@co0ontty/wand 0.2.0

package/dist/server.js

@@ -0,0 +1,875 @@
+import express from "express";
+import { readdir } from "node:fs/promises";
+import { createServer as createHttpServer } from "node:http";
+import { createServer as createHttpsServer } from "node:https";
+import { exec } from "node:child_process";
+import { promisify } from "node:util";
+import path from "node:path";
+import process from "node:process";
+import { WebSocketServer, WebSocket } from "ws";
+const execAsync = promisify(exec);
+import { createSession, revokeSession, setAuthStorage, validateSession } from "./auth.js";
+import { ensureCertificates } from "./cert.js";
+import { isExecutionMode, resolveConfigDir } from "./config.js";
+import { ProcessManager } from "./process-manager.js";
+import { resolveDatabasePath, WandStorage } from "./storage.js";
+import { renderApp } from "./web-ui.js";
+import { parseMessages } from "./message-parser.js";
+function getErrorMessage(error, fallback) {
+    return error instanceof Error ? error.message : fallback;
+}
+/**
+ * Check if a directory is inside a git repository
+ */
+async function isGitRepo(dirPath) {
+    try {
+        await execAsync("git rev-parse --is-inside-work-tree", { cwd: dirPath });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Get the git repository root directory
+ */
+async function getGitRepoRoot(dirPath) {
+    try {
+        const { stdout } = await execAsync("git rev-parse --show-toplevel", { cwd: dirPath });
+        return stdout.trim();
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get git status for all files in a directory
+ * Returns a map of relative file paths to their git status
+ */
+async function getGitStatusMap(gitRoot) {
+    const statusMap = new Map();
+    try {
+        // Get git status in porcelain format (stable for parsing)
+        // -uno: don't list untracked files (we'll get them separately)
+        const { stdout: stagedStdout } = await execAsync("git status --porcelain -uno", { cwd: gitRoot });
+        // Get untracked files separately
+        const { stdout: untrackedStdout } = await execAsync("git ls-files --others --exclude-standard", { cwd: gitRoot });
+        // Parse staged/unstaged changes
+        const lines = stagedStdout.split("\n").filter(line => line.trim());
+        for (const line of lines) {
+            if (line.length < 4)
+                continue;
+            const stagedChar = line[0];
+            const unstagedChar = line[1];
+            const filePath = line.slice(3).trim();
+            if (!filePath)
+                continue;
+            const status = {};
+            // Parse staged status
+            if (stagedChar === "M")
+                status.staged = "modified";
+            else if (stagedChar === "A")
+                status.staged = "added";
+            else if (stagedChar === "D")
+                status.staged = "deleted";
+            else if (stagedChar === "R")
+                status.staged = "renamed";
+            // Parse unstaged status
+            if (unstagedChar === "M")
+                status.unstaged = "modified";
+            else if (unstagedChar === "D")
+                status.unstaged = "deleted";
+            statusMap.set(filePath, status);
+        }
+        // Parse untracked files
+        const untrackedFiles = untrackedStdout.split("\n").filter(line => line.trim());
+        for (const filePath of untrackedFiles) {
+            const existing = statusMap.get(filePath);
+            if (existing) {
+                existing.untracked = true;
+            }
+            else {
+                statusMap.set(filePath, { untracked: true });
+            }
+        }
+        return statusMap;
+    }
+    catch (error) {
+        // Git command failed, return empty map
+        return statusMap;
+    }
+}
+/**
+ * Enrich file entries with git status
+ */
+async function enrichWithGitStatus(items, dirPath) {
+    try {
+        const gitRoot = await getGitRepoRoot(dirPath);
+        if (!gitRoot) {
+            return items;
+        }
+        const gitStatusMap = await getGitStatusMap(gitRoot);
+        return items.map((item) => {
+            // Get path relative to git root
+            const relativePath = path.relative(gitRoot, item.path);
+            // Normalize path separators for cross-platform compatibility
+            const normalizedPath = relativePath.replace(/\\/g, '/');
