@fengye404/termpilot 0.1.0

package/dist/cli.js

@@ -0,0 +1,1962 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import path3 from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+
+// agent/src/cli.ts
+import { cwd as processCwd2 } from "process";
+
+// agent/src/daemon.ts
+import { setTimeout as delay } from "timers/promises";
+import WebSocket from "ws";
+
+// packages/protocol/src/index.ts
+var DEFAULT_DEVICE_ID = "pc-main";
+var DEFAULT_AGENT_TOKEN = "demo-agent-token";
+var DEFAULT_CLIENT_TOKEN = "demo-client-token";
+function parseJsonMessage(raw) {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+
+// agent/src/state-store.ts
+import { randomUUID } from "crypto";
+import { closeSync, mkdirSync, openSync, readFileSync, renameSync, rmSync, statSync, writeFileSync } from "fs";
+import { homedir } from "os";
+import path from "path";
+var INITIAL_STATE = {
+  version: 1,
+  sessions: []
+};
+var LOCK_STALE_MS = 1e4;
+var LOCK_TIMEOUT_MS = 5e3;
+var LOCK_POLL_MS = 20;
+function sleepMs(ms) {
+  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
+}
+function getAgentHome() {
+  return process.env.TERMPILOT_HOME ?? path.join(homedir(), ".termpilot");
+}
+function getStateFilePath() {
+  return path.join(getAgentHome(), "state.json");
+}
+function getStateLockPath() {
+  return `${getStateFilePath()}.lock`;
+}
+function ensureAgentHome() {
+  const dir = getAgentHome();
+  mkdirSync(dir, { recursive: true });
+  return dir;
+}
+function loadStateFromDisk(filePath) {
+  try {
+    const raw = readFileSync(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed.sessions)) {
+      return { ...INITIAL_STATE };
+    }
+    return parsed;
+  } catch {
+    return { ...INITIAL_STATE };
+  }
+}
+function loadState() {
+  ensureAgentHome();
+  return loadStateFromDisk(getStateFilePath());
+}
+function saveStateToDisk(filePath, state) {
+  const tempFilePath = `${filePath}.${process.pid}.${randomUUID()}.tmp`;
+  writeFileSync(tempFilePath, `${JSON.stringify(state, null, 2)}
+`, "utf8");
+  renameSync(tempFilePath, filePath);
+}
+function withStateLock(action) {
+  ensureAgentHome();
+  const filePath = getStateFilePath();
+  const lockPath = getStateLockPath();
+  const deadline = Date.now() + LOCK_TIMEOUT_MS;
+  while (true) {
+    try {
+      const lockFd = openSync(lockPath, "wx");
+      closeSync(lockFd);
+      break;
+    } catch (error) {
+      const code = error && typeof error === "object" && "code" in error ? error.code : void 0;
+      if (code !== "EEXIST") {
+        throw error;
+      }
+      try {
+        const stat = statSync(lockPath);
+        if (Date.now() - stat.mtimeMs > LOCK_STALE_MS) {
+          rmSync(lockPath, { force: true });
+          continue;
+        }
+      } catch {
+        continue;
+      }
+      if (Date.now() >= deadline) {
+        throw new Error("\u7B49\u5F85\u72B6\u6001\u6587\u4EF6\u9501\u8D85\u65F6\uFF0C\u8BF7\u7A0D\u540E\u91CD\u8BD5\u3002");
+      }
+      sleepMs(LOCK_POLL_MS);
+    }
+  }
+  try {
+    return action(filePath);
+  } finally {
+    rmSync(lockPath, { force: true });
+  }
+}
+function upsertSession(session) {
+  return withStateLock((filePath) => {
+    const state = loadStateFromDisk(filePath);
+    const sessions = state.sessions.filter((item) => item.sid !== session.sid);
+    sessions.push(session);
+    sessions.sort((left, right) => left.startedAt.localeCompare(right.startedAt));
+    const nextState = {
+      version: 1,
+      sessions
+    };
+    saveStateToDisk(filePath, nextState);
+    return nextState;
+  });
+}
+function updateSession(sid, updater) {
+  return withStateLock((filePath) => {
+    const state = loadStateFromDisk(filePath);
+    const sessions = state.sessions.map((session) => session.sid === sid ? updater(session) : session);
+    const nextState = {
+      version: 1,
+      sessions
+    };
+    saveStateToDisk(filePath, nextState);
+    return nextState;
+  });
+}
+
+// agent/src/tmux-backend.ts
+import { randomUUID as randomUUID2 } from "crypto";
+import { spawn } from "child_process";
+import { cwd as processCwd } from "process";
+var TERM_PREFIX = "termpilot";
+function now() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+function sanitizeName(value) {
+  return value.replace(/[^a-zA-Z0-9_-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "") || "session";
+}
+function buildTmuxSessionName(sid, name) {
+  return `${TERM_PREFIX}-${sanitizeName(name)}-${sid.slice(0, 8)}`;
+}
+function runTmux(args) {
+  return new Promise((resolve, reject) => {
+    const child = spawn("tmux", args, {
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString("utf8");
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString("utf8");
+    });
+    child.on("error", reject);
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve(stdout.trimEnd());
+        return;
+      }
+      reject(new Error(stderr.trim() || `tmux exited with code ${code ?? "unknown"}`));
+    });
+  });
+}
+async function ensureTmuxAvailable() {
+  await runTmux(["-V"]);
+}
+async function createSession(input = {}) {
+  const sid = randomUUID2();
+  const name = input.name?.trim() || `session-${sid.slice(0, 6)}`;
+  const shell = input.shell?.trim() || process.env.SHELL || "/bin/zsh";
+  const workingDirectory = input.cwd?.trim() || processCwd();
+  const deviceId = input.deviceId || DEFAULT_DEVICE_ID;
+  const startedAt = now();
+  const tmuxSessionName = buildTmuxSessionName(sid, name);
+  await runTmux(["new-session", "-d", "-s", tmuxSessionName, "-c", workingDirectory, shell]);
+  const session = {
+    sid,
+    deviceId,
+    name,
+    backend: "tmux",
+    shell,
+    cwd: workingDirectory,
+    status: "running",
+    startedAt,
+    lastSeq: 0,
+    lastActivityAt: startedAt,
+    tmuxSessionName
+  };
+  upsertSession(session);
+  return session;
+}
+function listSessions() {
+  return loadState().sessions;
+}
+function getSessionBySid(sid) {
+  return loadState().sessions.find((session) => session.sid === sid);
+}
+async function hasSession(tmuxSessionName) {
+  try {
+    await runTmux(["has-session", "-t", tmuxSessionName]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function captureSession(session) {
