@bulolo/hermes-link 0.2.9 → 0.3.1

package/dist/chunk-GHAP2EHA.js

@@ -1,3649 +0,0 @@
-// src/http/app.ts
-import Koa from "koa";
-import bodyParser from "koa-bodyparser";
-import cors from "@koa/cors";
-import Router8 from "@koa/router";
-import { mkdir as mkdir8 } from "fs/promises";
-
-// src/runtime/logger.ts
-import { appendFile, mkdir, open, readFile, rename, rm, stat } from "fs/promises";
-import os2 from "os";
-import path2 from "path";
-import pino from "pino";
-
-// src/constants.ts
-import { createRequire } from "module";
-var _require = createRequire(import.meta.url);
-var _pkg = _require("../package.json");
-var LINK_COMMAND = "hermeslink";
-var LINK_VERSION = _pkg.version;
-var LINK_DEFAULT_PORT = 52379;
-var LINK_RUNTIME_DIR_NAME = ".hermeslink";
-var DEFAULT_LOG_FILE = "hermeslink.log";
-var DAEMON_LOG_FILE = "daemon.log";
-var GATEWAY_LOG_FILE = "hermes-gateway.log";
-var DEFAULT_HERMES_API_SERVER_PORT = 8642;
-var PROFILE_API_SERVER_PORT_START = DEFAULT_HERMES_API_SERVER_PORT + 1;
-var PROFILE_API_SERVER_PORT_END = DEFAULT_HERMES_API_SERVER_PORT + 999;
-
-// src/runtime/paths.ts
-import os from "os";
-import path from "path";
-function resolveRuntimeHome() {
-  return process.env.HERMESLINK_HOME?.trim() ? path.resolve(process.env.HERMESLINK_HOME) : path.join(os.homedir(), LINK_RUNTIME_DIR_NAME);
-}
-function resolveRuntimePaths(homeDir = resolveRuntimeHome()) {
-  return {
-    homeDir,
-    identityFile: path.join(homeDir, "identity.json"),
-    configFile: path.join(homeDir, "config.json"),
-    stateFile: path.join(homeDir, "state.json"),
-    credentialsFile: path.join(homeDir, "credentials.json"),
-    databaseFile: path.join(homeDir, "link.db"),
-    conversationsDir: path.join(homeDir, "conversations"),
-    blobsDir: path.join(homeDir, "blobs"),
-    indexesDir: path.join(homeDir, "indexes"),
-    logsDir: path.join(homeDir, "logs"),
-    runDir: path.join(homeDir, "run"),
-    pairingDir: path.join(homeDir, "pairing")
-  };
-}
-
-// src/runtime/logger.ts
-var DEFAULT_MAX_FILE_BYTES = 1024 * 1024;
-var DEFAULT_MAX_FILES = 5;
-var DEFAULT_READ_LIMIT = 200;
-var MAX_READ_LIMIT = 1e3;
-var DEFAULT_MAX_BYTES_PER_FILE = 512 * 1024;
-var LOG_LEVEL_PRIORITY = {
-  debug: 10,
-  info: 20,
-  warn: 30,
-  error: 40
-};
-var FileLogger = class {
-  filePath;
-  paths;
-  maxFileBytes;
-  maxFiles;
-  minLevel;
-  now;
-  queue = Promise.resolve();
-  constructor(options = {}) {
-    this.paths = options.paths ?? resolveRuntimePaths();
-    this.filePath = getLinkLogFile(this.paths, options.fileName);
-    this.maxFileBytes = Math.max(256, Math.floor(options.maxFileBytes ?? DEFAULT_MAX_FILE_BYTES));
-    this.maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
-    this.minLevel = options.minLevel ?? "warn";
-    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
-  }
-  debug(message, fields) {
-    return this.write("debug", message, fields);
-  }
-  info(message, fields) {
-    return this.write("info", message, fields);
-  }
-  warn(message, fields) {
-    return this.write("warn", message, fields);
-  }
-  error(message, fields) {
-    return this.write("error", message, fields);
-  }
-  write(level, message, fields) {
-    if (LOG_LEVEL_PRIORITY[level] < LOG_LEVEL_PRIORITY[this.minLevel]) {
-      return Promise.resolve();
-    }
-    const entry = {
-      ts: this.now().toISOString(),
-      level,
-      message,
-      ...fields ? { fields: sanitizeFields(fields) } : {}
-    };
-    const next = this.queue.then(() => this.appendEntry(entry)).catch(() => void 0);
-    this.queue = next;
-    return next;
-  }
-  flush() {
-    return this.queue;
-  }
-  async appendEntry(entry) {
-    await mkdir(this.paths.logsDir, { recursive: true, mode: 448 });
-    const line = `${JSON.stringify(entry)}
-`;
-    await rotateLogFileIfNeeded(this.filePath, Buffer.byteLength(line, "utf8"), this.maxFileBytes, this.maxFiles);
-    await appendFile(this.filePath, line, { mode: 384 });
-  }
-};
-function createFileLogger(options = {}) {
-  return new FileLogger(options);
-}
-function getLinkLogFile(paths = resolveRuntimePaths(), fileName = DEFAULT_LOG_FILE) {
-  return path2.join(paths.logsDir, fileName);
-}
-function getGatewayRuntimeLogFile(paths = resolveRuntimePaths()) {
-  return getLinkLogFile(paths, GATEWAY_LOG_FILE);
-}
-function getGatewayLogFiles(paths = resolveRuntimePaths()) {
-  const runtimeGatewayLog = getGatewayRuntimeLogFile(paths);
-  const effectiveHome = path2.basename(paths.homeDir) === ".hermeslink" ? path2.dirname(paths.homeDir) : os2.homedir();
-  const hermesGatewayErrorLog = path2.join(effectiveHome, ".hermes", "logs", "gateway.error.log");
-  return Array.from(/* @__PURE__ */ new Set([runtimeGatewayLog, hermesGatewayErrorLog]));
-}
-function createRotatingTextLogWriter(options) {
-  const paths = options.paths ?? resolveRuntimePaths();
-  const filePath = getLinkLogFile(paths, options.fileName);
-  const maxFileBytes = Math.max(256, Math.floor(options.maxFileBytes ?? DEFAULT_MAX_FILE_BYTES));
-  const maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
-  let queue = Promise.resolve();
-  return {
-    filePath,
-    write(chunk) {
-      const buffer = typeof chunk === "string" ? Buffer.from(chunk, "utf8") : Buffer.from(chunk);
-      if (buffer.length === 0) {
-        return queue;
-      }
-      const next = queue.then(async () => {
-        await mkdir(paths.logsDir, { recursive: true, mode: 448 });
-        await rotateLogFileIfNeeded(filePath, buffer.length, maxFileBytes, maxFiles);
-        await appendFile(filePath, buffer, { mode: 384 });
-      }).catch(() => void 0);
-      queue = next;
-      return next;
-    },
-    flush() {
-      return queue;
-    }
-  };
-}
-async function readRecentLogEntries(options = {}) {
-  const paths = options.paths ?? resolveRuntimePaths();
-  const filePath = getLinkLogFile(paths, options.fileName);
-  const limit = clampLimit(options.limit);
-  const maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
-  const maxBytesPerFile = Math.max(1024, Math.floor(options.maxBytesPerFile ?? DEFAULT_MAX_BYTES_PER_FILE));
-  const files = [
-    filePath,
-    ...Array.from({ length: maxFiles }, (_, index) => rotatedLogFile(filePath, index + 1))
-  ];
-  const entries = [];
-  for (const file of files) {
-    const raw = await readTail(file, maxBytesPerFile);
-    if (!raw) continue;
-    const lines = raw.split(/\r?\n/u).filter(Boolean);
-    for (let index = lines.length - 1; index >= 0 && entries.length < limit; index -= 1) {
-      const entry = parseLogLine(lines[index]);
-      if (entry) entries.push(entry);
-    }
-    if (entries.length >= limit) break;
-  }
-  return entries.reverse();
-}
-async function readRecentTextLogEntries(options = {}) {
-  const paths = options.paths ?? resolveRuntimePaths();
-  const primaryFiles = options.filePaths ?? [getLinkLogFile(paths, options.fileName)];
-  const limit = clampLimit(options.limit);
-  const maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
-  const maxBytesPerFile = Math.max(1024, Math.floor(options.maxBytesPerFile ?? DEFAULT_MAX_BYTES_PER_FILE));
-  const files = primaryFiles.flatMap((filePath) => [
-    filePath,
-    ...Array.from({ length: maxFiles }, (_, index) => rotatedLogFile(filePath, index + 1))
-  ]);
-  const entries = [];
-  for (const file of files) {
-    const tail = await readTailWithMetadata(file, maxBytesPerFile);
-    if (!tail) continue;
-    const lines = tail.content.split(/\r?\n/u).map((line) => line.trim()).filter(Boolean);
-    for (let index = lines.length - 1; index >= 0 && entries.length < limit; index -= 1) {
-      entries.push(parseTextLogLine(lines[index], tail.modifiedAt));
-    }
-    if (entries.length >= limit) break;
-  }
-  return entries.reverse();
-}
-function readRecentGatewayLogEntries(options = {}) {
-  const paths = options.paths ?? resolveRuntimePaths();
-  return readRecentTextLogEntries({
-    ...options,
-    paths,
-    filePaths: options.filePaths ?? getGatewayLogFiles(paths)
-  });
-}
-function createLogger(options) {
-  const paths = options.paths ?? resolveRuntimePaths();
-  const logFile = getLinkLogFile(paths, options.fileName);
-  return pino({ level: options.level ?? "warn" }, pino.destination({ dest: logFile, sync: false, mkdir: true }));
-}
-function clampLimit(value) {
-  if (typeof value !== "number" || !Number.isFinite(value)) {
-    return DEFAULT_READ_LIMIT;
-  }
-  return Math.min(MAX_READ_LIMIT, Math.max(1, Math.floor(value)));
-}
-async function rotateLogFileIfNeeded(filePath, nextBytes, maxFileBytes, maxFiles) {
-  const current = await stat(filePath).catch(() => null);
-  if (!current || current.size === 0 || current.size + nextBytes <= maxFileBytes) return;
-  if (maxFiles === 0) {
-    await rm(filePath, { force: true }).catch(() => void 0);
-    return;
-  }
-  await rm(rotatedLogFile(filePath, maxFiles), { force: true }).catch(() => void 0);
-  for (let index = maxFiles - 1; index >= 1; index -= 1) {
-    await moveIfExists(rotatedLogFile(filePath, index), rotatedLogFile(filePath, index + 1));
-  }
-  await moveIfExists(filePath, rotatedLogFile(filePath, 1));
-}
-function sanitizeFields(fields) {
-  return sanitizeObject(fields, 0);
-}
-function sanitizeValue(value, depth) {
-  if (value === null || typeof value === "boolean") return value;
-  if (typeof value === "number") return Number.isFinite(value) ? value : null;
-  if (typeof value === "string") return value.length > 2e3 ? `${value.slice(0, 2e3)}...` : value;
-  if (Array.isArray(value)) {
-    if (depth >= 3) return "[array]";
-    return value.slice(0, 20).map((item) => sanitizeValue(item, depth + 1));
-  }
-  if (typeof value === "object" && value !== null) {
-    if (depth >= 3) return "[object]";
-    return sanitizeObject(value, depth + 1);
-  }
-  return String(value);
-}
-function sanitizeObject(value, depth) {
-  const result = {};
-  for (const [key, child] of Object.entries(value).slice(0, 50)) {
-    if (isSensitiveKey(key)) {
-      result[key] = "[redacted]";
-      continue;
-    }
-    result[key] = sanitizeValue(child, depth);
-  }
-  return result;
-}
-function isSensitiveKey(key) {
-  return /(authorization|cookie|token|secret|password|private[_-]?key|api[_-]?key)/iu.test(key);
-}
-function parseLogLine(line) {
-  try {
-    const value = JSON.parse(line);
-    if (!value || typeof value.ts !== "string" || !isLogLevel(value.level) || typeof value.message !== "string") {
-      return null;
-    }
-    return {
-      ts: value.ts,
-      level: value.level,
-      message: value.message,
-      timestampSource: "structured",
-      ...value.fields && typeof value.fields === "object" ? { fields: value.fields } : {}
-    };
-  } catch {
-    return null;
-  }
-}
-function parseTextLogLine(line, fallbackTimestamp) {
-  const embeddedTimestamp = readTimestampFromTextLog(line);
-  return {
-    ts: embeddedTimestamp ?? fallbackTimestamp ?? null,
-    level: inferTextLogLevel(line),
-    message: line,
-    ...embeddedTimestamp ? { timestampSource: "embedded" } : fallbackTimestamp ? { timestampSource: "file_mtime" } : {}
-  };
-}
-function readTimestampFromTextLog(line) {
-  const iso = /\b\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z\b/u.exec(line);
-  if (iso) return iso[0];
-  const bracketed = /^\[?(?<value>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:\.\d+)?)\]?/u.exec(line);
-  if (!bracketed?.groups?.value) return null;
-  const parsed = new Date(bracketed.groups.value.replace(" ", "T"));
-  return Number.isNaN(parsed.getTime()) ? null : parsed.toISOString();
-}
-function inferTextLogLevel(line) {
-  if (/\b(error|fatal|traceback|failed|failure)\b/iu.test(line)) return "error";
-  if (/\b(warn|warning)\b/iu.test(line)) return "warn";
-  if (/\b(debug|trace)\b/iu.test(line)) return "debug";
-  return "info";
-}
-function isLogLevel(value) {
-  return value === "debug" || value === "info" || value === "warn" || value === "error";
-}
-async function readTail(filePath, maxBytes) {
-  const tail = await readTailWithMetadata(filePath, maxBytes);
-  return tail?.content ?? null;
-}
-async function readTailWithMetadata(filePath, maxBytes) {
-  const info = await stat(filePath).catch(() => null);
-  if (!info || info.size <= 0) return null;
-  const modifiedAt = info.mtime.toISOString();
-  if (info.size <= maxBytes) {
-    const content = await readFile(filePath, "utf8").catch(() => null);
-    return content === null ? null : { content, modifiedAt };
-  }
-  const handle = await open(filePath, "r").catch(() => null);
-  if (!handle) return null;
-  try {
-    const length = Math.min(info.size, maxBytes);
-    const buffer = Buffer.alloc(length);
-    await handle.read(buffer, 0, length, info.size - length);
-    return { content: buffer.toString("utf8"), modifiedAt };
-  } finally {
-    await handle.close();
-  }
-}
-async function moveIfExists(from, to) {
-  await rm(to, { force: true }).catch(() => void 0);
-  await rename(from, to).catch((error) => {
-    if (error.code !== "ENOENT") throw error;
-  });
-}
-function rotatedLogFile(filePath, index) {
-  return `${filePath}.${index}`;
-}
-
-// src/http/routes/system.ts
-import Router from "@koa/router";
-
-// src/autostart/autostart.ts
-import { execFile } from "child_process";
-import { mkdir as mkdir2, readFile as readFile2, rm as rm2, writeFile } from "fs/promises";
-import os3 from "os";
-import path3 from "path";
-import { promisify } from "util";
-var execFileAsync = promisify(execFile);
-var MACOS_LABEL = "com.hermes.link";
-async function enableAutostart() {
-  const definition = await resolveAutostartDefinition();
-  if (!definition) {
-    return unsupportedStatus();
-  }
-  await mkdir2(path3.dirname(definition.filePath), { recursive: true, mode: 448 });
-  await writeFile(definition.filePath, definition.content, { mode: 384 });
-  if (definition.method === "systemd-user") {
-    await execFileAsync("systemctl", ["--user", "enable", path3.basename(definition.filePath)]).catch(async () => {
-      await rm2(definition.filePath, { force: true }).catch(() => void 0);
-      const fallback = xdgAutostartDefinition();
-      await mkdir2(path3.dirname(fallback.filePath), { recursive: true, mode: 448 });
-      await writeFile(fallback.filePath, fallback.content, { mode: 384 });
-    });
-  }
-  return getAutostartStatus();
-}
-async function disableAutostart() {
-  const definitions = await allAutostartDefinitions();
-  for (const definition of definitions) {
-    if (definition.method === "systemd-user") {
-      await execFileAsync("systemctl", ["--user", "disable", path3.basename(definition.filePath)]).catch(() => void 0);
-    }
-    await rm2(definition.filePath, { force: true }).catch(() => void 0);
-  }
-  return getAutostartStatus();
-}
-async function getAutostartStatus() {
-  const definitions = await allAutostartDefinitions();
-  if (definitions.length === 0) {
-    return unsupportedStatus();
-  }
-  for (const definition of definitions) {
-    const content = await readFile2(definition.filePath, "utf8").catch(() => null);
-    if (content !== null) {
-      return {
-        supported: true,
-        enabled: true,
-        method: definition.method,
-        filePath: definition.filePath
-      };
-    }
-  }
-  const primary = definitions[0];
-  return {
-    supported: true,
-    enabled: false,
-    method: primary.method,
-    filePath: primary.filePath
-  };
-}
-async function resolveAutostartDefinition() {
-  if (process.platform === "darwin") {
-    return launchdDefinition();
-  }
-  if (process.platform === "win32") {
-    return windowsStartupDefinition();
-  }
-  if (process.platform === "linux") {
-    return await hasSystemctlUser() ? systemdUserDefinition() : xdgAutostartDefinition();
-  }
-  return null;
-}
-async function allAutostartDefinitions() {
-  if (process.platform === "darwin") {
-    return [launchdDefinition()];
-  }
-  if (process.platform === "win32") {
-    return [windowsStartupDefinition()];
-  }
-  if (process.platform === "linux") {
-    return [systemdUserDefinition(), xdgAutostartDefinition()];
-  }
-  return [];
-}
-async function hasSystemctlUser() {
-  try {
-    await execFileAsync("systemctl", ["--user", "show-environment"]);
-    return true;
-  } catch {
-    return false;
-  }
-}
-function launchdDefinition() {
-  const filePath = path3.join(os3.homedir(), "Library", "LaunchAgents", `${MACOS_LABEL}.plist`);
-  return {
-    method: "launchd",
-    filePath,
-    content: `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-  <key>Label</key>
-  <string>${MACOS_LABEL}</string>
-  <key>ProgramArguments</key>
-  <array>
-    <string>${xmlEscape(process.execPath)}</string>
-    <string>${xmlEscape(currentCliScriptPath())}</string>
-    <string>daemon-supervisor</string>
-  </array>
-  <key>RunAtLoad</key>
-  <true/>
-  <key>KeepAlive</key>
-  <false/>
-</dict>
-</plist>
-`
-  };
-}
-function systemdUserDefinition() {
-  const filePath = path3.join(os3.homedir(), ".config", "systemd", "user", "hermeslink.service");
-  return {
-    method: "systemd-user",
-    filePath,
-    content: `[Unit]
-Description=Hermes Link
-After=network-online.target
-
-[Service]
-Type=simple
-ExecStart=${systemdQuote(process.execPath)} ${systemdQuote(currentCliScriptPath())} daemon-supervisor
-Restart=no
-
-[Install]
-WantedBy=default.target
-`
-  };
-}
-function xdgAutostartDefinition() {
-  const filePath = path3.join(os3.homedir(), ".config", "autostart", "hermeslink.desktop");
-  return {
-    method: "xdg-autostart",
-    filePath,
-    content: `[Desktop Entry]
-Type=Application
-Name=Hermes Link
-Exec=${desktopQuote(process.execPath)} ${desktopQuote(currentCliScriptPath())} daemon-supervisor
-Terminal=false
-X-GNOME-Autostart-enabled=true
-`
-  };
-}
-function windowsStartupDefinition() {
-  const appData = process.env.APPDATA ?? path3.join(os3.homedir(), "AppData", "Roaming");
-  const filePath = path3.join(
-    appData,
-    "Microsoft",
-    "Windows",
-    "Start Menu",
-    "Programs",
-    "Startup",
-    "HermesLink.cmd"
-  );
-  return {
-    method: "windows-startup",
-    filePath,
-    content: `@echo off\r
-start "" /min "${process.execPath}" "${currentCliScriptPath()}" daemon-supervisor\r
-`
-  };
-}
-function unsupportedStatus() {
-  return { supported: false, enabled: false, method: "unsupported", filePath: null };
-}
-function xmlEscape(value) {
-  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&apos;");
-}
-function systemdQuote(value) {
-  return `"${value.replaceAll("\\", "\\\\").replaceAll('"', '\\"')}"`;
-}
-function desktopQuote(value) {
-  return `"${value.replaceAll("\\", "\\\\").replaceAll('"', '\\"')}"`;
-}
-function currentCliScriptPath() {
-  return process.argv[1];
-}
-
-// src/network/environment.ts
-import { existsSync, readFileSync } from "fs";
-import os4 from "os";
-function detectRuntimeEnvironment(env = process.env) {
-  if (isWsl(env)) {
-    return {
-      kind: "wsl",
-      lanAutoDiscoveryUsable: false,
-      warning: "Detected WSL. The LAN IP found inside WSL is usually a private VM address and is not reachable from your phone. Use Relay or set `hermeslink config set lan-host <Windows LAN IP>`."
