res.ok) return null;
+    const commits = await res.json();
+    if (!commits.length) return null;
+    const c = commits[0];
+    return {
+      hash: c.sha,
+      shortHash: c.sha.slice(0, 7),
+      message: c.commit.message.split("\n")[0],
+      date: c.commit.committer.date
+    };
+  }
+  /** Register a push webhook on the repo. */
+  async createWebhook(repoName, webhookUrl, secret) {
+    const { baseUrl, username } = this.config;
+    const res = await fetch(`${baseUrl}/api/v1/repos/${username}/${repoName}/hooks`, {
+      method: "POST",
+      headers: await this.authHeaders(),
+      body: JSON.stringify({
+        type: "gitea",
+        config: { url: webhookUrl, content_type: "json", secret },
+        events: ["push"],
+        active: true
+      })
+    });
+    if (!res.ok) throw new Error(`Gitea createWebhook failed: ${res.status} ${await res.text()}`);
+  }
+  /** Returns branch names for a repo. Falls back to empty array on error. */
+  async listBranches(repoName) {
+    const { baseUrl, username } = this.config;
+    const res = await fetch(
+      `${baseUrl}/api/v1/repos/${username}/${repoName}/branches?limit=50`,
+      { headers: await this.authHeaders(), signal: AbortSignal.timeout(8e3) }
+    );
+    if (!res.ok) return [];
+    const data = await res.json();
+    return data.map((b) => b.name);
+  }
+  /** URL suitable for git remote add — includes credentials in URL (stored in .git/config which is chmod 600). */
+  authedCloneUrl(cloneUrl) {
+    const { username, password } = this.config;
+    const encUser = encodeURIComponent(username);
+    const encPass = encodeURIComponent(password);
+    return cloneUrl.replace("http://", `http://${encUser}:${encPass}@`);
+  }
+};
+
+// src/services/app-manager.ts
+var BREWNET_DIR = join(homedir(), ".brewnet");
+var GITEA_TOKEN_PATH = join(BREWNET_DIR, "gitea-token");
+var DEPLOY_HISTORY_PATH = join(BREWNET_DIR, "deploy-history.json");
+var jobs = /* @__PURE__ */ new Map();
+function resolveAppsJsonPath() {
+  return join(BREWNET_DIR, "apps.json");
+}
+function readDotEnvValue(envPath, key) {
+  if (!existsSync2(envPath)) return "";
+  const lines = readFileSync2(envPath, "utf-8").split("\n");
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith(`${key}=`)) {
+      return trimmed.slice(key.length + 1).trim();
+    }
+  }
+  return "";
+}
+var _boilerplateRegistered = false;
+async function listApps() {
+  const appsJson = resolveAppsJsonPath();
+  const apps = readApps(appsJson);
+  if (_boilerplateRegistered) return apps;
+  _boilerplateRegistered = true;
+  try {
+    const ctx = resolveContext();
+    const bpPath = join(ctx.projectPath, ".brewnet-boilerplate.json");
+    if (existsSync2(bpPath)) {
+      const raw = JSON.parse(readFileSync2(bpPath, "utf-8"));
+      const bpMetas = Array.isArray(raw) ? raw : [raw];
+      let changed = false;
+      for (const bp of bpMetas) {
+        if (!bp.stackId || !bp.appDir) continue;
+        const exists = apps.some((a) => a.appDir === bp.appDir || a.stackId === bp.stackId);
+        if (!exists) {
+          const port = bp.backendUrl ? parseInt(new URL(bp.backendUrl).port || "8080", 10) : 8080;
+          const entry = {
+            name: bp.stackId,
+            mode: "boilerplate",
+            stackId: bp.stackId,
+            appDir: bp.appDir,
+            lang: bp.lang,
+            framework: bp.frameworkId,
+            port,
+            status: bp.status || "running",
+            createdAt: (/* @__PURE__ */ new Date()).toISOString()
+          };
+          apps.push(entry);
+          changed = true;
+        }
+      }
+      if (changed) {
+        writeFileSync2(appsJson, JSON.stringify(apps, null, 2), "utf-8");
+      }
+    }
+  } catch {
+  }
+  return apps;
+}
+function getDeployHistory(appName) {
+  const entries = readDeployHistory(DEPLOY_HISTORY_PATH);
+  if (!appName) return entries;
+  return entries.filter((e) => e.appName === appName);
+}
+async function listGiteaRepos() {
+  const ctx = resolveContext();
+  const gitea = new GiteaClient({
+    baseUrl: ctx.giteaBaseUrl,
+    username: ctx.giteaUser,
+    password: ctx.giteaPassword,
+    tokenPath: GITEA_TOKEN_PATH
+  });
+  await gitea.prepare();
+  return gitea.listRepos();
+}
+function getDeploySettings(appName) {
+  const apps = readApps(resolveAppsJsonPath());
+  const app = apps.find((a) => a.name === appName);
+  const settings = app?.deploySettings;
+  return settings ?? { autoDeploy: false, deployBranch: "main" };
+}
+function updateDeploySettings(appName, settings) {
+  const appsJson = resolveAppsJsonPath();
+  const apps = readApps(appsJson);
+  const app = apps.find((a) => a.name === appName);
+  if (!app) throw new Error(`App "${appName}" not found`);
+  const existing = app.deploySettings ?? { autoDeploy: false, deployBranch: "main" };
+  app.deploySettings = { ...existing, ...settings };
+  updateApp(appsJson, appName, app);
+}
+async function getAppGitInfo(appName) {
+  const ctx = resolveContext();
+  const apps = readApps(resolveAppsJsonPath());
+  const app = apps.find((a) => a.name === appName);
+  if (!app) throw new Error(`App "${appName}" not found`);
+  const gitea = new GiteaClient({
+    baseUrl: ctx.giteaBaseUrl,
+    username: ctx.giteaUser,
+    password: ctx.giteaPassword,
+    tokenPath: GITEA_TOKEN_PATH
+  });
+  let branch = "main";
+  let latestCommit = null;
+  let cloneUrlSsh = `ssh://git@localhost:2222/${ctx.giteaUser}/${appName}.git`;
+  try {
+    const repo = await gitea.getRepo(appName);
+    branch = repo.default_branch || "main";
+    cloneUrlSsh = repo.ssh_url || cloneUrlSsh;
+    if (repo.private) {
+      await gitea.makeRepoPublic(appName).catch((e) => {
+        console.warn(`[app-manager] makeRepoPublic failed for ${appName}: ${e instanceof Error ? e.message : String(e)}`);
+      });
+    }
+    latestCommit = await gitea.getLatestCommit(appName, branch);
+  } catch (e) {
+    console.warn(`[app-manager] getAppGitInfo Gitea call failed (${appName}): ${e instanceof Error ? e.message : String(e)}`);
+  }
+  return {
+    giteaUrl: `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${appName}`,
+    cloneUrlHttp: `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${appName}.git`,
+    cloneUrlSsh,
+    localPath: app.appDir,
+    branch,
+    latestCommit
+  };
+}
+async function rollbackApp(appName, commitHash) {
+  const job = newJob(appName, ["Checkout", "Build & Start", "Health check"]);
+  jobs.set(job.jobId, job);
+  setImmediate(() => void _runRollback(job, appName, commitHash));
+  return job.jobId;
+}
+async function _runRollback(job, appName, commitHash) {
+  try {
+    const apps = readApps(resolveAppsJsonPath());
+    const app = apps.find((a) => a.name === appName);
+    if (!app) throw new Error(`App "${appName}" not found`);
+    const target = commitHash || "HEAD~1";
+    setStep(job, 0, "running", `git checkout ${target.slice(0, 7)}`);
+    await execa("git", ["checkout", target], { cwd: app.appDir });
+    setStep(job, 0, "done");
+    await _injectQuickTunnelIfNeeded(app.appDir, appName, app.port);
+    setStep(job, 1, "running", "docker compose up --build");
+    await _dockerComposeUp(app.appDir, job);
+    setStep(job, 1, "done", "containers started");
+    setStep(job, 2, "running");
+    const healthUrl = _buildHealthUrl(app.appDir, app.port);
+    setStep(job, 2, "running", `polling ${healthUrl}`);
+    await _pollHealth(healthUrl, 12e4, job);
+    setStep(job, 2, "done");
+    updateApp(resolveAppsJsonPath(), appName, { status: "running" });
+    appendDeployHistory(DEPLOY_HISTORY_PATH, {
+      appName,
+      commitHash,
+      commitMessage: `Rollback to ${commitHash.slice(0, 7)}`,
+      status: "success",
+      deployedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    job.status = "done";
+  } catch (err) {
+    job.status = "failed";
+    job.error = err instanceof Error ? err.message : String(err);
+    for (const step of job.steps) {
+      if (step.status === "running" || step.status === "pending") step.status = "failed";
+    }
+    appendDeployHistory(DEPLOY_HISTORY_PATH, {
+      appName,
+      commitHash,
+      commitMessage: `Rollback to ${commitHash.slice(0, 7)}`,
+      status: "failed",
+      deployedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+}
+async function getAppBranches(appName) {
+  const ctx = resolveContext();
+  const gitea = new GiteaClient({
+    baseUrl: ctx.giteaBaseUrl,
+    username: ctx.giteaUser,
+    password: ctx.giteaPassword,
+    tokenPath: GITEA_TOKEN_PATH
+  });
+  return gitea.listBranches(appName);
+}
+async function setupWebhook(appName, webhookUrl) {
+  const ctx = resolveContext();
+  const settings = getDeploySettings(appName);
+  const secret = settings.webhookSecret ?? randomBytes(16).toString("hex");
+  const gitea = new GiteaClient({
+    baseUrl: ctx.giteaBaseUrl,
+    username: ctx.giteaUser,
+    password: ctx.giteaPassword,
+    tokenPath: GITEA_TOKEN_PATH
+  });
+  await gitea.createWebhook(appName, webhookUrl, secret);
+  updateDeploySettings(appName, { webhookSecret: secret });
+}
+async function deployApp(appName) {
+  const job = newJob(appName, ["Pull", "Build & Start", "Health check"]);
+  jobs.set(job.jobId, job);
+  setImmediate(() => void _runDeploy(job, appName));
+  return job.jobId;
+}
+async function _runDeploy(job, appName) {
+  const apps = readApps(resolveAppsJsonPath());
+  const app = apps.find((a) => a.name === appName);
+  if (!app) {
+    job.status = "failed";
+    job.error = `App "${appName}" not found`;
+    return;
+  }
+  try {
+    const settings = getDeploySettings(appName);
+    setStep(job, 0, "running");
+    try {
+      const ctx = resolveContext();
+      const gitea = new GiteaClient({
+        baseUrl: ctx.giteaBaseUrl,
+        username: ctx.giteaUser,
+        password: ctx.giteaPassword,
+        tokenPath: GITEA_TOKEN_PATH
+      });
+      await gitea.prepare();
+      const repoExists = await gitea.repoExists(appName);
+      if (!repoExists) {
+        appendLog(job, "[pull] Gitea repo not found \u2014 recreating and pushing local code");
+        const cloneUrl = await gitea.createRepo(appName, `Brewnet app: ${appName}`);
+        const authedUrl = gitea.authedCloneUrl(cloneUrl);
+        await execa("git", ["remote", "add", "brewnet", authedUrl], { cwd: app.appDir }).catch(
+          () => execa("git", ["remote", "set-url", "brewnet", authedUrl], { cwd: app.appDir })
+        );
+        await execa("git", ["push", "brewnet", "HEAD:main", "--force"], { cwd: app.appDir });
+        appendLog(job, "[pull] Gitea repo recreated and code pushed \u2713");
+      } else if (!existsSync2(app.appDir)) {
+        appendLog(job, "[pull] appDir missing \u2014 cloning from Gitea");
+        const authedUrl = gitea.authedCloneUrl(`${ctx.giteaBaseUrl}/${ctx.giteaUser}/${appName}.git`);
+        await execa("git", ["clone", authedUrl, app.appDir]);
+        appendLog(job, "[pull] re-cloned from Gitea \u2713");
+      } else if (await gitea.repoIsEmpty(appName)) {
+        appendLog(job, "[pull] Gitea repo is empty \u2014 pushing local code");
+        const isShallow = await execa("git", ["rev-parse", "--is-shallow-repository"], { cwd: app.appDir }).then((r) => r.stdout.trim() === "true").catch(() => false);
+        if (isShallow) {
+          appendLog(job, "[pull] shallow clone detected \u2014 unshallowing");
+          await execa("git", ["fetch", "--unshallow", "origin"], { cwd: app.appDir }).catch(async () => {
+            const { reinitGit } = await import("./boilerplate-manager-P6QYUU7Q.js");
+            await reinitGit(app.appDir);
+          });
+        }
+        const authedUrl = gitea.authedCloneUrl(`${ctx.giteaBaseUrl}/${ctx.giteaUser}/${appName}.git`);
+        await execa("git", ["remote", "add", "brewnet", authedUrl], { cwd: app.appDir }).catch(
+          () => execa("git", ["remote", "set-url", "brewnet", authedUrl], { cwd: app.appDir })
+        );
+        await execa("git", ["push", "brewnet", "HEAD:main", "--force"], { cwd: app.appDir });
+        appendLog(job, "[pull] code pushed to Gitea \u2713");
+      } else {
+        await execa("git", ["pull", "brewnet", settings.deployBranch], { cwd: app.appDir }).catch((e) => {
+          appendLog(job, `[pull] git pull failed (non-critical): ${e instanceof Error ? e.message : String(e)}`);
+        });
+      }
+    } catch (e) {
+      appendLog(job, `[pull] Gitea sync failed (non-critical): ${e instanceof Error ? e.message : String(e)}`);
+    }
+    setStep(job, 0, "done");
+    const hasCompose = existsSync2(join(app.appDir, "docker-compose.yml")) || existsSync2(join(app.appDir, "compose.yml"));
+    if (!hasCompose) {
+      const projectType = _detectProjectType(app.appDir);
+      if (projectType) {
+        appendLog(job, `[scaffold] Detected ${projectType} project \u2014 generating Docker config`);
+        _scaffoldDockerConfig(app.appDir, appName, app.port, job, projectType);
+      } else {
+        throw new Error(
+          "This project has no docker-compose.yml or Dockerfile. Add a Dockerfile and docker-compose.yml to deploy, or use a Brewnet boilerplate."