+  return runTmux(["capture-pane", "-p", "-S", "-2000", "-t", session.tmuxSessionName]);
+}
+async function sendLiteralText(tmuxSessionName, text) {
+  if (!text) {
+    return;
+  }
+  await runTmux(["send-keys", "-t", tmuxSessionName, "-l", "--", text]);
+}
+async function sendInput(session, text, key) {
+  if (text) {
+    const parts = text.split("\n");
+    for (let index = 0; index < parts.length; index += 1) {
+      await sendLiteralText(session.tmuxSessionName, parts[index] ?? "");
+      if (index < parts.length - 1) {
+        await runTmux(["send-keys", "-t", session.tmuxSessionName, "Enter"]);
+      }
+    }
+  }
+  if (!key) {
+    return;
+  }
+  const keyMap = {
+    enter: "Enter",
+    tab: "Tab",
+    ctrl_c: "C-c",
+    ctrl_d: "C-d",
+    escape: "Escape",
+    arrow_up: "Up",
+    arrow_down: "Down",
+    arrow_left: "Left",
+    arrow_right: "Right"
+  };
+  await runTmux(["send-keys", "-t", session.tmuxSessionName, keyMap[key]]);
+}
+async function resizeSession(session, cols, rows) {
+  await runTmux(["resize-window", "-t", session.tmuxSessionName, "-x", String(cols), "-y", String(rows)]);
+}
+async function killSession(sid) {
+  const session = getSessionBySid(sid);
+  if (!session) {
+    throw new Error(`\u4F1A\u8BDD ${sid} \u4E0D\u5B58\u5728`);
+  }
+  const exists = await hasSession(session.tmuxSessionName);
+  if (exists) {
+    await runTmux(["kill-session", "-t", session.tmuxSessionName]);
+  }
+  const nextState = updateSession(sid, (current) => ({
+    ...current,
+    status: "exited",
+    lastActivityAt: now()
+  }));
+  const nextSession = nextState.sessions.find((item) => item.sid === sid);
+  if (!nextSession) {
+    throw new Error(`\u4F1A\u8BDD ${sid} \u72B6\u6001\u66F4\u65B0\u5931\u8D25`);
+  }
+  return nextSession;
+}
+function markSessionExited(sid) {
+  const nextState = updateSession(sid, (current) => ({
+    ...current,
+    status: "exited",
+    lastActivityAt: now()
+  }));
+  return nextState.sessions.find((session) => session.sid === sid);
+}
+function bumpSessionSeq(sid) {
+  const nextState = updateSession(sid, (current) => ({
+    ...current,
+    lastSeq: current.lastSeq + 1,
+    lastActivityAt: now()
+  }));
+  return nextState.sessions.find((session) => session.sid === sid);
+}
+function attachSession(session) {
+  return new Promise((resolve, reject) => {
+    const child = spawn("tmux", ["attach-session", "-t", session.tmuxSessionName], {
+      stdio: "inherit"
+    });
+    child.on("error", reject);
+    child.on("close", (code) => resolve(code));
+  });
+}
+
+// agent/src/daemon.ts
+var DEFAULT_RELAY_URL = "ws://127.0.0.1:8787/ws";
+var AgentDaemon = class {
+  constructor(options) {
+    this.options = options;
+  }
+  runtimeState = /* @__PURE__ */ new Map();
+  socket = null;
+  running = false;
+  async start() {
+    await ensureTmuxAvailable();
+    this.running = true;
+    await Promise.all([this.connectLoop(), this.syncLoop()]);
+  }
+  async stop() {
+    this.running = false;
+    this.socket?.close();
+  }
+  async connectLoop() {
+    while (this.running) {
+      const wsUrl = new URL(this.options.relayUrl);
+      wsUrl.searchParams.set("role", "agent");
+      wsUrl.searchParams.set("token", this.options.agentToken);
+      wsUrl.searchParams.set("deviceId", this.options.deviceId);
+      const socket = new WebSocket(wsUrl);
+      this.socket = socket;
+      socket.on("open", () => {
+        this.sendSessionListResult({
+          type: "session.list.result",
+          reqId: "initial-sync",
+          deviceId: this.options.deviceId,
+          payload: {
+            sessions: listSessions().filter((session) => session.deviceId === this.options.deviceId)
+          }
+        });
+      });
+      socket.on("message", (raw) => {
+        const message = parseJsonMessage(raw.toString("utf8"));
+        if (!message) {
+          return;
+        }
+        void this.handleMessage(message);
+      });
+      const closePromise = new Promise((resolve) => {
+        socket.on("close", () => resolve());
+        socket.on("error", () => resolve());
+      });
+      await closePromise;
+      if (!this.running) {
+        break;
+      }
+      await delay(1500);
+    }
+  }
+  async syncLoop() {
+    while (this.running) {
+      const sessions = loadState().sessions.filter((session) => session.deviceId === this.options.deviceId);
+      for (const session of sessions) {
+        await this.syncSession(session);
+      }
+      await delay(this.options.pollIntervalMs);
+    }
+  }
+  async syncSession(session) {
+    const runtimeState = this.runtimeState.get(session.sid) ?? {
+      lastRenderedBuffer: "",
+      lastStatus: session.status
+    };
+    if (session.status === "exited") {
+      if (runtimeState.lastStatus !== "exited") {
+        this.runtimeState.set(session.sid, {
+          ...runtimeState,
+          lastStatus: "exited"
+        });
+        this.sendMessage({
+          type: "session.state",
+          deviceId: this.options.deviceId,
+          sid: session.sid,
+          payload: {
+            session
+          }
+        });
+      }
+      return;
+    }
+    const exists = await hasSession(session.tmuxSessionName);
+    if (!exists) {
+      const exitedSession = markSessionExited(session.sid);
+      if (exitedSession) {
+        this.runtimeState.set(session.sid, {
+          ...runtimeState,
+          lastStatus: "exited"
+        });
+        this.sendMessage({
+          type: "session.exit",
+          deviceId: this.options.deviceId,
+          sid: exitedSession.sid,
+          payload: {
+            reason: "tmux \u4F1A\u8BDD\u4E0D\u5B58\u5728\uFF0C\u5DF2\u6807\u8BB0\u9000\u51FA",
+            exitCode: null
+          }
+        });
+        this.sendMessage({
+          type: "session.state",
+          deviceId: this.options.deviceId,
+          sid: exitedSession.sid,
+          payload: {
+            session: exitedSession
+          }
+        });
+      }
+      return;
+    }
+    const buffer = await captureSession(session);