+            const gitStatus = gitStatusMap.get(normalizedPath);
+            return {
+                ...item,
+                gitStatus: gitStatus || undefined
+            };
+        });
+    }
+    catch {
+        return items;
+    }
+}
+// Simple in-memory rate limiter for login attempts
+const loginAttempts = new Map();
+const RATE_LIMIT_WINDOW = 15 * 60 * 1000; // 15 minutes
+const RATE_LIMIT_MAX = 10; // 10 attempts per window
+function checkRateLimit(ip) {
+    const now = Date.now();
+    const record = loginAttempts.get(ip);
+    if (!record || now > record.resetAt) {
+        return true;
+    }
+    return record.count < RATE_LIMIT_MAX;
+}
+function recordFailedLogin(ip) {
+    const now = Date.now();
+    const record = loginAttempts.get(ip);
+    if (!record || now > record.resetAt) {
+        loginAttempts.set(ip, { count: 1, resetAt: now + RATE_LIMIT_WINDOW });
+        return;
+    }
+    record.count++;
+}
+function resetRateLimit(ip) {
+    loginAttempts.delete(ip);
+}
+function cleanupRateLimiter() {
+    const now = Date.now();
+    for (const [ip, record] of loginAttempts.entries()) {
+        if (now > record.resetAt) {
+            loginAttempts.delete(ip);
+        }
+    }
+}
+// Cleanup rate limiter every 5 minutes
+setInterval(cleanupRateLimiter, 5 * 60 * 1000);
+// Catch-all for unexpected startup errors
+process.on("uncaughtException", (err) => {
+    wandError("服务器异常", err.message, "请检查配置是否正确，或尝试重启服务。");
+    process.exit(1);
+});
+process.on("unhandledRejection", (reason) => {
+    const msg = reason instanceof Error ? reason.message : String(reason);
+    wandError("未处理的异步错误", msg);
+});
+// ── Friendly error / warn / info helpers ──────────────────────────────────
+function wandError(label, message, suggestion) {
+    process.stderr.write(`\n✗ [wand] ${label}：${message}\n`);
+    if (suggestion)
+        process.stderr.write(`  解决方法：${suggestion}\n`);
+    process.stderr.write("\n");
+}
+function wandWarn(message, hint) {
+    process.stderr.write(`⚠️  [wand] 警告：${message}\n`);
+    if (hint)
+        process.stderr.write(`  提示：${hint}\n`);
+}
+function wandInfo(message) {
+    process.stdout.write(`ℹ️  [wand] ${message}\n`);
+}
+export async function startServer(config, configPath) {
+    const app = express();
+    const storage = new WandStorage(resolveDatabasePath(configPath));
+    setAuthStorage(storage);
+    const processes = new ProcessManager(config, storage, resolveConfigDir(configPath));
+    const useHttps = config.https !== false; // Default to true
+    const protocol = useHttps ? "https" : "http";
+    app.use(express.json({ limit: "1mb" }));
+    app.use("/vendor/xterm", express.static(path.resolve(process.cwd(), "node_modules/xterm")));
+    app.use("/vendor/xterm-addon-fit", express.static(path.resolve(process.cwd(), "node_modules/@xterm/addon-fit")));
+    app.get("/", (_req, res) => {
+        res.type("html").send(renderApp(configPath));
+    });
+    // PWA manifest
+    app.get("/manifest.json", (_req, res) => {
+        res.type("json").send(JSON.stringify({
+            name: "Wand Console",
+            short_name: "Wand",
+            description: "Local CLI Console for Vibe Coding",
+            start_url: "/",
+            display: "standalone",
+            background_color: "#f6f1e8",
+            theme_color: "#c5653d",
+            orientation: "any",
+            icons: [
+                { src: "/icon-192.png", sizes: "192x192", type: "image/png", purpose: "any maskable" },
+                { src: "/icon-512.png", sizes: "512x512", type: "image/png", purpose: "any maskable" }
+            ],
+            categories: ["developer tools", "productivity"],
+            shortcuts: [
+                { name: "New Session", short_name: "New", url: "/?action=new", description: "Start a new CLI session" }
+            ]
+        }));
+    });
+    // PWA icons (SVG data URL converted to simple PNG-like response)
+    const iconSvg = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 192 192">
+    <defs><linearGradient id="g" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" style="stop-color:#d77a52"/>
+      <stop offset="100%" style="stop-color:#a95130"/>
+    </linearGradient></defs>
+    <rect width="192" height="192" rx="38" fill="url(#g)"/>
+    <text x="96" y="128" text-anchor="middle" font-family="system-ui,sans-serif" font-size="88" font-weight="700" fill="white">W</text>
+  </svg>`;