+        );
+      }
+    }
+    await _injectQuickTunnelIfNeeded(app.appDir, appName, app.port);
+    setStep(job, 1, "running", "docker compose up --build");
+    await _dockerComposeUp(app.appDir, job);
+    setStep(job, 1, "done", "containers started");
+    setStep(job, 2, "running");
+    const healthUrlDeploy = _buildHealthUrl(app.appDir, app.port);
+    setStep(job, 2, "running", `polling ${healthUrlDeploy}`);
+    await _pollHealth(healthUrlDeploy, 12e4, job);
+    setStep(job, 2, "done");
+    updateApp(resolveAppsJsonPath(), appName, { status: "running" });
+    const headHash = await execa("git", ["rev-parse", "HEAD"], { cwd: app.appDir }).then((r) => r.stdout.trim()).catch(() => "");
+    const headMsg = await execa("git", ["log", "-1", "--format=%s"], { cwd: app.appDir }).then((r) => r.stdout.trim()).catch(() => "Manual deploy");
+    appendDeployHistory(DEPLOY_HISTORY_PATH, {
+      appName,
+      commitHash: headHash,
+      commitMessage: headMsg,
+      status: "success",
+      deployedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    job.status = "done";
+  } catch (err) {
+    job.status = "failed";
+    job.error = err instanceof Error ? err.message : String(err);
+    for (const step of job.steps) {
+      if (step.status === "running" || step.status === "pending") step.status = "failed";
+    }
+    const headHashFail = await execa("git", ["rev-parse", "HEAD"], { cwd: app.appDir }).then((r) => r.stdout.trim()).catch(() => "");
+    appendDeployHistory(DEPLOY_HISTORY_PATH, {
+      appName,
+      commitHash: headHashFail,
+      commitMessage: "Manual deploy",
+      status: "failed",
+      deployedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+}
+function getAppDir(appName) {
+  const apps = readApps(resolveAppsJsonPath());
+  return apps.find((a) => a.name === appName)?.appDir;
+}
+function getJobStatus(jobId) {
+  return jobs.get(jobId);
+}
+function newJob(appName, stepLabels) {
+  return {
+    jobId: randomBytes(8).toString("hex"),
+    appName,
+    status: "running",
+    steps: stepLabels.map((label) => ({ label, status: "pending" }))
+  };
+}
+function setStep(job, index, status, message) {
+  const step = job.steps[index];
+  if (step) {
+    step.status = status;
+    if (message) step.message = message;
+  }
+}
+function appendLog(job, line) {
+  if (!job.logs) job.logs = [];
+  job.logs.push(line);
+  if (job.logs.length > 200) job.logs.splice(0, job.logs.length - 200);
+}
+function readBoilerplateMeta(projectPath) {
+  const p = join(projectPath, ".brewnet-boilerplate.json");
+  if (!existsSync2(p)) return [];
+  try {
+    const raw = JSON.parse(readFileSync2(p, "utf-8"));
+    return Array.isArray(raw) ? raw : [raw];
+  } catch {
+    return [];
+  }
+}
+function resolveContext() {
+  const last = getLastProject();
+  const state = loadState(last ?? "");
+  const raw = state?.projectPath ?? process.cwd();
+  const projectPath = raw.startsWith("~") ? join(homedir(), raw.slice(1)) : raw;
+  const envPath = join(projectPath, ".env");
+  const giteaUser = readDotEnvValue(envPath, "GITEA_ADMIN_USER") || state?.admin?.username || "admin";
+  const secretsPath = join(projectPath, "secrets", "admin_password");
+  const secretsPassword = existsSync2(secretsPath) ? readFileSync2(secretsPath, "utf-8").trim() : "";
+  const giteaPassword = secretsPassword || readDotEnvValue(envPath, "GITEA_ADMIN_PASSWORD") || state?.admin?.password || "";
+  const tunnelMode = state?.domain?.cloudflare?.tunnelMode ?? "";
+  const gitPort = state?.servers?.gitServer?.port ?? 3e3;
+  const giteaBaseUrl = tunnelMode === "quick" ? "http://localhost/git" : `http://localhost:${gitPort}`;
+  return { projectPath, giteaBaseUrl, giteaUser, giteaPassword };
+}
+async function _injectQuickTunnelIfNeeded(appDir, appName, port) {
+  try {
+    const last = getLastProject();
+    const state = loadState(last ?? "");
+    if (state?.domain?.cloudflare?.tunnelMode !== "quick") return;
+    const { injectTraefikForQuickTunnel } = await import("./boilerplate-manager-P6QYUU7Q.js");
+    injectTraefikForQuickTunnel(appDir, appName, port);
+  } catch (err) {
+    console.error(`[Quick Tunnel] Failed to inject Traefik labels for ${appName}: ${err instanceof Error ? err.message : String(err)}`);
+  }
+}
+function _detectProjectType(dir) {
+  try {
+    if (existsSync2(join(dir, "next.config.ts")) || existsSync2(join(dir, "next.config.mjs")) || existsSync2(join(dir, "next.config.js"))) return "nextjs";
+    if (existsSync2(join(dir, "package.json"))) return "nodejs";
+    if (existsSync2(join(dir, "requirements.txt")) || existsSync2(join(dir, "pyproject.toml"))) return "python";
+    if (existsSync2(join(dir, "go.mod"))) return "go";
+    if (existsSync2(join(dir, "Cargo.toml"))) return "rust";
+    if (existsSync2(join(dir, "pom.xml")) || existsSync2(join(dir, "build.gradle")) || existsSync2(join(dir, "build.gradle.kts"))) return "java";
+    if (existsSync2(join(dir, "index.html"))) return "static";
+    if (readdirSync(dir).some((f) => f.endsWith(".html"))) return "static";
+  } catch {
+  }
+  return null;
+}
+function _scaffoldDockerConfig(dir, _appName, port, job, detectedType) {
+  const type = detectedType || _detectProjectType(dir);
+  if (!type) throw new Error(`Cannot auto-detect project type in ${dir}. Add a Dockerfile and docker-compose.yml manually.`);
+  if (job && !detectedType) appendLog(job, `[scaffold] Detected ${type} project \u2014 generating Docker config`);
+  let dockerfile = "";
+  switch (type) {
+    case "nextjs":
+      dockerfile = [
+        "FROM node:22-alpine",
+        "WORKDIR /app",
+        "COPY package.json package-lock.json* pnpm-lock.yaml* yarn.lock* ./",
+        "RUN npm install --legacy-peer-deps 2>/dev/null || yarn install 2>/dev/null || true",
+        "COPY . .",
+        "RUN npm run build",
+        "ENV PORT=3000 HOSTNAME=0.0.0.0",
+        "EXPOSE 3000",
+        'CMD ["npm", "start"]'
+      ].join("\n");
+      break;
+    case "nodejs":
+      dockerfile = [
+        "FROM node:22-alpine",
+        "WORKDIR /app",
+        "COPY package.json package-lock.json* pnpm-lock.yaml* yarn.lock* ./",
+        "RUN npm install --legacy-peer-deps || true",
+        "COPY . .",
+        "RUN npm run build 2>/dev/null || true",
+        "EXPOSE " + port,
+        'CMD ["npm", "start"]'
+      ].join("\n");
+      break;
+    case "python":
+      dockerfile = [
+        "FROM python:3.13-slim",
+        "WORKDIR /app",
+        "COPY requirements.txt* pyproject.toml* ./",
+        "RUN pip install --no-cache-dir -r requirements.txt 2>/dev/null || pip install --no-cache-dir . 2>/dev/null || true",
+        "COPY . .",
+        "EXPOSE " + port,
+        'CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "' + port + '"]'
+      ].join("\n");
+      break;
+    case "go":
+      dockerfile = [
+        "FROM golang:1.22-alpine AS builder",
+        "WORKDIR /app",
+        "COPY go.mod go.sum* ./",
+        "RUN go mod download",
+        "COPY . .",
+        "RUN CGO_ENABLED=0 go build -o server .",
+        "",
+        "FROM alpine",
+        "WORKDIR /app",
+        "COPY --from=builder /app/server .",
+        "EXPOSE " + port,
+        'CMD ["./server"]'
+      ].join("\n");
+      break;
+    case "rust":
+      dockerfile = [
+        "FROM rust:1.88 AS builder",
+        "WORKDIR /app",
+        "COPY . .",
+        "RUN cargo build --release",
+        "",
+        "FROM debian:bookworm-slim",
+        "WORKDIR /app",
+        "COPY --from=builder /app/target/release/* /app/ 2>/dev/null || true",
+        "EXPOSE " + port,
+        'CMD ["./app"]'
+      ].join("\n");
+      break;
+    case "java":
+      dockerfile = [
+        "FROM gradle:8.12-jdk21 AS builder",
+        "WORKDIR /app",
+        "COPY . .",
+        "RUN gradle build -x test 2>/dev/null || ./gradlew build -x test 2>/dev/null || mvn package -DskipTests 2>/dev/null || true",
+        "",
+        "FROM eclipse-temurin:21-jre-alpine",
+        "WORKDIR /app",
+        "COPY --from=builder /app/build/libs/*.jar app.jar 2>/dev/null || true",
+        "COPY --from=builder /app/target/*.jar app.jar 2>/dev/null || true",
+        "EXPOSE " + port,
+        'CMD ["java", "-jar", "app.jar"]'
+      ].join("\n");
+      break;
+    case "static":
+      dockerfile = [
+        "FROM nginx:1.27-alpine",
+        "COPY . /usr/share/nginx/html/",
+        "EXPOSE 80"
+      ].join("\n");
+      break;
+  }
+  const internalPort = type === "nextjs" ? 3e3 : type === "static" ? 80 : port;
+  const compose = [
+    "services:",
+    "  backend:",
+    "    build: .",
+    "    ports:",
+    `      - "${port}:${internalPort}"`,
+    "    restart: unless-stopped",
+    "    healthcheck:",
+    `      test: ["CMD", "wget", "-q", "-O", "/dev/null", "http://127.0.0.1:${internalPort}/"]`,
+    "      interval: 10s",
+    "      timeout: 5s",
+    "      retries: 5"
+  ].join("\n");
+  if (!existsSync2(join(dir, "Dockerfile"))) {
+    writeFileSync2(join(dir, "Dockerfile"), dockerfile, "utf-8");
+    if (job) appendLog(job, "[scaffold] Generated Dockerfile");
+  }
+  writeFileSync2(join(dir, "docker-compose.yml"), compose, "utf-8");
+  if (job) appendLog(job, "[scaffold] Generated docker-compose.yml");
+  if (!existsSync2(join(dir, ".dockerignore"))) {
+    writeFileSync2(join(dir, ".dockerignore"), "node_modules\n.next\n.git\n*.md\n", "utf-8");
+  }
+}
+function ensureComposeFile(dir, appName, port, job) {
+  if (existsSync2(join(dir, "docker-compose.yml")) || existsSync2(join(dir, "compose.yml"))) return;
+  _scaffoldDockerConfig(dir, appName, port, job);
+}
+function _resolveBackendPort(appDir, fallbackPort) {
+  const envPath = join(appDir, ".env");
+  const val = readDotEnvValue(envPath, "BACKEND_PORT");
+  const parsed = val ? parseInt(val, 10) : NaN;
+  return isNaN(parsed) ? fallbackPort : parsed;
+}
+function detectBasePath(appDir) {
+  for (const name of ["next.config.ts", "next.config.mjs", "next.config.js"]) {
+    const p = join(appDir, name);
+    if (existsSync2(p)) {
+      const content = readFileSync2(p, "utf-8");
+      const match = content.match(/basePath\s*:\s*['"`]([^'"`]+)['"`]/);
+      if (match) return match[1];
+    }
+  }
+  return "";
+}
+function _buildHealthUrl(appDir, fallbackPort) {
+  const healthPort = _resolveBackendPort(appDir, fallbackPort);
+  const basePath = detectBasePath(appDir);
+  const isBoilerplate = existsSync2(join(appDir, ".env.example")) && readFileSync2(join(appDir, ".env.example"), "utf-8").includes("STACK_LANG");
+  const hasHealthRoute = existsSync2(join(appDir, "src", "app", "health")) || existsSync2(join(appDir, "backend", "src"));
+  const healthPath = isBoilerplate || hasHealthRoute ? "/health" : "/";
+  return `http://127.0.0.1:${healthPort}${basePath}${healthPath}`;
+}
+async function _pollHealth(url, maxMs = 12e4, job) {
+  const deadline = Date.now() + maxMs;
+  let attempt = 0;
+  while (Date.now() < deadline) {
+    attempt++;
+    try {
+      const res = await fetch(url, { signal: AbortSignal.timeout(5e3) });
+      if (res.ok) {
+        if (job) appendLog(job, `[health] \u2713 ${url} \u2192 ${res.status} (attempt ${attempt})`);
+        return;
+      }
+      if (job) appendLog(job, `[health] ${url} \u2192 ${res.status} (attempt ${attempt})`);
+    } catch {
+      if (job && attempt % 3 === 1) appendLog(job, `[health] waiting... ${url} (attempt ${attempt})`);
+    }
+    await new Promise((r) => setTimeout(r, 3e3));
+  }
+  if (job) appendLog(job, `[health] \u2717 timeout after ${maxMs / 1e3}s`);
+  throw new Error(`Health check timed out after ${maxMs / 1e3}s: ${url}`);
+}
+async function _dockerComposeUp(cwd, job) {
+  appendLog(job, `[docker] $ docker compose up -d --build`);
+  appendLog(job, `[docker] cwd: ${cwd}`);
+  const proc = execa("docker", ["compose", "up", "-d", "--build"], { cwd, reject: false });
+  proc.stdout?.on("data", (chunk) => {
+    for (const line of chunk.toString().split("\n").filter(Boolean)) {
+      appendLog(job, `[docker] ${line}`);
+    }
+  });
+  proc.stderr?.on("data", (chunk) => {
+    for (const line of chunk.toString().split("\n").filter(Boolean)) {
+      appendLog(job, `[docker] ${line}`);
+    }
+  });
+  const result = await proc;
+  if (result.exitCode !== 0) {
+    appendLog(job, `[docker] \u2717 exit code ${result.exitCode}`);
+    throw new Error(`Command failed with exit code ${result.exitCode}: docker compose up -d --build
+${result.stderr}`);
+  }
+  appendLog(job, `[docker] \u2713 containers started`);
+}
+async function createApp(opts) {
+  const job = newJob(opts.appName, ["Validating", "Gitea setup", "Gitea repo", "Git push", "Docker up", "Health check"]);
+  jobs.set(job.jobId, job);
+  setImmediate(() => void _runCreateApp(job, opts));
+  return job.jobId;
+}
+async function _runCreateApp(job, opts) {
+  try {
+    const ctx = resolveContext();
+    const appsJson = resolveAppsJsonPath();
+    setStep(job, 0, "running");
+    if (opts.mode === "boilerplate") {
+      if (!opts.stackId) throw new Error("stackId is required for boilerplate mode");
+      const metas = readBoilerplateMeta(ctx.projectPath);
+      const meta = metas.find((m) => m.stackId === opts.stackId);
+      if (meta) {
+        opts._meta = meta;
+      } else {
+        appendLog(job, `[info] Stack "${opts.stackId}" not installed locally \u2014 cloning fresh from catalog`);
+        opts._resolvedStackId = opts.stackId;
+      }
+    } else if (opts.mode === "git-clone") {
+      if (!opts.gitUrl) throw new Error("gitUrl is required for Git Clone mode");
+    } else if (opts.mode === "new-project") {
+      const { resolveStackId } = await import("./frameworks-Z7VXDGP4.js");
+      const stackId = resolveStackId(opts.language ?? "nodejs", opts.frameworkId ?? "express");
+      if (!stackId) throw new Error(`Unknown stack: ${opts.language}/${opts.frameworkId}`);