+    if (buffer === runtimeState.lastRenderedBuffer && runtimeState.lastStatus === session.status) {
+      return;
+    }
+    const nextSession = bumpSessionSeq(session.sid);
+    if (!nextSession) {
+      return;
+    }
+    this.runtimeState.set(session.sid, {
+      lastRenderedBuffer: buffer,
+      lastStatus: nextSession.status
+    });
+    const outputMessage = {
+      type: "session.output",
+      deviceId: this.options.deviceId,
+      sid: session.sid,
+      seq: nextSession.lastSeq,
+      payload: {
+        data: buffer,
+        mode: "replace"
+      }
+    };
+    const stateMessage = {
+      type: "session.state",
+      deviceId: this.options.deviceId,
+      sid: session.sid,
+      payload: {
+        session: nextSession
+      }
+    };
+    this.sendMessage(outputMessage);
+    this.sendMessage(stateMessage);
+  }
+  async handleMessage(message) {
+    switch (message.type) {
+      case "auth.ok":
+        return;
+      case "error":
+        this.handleError(message);
+        return;
+      case "session.list":
+        this.sendSessionListResult({
+          type: "session.list.result",
+          reqId: message.reqId,
+          deviceId: this.options.deviceId,
+          payload: {
+            sessions: listSessions().filter((session) => session.deviceId === this.options.deviceId)
+          }
+        });
+        return;
+      case "session.create":
+        await this.handleCreate(message);
+        return;
+      case "session.input":
+        await this.handleInput(message);
+        return;
+      case "session.resize":
+        await this.handleResize(message);
+        return;
+      case "session.kill":
+        await this.handleKill(message);
+        return;
+    }
+  }
+  handleError(message) {
+    if (message.code === "AUTH_FAILED" || message.code === "AGENT_REPLACED") {
+      this.running = false;
+      this.socket?.close();
+      console.error(`agent \u5DF2\u505C\u6B62: ${message.message}`);
+    }
+  }
+  async handleCreate(message) {
+    try {
+      const session = await createSession({
+        deviceId: this.options.deviceId,
+        name: message.payload.name,
+        cwd: message.payload.cwd,
+        shell: message.payload.shell
+      });
+      this.sendMessage({
+        type: "session.created",
+        reqId: message.reqId,
+        deviceId: this.options.deviceId,
+        payload: {
+          session
+        }
+      });
+    } catch (error) {
+      this.sendError(message.reqId, "SESSION_CREATE_FAILED", error);
+    }
+  }
+  async handleInput(message) {
+    try {
+      const session = getSessionBySid(message.sid);
+      if (!session) {
+        this.sendError(message.reqId, "SESSION_NOT_FOUND", `\u4F1A\u8BDD ${message.sid} \u4E0D\u5B58\u5728`);
+        return;
+      }
+      await sendInput(session, message.payload.text, message.payload.key);
+    } catch (error) {
+      this.sendError(message.reqId, "SESSION_INPUT_FAILED", error);
+    }
+  }
+  async handleResize(message) {
+    try {
+      const session = getSessionBySid(message.sid);
+      if (!session) {
+        this.sendError(message.reqId, "SESSION_NOT_FOUND", `\u4F1A\u8BDD ${message.sid} \u4E0D\u5B58\u5728`);
+        return;
+      }
+      await resizeSession(session, message.payload.cols, message.payload.rows);
+    } catch (error) {
+      this.sendError(message.reqId, "SESSION_RESIZE_FAILED", error);
+    }
+  }
+  async handleKill(message) {
+    try {
+      const session = await killSession(message.sid);
+      const exitMessage = {
+        type: "session.exit",
+        reqId: message.reqId,
+        deviceId: this.options.deviceId,
+        sid: session.sid,
+        payload: {
+          reason: "\u7528\u6237\u4E3B\u52A8\u5173\u95ED\u4F1A\u8BDD",
+          exitCode: null
+        }
+      };
+      const stateMessage = {
+        type: "session.state",
+        reqId: message.reqId,
+        deviceId: this.options.deviceId,
+        sid: session.sid,
+        payload: {
+          session
+        }
+      };
+      this.sendMessage(exitMessage);
+      this.sendMessage(stateMessage);
+    } catch (error) {
+      this.sendError(message.reqId, "SESSION_KILL_FAILED", error);
+    }
+  }
+  sendSessionListResult(message) {
+    this.sendMessage(message);
+  }
+  sendError(reqId, code, error) {
+    const message = error instanceof Error ? error.message : String(error);
+    const payload = {
+      type: "error",
+      reqId,
+      deviceId: this.options.deviceId,
+      code,
+      message
+    };
+    this.sendMessage(payload);
+  }
+  sendMessage(message) {
+    if (!this.socket || this.socket.readyState !== WebSocket.OPEN) {
+      return;
+    }
+    this.socket.send(JSON.stringify(message));
+  }
+};
+function createDaemonFromEnv() {
+  return new AgentDaemon({
+    relayUrl: process.env.TERMPILOT_RELAY_URL ?? DEFAULT_RELAY_URL,
+    agentToken: process.env.TERMPILOT_AGENT_TOKEN ?? DEFAULT_AGENT_TOKEN,
+    deviceId: process.env.TERMPILOT_DEVICE_ID ?? DEFAULT_DEVICE_ID,
+    pollIntervalMs: Number(process.env.TERMPILOT_POLL_INTERVAL_MS ?? 500)
+  });
+}
+
+// agent/src/relay-admin.ts
+function getRelayBaseUrl() {
+  const relayUrl = process.env.TERMPILOT_RELAY_URL ?? "ws://127.0.0.1:8787/ws";
+  let url;
+  try {
+    url = new URL(relayUrl);
+  } catch {
+    throw new Error("TERMPILOT_RELAY_URL \u65E0\u6548\uFF0C\u8BF7\u63D0\u4F9B\u5B8C\u6574\u7684 ws:// \u6216 wss:// \u5730\u5740\u3002");
+  }
+  url.protocol = url.protocol === "wss:" ? "https:" : "http:";
+  url.pathname = "/";
+  url.search = "";
+  return url.toString();
+}
+function getAgentToken() {
+  return process.env.TERMPILOT_AGENT_TOKEN ?? DEFAULT_AGENT_TOKEN;
+}
+function resolveDeviceId(value) {
+  return value?.trim() || process.env.TERMPILOT_DEVICE_ID || DEFAULT_DEVICE_ID;
+}
+async function readJsonOrThrow(response, message) {
+  if (!response.ok) {
+    throw new Error(`${message}: ${await response.text()}`);
+  }
+  return response.json();
+}
+async function fetchJson(input, init, message) {
+  let response;
+  try {
+    response = await fetch(input, init);
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : "\u672A\u77E5\u7F51\u7EDC\u9519\u8BEF";