+    app.get("/icon-192.png", (_req, res) => {
+        res.type("svg").send(iconSvg);
+    });
+    app.get("/icon-512.png", (_req, res) => {
+        res.type("svg").send(iconSvg);
+    });
+    // Service Worker for offline support
+    app.get("/sw.js", (_req, res) => {
+        res.type("javascript").send(`
+const CACHE_NAME = 'wand-v1';
+const STATIC_ASSETS = [
+  '/',
+  '/vendor/xterm/css/xterm.css',
+  '/vendor/xterm/lib/xterm.js',
+  '/vendor/xterm-addon-fit/lib/addon-fit.js'
+];
+
+self.addEventListener('install', (event) => {
+  event.waitUntil(caches.open(CACHE_NAME).then((cache) => cache.addAll(STATIC_ASSETS)));
+  self.skipWaiting();
+});
+
+self.addEventListener('activate', (event) => {
+  event.waitUntil(caches.keys().then((keys) => Promise.all(keys.filter((k) => k !== CACHE_NAME).map((k) => caches.delete(k)))));
+  self.clients.claim();
+});
+
+self.addEventListener('fetch', (event) => {
+  const url = new URL(event.request.url);
+  // API calls should always go to network
+  if (url.pathname.startsWith('/api/')) {
+    event.respondWith(fetch(event.request).catch(() => new Response(JSON.stringify({ error: 'Offline' }), { status: 503, headers: { 'Content-Type': 'application/json' } })));
+    return;
+  }
+  // Static assets: cache first, network fallback
+  event.respondWith(caches.match(event.request).then((cached) => cached || fetch(event.request).then((response) => {
+    if (response.ok && event.request.method === 'GET') {
+      const clone = response.clone();
+      caches.open(CACHE_NAME).then((cache) => cache.put(event.request, clone));
+    }
+    return response;
+  }).catch(() => caches.match('/'))));
+});
+`);
+    });
+    app.post("/api/login", (req, res) => {
+        const clientIp = req.ip || req.socket.remoteAddress || "unknown";
+        if (!checkRateLimit(clientIp)) {
+            res.status(429).json({ error: "登录尝试次数过多，请在 15 分钟后再试。" });
+            return;
+        }
+        const { password } = req.body;
+        // Check password: prefer database password, fallback to config password
+        const dbPassword = storage.getPassword();
+        const effectivePassword = dbPassword ?? config.password;
+        if (password !== effectivePassword) {
+            recordFailedLogin(clientIp);
+            res.status(401).json({ error: "密码错误，请重试。" });
+            return;
+        }
+        resetRateLimit(clientIp);
+        const token = createSession();
+        res.cookie("wand_session", token, {
+            httpOnly: true,
+            sameSite: "strict",
+            secure: useHttps,
+            maxAge: 1000 * 60 * 60 * 12
+        });
+        res.json({ ok: true });
+    });
+    app.post("/api/logout", (req, res) => {
+        revokeSession(readSessionCookie(req));
+        res.clearCookie("wand_session");
+        res.json({ ok: true });
+    });
+    // Set password endpoint (requires auth)
+    app.post("/api/set-password", requireAuth, (req, res) => {
+        const { password } = req.body;
+        if (!password || password.length < 6) {
+            res.status(400).json({ error: "密码长度至少为 6 个字符。" });
+            return;
+        }
+        storage.setPassword(password);
+        res.json({ ok: true });
+    });
+    app.use("/api", requireAuth);
+    app.get("/api/config", (_req, res) => {
+        res.json({
+            host: config.host,
+            port: config.port,
+            defaultMode: config.defaultMode,
+            defaultCwd: config.defaultCwd,
+            commandPresets: config.commandPresets
+        });
+    });
+    app.get("/api/sessions", (_req, res) => {
+        res.json(processes.list());
+    });
+    app.get("/api/path-suggestions", async (req, res) => {
+        const query = typeof req.query.q === "string" ? req.query.q : "";
+        try {
+            const suggestions = await listPathSuggestions(query, config.defaultCwd);
+            res.json(suggestions);
+        }
+        catch (error) {
+            res.status(400).json({ error: getErrorMessage(error, "无法加载路径建议。") });
+        }
+    });
+    app.get("/api/directory", async (req, res) => {
+        const q = typeof req.query.q === "string" ? req.query.q : "";
+        const includeGitStatus = req.query.gitStatus === "true";
+        const targetPath = path.resolve(process.cwd(), q);
+        // Security check: ensure the resolved path is within the current working directory
+        const allowedBase = process.cwd();