+      opts._resolvedStackId = stackId;
+    }
+    setStep(job, 0, "done");
+    setStep(job, 1, "running");
+    const gitea = new GiteaClient({
+      baseUrl: ctx.giteaBaseUrl,
+      username: ctx.giteaUser,
+      password: ctx.giteaPassword,
+      tokenPath: GITEA_TOKEN_PATH
+    });
+    const giteaPrep = await gitea.prepare();
+    setStep(job, 1, "done", giteaPrep.message);
+    if (opts.mode === "boilerplate" && opts._meta) {
+      await _createModeA(job, opts, ctx, gitea, appsJson);
+    } else if (opts.mode === "git-clone") {
+      await _createModeB(job, opts, ctx, gitea, appsJson);
+    } else {
+      await _createModeC(job, opts, ctx, gitea, appsJson);
+    }
+    job.status = "done";
+  } catch (err) {
+    job.status = "failed";
+    job.error = err instanceof Error ? err.message : String(err);
+    for (const step of job.steps) {
+      if (step.status === "running" || step.status === "pending") step.status = "failed";
+    }
+  }
+}
+async function _createModeA(job, opts, ctx, gitea, appsJson) {
+  const meta = opts._meta;
+  const port = opts.port ?? meta.port ?? parseInt(meta.backendUrl.split(":").pop() ?? "8080", 10);
+  setStep(job, 2, "running", `checking ${ctx.giteaUser}/${opts.appName}`);
+  const alreadyExists = await gitea.repoExists(opts.appName);
+  let cloneUrl;
+  if (!alreadyExists) {
+    setStep(job, 2, "running", `creating ${ctx.giteaUser}/${opts.appName}`);
+    cloneUrl = await gitea.createRepo(opts.appName, `Brewnet app: ${opts.appName}`);
+  } else {
+    cloneUrl = `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${opts.appName}.git`;
+  }
+  setStep(job, 2, "done");
+  setStep(job, 3, "running", `pushing HEAD:main \u2192 ${ctx.giteaUser}/${opts.appName}`);
+  const shallowCheck = await execa("git", ["rev-parse", "--is-shallow-repository"], { cwd: meta.appDir }).catch(() => ({ stdout: "false" }));
+  if (shallowCheck.stdout.trim() === "true") {
+    await execa("git", ["fetch", "--unshallow", "origin"], { cwd: meta.appDir }).catch(async () => {
+      const { reinitGit } = await import("./boilerplate-manager-P6QYUU7Q.js");
+      await reinitGit(meta.appDir);
+    });
+  }
+  const authedUrl = gitea.authedCloneUrl(cloneUrl);
+  await execa("git", ["remote", "add", "brewnet", authedUrl], { cwd: meta.appDir }).catch(() => {
+    return execa("git", ["remote", "set-url", "brewnet", authedUrl], { cwd: meta.appDir });
+  });
+  await execa("git", ["push", "brewnet", "HEAD:main", "--force"], { cwd: meta.appDir });
+  setStep(job, 3, "done");
+  setStep(job, 4, "running", "docker compose up --build");
+  ensureComposeFile(meta.appDir, opts.appName, port, job);
+  await _injectQuickTunnelIfNeeded(meta.appDir, opts.appName, port);
+  await _dockerComposeUp(meta.appDir, job);
+  setStep(job, 4, "done", "containers started");
+  setStep(job, 5, "running");
+  const healthUrlA = _buildHealthUrl(meta.appDir, port);
+  setStep(job, 5, "running", `polling ${healthUrlA}`);
+  await _pollHealth(healthUrlA, 12e4, job);
+  setStep(job, 5, "done");
+  addApp(appsJson, {
+    name: opts.appName,
+    mode: "boilerplate",
+    stackId: opts.stackId,
+    appDir: meta.appDir,
+    lang: meta.lang,
+    framework: meta.frameworkId,
+    port,
+    giteaRepoUrl: `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${opts.appName}`,
+    status: "running",
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  await setupWebhook(opts.appName, "http://localhost:8088/api/deploy/hook").catch((e) => {
+    console.warn("[webhook] registration failed (non-critical):", e instanceof Error ? e.message : String(e));
+  });
+}
+async function _createModeB(job, opts, ctx, gitea, appsJson) {
+  const port = opts.port ?? 8080;
+  const appDir = join(ctx.projectPath, "apps", opts.appName);
+  setStep(job, 2, "running", "Cloning external repository...");
+  const { reinitGit: reinitGitB } = await import("./boilerplate-manager-P6QYUU7Q.js");
+  const { rmSync } = await import("fs");
+  if (existsSync2(appDir)) {
+    rmSync(appDir, { recursive: true, force: true });
+  }
+  const cloneArgs = ["clone", "--depth", "1"];
+  if (opts.branch) cloneArgs.push("-b", opts.branch);
+  cloneArgs.push(opts.gitUrl, appDir);
+  await execa("git", cloneArgs);
+  const envExPath = join(appDir, ".env.example");
+  const envPath = join(appDir, ".env");
+  if (existsSync2(envExPath)) {
+    const { findFreePort: findFreePortB } = await import("./boilerplate-manager-P6QYUU7Q.js");
+    let envContent = readFileSync2(envExPath, "utf-8");
+    envContent = envContent.replace(/^BACKEND_PORT=.*/m, `BACKEND_PORT=${port}`);
+    const fePort = await findFreePortB(port + 1);
+    envContent = envContent.replace(/^FRONTEND_PORT=.*/m, `FRONTEND_PORT=${fePort}`);
+    writeFileSync2(envPath, envContent, "utf-8");
+  } else if (existsSync2(join(appDir, ".env"))) {
+    let envContent = readFileSync2(join(appDir, ".env"), "utf-8");
+    envContent = envContent.replace(/^BACKEND_PORT=.*/m, `BACKEND_PORT=${port}`);
+    writeFileSync2(join(appDir, ".env"), envContent, "utf-8");
+  }
+  await reinitGitB(appDir);
+  const alreadyExists = await gitea.repoExists(opts.appName);
+  const cloneUrl = alreadyExists ? `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${opts.appName}.git` : await gitea.createRepo(opts.appName, `Brewnet app: ${opts.appName}`);
+  setStep(job, 2, "done");
+  setStep(job, 3, "running");
+  const authedUrl = gitea.authedCloneUrl(cloneUrl);
+  await execa("git", ["remote", "add", "brewnet", authedUrl], { cwd: appDir });
+  await execa("git", ["push", "brewnet", "HEAD:main", "--force"], { cwd: appDir });
+  setStep(job, 3, "done");
+  const hasCompose = existsSync2(join(appDir, "docker-compose.yml")) || existsSync2(join(appDir, "compose.yml"));
+  if (hasCompose) {
+    setStep(job, 4, "running", "docker compose up --build");
+    await _injectQuickTunnelIfNeeded(appDir, opts.appName, port);
+    await _dockerComposeUp(appDir, job);
+    setStep(job, 4, "done", "containers started");
+    setStep(job, 5, "running");
+    const healthUrlB = _buildHealthUrl(appDir, port);
+    setStep(job, 5, "running", `polling ${healthUrlB}`);
+    await _pollHealth(healthUrlB, 12e4, job);
+    setStep(job, 5, "done");
+  } else {
+    setStep(job, 4, "done", "skipped \u2014 no docker-compose.yml");
+    setStep(job, 5, "done", "skipped \u2014 deploy separately");
+    appendLog(job, "[clone] Gitea push completed \u2014 no docker-compose.yml, skipping Docker up");
+  }
+  addApp(appsJson, {
+    name: opts.appName,
+    mode: "git-clone",
+    sourceUrl: opts.gitUrl,
+    appDir,
+    port,
+    giteaRepoUrl: `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${opts.appName}`,
+    status: hasCompose ? "running" : "stopped",
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+}
+async function _createModeC(job, opts, ctx, gitea, appsJson) {
+  const { cloneStack, generateEnv, reinitGit, findFreePort } = await import("./boilerplate-manager-P6QYUU7Q.js");
+  const { getStackById: getStackById2 } = await import("./stacks-M4FBTVO5.js");
+  const stackId = opts._resolvedStackId;
+  const requestedPort = opts.port ?? 8080;
+  const appDir = join(ctx.projectPath, "apps", opts.appName);
+  await cloneStack(stackId, appDir);
+  const port = await findFreePort(requestedPort);
+  const stackInfo = getStackById2(stackId);
+  const frontendPort = stackInfo && !stackInfo.isUnified ? await findFreePort(port + 1) : void 0;
+  generateEnv(appDir, stackId, "sqlite3", { hostPort: port, frontendPort });
+  await reinitGit(appDir);
+  setStep(job, 2, "running");
+  const cloneUrl = await gitea.createRepo(opts.appName, `Brewnet app: ${opts.appName}`);
+  setStep(job, 2, "done");
+  setStep(job, 3, "running");
+  const authedUrl = gitea.authedCloneUrl(cloneUrl);
+  await execa("git", ["remote", "add", "brewnet", authedUrl], { cwd: appDir });
+  await execa("git", ["push", "brewnet", "HEAD:main", "--force"], { cwd: appDir });
+  setStep(job, 3, "done");
+  setStep(job, 4, "running", "docker compose up --build");
+  ensureComposeFile(appDir, opts.appName, port, job);
+  await _injectQuickTunnelIfNeeded(appDir, opts.appName, port);
+  await _dockerComposeUp(appDir, job);
+  setStep(job, 4, "done", "containers started");
+  setStep(job, 5, "running");
+  const healthUrlC = _buildHealthUrl(appDir, port);
+  setStep(job, 5, "running", `polling ${healthUrlC}`);
+  await _pollHealth(healthUrlC, 12e4, job);
+  setStep(job, 5, "done");
+  addApp(appsJson, {
+    name: opts.appName,
+    mode: opts.mode === "boilerplate" ? "boilerplate" : "new-project",
+    stackId,
+    appDir,
+    lang: opts.language ?? stackInfo?.language,
+    framework: opts.frameworkId ?? stackInfo?.framework,
+    port,
+    giteaRepoUrl: `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${opts.appName}`,
+    status: "running",
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+}
+async function startApp(appName) {
+  const appsJson = resolveAppsJsonPath();
+  const apps = readApps(appsJson);
+  const app = apps.find((a) => a.name === appName);
+  if (!app) throw new Error(`App "${appName}" not found`);
+  await execa("docker", ["compose", "up", "-d"], { cwd: app.appDir });
+  updateApp(appsJson, appName, { status: "running" });
+}
+async function stopApp(appName) {
+  const appsJson = resolveAppsJsonPath();
+  const apps = readApps(appsJson);
+  const app = apps.find((a) => a.name === appName);
+  if (!app) throw new Error(`App "${appName}" not found`);
+  await execa("docker", ["compose", "down"], { cwd: app.appDir });
+  updateApp(appsJson, appName, { status: "stopped" });
+}
+async function removeApp2(appName) {
+  const appsJson = resolveAppsJsonPath();
+  const apps = readApps(appsJson);
+  const app = apps.find((a) => a.name === appName);
+  if (!app) throw new Error(`App "${appName}" not found`);
+  await execa("docker", ["compose", "down", "--volumes"], { cwd: app.appDir }).catch((e) => {
+    console.warn("[removeApp] docker compose down failed:", e instanceof Error ? e.message : String(e));
+  });
+  removeApp(appsJson, appName);
+}
+
+// src/services/admin-server.ts
+var PKG_ROOT = join2(fileURLToPath(import.meta.url), "../../../..");
+var ADMIN_UI_DIST = join2(PKG_ROOT, "packages/admin-ui/dist");
+var MIME_TYPES = {
+  ".html": "text/html; charset=utf-8",
+  ".js": "application/javascript; charset=utf-8",
+  ".mjs": "application/javascript; charset=utf-8",
+  ".css": "text/css; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".svg": "image/svg+xml",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".ico": "image/x-icon",
+  ".woff": "font/woff",
+  ".woff2": "font/woff2",
+  ".ttf": "font/ttf",
+  ".webmanifest": "application/manifest+json"
+};
+function serveStaticFile(filePath, res, statusCode = 200) {
+  const stat = statSync(filePath);
+  const mime = MIME_TYPES[extname(filePath).toLowerCase()] ?? "application/octet-stream";
+  const isHashed = new RegExp("assets/[^/]+-[A-Za-z0-9]{8,}\\.[^.]+$").test(filePath);
+  const cacheControl = isHashed ? "public, max-age=31536000, immutable" : "no-cache, no-store, must-revalidate";
+  res.writeHead(statusCode, {
+    "Content-Type": mime,
+    "Content-Length": stat.size,
+    "Cache-Control": cacheControl
+  });
+  createReadStream(filePath).pipe(res);
+}
+var ICON_SVG = (() => {
+  const candidates = [
+    join2(PKG_ROOT, "public/images/icon.svg"),
+    join2(PKG_ROOT, "../public/images/icon.svg")
+  ];
+  for (const p of candidates) {
+    if (existsSync3(p)) return readFileSync3(p, "utf-8");
+  }
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="48" height="48" viewBox="4 6 38 38" fill="none" stroke="#f5a623" stroke-linecap="round" stroke-linejoin="round"><path d="M8 26H32V34C32 36.8 29.8 39 27 39H13C10.2 39 8 36.8 8 34V26Z" stroke-width="3.5" fill="none"/><path d="M32 28.5C35.5 28.5 37 30.5 37 32.5C37 34.5 35.5 36.5 32 36.5" stroke-width="3.5" fill="none"/><circle cx="20" cy="30" r="2.2" fill="#f5a623" stroke="none"/><path d="M16.5 20a5 5 0 0 1 7 0" stroke-width="3.5" fill="none"/><path d="M13.5 15.5a10 10 0 0 1 13 0" stroke-width="3.5" fill="none"/><path d="M10.5 11a15 15 0 0 1 19 0" stroke-width="3.5" fill="none"/></svg>`;
+})();
+var FAVICON_ICO = (() => {
+  const candidates = [
+    join2(PKG_ROOT, "public/images/favicon.ico"),
+    join2(PKG_ROOT, "../public/images/favicon.ico")
+  ];
+  for (const p of candidates) {
+    if (existsSync3(p)) return readFileSync3(p);
+  }
+  return null;
+})();
+var SERVICE_DETAIL_MAP = {
+  Traefik: {
+    description: "Go-based open-source reverse proxy and load balancer",
+    license: "MIT",
+    docs: "https://traefik.io/traefik/",
+    features: [
+      "Docker label-based automatic service discovery",
+      "Let's Encrypt certificate auto-renewal",
+      "Built-in web dashboard for route monitoring",
+      "Middleware chain: BasicAuth, Rate Limit, IP Whitelist",
+      "HTTP to HTTPS automatic redirect"
+    ],
+    credentials: {
+      method: "basicauth",
+      summary: "No login in dev mode (--api.insecure=true). Use BasicAuth middleware for production.",
+      command: "htpasswd -nb admin YOUR_PASSWORD"
+    },
+    tips: [
+      "Remove --api.insecure=true in production and add BasicAuth or Authelia",
+      "Set exposedbydefault=false and explicitly enable each service with traefik.enable=true",
+      "Add --certificatesresolvers.le.acme.email=YOUR_EMAIL for Let's Encrypt"
+    ]
+  },
+  "Traefik Dashboard": {
+    description: "Built-in Traefik web UI for monitoring routes, services, and middleware",
+    license: "MIT",
+    docs: "https://doc.traefik.io/traefik/operations/dashboard/",
+    features: [
+      "Real-time view of HTTP/TCP routers",
+      "Service health and load balancer status",
+      "Middleware chain visualization"
+    ],
+    credentials: {
+      method: "none",
+      summary: "No authentication in dev mode (--api.insecure=true). Protected by BasicAuth in production."