+    throw new Error(`${message}: \u65E0\u6CD5\u8FDE\u63A5 relay (${input.origin})\uFF0C${detail}`);
+  }
+  return readJsonOrThrow(response, message);
+}
+async function createPairingCode(deviceId) {
+  return fetchJson(
+    new URL("/api/pairing-codes", getRelayBaseUrl()),
+    {
+      method: "POST",
+      headers: {
+        authorization: `Bearer ${getAgentToken()}`,
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({ deviceId })
+    },
+    "\u7533\u8BF7\u914D\u5BF9\u7801\u5931\u8D25"
+  );
+}
+async function listDeviceGrants(deviceId) {
+  return fetchJson(
+    new URL(`/api/devices/${deviceId}/grants`, getRelayBaseUrl()),
+    {
+      headers: {
+        authorization: `Bearer ${getAgentToken()}`
+      }
+    },
+    "\u8BFB\u53D6\u8BBF\u95EE\u4EE4\u724C\u5931\u8D25"
+  );
+}
+async function revokeDeviceGrant(deviceId, accessToken) {
+  await fetchJson(
+    new URL(`/api/devices/${deviceId}/grants/${accessToken}`, getRelayBaseUrl()),
+    {
+      method: "DELETE",
+      headers: {
+        authorization: `Bearer ${getAgentToken()}`
+      }
+    },
+    "\u64A4\u9500\u8BBF\u95EE\u4EE4\u724C\u5931\u8D25"
+  );
+}
+async function listAuditEvents(deviceId, limit) {
+  const constrainedLimit = Math.max(1, Math.min(limit, 100));
+  return fetchJson(
+    new URL(`/api/devices/${deviceId}/audit-events?limit=${constrainedLimit}`, getRelayBaseUrl()),
+    {
+      headers: {
+        authorization: `Bearer ${getAgentToken()}`
+      }
+    },
+    "\u8BFB\u53D6\u5BA1\u8BA1\u65E5\u5FD7\u5931\u8D25"
+  );
+}
+
+// agent/src/cli.ts
+function printHelp() {
+  console.log(`TermPilot agent \u7528\u6CD5\uFF1A
+
+  termpilot agent
+  termpilot create --name claude-main --cwd /path/to/project
+  termpilot list
+  termpilot kill --sid <sid>
+  termpilot attach --sid <sid>
+  termpilot pair
+  termpilot grants
+  termpilot audit
+  termpilot revoke --token <accessToken>
+  termpilot doctor
+`);
+}
+function parseArgs(argv) {
+  const args = {};
+  for (let index = 0; index < argv.length; index += 1) {
+    const current = argv[index];
+    if (!current?.startsWith("--")) {
+      continue;
+    }
+    const key = current.slice(2);
+    const next = argv[index + 1];
+    if (!next || next.startsWith("--")) {
+      args[key] = true;
+      continue;
+    }
+    args[key] = next;
+    index += 1;
+  }
+  return args;
+}
+async function runCreate(argv) {
+  const args = parseArgs(argv);
+  const session = await createSession({
+    name: typeof args.name === "string" ? args.name : void 0,
+    cwd: typeof args.cwd === "string" ? args.cwd : processCwd2(),
+    shell: typeof args.shell === "string" ? args.shell : void 0,
+    deviceId: typeof args.deviceId === "string" ? args.deviceId : void 0
+  });
+  console.log(`\u5DF2\u521B\u5EFA\u4F1A\u8BDD ${session.sid}`);
+  console.log(`\u540D\u79F0: ${session.name}`);
+  console.log(`tmux: ${session.tmuxSessionName}`);
+}
+function runList() {
+  const sessions = loadState().sessions;
+  if (sessions.length === 0) {
+    console.log("\u5F53\u524D\u6CA1\u6709\u4EFB\u4F55\u4F1A\u8BDD\u3002");
+    return;
+  }
+  console.table(
+    sessions.map((session) => ({
+      sid: session.sid,
+      name: session.name,
+      status: session.status,
+      cwd: session.cwd,
+      tmux: session.tmuxSessionName,
+      lastSeq: session.lastSeq,
+      updatedAt: session.lastActivityAt
+    }))
+  );
+}
+async function runKill(argv) {
+  const args = parseArgs(argv);
+  const sid = typeof args.sid === "string" ? args.sid : void 0;
+  if (!sid) {
+    throw new Error("\u8BF7\u901A\u8FC7 --sid \u6307\u5B9A\u4F1A\u8BDD\u3002");
+  }
+  const session = await killSession(sid);
+  console.log(`\u5DF2\u5173\u95ED\u4F1A\u8BDD ${session.sid} (${session.name})`);
+}
+async function runAttach(argv) {
+  const args = parseArgs(argv);
+  const sid = typeof args.sid === "string" ? args.sid : void 0;
+  if (!sid) {
+    throw new Error("\u8BF7\u901A\u8FC7 --sid \u6307\u5B9A\u4F1A\u8BDD\u3002");
+  }
+  const session = getSessionBySid(sid);
+  if (!session) {
+    throw new Error(`\u4F1A\u8BDD ${sid} \u4E0D\u5B58\u5728\u3002`);
+  }
+  const exists = await hasSession(session.tmuxSessionName);
+  if (!exists) {
+    throw new Error(`tmux \u4F1A\u8BDD ${session.tmuxSessionName} \u4E0D\u5B58\u5728\u3002`);
+  }
+  await attachSession(session);
+}
+async function runDoctor() {
+  console.log(`\u72B6\u6001\u76EE\u5F55: ${getAgentHome()}`);
+  console.log(`\u72B6\u6001\u6587\u4EF6: ${getStateFilePath()}`);
+  await ensureTmuxAvailable();
+  console.log("tmux \u53EF\u7528\u3002");
+}
+function getDeviceId(argv) {
+  const args = parseArgs(argv);
+  return resolveDeviceId(typeof args.deviceId === "string" ? args.deviceId : void 0);
+}
+async function runPair(argv) {
+  const deviceId = getDeviceId(argv);
+  const payload = await createPairingCode(deviceId);
+  console.log(`\u8BBE\u5907: ${payload.deviceId}`);
+  console.log(`\u914D\u5BF9\u7801: ${payload.pairingCode}`);
+  console.log(`\u6709\u6548\u671F\u81F3: ${payload.expiresAt}`);
+  console.log("\u8BF7\u5728\u624B\u673A\u7AEF\u8F93\u5165\u8FD9\u4E2A\u914D\u5BF9\u7801\uFF0C\u6362\u53D6\u8BBE\u5907\u8BBF\u95EE\u4EE4\u724C\u3002");
+}
+async function runGrants(argv) {
+  const deviceId = getDeviceId(argv);
+  const payload = await listDeviceGrants(deviceId);
+  if (payload.grants.length === 0) {
+    console.log(`\u8BBE\u5907 ${payload.deviceId} \u5F53\u524D\u6CA1\u6709\u4EFB\u4F55\u5DF2\u7ED1\u5B9A\u8BBF\u95EE\u4EE4\u724C\u3002`);
+    return;
+  }
+  console.table(
+    payload.grants.map((grant) => ({
+      token: grant.accessToken,
+      createdAt: grant.createdAt,
+      lastUsedAt: grant.lastUsedAt
+    }))
+  );
+}
+async function runRevoke(argv) {
+  const args = parseArgs(argv);
+  const accessToken = typeof args.token === "string" ? args.token : void 0;
+  if (!accessToken) {
+    throw new Error("\u8BF7\u901A\u8FC7 --token \u6307\u5B9A\u8981\u64A4\u9500\u7684\u8BBF\u95EE\u4EE4\u724C\u3002");
+  }
+  const deviceId = getDeviceId(argv);
+  await revokeDeviceGrant(deviceId, accessToken);
+  console.log(`\u5DF2\u64A4\u9500\u8BBE\u5907 ${deviceId} \u7684\u8BBF\u95EE\u4EE4\u724C ${accessToken}`);