-    };
-  }
-  if (isContainer(env)) {
-    return {
-      kind: "container",
-      lanAutoDiscoveryUsable: false,
-      warning: "Detected a container environment. Container LAN IPs are usually not reachable from your phone. Use Relay or set `hermeslink config set lan-host <host LAN IP>`."
-    };
-  }
-  return { kind: "native", lanAutoDiscoveryUsable: true, warning: null };
-}
-function isWsl(env) {
-  if (process.platform !== "linux") {
-    return false;
-  }
-  if (env.WSL_DISTRO_NAME || env.WSL_INTEROP) {
-    return true;
-  }
-  const release = os4.release().toLowerCase();
-  return release.includes("microsoft") || release.includes("wsl");
-}
-function isContainer(env) {
-  if (env.container || env.CONTAINER || env.KUBERNETES_SERVICE_HOST) {
-    return true;
-  }
-  if (existsSync("/.dockerenv")) {
-    return true;
-  }
-  try {
-    const cgroup = readFileSync("/proc/1/cgroup", "utf8").toLowerCase();
-    return /docker|containerd|kubepods|libpod|podman/u.test(cgroup);
-  } catch {
-    return false;
-  }
-}
-
-// src/storage/atomic-json.ts
-import { readFile as readFile3 } from "fs/promises";
-
-// src/storage/atomic-file.ts
-import { randomUUID } from "crypto";
-import {
-  chmod,
-  chown,
-  lstat,
-  mkdir as mkdir3,
-  open as open2,
-  readdir,
-  rename as rename2,
-  rm as rm3,
-  stat as stat2
-} from "fs/promises";
-import path4 from "path";
-async function atomicWriteFilePreservingMetadata(filePath, value, options = {}) {
-  const resolvedPath = path4.resolve(filePath);
-  const directory = path4.dirname(resolvedPath);
-  await ensureDirectoryWithInheritedMetadata(directory, options.directoryMode ?? 448);
-  const existingMetadata = await readExistingFileMetadata(resolvedPath) ?? (options.metadataSourcePath ? await readExistingFileMetadata(path4.resolve(options.metadataSourcePath)) : null);
-  const directoryMetadata = await readPathMetadata(directory);
-  const metadata = {
-    uid: existingMetadata?.uid ?? directoryMetadata.uid,
-    gid: existingMetadata?.gid ?? directoryMetadata.gid,
-    mode: existingMetadata?.mode ?? options.mode ?? 384
-  };
-  const tempPath = path4.join(
-    directory,
-    `.${path4.basename(resolvedPath)}.${process.pid}.${Date.now()}.${randomUUID()}.tmp`
-  );
-  try {
-    const handle = await open2(tempPath, "wx", metadata.mode);
-    try {
-      if (typeof value === "string") {
-        await handle.writeFile(value, options.encoding ?? "utf8");
-      } else {
-        await handle.writeFile(value);
-      }
-      await handle.sync();
-    } finally {
-      await handle.close();
-    }
-    await applyMetadata(tempPath, metadata);
-    await rename2(tempPath, resolvedPath);
-  } catch (error) {
-    await rm3(tempPath, { force: true });
-    throw error;
-  }
-}
-async function ensureDirectoryWithInheritedMetadata(directory, mode) {
-  const { source, missing } = await findExistingAncestor(directory);
-  await mkdir3(directory, { recursive: true, mode });
-  for (const missingDirectory of missing) {
-    await applyMetadata(missingDirectory, { uid: source.uid, gid: source.gid, mode });
-  }
-}
-async function findExistingAncestor(directory) {
-  const missing = [];
-  let current = path4.resolve(directory);
-  while (true) {
-    const currentStat = await stat2(current).catch((error) => {
-      if (isNodeError(error, "ENOENT")) return null;
-      throw error;
-    });
-    if (currentStat) {
-      if (!currentStat.isDirectory()) throw new Error(`${current} is not a directory`);
-      return { source: metadataFromStats(currentStat), missing: missing.reverse() };
-    }
-    missing.push(current);
-    const parent = path4.dirname(current);
-    if (parent === current) throw new Error(`No existing parent directory for ${directory}`);
-    current = parent;
-  }
-}
-async function readExistingFileMetadata(filePath) {
-  const fileStat = await stat2(filePath).catch((error) => {
-    if (isNodeError(error, "ENOENT")) return null;
-    throw error;
-  });
-  if (!fileStat) return null;
-  if (!fileStat.isFile()) throw new Error(`${filePath} is not a file`);
-  return metadataFromStats(fileStat);
-}
-async function readPathMetadata(filePath) {
-  return metadataFromStats(await stat2(filePath));
-}
-async function applyMetadata(filePath, metadata) {
-  await applyOwner(filePath, metadata);
-  await chmod(filePath, metadata.mode);
-}
-async function applyOwner(filePath, metadata) {
-  if (process.platform === "win32") return;
-  const currentUid = typeof process.getuid === "function" ? process.getuid() : void 0;
-  const currentGid = typeof process.getgid === "function" ? process.getgid() : void 0;
-  if (metadata.uid === currentUid && metadata.gid === currentGid) return;
-  try {
-    await chown(filePath, metadata.uid, metadata.gid);
-  } catch (error) {
-    const current = await stat2(filePath);
-    if (current.uid !== metadata.uid || current.gid !== metadata.gid) throw error;
-  }
-}
-function metadataFromStats(statsValue) {
-  return { uid: statsValue.uid, gid: statsValue.gid, mode: statsValue.mode & 511 };
-}
-function isNodeError(error, code) {
-  return typeof error === "object" && error !== null && "code" in error && error.code === code;
-}
-
-// src/storage/atomic-json.ts
-async function readJsonFile(filePath) {
-  try {
-    const raw = await readFile3(filePath, "utf8");
-    return JSON.parse(raw);
-  } catch (error) {
-    if (isNodeError(error, "ENOENT")) return null;
-    throw error;
-  }
-}
-async function writeJsonFile(filePath, value, mode = 384) {
-  const payload = `${JSON.stringify(value, null, 2)}
-`;
-  await atomicWriteFilePreservingMetadata(filePath, payload, { mode });
-}
-
-// src/link/state.ts
-import path5 from "path";
-var STATE_FILE = "link-state.json";
-function stateFilePath(paths) {
-  return path5.join(paths.homeDir, STATE_FILE);
-}
-function defaultLinkState() {
-  return {
-    networkReport: {
-      lastReportedAt: null,
-      preferredUrls: [],
-      lanIps: [],
-      publicIpv4s: [],
-      publicIpv6s: []
-    },
-    updateAvailable: null,
-    updateDismissedAt: null
-  };
-}
-async function readLinkState(paths) {
-  const runtimePaths = paths ?? resolveRuntimePaths();
-  const raw = await readJsonFile(stateFilePath(runtimePaths));
-  if (!raw || typeof raw !== "object") return defaultLinkState();
-  const state = raw;
-  return {
-    networkReport: readNetworkReportState(state.networkReport),
-    updateAvailable: typeof state.updateAvailable === "string" ? state.updateAvailable : null,
-    updateDismissedAt: typeof state.updateDismissedAt === "string" ? state.updateDismissedAt : null
-  };
-}
-function readNetworkReportState(value) {
-  if (!value || typeof value !== "object") {
-    return defaultLinkState().networkReport;
-  }
-  const v = value;
-  return {
-    lastReportedAt: typeof v.lastReportedAt === "string" ? v.lastReportedAt : null,
-    preferredUrls: readStringArray(v.preferredUrls),
-    lanIps: readStringArray(v.lanIps),
-    publicIpv4s: readStringArray(v.publicIpv4s),
-    publicIpv6s: readStringArray(v.publicIpv6s)
-  };
-}
-function readStringArray(value) {
-  if (!Array.isArray(value)) return [];
-  return value.filter((v) => typeof v === "string");
-}
-async function updateNetworkReportState(update, paths) {
-  const runtimePaths = paths ?? resolveRuntimePaths();
-  const current = await readLinkState(runtimePaths);
-  const next = {
-    ...current,
-    networkReport: { ...current.networkReport, ...update }
-  };
-  await writeJsonFile(stateFilePath(runtimePaths), next);
-  return next;
-}
-async function updateLinkState(update, paths) {
-  const runtimePaths = paths ?? resolveRuntimePaths();
-  const current = await readLinkState(runtimePaths);
-  const next = { ...current, ...update };
-  await writeJsonFile(stateFilePath(runtimePaths), next);
-  return next;
-}
-
-// src/link/updates.ts
-async function checkForUpdates(options) {
-  const paths = options.paths ?? resolveRuntimePaths();
-  const state = await readLinkState(paths);
-  const fetcher = options.fetchImpl ?? fetch;
-  try {
-    const response = await fetcher(
-      `${options.relayBaseUrl.replace(/\/+$/u, "")}/api/v1/relay/link-versions/latest`,
-      { signal: AbortSignal.timeout(5e3) }
-    );
-    if (!response.ok) {
-      return buildUpdateInfo(state.updateAvailable, state.updateDismissedAt);
-    }
-    const body = await response.json().catch(() => null);
-    const latestVersion = typeof body?.version === "string" ? body.version : null;
-    if (latestVersion && latestVersion !== LINK_VERSION) {
-      await updateLinkState({ updateAvailable: latestVersion }, paths);
-      return buildUpdateInfo(latestVersion, state.updateDismissedAt);
-    }
-    return buildUpdateInfo(latestVersion, state.updateDismissedAt);
-  } catch {
-    return buildUpdateInfo(state.updateAvailable, state.updateDismissedAt);
-  }
-}
-function buildUpdateInfo(availableVersion, dismissedAt) {
-  return {
-    currentVersion: LINK_VERSION,
-    availableVersion,
-    dismissed: dismissedAt !== null
-  };
-}
-async function dismissUpdate(paths) {
-  const runtimePaths = paths ?? resolveRuntimePaths();
-  await updateLinkState({ updateDismissedAt: (/* @__PURE__ */ new Date()).toISOString() }, runtimePaths);
-}
-
-// src/security/credentials.ts
-import { randomBytes, randomUUID as randomUUID2, timingSafeEqual, createHash } from "crypto";
-var ACCESS_TOKEN_TTL_MS = 15 * 60 * 1e3;
-var REFRESH_TOKEN_TTL_MS = 90 * 24 * 60 * 60 * 1e3;
-var DEVICE_SEEN_WRITE_INTERVAL_MS = 60 * 60 * 1e3;
-function credentialsPath(paths) {
-  return paths.credentialsFile;
-}
-function sha256(value) {
-  return createHash("sha256").update(value).digest("hex");
-}
-function safeEqual(a, b) {
-  const ab = Buffer.from(a);
-  const bb = Buffer.from(b);
-  return ab.length === bb.length && timingSafeEqual(ab, bb);
-}
-function randomToken(prefix) {
-  return `${prefix}${randomBytes(24).toString("base64url")}`;
-}
-async function readCredentialStore(paths) {
-  const raw = await readJsonFile(credentialsPath(paths));
-  if (!raw || typeof raw !== "object") return { devices: [] };
-  const store = raw;
-  return { devices: Array.isArray(store.devices) ? store.devices : [] };
-}
-async function writeCredentialStore(paths, store) {
-  await writeJsonFile(credentialsPath(paths), store);
-}
-function formatDeviceSession(device, accessToken, refreshToken) {
-  return {
-    device: {
-      id: device.id,
-      device_id: device.id,
-      label: device.label,
-      platform: device.platform,
-      model: device.model ?? null,
-      scope: device.scope
-    },
-    accessToken: { token: accessToken, expiresAt: device.access_expires_at },
-    refreshToken: { token: refreshToken, expiresAt: device.refresh_expires_at }
-  };
-}
-function formatDeviceListItem(device) {
-  return {
-    id: device.id,
-    device_id: device.id,
-    label: device.label,
-    platform: device.platform,
-    model: device.model ?? null,
-    scope: device.scope,
-    status: device.revoked_at ? "revoked" : "active",
-    paired_at: device.created_at,
-    created_at: device.created_at,
-    updated_at: device.updated_at,
-    access_expires_at: device.access_expires_at,
-    refresh_expires_at: device.refresh_expires_at,
-    last_seen_at: device.last_seen_at ?? null,
-    revoked_at: device.revoked_at,
-    app_hidden_at: device.app_hidden_at ?? null,
-    app_instance_bound: Boolean(device.app_instance_hash)
-  };
-}
-async function rotateDeviceSession(store, device, now, paths) {
-  const accessToken = randomToken("hpat_");
-  const refreshToken = randomToken("hprt_");
-  device.access_token_hash = sha256(accessToken);
-  device.access_expires_at = new Date(now.getTime() + ACCESS_TOKEN_TTL_MS).toISOString();
-  device.refresh_token_hash = sha256(refreshToken);
-  device.refresh_expires_at = new Date(now.getTime() + REFRESH_TOKEN_TTL_MS).toISOString();
-  device.last_seen_at = now.toISOString();
-  device.updated_at = now.toISOString();
-  await writeCredentialStore(paths, store);
-  return formatDeviceSession(device, accessToken, refreshToken);
-}
-function hashAppInstanceId(value) {
-  const normalized = normalizeAppInstanceId(value);
-  return normalized ? sha256(`hermespilot-app-instance:${normalized}`) : null;
-}
-function normalizeAppInstanceId(value) {
-  if (typeof value !== "string") return null;
-  const trimmed = value.trim();
-  return /^appi_[A-Za-z0-9_-]{16,96}$/u.test(trimmed) ? trimmed : null;
-}
-function normalizeDeviceLabel(value) {
-  const trimmed = value.trim();
-  return trimmed ? trimmed.slice(0, 128) : "HermesPilot App";
-}
-function normalizeDevicePlatform(value) {
-  const trimmed = value.trim().toLowerCase();
-  return trimmed ? trimmed.slice(0, 48) : "unknown";
-}
-function normalizeDeviceModel(value) {
-  const trimmed = value?.trim();
-  return trimmed ? trimmed.slice(0, 128) : null;
-}
-function isDeviceVisibleInApp(device) {
-  return !device.app_hidden_at;
-}
-function maybeBindAppInstance(store, device, appInstanceId) {
-  const appInstanceHash = hashAppInstanceId(appInstanceId);
-  if (!appInstanceHash || device.app_instance_hash === appInstanceHash) return false;
-  if (device.app_instance_hash) return false;
-  const existing = store.devices.find((d) => d.id !== device.id && d.app_instance_hash === appInstanceHash);
-  if (existing) return false;
-  device.app_instance_hash = appInstanceHash;
-  return true;
-}
-function updateDeviceDescriptor(device, input) {
-  let changed = false;
-  if (input.label !== void 0 && input.label !== null) {
-    const label = normalizeDeviceLabel(input.label);
-    if (device.label !== label) {
-      device.label = label;
-      changed = true;
-    }
-  }
-  if (input.platform !== void 0 && input.platform !== null) {
-    const platform = normalizeDevicePlatform(input.platform);
-    if (device.platform !== platform) {
-      device.platform = platform;
-      changed = true;
-    }
-  }
-  if (input.model !== void 0 && input.model !== null) {
-    const model = normalizeDeviceModel(input.model);
-    if ((device.model ?? null) !== model) {
-      device.model = model;
-      changed = true;
-    }
-  }
-  return changed;
-}
-async function createDeviceSession(input, paths = resolveRuntimePaths()) {
-  const store = await readCredentialStore(paths);
-  const now = /* @__PURE__ */ new Date();
-  const appInstanceHash = hashAppInstanceId(input.appInstanceId);
-  if (appInstanceHash) {
-    const existing = store.devices.find((d) => d.app_instance_hash === appInstanceHash);
-    if (existing) {
-      updateDeviceDescriptor(existing, input);
-      existing.revoked_at = null;
-      existing.app_hidden_at = null;
-      return rotateDeviceSession(store, existing, now, paths);
-    }
-  }
-  const device = {
-    id: `dev_${randomUUID2().replaceAll("-", "")}`,
-    label: normalizeDeviceLabel(input.label),
-    platform: normalizeDevicePlatform(input.platform),
-    model: normalizeDeviceModel(input.model),
-    scope: "admin",
-    app_instance_hash: appInstanceHash,
-    access_token_hash: "",
-    access_expires_at: "",