+    },
+    tips: [
+      "Dashboard URL requires trailing slash: /dashboard/",
+      "Secure with BasicAuth middleware before exposing externally"
+    ]
+  },
+  Gitea: {
+    description: "Lightweight self-hosted Git service written in Go",
+    license: "MIT",
+    docs: "https://about.gitea.com/",
+    features: [
+      "GitHub-like web UI with issues, PRs, wiki, project boards",
+      "Gitea Actions \u2014 GitHub Actions compatible CI/CD",
+      "Low memory footprint (~200 MB)",
+      "LDAP, OAuth2, SMTP authentication support",
+      "PostgreSQL, MySQL, SQLite backend support"
+    ],
+    credentials: {
+      method: "wizard",
+      summary: 'First visit shows Installation Wizard. Create admin account in "Administrator Account Settings" section.',
+      command: "docker exec -it brewnet-gitea gitea admin user create --username admin --password PASSWORD --email admin@brewnet.dev --admin"
+    },
+    tips: [
+      "Set DISABLE_REGISTRATION=true to allow only admin-created accounts",
+      "Set REQUIRE_SIGNIN_VIEW=true to prevent anonymous repo browsing",
+      "SSH port mapped to 3022 to avoid conflict with host SSH (22)"
+    ]
+  },
+  Nextcloud: {
+    description: "Self-hosted cloud storage platform (Google Drive/Dropbox alternative)",
+    license: "AGPL-3.0",
+    docs: "https://nextcloud.com/",
+    features: [
+      "File sync, sharing, and collaboration",
+      "200+ app extensions: calendar, contacts, notes, office docs",
+      "WebDAV protocol support",
+      "Desktop and mobile clients available"
+    ],
+    credentials: {
+      method: "env",
+      summary: "Uses admin credentials set in Pre-Step of brewnet init wizard.",
+      command: 'docker exec -u www-data brewnet-nextcloud php occ user:add USERNAME --display-name="Display Name"'
+    },
+    tips: [
+      "Redis connection recommended for file locking and cache performance",
+      "Add all access domains/IPs to NEXTCLOUD_TRUSTED_DOMAINS",
+      "Switch background jobs to cron: docker exec -u www-data brewnet-nextcloud php occ background:cron"
+    ]
+  },
+  PostgreSQL: {
+    description: "Advanced open-source relational database",
+    license: "PostgreSQL (BSD-like)",
+    docs: "https://www.postgresql.org/",
+    features: [
+      "Full ACID compliance with MVCC",
+      "Native JSON/JSONB support",
+      "Full-text search, PostGIS, time-series extensions",
+      "Logical and physical replication"
+    ],
+    credentials: {
+      method: "env",
+      summary: "Configured via POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB environment variables.",
+      command: "docker exec -it brewnet-postgresql psql -U brewnet -d brewnet_db"
+    },
+    tips: [
+      "Internal network only (brewnet-internal) \u2014 no host port exposed",
+      "Data persisted in named volume \u2014 safe across container restarts",
+      "Use init SQL scripts in docker-entrypoint-initdb.d/ for multi-DB setup"
+    ]
+  },
+  MySQL: {
+    description: "Popular open-source relational database",
+    license: "GPL-2.0",
+    docs: "https://www.mysql.com/",
+    features: [
+      "InnoDB storage engine with ACID transactions",
+      "JSON support and document store",
+      "Replication and clustering",
+      "Widely supported by web applications"
+    ],
+    credentials: {
+      method: "env",
+      summary: "Configured via MYSQL_ROOT_PASSWORD, MYSQL_DATABASE, MYSQL_USER, MYSQL_PASSWORD environment variables.",
+      command: "docker exec -it brewnet-mysql mysql -u brewnet -p brewnet_db"
+    },
+    tips: [
+      "Internal network only (brewnet-internal) \u2014 no host port exposed",
+      "Root password required at first startup",
+      "Init SQL scripts run once from docker-entrypoint-initdb.d/"
+    ]
+  },
+  Redis: {
+    description: "In-memory key-value store for caching and message brokering",
+    license: "BSD-3",
+    docs: "https://redis.io/",
+    features: [
+      "Session storage, cache, message queue, Pub/Sub",
+      "Single-threaded event loop \u2014 100K+ ops/sec",
+      "RDB + AOF persistence support",
+      "Used by Nextcloud file locking and Gitea caching"
+    ],
+    credentials: {
+      method: "env",
+      summary: "No traditional user accounts. Optionally secured with --requirepass flag.",
+      command: "docker exec -it brewnet-redis redis-cli ping"
+    },
+    tips: [
+      "Set --maxmemory and --maxmemory-policy to prevent unbounded memory growth",
+      "Internal network only \u2014 no host port exposed",
+      "Redis 6+ supports ACL for multi-user access control"
+    ]
+  },
+  pgAdmin: {
+    description: "Web-based administration tool for PostgreSQL",
+    license: "PostgreSQL (BSD-like)",
+    docs: "https://www.pgadmin.org/",
+    features: [
+      "SQL editor with query execution and plan visualization",
+      "Table, index, view, and function GUI management",
+      "Backup and restore (pg_dump, pg_restore)",
+      "Multi-server management via server groups"
+    ],
+    credentials: {
+      method: "env",
+      summary: "Uses admin credentials set in Pre-Step. Email format: {username}@brewnet.dev. Register the DB server after first login."
+    },
+    tips: [
+      'Connect to PostgreSQL using hostname "postgresql" (Docker container name), port 5432',
+      "Set PGADMIN_CONFIG_SERVER_MODE=False to skip login in dev mode",
+      "Mount servers.json to auto-register DB servers on startup"
+    ]
+  },
+  Jellyfin: {
+    description: "Open-source media server (Plex/Emby free alternative)",
+    license: "GPL-2.0",
+    docs: "https://jellyfin.org/",
+    features: [
+      "Movies, TV, music, photos, and live TV/DVR",
+      "Hardware transcoding (Intel QSV, NVIDIA NVENC, VAAPI)",
+      "Clients for web, Android, iOS, Roku, Fire TV, Kodi",
+      "DLNA support"
+    ],
+    credentials: {
+      method: "wizard",
+      summary: "First visit shows Setup Wizard. Create admin account in step 2 (User)."
+    },
+    tips: [
+      "Mount media folders as read-only (:ro) for safety",
+      "Add --device=/dev/dri:/dev/dri for Intel GPU hardware transcoding",
+      "DLNA requires --net=host (does not work in Docker bridge mode)"
+    ]
+  },
+  "SSH Server": {
+    description: "Industry-standard remote access via OpenSSH in Docker",
+    license: "BSD",
+    docs: "https://www.openssh.com/",
+    features: [
+      "Key-based authentication (more secure than passwords)",
+      "Built-in SFTP \u2014 no separate FTP server needed",
+      "Port forwarding and tunneling support",
+      "Remote management entry point for Brewnet containers"
+    ],
+    credentials: {
+      method: "env",
+      summary: "Uses admin username set in Pre-Step. Password auth enabled (PASSWORD_ACCESS=true); switch to key-only after setup.",
+      command: "ssh -p 2222 USER@localhost"
+    },
+    tips: [
+      "Switch to key-only auth after initial setup: set PASSWORD_ACCESS=false",
+      "Port 2222 avoids conflict with host SSH (port 22)",
+      "SFTP runs as SSH subsystem \u2014 no separate container needed"
+    ]
+  },
+  FileBrowser: {
+    description: "Lightweight web-based file manager written in Go",
+    license: "Apache-2.0",
+    docs: "https://filebrowser.org/",
+    features: [
+      "Upload, download, edit, and delete files via browser",
+      "Multi-user support with per-user directory scoping",
+      "Built-in code editor for text files",
+      "Share link generation and shell command execution"
+    ],
+    credentials: {
+      method: "none",
+      summary: "Default user: admin. Random password printed to container logs on first start.",
+      command: 'docker logs brewnet-filebrowser | grep "password"'
+    },
+    tips: [
+      "Initial password is shown only once in logs \u2014 change it immediately",
+      "Set per-user Scope to restrict directory access",
+      "All settings and user data stored in filebrowser.db file"
+    ]
+  },
+  "MinIO Console": {
+    description: "S3-compatible object storage with a web console",
+    license: "AGPL-3.0",
+    docs: "https://min.io/",
+    features: [
+      "Amazon S3-compatible API",
+      "Web console for bucket and object management",
+      "Erasure coding and bitrot protection",
+      "Multi-user IAM with policies"
+    ],
+    credentials: {
+      method: "env",
+      summary: "Uses admin credentials set in Pre-Step of brewnet init wizard."
+    },
+    tips: [
+      "Console on port 9001, API on port 9000",
+      "Create IAM users with limited policies for application access",
+      "Use mc (MinIO Client) CLI for scripted bucket management"
+    ]
+  },
+  Cloudflared: {
+    description: "Cloudflare Tunnel daemon \u2014 exposes local services to the internet securely",
+    license: "Apache-2.0",
+    docs: "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/",
+    features: [
+      "No port forwarding or public IP required",
+      "Automatic SSL/TLS via Cloudflare",
+      "Quick Tunnel (*.trycloudflare.com) or Named Tunnel with custom domain",
+      "DDoS protection included"
+    ],
+    credentials: {
+      method: "none",
+      summary: "No login. Quick Tunnel needs no account. Named Tunnel uses TUNNEL_TOKEN from Cloudflare API."
+    },
+    tips: [
+      "Quick Tunnel URL changes on every restart \u2014 use Named Tunnel for permanent access",
+      "Check tunnel status: brewnet domain tunnel status",
+      "Audit logs saved to ~/.brewnet/logs/tunnel.log"
+    ]
+  },
+  Nginx: {
+    description: "High-performance HTTP and reverse proxy server",
+    license: "BSD-2",
+    docs: "https://nginx.org/",
+    features: [
+      "Event-driven architecture \u2014 handles 10K+ concurrent connections",
+      "Static file serving and reverse proxy",
+      "Load balancing with multiple algorithms",
+      "SSL/TLS termination"
+    ],
+    credentials: {
+      method: "none",
+      summary: "No built-in authentication. Use auth_basic module or upstream auth for protection."
+    },
+    tips: [
+      "Default config serves welcome page on port 80",
+      "Use location blocks for path-based routing to upstream services",
+      "Reload config without downtime: nginx -s reload"
+    ]
+  },
+  Caddy: {
+    description: "Modern web server with automatic HTTPS",
+    license: "Apache-2.0",
+    docs: "https://caddyserver.com/",
+    features: [
+      "Automatic HTTPS with Let's Encrypt (zero config)",
+      "HTTP/2 and HTTP/3 support out of the box",
+      "Simple Caddyfile configuration",
+      "Reverse proxy with health checks"
+    ],
+    credentials: {
+      method: "none",
+      summary: "No built-in authentication. Use basicauth directive in Caddyfile for protection."