+}
+async function runAudit(argv) {
+  const args = parseArgs(argv);
+  const deviceId = getDeviceId(argv);
+  const parsedLimit = typeof args.limit === "string" ? Number(args.limit) : 20;
+  if (!Number.isFinite(parsedLimit) || parsedLimit <= 0) {
+    throw new Error("\u8BF7\u901A\u8FC7 --limit \u6307\u5B9A\u5927\u4E8E 0 \u7684\u6570\u5B57\u3002");
+  }
+  const limit = Math.floor(parsedLimit);
+  const payload = await listAuditEvents(deviceId, limit);
+  if (payload.events.length === 0) {
+    console.log(`\u8BBE\u5907 ${payload.deviceId} \u5F53\u524D\u6CA1\u6709\u5BA1\u8BA1\u65E5\u5FD7\u3002`);
+    return;
+  }
+  console.table(
+    payload.events.map((event) => ({
+      createdAt: event.createdAt,
+      action: event.action,
+      actorRole: event.actorRole,
+      detail: event.detail
+    }))
+  );
+}
+async function runAgentCli(argv = process.argv.slice(2)) {
+  const [command, ...rest] = argv;
+  if (!command || command === "help" || command === "--help") {
+    printHelp();
+    return;
+  }
+  switch (command) {
+    case "daemon": {
+      await ensureTmuxAvailable();
+      const daemon = createDaemonFromEnv();
+      process.on("SIGINT", () => {
+        void daemon.stop().finally(() => process.exit(0));
+      });
+      process.on("SIGTERM", () => {
+        void daemon.stop().finally(() => process.exit(0));
+      });
+      await daemon.start();
+      return;
+    }
+    case "create":
+      await ensureTmuxAvailable();
+      await runCreate(rest);
+      return;
+    case "list":
+      runList();
+      return;
+    case "kill":
+      await ensureTmuxAvailable();
+      await runKill(rest);
+      return;
+    case "attach":
+      await ensureTmuxAvailable();
+      await runAttach(rest);
+      return;
+    case "doctor":
+      await runDoctor();
+      return;
+    case "pair":
+      await runPair(rest);
+      return;
+    case "grants":
+      await runGrants(rest);
+      return;
+    case "audit":
+      await runAudit(rest);
+      return;
+    case "revoke":
+      await runRevoke(rest);
+      return;
+    default:
+      printHelp();
+      process.exitCode = 1;
+  }
+}
+
+// relay/src/server.ts
+import { createReadStream, existsSync, statSync as statSync2 } from "fs";
+import path2 from "path";
+import { fileURLToPath } from "url";
+import Fastify from "fastify";
+import websocket from "@fastify/websocket";
+import { Pool } from "pg";
+
+// relay/src/auth-store.ts
+import { randomBytes } from "crypto";
+function createPairingCodeValue() {
+  const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
+  const bytes = randomBytes(6);
+  const chars = Array.from(bytes, (value) => alphabet[value % alphabet.length]);
+  return `${chars.slice(0, 3).join("")}-${chars.slice(3).join("")}`;
+}
+function createAccessToken() {
+  return randomBytes(24).toString("hex");
+}
+var MemoryAuthStore = class {
+  pairingCodes = /* @__PURE__ */ new Map();
+  grants = /* @__PURE__ */ new Map();
+  async init() {
+  }
+  async createPairingCode(deviceId, ttlMinutes) {
+    const pairingCode = createPairingCodeValue();
+    const expiresAt = new Date(Date.now() + ttlMinutes * 6e4).toISOString();
+    this.pairingCodes.set(pairingCode, {
+      deviceId,
+      expiresAt
+    });
+    return {
+      deviceId,
+      pairingCode,
+      expiresAt
+    };
+  }
+  async redeemPairingCode(pairingCode) {
+    const record = this.pairingCodes.get(pairingCode);
+    if (!record || record.redeemedAt || Date.parse(record.expiresAt) <= Date.now()) {
+      return null;
+    }
+    record.redeemedAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.pairingCodes.set(pairingCode, record);
+    const accessToken = createAccessToken();
+    const now3 = (/* @__PURE__ */ new Date()).toISOString();
+    const grant = {
+      accessToken,
+      deviceId: record.deviceId,
+      createdAt: now3,
+      lastUsedAt: now3
+    };
+    this.grants.set(accessToken, grant);
+    return grant;
+  }
+  async getGrantByAccessToken(accessToken) {
+    const grant = this.grants.get(accessToken);
+    if (!grant) {
+      return null;
+    }
+    const nextGrant = {
+      ...grant,
+      lastUsedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.grants.set(accessToken, nextGrant);
+    return nextGrant;
+  }
+  async listGrants(deviceId) {
+    return Array.from(this.grants.values()).filter((grant) => grant.deviceId === deviceId).sort((left, right) => right.createdAt.localeCompare(left.createdAt));
+  }
+  async revokeGrant(deviceId, accessToken) {
+    const grant = this.grants.get(accessToken);
+    if (!grant || grant.deviceId !== deviceId) {
+      return false;
+    }
+    this.grants.delete(accessToken);
+    return true;
+  }
+};
+var PostgresAuthStore = class {
+  constructor(pool) {
+    this.pool = pool;
+  }
+  async init() {
+    await this.pool.query(`
+      create table if not exists relay_pairing_codes (
+        pairing_code text primary key,
+        device_id text not null,
+        expires_at timestamptz not null,
+        redeemed_at timestamptz null,
+        created_at timestamptz not null default now()
+      );
+    `);
+    await this.pool.query(`
+      create table if not exists relay_client_grants (
+        access_token text primary key,
+        device_id text not null,
+        created_at timestamptz not null default now(),
+        last_used_at timestamptz not null default now()
+      );
+    `);
+  }
+  async createPairingCode(deviceId, ttlMinutes) {
+    const pairingCode = createPairingCodeValue();
+    const expiresAt = new Date(Date.now() + ttlMinutes * 6e4).toISOString();
+    await this.pool.query(
+      `
+      insert into relay_pairing_codes (pairing_code, device_id, expires_at)
+      values ($1, $2, $3)
+      `,
+      [pairingCode, deviceId, expiresAt]
+    );
+    return {
+      deviceId,
+      pairingCode,
+      expiresAt
+    };
+  }
+  async redeemPairingCode(pairingCode) {
+    const client = await this.pool.connect();
+    try {
+      await client.query("begin");
+      const result = await client.query(
+        `
+        select device_id, expires_at, redeemed_at
+        from relay_pairing_codes