+        if (!targetPath.startsWith(allowedBase)) {
+            res.status(403).json({ error: "访问被拒绝：路径必须在项目目录内。" });
+            return;
+        }
+        try {
+            const entries = await readdir(targetPath, { withFileTypes: true });
+            let items = entries
+                .sort((a, b) => {
+                // Directories first, then alphabetically
+                if (a.isDirectory() && !b.isDirectory())
+                    return -1;
+                if (!a.isDirectory() && b.isDirectory())
+                    return 1;
+                return a.name.localeCompare(b.name);
+            })
+                .slice(0, 100)
+                .map((entry) => ({
+                path: path.join(targetPath, entry.name),
+                name: entry.name,
+                type: entry.isDirectory() ? "dir" : "file"
+            }));
+            // Enrich with git status if requested
+            if (includeGitStatus) {
+                items = await enrichWithGitStatus(items, targetPath);
+            }
+            res.json(items);
+        }
+        catch (error) {
+            res.status(400).json({ error: getErrorMessage(error, "无法读取目录。可能原因：路径不存在或权限不足。") });
+        }
+    });
+    // Folder picker API - starts from /tmp by default, supports navigation
+    app.get("/api/folders", async (req, res) => {
+        const q = typeof req.query.q === "string" ? req.query.q : "/tmp";
+        const targetPath = path.resolve(q);
+        // Security check: prevent accessing sensitive system paths
+        const blockedPaths = ['/etc', '/root', '/boot'];
+        for (const blocked of blockedPaths) {
+            if (targetPath.startsWith(blocked)) {
+                res.status(403).json({ error: "访问被拒绝：无法访问系统敏感目录。" });
+                return;
+            }
+        }
+        try {
+            const entries = await readdir(targetPath, { withFileTypes: true });
+            const items = [];
+            // Add parent directory navigation (..)
+            const parentPath = path.dirname(targetPath);
+            if (parentPath !== targetPath) {
+                items.push({
+                    path: parentPath,
+                    name: "..",
+                    type: "parent",
+                    isParent: true
+                });
+            }
+            // Add subdirectories
+            entries
+                .filter((entry) => entry.isDirectory())
+                .sort((a, b) => a.name.localeCompare(b.name))
+                .slice(0, 100)
+                .forEach((entry) => {
+                items.push({
+                    path: path.join(targetPath, entry.name),
+                    name: entry.name,
+                    type: "dir"
+                });
+            });
+            res.json({
+                currentPath: targetPath,
+                items: items
+            });
+        }
+        catch (error) {
+            if (error.code === 'ENOENT') {
+                res.status(404).json({ error: "路径不存在：" + q, currentPath: q, items: [] });
+            }
+            else if (error.code === 'EACCES') {
+                res.status(403).json({ error: "权限不足，无法访问：" + q, currentPath: q, items: [] });
+            }
+            else {
+                res.status(400).json({ error: "无法读取目录：" + getErrorMessage(error, "未知错误"), currentPath: q, items: [] });
+            }
+        }
+    });
+    // Quick paths API - returns common paths for quick access
+    app.get("/api/quick-paths", async (req, res) => {
+        const home = process.env.HOME || process.env.USERPROFILE || '/home';
+        const quickPaths = [
+            { path: "/tmp", name: "临时目录", icon: "🗑️" },
+            { path: home, name: "主目录", icon: "🏠" },
+            { path: process.cwd(), name: "当前目录", icon: "📂" },
+            { path: "/", name: "根目录", icon: "📁" }
+        ];
+        res.json(quickPaths);
+    });
+    app.get("/api/favorite-paths", (_req, res) => {
+        const stored = storage.getConfigValue("favorite_paths");
+        const favorites = stored ? JSON.parse(stored) : [];
+        res.json(favorites);
+    });
+    app.post("/api/favorite-paths", (req, res) => {
+        const { path: favPath, name, icon } = req.body;
+        if (!favPath) {
+            res.status(400).json({ error: "路径不能为空。" });
+            return;
+        }
+        const stored = storage.getConfigValue("favorite_paths");
+        const favorites = stored ? JSON.parse(stored) : [];