+    },
+    tips: [
+      "Caddyfile syntax is simpler than Nginx \u2014 great for small setups",
+      "Automatic certificate management requires ports 80 and 443",
+      "Use caddy reload for config changes without downtime"
+    ]
+  },
+  Valkey: {
+    description: "Open-source, high-performance Redis-compatible in-memory data store (Linux Foundation fork)",
+    license: "BSD-3",
+    docs: "https://valkey.io/",
+    features: [
+      "Drop-in Redis replacement \u2014 fully API compatible",
+      "Session storage, cache, message queue, Pub/Sub",
+      "RDB + AOF persistence support",
+      "Active community-driven development post Redis license change"
+    ],
+    credentials: {
+      method: "env",
+      summary: "No traditional user accounts. Optionally secured with --requirepass flag.",
+      command: "docker exec -it brewnet-valkey valkey-cli ping"
+    },
+    tips: [
+      "Set --maxmemory and --maxmemory-policy to prevent unbounded memory growth",
+      "Internal network only \u2014 no host port exposed",
+      "Use OBJECT ENCODING to inspect memory layout of individual keys"
+    ]
+  },
+  KeyDB: {
+    description: "Multithreaded Redis-compatible in-memory database with higher throughput",
+    license: "BSD-3",
+    docs: "https://docs.keydb.dev/",
+    features: [
+      "Multi-threaded architecture \u2014 higher throughput than Redis on multi-core CPUs",
+      "Active-Active replication for multi-master setups",
+      "FLASH storage support for large datasets exceeding RAM",
+      "Drop-in Redis replacement \u2014 fully API compatible"
+    ],
+    credentials: {
+      method: "env",
+      summary: "No traditional user accounts. Optionally secured with requirepass config.",
+      command: "docker exec -it brewnet-keydb keydb-cli ping"
+    },
+    tips: [
+      "Set server-threads to number of CPU cores for best performance",
+      "Internal network only \u2014 no host port exposed",
+      "Use keydb-cli --stat to monitor live throughput"
+    ]
+  }
+};
+var NAME_ALIASES = {
+  "OpenSSH Server": "SSH Server",
+  "Cloudflare Tunnel": "Cloudflared",
+  "MinIO": "MinIO Console"
+};
+var docker = new Dockerode();
+var REQUIRED_SERVICES = /* @__PURE__ */ new Set(["traefik", "nginx", "caddy", "gitea"]);
+var INTERNAL_SERVICES = /* @__PURE__ */ new Set(["brewnet-welcome", "brewnet-landing", "cloudflared"]);
+var NO_HTTP_SERVICES = /* @__PURE__ */ new Set([
+  "postgresql",
+  "mysql",
+  "mariadb",
+  "openssh-server"
+]);
+var TRAEFIK_PATH_SERVICES = {
+  traefik: "http://localhost/dashboard/",
+  gitea: "http://localhost/git",
+  nextcloud: "http://localhost/cloud",
+  pgadmin: "http://localhost:5050/pgadmin"
+};
+var KNOWN_SSH_PORTS = /* @__PURE__ */ new Set([22, 2222, 3022]);
+function getPrimaryPort(container) {
+  const tcp = (container.Ports ?? []).filter((p) => p.Type === "tcp" && p.PublicPort && !KNOWN_SSH_PORTS.has(p.PublicPort)).sort((a, b) => a.PublicPort - b.PublicPort);
+  return tcp[0]?.PublicPort ?? null;
+}
+function json(res, status, data) {
+  const payload = JSON.stringify(data);
+  res.writeHead(status, { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(payload) });
+  res.end(payload);
+}
+async function readBody(req) {
+  return new Promise((resolve2) => {
+    let body = "";
+    req.on("data", (c) => body += c);
+    req.on("end", () => resolve2(body));
+  });
+}
+async function handleGetServices(_req, res, _parts, _body, _projectPath, urlMap = TRAEFIK_PATH_SERVICES, quickTunnelUrl = "", allowedDirs) {
+  try {
+    const allContainers = await docker.listContainers({ all: true });
+    const services = [];
+    for (const c of allContainers) {
+      const composeService = c.Labels?.["com.docker.compose.service"];
+      if (!composeService) continue;
+      if (INTERNAL_SERVICES.has(composeService)) continue;
+      const workingDir = c.Labels?.["com.docker.compose.project.working_dir"] ?? "";
+      if (allowedDirs && allowedDirs.size > 0) {
+        if (workingDir && workingDir.startsWith(_projectPath) && !allowedDirs.has(workingDir)) {
+          continue;
+        }
+      }
+      const def = getServiceDefinition(composeService);
+      const s = c.State;
+      const status = s === "running" ? "running" : s === "exited" ? "stopped" : "error";
+      const port = getPrimaryPort(c) ?? def?.ports?.[0] ?? null;
+      const labels = c.Labels ?? {};
+      const primaryRouterKey = `traefik.http.routers.quicktunnel-${composeService}.rule`;
+      const routerRule = labels[primaryRouterKey] && String(labels[primaryRouterKey]).includes("PathPrefix") ? [primaryRouterKey, labels[primaryRouterKey]] : Object.entries(labels).find(
+        ([k, v]) => k.includes("traefik.http.routers.") && k.endsWith(".rule") && String(v).includes("PathPrefix")
+      );
+      let traefikPath = "";
+      if (routerRule) {
+        const pathMatch = String(routerRule[1]).match(/PathPrefix\(`([^`]+)`\)/);
+        if (pathMatch) traefikPath = pathMatch[1];
+      }
+      const hasStripPrefix = Object.keys(labels).some(
+        (k) => k.includes(".stripprefix.")
+      );
+      const localBasePath = traefikPath && !hasStripPrefix ? traefikPath : "";
+      let externalUrl = null;
+      const qtUrl = quickTunnelUrl;
+      if (qtUrl && traefikPath) {
+        let extPath = traefikPath;
+        const stackLabel = labels["com.brewnet.stack"] ?? "";
+        if (stackLabel === "nodejs-nextjs" || composeService === "backend" && extPath.includes("nextjs-app")) {
+          extPath += "/api/hello";
+        }
+        externalUrl = qtUrl.replace(/\/$/, "") + extPath;
+      }
+      if (!externalUrl && qtUrl) {
+        const EXT_PATH_MAP = {
+          traefik: "",
+          gitea: "/git",
+          nextcloud: "/cloud",
+          pgadmin: "/pgadmin",
+          jellyfin: "/jellyfin",
+          filebrowser: "/files",
+          minio: "/minio"
+        };
+        if (EXT_PATH_MAP[composeService] !== void 0) {
+          externalUrl = qtUrl.replace(/\/$/, "") + EXT_PATH_MAP[composeService];
+        }
+      }
+      const stackId = workingDir && workingDir.startsWith(_projectPath) ? workingDir.slice(_projectPath.length).replace(/^[/\\]/, "") || void 0 : void 0;
+      const GENERIC_BOILERPLATE_SERVICES = /* @__PURE__ */ new Set(["frontend", "backend"]);
+      const composeProject = c.Labels?.["com.docker.compose.project"] ?? "";
+      const isGeneric = GENERIC_BOILERPLATE_SERVICES.has(composeService) && !!composeProject;
+      const serviceId = isGeneric ? `${composeProject}-${composeService}` : composeService;
+      const serviceName = isGeneric ? `${composeProject}-${composeService === "frontend" ? "front" : "back"}` : def?.name ?? composeService;
+      services.push({
+        id: serviceId,
+        name: serviceName,
+        type: def ? inferType(composeService) : "unknown",
+        status,
+        cpu: "\u2014",
+        memory: "\u2014",
+        uptime: c.Status?.startsWith("Up") ? c.Status.replace(/^Up /, "") : "\u2014",
+        port: port ?? null,
+        // Show a local URL for any service with a public HTTP port.
+        // Database/queue services (non-HTTP) are excluded via NO_HTTP_SERVICES.
+        // urlMap overrides apply first (e.g. Traefik-path services like gitea → /git).
+        // localBasePath: Next.js basePath stacks serve at /apps/{name} even locally.
+        url: port && !NO_HTTP_SERVICES.has(composeService) ? urlMap[composeService] ?? `http://localhost:${port}${localBasePath}` : null,
+        externalUrl,
+        removable: !REQUIRED_SERVICES.has(composeService),
+        stackId
+      });
+    }
+    const running = services.filter((s) => s.status === "running").length;
+    json(res, 200, {
+      services,
+      summary: { total: services.length, running, stopped: services.length - running }
+    });
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err), code: "BN001" });
+  }
+}
+function inferType(id) {
+  if (["traefik", "nginx", "caddy"].includes(id)) return "web";
+  if (["postgresql", "mysql"].includes(id)) return "db";
+  if (["nextcloud", "minio", "filebrowser"].includes(id)) return "file";
+  if (["jellyfin"].includes(id)) return "media";
+  if (["gitea"].includes(id)) return "git";
+  if (["openssh-server"].includes(id)) return "ssh";
+  return "app";
+}
+async function handleServiceAction(_req, res, parts, _body, _projectPath) {
+  const serviceId = parts[3];
+  const action = parts[4];
+  if (!serviceId || !["start", "stop"].includes(action)) {
+    json(res, 400, { success: false, error: "Invalid request" });
+    return;
+  }
+  try {
+    const containers = await docker.listContainers({ all: true });
+    const match = containers.find(
+      (c) => c.Labels?.["com.docker.compose.service"] === serviceId
+    );
+    if (!match) {
+      json(res, 404, { success: false, error: "Service not found", code: "BN008" });
+      return;
+    }
+    if (action === "start" && match.State === "running") {
+      json(res, 400, { success: false, error: "Service is already running", code: "ALREADY_RUNNING" });
+      return;
+    }
+    if (action === "stop" && match.State !== "running") {
+      json(res, 400, { success: false, error: "Service is not running", code: "NOT_RUNNING" });
+      return;
+    }
+    const container = docker.getContainer(match.Id);
+    if (action === "start") {
+      await container.start();
+    } else {
+      await container.stop();
+    }
+    const newStatus = action === "start" ? "running" : "stopped";
+    json(res, 200, { success: true, id: serviceId, status: newStatus });
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err), code: "BN001" });
+  }
+}
+async function handleInstallService(_req, res, _parts, body, projectPath) {
+  try {
+    const { id } = JSON.parse(body);
+    if (!id) {
+      json(res, 400, { success: false, error: "Missing service id" });
+      return;
+    }
+    const result = await addService(id, projectPath);
+    if (result.success) {
+      json(res, 202, { success: true, id, status: "installed", message: `Service ${id} added` });
+    } else {
+      const code = result.error?.includes("already") ? "ALREADY_EXISTS" : "BN006";
+      json(res, result.error?.includes("already") ? 409 : 500, { success: false, error: result.error, code });
+    }
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err) });
+  }
+}
+async function handleRemoveService(req, res, parts, _body, projectPath) {
+  const serviceId = parts[3];
+  if (!serviceId) {
+    json(res, 400, { success: false, error: "Missing service id" });
+    return;
+  }
+  if (REQUIRED_SERVICES.has(serviceId)) {
+    json(res, 400, { success: false, error: `Cannot remove required service: ${serviceId}`, code: "REQUIRED_SERVICE" });
+    return;
+  }
+  const url = new URL(req.url ?? "/", `http://localhost`);
+  const purge = url.searchParams.get("purge") === "true";
+  try {
+    const result = await removeService(serviceId, projectPath, { purge });
+    if (result.success) {
+      json(res, 200, { success: true, id: serviceId, dataPreserved: !purge });
+    } else {
+      json(res, result.error?.includes("not found") ? 404 : 500, { success: false, error: result.error, code: "BN008" });
+    }
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err) });
+  }
+}
+async function handleGetCatalog(_req, res, _parts, _body, _projectPath) {
+  try {
+    const installed = /* @__PURE__ */ new Set();
+    const containers = await docker.listContainers({ all: true });
+    for (const c of containers) {
+      const id = c.Labels?.["com.docker.compose.service"];
+      if (id) installed.add(id);
+    }
+    const catalog = [...SERVICE_REGISTRY.values()].filter((def) => !REQUIRED_SERVICES.has(def.id)).map((def) => ({
+      id: def.id,
+      name: def.name,
+      description: "",
+      category: inferType(def.id),
+      image: def.image,
+      ramEstimateMB: def.ramMB,
+      installed: installed.has(def.id)
+    }));
+    json(res, 200, { catalog });
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err) });
+  }
+}
+async function handleBackup(req, res, _parts, _body, projectPath) {
+  const backupsDir = join2(homedir2(), ".brewnet", "backups");
+  if (req.method === "GET") {
+    try {
+      const backups = listBackups(backupsDir);
+      json(res, 200, { backups });
+    } catch (err) {
+      json(res, 500, { success: false, error: String(err) });
+    }
+    return;
+  }
+  try {
+    const record = createBackup(projectPath, backupsDir);
+    json(res, 202, { success: true, backupId: record.id, status: "completed" });
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err) });
+  }
+}
+var domainOpLogs = /* @__PURE__ */ new Map();
+var domainOpListeners = /* @__PURE__ */ new Map();
+function writeDomainLog(appName, line) {
+  const tagged = `[domain-connect] ${line}`;
+  logger.info("domain", `[${appName}] ${line}`);
+  if (!domainOpLogs.has(appName)) domainOpLogs.set(appName, []);
+  const buf = domainOpLogs.get(appName);
+  buf.push({ line: tagged, ts: Date.now() });
+  if (buf.length > 200) buf.shift();
+  domainOpListeners.get(appName)?.forEach((fn) => fn(tagged));
+}
+function createAdminServer(options = {}) {
+  const port = options.port ?? 8088;
+  let projectPath = options.projectPath ?? process.cwd();
+  let wizardState = null;
+  const last = getLastProject();
+  if (last) {
+    const state = loadState(last);
+    if (state) {
+      wizardState = state;
+      if (!options.projectPath && state.projectPath) projectPath = state.projectPath;
+    }
+  }
+  if (projectPath.startsWith("~/") || projectPath === "~") {
+    projectPath = join2(homedir2(), projectPath.slice(1));
+  }
+  const username = wizardState?.admin?.username ?? "";
+  const password = wizardState?.admin?.password ?? "";
+  const maskUser = (u) => u.length > 2 ? u.slice(0, -2) + "**" : "**";
+  const maskPass = (p) => p.length > 1 ? p[0] + "*".repeat(p.length - 1) : "********";
+  const allowedWorkingDirs = /* @__PURE__ */ new Set();
+  allowedWorkingDirs.add(projectPath);
+  try {
+    const bpMetaPath2 = join2(projectPath, ".brewnet-boilerplate.json");
+    if (existsSync3(bpMetaPath2)) {
+      const raw2 = JSON.parse(readFileSync3(bpMetaPath2, "utf-8"));
+      const stacks2 = Array.isArray(raw2) ? raw2 : raw2.stackId ? [raw2] : [];
+      for (const s of stacks2) {
+        if (s.appDir) allowedWorkingDirs.add(s.appDir);
+      }
+    }
+    const appsJsonPath = join2(homedir2(), ".brewnet", "apps.json");
+    if (existsSync3(appsJsonPath)) {
+      const apps = JSON.parse(readFileSync3(appsJsonPath, "utf-8"));
+      for (const app of apps) {
+        if (app.appDir) allowedWorkingDirs.add(app.appDir);
+      }
+    }
+  } catch {
+  }
+  const dashConfig = {
+    adminUsername: username ? maskUser(username) : "**",
+    passwordHint: password ? maskPass(password) : "********",
+    domainProvider: wizardState?.domain?.provider ?? "local",
+    quickTunnelUrl: wizardState?.domain?.cloudflare?.quickTunnelUrl ?? "",
+    zoneName: wizardState?.domain?.cloudflare?.zoneName ?? "",
+    tunnelId: wizardState?.domain?.cloudflare?.tunnelId ?? ""
+  };
+  const runtimeUrlMap = {
+    ...TRAEFIK_PATH_SERVICES,
+    jellyfin: "http://localhost:8096/jellyfin/web/"
+  };
+  let quickTunnelDetected = !!dashConfig.quickTunnelUrl;
+  async function detectQuickTunnelUrl() {
+    if (quickTunnelDetected) return;
+    quickTunnelDetected = true;
+    try {
+      const containers = await docker.listContainers({ all: true });
+      const cf = containers.find(
+        (c) => c.Labels?.["com.docker.compose.service"] === "cloudflared"
+      );
+      if (!cf || cf.State !== "running") return;
+      const container = docker.getContainer(cf.Id);