-    refresh_token_hash: "",
-    refresh_expires_at: "",
-    created_at: now.toISOString(),
-    updated_at: now.toISOString(),
-    last_seen_at: now.toISOString(),
-    revoked_at: null,
-    app_hidden_at: null
-  };
-  store.devices.push(device);
-  return rotateDeviceSession(store, device, now, paths);
-}
-async function refreshDeviceSession(refreshToken, options = {}, paths = resolveRuntimePaths()) {
-  const tokenHash = sha256(refreshToken);
-  const store = await readCredentialStore(paths);
-  const device = store.devices.find((d) => safeEqual(d.refresh_token_hash, tokenHash));
-  if (!device || device.revoked_at || Date.parse(device.refresh_expires_at) <= Date.now()) {
-    throw Object.assign(new Error("Refresh token is invalid or expired"), { status: 401, code: "refresh_token_invalid" });
-  }
-  const now = /* @__PURE__ */ new Date();
-  maybeBindAppInstance(store, device, options.appInstanceId);
-  updateDeviceDescriptor(device, options);
-  return rotateDeviceSession(store, device, now, paths);
-}
-async function revokeDeviceRefreshToken(refreshToken, paths = resolveRuntimePaths()) {
-  const tokenHash = sha256(refreshToken);
-  const store = await readCredentialStore(paths);
-  const device = store.devices.find((d) => safeEqual(d.refresh_token_hash, tokenHash));
-  if (!device || device.revoked_at) return;
-  device.revoked_at = (/* @__PURE__ */ new Date()).toISOString();
-  device.updated_at = device.revoked_at;
-  await writeCredentialStore(paths, store);
-}
-async function authenticateDeviceAccessToken(token, paths = resolveRuntimePaths()) {
-  const tokenHash = sha256(token);
-  const store = await readCredentialStore(paths);
-  const device = store.devices.find((d) => safeEqual(d.access_token_hash, tokenHash));
-  if (!device || device.revoked_at || Date.parse(device.access_expires_at) <= Date.now()) return null;
-  return device;
-}
-async function recordDeviceSeen(deviceId, options = {}, paths = resolveRuntimePaths()) {
-  const store = await readCredentialStore(paths);
-  const device = store.devices.find((d) => d.id === deviceId);
-  if (!device || device.revoked_at) return device ?? null;
-  const now = /* @__PURE__ */ new Date();
-  const bound = maybeBindAppInstance(store, device, options.appInstanceId);
-  const descriptorUpdated = updateDeviceDescriptor(device, { model: options.model });
-  const shouldTouch = !device.last_seen_at || Number.isNaN(Date.parse(device.last_seen_at)) || now.getTime() - Date.parse(device.last_seen_at) >= DEVICE_SEEN_WRITE_INTERVAL_MS;
-  if (bound || descriptorUpdated || shouldTouch) {
-    device.last_seen_at = now.toISOString();
-    device.updated_at = now.toISOString();
-    await writeCredentialStore(paths, store);
-  }
-  return device;
-}
-async function listDevices(paths = resolveRuntimePaths()) {
-  const store = await readCredentialStore(paths);
-  return store.devices.filter(isDeviceVisibleInApp).map(formatDeviceListItem).sort((a, b) => {
-    if (a.status !== b.status) return a.status === "active" ? -1 : 1;
-    return Date.parse(b.created_at) - Date.parse(a.created_at);
-  });
-}
-async function readDeviceSummary(paths = resolveRuntimePaths()) {
-  const store = await readCredentialStore(paths);
-  const visible = store.devices.filter(isDeviceVisibleInApp);
-  const revoked = visible.filter((d) => d.revoked_at).length;
-  return { total: visible.length, active: visible.length - revoked, revoked };
-}
-async function revokeDeviceById(deviceId, paths = resolveRuntimePaths()) {
-  const store = await readCredentialStore(paths);
-  const device = store.devices.find((d) => d.id === deviceId);
-  if (!device) {
-    throw Object.assign(new Error("Device was not found"), { status: 404, code: "device_not_found" });
-  }
-  if (!device.revoked_at) {
-    device.revoked_at = (/* @__PURE__ */ new Date()).toISOString();
-    device.updated_at = device.revoked_at;
-    await writeCredentialStore(paths, store);
-  }
-  return formatDeviceListItem(device);
-}
-async function hideRevokedDeviceFromAppList(deviceId, paths = resolveRuntimePaths()) {
-  const store = await readCredentialStore(paths);
-  const device = store.devices.find((d) => d.id === deviceId);
-  if (!device) {
-    throw Object.assign(new Error("Device was not found"), { status: 404, code: "device_not_found" });
-  }
-  if (!device.revoked_at) {
-    throw Object.assign(new Error("Device must be revoked before it can be deleted from the app list"), {
-      status: 409,
-      code: "device_still_active"
-    });
-  }
-  if (!device.app_hidden_at) {
-    device.app_hidden_at = (/* @__PURE__ */ new Date()).toISOString();
-    device.updated_at = device.app_hidden_at;
-    await writeCredentialStore(paths, store);
-  }
-  return formatDeviceListItem(device);
-}
-async function renameDeviceById(deviceId, label, paths = resolveRuntimePaths()) {
-  const normalizedLabel = label.trim();
-  if (!normalizedLabel || normalizedLabel.length > 128) {
-    throw Object.assign(new Error("Device label is invalid"), { status: 400, code: "device_label_invalid" });
-  }
-  const store = await readCredentialStore(paths);
-  const device = store.devices.find((d) => d.id === deviceId);
-  if (!device) {
-    throw Object.assign(new Error("Device was not found"), { status: 404, code: "device_not_found" });
-  }
-  if (device.revoked_at) {
-    throw Object.assign(new Error("Device is revoked"), { status: 409, code: "device_revoked" });
-  }
-  device.label = normalizedLabel.slice(0, 128);
-  device.updated_at = (/* @__PURE__ */ new Date()).toISOString();
-  await writeCredentialStore(paths, store);
-  return formatDeviceListItem(device);
-}
-
-// src/security/app-connect-token.ts
-import crypto from "crypto";
-import path6 from "path";
-var TOKENS_FILE = "app-connect-tokens.json";
-var TOKEN_EXPIRY_MS = 5 * 60 * 1e3;
-function tokensFilePath(paths) {
-  return path6.join(paths.homeDir, TOKENS_FILE);
-}
-async function readTokens(paths) {
-  const raw = await readJsonFile(tokensFilePath(paths));
-  if (!Array.isArray(raw)) return [];
-  const now = /* @__PURE__ */ new Date();
-  return raw.filter(isValidToken).filter((t) => new Date(t.expiresAt) > now);
-}
-function isValidToken(value) {
-  if (!value || typeof value !== "object") return false;
-  const t = value;
-  return typeof t.token === "string" && typeof t.createdAt === "string" && typeof t.expiresAt === "string";
-}
-async function saveTokens(tokens, paths) {
-  await writeJsonFile(tokensFilePath(paths), tokens);
-}
-async function generateAppConnectToken(paths) {
-  const runtimePaths = paths ?? resolveRuntimePaths();
-  const now = /* @__PURE__ */ new Date();
-  const token = {
-    token: crypto.randomBytes(32).toString("base64url"),
-    createdAt: now.toISOString(),
-    usedAt: null,
-    expiresAt: new Date(now.getTime() + TOKEN_EXPIRY_MS).toISOString()
-  };
-  const tokens = await readTokens(runtimePaths);
-  tokens.push(token);
-  await saveTokens(tokens, runtimePaths);
-  return token;
-}
-async function consumeAppConnectToken(tokenValue, paths) {
-  const runtimePaths = paths ?? resolveRuntimePaths();
-  const tokens = await readTokens(runtimePaths);
-  const index = tokens.findIndex((t) => t.token === tokenValue && !t.usedAt);
-  if (index === -1) return null;
-  tokens[index].usedAt = (/* @__PURE__ */ new Date()).toISOString();
-  await saveTokens(tokens, runtimePaths);
-  return tokens[index];
-}
-
-// src/core/errors.ts
-var LinkHttpError = class extends Error {
-  status;
-  code;
-  constructor(status, code, message) {
-    super(message);
-    this.status = status;
-    this.code = code;
-  }
-};
-
-// src/http/auth.ts
-async function authenticateRequest(ctx, paths = resolveRuntimePaths()) {
-  const token = readBearerToken(ctx.get("authorization"));
-  if (!token) {
-    throw new LinkHttpError(401, "auth_required", "Authorization bearer token is required");
-  }
-  const device = await authenticateDeviceAccessToken(token, paths);
-  if (device) {
-    return { kind: "device", device };
-  }
-  if (token.startsWith("hpat_")) {
-    throw new LinkHttpError(401, "device_access_token_invalid", "Device access token is invalid or expired");
-  }
-  const localToken = await consumeAppConnectToken(token, paths);
-  if (localToken) {
-    return { kind: "app-connect", accountId: null, scopes: [], appInstanceId: null };
-  }
-  throw new LinkHttpError(401, "auth_invalid", "Token is invalid or expired");
-}
-function readBearerToken(value) {
-  const trimmed = value.trim();
-  if (!trimmed.toLowerCase().startsWith("bearer ")) return null;
-  const token = trimmed.slice(7).trim();
-  return token || null;
-}
-function readAppInstanceIdHeader(ctx) {
-  const value = ctx.get("x-hermes-app-instance-id").trim();
-  return /^appi_[A-Za-z0-9_-]{16,96}$/u.test(value) ? value : null;
-}
-function readDeviceModelHeader(ctx) {
-  const value = ctx.get("x-hermes-device-model").trim();
-  return value ? value.slice(0, 128) : null;
-}
-
-// src/http/routes/system.ts
-function createSystemRouter(options) {
-  const router = new Router({ prefix: "/api/v1/system" });
-  const paths = options.paths;
-  const auth = async (ctx, next) => {
-    await authenticateRequest(ctx, paths);
-    await next();
-  };
-  router.get("/status", async (ctx) => {
-    const state = await readLinkState(options.paths);
-    const autostart = await getAutostartStatus();
-    const environment = detectRuntimeEnvironment();
-    ctx.body = {
-      version: LINK_VERSION,
-      linkId: options.identity.link_id,
-      installId: options.identity.install_id,
-      port: options.config.port,
-      autostart: {
-        supported: autostart.supported,
-        enabled: autostart.enabled,
-        method: autostart.method
-      },
-      environment: {
-        kind: environment.kind,
-        warning: environment.warning
-      },
-      networkReport: state.networkReport,
-      updateAvailable: state.updateAvailable
-    };
-  });
-  router.get("/version", (ctx) => {
-    ctx.body = { version: LINK_VERSION };
-  });
-  router.post("/autostart/enable", auth, async (ctx) => {
-    const status = await enableAutostart();
-    ctx.body = status;
-  });
-  router.post("/autostart/disable", auth, async (ctx) => {
-    const status = await disableAutostart();
-    ctx.body = status;
-  });
-  router.get("/logs", auth, async (ctx) => {
-    const limit = Number(ctx.query.limit) || void 0;
-    const entries = await readRecentLogEntries({ paths: options.paths, limit });
-    ctx.body = { entries };
-  });
-  router.get("/logs/gateway", auth, async (ctx) => {
-    const limit = Number(ctx.query.limit) || void 0;
-    const entries = await readRecentGatewayLogEntries({ paths: options.paths, limit });
-    ctx.body = { entries };
-  });
-  router.get("/updates", auth, async (ctx) => {
-    const info = await checkForUpdates({
-      relayBaseUrl: options.config.relayBaseUrl,
-      paths: options.paths
-    });
-    ctx.body = info;
-  });
-  router.post("/updates/dismiss", auth, async (ctx) => {
-    await dismissUpdate(options.paths);
-    ctx.body = { ok: true };
-  });
-  return router;
-}
-
-// src/http/routes/statistics.ts
-import Router2 from "@koa/router";
-function createStatisticsRouter(options) {
-  const router = new Router2({ prefix: "/api/v1/statistics" });
-  const paths = options.paths;
-  const auth = async (ctx, next) => {
-    await authenticateRequest(ctx, paths);
-    await next();
-  };
-  router.get("/conversations", auth, (ctx) => {
-    const { from, to, profile } = ctx.query;
-    let query = `SELECT date, profile_name, conversation_count, message_count,
-      total_input_tokens, total_output_tokens
-      FROM conversation_stats WHERE 1=1`;
-    const params = [];
-    if (typeof from === "string") {
-      query += " AND date >= ?";
-      params.push(from);
-    }
-    if (typeof to === "string") {
-      query += " AND date <= ?";
-      params.push(to);
-    }
-    if (typeof profile === "string" && profile) {
-      query += " AND profile_name = ?";
-      params.push(profile);
-    }
-    query += " ORDER BY date DESC, profile_name ASC LIMIT 500";
-    const rows = options.db.prepare(query).all(...params);
-    ctx.body = { rows };
-  });
-  router.get("/usage", auth, (ctx) => {
-    const { from, to, profile, model } = ctx.query;
-    let query = `SELECT date, profile_name, model,
-      input_tokens, output_tokens, cache_creation_tokens, cache_read_tokens, run_count
-      FROM run_usage_facts WHERE 1=1`;
-    const params = [];
-    if (typeof from === "string") {
-      query += " AND date >= ?";
-      params.push(from);
-    }
-    if (typeof to === "string") {
-      query += " AND date <= ?";
-      params.push(to);
-    }
-    if (typeof profile === "string" && profile) {
-      query += " AND profile_name = ?";
-      params.push(profile);
-    }
-    if (typeof model === "string" && model) {
-      query += " AND model = ?";
-      params.push(model);
-    }
-    query += " ORDER BY date DESC, profile_name ASC, model ASC LIMIT 1000";
-    const rows = options.db.prepare(query).all(...params);
-    ctx.body = { rows };
-  });
-  router.post("/conversations/upsert", auth, (ctx) => {
-    const body = ctx.request.body;
-    if (!body || typeof body !== "object") {
-      ctx.status = 400;
-      ctx.body = { error: "Invalid body" };
-      return;
-    }
-    const { date, profileName, conversationCount, messageCount, totalInputTokens, totalOutputTokens } = body;
-    if (!date || !profileName) {
-      ctx.status = 400;
-      ctx.body = { error: "Missing required fields: date, profileName" };
-      return;
-    }
-    options.db.prepare(
-      `INSERT INTO conversation_stats
-          (date, profile_name, conversation_count, message_count, total_input_tokens, total_output_tokens)
-          VALUES (?, ?, ?, ?, ?, ?)
-          ON CONFLICT (date, profile_name) DO UPDATE SET
-            conversation_count = excluded.conversation_count,
-            message_count = excluded.message_count,
-            total_input_tokens = excluded.total_input_tokens,
-            total_output_tokens = excluded.total_output_tokens`
-    ).run(
-      date,
-      profileName,
-      Number(conversationCount) || 0,
-      Number(messageCount) || 0,
-      Number(totalInputTokens) || 0,
-      Number(totalOutputTokens) || 0
-    );
-    ctx.body = { ok: true };
-  });
-  router.post("/usage/upsert", auth, (ctx) => {
-    const body = ctx.request.body;
-    if (!body || typeof body !== "object") {
-      ctx.status = 400;
-      ctx.body = { error: "Invalid body" };
-      return;
-    }
-    const { date, profileName, model, inputTokens, outputTokens, cacheCreationTokens, cacheReadTokens, runCount } = body;
-    if (!date || !profileName || !model) {
-      ctx.status = 400;
-      ctx.body = { error: "Missing required fields: date, profileName, model" };
-      return;
-    }
-    options.db.prepare(
-      `INSERT INTO run_usage_facts
-          (date, profile_name, model, input_tokens, output_tokens, cache_creation_tokens, cache_read_tokens, run_count)
-          VALUES (?, ?, ?, ?, ?, ?, ?, ?)