+        // Check if already exists
+        if (favorites.some((f) => f.path === favPath)) {
+            res.status(400).json({ error: "该路径已在收藏列表中。" });
+            return;
+        }
+        const newFavorite = {
+            path: favPath,
+            name: name || path.basename(favPath),
+            icon: icon || "⭐",
+            addedAt: new Date().toISOString()
+        };
+        favorites.push(newFavorite);
+        storage.setConfigValue("favorite_paths", JSON.stringify(favorites));
+        res.status(201).json(newFavorite);
+    });
+    app.delete("/api/favorite-paths", (req, res) => {
+        const { path: delPath } = req.body;
+        if (!delPath) {
+            res.status(400).json({ error: "路径不能为空。" });
+            return;
+        }
+        const stored = storage.getConfigValue("favorite_paths");
+        const favorites = stored ? JSON.parse(stored) : [];
+        const index = favorites.findIndex((f) => f.path === delPath);
+        if (index === -1) {
+            res.status(404).json({ error: "未找到该收藏路径。" });
+            return;
+        }
+        favorites.splice(index, 1);
+        storage.setConfigValue("favorite_paths", JSON.stringify(favorites));
+        res.json({ ok: true });
+    });
+    const MAX_RECENT_PATHS = 10;
+    app.get("/api/recent-paths", (_req, res) => {
+        const stored = storage.getConfigValue("recent_paths");
+        const recent = stored ? JSON.parse(stored) : [];
+        res.json(recent);
+    });
+    app.post("/api/recent-paths", (req, res) => {
+        const { path: usedPath } = req.body;
+        if (!usedPath) {
+            res.status(400).json({ error: "路径不能为空。" });
+            return;
+        }
+        const stored = storage.getConfigValue("recent_paths");
+        let recent = stored ? JSON.parse(stored) : [];
+        // Remove existing entry for this path (to update position)
+        recent = recent.filter((r) => r.path !== usedPath);
+        // Add to front
+        const newRecent = {
+            path: usedPath,
+            name: path.basename(usedPath),
+            lastUsedAt: new Date().toISOString()
+        };
+        recent.unshift(newRecent);
+        // Keep only last N entries
+        recent = recent.slice(0, MAX_RECENT_PATHS);
+        storage.setConfigValue("recent_paths", JSON.stringify(recent));
+        res.json(newRecent);
+    });
+    // ============ Path Validation API ============
+    app.get("/api/validate-path", async (req, res) => {
+        const inputPath = typeof req.query.path === "string" ? req.query.path : "";
+        if (!inputPath.trim()) {
+            res.json({ valid: false, error: "路径不能为空" });
+            return;
+        }
+        try {
+            const resolvedPath = path.resolve(inputPath);
+            const stats = await import("node:fs/promises").then(fs => fs.stat(resolvedPath));
+            if (!stats.isDirectory()) {
+                res.json({ valid: false, error: "路径不是目录", resolvedPath });
+                return;
+            }
+            // Check read permission
+            try {
+                await readdir(resolvedPath);
+                res.json({ valid: true, resolvedPath, name: path.basename(resolvedPath) });
+            }
+            catch (permError) {
+                res.json({ valid: false, error: "没有读取权限", resolvedPath });
+            }
+        }
+        catch (error) {
+            const err = error;
+            if (err.code === "ENOENT") {
+                res.json({ valid: false, error: "路径不存在" });
+            }
+            else if (err.code === "EACCES") {
+                res.json({ valid: false, error: "没有访问权限" });
+            }
+            else {
+                res.json({ valid: false, error: `无效路径: ${err.message}` });
+            }
+        }
+    });
+    // File search API - supports fuzzy matching across directory tree
+    app.get("/api/file-search", async (req, res) => {
+        const query = typeof req.query.q === "string" ? req.query.q : "";
+        const cwd = typeof req.query.cwd === "string" ? req.query.cwd : process.cwd();
+        const maxDepth = typeof req.query.depth === "string" ? parseInt(req.query.depth, 10) : 5;
+        const maxResults = typeof req.query.limit === "string" ? parseInt(req.query.limit, 10) : 50;
+        // Security check: ensure cwd is within allowed base
+        const allowedBase = process.cwd();