+      const logBuf = await container.logs({ stdout: true, stderr: true, tail: 50 });
+      const logStr = logBuf.toString("utf-8");
+      const match = logStr.match(/https?:\/\/([\w]+-[\w][\w-]*\.trycloudflare\.com)/i);
+      if (match) {
+        dashConfig.quickTunnelUrl = `https://${match[1]}`;
+        dashConfig.domainProvider = "quick-tunnel";
+      }
+    } catch {
+    }
+  }
+  let credentialsDetected = !!(username && password);
+  async function detectCredentials() {
+    if (credentialsDetected) return;
+    credentialsDetected = true;
+    try {
+      const containers = await docker.listContainers({ all: true });
+      const nc = containers.find(
+        (c) => c.Labels?.["com.docker.compose.service"] === "nextcloud"
+      );
+      if (!nc) return;
+      const info = await docker.getContainer(nc.Id).inspect();
+      const envArr = info.Config?.Env ?? [];
+      let u = "";
+      let p = "";
+      for (const entry of envArr) {
+        if (!u && entry.startsWith("NEXTCLOUD_ADMIN_USER=")) {
+          u = entry.split("=").slice(1).join("=");
+        }
+        if (!p && entry.startsWith("NEXTCLOUD_ADMIN_PASSWORD=")) {
+          p = entry.split("=").slice(1).join("=");
+        }
+      }
+      if (u || p) {
+        dashConfig.adminUsername = maskUser(u || "admin");
+        dashConfig.passwordHint = maskPass(p);
+      }
+    } catch {
+    }
+  }
+  const server = createServer(async (req, res) => {
+    const url = req.url ?? "/";
+    const parts = url.split("?")[0].split("/").filter(Boolean);
+    const body = await readBody(req);
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type, X-Admin-Password");
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    if (req.method === "GET" && url === "/icon.svg") {
+      res.writeHead(200, { "Content-Type": "image/svg+xml", "Cache-Control": "public, max-age=86400" });
+      res.end(ICON_SVG);
+      return;
+    }
+    if (req.method === "GET" && url === "/favicon.ico") {
+      if (FAVICON_ICO) {
+        res.writeHead(200, { "Content-Type": "image/x-icon", "Cache-Control": "public, max-age=86400" });
+        res.end(FAVICON_ICO);
+      } else {
+        res.writeHead(200, { "Content-Type": "image/svg+xml", "Cache-Control": "public, max-age=86400" });
+        res.end(ICON_SVG);
+      }
+      return;
+    }
+    if (req.method === "GET" && url.startsWith("/assets/")) {
+      const pathname = url.split("?")[0];
+      const safePath = resolve(ADMIN_UI_DIST, "." + pathname);
+      if (!safePath.startsWith(ADMIN_UI_DIST)) {
+        res.writeHead(403);
+        res.end("Forbidden");
+        return;
+      }
+      if (existsSync3(safePath) && statSync(safePath).isFile()) {
+        serveStaticFile(safePath, res);
+        return;
+      }
+      res.writeHead(404);
+      res.end("Not Found");
+      return;
+    }
+    if (req.method === "GET" && !url.startsWith("/api/")) {
+      const pathname = url.split("?")[0];
+      const exactPath = resolve(ADMIN_UI_DIST, "." + (pathname === "/" ? "/index.html" : pathname));
+      if (exactPath.startsWith(ADMIN_UI_DIST) && existsSync3(exactPath) && statSync(exactPath).isFile()) {
+        serveStaticFile(exactPath, res);
+        return;
+      }
+      const indexPath = join2(ADMIN_UI_DIST, "index.html");
+      if (existsSync3(indexPath)) {
+        serveStaticFile(indexPath, res);
+        return;
+      }
+      res.writeHead(503, { "Content-Type": "text/plain" });
+      res.end("Admin UI not built. Run: pnpm --filter @brewnet/admin-ui build");
+      return;
+    }
+    if (parts[0] === "api") {
+      try {
+        if (parts[1] === "health" && req.method === "GET") {
+          if (wizardState?.admin?.password) {
+            const provided = req.headers["x-admin-password"];
+            if (!provided || provided !== wizardState.admin.password) {
+              json(res, 401, { error: "Unauthorized", message: "Admin password required" });
+              return;
+            }
+          }
+          json(res, 200, { status: "ok", version: "1.0.1" });
+          return;
+        }
+        if (parts[1] === "services" && parts[2] === "catalog" && req.method === "GET") {
+          json(res, 200, { catalog: SERVICE_DETAIL_MAP, aliases: NAME_ALIASES });
+          return;
+        }
+        if (parts[1] === "config" && req.method === "GET") {
+          await detectQuickTunnelUrl();
+          await detectCredentials();
+          json(res, 200, {
+            adminUsername: dashConfig.adminUsername,
+            passwordHint: dashConfig.passwordHint,
+            domainProvider: dashConfig.domainProvider,
+            quickTunnelUrl: dashConfig.quickTunnelUrl,
+            zoneName: dashConfig.zoneName,
+            tunnelId: dashConfig.tunnelId
+          });
+          return;
+        }
+        if (parts[1] === "services") {
+          if (req.method === "GET" && parts.length === 2) {
+            await handleGetServices(req, res, parts, body, projectPath, runtimeUrlMap, dashConfig.quickTunnelUrl, allowedWorkingDirs);
+            return;
+          }
+          if (req.method === "POST" && parts[2] === "install") {
+            await handleInstallService(req, res, parts, body, projectPath);
+            return;
+          }
+          if (req.method === "POST" && parts[3] && ["start", "stop"].includes(parts[4] ?? "")) {
+            await handleServiceAction(req, res, parts, body, projectPath);
+            return;
+          }
+          if (req.method === "DELETE" && parts[3]) {
+            await handleRemoveService(req, res, parts, body, projectPath);
+            return;
+          }
+        }
+        if (parts[1] === "catalog" && req.method === "GET") {
+          await handleGetCatalog(req, res, parts, body, projectPath);
+          return;
+        }
+        if (parts[1] === "backup") {
+          await handleBackup(req, res, parts, body, projectPath);
+          return;
+        }
+        if (parts[1] === "logs") {
+          if (req.method === "GET" && parts[2] === "stats") {
+            const stats = await getLogStats(projectPath);
+            json(res, 200, stats);
+            return;
+          }
+          if (req.method === "GET") {
+            const qUrl = new URL(url, "http://localhost");
+            const sources = qUrl.searchParams.get("source");
+            const levels = qUrl.searchParams.get("level");
+            const services = qUrl.searchParams.get("service");
+            const since = qUrl.searchParams.get("since") ?? void 0;
+            const until = qUrl.searchParams.get("until") ?? void 0;
+            const search = qUrl.searchParams.get("search") ?? void 0;
+            const limit = parseInt(qUrl.searchParams.get("limit") ?? "100", 10);
+            const offset = parseInt(qUrl.searchParams.get("offset") ?? "0", 10);
+            const result = await queryLogs(
+              {
+                sources: sources ? [sources] : void 0,
+                levels: levels ? [levels] : void 0,
+                services: services ? [services] : void 0,
+                since,
+                until,
+                search,
+                limit: isNaN(limit) ? 100 : limit,
+                offset: isNaN(offset) ? 0 : offset
+              },
+              projectPath
+            );
+            json(res, 200, result);
+            return;
+          }
+        }
+        if (parts[1] === "apps") {
+          if (req.method === "GET" && parts.length === 2) {
+            const apps = await listApps();
+            const history = getDeployHistory();
+            const historyByApp = /* @__PURE__ */ new Map();
+            for (const h of history) {
+              if (h.status === "success") historyByApp.set(h.appName, h);
+            }
+            const bpMetaPath = join2(projectPath, ".brewnet-boilerplate.json");
+            let bpMetaMap = /* @__PURE__ */ new Map();
+            if (existsSync3(bpMetaPath)) {
+              try {
+                const raw = JSON.parse(readFileSync3(bpMetaPath, "utf-8"));
+                const metas = Array.isArray(raw) ? raw : [raw];
+                for (const m of metas) bpMetaMap.set(m.stackId, m);
+              } catch {
+              }
+            }
+            const enrichedApps = apps.map((a) => {
+              const lastDeploy = historyByApp.get(a.name) ?? null;
+              const qt = dashConfig.quickTunnelUrl;
+              const bpMeta = a.mode === "boilerplate" && a.stackId ? bpMetaMap.get(a.stackId) : void 0;
+              const isNonUnified = bpMeta ? bpMeta.isUnified === false : !!(a.stackId && getStackById(a.stackId)?.isUnified === false);
+              let localUrl;
+              let externalUrl;
+              let backendLocalUrl = null;
+              let backendExternalUrl = null;
+              if (isNonUnified) {
+                let frontendPort = 3e3;
+                const feEnvPath = join2(a.appDir, ".env");
+                if (existsSync3(feEnvPath)) {
+                  const feEnvContent = readFileSync3(feEnvPath, "utf-8");
+                  const fePortMatch = feEnvContent.match(/^FRONTEND_PORT=(\d+)/m);
+                  if (fePortMatch) frontendPort = parseInt(fePortMatch[1], 10);
+                }
+                localUrl = `http://127.0.0.1:${frontendPort}`;
+                externalUrl = qt ? `${qt.replace(/\/$/, "")}/apps/${a.name}-ui` : null;
+                backendLocalUrl = a.port ? `http://127.0.0.1:${a.port}` : null;
+                backendExternalUrl = qt ? `${qt.replace(/\/$/, "")}/apps/${a.name}` : null;
+              } else {
+                localUrl = a.port ? `http://localhost:${a.port}` : null;
+                if (a.appDir) {
+                  const bp = detectBasePath(a.appDir);
+                  if (bp && localUrl) localUrl += bp;
+                }
+                externalUrl = qt ? `${qt.replace(/\/$/, "")}/apps/${a.name}` : null;
+              }
+              return { ...a, lastDeployedAt: lastDeploy?.deployedAt ?? null, localUrl, externalUrl, backendLocalUrl, backendExternalUrl };
+            });
+            logger.info("admin-server", `[GET /api/apps] returning ${apps.length} app(s): ${JSON.stringify(apps.map((a) => a.name))}`);
+            json(res, 200, { apps: enrichedApps });
+            return;
+          }
+          if (req.method === "GET" && parts[2] === "boilerplates") {
+            const bpPath = join2(projectPath, ".brewnet-boilerplate.json");
+            const metas = [];
+            if (existsSync3(bpPath)) {
+              const raw = JSON.parse(readFileSync3(bpPath, "utf-8"));
+              const wizardMetas = Array.isArray(raw) ? raw : [raw];
+              metas.push(...wizardMetas);
+            }
+            const allApps = await listApps();
+            for (const app of allApps) {
+              if (app.mode !== "boilerplate" || !app.stackId) continue;
+              if (metas.some((m) => m.appDir && app.appDir && m.appDir === app.appDir)) continue;
+              const envPath = join2(app.appDir, ".env");
+              let frontendPort;
+              let dbDriver;
+              let dbUser;
+              let dbName;
+              if (existsSync3(envPath)) {
+                const envContent = readFileSync3(envPath, "utf-8");
+                const fpMatch = envContent.match(/^FRONTEND_PORT=(\d+)/m);
+                if (fpMatch) frontendPort = parseInt(fpMatch[1], 10);
+                const ddMatch = envContent.match(/^DB_DRIVER=(.+)/m);
+                if (ddMatch) dbDriver = ddMatch[1].trim();
+                const duMatch = envContent.match(/^DB_USER=(.+)/m);
+                if (duMatch) dbUser = duMatch[1].trim();
+                const dnMatch = envContent.match(/^DB_NAME=(.+)/m);
+                if (dnMatch) dbName = dnMatch[1].trim();
+              }
+              const stackEntry = getStackById(app.stackId);
+              metas.push({
+                stackId: app.stackId,
+                appDir: app.appDir,
+                backendUrl: `http://127.0.0.1:${app.port}`,
+                frontendUrl: frontendPort ? `http://127.0.0.1:${frontendPort}` : void 0,
+                isUnified: stackEntry?.isUnified ?? false,
+                lang: app.lang,
+                dbDriver,
+                dbUser,
+                dbName,
+                status: app.status
+              });
+            }
+            logger.info("admin-server", `[GET /api/apps/boilerplates] returning ${metas.length} boilerplate(s) (wizard=${metas.length - allApps.filter((a) => a.mode === "boilerplate" && a.stackId).length}, create-app=${allApps.filter((a) => a.mode === "boilerplate" && a.stackId).length})`);
+            json(res, 200, { boilerplates: metas });
+            return;
+          }
+          if (req.method === "POST" && parts[2] === "boilerplates" && parts[3] && (parts[4] === "stop" || parts[4] === "start")) {
+            const stackId = decodeURIComponent(parts[3]);
+            const action = parts[4];
+            const bpPath = join2(projectPath, ".brewnet-boilerplate.json");
+            if (!existsSync3(bpPath)) {
+              json(res, 404, { error: "No boilerplates found" });
+              return;
+            }
+            const bpRaw = JSON.parse(readFileSync3(bpPath, "utf-8"));
+            const bpMetas = Array.isArray(bpRaw) ? bpRaw : [bpRaw];
+            const meta = bpMetas.find((m) => m.stackId === stackId);
+            if (!meta) {
+              json(res, 404, { error: `Boilerplate "${stackId}" not found` });
+              return;
+            }
+            const { execa: execaBp } = await import("execa");
+            if (action === "stop") {
+              await execaBp("docker", ["compose", "down"], { cwd: meta.appDir });
+              meta.status = "stopped";
+            } else {
+              await execaBp("docker", ["compose", "up", "-d"], { cwd: meta.appDir });
+              meta.status = "running";
+            }
+            const { writeFileSync: writeFileSync4 } = await import("fs");
+            writeFileSync4(bpPath, JSON.stringify(bpMetas, null, 2), "utf-8");
+            json(res, 200, { success: true });
+            return;
+          }
+          if (req.method === "POST" && parts[2] === "create") {
+            const opts = JSON.parse(body);
+            const jobId = await createApp(opts);
+            json(res, 202, { jobId });
+            return;
+          }
+          if (req.method === "GET" && parts[2] === "jobs" && parts[3]) {
+            const job = getJobStatus(parts[3]);
+            if (!job) {
+              json(res, 404, { error: "Job not found" });
+              return;
+            }
+            json(res, 200, job);
+            return;
+          }
+          if (req.method === "POST" && parts[3] === "start") {
+            await startApp(decodeURIComponent(parts[2] ?? ""));
+            json(res, 200, { success: true });
+            return;
+          }
+          if (req.method === "POST" && parts[3] === "stop") {
+            await stopApp(decodeURIComponent(parts[2] ?? ""));
+            json(res, 200, { success: true });
+            return;
+          }
+          if (req.method === "DELETE" && parts[2]) {
+            await removeApp2(parts[2]);
+            json(res, 200, { success: true });
+            return;
+          }
+          if (req.method === "GET" && parts[2] && !["boilerplates", "jobs", "check-port"].includes(parts[2]) && parts.length === 3) {
+            const apps = await listApps();
+            const found = apps.find((a) => a.name === decodeURIComponent(parts[2]));
+            if (!found) {
+              json(res, 404, { error: "App not found" });
+              return;
+            }
+            const history = getDeployHistory();