-          ON CONFLICT (date, profile_name, model) DO UPDATE SET
-            input_tokens = excluded.input_tokens,
-            output_tokens = excluded.output_tokens,
-            cache_creation_tokens = excluded.cache_creation_tokens,
-            cache_read_tokens = excluded.cache_read_tokens,
-            run_count = excluded.run_count`
-    ).run(
-      date,
-      profileName,
-      model,
-      Number(inputTokens) || 0,
-      Number(outputTokens) || 0,
-      Number(cacheCreationTokens) || 0,
-      Number(cacheReadTokens) || 0,
-      Number(runCount) || 0
-    );
-    ctx.body = { ok: true };
-  });
-  return router;
-}
-
-// src/http/routes/bootstrap.ts
-import Router3 from "@koa/router";
-
-// src/identity/identity.ts
-import { generateKeyPairSync, randomUUID as randomUUID3, sign } from "crypto";
-import { chmod as chmod2, mkdir as mkdir4 } from "fs/promises";
-import { z } from "zod";
-var linkIdentitySchema = z.object({
-  install_id: z.string().min(1),
-  link_id: z.string().min(1).nullable().optional(),
-  public_key_pem: z.string().min(1),
-  private_key_pem: z.string().min(1),
-  created_at: z.string().min(1),
-  updated_at: z.string().min(1)
-});
-async function loadIdentity(paths = resolveRuntimePaths()) {
-  const value = await readJsonFile(paths.identityFile);
-  if (value === null) {
-    return null;
-  }
-  return linkIdentitySchema.parse(value);
-}
-async function ensureIdentity(paths = resolveRuntimePaths()) {
-  const existing = await loadIdentity(paths);
-  if (existing) {
-    return existing;
-  }
-  await mkdir4(paths.homeDir, { recursive: true, mode: 448 });
-  await chmod2(paths.homeDir, 448).catch(() => void 0);
-  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const identity = {
-    install_id: `install_${randomUUID3().replaceAll("-", "")}`,
-    link_id: null,
-    public_key_pem: publicKey.export({ type: "spki", format: "pem" }).toString(),
-    private_key_pem: privateKey.export({ type: "pkcs8", format: "pem" }).toString(),
-    created_at: now,
-    updated_at: now
-  };
-  await writeJsonFile(paths.identityFile, identity);
-  return identity;
-}
-async function saveAssignedLinkId(linkId, paths = resolveRuntimePaths()) {
-  const identity = await ensureIdentity(paths);
-  const next = {
-    ...identity,
-    link_id: linkId,
-    updated_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  await writeJsonFile(paths.identityFile, next);
-  return next;
-}
-function signRelayNonce(identity, nonce) {
-  return signIdentityPayload(identity, nonce);
-}
-function signIdentityPayload(identity, payload) {
-  const signature = sign(null, Buffer.from(payload, "utf8"), identity.private_key_pem);
-  return signature.toString("base64url");
-}
-
-// src/config/config.ts
-var defaultLinkConfig = {
-  port: LINK_DEFAULT_PORT,
-  lanHost: null,
-  serverBaseUrl: "https://hermes-server.catwiki.ai",
-  relayBaseUrl: "https://hermes-relay.catwiki.ai",
-  appConnectTokenIssuer: "https://hermes-server.catwiki.ai",
-  appConnectTokenAudience: "hermes-link",
-  language: "auto",
-  logLevel: "warn"
-};
-async function loadConfig(paths = resolveRuntimePaths()) {
-  const existing = await readJsonFile(paths.configFile);
-  const language = normalizeConfiguredLanguage(existing?.language);
-  const lanHost = normalizeLanHost(existing?.lanHost);
-  const logLevel = normalizeLogLevel(existing?.logLevel ?? process.env.HERMESLINK_LOG_LEVEL);
-  return {
-    ...defaultLinkConfig,
-    ...existing ?? {},
-    language,
-    lanHost,
-    logLevel
-  };
-}
-async function saveConfig(patch, paths = resolveRuntimePaths()) {
-  const current = await loadConfig(paths);
-  const next = {
-    ...current,
-    ...patch,
-    logLevel: patch.logLevel === void 0 ? current.logLevel : normalizeLogLevel(patch.logLevel)
-  };
-  await writeJsonFile(paths.configFile, next);
-  return next;
-}
-function normalizeConfiguredLanguage(language) {
-  if (language === "zh-CN" || language === "en" || language === "auto") {
-    return language;
-  }
-  return defaultLinkConfig.language;
-}
-function normalizeLogLevel(level) {
-  if (level === "debug" || level === "info" || level === "warn" || level === "error") {
-    return level;
-  }
-  return defaultLinkConfig.logLevel;
-}
-function normalizeLanHost(value) {
-  if (value === null || value === void 0) return null;
-  if (typeof value !== "string") return null;
-  const host = value.trim().replace(/^\[/u, "").replace(/\]$/u, "");
-  if (!host) return null;
-  if (!isValidHostIpv4(host)) return null;
-  return host;
-}
-function isValidHostIpv4(value) {
-  const parts = value.split(".").map((part) => Number.parseInt(part, 10));
-  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
-    return false;
-  }
-  const [, , , fourth] = parts;
-  return fourth !== 0 && fourth !== 255;
-}
-
-// src/network/topology.ts
-import os5 from "os";
-var VIRTUAL_INTERFACE_NAME_PATTERN = /(docker|veth|vmnet|vmenet|vbox|virtualbox|vmware|tailscale|zerotier|wireguard|utun|virbr|hyper-v|vethernet|loopback|\blo\b|^lo\d*$|^br-|^bridge\d+$|^zt|^tun|^tap|awdl|llw|anpi|gif|stf|ipsec|ppp)/iu;
-var MAX_LAN_IPS = 4;
-var MAX_PUBLIC_IPV4S = 2;
-var MAX_PUBLIC_IPV6S = 2;
-async function discoverRouteCandidates(options) {
-  const environment = detectRuntimeEnvironment();
-  const configuredLanHost = normalizeLanHost(options.configuredLanHost);
-  const lanIps = configuredLanHost ? [configuredLanHost] : environment.lanAutoDiscoveryUsable ? discoverLanIps() : [];
-  const publicIps = options.relayBootstrapToken || options.observePublicRoute ? await observePublicRoute(options).catch(() => ({ publicIpv4s: [], publicIpv6s: [] })) : { publicIpv4s: [], publicIpv6s: [] };
-  const publicIpv4s = unique(publicIps.publicIpv4s.filter(isUsablePublicIpv4)).slice(0, MAX_PUBLIC_IPV4S);
-  const publicIpv6s = unique(publicIps.publicIpv6s.filter(isUsablePublicIpv6)).slice(0, MAX_PUBLIC_IPV6S);
-  const preferredUrls = [
-    ...lanIps.map((ip) => buildDirectUrl(ip, options.port)),
-    ...publicIpv4s.map((ip) => buildDirectUrl(ip, options.port)),
-    ...publicIpv6s.map((ip) => buildDirectUrl(ip, options.port)),
-    `${options.relayBaseUrl.replace(/\/+$/u, "")}/api/v1/relay/links/${options.linkId}`
-  ];
-  return { lanIps, publicIpv4s, publicIpv6s, preferredUrls, environment };
-}
-function discoverLanIps() {
-  return discoverLanIpsFromInterfaces(os5.networkInterfaces());
-}
-function discoverLanIpsFromInterfaces(interfaces) {
-  const result = /* @__PURE__ */ new Set();
-  const candidates = [];
-  for (const [name, items] of Object.entries(interfaces)) {
-    if (shouldIgnoreInterface(name)) continue;
-    for (const item of items ?? []) {
-      if (!item.internal && item.address && item.family === "IPv4" && isUsableLanIpv4(item.address, item.netmask)) {
-        candidates.push({ name, address: item.address });
-      }
-    }
-  }
-  for (const candidate of candidates.sort(compareLanCandidate)) {
-    result.add(candidate.address);
-  }
-  return [...result].slice(0, MAX_LAN_IPS);
-}
-async function observePublicRoute(options) {
-  const fetcher = options.fetchImpl ?? fetch;
-  const simpleIp = await fetchPublicIpSimple(fetcher).catch(() => null);
-  try {
-    const response = await fetcher(
-      `${options.relayBaseUrl.replace(/\/+$/u, "")}/api/v1/relay/public-route/observe`,
-      {
-        method: "POST",
-        headers: {
-          "content-type": "application/json",
-          ...options.relayBootstrapToken ? { authorization: `Bearer ${options.relayBootstrapToken}` } : {}
-        },
-        body: JSON.stringify({
-          install_id: options.installId,
-          link_id: options.linkId,
-          public_key_pem: options.publicKeyPem
-        }),
-        signal: AbortSignal.timeout(5e3)
-      }
-    );
-    const payload = await response.json().catch(() => null);
-    const record = typeof payload?.record === "object" && payload.record !== null ? payload.record : null;
-    const observed = typeof payload?.observed === "object" && payload.observed !== null ? payload.observed : null;
-    const values = [
-      simpleIp,
-      readIpRecord(record?.ipv4),
-      readIpRecord(record?.ipv6),
-      typeof observed?.ip === "string" ? observed.ip : null
-    ].filter((v) => Boolean(v));
-    return {
-      publicIpv4s: unique(values.filter(isUsablePublicIpv4)),
-      publicIpv6s: unique(values.filter(isUsablePublicIpv6))
-    };
-  } catch {
-    const values = [simpleIp].filter((v) => Boolean(v));
-    return {
-      publicIpv4s: unique(values.filter(isUsablePublicIpv4)),
-      publicIpv6s: []
-    };
-  }
-}
-async function fetchPublicIpSimple(fetcher) {
-  const res = await fetcher("https://api.ipify.org?format=json", {
-    signal: AbortSignal.timeout(4e3)
-  });
-  const data = await res.json();
-  return typeof data.ip === "string" && data.ip.trim() ? data.ip.trim() : null;
-}
-function readIpRecord(value) {
-  if (typeof value !== "object" || value === null) return null;
-  const ip = value.ip;
-  return typeof ip === "string" && ip.trim() ? ip.trim() : null;
-}
-function buildDirectUrl(ip, port) {
-  return `http://${ip.includes(":") ? `[${ip}]` : ip}:${port}`;
-}
-function shouldIgnoreInterface(name) {
-  return !name.trim() || VIRTUAL_INTERFACE_NAME_PATTERN.test(name);
-}
-function compareLanCandidate(left, right) {
-  const priority = interfacePriority(left.name) - interfacePriority(right.name);
-  return priority || left.name.localeCompare(right.name) || left.address.localeCompare(right.address);
-}
-function interfacePriority(name) {
-  return /^(en|eth|wlan|wi-fi|wifi)/iu.test(name) ? 0 : 1;
-}
-function isUsableLanIpv4(address, netmask) {
-  return isPrivateIpv4(address) && !isNetworkOrBroadcastIpv4Address(address, netmask);
-}
-function isUsablePublicIpv4(address) {
-  return isValidIpv4(address) && !isSpecialIpv4(address);
-}
-function isUsablePublicIpv6(address) {
-  const normalized = address.toLowerCase();
-  return normalized.includes(":") && !normalized.startsWith("fe80:") && !normalized.startsWith("fc") && !normalized.startsWith("fd") && !normalized.startsWith("ff") && normalized !== "::" && normalized !== "::1";
-}
-function isPrivateIpv4(address) {
-  const parts = parseIpv4Segments(address);
-  if (!parts) return false;
-  const [first, second] = parts;
-  return first === 10 || first === 172 && second >= 16 && second <= 31 || first === 192 && second === 168;
-}
-function isSpecialIpv4(address) {
-  const parts = parseIpv4Segments(address);
-  if (!parts) return true;
-  const [first, second, third, fourth] = parts;
-  return first === 0 || first === 10 || first === 127 || first >= 224 || first === 100 && second >= 64 && second <= 127 || first === 169 && second === 254 || first === 172 && second >= 16 && second <= 31 || first === 192 && second === 168 || first === 192 && second === 0 && third === 2 || first === 198 && (second === 18 || second === 19) || first === 198 && second === 51 && third === 100 || first === 203 && second === 0 && third === 113 || first === 255 && second === 255 && third === 255 && fourth === 255;
-}
-function isNetworkOrBroadcastIpv4Address(address, netmask) {
-  const addressParts = parseIpv4Segments(address);
-  const netmaskParts = netmask ? parseIpv4Segments(netmask) : null;
-  if (!addressParts) return true;
-  if (!netmaskParts) {
-    const last = addressParts[3];
-    return last === 0 || last === 255;
-  }
-  const addressInt = ipv4SegmentsToInt(addressParts);
-  const netmaskInt = ipv4SegmentsToInt(netmaskParts);
-  const hostMask = ~netmaskInt >>> 0;
-  if (hostMask === 0) return false;
-  const networkInt = addressInt & netmaskInt;
-  const broadcastInt = (networkInt | hostMask) >>> 0;
-  return addressInt === networkInt || addressInt === broadcastInt;
-}
-function isValidIpv4(address) {
-  return Boolean(parseIpv4Segments(address));
-}
-function parseIpv4Segments(address) {
-  if (!/^\d{1,3}(?:\.\d{1,3}){3}$/u.test(address)) return null;
-  const parts = address.split(".").map((part) => Number.parseInt(part, 10));
-  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) return null;
-  return parts;
-}
-function ipv4SegmentsToInt(parts) {
-  return (parts[0] << 24 >>> 0 | parts[1] << 16 | parts[2] << 8 | parts[3]) >>> 0;
-}
-function unique(values) {
-  return [...new Set(values)];
-}
-
-// src/http/routes/bootstrap.ts
-function routeObjects(urls) {
-  return urls.map((url) => ({
-    url,
-    kind: url.includes("/api/v1/relay/links/") ? "relay" : "lan"
-  }));
-}
-function createBootstrapRouter(options) {
-  const { paths } = options;
-  const router = new Router3();
-  router.get("/api/v1/bootstrap", async (ctx) => {
-    const [identity, config] = await Promise.all([loadIdentity(paths), loadConfig(paths)]);
-    const routes = identity?.link_id ? await discoverRouteCandidates({
-      port: config.port,
-      relayBaseUrl: config.relayBaseUrl,
-      linkId: identity.link_id,
-      installId: identity.install_id,
-      publicKeyPem: identity.public_key_pem,
-      configuredLanHost: config.lanHost
-    }) : null;
-    ctx.set("cache-control", "no-store");
-    ctx.body = {
-      link_id: identity?.link_id ?? null,
-      display_name: identity?.link_id ? "Hermes Link" : "Unpaired Hermes Link",
-      version: LINK_VERSION,
-      api_version: 1,
-      paired: Boolean(identity?.link_id),
-      pairing_supported: Boolean(identity?.link_id),
-      preferred_pairing_urls: routes?.preferredUrls ?? [],
-      routes: routes ? routeObjects(routes.preferredUrls) : [],
-      capabilities: {
-        runs: true,
-        sse: true,
-        relay: true,
-        profiles: true,
-        logs: true,
-        statistics: true,
-        conversations: true,
-        conversation_events: true,
-        conversation_delete: true,
-        conversation_bulk_delete: true,
-        conversation_clear_plan: true,
-        conversation_cancel: true,
-        conversation_rename: true,
-        blobs: true,
-        devices: true,
-        device_delete: true,
-        device_revoke: true,
-        device_rename: true,
-        device_session_enroll: true,
-        cron_jobs: true,
-        profile_skills: true,
-        profile_memory: true,
-        hermes_updates: true
-      }
-    };
-  });
-  return router;
-}
-
-// src/http/routes/auth.ts
-import Router4 from "@koa/router";
-function readString(body, ...keys) {
-  if (!body || typeof body !== "object") return null;
-  for (const key of keys) {
-    const val = body[key];
-    if (typeof val === "string") return val;
-  }
-  return null;
-}
-async function readJsonBody(req) {
-  return new Promise((resolve, reject) => {
-    let data = "";
-    req.setEncoding("utf8");
-    req.on("data", (chunk) => {
-      data += chunk;
-    });
-    req.on("end", () => {
-      try {
-        resolve(data ? JSON.parse(data) : {});
-      } catch {
-        resolve({});
-      }
-    });
-    req.on("error", reject);
-  });
-}
-function createAuthRouter(options) {
-  const { paths, logger } = options;
-  const router = new Router4();
-  router.get("/api/v1/auth/me", async (ctx) => {
-    const auth = await authenticateRequest(ctx, paths);
-    const identity = await loadIdentity(paths);
-    if (!identity?.link_id) throw new LinkHttpError(409, "link_not_paired", "Hermes Link is not paired");
-    const device = auth.device ? await recordDeviceSeen(
-      auth.device.id,
-      { appInstanceId: readAppInstanceIdHeader(ctx), model: readDeviceModelHeader(ctx) },
-      paths
-    ) ?? auth.device : null;
-    ctx.body = {
-      ok: true,
-      auth: { kind: auth.kind, account_id: auth.accountId ?? null },
-      link: { link_id: identity.link_id, display_name: "Hermes Link" },
-      device: device ? { id: device.id, device_id: device.id, label: device.label, platform: device.platform, model: device.model ?? null, scope: device.scope } : null
-    };
-  });
-  router.post("/api/v1/auth/device-session", async (ctx) => {
-    const auth = await authenticateRequest(ctx, paths);
-    if (auth.kind !== "app-connect") {
-      throw new LinkHttpError(403, "app_connect_required", "App connect token is required to create a device session");
-    }
-    if (auth.scopes && auth.scopes.length > 0 && !auth.scopes.includes("device:enroll")) {
-      throw new LinkHttpError(403, "device_enroll_scope_required", "App connect token cannot enroll a device");
-    }
-    const identity = await loadIdentity(paths);
-    if (!identity?.link_id) throw new LinkHttpError(409, "link_not_paired", "Hermes Link is not paired");
-    const body = await readJsonBody(ctx.req);
-    const session = await createDeviceSession(
-      {
-        label: readString(body, "device_label", "deviceLabel") ?? "HermesPilot App",
-        platform: readString(body, "device_platform", "devicePlatform") ?? "unknown",
-        model: readString(body, "device_model", "deviceModel"),
-        appInstanceId: auth.appInstanceId
-      },
-      paths
-    );
-    ctx.body = {
-      ok: true,
-      link: { link_id: identity.link_id, display_name: "Hermes Link" },
-      device: session.device,
-      access_token: { token: session.accessToken.token, expires_at: session.accessToken.expiresAt },
-      refresh_token: { token: session.refreshToken.token, expires_at: session.refreshToken.expiresAt }
-    };
-    logger.info({ device_id: session.device.device_id, device_platform: session.device.platform }, "device_session_enrolled");
-  });
-  router.post("/api/v1/auth/refresh", async (ctx) => {
-    const body = await readJsonBody(ctx.req);
-    const refreshToken = readString(body, "refresh_token", "refreshToken");
-    if (!refreshToken) throw new LinkHttpError(400, "refresh_token_required", "refresh_token is required");
-    const session = await refreshDeviceSession(
-      refreshToken,
-      {
-        appInstanceId: readString(body, "app_instance_id", "appInstanceId"),
-        label: readString(body, "device_label", "deviceLabel"),