+        where pairing_code = $1
+        for update
+        `,
+        [pairingCode]
+      );
+      const record = result.rows[0];
+      if (!record || record.redeemed_at || Date.parse(record.expires_at) <= Date.now()) {
+        await client.query("rollback");
+        return null;
+      }
+      const accessToken = createAccessToken();
+      await client.query(
+        `
+        update relay_pairing_codes
+        set redeemed_at = now()
+        where pairing_code = $1
+        `,
+        [pairingCode]
+      );
+      await client.query(
+        `
+        insert into relay_client_grants (access_token, device_id)
+        values ($1, $2)
+        `,
+        [accessToken, record.device_id]
+      );
+      await client.query("commit");
+      const now3 = (/* @__PURE__ */ new Date()).toISOString();
+      return {
+        accessToken,
+        deviceId: record.device_id,
+        createdAt: now3,
+        lastUsedAt: now3
+      };
+    } catch (error) {
+      await client.query("rollback");
+      throw error;
+    } finally {
+      client.release();
+    }
+  }
+  async getGrantByAccessToken(accessToken) {
+    const result = await this.pool.query(
+      `
+      update relay_client_grants
+      set last_used_at = now()
+      where access_token = $1
+      returning access_token, device_id, created_at, last_used_at
+      `,
+      [accessToken]
+    );
+    const record = result.rows[0];
+    if (!record) {
+      return null;
+    }
+    return {
+      accessToken: record.access_token,
+      deviceId: record.device_id,
+      createdAt: record.created_at,
+      lastUsedAt: record.last_used_at
+    };
+  }
+  async listGrants(deviceId) {
+    const result = await this.pool.query(
+      `
+      select access_token, device_id, created_at, last_used_at
+      from relay_client_grants
+      where device_id = $1
+      order by created_at desc
+      `,
+      [deviceId]
+    );
+    return result.rows.map((record) => ({
+      accessToken: record.access_token,
+      deviceId: record.device_id,
+      createdAt: record.created_at,
+      lastUsedAt: record.last_used_at
+    }));
+  }
+  async revokeGrant(deviceId, accessToken) {
+    const result = await this.pool.query(
+      `
+      delete from relay_client_grants
+      where device_id = $1 and access_token = $2
+      `,
+      [deviceId, accessToken]
+    );
+    return (result.rowCount ?? 0) > 0;
+  }
+};
+
+// relay/src/audit-store.ts
+import { randomUUID as randomUUID3 } from "crypto";
+function now2() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+var MemoryAuditStore = class {
+  events = /* @__PURE__ */ new Map();
+  async init() {
+  }
+  async addEvent(input) {
+    const event = {
+      id: randomUUID3(),
+      deviceId: input.deviceId,
+      action: input.action,
+      actorRole: input.actorRole,
+      detail: input.detail,
+      createdAt: now2()
+    };
+    const bucket = this.events.get(input.deviceId) ?? [];
+    bucket.unshift(event);
+    this.events.set(input.deviceId, bucket.slice(0, 200));
+    return event;
+  }
+  async listEvents(deviceId, limit) {
+    return (this.events.get(deviceId) ?? []).slice(0, limit);
+  }
+};
+var PostgresAuditStore = class {
+  constructor(pool) {
+    this.pool = pool;
+  }
+  async init() {
+    await this.pool.query(`
+      create table if not exists relay_audit_events (
+        id text primary key,
+        device_id text not null,
+        action text not null,
+        actor_role text not null,
+        detail text not null,
+        created_at timestamptz not null default now()
+      );
+    `);
+    await this.pool.query(`
+      create index if not exists relay_audit_events_device_id_idx
+      on relay_audit_events (device_id, created_at desc);
+    `);
+  }
+  async addEvent(input) {
+    const event = {
+      id: randomUUID3(),
+      deviceId: input.deviceId,
+      action: input.action,
+      actorRole: input.actorRole,
+      detail: input.detail,
+      createdAt: now2()
+    };
+    await this.pool.query(
+      `
+      insert into relay_audit_events (id, device_id, action, actor_role, detail, created_at)
+      values ($1, $2, $3, $4, $5, $6)
+      `,
+      [event.id, event.deviceId, event.action, event.actorRole, event.detail, event.createdAt]
+    );
+    return event;
+  }
+  async listEvents(deviceId, limit) {
+    const result = await this.pool.query(
+      `
+      select id, device_id, action, actor_role, detail, created_at
+      from relay_audit_events
+      where device_id = $1
+      order by created_at desc
+      limit $2
+      `,
+      [deviceId, limit]
+    );
+    return result.rows.map((row) => ({
+      id: row.id,
+      deviceId: row.device_id,
+      action: row.action,
+      actorRole: row.actor_role,
+      detail: row.detail,
+      createdAt: row.created_at
+    }));
+  }
+};
+
+// relay/src/config.ts
+function loadConfig() {
+  return {
+    host: process.env.HOST ?? "0.0.0.0",
+    port: Number(process.env.PORT ?? 8787),
+    agentToken: process.env.TERMPILOT_AGENT_TOKEN ?? DEFAULT_AGENT_TOKEN,
+    clientToken: process.env.TERMPILOT_CLIENT_TOKEN ?? DEFAULT_CLIENT_TOKEN,
+    databaseUrl: process.env.DATABASE_URL?.trim() || void 0,
+    pairingTtlMinutes: Number(process.env.TERMPILOT_PAIRING_TTL_MINUTES ?? 10)
+  };
+}
+
+// relay/src/session-store.ts
+var MemorySessionStore = class {
+  mode = "memory";
+  sessions = /* @__PURE__ */ new Map();
+  async replaceSessions(deviceId, sessions) {
+    const bucket = /* @__PURE__ */ new Map();
+    for (const session of sessions) {
+      bucket.set(session.sid, session);
+    }
+    this.sessions.set(deviceId, bucket);
+  }
+  async upsertSession(session) {
+    const bucket = this.sessions.get(session.deviceId) ?? /* @__PURE__ */ new Map();
+    bucket.set(session.sid, session);
+    this.sessions.set(session.deviceId, bucket);
+  }
+  async markSessionExited(deviceId, sid) {
+    const bucket = this.sessions.get(deviceId);
+    const session = bucket?.get(sid);
+    if (!bucket || !session) {
+      return;
+    }
+    bucket.set(sid, {
+      ...session,
+      status: "exited",