+            const lastDeploy = history.filter((h) => h.appName === found.name && h.status === "success").pop() ?? null;
+            const qt = dashConfig.quickTunnelUrl;
+            const bpMetaSingle = found.mode === "boilerplate" && found.stackId ? (() => {
+              const p = join2(projectPath, ".brewnet-boilerplate.json");
+              if (!existsSync3(p)) return void 0;
+              try {
+                const raw = JSON.parse(readFileSync3(p, "utf-8"));
+                const list = Array.isArray(raw) ? raw : [raw];
+                return list.find((m) => m.stackId === found.stackId);
+              } catch {
+                return void 0;
+              }
+            })() : void 0;
+            const isNonUnified = bpMetaSingle ? bpMetaSingle.isUnified === false : !!(found.stackId && getStackById(found.stackId)?.isUnified === false);
+            let localUrlSingle;
+            let externalUrlSingle;
+            let backendLocalUrlSingle = null;
+            let backendExternalUrlSingle = null;
+            if (isNonUnified) {
+              let frontendPort = 3e3;
+              const feEnvPath = join2(found.appDir, ".env");
+              if (existsSync3(feEnvPath)) {
+                const m = readFileSync3(feEnvPath, "utf-8").match(/^FRONTEND_PORT=(\d+)/m);
+                if (m) frontendPort = parseInt(m[1], 10);
+              }
+              localUrlSingle = `http://127.0.0.1:${frontendPort}`;
+              externalUrlSingle = qt ? `${qt.replace(/\/$/, "")}/apps/${found.name}-ui` : null;
+              backendLocalUrlSingle = found.port ? `http://127.0.0.1:${found.port}` : null;
+              backendExternalUrlSingle = qt ? `${qt.replace(/\/$/, "")}/apps/${found.name}` : null;
+            } else {
+              localUrlSingle = found.port ? `http://localhost:${found.port}` : null;
+              if (found.appDir) {
+                const bp = detectBasePath(found.appDir);
+                if (bp && localUrlSingle) localUrlSingle += bp;
+              }
+              externalUrlSingle = qt ? `${qt.replace(/\/$/, "")}/apps/${found.name}` : null;
+            }
+            const app = { ...found, lastDeployedAt: lastDeploy?.deployedAt ?? null, localUrl: localUrlSingle, externalUrl: externalUrlSingle, backendLocalUrl: backendLocalUrlSingle, backendExternalUrl: backendExternalUrlSingle };
+            json(res, 200, { app });
+            return;
+          }
+          if (req.method === "GET" && parts[3] === "git" && parts.length === 4) {
+            try {
+              const git = await getAppGitInfo(decodeURIComponent(parts[2] ?? ""));
+              json(res, 200, { git });
+            } catch (err) {
+              json(res, 502, { error: String(err) });
+            }
+            return;
+          }
+          if (req.method === "GET" && parts[3] === "branches" && parts.length === 4) {
+            try {
+              const branches = await getAppBranches(decodeURIComponent(parts[2] ?? ""));
+              json(res, 200, { branches });
+            } catch (err) {
+              json(res, 200, { branches: [] });
+            }
+            return;
+          }
+          if (req.method === "GET" && parts[3] === "deploy" && parts[4] === "settings") {
+            const settings = getDeploySettings(decodeURIComponent(parts[2] ?? ""));
+            json(res, 200, settings);
+            return;
+          }
+          if (req.method === "PUT" && parts[3] === "deploy" && parts[4] === "settings") {
+            const opts = JSON.parse(body);
+            updateDeploySettings(decodeURIComponent(parts[2] ?? ""), opts);
+            json(res, 200, { success: true });
+            return;
+          }
+          if (req.method === "POST" && parts[3] === "deploy" && !parts[4]) {
+            const jobId = await deployApp(decodeURIComponent(parts[2] ?? ""));
+            json(res, 202, { jobId });
+            return;
+          }
+          if (req.method === "POST" && parts[3] === "rollback" && !parts[4]) {
+            let parsed = {};
+            try {
+              parsed = JSON.parse(body);
+            } catch {
+              json(res, 400, { error: "Invalid JSON" });
+              return;
+            }
+            if (!parsed.commitHash) {
+              json(res, 400, { error: "commitHash is required" });
+              return;
+            }
+            const jobId = await rollbackApp(decodeURIComponent(parts[2] ?? ""), parsed.commitHash);
+            json(res, 202, { jobId });
+            return;
+          }
+          if (req.method === "GET" && parts[3] === "logs") {
+            const appDir = getAppDir(decodeURIComponent(parts[2] ?? ""));
+            if (!appDir) {
+              json(res, 404, { error: "App not found" });
+              return;
+            }
+            res.writeHead(200, {
+              "Content-Type": "text/event-stream",
+              "Cache-Control": "no-cache",
+              "Connection": "keep-alive"
+            });
+            res.flushHeaders();
+            const { execa: execaLocal } = await import("execa");
+            const proc = execaLocal("docker", ["compose", "logs", "--follow", "--tail", "50"], {
+              cwd: appDir,
+              reject: false,
+              stdout: "pipe",
+              stderr: "pipe"
+            });
+            const sendLine = (line) => {
+              if (line.trim()) res.write(`data: ${line.replace(/\r?\n/g, " ")}
+
+`);
+            };
+            proc.stdout?.on("data", (chunk) => {
+              for (const line of chunk.toString().split("\n")) sendLine(line);
+            });
+            proc.stderr?.on("data", (chunk) => {
+              for (const line of chunk.toString().split("\n")) sendLine(line);
+            });
+            const sseAppName = decodeURIComponent(parts[2] ?? "");
+            const domainListener = (line) => sendLine(line);
+            if (!domainOpListeners.has(sseAppName)) domainOpListeners.set(sseAppName, /* @__PURE__ */ new Set());
+            domainOpListeners.get(sseAppName).add(domainListener);
+            for (const entry of domainOpLogs.get(sseAppName) ?? []) sendLine(entry.line);
+            req.on("close", () => {
+              try {
+                proc.kill();
+              } catch {
+              }
+              domainOpListeners.get(sseAppName)?.delete(domainListener);
+            });
+            return;
+          }
+        }
+        if (parts[1] === "gitea" && parts[2] === "autologin" && req.method === "GET") {
+          const reqUrl = new URL(req.url ?? "/", "http://localhost");
+          const redirectPath = reqUrl.searchParams.get("redirect") ?? "/git";
+          const giteaBase = "http://localhost/git";
+          const targetUrl = `http://localhost${redirectPath.startsWith("/") ? redirectPath : "/" + redirectPath}`;
+          try {
+            const loginPageRes = await fetch(`${giteaBase}/user/login`, {
+              redirect: "manual",
+              headers: { "User-Agent": "brewnet-admin" },
+              signal: AbortSignal.timeout(5e3)
+            });
+            const rawSetCookies = [];
+            loginPageRes.headers.forEach((val, key) => {
+              if (key.toLowerCase() === "set-cookie") rawSetCookies.push(val);
+            });
+            const csrfCookieFull = rawSetCookies.find((c) => c.startsWith("_csrf=")) ?? "";
+            const csrfCookieVal = csrfCookieFull.split(";")[0] ?? "";
+            const pageHtml = await loginPageRes.text();
+            const csrfField = pageHtml.match(/name="_csrf"\s+value="([^"]+)"/)?.[1] ?? pageHtml.match(/value="([^"]+)"\s+name="_csrf"/)?.[1] ?? csrfCookieVal.replace("_csrf=", "");
+            if (!csrfField) {
+              res.writeHead(302, { Location: targetUrl });
+              res.end();
+              return;
+            }
+            const formBody = new URLSearchParams({
+              _csrf: csrfField,
+              user_name: username,
+              password,
+              remember: "on"
+            });
+            const loginRes = await fetch(`${giteaBase}/user/login`, {
+              method: "POST",
+              headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Cookie": csrfCookieVal,
+                "User-Agent": "brewnet-admin"
+              },
+              body: formBody.toString(),
+              redirect: "manual",
+              signal: AbortSignal.timeout(5e3)
+            });
+            const respCookies = [];
+            loginRes.headers.forEach((val, key) => {
+              if (key.toLowerCase() === "set-cookie") respCookies.push(val);
+            });
+            const forwardCookies = respCookies.filter((c) => !c.includes("Max-Age=0") && !c.match(/=;\s/));
+            const responseHeaders = { Location: targetUrl };
+            if (forwardCookies.length > 0) {
+              responseHeaders["Set-Cookie"] = forwardCookies;
+            } else {
+              logger.warn("admin-server", "[gitea/autologin] login POST did not return session cookies");
+            }
+            res.writeHead(302, responseHeaders);
+            res.end();
+          } catch (err) {
+            logger.warn("admin-server", `[gitea/autologin] failed: ${String(err)}`);
+            res.writeHead(302, { Location: targetUrl });
+            res.end();
+          }
+          return;
+        }
+        if (parts[1] === "deploy" && parts[2] === "history" && req.method === "GET") {
+          const reqUrl = new URL(req.url ?? "/", "http://localhost");
+          const appFilter = reqUrl.searchParams.get("app") ?? void 0;
+          const entries = getDeployHistory(appFilter);
+          json(res, 200, { history: entries });
+          return;
+        }
+        if (parts[1] === "git" && parts[2] === "repos" && req.method === "GET") {
+          try {
+            const repos = await listGiteaRepos();
+            const appsForEnrich = await listApps();
+            const enriched = repos.map((repo) => {
+              const r = repo;
+              const connectedApp = appsForEnrich.find(
+                (app) => app.giteaRepoUrl && (app.giteaRepoUrl.endsWith("/" + repo.name) || app.giteaRepoUrl.includes("/" + repo.name + "."))
+              );
+              return {
+                ...repo,
+                language: r["language"] ?? "",
+                stars: r["stars_count"] ?? 0,
+                updatedAt: r["updated"] ?? "",
+                appName: connectedApp?.name
+              };
+            });
+            json(res, 200, { repos: enriched });
+          } catch (err) {
+            json(res, 502, { success: false, error: String(err) });
+          }
+          return;
+        }
+        if (parts[1] === "git" && parts[2] === "repos" && parts[3] && parts[4] === "connect" && req.method === "POST") {
+          const repoName = decodeURIComponent(parts[3]);
+          let parsed = {};
+          try {
+            parsed = JSON.parse(body);
+          } catch {
+            json(res, 400, { error: "Invalid JSON" });
+            return;
+          }
+          const appName = parsed.appName?.trim();
+          if (!appName) {
+            json(res, 400, { error: "appName required" });
+            return;
+          }
+          try {
+            const appsPath = join2(homedir2(), ".brewnet", "apps.json");
+            let existing = existsSync3(appsPath) ? JSON.parse(readFileSync3(appsPath, "utf-8")) : [];
+            const repos = await listGiteaRepos();
+            const repo = repos.find((r) => r.name === repoName);
+            if (!repo) {
+              json(res, 404, { error: `Repo '${repoName}' not found in Gitea` });
+              return;
+            }
+            const repoUrl = repo.clone_url.replace(/\.git$/, "");
+            const conflict = Array.isArray(existing) ? existing.find((a) => a.name !== appName && a.giteaRepoUrl && (a.giteaRepoUrl.endsWith("/" + repoName) || a.giteaRepoUrl.includes("/" + repoName + "."))) : null;
+            if (conflict) {
+              json(res, 409, { error: `Repo already connected to app '${conflict.name}'` });
+              return;
+            }
+            let app = Array.isArray(existing) ? existing.find((a) => a.name === appName) : null;
+            if (!app) {
+              const docker2 = new (await import("dockerode")).default();
+              const containers = await docker2.listContainers({ all: true });
+              const matchedContainer = containers.find((c) => {
+                const svc = c.Labels?.["com.docker.compose.service"] ?? "";
+                const proj = c.Labels?.["com.docker.compose.project"] ?? "";
+                return proj.includes(repoName) || proj.includes(appName) || svc === appName;
+              });
+              const port2 = matchedContainer ? parseInt(String(matchedContainer.Ports?.[0]?.PublicPort ?? 0), 10) || 8080 : 8080;
+              const lang = repo["language"] || "";
+              app = {
+                name: appName,
+                mode: "boilerplate",
+                appDir: join2(projectPath, repoName),
+                lang,
+                port: port2,
+                giteaRepoUrl: repoUrl,
+                status: matchedContainer?.State === "running" ? "running" : "stopped",
+                createdAt: (/* @__PURE__ */ new Date()).toISOString()
+              };
+              if (Array.isArray(existing)) {
+                existing.push(app);
+              } else {
+                existing = [app];
+              }
+            } else {
+              app.giteaRepoUrl = repoUrl;
+            }
+            writeFileSync3(appsPath, JSON.stringify(existing, null, 2));
+            json(res, 200, { ok: true });
+          } catch (err) {
+            json(res, 500, { error: String(err) });
+          }
+          return;
+        }
+        if (parts[1] === "apps" && parts[2] === "check-port" && req.method === "GET") {
+          const reqUrl = new URL(req.url ?? "/", "http://localhost");
+          const portStr = reqUrl.searchParams.get("port") ?? "";
+          const port2 = parseInt(portStr, 10);
+          if (!port2 || port2 < 1 || port2 > 65535) {
+            json(res, 400, { error: "Invalid port" });
+            return;
+          }
+          const available = await new Promise((resolve2) => {
+            const sock = createConnection({ port: port2, host: "127.0.0.1" });
+            sock.once("connect", () => {
+              sock.destroy();
+              resolve2(false);
+            });
+            sock.once("error", () => resolve2(true));
+            sock.setTimeout(400, () => {
+              sock.destroy();
+              resolve2(true);
+            });
+          });
+          json(res, 200, { port: port2, available });
+          return;
+        }
+        if (parts[1] === "deploy" && parts[2] === "hook" && req.method === "POST") {
+          try {
+            const payload = JSON.parse(body);
+            const appName = payload.repository?.name;
+            const branch = (payload.ref ?? "").replace("refs/heads/", "");
+            if (appName) {
+              const settings = getDeploySettings(appName);
+              if (settings.autoDeploy && branch === settings.deployBranch) {
+                void deployApp(appName);
+              }
+            }
+          } catch {
+          }
+          json(res, 200, { status: "accepted" });
+          return;
+        }
+        if (parts[1] === "domain") {
+          if (req.method === "GET" && parts[2] === "list") {
+            await handleDomainList(res, wizardState);
+            return;
+          }
+          if (req.method === "GET" && parts[2] === "apps") {
+            handleDomainApps(res, wizardState);
+            return;