-        platform: readString(body, "device_platform", "devicePlatform"),
-        model: readString(body, "device_model", "deviceModel")
-      },
-      paths
-    );
-    ctx.body = {
-      ok: true,
-      device: session.device,
-      access_token: { token: session.accessToken.token, expires_at: session.accessToken.expiresAt },
-      refresh_token: { token: session.refreshToken.token, expires_at: session.refreshToken.expiresAt }
-    };
-  });
-  router.post("/api/v1/auth/logout", async (ctx) => {
-    const body = await readJsonBody(ctx.req);
-    const refreshToken = readString(body, "refresh_token", "refreshToken");
-    if (refreshToken) await revokeDeviceRefreshToken(refreshToken, paths);
-    ctx.body = { ok: true };
-  });
-  return router;
-}
-
-// src/http/routes/devices.ts
-import Router5 from "@koa/router";
-function readString2(body, ...keys) {
-  if (!body || typeof body !== "object") return null;
-  for (const key of keys) {
-    const val = body[key];
-    if (typeof val === "string") return val;
-  }
-  return null;
-}
-async function readJsonBody2(req) {
-  return new Promise((resolve, reject) => {
-    let data = "";
-    req.setEncoding("utf8");
-    req.on("data", (chunk) => {
-      data += chunk;
-    });
-    req.on("end", () => {
-      try {
-        resolve(data ? JSON.parse(data) : {});
-      } catch {
-        resolve({});
-      }
-    });
-    req.on("error", reject);
-  });
-}
-function createDevicesRouter(options) {
-  const { paths, logger } = options;
-  const router = new Router5();
-  router.get("/api/v1/devices", async (ctx) => {
-    const auth = await authenticateRequest(ctx, paths);
-    const currentDevice = auth.device ? await recordDeviceSeen(
-      auth.device.id,
-      { appInstanceId: readAppInstanceIdHeader(ctx), model: readDeviceModelHeader(ctx) },
-      paths
-    ) ?? auth.device : null;
-    const [devices, summary] = await Promise.all([listDevices(paths), readDeviceSummary(paths)]);
-    const currentDeviceId = currentDevice?.id ?? null;
-    ctx.set("cache-control", "no-store");
-    ctx.body = {
-      ok: true,
-      current_device_id: currentDeviceId,
-      devices: devices.map((d) => ({ ...d, current: currentDeviceId === d.id })),
-      summary
-    };
-  });
-  router.delete("/api/v1/devices/:deviceId", async (ctx) => {
-    const auth = await authenticateRequest(ctx, paths);
-    const device = await revokeDeviceById(ctx.params.deviceId, paths);
-    const summary = await readDeviceSummary(paths);
-    ctx.body = {
-      ok: true,
-      current_device_revoked: auth.device?.id === device.id,
-      device: { ...device, current: auth.device?.id === device.id },
-      summary
-    };
-    logger.info({ device_id: device.id, current_device_revoked: auth.device?.id === device.id }, "device_revoked");
-  });
-  router.delete("/api/v1/devices/:deviceId/app-listing", async (ctx) => {
-    const auth = await authenticateRequest(ctx, paths);
-    const device = await hideRevokedDeviceFromAppList(ctx.params.deviceId, paths);
-    const summary = await readDeviceSummary(paths);
-    ctx.body = {
-      ok: true,
-      device: { ...device, current: auth.device?.id === device.id },
-      summary
-    };
-    logger.info({ device_id: device.id }, "device_app_listing_deleted");
-  });
-  router.patch("/api/v1/devices/:deviceId", async (ctx) => {
-    const auth = await authenticateRequest(ctx, paths);
-    const body = await readJsonBody2(ctx.req);
-    const label = readString2(body, "label", "device_label");
-    if (!label) throw new LinkHttpError(400, "device_label_required", "Device label is required");
-    const device = await renameDeviceById(ctx.params.deviceId, label, paths);
-    ctx.body = {
-      ok: true,
-      device: { ...device, current: auth.device?.id === device.id }
-    };
-    logger.info({ device_id: device.id }, "device_renamed");
-  });
-  return router;
-}
-
-// src/http/routes/conversations.ts
-import Router6 from "@koa/router";
-
-// src/http/sse-stream.ts
-function beginSseStream(req, res, options = {}) {
-  res.writeHead(200, {
-    "Content-Type": "text/event-stream",
-    "Cache-Control": "no-cache",
-    Connection: "keep-alive",
-    "X-Accel-Buffering": "no"
-  });
-  res.flushHeaders?.();
-  const heartbeat = setInterval(() => {
-    if (!res.writableEnded) res.write(": heartbeat\n\n");
-  }, 25e3);
-  heartbeat.unref?.();
-  const cleanup = () => {
-    clearInterval(heartbeat);
-    options.onClose?.();
-  };
-  req.once("close", cleanup);
-  req.once("aborted", cleanup);
-}
-function writeSseEvent(res, data) {
-  if (res.writableEnded) return;
-  const json = typeof data === "string" ? data : JSON.stringify(data);
-  const d = data;
-  if (d && typeof d.seq === "number") {
-    res.write(`id: ${d.seq}
-`);
-  }
-  if (d && typeof d.type === "string") {
-    res.write(`event: ${d.type}
-`);
-  }
-  res.write(`data: ${json}
-
-`);
-}
-
-// src/http/routes/conversations.ts
-var MAX_BLOB_UPLOAD_BYTES = 50 * 1024 * 1024;
-function readString3(body, ...keys) {
-  if (!body || typeof body !== "object") return null;
-  for (const key of keys) {
-    const val = body[key];
-    if (typeof val === "string") return val;
-  }
-  return null;
-}
-function readStringArray2(body, ...keys) {
-  if (!body || typeof body !== "object") return null;
-  for (const key of keys) {
-    const val = body[key];
-    if (Array.isArray(val) && val.every((v) => typeof v === "string")) return val;
-  }
-  return null;
-}
-function readQueryString(value) {
-  if (typeof value === "string" && value) return value;
-  return null;
-}
-function readLimit(value) {
-  const n = typeof value === "string" ? Number.parseInt(value, 10) : typeof value === "number" ? value : 20;
-  if (!Number.isFinite(n) || n < 1) return 20;
-  return Math.min(n, 100);
-}
-function readOptionalProfileName(body) {
-  return readString3(body, "profile", "profile_name", "profileName");
-}
-function readHeader(ctx, name) {
-  const val = ctx.get(name);
-  return val || null;
-}
-function resolveConversationEventCursor(options) {
-  const fromQuery = typeof options.queryAfter === "string" ? Number.parseInt(options.queryAfter, 10) : null;
-  if (fromQuery !== null && Number.isFinite(fromQuery)) return fromQuery;
-  const header = Array.isArray(options.lastEventIdHeader) ? options.lastEventIdHeader[0] : options.lastEventIdHeader;
-  if (typeof header === "string") {
-    const n = Number.parseInt(header, 10);
-    if (Number.isFinite(n)) return n;
-  }
-  return void 0;
-}
-function isConversationNotificationEvent(event) {
-  const type = event?.type;
-  if (typeof type !== "string") return false;
-  return ["conversation.updated", "message.created", "run.started", "run.completed", "run.failed", "run.cancelled"].includes(type);
-}
-async function readJsonBody3(req) {
-  return new Promise((resolve, reject) => {
-    let data = "";
-    req.setEncoding("utf8");
-    req.on("data", (chunk) => {
-      data += chunk;
-    });
-    req.on("end", () => {
-      try {
-        resolve(data ? JSON.parse(data) : {});
-      } catch {
-        resolve({});
-      }
-    });
-    req.on("error", reject);
-  });
-}
-async function readRawBody(req, maxBytes) {
-  return new Promise((resolve, reject) => {
-    const chunks = [];
-    let total = 0;
-    req.on("data", (chunk) => {
-      total += chunk.byteLength;
-      if (total > maxBytes) {
-        reject(new LinkHttpError(413, "blob_too_large", "Blob is too large"));
-        return;
-      }
-      chunks.push(chunk);
-    });
-    req.on("end", () => resolve(Buffer.concat(chunks)));
-    req.on("error", reject);
-  });
-}
-function readMessageAttachments(value) {
-  if (!Array.isArray(value)) return [];
-  return value;
-}
-function readUploadFilenameHeader(ctx) {
-  const cd = ctx.get("content-disposition");
-  if (!cd) return null;
-  const m = /filename="([^"]+)"/u.exec(cd);
-  return m ? m[1] ?? null : null;
-}
-function createConversationsRouter(options) {
-  const { paths, conversations } = options;
-  const router = new Router6();
-  router.get("/api/v1/conversations", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.set("cache-control", "no-store");
-    const result = await conversations.listConversationPage({
-      limit: readLimit(ctx.query.limit),
-      cursor: readQueryString(ctx.query.cursor) ?? readQueryString(ctx.query.after) ?? readQueryString(ctx.query.page_cursor)
-    });
-    ctx.body = { ok: true, conversations: result.conversations, page: result.page };
-  });
-  router.get("/api/v1/conversations/search", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.set("cache-control", "no-store");
-    const result = await conversations.searchConversationPage({
-      limit: readLimit(ctx.query.limit),
-      cursor: readQueryString(ctx.query.cursor) ?? readQueryString(ctx.query.after),
-      query: readQueryString(ctx.query.query) ?? readQueryString(ctx.query.q) ?? readQueryString(ctx.query.keyword) ?? ""
-    });
-    ctx.body = { ok: true, conversations: result.conversations, page: result.page };
-  });
-  router.post("/api/v1/conversations/clear-plans", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const plan = await conversations.prepareClearAllConversationPlan();
-    ctx.status = 201;
-    ctx.body = { ok: true, plan };
-  });
-  router.get("/api/v1/conversations/clear-plans/:planId", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.set("cache-control", "no-store");
-    ctx.body = { ok: true, plan: await conversations.readClearAllConversationPlan(ctx.params.planId) };
-  });
-  router.post("/api/v1/conversations/clear-plans/:planId/execute", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const plan = await conversations.startClearAllConversationPlan(ctx.params.planId);
-    const p = plan;
-    ctx.status = p.status === "completed" ? 200 : 202;
-    ctx.body = { ok: true, plan };
-  });
-  router.get("/api/v1/conversations/events", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const mode = readQueryString(ctx.query.mode);
-    const notificationOnly = mode === "notifications";
-    ctx.respond = false;
-    const response = ctx.res;
-    let unsubscribe = () => {
-    };
-    beginSseStream(ctx.req, response, { onClose: () => unsubscribe() });
-    unsubscribe = conversations.subscribeAll((event) => {
-      if (notificationOnly && !isConversationNotificationEvent(event)) return;
-      writeSseEvent(response, event);
-    });
-  });
-  router.delete("/api/v1/conversations", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const body = await readJsonBody3(ctx.req);
-    const conversationIds = readStringArray2(body, "conversation_ids", "conversationIds");
-    if (!conversationIds || conversationIds.length === 0) {
-      throw new LinkHttpError(400, "conversation_ids_required", "conversation_ids must be a non-empty array");
-    }
-    const deleted = await conversations.deleteConversations(conversationIds);
-    const ok = deleted.failed_count === 0;
-    ctx.status = ok ? 200 : 409;
-    ctx.body = {
-      ok,
-      ...!ok ? { error: { code: "conversation_bulk_delete_partial_failure", message: "Some conversations could not be deleted" } } : {},
-      ...deleted,
-      blob_gc_completed: true
-    };
-  });
-  router.post("/api/v1/conversations", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const body = await readJsonBody3(ctx.req);
-    ctx.status = 201;
-    ctx.body = {
-      ok: true,
-      conversation: await conversations.createConversation({
-        title: readString3(body, "title") ?? void 0,
-        profileName: readOptionalProfileName(body)
-      })
-    };
-  });
-  router.get("/api/v1/conversations/:conversationId/messages", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.set("cache-control", "no-store");
-    const result = await conversations.getMessages(ctx.params.conversationId, {
-      limit: readLimit(ctx.query.limit),
-      beforeMessageId: readQueryString(ctx.query.before_message_id) ?? readQueryString(ctx.query.before)
-    });
-    ctx.body = { ok: true, conversation_id: ctx.params.conversationId, ...result };
-  });
-  router.get("/api/v1/conversations/:conversationId/events", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const after = resolveConversationEventCursor({
-      queryAfter: ctx.query.after,
-      lastEventIdHeader: ctx.req.headers["last-event-id"]
-    });
-    const history = await conversations.listEvents(ctx.params.conversationId, after);
-    ctx.respond = false;
-    const response = ctx.res;
-    let unsubscribe = () => {
-    };
-    beginSseStream(ctx.req, response, { onClose: () => unsubscribe() });
-    for (const event of history) writeSseEvent(response, event);
-    unsubscribe = conversations.subscribe(ctx.params.conversationId, (event) => writeSseEvent(response, event));
-  });
-  router.post("/api/v1/conversations/:conversationId/messages", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const body = await readJsonBody3(ctx.req);
-    const content = readString3(body, "content", "text", "input") ?? "";
-    const attachments = readMessageAttachments(body?.attachments ?? body?.blobs);
-    if (!content && attachments.length === 0) {
-      throw new LinkHttpError(400, "message_content_required", "message content is required");
-    }
-    ctx.status = 202;
-    ctx.body = {
-      ok: true,
-      ...await conversations.sendMessage({
-        conversationId: ctx.params.conversationId,
-        content,
-        attachments,
-        clientMessageId: readString3(body, "client_message_id", "clientMessageId") ?? void 0,
-        idempotencyKey: readHeader(ctx, "idempotency-key") ?? void 0,
-        profileName: readOptionalProfileName(body)
-      })
-    };
-  });
-  router.patch("/api/v1/conversations/:conversationId/model", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const body = await readJsonBody3(ctx.req);
-    const modelId = readString3(body, "model_id", "modelId", "model");
-    if (!modelId) throw new LinkHttpError(400, "model_id_required", "model_id is required");
-    ctx.body = { ok: true, ...await conversations.setConversationModel(ctx.params.conversationId, modelId) };
-  });
-  router.patch("/api/v1/conversations/:conversationId/profile", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const body = await readJsonBody3(ctx.req);
-    const profileName = readOptionalProfileName(body);
-    if (!profileName) throw new LinkHttpError(400, "profile_required", "profile is required");
-    ctx.body = { ok: true, ...await conversations.setConversationProfile(ctx.params.conversationId, profileName) };
-  });
-  router.patch("/api/v1/conversations/:conversationId/title", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const body = await readJsonBody3(ctx.req);
-    const title = readString3(body, "title", "name", "display_name");
-    if (!title) throw new LinkHttpError(400, "title_required", "title is required");
-    ctx.body = { ok: true, ...await conversations.renameConversation(ctx.params.conversationId, title) };
-  });
-  router.post("/api/v1/conversations/:conversationId/ack", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.body = { ok: true };
-  });
-  router.post("/api/v1/conversations/:conversationId/runs/:runId/cancel", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.body = { ok: true, ...await conversations.cancelRun(ctx.params.conversationId, ctx.params.runId) };
-  });
-  router.post("/api/v1/conversations/:conversationId/approvals/:approvalId/approve", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const body = await readJsonBody3(ctx.req);
-    const scope = readString3(body, "scope") ?? "always";
-    ctx.body = { ok: true, ...await conversations.resolveApproval({ conversationId: ctx.params.conversationId, approvalId: ctx.params.approvalId, decision: scope }) };
-  });
-  router.post("/api/v1/conversations/:conversationId/approvals/:approvalId/deny", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.body = { ok: true, ...await conversations.resolveApproval({ conversationId: ctx.params.conversationId, approvalId: ctx.params.approvalId, decision: "deny" }) };
-  });
-  router.delete("/api/v1/conversations/:conversationId", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.body = { ok: true, ...await conversations.deleteConversation(ctx.params.conversationId), blob_gc_completed: true };
-  });
-  router.post("/api/v1/conversations/:conversationId/blobs", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const bytes = await readRawBody(ctx.req, MAX_BLOB_UPLOAD_BYTES);
-    if (bytes.byteLength === 0) throw new LinkHttpError(400, "blob_empty", "Blob body is empty");
-    const blob = await conversations.writeBlob(ctx.params.conversationId, {
-      bytes,
-      filename: readUploadFilenameHeader(ctx) ?? void 0,
-      mime: ctx.get("content-type") || void 0
-    });
-    ctx.status = 201;
-    ctx.body = { ok: true, blob };
-  });
-  router.get("/api/v1/conversations/:conversationId/blobs/:blobId", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const blob = await conversations.readBlob(ctx.params.conversationId, ctx.params.blobId);
-    ctx.type = blob.mime;
-    ctx.set("content-disposition", `inline; filename="${blob.filename}"`);
-    ctx.set("content-length", String(blob.size));
-    ctx.body = blob.bytes;
-  });
-  router.delete("/api/v1/conversations/:conversationId/blobs/:blobId", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.body = { ok: true, ...await conversations.deleteUnreferencedBlob(ctx.params.conversationId, ctx.params.blobId) };
-  });
-  return router;
-}
-
-// src/http/routes/pairing.ts
-import Router7 from "@koa/router";
-import path7 from "path";
-function readString4(body, ...keys) {
-  if (!body || typeof body !== "object") return null;
-  for (const key of keys) {
-    const val = body[key];
-    if (typeof val === "string") return val;
-  }
-  return null;
-}