+        const resolvedCwd = path.resolve(allowedBase, cwd);
+        if (!resolvedCwd.startsWith(allowedBase)) {
+            res.status(403).json({ error: "访问被拒绝：路径必须在项目目录内。" });
+            return;
+        }
+        if (!query) {
+            res.json({ results: [], query: "", cwd: resolvedCwd });
+            return;
+        }
+        try {
+            const results = [];
+            const queryLower = query.toLowerCase();
+            // Recursive search function
+            async function searchDir(dirPath, currentDepth) {
+                if (currentDepth > maxDepth || results.length >= maxResults)
+                    return;
+                const entries = await readdir(dirPath, { withFileTypes: true });
+                for (const entry of entries) {
+                    if (results.length >= maxResults)
+                        break;
+                    // Skip hidden files and node_modules
+                    if (entry.name.startsWith(".") || entry.name === "node_modules")
+                        continue;
+                    const entryPath = path.join(dirPath, entry.name);
+                    const nameLower = entry.name.toLowerCase();
+                    // Check if name matches query (fuzzy match)
+                    const matchIndex = nameLower.indexOf(queryLower);
+                    if (matchIndex !== -1) {
+                        results.push({
+                            path: entryPath,
+                            name: entry.name,
+                            type: entry.isDirectory() ? "dir" : "file",
+                            matchScore: matchIndex // Lower score = better match (appears earlier in name)
+                        });
+                    }
+                    // Recurse into directories
+                    if (entry.isDirectory()) {
+                        await searchDir(entryPath, currentDepth + 1);
+                    }
+                }
+            }
+            await searchDir(resolvedCwd, 0);
+            // Sort by match score (earlier match = better) and then alphabetically
+            results.sort((a, b) => {
+                if (a.matchScore !== b.matchScore)
+                    return a.matchScore - b.matchScore;
+                return a.name.localeCompare(b.name);
+            });
+            res.json({ results: results.slice(0, maxResults), query, cwd: resolvedCwd });
+        }
+        catch (error) {
+            res.status(400).json({ error: getErrorMessage(error, "搜索失败。可能原因：路径不存在或权限不足。") });
+        }
+    });
+    app.get("/api/sessions/:id", (req, res) => {
+        const snapshot = processes.get(req.params.id);
+        if (!snapshot) {
+            res.status(404).json({ error: "未找到该会话，可能已被删除。" });
+            return;
+        }
+        if (req.query.format === "chat") {
+            // Prefer structured messages from JSON chat mode, fall back to PTY parsing
+            const messages = snapshot.messages && snapshot.messages.length > 0
+                ? snapshot.messages
+                : parseMessages(snapshot.output);
+            res.json({ ...snapshot, messages });
+        }
+        else {
+            res.json(snapshot);
+        }
+    });
+    app.post("/api/commands", (req, res) => {
+        const body = req.body;
+        if (!body.command?.trim()) {
+            res.status(400).json({ error: "请输入要执行的命令。" });
+            return;
+        }
+        const initialInput = body.initialInput?.trim();
+        try {
+            const snapshot = processes.start(body.command, body.cwd, normalizeMode(body.mode, config.defaultMode), initialInput || undefined);
+            res.status(201).json(snapshot);
+        }
+        catch (error) {
+            res.status(400).json({ error: getErrorMessage(error, "无法启动命令。请检查命令是否正确安装。") });
+        }
+    });
+    app.post("/api/sessions/:id/input", (req, res) => {
+        const body = req.body;
+        try {
+            const snapshot = processes.sendInput(req.params.id, body.input ?? "", body.view);
+            res.json(snapshot);
+        }
+        catch (error) {
+            res.status(400).json({ error: getErrorMessage(error, "会话已结束，请启动新会话。") });
+        }
+    });
+    app.post("/api/sessions/:id/resize", (req, res) => {
+        const body = req.body;
+        try {
+            const snapshot = processes.resize(req.params.id, body.cols ?? 0, body.rows ?? 0);
+            res.json(snapshot);
+        }