+      lastActivityAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+  async listSessions(deviceId) {
+    return Array.from(this.sessions.get(deviceId)?.values() ?? []);
+  }
+  async close() {
+  }
+};
+var PostgresSessionStore = class {
+  constructor(pool) {
+    this.pool = pool;
+  }
+  mode = "postgres";
+  async init() {
+    await this.pool.query(`
+      create table if not exists relay_sessions (
+        sid text primary key,
+        device_id text not null,
+        name text not null,
+        backend text not null,
+        shell text not null,
+        cwd text not null,
+        status text not null,
+        started_at timestamptz not null,
+        last_seq integer not null,
+        last_activity_at timestamptz not null,
+        tmux_session_name text not null,
+        updated_at timestamptz not null default now()
+      );
+    `);
+    await this.pool.query(`
+      create index if not exists relay_sessions_device_id_idx
+      on relay_sessions (device_id);
+    `);
+  }
+  async replaceSessions(deviceId, sessions) {
+    const client = await this.pool.connect();
+    try {
+      await client.query("begin");
+      await client.query("delete from relay_sessions where device_id = $1", [deviceId]);
+      for (const session of sessions) {
+        await this.upsertSessionWithClient(client, session);
+      }
+      await client.query("commit");
+    } catch (error) {
+      await client.query("rollback");
+      throw error;
+    } finally {
+      client.release();
+    }
+  }
+  async upsertSession(session) {
+    const client = await this.pool.connect();
+    try {
+      await this.upsertSessionWithClient(client, session);
+    } finally {
+      client.release();
+    }
+  }
+  async upsertSessionWithClient(client, session) {
+    await client.query(
+      `
+      insert into relay_sessions (
+        sid, device_id, name, backend, shell, cwd, status, started_at, last_seq, last_activity_at, tmux_session_name, updated_at
+      ) values (
+        $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, now()
+      )
+      on conflict (sid) do update set
+        device_id = excluded.device_id,
+        name = excluded.name,
+        backend = excluded.backend,
+        shell = excluded.shell,
+        cwd = excluded.cwd,
+        status = excluded.status,
+        started_at = excluded.started_at,
+        last_seq = excluded.last_seq,
+        last_activity_at = excluded.last_activity_at,
+        tmux_session_name = excluded.tmux_session_name,
+        updated_at = now()
+      `,
+      [
+        session.sid,
+        session.deviceId,
+        session.name,
+        session.backend,
+        session.shell,
+        session.cwd,
+        session.status,
+        session.startedAt,
+        session.lastSeq,
+        session.lastActivityAt,
+        session.tmuxSessionName
+      ]
+    );
+  }
+  async markSessionExited(deviceId, sid) {
+    await this.pool.query(
+      `
+      update relay_sessions
+      set status = 'exited', last_activity_at = now(), updated_at = now()
+      where device_id = $1 and sid = $2
+      `,
+      [deviceId, sid]
+    );
+  }
+  async listSessions(deviceId) {
+    const result = await this.pool.query(
+      `
+      select
+        sid,
+        device_id as "deviceId",
+        name,
+        backend,
+        shell,
+        cwd,
+        status,
+        started_at as "startedAt",
+        last_seq as "lastSeq",
+        last_activity_at as "lastActivityAt",
+        tmux_session_name as "tmuxSessionName"
+      from relay_sessions
+      where device_id = $1
+      order by started_at desc
+      `,
+      [deviceId]
+    );
+    return result.rows;
+  }
+  async close() {
+    await this.pool.end();
+  }
+};
+
+// relay/src/server.ts
+var STATIC_CONTENT_TYPES = {
+  ".css": "text/css; charset=utf-8",
+  ".html": "text/html; charset=utf-8",
+  ".ico": "image/x-icon",
+  ".js": "application/javascript; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".map": "application/json; charset=utf-8",
+  ".png": "image/png",
+  ".svg": "image/svg+xml; charset=utf-8",
+  ".txt": "text/plain; charset=utf-8",
+  ".webmanifest": "application/manifest+json; charset=utf-8"
+};
+function getMimeType(filePath) {
+  return STATIC_CONTENT_TYPES[path2.extname(filePath).toLowerCase()] ?? "application/octet-stream";
+}
+function createStaticPath(webDir, urlPath) {
+  const requestPath = decodeURIComponent(urlPath.split("?")[0] ?? "/");
+  const relativePath = requestPath === "/" ? "index.html" : requestPath.replace(/^\/+/, "");
+  const resolvedPath = path2.resolve(webDir, relativePath);
+  if (!resolvedPath.startsWith(path2.resolve(webDir))) {
+    return path2.join(webDir, "index.html");
+  }
+  if (!existsSync(resolvedPath)) {
+    return path2.join(webDir, "index.html");
+  }
+  try {
+    if (statSync2(resolvedPath).isDirectory()) {
+      return path2.join(webDir, "index.html");
+    }
+  } catch {
+    return path2.join(webDir, "index.html");
+  }
+  return resolvedPath;
+}
+function resolveDefaultWebDir(moduleUrl = import.meta.url) {
+  return fileURLToPath(new URL("../../app/dist", moduleUrl));
+}
+async function startRelayServer(options = {}) {
+  const config = {
+    ...loadConfig(),
+    ...options.config
+  };
+  const app = Fastify({ logger: true });
+  const agents = /* @__PURE__ */ new Map();
+  const clients = /* @__PURE__ */ new Set();
+  const sessionCache = /* @__PURE__ */ new Map();
+  const outputBuffers = /* @__PURE__ */ new Map();
+  const webDir = options.webDir ?? resolveDefaultWebDir(import.meta.url);
+  const storesPromise = (async () => {
+    if (!config.databaseUrl) {
+      app.log.warn("\u672A\u63D0\u4F9B DATABASE_URL\uFF0C\u5F53\u524D relay \u4F7F\u7528\u5185\u5B58\u5B58\u50A8\u4F1A\u8BDD\u5143\u6570\u636E\u3002");
+      const sessionStore2 = new MemorySessionStore();
+      const authStore2 = new MemoryAuthStore();
+      const auditStore2 = new MemoryAuditStore();
+      await authStore2.init();
+      await auditStore2.init();
+      return { sessionStore: sessionStore2, authStore: authStore2, auditStore: auditStore2 };
+    }
+    const pool = new Pool({ connectionString: config.databaseUrl });