-async function readJsonBody4(req) {
-  return new Promise((resolve, reject) => {
-    let data = "";
-    req.setEncoding("utf8");
-    req.on("data", (chunk) => {
-      data += chunk;
-    });
-    req.on("end", () => {
-      try {
-        resolve(data ? JSON.parse(data) : {});
-      } catch {
-        resolve({});
-      }
-    });
-    req.on("error", reject);
-  });
-}
-function pairingSessionPath(sessionId, paths) {
-  return path7.join(paths.pairingDir, `${Buffer.from(sessionId).toString("base64url")}.json`);
-}
-function pairingClaimPath(sessionId, paths) {
-  return path7.join(paths.pairingDir, `${Buffer.from(sessionId).toString("base64url")}.claimed.json`);
-}
-async function readPairingSession(sessionId, paths) {
-  const record = await readJsonFile(pairingSessionPath(sessionId, paths));
-  if (!record || record.session_id !== sessionId || typeof record.code !== "string" || typeof record.link_id !== "string") {
-    return null;
-  }
-  const r = record;
-  return {
-    session_id: r.session_id,
-    code: r.code,
-    link_id: r.link_id,
-    display_name: r.display_name,
-    local_api_url: r.local_api_url,
-    server_base_url: r.server_base_url,
-    relay_base_url: r.relay_base_url,
-    preferred_urls: Array.isArray(r.preferred_urls) ? r.preferred_urls.filter((v) => typeof v === "string") : [],
-    created_at: r.created_at,
-    expires_at: r.expires_at
-  };
-}
-function isPairingSessionExpired(session) {
-  const ms = Date.parse(session.expires_at);
-  return !Number.isFinite(ms) || Date.now() >= ms;
-}
-async function recordPairingClaim(input, paths) {
-  const record = {
-    session_id: input.sessionId,
-    device_id: input.deviceId,
-    device_label: input.deviceLabel,
-    device_platform: input.devicePlatform,
-    claimed_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  await writeJsonFile(pairingClaimPath(input.sessionId, paths), record);
-}
-function createPairingRouter(options) {
-  const { paths, logger, onPairingClaimed } = options;
-  const router = new Router7();
-  router.post("/api/v1/pairing/claim", async (ctx) => {
-    const body = await readJsonBody4(ctx.req);
-    const sessionId = readString4(body, "session_id", "sessionId");
-    const claimToken = readString4(body, "claim_token", "claimToken");
-    if (!sessionId || !claimToken) {
-      throw new LinkHttpError(400, "pairing_claim_invalid", "session_id and claim_token are required");
-    }
-    const [identity, localSession] = await Promise.all([
-      loadIdentity(paths),
-      readPairingSession(sessionId, paths)
-    ]);
-    if (!identity?.link_id) throw new LinkHttpError(409, "link_not_paired", "Hermes Link is not paired");
-    if (!localSession) throw new LinkHttpError(404, "pairing_session_not_found", "Pairing session was not found");
-    if (isPairingSessionExpired(localSession)) throw new LinkHttpError(404, "pairing_session_expired", "Pairing session has expired");
-    if (localSession.link_id !== identity.link_id) throw new LinkHttpError(409, "pairing_claim_mismatch", "Pairing claim does not match this Link");
-    if (localSession.code !== claimToken) {
-      throw new LinkHttpError(409, "pairing_claim_mismatch", "Pairing claim token does not match");
-    }
-    const appInstanceId = readString4(body, "app_instance_id", "appInstanceId");
-    const deviceLabel = readString4(body, "device_label", "deviceLabel") ?? "HermesPilot App";
-    const devicePlatform = readString4(body, "device_platform", "devicePlatform") ?? "unknown";
-    const session = await createDeviceSession(
-      { label: deviceLabel, platform: devicePlatform, model: readString4(body, "device_model", "deviceModel"), appInstanceId },
-      paths
-    );
-    ctx.body = {
-      link: { link_id: identity.link_id, display_name: "Hermes Link" },
-      device: session.device,
-      access_token: { token: session.accessToken.token, expires_at: session.accessToken.expiresAt },
-      refresh_token: { token: session.refreshToken.token, expires_at: session.refreshToken.expiresAt }
-    };
-    logger.info({ device_id: session.device.device_id, device_platform: session.device.platform }, "pairing_claimed");
-    const timer = setTimeout(() => {
-      void recordPairingClaim(
-        { sessionId, deviceId: session.device.device_id, deviceLabel, devicePlatform },
-        paths
-      ).catch(() => void 0);
-      onPairingClaimed?.();
-    }, 250);
-    timer.unref?.();
-  });
-  return router;
-}
-
-// src/relay/relay-client.ts
-import { EventEmitter } from "events";
-
-// src/relay/bootstrap.ts
-async function bootstrapWithRelay(options) {
-  const fetcher = options.fetchImpl ?? fetch;
-  const baseUrl = options.relayBaseUrl.replace(/\/+$/u, "");
-  const nonceResponse = await fetcher(`${baseUrl}/api/v1/relay/links/nonce`, {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({ install_id: options.identity.install_id })
-  });
-  if (!nonceResponse.ok) {
-    throw new Error(`Relay nonce request failed: ${nonceResponse.status}`);
-  }
-  const nonceBody = await nonceResponse.json();
-  const nonce = typeof nonceBody.nonce === "string" ? nonceBody.nonce : null;
-  if (!nonce) {
-    throw new Error("Relay did not return a nonce");
-  }
-  const signature = signRelayNonce(options.identity, nonce);
-  const registerResponse = await fetcher(`${baseUrl}/api/v1/relay/links`, {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({
-      install_id: options.identity.install_id,
-      public_key_pem: options.identity.public_key_pem,
-      nonce,
-      signature,
-      port: options.port
-    })
-  });
-  if (!registerResponse.ok) {
-    throw new Error(`Relay registration failed: ${registerResponse.status}`);
-  }
-  const registerBody = await registerResponse.json();
-  const linkId = typeof registerBody.link_id === "string" ? registerBody.link_id : null;
-  const token = typeof registerBody.token === "string" ? registerBody.token : null;
-  if (!linkId || !token) {
-    throw new Error("Relay registration response missing link_id or token");
-  }
-  return { linkId, token };
-}
-async function refreshRelayToken(options) {
-  const fetcher = options.fetchImpl ?? fetch;
-  const baseUrl = options.relayBaseUrl.replace(/\/+$/u, "");
-  const nonceResponse = await fetcher(`${baseUrl}/api/v1/relay/links/nonce`, {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({ install_id: options.identity.install_id })
-  });
-  if (!nonceResponse.ok) {
-    throw new Error(`Relay nonce request failed: ${nonceResponse.status}`);
-  }
-  const nonceBody = await nonceResponse.json();
-  const nonce = typeof nonceBody.nonce === "string" ? nonceBody.nonce : null;
-  if (!nonce) throw new Error("Relay did not return a nonce");
-  const signature = signRelayNonce(options.identity, nonce);
-  const tokenResponse = await fetcher(
-    `${baseUrl}/api/v1/relay/links/${options.identity.link_id}/token`,
-    {
-      method: "POST",
-      headers: { "content-type": "application/json" },
-      body: JSON.stringify({
-        install_id: options.identity.install_id,
-        nonce,
-        signature
-      })
-    }
-  );
-  if (!tokenResponse.ok) {
-    throw new Error(`Relay token refresh failed: ${tokenResponse.status}`);
-  }
-  const tokenBody = await tokenResponse.json();
-  const token = typeof tokenBody.token === "string" ? tokenBody.token : null;
-  if (!token) throw new Error("Relay did not return a token");
-  return token;
-}
-
-// src/relay/relay-client.ts
-var WS;
-try {
-  WS = WebSocket;
-} catch {
-}
-var RelayClient = class extends EventEmitter {
-  options;
-  ws = null;
-  state = "disconnected";
-  token;
-  logger;
-  reconnectTimer = null;
-  pingTimer = null;
-  reconnectDelay;
-  closed = false;
-  constructor(options) {
-    super();
-    this.options = options;
-    this.token = options.token;
-    this.reconnectDelay = options.reconnectDelayMs ?? 1e3;
-    this.logger = createFileLogger({ paths: options.paths });
-  }
-  get currentState() {
-    return this.state;
-  }
-  start() {
-    if (this.closed) return;
-    this.connect();
-  }
-  stop() {
-    this.closed = true;
-    this.clearTimers();
-    if (this.ws) {
-      this.state = "closing";
-      try {
-        this.ws.close(1e3, "client shutdown");
-      } catch {
-      }
-    }
-  }
-  send(message) {
-    if (this.state !== "connected" || !this.ws) return;
-    try {
-      this.ws.send(JSON.stringify(message));
-    } catch (err) {
-      this.logger.warn("Failed to send relay message", { error: String(err) }).catch(() => void 0);
-    }
-  }
-  connect() {
-    if (this.closed) return;
-    this.state = "connecting";
-    const wsUrl = this.buildWsUrl();
-    try {
-      const ws = new WS(wsUrl, {
-        headers: { authorization: `Bearer ${this.token}` }
-      });
-      this.ws = ws;
-      ws.addEventListener("open", () => {
-        this.reconnectDelay = this.options.reconnectDelayMs ?? 1e3;
-        this.state = "connected";
-        this.startPing();
-        this.emit("connected");
-        this.logger.info("Relay WebSocket connected").catch(() => void 0);
-      });
-      ws.addEventListener("message", (event) => {
-        try {
-          const message = JSON.parse(event.data);
-          this.emit("message", message);
-        } catch {
-        }
-      });
-      ws.addEventListener("close", (event) => {
-        this.stopPing();
-        this.ws = null;
-        this.state = "disconnected";
-        this.emit("disconnected", { code: event.code, reason: event.reason });
-        if (!this.closed) {
-          this.scheduleReconnect();
-        }
-      });
-      ws.addEventListener("error", (event) => {
-        this.logger.warn("Relay WebSocket error", { error: String(event) }).catch(() => void 0);
-      });
-    } catch (err) {
-      this.state = "disconnected";
-      this.logger.warn("Failed to create WebSocket", { error: String(err) }).catch(() => void 0);
-      if (!this.closed) {
-        this.scheduleReconnect();
-      }
-    }
-  }
-  buildWsUrl() {
-    const base = this.options.relayBaseUrl.replace(/\/+$/u, "").replace(/^http/u, "ws");
-    return `${base}/api/v1/relay/links/${this.options.identity.link_id}/ws`;
-  }
-  scheduleReconnect() {
-    const maxDelay = this.options.maxReconnectDelayMs ?? 3e4;
-    const delay = Math.min(this.reconnectDelay, maxDelay);
-    this.reconnectDelay = Math.min(this.reconnectDelay * 2, maxDelay);
-    this.reconnectTimer = setTimeout(() => {
-      if (this.closed) return;
-      this.maybeRefreshTokenAndReconnect().catch(() => void 0);
-    }, delay);
-  }
-  async maybeRefreshTokenAndReconnect() {
-    try {
-      this.token = await refreshRelayToken({
-        relayBaseUrl: this.options.relayBaseUrl,
-        identity: this.options.identity,
-        fetchImpl: this.options.fetchImpl
-      });
-    } catch {
-    }
-    this.connect();
-  }
-  startPing() {
-    const intervalMs = this.options.pingIntervalMs ?? 25e3;
-    this.pingTimer = setInterval(() => {
-      if (this.state === "connected" && this.ws) {
-        try {
-          this.ws.send(JSON.stringify({ type: "ping" }));
-        } catch {
-        }
-      }
-    }, intervalMs);
-  }
-  stopPing() {
-    if (this.pingTimer !== null) {
-      clearInterval(this.pingTimer);
-      this.pingTimer = null;
-    }
-  }
-  clearTimers() {
-    this.stopPing();
-    if (this.reconnectTimer !== null) {
-      clearTimeout(this.reconnectTimer);
-      this.reconnectTimer = null;
-    }
-  }
-};
-
-// src/storage/sqlite.ts
-import Database from "better-sqlite3";
-function openSqliteDatabase(filePath, options = {}) {
-  return new Database(filePath, {
-    ...options.readonly === void 0 ? {} : { readonly: options.readonly, fileMustExist: options.readonly },
-    ...options.timeout === void 0 ? {} : { timeout: options.timeout }
-  });
-}
-
-// src/storage/link-database.ts
-import { mkdir as mkdir5 } from "fs/promises";
-import path8 from "path";
-async function initLinkDatabase(paths) {
-  await mkdir5(path8.dirname(paths.databaseFile), { recursive: true, mode: 448 });
-  const db = openDb(paths);
-  try {
-    db.exec(`
-      PRAGMA foreign_keys = ON;
-      PRAGMA busy_timeout = 5000;
-      PRAGMA journal_mode = WAL;
-
-      CREATE TABLE IF NOT EXISTS conversation_stats (
-        conversation_id   TEXT PRIMARY KEY,
-        kind              TEXT NOT NULL,
-        title             TEXT NOT NULL,
-        status            TEXT NOT NULL,
-        hermes_session_id TEXT NOT NULL,
-        profile_uid       TEXT,
-        profile_name_snapshot TEXT,
-        profile           TEXT,
-        model             TEXT,
-        provider          TEXT,
-        context_window    INTEGER,
-        input_tokens      INTEGER NOT NULL DEFAULT 0,
-        output_tokens     INTEGER NOT NULL DEFAULT 0,
-        total_tokens      INTEGER NOT NULL DEFAULT 0,
-        message_count     INTEGER NOT NULL DEFAULT 0,
-        run_count         INTEGER NOT NULL DEFAULT 0,
-        created_at        TEXT NOT NULL,
-        updated_at        TEXT NOT NULL,
-        deleted_at        TEXT,
-        stats_updated_at  TEXT NOT NULL
-      );
-      CREATE INDEX IF NOT EXISTS idx_conversation_stats_status
-        ON conversation_stats(status);
-      CREATE INDEX IF NOT EXISTS idx_conversation_stats_updated_at
-        ON conversation_stats(updated_at);
-      CREATE INDEX IF NOT EXISTS idx_conversation_stats_model
-        ON conversation_stats(model);
-      CREATE INDEX IF NOT EXISTS idx_conversation_stats_profile
-        ON conversation_stats(profile);
-      CREATE INDEX IF NOT EXISTS idx_conversation_stats_profile_uid
-        ON conversation_stats(profile_uid);
-      CREATE INDEX IF NOT EXISTS idx_conversation_stats_profile_name_snapshot
-        ON conversation_stats(profile_name_snapshot);
-
-      CREATE TABLE IF NOT EXISTS profile_registry (
-        profile_uid   TEXT PRIMARY KEY,
-        profile_name  TEXT NOT NULL UNIQUE,
-        profile_path  TEXT NOT NULL,
-        display_name  TEXT,
-        description   TEXT,
-        avatar_type   TEXT NOT NULL DEFAULT 'default',
-        avatar_url    TEXT,
-        created_at    TEXT NOT NULL,
-        updated_at    TEXT NOT NULL
-      );
-      CREATE INDEX IF NOT EXISTS idx_profile_registry_profile_name
-        ON profile_registry(profile_name);
-
-      CREATE TABLE IF NOT EXISTS run_usage_facts (
-        run_id                TEXT PRIMARY KEY,
-        conversation_id       TEXT NOT NULL,
-        profile_uid           TEXT,
-        profile_name_snapshot TEXT,
-        profile               TEXT,
-        model                 TEXT,
-        provider              TEXT,
-        input_tokens          INTEGER NOT NULL DEFAULT 0,
-        output_tokens         INTEGER NOT NULL DEFAULT 0,
-        total_tokens          INTEGER NOT NULL DEFAULT 0,
-        message_count         INTEGER NOT NULL DEFAULT 0,
-        started_at            TEXT NOT NULL,
-        completed_at          TEXT NOT NULL,
-        updated_at            TEXT NOT NULL
-      );
-      CREATE INDEX IF NOT EXISTS idx_run_usage_facts_completed_at
-        ON run_usage_facts(completed_at);
-      CREATE INDEX IF NOT EXISTS idx_run_usage_facts_conversation_id
-        ON run_usage_facts(conversation_id);
-      CREATE INDEX IF NOT EXISTS idx_run_usage_facts_model
-        ON run_usage_facts(model);
-      CREATE INDEX IF NOT EXISTS idx_run_usage_facts_profile_uid
-        ON run_usage_facts(profile_uid);
-      CREATE INDEX IF NOT EXISTS idx_run_usage_facts_profile_name_snapshot
-        ON run_usage_facts(profile_name_snapshot);
-    `);
-  } finally {
-    db.close();
-  }
-}
-function openDb(paths) {
-  const db = openSqliteDatabase(paths.databaseFile, { timeout: 5e3 });
-  db.exec("PRAGMA foreign_keys = ON; PRAGMA busy_timeout = 5000; PRAGMA journal_mode = WAL;");
-  return db;
-}
-
-// src/conversations/service.ts
-import { EventEmitter as EventEmitter2 } from "events";
-import crypto4 from "crypto";
-
-// src/conversations/store.ts
-import { mkdir as mkdir6, readFile as readFile4, rm as rm4, writeFile as writeFile2 } from "fs/promises";
-import path9 from "path";
-import crypto2 from "crypto";
-function createConversationId() {
-  return `conv_${crypto2.randomUUID().replaceAll("-", "")}`;
-}
-function createMessageId() {
-  return `msg_${crypto2.randomUUID().replaceAll("-", "")}`;
-}
-function createRunId() {
-  return `run_${crypto2.randomUUID().replaceAll("-", "")}`;
-}
-function conversationDir(paths, conversationId) {
-  return path9.join(paths.conversationsDir, conversationId);
-}
-function manifestPath(paths, conversationId) {
-  return path9.join(conversationDir(paths, conversationId), "manifest.json");
-}
-function snapshotPath(paths, conversationId) {
-  return path9.join(conversationDir(paths, conversationId), "snapshot.json");
-}
-function eventsPath(paths, conversationId) {
-  return path9.join(conversationDir(paths, conversationId), "events.json");
-}
-function blobPath(paths, blobId) {
-  return path9.join(paths.blobsDir, blobId);
-}
-async function readJson(filePath, fallback) {
-  try {
-    const raw = await readFile4(filePath, "utf8");
-    return JSON.parse(raw);
-  } catch {
-    return fallback;
-  }
-}
-async function writeJson(filePath, data) {
-  await mkdir6(path9.dirname(filePath), { recursive: true, mode: 448 });
-  await writeFile2(filePath, JSON.stringify(data), { mode: 384 });
-}
-function assertValidConversationId(id) {
-  if (!/^conv_[a-zA-Z0-9]+$/u.test(id)) {
-    throw new LinkHttpError(400, "invalid_conversation_id", "Invalid conversation ID");
-  }
-}
-async function readManifest(paths, conversationId) {
-  assertValidConversationId(conversationId);
-  return readJson(manifestPath(paths, conversationId), null);
-}
-async function readActiveManifest(paths, conversationId) {
-  const manifest = await readManifest(paths, conversationId);
-  if (!manifest || manifest.status === "deleted_soft") {