+          }
+          if (req.method === "POST" && parts[2] === "connect") {
+            await handleDomainConnect(res, body, wizardState);
+            return;
+          }
+          if (!checkAdminAuth(req, res, wizardState)) return;
+          if (req.method === "DELETE" && parts[2] === "disconnect" && parts[3]) {
+            await handleDomainDisconnect(res, parts[3], wizardState);
+            return;
+          }
+          if (req.method === "GET" && parts[2] === "status" && parts[3]) {
+            await handleDomainStatus(res, parts[3], wizardState);
+            return;
+          }
+        }
+        if (parts[1] === "cloudflare") {
+          if (!checkAdminAuth(req, res, wizardState)) return;
+          if (req.method === "GET" && parts[2] === "zones") {
+            await handleCloudflareZones(res, wizardState);
+            return;
+          }
+          if (req.method === "POST" && parts[2] === "tunnel") {
+            await handleCreateTunnel(res, body, wizardState, projectPath);
+            return;
+          }
+        }
+        if (parts[1] === "settings") {
+          if (!checkAdminAuth(req, res, wizardState)) return;
+          if (req.method === "GET" && parts[2] === "cloudflare") {
+            handleSettingsCloudflareGet(res, wizardState);
+            return;
+          }
+          if (req.method === "PUT" && parts[2] === "cloudflare") {
+            await handleSettingsCloudflarePut(res, body, wizardState);
+            return;
+          }
+        }
+        json(res, 404, { success: false, error: "Not found" });
+      } catch (err) {
+        logger.error("admin-server", "Unhandled error", { error: String(err) });
+        json(res, 500, { success: false, error: "Internal server error" });
+      }
+      return;
+    }
+    res.writeHead(404);
+    res.end("Not found");
+  });
+  return {
+    server,
+    start: () => new Promise((resolve2, reject) => {
+      server.listen(port, "127.0.0.1", () => {
+        logger.info("admin-server", `Listening on http://localhost:${port}`, { port });
+        resolve2(port);
+      });
+      server.once("error", reject);
+    }),
+    stop: () => new Promise((resolve2, reject) => {
+      server.close((err) => err ? reject(err) : resolve2());
+    })
+  };
+}
+function checkAdminAuth(req, res, state) {
+  if (!state?.admin?.password) {
+    json(res, 401, { error: "Unauthorized", message: "Admin password not configured" });
+    return false;
+  }
+  const provided = req.headers["x-admin-password"];
+  if (!provided || provided !== state.admin.password) {
+    json(res, 401, { error: "Unauthorized", message: "Admin password required for this operation" });
+    return false;
+  }
+  return true;
+}
+async function handleDomainList(res, state) {
+  if (!state) {
+    json(res, 200, { connections: [], tunnel: null, credentialsConfigured: false });
+    return;
+  }
+  try {
+    const mgr = new DomainManager(state.projectName);
+    const connections = mgr.list().map((c) => ({
+      ...c,
+      externalUrl: `https://${c.hostname}`
+    }));
+    let tunnel = null;
+    const cf = state.domain.cloudflare;
+    if (cf.tunnelId && cf.apiToken && cf.accountId) {
+      try {
+        const { getTunnelHealth } = await import("./cloudflare-client-TFT6VCXF.js");
+        const health = await getTunnelHealth(cf.apiToken, cf.accountId, cf.tunnelId);
+        tunnel = { ...health, tunnelName: cf.tunnelName, tunnelId: cf.tunnelId };
+      } catch {
+      }
+    }
+    const credentialsConfigured = !!(cf.apiToken && cf.accountId && cf.zoneId && cf.tunnelId);
+    json(res, 200, { connections, tunnel, credentialsConfigured });
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err) });
+  }
+}
+function handleDomainApps(res, state) {
+  if (!state) {
+    json(res, 200, { apps: [] });
+    return;
+  }
+  try {
+    const mgr = new DomainManager(state.projectName);
+    const apps = mgr.getConnectableApps();
+    json(res, 200, { apps });
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err) });
+  }
+}
+async function handleDomainConnect(res, body, state) {
+  if (!state) {
+    json(res, 500, { success: false, error: "No project state" });
+    return;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    json(res, 400, { success: false, error: "INVALID_JSON", message: "Request body must be valid JSON" });
+    return;
+  }
+  const { appName, subdomain, domain } = parsed;
+  if (!appName || !subdomain || !domain) {
+    json(res, 400, { success: false, error: "MISSING_FIELDS", message: "appName, subdomain, and domain are required" });
+    return;
+  }
+  if (!/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(subdomain)) {
+    json(res, 400, { success: false, error: "INVALID_SUBDOMAIN", message: "Subdomain must be a valid DNS label" });
+    return;
+  }
+  const localConflict = (state.domainConnections ?? []).find(
+    (c) => c.subdomain === subdomain && c.domain === domain && c.appName !== appName
+  );
+  if (localConflict) {
+    json(res, 409, {
+      success: false,
+      error: "SUBDOMAIN_CONFLICT_LOCAL",
+      message: `Subdomain "${subdomain}.${domain}" is already connected to app "${localConflict.appName}"`,
+      conflictingApp: localConflict.appName
+    });
+    return;
+  }
+  try {
+    const mgr = new DomainManager(state.projectName);
+    const result = await mgr.connect(appName, subdomain, domain, {
+      onLog: (line) => writeDomainLog(appName, line.replace("[domain-connect] ", ""))
+    });
+    if (!result.success) {
+      if (result.error === "CNAME_CONFLICT") {
+        json(res, 409, {
+          success: false,
+          error: "SUBDOMAIN_CONFLICT_EXTERNAL",
+          message: `Subdomain "${subdomain}.${domain}" already has a DNS record in Cloudflare (not created by Brewnet)`,
+          steps: result.steps
+        });
+        return;
+      }
+      const statusCode = result.error?.startsWith("APP_NOT_RUNNING") ? 503 : 400;
+      json(res, statusCode, { success: false, error: result.error, message: result.error, steps: result.steps });
+      return;
+    }
+    json(res, 200, {
+      success: true,
+      hostname: result.hostname,
+      externalUrl: result.externalUrl,
+      steps: result.steps
+    });
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err) });
+  }
+}
+async function handleDomainDisconnect(res, appName, state) {
+  if (!state) {
+    json(res, 500, { success: false, error: "No project state" });
+    return;
+  }
+  try {
+    const mgr = new DomainManager(state.projectName);
+    const result = await mgr.disconnect(appName);
+    if (!result.success) {
+      const statusCode = result.error?.startsWith("NOT_CONNECTED") ? 404 : 500;
+      json(res, statusCode, { success: false, error: result.error?.split(":")[0], message: result.error });
+      return;
+    }
+    json(res, 200, {
+      success: true,
+      appName: result.appName,
+      removedHostname: result.removedHostname,
+      steps: result.steps
+    });
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err) });
+  }
+}
+async function handleDomainStatus(res, appName, state) {
+  if (!state) {
+    json(res, 404, { success: false, error: "No project state" });
+    return;
+  }
+  try {
+    const mgr = new DomainManager(state.projectName);
+    const statuses = await mgr.status(appName);
+    if (statuses.length === 0) {
+      json(res, 404, { success: false, error: "NOT_CONNECTED", message: `No domain connection for app: ${appName}` });
+      return;
+    }
+    json(res, 200, statuses[0]);
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err) });
+  }
+}
+async function handleCloudflareZones(res, state) {
+  if (!state) {
+    json(res, 400, { success: false, error: "NO_TOKEN", message: "Cloudflare API token not configured. Complete Step 1 first." });
+    return;
+  }
+  const apiToken = state.domain.cloudflare.apiToken;
+  if (!apiToken) {
+    json(res, 400, { success: false, error: "NO_TOKEN", message: "Cloudflare API token not configured. Complete Step 1 first." });
+    return;
+  }
+  try {
+    const { getZones } = await import("./cloudflare-client-TFT6VCXF.js");
+    const zones = await getZones(apiToken);
+    if (!state.domain.cloudflare.accountId && zones.length > 0) {
+      const firstAccountId = zones[0]?.accountId;
+      if (firstAccountId) {
+        state.domain.cloudflare.accountId = firstAccountId;
+        const { saveState: save } = await import("./state-2SI3P4JG.js");
+        save(state);
+      }
+    }
+    if (zones.length === 0) {
+      json(res, 200, {
+        success: true,
+        zones: [],
+        warning: "No domains found. Ensure the token has Zone:Read permission and at least one domain is registered in your Cloudflare account."
+      });
+      return;
+    }
+    json(res, 200, { success: true, zones });
+  } catch (err) {
+    json(res, 400, {
+      success: false,
+      error: "TOKEN_INVALID",
+      message: "Stored API token is no longer valid. Please re-enter your token."
+    });
+  }
+}
+async function handleCreateTunnel(res, body, state, projectPath) {
+  if (!state) {
+    json(res, 400, { success: false, error: "CREDENTIALS_INCOMPLETE", message: "API token and zone must be configured before creating a tunnel." });
+    return;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    json(res, 400, { success: false, error: "INVALID_JSON", message: "Request body must be valid JSON" });
+    return;
+  }
+  const { tunnelName } = parsed;
+  if (!tunnelName || !tunnelName.trim()) {
+    json(res, 400, { success: false, error: "MISSING_TUNNEL_NAME", message: "tunnelName is required" });
+    return;
+  }
+  const cf = state.domain.cloudflare;
+  if (!cf.apiToken || !cf.accountId || !cf.zoneId) {
+    json(res, 400, { success: false, error: "CREDENTIALS_INCOMPLETE", message: "API token and zone must be configured before creating a tunnel." });
+    return;
+  }
+  try {
+    const { createTunnel: cfCreateTunnel } = await import("./cloudflare-client-TFT6VCXF.js");
+    const result = await cfCreateTunnel(cf.apiToken, cf.accountId, tunnelName.trim());
+    const { saveState: save } = await import("./state-2SI3P4JG.js");
+    state.domain.cloudflare.tunnelId = result.tunnelId;
+    state.domain.cloudflare.tunnelToken = result.tunnelToken;
+    state.domain.cloudflare.tunnelName = tunnelName.trim();
+    state.domain.cloudflare.tunnelMode = "named";
+    state.domain.cloudflare.enabled = true;
+    save(state);
+    let composeUpdated = false;
+    let containerRestarted = false;
+    const composePath = join2(projectPath, "docker-compose.yml");
+    const { existsSync: fsExists } = await import("fs");
+    if (fsExists(composePath)) {
+      try {
+        const { patchCloudflaredToNamedTunnel } = await import("./compose-generator-O7GSIJ2S.js");
+        composeUpdated = patchCloudflaredToNamedTunnel(composePath, result.tunnelToken);
+        logger.info("tunnel", `[${tunnelName}] compose patch: composeUpdated=${composeUpdated}`);
+      } catch (e) {
+        logger.warn("tunnel", `[${tunnelName}] compose patch failed: ${e instanceof Error ? e.message : e}`);
+      }
+      if (composeUpdated) {
+        try {
+          const { execa: execaTunnel } = await import("execa");
+          const up = await execaTunnel(
+            "docker",
+            ["compose", "-f", composePath, "up", "-d", "--force-recreate", "cloudflared"],
+            { cwd: projectPath, reject: false }
+          );
+          containerRestarted = up.exitCode === 0;
+          if (!containerRestarted) {
+            logger.warn("tunnel", `[${tunnelName}] cloudflared recreate failed (exit ${up.exitCode}): ${up.stderr}`);
+          } else {
+            logger.info("tunnel", `[${tunnelName}] cloudflared container recreated`);
+          }
+        } catch (e) {
+          logger.warn("tunnel", `[${tunnelName}] cloudflared recreate exception: ${e instanceof Error ? e.message : e}`);
+        }
+      }
+    } else {
+      logger.warn("tunnel", `[${tunnelName}] compose file not found at ${composePath} \u2014 cloudflared must be updated manually`);
+    }
+    json(res, 200, {
+      success: true,
+      tunnelId: result.tunnelId,
+      tunnelName: tunnelName.trim(),
+      composeUpdated,
+      containerRestarted
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.toLowerCase().includes("already exists")) {
+      json(res, 400, {
+        success: false,
+        error: "TUNNEL_NAME_CONFLICT",
+        message: `A tunnel named "${tunnelName}" already exists in your Cloudflare account. Choose a different name.`
+      });
+    } else {
+      json(res, 400, {
+        success: false,
+        error: "TUNNEL_CREATE_FAILED",
+        message: msg
+      });
+    }
+  }
+}
+function handleSettingsCloudflareGet(res, state) {
+  if (!state) {
+    json(res, 200, { configured: false });
+    return;
+  }
+  const cf = state.domain.cloudflare;
+  const mask = (s) => !s ? "not set" : s.length > 6 ? s.slice(0, 3) + "***" + s.slice(-3) : "***set***";
+  json(res, 200, {
+    configured: !!(cf.apiToken && cf.accountId && cf.zoneId),
+    accountId: mask(cf.accountId),
+    zoneId: mask(cf.zoneId),
+    zoneName: cf.zoneName || "",
+    tunnelId: mask(cf.tunnelId),
+    tunnelName: cf.tunnelName || "",
+    apiTokenSet: !!cf.apiToken,
+    apiTokenValid: !!cf.apiToken,
+    // Validated on save, assumed valid if set
+    projectName: state.projectName || ""
+  });
+}
+async function handleSettingsCloudflarePut(res, body, state) {
+  if (!state) {
+    json(res, 500, { success: false, error: "No project state" });
+    return;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    json(res, 400, { success: false, error: "INVALID_JSON", message: "Request body must be valid JSON" });
+    return;
+  }
+  const { accountId, zoneId, tunnelId } = parsed;
+  const apiToken = parsed.apiToken || state.domain.cloudflare.apiToken;
+  if (!apiToken) {
+    json(res, 400, { success: false, error: "MISSING_TOKEN", message: "apiToken is required" });
+    return;
+  }
+  try {
+    const result = await verifyToken(apiToken);
+    if (!result.valid) {
+      json(res, 400, {
+        success: false,
+        error: "INVALID_TOKEN",
+        message: "API token verification failed. Ensure the token has Tunnel:Edit, DNS:Edit, Zone:Read permissions."
+      });
+      return;
+    }
+    const { saveState: save } = await import("./state-2SI3P4JG.js");
+    state.domain.cloudflare.apiToken = apiToken;
+    let resolvedAccountId = accountId || state.domain.cloudflare.accountId || await (await import("./cloudflare-client-TFT6VCXF.js")).getAccounts(apiToken).then((a) => a[0]?.id ?? "").catch(() => "");
+    if (zoneId) state.domain.cloudflare.zoneId = zoneId;
+    if (tunnelId) state.domain.cloudflare.tunnelId = tunnelId;
+    let zoneName = state.domain.cloudflare.zoneName;
+    if (zoneId) {
+      try {
+        const { getZones } = await import("./cloudflare-client-TFT6VCXF.js");
+        const zones = await getZones(apiToken);
+        const found = zones.find((z) => z.id === zoneId);
+        if (found) {
+          zoneName = found.name;
+          state.domain.cloudflare.zoneName = zoneName;
+          if (!resolvedAccountId && found.accountId) {
+            resolvedAccountId = found.accountId;
+          }
+        }
+      } catch {
+      }
+    }
+    if (resolvedAccountId) state.domain.cloudflare.accountId = resolvedAccountId;
+    save(state);
+    json(res, 200, {
+      success: true,
+      verified: true,
+      email: result.email ?? "",
+      zoneName
+    });
+  } catch (err) {
+    json(res, 500, { success: false, error: String(err) });
+  }
+}
+
+export {
+  createAdminServer
+};
+//# sourceMappingURL=chunk-SIXBB6JU.js.map