+        catch (error) {
+            res.status(400).json({ error: getErrorMessage(error, "无法调整终端大小。") });
+        }
+    });
+    app.post("/api/sessions/:id/stop", (req, res) => {
+        try {
+            const snapshot = processes.stop(req.params.id);
+            res.json(snapshot);
+        }
+        catch (error) {
+            res.status(400).json({ error: getErrorMessage(error, "无法停止会话。") });
+        }
+    });
+    app.delete("/api/sessions/:id", (req, res) => {
+        try {
+            processes.delete(req.params.id);
+            res.json({ ok: true });
+        }
+        catch (error) {
+            res.status(400).json({ error: getErrorMessage(error, "无法删除会话。") });
+        }
+    });
+    await processes.runStartupCommands();
+    // Create server (HTTP or HTTPS) - useHttps and protocol already defined above
+    const server = useHttps
+        ? (() => {
+            const ssl = ensureCertificates(resolveConfigDir(configPath));
+            return createHttpsServer({ key: ssl.key, cert: ssl.cert }, app);
+        })()
+        : createHttpServer(app);
+    const wss = new WebSocketServer({ server, path: "/ws" });
+    const wsClients = new Set();
+    const MAX_QUEUE_SIZE = 500; // Max messages in queue before applying backpressure
+    const OUTPUT_DEBOUNCE_MS = 50; // Debounce PTY output updates to reduce flicker
+    // Output debounce cache - batch rapid output events per session
+    const outputDebounceCache = new Map();
+    // Process send queue for a WebSocket client
+    function processWsQueue(client) {
+        if (client.sendInProgress || client.sendQueue.length === 0 || client.backpressurePaused) {
+            return;
+        }
+        client.sendInProgress = true;
+        const message = client.sendQueue.shift();
+        if (client.ws.readyState === WebSocket.OPEN) {
+            client.ws.send(message, (err) => {
+                client.sendInProgress = false;
+                if (err) {
+                    // Error sending, drop message
+                    return;
+                }
+                // Check backpressure threshold
+                const threshold = MAX_QUEUE_SIZE * 0.8;
+                if (client.backpressurePaused && client.sendQueue.length < threshold) {
+                    client.backpressurePaused = false;
+                }
+                // Continue processing queue
+                processWsQueue(client);
+            });
+        }
+        else {
+            client.sendInProgress = false;
+        }
+    }
+    // Broadcast process events to WebSocket clients with debouncing and backpressure control
+    processes.on("process", (event) => {
+        // Debounce output events to reduce flicker during rapid streaming
+        if (event.type === "output") {
+            const existing = outputDebounceCache.get(event.sessionId);
+            if (existing) {
+                clearTimeout(existing.timer);
+            }
+            const timer = setTimeout(() => {
+                outputDebounceCache.delete(event.sessionId);
+                broadcastEvent(event);
+            }, OUTPUT_DEBOUNCE_MS);
+            outputDebounceCache.set(event.sessionId, { event, timer });
+            return;
+        }
+        // Non-output events (started, ended, status) are sent immediately
+        broadcastEvent(event);
+    });
+    function broadcastEvent(event) {
+        const message = JSON.stringify(event);
+        for (const client of wsClients) {
+            if (client.ws.readyState === WebSocket.OPEN) {
+                // Apply backpressure if queue is too large
+                if (client.sendQueue.length >= MAX_QUEUE_SIZE) {
+                    client.backpressurePaused = true;
+                    continue;
+                }
+                if (!client.backpressurePaused) {
+                    client.sendQueue.push(message);
+                    processWsQueue(client);
+                }
+            }
+        }
+    }
+    wss.on("connection", (ws, req) => {
+        const sessionToken = readSessionCookie(req);
+        if (!sessionToken || !validateSession(sessionToken)) {
+            ws.close(1008, "Unauthorized");
+            return;
+        }
+        const client = {
+            ws,
+            sendQueue: [],
+            sendInProgress: false,
+            backpressurePaused: false,
+            lastOutputBySession: new Map()
+        };
+        wsClients.add(client);