-    throw new LinkHttpError(404, "conversation_not_found", "Conversation was not found");
-  }
-  return manifest;
-}
-async function writeManifest(paths, manifest) {
-  await writeJson(manifestPath(paths, manifest.id), manifest);
-}
-async function readSnapshot(paths, conversationId) {
-  return readJson(snapshotPath(paths, conversationId), { messages: [], runs: [] });
-}
-async function writeSnapshot(paths, conversationId, snapshot) {
-  await writeJson(snapshotPath(paths, conversationId), snapshot);
-}
-async function readEvents(paths, conversationId) {
-  return readJson(eventsPath(paths, conversationId), []);
-}
-async function appendEvent(paths, conversationId, event, manifestRef) {
-  const events = await readEvents(paths, conversationId);
-  const seq = (manifestRef.last_event_seq ?? 0) + 1;
-  manifestRef.last_event_seq = seq;
-  const fullEvent = {
-    ...event,
-    seq,
-    conversation_id: conversationId,
-    created_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  events.push(fullEvent);
-  await writeJson(eventsPath(paths, conversationId), events);
-  return fullEvent;
-}
-async function listConversationIds(paths) {
-  try {
-    const { readdir: readdir3 } = await import("fs/promises");
-    const entries = await readdir3(paths.conversationsDir, { withFileTypes: true });
-    return entries.filter((e) => e.isDirectory() && e.name.startsWith("conv_")).map((e) => e.name);
-  } catch {
-    return [];
-  }
-}
-
-// src/conversations/blobs.ts
-import { mkdir as mkdir7, readFile as readFile5, rm as rm5, writeFile as writeFile3 } from "fs/promises";
-import path10 from "path";
-import crypto3 from "crypto";
-var MAX_BLOB_UPLOAD_BYTES2 = 50 * 1024 * 1024;
-function blobManifestPath(paths, blobId) {
-  return `${blobPath(paths, blobId)}.json`;
-}
-function normalizeMime(mime, filename) {
-  if (mime && mime !== "application/octet-stream") return mime;
-  if (filename) {
-    const ext = path10.extname(filename).toLowerCase();
-    const mimeMap = {
-      ".jpg": "image/jpeg",
-      ".jpeg": "image/jpeg",
-      ".png": "image/png",
-      ".gif": "image/gif",
-      ".webp": "image/webp",
-      ".mp3": "audio/mpeg",
-      ".mp4": "video/mp4",
-      ".wav": "audio/wav",
-      ".pdf": "application/pdf",
-      ".txt": "text/plain",
-      ".json": "application/json"
-    };
-    if (mimeMap[ext]) return mimeMap[ext];
-  }
-  return "application/octet-stream";
-}
-function sanitizeFilename(filename, fallback) {
-  if (!filename) return fallback;
-  return path10.basename(filename).replace(/[^\w.\-]/gu, "_").slice(0, 255) || fallback;
-}
-async function writeBlob(paths, conversationId, input) {
-  assertValidConversationId(conversationId);
-  if (input.bytes.byteLength === 0) {
-    throw new LinkHttpError(400, "blob_empty", "Blob body is empty");
-  }
-  if (input.bytes.byteLength > MAX_BLOB_UPLOAD_BYTES2) {
-    throw new LinkHttpError(413, "blob_too_large", "Blob is too large");
-  }
-  const id = `blob_${crypto3.randomUUID().replaceAll("-", "")}`;
-  const filePath = blobPath(paths, id);
-  await mkdir7(path10.dirname(filePath), { recursive: true, mode: 448 });
-  await writeFile3(filePath, input.bytes, { mode: 384 });
-  const blob = {
-    id,
-    size: input.bytes.byteLength,
-    mime: normalizeMime(input.mime, input.filename),
-    filename: sanitizeFilename(input.filename, id),
-    created_at: (/* @__PURE__ */ new Date()).toISOString(),
-    conversation_ids: [conversationId]
-  };
-  await writeJsonFile(blobManifestPath(paths, id), blob);
-  return blob;
-}
-async function readBlob(paths, conversationId, blobId) {
-  assertValidConversationId(conversationId);
-  const manifest = await readBlobManifest(paths, conversationId, blobId);
-  const filePath = blobPath(paths, blobId);
-  const bytes = await readFile5(filePath).catch((err) => {
-    if (err.code === "ENOENT") throw new LinkHttpError(404, "blob_not_found", "Blob was not found");
-    throw err;
-  });
-  return {
-    bytes,
-    mime: manifest.mime || "application/octet-stream",
-    filename: manifest.filename || blobId,
-    size: manifest.size || bytes.byteLength
-  };
-}
-async function readBlobManifest(paths, conversationId, blobId) {
-  const raw = await readJsonFile(blobManifestPath(paths, blobId));
-  if (!raw || typeof raw !== "object") {
-    throw new LinkHttpError(404, "blob_not_found", "Blob was not found");
-  }
-  const manifest = raw;
-  if (!manifest.conversation_ids?.includes(conversationId)) {
-    throw new LinkHttpError(404, "blob_not_found", "Blob was not found");
-  }
-  return raw;
-}
-function isBlobReferenced(snapshot, blobId) {
-  return snapshot.messages.some(
-    (m) => m.parts.some((p) => p.blob === blobId) || m.attachments.some((a) => a.blob_id === blobId)
-  );
-}
-async function deleteUnreferencedBlob(paths, conversationId, blobId, snapshot) {
-  assertValidConversationId(conversationId);
-  if (isBlobReferenced(snapshot, blobId)) {
-    throw new LinkHttpError(409, "blob_in_use", "Blob is already referenced by a conversation message");
-  }
-  const manifestPath2 = blobManifestPath(paths, blobId);
-  const raw = await readJsonFile(manifestPath2);
-  const manifest = raw;
-  const nextIds = (manifest?.conversation_ids ?? []).filter((id) => id !== conversationId);
-  if (nextIds.length > 0) {
-    await writeJsonFile(manifestPath2, { ...manifest, conversation_ids: nextIds });
-  } else {
-    await rm5(blobPath(paths, blobId), { force: true }).catch(() => void 0);
-    await rm5(manifestPath2, { force: true }).catch(() => void 0);
-  }
-  return { deleted: true, blob_id: blobId };
-}
-
-// src/conversations/service.ts
-var conversationLocks = /* @__PURE__ */ new Map();
-function withConversationLock(id, fn) {
-  const current = conversationLocks.get(id) ?? Promise.resolve();
-  const next = current.then(fn, fn);
-  conversationLocks.set(id, next.catch(() => void 0));
-  return next;
-}
-function normalizeLimit(value, defaultValue, max) {
-  const n = typeof value === "string" ? Number.parseInt(value, 10) : typeof value === "number" ? value : defaultValue;
-  if (!Number.isFinite(n) || n < 1) return defaultValue;
-  return Math.min(n, max);
-}
-var ConversationService = class extends EventEmitter2 {
-  paths;
-  constructor(paths) {
-    super();
-    this.setMaxListeners(200);
-    this.paths = paths;
-  }
-  subscribeAll(handler) {
-    this.on("event", handler);
-    return () => this.off("event", handler);
-  }
-  subscribe(conversationId, handler) {
-    const key = `event:${conversationId}`;
-    this.on(key, handler);
-    return () => this.off(key, handler);
-  }
-  emit2(event) {
-    const e = event;
-    this.emit("event", e);
-    this.emit(`event:${event.conversation_id}`, e);
-  }
-  async appendAndEmit(conversationId, event, manifest) {
-    const full = await appendEvent(this.paths, conversationId, event, manifest);
-    this.emit2(full);
-    return full;
-  }
-  async listEvents(conversationId, after) {
-    const events = await readEvents(this.paths, conversationId);
-    if (after === void 0 || after === null) return events;
-    return events.filter((e) => e.seq > after);
-  }
-  async listConversationPage(options = {}) {
-    const limit = normalizeLimit(options.limit, 20, 100);
-    const ids = await listConversationIds(this.paths);
-    const manifests = [];
-    for (const id of ids) {
-      const m = await readManifest(this.paths, id);
-      if (m && m.status !== "deleted_soft") manifests.push(m);
-    }
-    manifests.sort((a, b) => b.updated_at.localeCompare(a.updated_at));
-    let startIndex = 0;
-    if (options.cursor) {
-      const idx = manifests.findIndex((m) => m.id === options.cursor);
-      if (idx >= 0) startIndex = idx + 1;
-    }
-    const page = manifests.slice(startIndex, startIndex + limit);
-    const hasMore = startIndex + limit < manifests.length;
-    return {
-      conversations: page.map((m) => this.summarizeManifest(m)),
-      page: {
-        limit,
-        has_more: hasMore,
-        next_cursor: hasMore && page.length > 0 ? page[page.length - 1]?.id ?? null : null
-      }
-    };
-  }
-  async searchConversationPage(options = {}) {
-    if (!options.query?.trim()) return this.listConversationPage(options);
-    const q = options.query.trim().toLowerCase();
-    const limit = normalizeLimit(options.limit, 20, 100);
-    const ids = await listConversationIds(this.paths);
-    const results = [];
-    for (const id of ids) {
-      const m = await readManifest(this.paths, id);
-      if (m && m.status !== "deleted_soft" && m.title.toLowerCase().includes(q)) {
-        results.push(m);
-      }
-    }
-    results.sort((a, b) => b.updated_at.localeCompare(a.updated_at));
-    const page = results.slice(0, limit);
-    return {
-      conversations: page.map((m) => this.summarizeManifest(m)),
-      page: { limit, has_more: results.length > limit, next_cursor: null }
-    };
-  }
-  async createConversation(options = {}) {
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const id = createConversationId();
-    const manifest = {
-      id,
-      kind: "chat",
-      title: options.title ?? "New conversation",
-      status: "active",
-      hermes_session_id: null,
-      profile_uid: null,
-      profile_name_snapshot: options.profileName ?? null,
-      profile: options.profileName ?? null,
-      last_event_seq: 0,
-      created_at: now,
-      updated_at: now,
-      deleted_at: null
-    };
-    await writeManifest(this.paths, manifest);
-    return this.summarizeManifest(manifest);
-  }
-  async getMessages(conversationId, options = {}) {
-    const manifest = await readActiveManifest(this.paths, conversationId);
-    const snapshot = await readSnapshot(this.paths, conversationId);
-    const limit = normalizeLimit(options.limit, 50, 200);
-    const total = snapshot.messages.length;
-    const endIndex = options.beforeMessageId ? snapshot.messages.findIndex((m) => m.id === options.beforeMessageId) : total;
-    if (endIndex < 0) throw new LinkHttpError(400, "message_cursor_not_found", "Message cursor was not found");
-    const startIndex = Math.max(0, endIndex - limit);
-    const messages = snapshot.messages.slice(startIndex, endIndex);
-    return {
-      messages,
-      last_event_seq: manifest.last_event_seq,
-      page: {
-        limit,
-        has_more_before: startIndex > 0,
-        has_more_after: endIndex < total,
-        oldest_message_id: messages[0]?.id ?? null,
-        newest_message_id: messages[messages.length - 1]?.id ?? null
-      }
-    };
-  }
-  async sendMessage(input) {
-    return withConversationLock(input.conversationId, () => this.sendMessageLocked(input));
-  }
-  async sendMessageLocked(input) {
-    const content = input.content.trim();
-    if (!content) throw new LinkHttpError(400, "message_content_required", "message content is required");
-    const manifest = await readActiveManifest(this.paths, input.conversationId);
-    const snapshot = await readSnapshot(this.paths, input.conversationId);
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const runId = createRunId();
-    const userMessageId = createMessageId();
-    const assistantMessageId = createMessageId();
-    const hasActive = snapshot.runs.some((r) => r.status === "running" || r.status === "queued");
-    const userMessage = {
-      id: userMessageId,
-      schema_version: 1,
-      conversation_id: manifest.id,
-      role: "user",
-      status: hasActive ? "queued" : "completed",
-      client_message_id: input.clientMessageId ?? void 0,
-      created_at: now,
-      updated_at: now,
-      sender: { id: "app_user", type: "human", display_name: "Me" },
-      parts: [{ type: "text", text: content }],
-      attachments: []
-    };
-    const assistantMessage = {
-      id: assistantMessageId,
-      schema_version: 1,
-      conversation_id: manifest.id,
-      role: "assistant",
-      status: hasActive ? "queued" : "streaming",
-      run_id: runId,
-      created_at: now,
-      updated_at: now,
-      sender: { id: "agent_default", type: "agent", display_name: "Hermes", profile: manifest.profile ?? void 0 },
-      parts: [{ type: "text", text: "" }],
-      attachments: []
-    };
-    const run = {
-      id: runId,
-      kind: "agent",
-      conversation_id: manifest.id,
-      trigger_message_id: userMessageId,
-      assistant_message_id: assistantMessageId,
-      hermes_session_id: manifest.hermes_session_id,
-      status: hasActive ? "queued" : "running",
-      started_at: now,
-      profile_name_snapshot: manifest.profile ?? void 0,
-      profile: manifest.profile ?? void 0
-    };
-    snapshot.messages.push(userMessage, assistantMessage);
-    snapshot.runs.push(run);
-    await writeSnapshot(this.paths, manifest.id, snapshot);
-    if (manifest.title === "New conversation") {
-      manifest.title = content.slice(0, 60);
-    }
-    manifest.updated_at = now;
-    await writeManifest(this.paths, manifest);
-    await this.appendAndEmit(manifest.id, { type: "message.created", message_id: userMessageId, payload: { message: userMessage } }, manifest);
-    await this.appendAndEmit(manifest.id, { type: "message.created", message_id: assistantMessageId, run_id: runId, payload: { message: assistantMessage } }, manifest);
-    const latestEvent = await this.appendAndEmit(manifest.id, { type: "run.started", message_id: assistantMessageId, run_id: runId, payload: { run } }, manifest);
-    await writeManifest(this.paths, manifest);
-    return {
-      conversation_id: manifest.id,
-      user_message: { id: userMessageId, status: userMessage.status },
-      assistant_message: { id: assistantMessageId, status: assistantMessage.status },
-      run: { id: runId, status: run.status },
-      last_event_seq: latestEvent.seq,
-      conversation: this.summarizeManifest(manifest)
-    };
-  }
-  async cancelRun(conversationId, runId) {
-    return withConversationLock(conversationId, async () => {
-      const manifest = await readActiveManifest(this.paths, conversationId);
-      const snapshot = await readSnapshot(this.paths, conversationId);
-      const run = snapshot.runs.find((r) => r.id === runId);
-      if (!run) throw new LinkHttpError(404, "run_not_found", "Run was not found");
-      if (run.status !== "running" && run.status !== "queued") {
-        return { conversation_id: conversationId, run: { id: run.id, status: run.status }, last_event_seq: manifest.last_event_seq };
-      }
-      const now = (/* @__PURE__ */ new Date()).toISOString();
-      run.status = "cancelled";
-      run.completed_at = now;
-      const assistant = snapshot.messages.find((m) => m.id === run.assistant_message_id);
-      if (assistant) {
-        assistant.status = "failed";
-        assistant.updated_at = now;
-      }
-      await writeSnapshot(this.paths, conversationId, snapshot);
-      await this.appendAndEmit(conversationId, { type: "run.cancelled", run_id: runId, payload: { run } }, manifest);
-      await writeManifest(this.paths, manifest);
-      return { conversation_id: conversationId, run: { id: run.id, status: run.status }, last_event_seq: manifest.last_event_seq };
-    });
-  }
-  async deleteConversation(conversationId) {
-    assertValidConversationId(conversationId);
-    return withConversationLock(conversationId, async () => {
-      const manifest = await readActiveManifest(this.paths, conversationId);
-      const now = (/* @__PURE__ */ new Date()).toISOString();
-      manifest.status = "deleted_soft";
-      manifest.deleted_at = now;
-      manifest.updated_at = now;
-      await writeManifest(this.paths, manifest);
-      return { conversation_id: conversationId, deleted_at: now };
-    });
-  }
-  async deleteConversations(conversationIds) {
-    const results = [];
-    let failedCount = 0;
-    for (const id of conversationIds) {
-      try {
-        const deleted = await this.deleteConversation(id);
-        results.push({ ...deleted, status: "deleted" });
-      } catch (err) {
-        failedCount++;
-        results.push({
-          conversation_id: id,
-          status: "failed",
-          error: { code: err instanceof LinkHttpError ? err.code : "internal_error", message: err.message }
-        });
-      }
-    }
-    return { deleted_count: conversationIds.length - failedCount, failed_count: failedCount, conversations: results };
-  }
-  async renameConversation(conversationId, title) {
-    return withConversationLock(conversationId, async () => {
-      const manifest = await readActiveManifest(this.paths, conversationId);
-      manifest.title = title;
-      manifest.updated_at = (/* @__PURE__ */ new Date()).toISOString();
-      await writeManifest(this.paths, manifest);
-      await this.appendAndEmit(conversationId, { type: "conversation.updated", payload: { conversation: this.summarizeManifest(manifest) } }, manifest);
-      await writeManifest(this.paths, manifest);
-      return { conversation_id: conversationId, title };
-    });
-  }
-  async setConversationModel(conversationId, modelId) {
-    return withConversationLock(conversationId, async () => {
-      const manifest = await readActiveManifest(this.paths, conversationId);
-      manifest.updated_at = (/* @__PURE__ */ new Date()).toISOString();
-      await writeManifest(this.paths, manifest);
-      return { conversation_id: conversationId, model_id: modelId };
-    });
-  }
-  async setConversationProfile(conversationId, profileName) {
-    return withConversationLock(conversationId, async () => {
-      const manifest = await readActiveManifest(this.paths, conversationId);
-      manifest.profile = profileName;
-      manifest.profile_name_snapshot = profileName;
-      manifest.updated_at = (/* @__PURE__ */ new Date()).toISOString();
-      await writeManifest(this.paths, manifest);
-      return { conversation_id: conversationId, profile: profileName };
-    });
-  }
-  async ackConversation(conversationId, lastEventSeq) {
-    const manifest = await readActiveManifest(this.paths, conversationId);
-    return { conversation_id: conversationId, last_event_seq: manifest.last_event_seq, acked_seq: lastEventSeq };
-  }
-  async writeBlob(conversationId, input) {
-    return writeBlob(this.paths, conversationId, input);
-  }
-  async readBlob(conversationId, blobId) {
-    return readBlob(this.paths, conversationId, blobId);
-  }
-  async deleteUnreferencedBlob(conversationId, blobId) {
-    const snapshot = await readSnapshot(this.paths, conversationId);
-    return deleteUnreferencedBlob(this.paths, conversationId, blobId, snapshot);
-  }
-  async deleteLocalConversationsForProfile(options) {
-    const ids = await listConversationIds(this.paths);
-    let count = 0;
-    for (const id of ids) {
-      const m = await readManifest(this.paths, id);
-      if (!m || m.status === "deleted_soft") continue;
-      if (m.profile === options.profileName || options.profileUid && m.profile_uid === options.profileUid) {
-        await this.deleteConversation(id);
-        count++;
-      }
-    }
-    return { deleted_count: count };
-  }
-  async prepareClearAllConversationPlan() {
-    const planId = `plan_${crypto4.randomUUID().replaceAll("-", "")}`;
-    const ids = await listConversationIds(this.paths);
-    const activeIds = [];
-    for (const id of ids) {
-      const m = await readManifest(this.paths, id);
-      if (m && m.status === "active") activeIds.push(id);
-    }
-    return {
-      id: planId,
-      status: "pending",
-      conversation_count: activeIds.length,
-      conversation_ids: activeIds,
-      created_at: (/* @__PURE__ */ new Date()).toISOString()
-    };
-  }
-  async readClearAllConversationPlan(planId) {
-    return { id: planId, status: "pending", conversation_count: 0, conversation_ids: [], created_at: (/* @__PURE__ */ new Date()).toISOString() };
-  }
-  async startClearAllConversationPlan(planId) {
-    const ids = await listConversationIds(this.paths);
-    let count = 0;
-    for (const id of ids) {
-      const m = await readManifest(this.paths, id);
-      if (m && m.status === "active") {
-        await this.deleteConversation(id).catch(() => void 0);
-        count++;
-      }
-    }
-    return { id: planId, status: "completed", deleted_count: count, completed_at: (/* @__PURE__ */ new Date()).toISOString() };
-  }
-  async resolveApproval(input) {
-    return { conversation_id: input.conversationId, approval_id: input.approvalId, decision: input.decision };
-  }
-  async getStatistics(options) {
-    const ids = await listConversationIds(this.paths);
-    let total = 0, active = 0, messages = 0, runs = 0;
-    for (const id of ids) {
-      const m = await readManifest(this.paths, id);
-      if (!m) continue;
-      if (options.profileName && m.profile !== options.profileName) continue;
-      total++;
-      if (m.status === "active") active++;
-      const snap = await readSnapshot(this.paths, id);
-      messages += snap.messages.length;
-      runs += snap.runs.filter((r) => r.kind === "agent").length;
-    }
-    return {
-      conversations: { total, active },
-      messages: { total: messages },
-      runs: { total: runs },
-      models: { total: 0 },
-      skills: { total: 0 },
-      tools: { total: 0 },
-      profiles: { total: 0 }
-    };
-  }
-  summarizeManifest(manifest) {
-    return {
-      id: manifest.id,
-      kind: manifest.kind,
-      title: manifest.title,
-      status: manifest.status,
-      profile: manifest.profile,
-      profile_uid: manifest.profile_uid,
-      last_event_seq: manifest.last_event_seq,
-      created_at: manifest.created_at,
-      updated_at: manifest.updated_at,
-      stats: manifest.stats ?? null
-    };
-  }
-};
-
-// src/hermes/gateway.ts
-import { execFile as execFile3, spawn } from "child_process";
-import { promisify as promisify3 } from "util";
-
-// src/hermes/config.ts
-import os6 from "os";
-import path11 from "path";
-import YAML from "yaml";
-var PROFILE_PERMISSION_TOOLSETS = [
-  {
-    key: "web",
-    label: "Web \u641C\u7D22",
-    description: "\u8054\u7F51\u641C\u7D22\u4E0E\u7F51\u9875\u5185\u5BB9\u63D0\u53D6",
-    risk: "low"
-  },
-  {
-    key: "vision",
-    label: "\u89C6\u89C9\u7406\u89E3",
-    description: "\u8BFB\u53D6\u56FE\u7247\u5185\u5BB9\u5E76\u53C2\u4E0E\u63A8\u7406",
-    risk: "low"
-  },
-  {
-    key: "image_gen",
-    label: "\u56FE\u7247\u751F\u6210",
-    description: "\u8C03\u7528\u56FE\u7247\u751F\u6210\u540E\u7AEF",
-    risk: "low"
-  },
-  {
-    key: "browser",
-    label: "\u6D4F\u89C8\u5668\u81EA\u52A8\u5316",
-    description: "\u6253\u5F00\u7F51\u9875\u3001\u70B9\u51FB\u3001\u8F93\u5165\u548C\u8BFB\u53D6\u9875\u9762",
-    risk: "medium"
-  },
-  {
-    key: "skills",
-    label: "Skills",
-    description: "\u8BFB\u53D6\u548C\u7BA1\u7406 Hermes skills",
-    risk: "medium"
-  },
-  {
-    key: "memory",
-    label: "Memory",
-    description: "\u8BFB\u53D6\u548C\u5199\u5165\u957F\u671F\u8BB0\u5FC6",
-    risk: "medium"
-  },
-  {
-    key: "session_search",
-    label: "\u4F1A\u8BDD\u641C\u7D22",
-    description: "\u641C\u7D22\u5386\u53F2\u4F1A\u8BDD\u4E0E\u6458\u8981",
-    risk: "medium"
-  },
-  {
-    key: "todo",
-    label: "\u4EFB\u52A1\u89C4\u5212",
-    description: "\u7EF4\u62A4\u4F1A\u8BDD\u5185\u4EFB\u52A1\u5217\u8868",
-    risk: "medium"
-  },
-  {
-    key: "delegation",
-    label: "\u5B50\u4EFB\u52A1\u4EE3\u7406",
-    description: "\u521B\u5EFA\u72EC\u7ACB\u4E0A\u4E0B\u6587\u7684\u5B50 Agent",
-    risk: "medium"
-  },
-  {
-    key: "terminal",
-    label: "\u7EC8\u7AEF\u6267\u884C",
-    description: "\u6267\u884C shell \u547D\u4EE4\u548C\u7BA1\u7406\u8FDB\u7A0B",
-    risk: "high"
-  },
-  {
-    key: "file",
-    label: "\u6587\u4EF6\u8BFB\u5199",
-    description: "\u8BFB\u53D6\u3001\u641C\u7D22\u3001\u5199\u5165\u548C patch \u6587\u4EF6",
-    risk: "high"
-  },
-  {
-    key: "code_execution",
-    label: "\u4EE3\u7801\u6267\u884C",
-    description: "\u5728\u5DE5\u5177\u6C99\u7BB1\u4E2D\u6267\u884C\u4EE3\u7801\u7247\u6BB5",
-    risk: "high"
-  },
-  {
-    key: "cronjob",
-    label: "\u5B9A\u65F6\u4EFB\u52A1",
-    description: "\u521B\u5EFA\u3001\u66F4\u65B0\u3001\u6682\u505C\u548C\u8FD0\u884C cron jobs",
-    risk: "high"
-  },
-  {
-    key: "messaging",
-    label: "\u8DE8\u5E73\u53F0\u6D88\u606F",
-    description: "\u5411 Telegram\u3001Discord\u3001Slack \u7B49\u5E73\u53F0\u53D1\u6D88\u606F",
-    risk: "high"
-  },
-  {
-    key: "homeassistant",
-    label: "\u667A\u80FD\u5BB6\u5C45",
-    description: "\u8BFB\u53D6\u548C\u63A7\u5236 Home Assistant \u8BBE\u5907",
-    risk: "high"
-  },
-  {
-    key: "stt",
-    label: "\u8BED\u97F3\u8F6C\u5199 (STT)",
-    description: "\u628A\u7528\u6237\u8BED\u97F3\u6D88\u606F\u8F6C\u6210\u6587\u672C\u8F93\u5165",
-    risk: "medium"
-  },
-  {
-    key: "tts",
-    label: "\u8BED\u97F3\u5408\u6210 (TTS)",
-    description: "\u751F\u6210\u8BED\u97F3\u97F3\u9891",
-    risk: "medium"
-  },
-  {
-    key: "moa",
-    label: "Mixture of Agents",
-    description: "\u8C03\u7528\u591A Agent \u63A8\u7406\u5DE5\u5177",
-    risk: "medium"
-  },
-  {
-    key: "rl",
-    label: "RL \u8BAD\u7EC3",
-    description: "\u7BA1\u7406\u5F3A\u5316\u5B66\u4E60\u8BAD\u7EC3\u4EFB\u52A1",
-    risk: "high"
-  }
-];
-var PROFILE_PERMISSION_TOOLSET_KEYS = new Set(
-  PROFILE_PERMISSION_TOOLSETS.map((toolset) => toolset.key)
-);
-var API_SERVER_PROFILE_TOOLSET_KEYS = new Set(
-  PROFILE_PERMISSION_TOOLSETS.filter((toolset) => toolset.key !== "stt").map(
-    (toolset) => toolset.key
-  )
-);
-var profileApiServerPortAssignmentQueue = Promise.resolve();
-function resolveHermesProfilesDir() {
-  const hermesHome = process.env.HERMES_HOME?.trim();
-  if (hermesHome) {
-    return path11.join(
-      resolveDefaultHermesRoot(path11.resolve(hermesHome)),
-      "profiles"
-    );
-  }
-  return path11.join(os6.homedir(), ".hermes", "profiles");
-}
-function isValidProfileName(value) {
-  return typeof value === "string" && /^[a-zA-Z0-9._-]{1,64}$/.test(value);
-}
-function resolveDefaultHermesRoot(hermesHome) {
-  if (path11.basename(path11.dirname(hermesHome)) === "profiles") {
-    return path11.dirname(path11.dirname(hermesHome));
-  }
-  return hermesHome;
-}
-
-// src/hermes/cli.ts
-import { execFile as execFile2 } from "child_process";
-import { promisify as promisify2 } from "util";
-var execFileAsync2 = promisify2(execFile2);
-
-// src/hermes/gateway.ts
-import { readdir as readdir2 } from "fs/promises";
-var execFileAsync3 = promisify3(execFile3);
-async function listHermesProfiles() {
-  try {
-    const profilesDir = resolveHermesProfilesDir();
-    const entries = await readdir2(profilesDir, { withFileTypes: true });
-    return entries.filter((e) => e.isDirectory() && isValidProfileName(e.name)).map((e) => e.name);
-  } catch {
-    return [];
-  }
-}
-
-// src/http/app.ts
-async function startLinkService(options) {
-  const { config, identity, paths, relayToken } = options;
-  const logger = createLogger({ paths, fileName: "link.log", level: config.logLevel });
-  await initLinkDatabase(paths);
-  const db = openSqliteDatabase(paths.databaseFile, { timeout: 5e3 });
-  await mkdir8(paths.conversationsDir, { recursive: true, mode: 448 }).catch(() => void 0);
-  await mkdir8(paths.blobsDir, { recursive: true, mode: 448 }).catch(() => void 0);
-  await mkdir8(paths.pairingDir, { recursive: true, mode: 448 }).catch(() => void 0);
-  const conversations = new ConversationService(paths);
-  const app = new Koa();
-  app.use(cors({ origin: "*" }));
-  app.use(bodyParser({ jsonLimit: "10mb" }));
-  app.use(async (ctx, next) => {
-    try {
-      await next();
-    } catch (err) {
-      const error = err;
-      ctx.status = error.status ?? error.statusCode ?? 500;
-      ctx.body = {
-        ok: false,
-        error: {
-          code: error.code ?? "internal_error",
-          message: error.message ?? "Internal server error"
-        }
-      };
-      if (ctx.status >= 500) {
-        logger.error({ path: ctx.path, status: ctx.status, err: error.message }, "Request error");
-      }
-    }
-  });
-  const rootRouter = new Router8();
-  rootRouter.get("/pair", (ctx) => {
-    const connectToken = typeof ctx.query.connect_token === "string" ? ctx.query.connect_token : "";
-    ctx.type = "text/html";
-    ctx.body = buildPairingPage({ port: config.port, connectToken });
-  });
-  rootRouter.get("/api/v1/status", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.set("cache-control", "no-store");
-    const [devices, profiles, linkUpdate] = await Promise.all([
-      readDeviceSummary(paths),
-      listHermesProfiles().catch(() => []),
-      checkForUpdates({ relayBaseUrl: config.relayBaseUrl, paths }).catch(() => null)
-    ]);
-    ctx.body = {
-      ok: true,
-      version: LINK_VERSION,
-      paired: Boolean(identity.link_id),
-      link_id: identity.link_id ?? null,
-      port: config.port,
-      link: {
-        state: "online",
-        version: LINK_VERSION,
-        update_available: linkUpdate?.availableVersion != null
-      },
-      hermes: {
-        local_version: null,
-        update_available: false
-      },
-      gateway: { state: "unknown", issue: null },
-      api_server: { state: "unknown", issue: null },
-      devices,
-      profiles: { total: profiles.length }
-    };
-  });
-  rootRouter.get("/api/v1/logs", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const source = typeof ctx.query.source === "string" ? ctx.query.source : "link";
-    const limit = typeof ctx.query.limit === "string" ? Number.parseInt(ctx.query.limit, 10) : 50;
-    ctx.set("cache-control", "no-store");
-    ctx.body = {
-      ok: true,
-      source,
-      logs: source === "gateway" ? await readRecentGatewayLogEntries({ paths, limit }) : await readRecentLogEntries({ paths, limit })
-    };
-  });
-  app.use(rootRouter.routes());
-  app.use(rootRouter.allowedMethods());
-  const bootstrapRouter = createBootstrapRouter({ paths });
-  app.use(bootstrapRouter.routes());
-  app.use(bootstrapRouter.allowedMethods());
-  const authRouter = createAuthRouter({ paths, logger });
-  app.use(authRouter.routes());
-  app.use(authRouter.allowedMethods());
-  const pairingRouter = createPairingRouter({ paths, logger });
-  app.use(pairingRouter.routes());
-  app.use(pairingRouter.allowedMethods());
-  const devicesRouter = createDevicesRouter({ paths, logger });
-  app.use(devicesRouter.routes());
-  app.use(devicesRouter.allowedMethods());
-  const conversationsRouter = createConversationsRouter({ paths, conversations, logger });
-  app.use(conversationsRouter.routes());
-  app.use(conversationsRouter.allowedMethods());
-  const systemRouter = createSystemRouter({ config, identity, paths });
-  app.use(systemRouter.routes());
-  app.use(systemRouter.allowedMethods());
-  const statsRouter = createStatisticsRouter({ db, paths });
-  app.use(statsRouter.routes());
-  app.use(statsRouter.allowedMethods());
-  const listenHost = process.env.HERMESLINK_LISTEN_HOST ?? "0.0.0.0";
-  const server = await new Promise((resolve, reject) => {
-    const s = app.listen(config.port, listenHost, () => resolve(s));
-    s.once("error", reject);
-  });
-  const relayClient = new RelayClient({
-    relayBaseUrl: config.relayBaseUrl,
-    identity,
-    token: relayToken,
-    paths
-  });
-  relayClient.start();
-  reportNetwork({ config, identity, paths }).catch(() => void 0);
-  const stop = async () => {
-    relayClient.stop();
-    await new Promise((resolve) => server.close(() => resolve()));
-    db.close();
-    logger.info("Link service stopped");
-  };
-  return { app, server, relayClient, stop };
-}
-async function reportNetwork(options) {
-  const candidates = await discoverRouteCandidates({
-    configuredLanHost: options.config.lanHost,
-    relayBaseUrl: options.config.relayBaseUrl,
-    linkId: options.identity.link_id ?? "",
-    port: options.config.port,
-    installId: options.identity.install_id,
-    publicKeyPem: options.identity.public_key_pem
-  });
-  await updateNetworkReportState(
-    {
-      lastReportedAt: (/* @__PURE__ */ new Date()).toISOString(),
-      preferredUrls: candidates.preferredUrls,
-      lanIps: candidates.lanIps,
-      publicIpv4s: candidates.publicIpv4s,
-      publicIpv6s: candidates.publicIpv6s
-    },
-    options.paths
-  );
-}
-function buildPairingPage(options) {
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-  <title>Hermes Link \u2014 Pairing</title>
-  <style>
-    * { box-sizing: border-box; margin: 0; padding: 0; }
-    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background: #0f0f0f; color: #e5e5e5; display: flex; align-items: center; justify-content: center; min-height: 100vh; }
-    .card { background: #1a1a1a; border: 1px solid #2a2a2a; border-radius: 12px; padding: 2rem; max-width: 420px; width: 100%; text-align: center; }
-    h1 { font-size: 1.25rem; font-weight: 600; margin-bottom: 0.5rem; }
-    p { color: #a0a0a0; font-size: 0.9rem; margin-bottom: 1.5rem; line-height: 1.5; }
-    .token { font-family: monospace; background: #0f0f0f; border: 1px solid #333; border-radius: 6px; padding: 0.75rem 1rem; font-size: 0.85rem; word-break: break-all; color: #7dd3fc; margin-bottom: 1.5rem; }
-    button { background: #3b82f6; color: #fff; border: none; border-radius: 8px; padding: 0.75rem 1.5rem; font-size: 0.95rem; cursor: pointer; width: 100%; }
-    button:hover { background: #2563eb; }
-    .status { margin-top: 1rem; font-size: 0.85rem; color: #6ee7b7; display: none; }
-  </style>
-</head>
-<body>
-  <div class="card">
-    <h1>Hermes Link Pairing</h1>
-    <p>Use this page to pair your device with the local Hermes Link service running on port ${options.port}.</p>
-    <div class="token" id="token">${options.connectToken}</div>
-    <button onclick="pair()">Pair This Device</button>
-    <div class="status" id="status">Paired successfully!</div>
-  </div>
-  <script>
-    async function pair() {
-      const token = document.getElementById('token').textContent.trim();
-      const btn = document.querySelector('button');
-      btn.disabled = true;
-      btn.textContent = 'Pairing...';
-      try {
-        const res = await fetch('/api/v1/auth/device-session', {
-          method: 'POST',
-          headers: {
-            'Authorization': 'Bearer ' + token,
-            'Content-Type': 'application/json'
-          },
-          body: JSON.stringify({
-            device_label: navigator.userAgent.slice(0, 64),
-            device_platform: 'web'
-          })
-        });
-        const data = await res.json();
-        if (res.ok && data.access_token) {
-          document.getElementById('status').style.display = 'block';
-          document.getElementById('status').innerHTML =
-            'Paired! Access token:<br><code style="font-size:0.75rem;word-break:break-all">' +
-            data.access_token.token + '</code>';
-          btn.textContent = 'Paired';
-        } else {
-          throw new Error(data.error?.message || JSON.stringify(data));
-        }
-      } catch (e) {
-        btn.disabled = false;
-        btn.textContent = 'Pair This Device';
-        alert('Pairing failed: ' + e.message);
-      }
-    }
-  </script>
-</body>
-</html>`;
-}
-
-export {
-  LINK_COMMAND,
-  LINK_VERSION,
-  DAEMON_LOG_FILE,
-  resolveRuntimePaths,
-  writeJsonFile,
-  loadConfig,
-  saveConfig,
-  normalizeLanHost,
-  loadIdentity,
-  ensureIdentity,
-  saveAssignedLinkId,
-  enableAutostart,
-  disableAutostart,
-  getAutostartStatus,
-  currentCliScriptPath,
-  detectRuntimeEnvironment,
-  createRotatingTextLogWriter,
-  readRecentLogEntries,
-  readRecentGatewayLogEntries,
-  bootstrapWithRelay,
-  generateAppConnectToken,
-  discoverRouteCandidates,
-  startLinkService
-};