+        ws.on("close", () => {
+            wsClients.delete(client);
+        });
+        ws.on("error", () => {
+            // Already closed, ignore
+        });
+        ws.on("message", (data) => {
+            try {
+                const msg = JSON.parse(data.toString());
+                // Handle subscribe/unsubscribe for specific sessions
+                if (msg.type === "subscribe" && msg.sessionId) {
+                    // Client wants updates for a specific session
+                    const snapshot = processes.get(msg.sessionId);
+                    if (snapshot) {
+                        // Send full session snapshot including messages for reconnection recovery
+                        ws.send(JSON.stringify({
+                            type: "init",
+                            sessionId: msg.sessionId,
+                            data: {
+                                ...snapshot,
+                                // Ensure messages are included for chat mode recovery
+                                messages: snapshot.messages,
+                                // Include full output for terminal mode recovery
+                                output: snapshot.output
+                            }
+                        }));
+                    }
+                    else {
+                        // Session not found - might be deleted or never existed
+                        ws.send(JSON.stringify({
+                            type: "error",
+                            sessionId: msg.sessionId,
+                            error: "Session not found"
+                        }));
+                    }
+                }
+            }
+            catch {
+                // Ignore malformed messages
+            }
+        });
+    });
+    // Start server
+    await new Promise((resolve, reject) => {
+        server.listen(config.port, config.host, () => {
+            const listenAddr = config.host === "0.0.0.0" ? "0.0.0.0 (所有接口)" : config.host;
+            process.stdout.write(`[wand] Web console listening on ${listenAddr}:${config.port}\n` +
+                `[wand] 本地访问: ${protocol}://127.0.0.1:${config.port}\n`);
+            resolve();
+        });
+        server.on("error", (err) => {
+            if (err.code === "EADDRINUSE") {
+                wandError(`端口 ${config.port} 已被占用`, `可能有另一个 Wand 进程正在运行。`, `解决方法（二选一）：\n1. 在浏览器中访问当前运行的 Wand\n2. 或者终止占用端口的进程：\n   kill $(lsof -ti :${config.port})\n\n如果你确定没有其他实例在运行，可能是有程序意外占用了端口。`);
+                process.exit(1);
+            }
+            reject(err);
+        });
+    });
+    // Print security warnings
+    if (!storage.hasCustomPassword() && config.password === "change-me") {
+        wandWarn("正在使用默认密码（change-me），任何能访问本机的人都可以登录。", "修改方法：在界面右上角「设置」中修改密码，或运行：node dist/cli.js config:set password <你的新密码>");
+    }
+}
+function requireAuth(req, res, next) {
+    if (!validateSession(readSessionCookie(req))) {
+        res.status(401).json({ error: "未授权，请先登录。" });
+        return;
+    }
+    next();
+}
+function normalizeMode(input, fallback) {
+    return isExecutionMode(input) ? input : fallback;
+}
+function readSessionCookie(req) {
+    const cookie = req.headers.cookie;
+    if (!cookie) {
+        return undefined;
+    }
+    const match = cookie
+        .split(";")
+        .map((part) => part.trim())
+        .find((part) => part.startsWith("wand_session="));
+    return match?.slice("wand_session=".length);
+}
+async function listPathSuggestions(input, fallbackCwd) {
+    const normalizedInput = input.trim();
+    const baseInput = normalizedInput || fallbackCwd;
+    const resolvedInput = path.resolve(process.cwd(), baseInput);
+    const endsWithSeparator = /[\\/]$/.test(normalizedInput);
+    let searchDir = resolvedInput;
+    let partialName = "";
+    if (!endsWithSeparator) {
+        searchDir = path.dirname(resolvedInput);
+        partialName = path.basename(resolvedInput);
+    }
+    const entries = await readdir(searchDir, { withFileTypes: true });
+    return entries
+        .filter((entry) => entry.isDirectory())
+        .filter((entry) => !partialName || entry.name.toLowerCase().startsWith(partialName.toLowerCase()))
+        .sort((a, b) => a.name.localeCompare(b.name))
+        .slice(0, 8)
+        .map((entry) => ({
+        path: path.join(searchDir, entry.name),
+        name: entry.name,
+        isDirectory: true
+    }));
+}