+    const sessionStore = new PostgresSessionStore(pool);
+    const authStore = new PostgresAuthStore(pool);
+    const auditStore = new PostgresAuditStore(pool);
+    await sessionStore.init();
+    await authStore.init();
+    await auditStore.init();
+    app.log.info("relay \u5DF2\u8FDE\u63A5 PostgreSQL\uFF0C\u4F1A\u8BDD\u5143\u6570\u636E\u5C06\u5199\u5165\u6570\u636E\u5E93\u3002");
+    return { sessionStore, authStore, auditStore };
+  })();
+  async function appendAuditEvent(input) {
+    const { auditStore } = await storesPromise;
+    await auditStore.addEvent(input);
+  }
+  function clientCanAccessDevice(client, deviceId) {
+    if (!deviceId) {
+      return true;
+    }
+    return client.deviceScope === "*" || client.deviceScope.has(deviceId);
+  }
+  function serializeForClient(client, message) {
+    switch (message.type) {
+      case "relay.state": {
+        const scope = client.deviceScope;
+        const agentsForClient = scope === "*" ? message.payload.agents : message.payload.agents.filter((agent) => scope.has(agent.deviceId));
+        return JSON.stringify({
+          ...message,
+          payload: {
+            agents: agentsForClient
+          }
+        });
+      }
+      case "error":
+        return clientCanAccessDevice(client, message.deviceId) ? JSON.stringify(message) : null;
+      case "auth.ok":
+        return JSON.stringify(message);
+      default:
+        return clientCanAccessDevice(client, message.deviceId) ? JSON.stringify(message) : null;
+    }
+  }
+  function broadcastToClients(message) {
+    for (const client of clients) {
+      if (client.socket.readyState !== client.socket.OPEN) {
+        continue;
+      }
+      const raw = serializeForClient(client, message);
+      if (raw) {
+        client.socket.send(raw);
+      }
+    }
+  }
+  function sendError(socket, code, message, reqId) {
+    if (socket.readyState !== socket.OPEN) {
+      return;
+    }
+    const payload = {
+      type: "error",
+      code,
+      message,
+      reqId
+    };
+    socket.send(JSON.stringify(payload));
+  }
+  function disconnectClientsByAccessToken(accessToken) {
+    for (const client of clients) {
+      if (client.accessToken !== accessToken) {
+        continue;
+      }
+      sendError(client.socket, "AUTH_REVOKED", "\u5F53\u524D\u8BBF\u95EE\u4EE4\u724C\u5DF2\u88AB\u64A4\u9500");
+      client.socket.close();
+    }
+  }
+  function relayStateMessage() {
+    return {
+      type: "relay.state",
+      payload: {
+        agents: Array.from(agents.keys()).map((deviceId) => ({
+          deviceId,
+          online: true
+        }))
+      }
+    };
+  }
+  function broadcastRelayState() {
+    broadcastToClients(relayStateMessage());
+  }
+  function pruneOutputBuffers(deviceId, sessions) {
+    const prefix = `${deviceId}:`;
+    for (const key of outputBuffers.keys()) {
+      if (!key.startsWith(prefix)) {
+        continue;
+      }
+      const sid = key.slice(prefix.length);
+      if (!sessions.has(sid)) {
+        outputBuffers.delete(key);
+      }
+    }
+  }
+  function setCachedSessions(deviceId, sessions) {
+    const bucket = /* @__PURE__ */ new Map();
+    for (const session of sessions) {
+      bucket.set(session.sid, session);
+    }
+    sessionCache.set(deviceId, bucket);
+    pruneOutputBuffers(deviceId, bucket);
+  }
+  function upsertCachedSession(session) {
+    const bucket = sessionCache.get(session.deviceId) ?? /* @__PURE__ */ new Map();
+    bucket.set(session.sid, session);
+    sessionCache.set(session.deviceId, bucket);
+  }
+  function markCachedSessionExited(deviceId, sid) {
+    const bucket = sessionCache.get(deviceId);
+    const session = bucket?.get(sid);
+    if (!bucket || !session) {
+      return;
+    }
+    bucket.set(sid, {
+      ...session,
+      status: "exited",
+      lastActivityAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+  function pushOutputFrame(frame) {
+    const key = `${frame.deviceId}:${frame.sid}`;
+    const buffer = outputBuffers.get(key) ?? { frames: [] };
+    buffer.frames.push(frame);
+    buffer.frames = buffer.frames.slice(-40);
+    outputBuffers.set(key, buffer);
+  }
+  async function handleAgentMessage(message) {
+    const { sessionStore } = await storesPromise;
+    switch (message.type) {
+      case "session.list.result":
+        setCachedSessions(message.deviceId, message.payload.sessions);
+        await sessionStore.replaceSessions(message.deviceId, message.payload.sessions);
+        broadcastToClients(message);
+        return;
+      case "session.created":
+        upsertCachedSession(message.payload.session);
+        await sessionStore.upsertSession(message.payload.session);
+        broadcastToClients(message);
+        return;
+      case "session.state":
+        upsertCachedSession(message.payload.session);
+        await sessionStore.upsertSession(message.payload.session);
+        broadcastToClients(message);
+        return;
+      case "session.output":
+        pushOutputFrame(message);
+        broadcastToClients(message);
+        return;
+      case "session.exit":
+        markCachedSessionExited(message.deviceId, message.sid);
+        await sessionStore.markSessionExited(message.deviceId, message.sid);
+        broadcastToClients(message);
+        return;
+      case "error":
+        broadcastToClients(message);
+    }
+  }
+  async function handleClientMessage(client, message) {
+    if (!clientCanAccessDevice(client, message.deviceId)) {
+      sendError(client.socket, "DEVICE_FORBIDDEN", `\u5F53\u524D\u5BA2\u6237\u7AEF\u65E0\u6743\u8BBF\u95EE\u8BBE\u5907 ${message.deviceId}`, "reqId" in message ? message.reqId : void 0);
+      return;
+    }
+    if (message.type === "session.replay") {
+      const key = `${message.deviceId}:${message.sid}`;
+      const frames = outputBuffers.get(key)?.frames ?? [];
+      for (const frame of frames.filter((item) => item.seq > (message.payload?.afterSeq ?? -1))) {
+        client.socket.send(JSON.stringify(frame));
+      }
+      return;
+    }
+    if (message.type === "session.list" && !agents.has(message.deviceId)) {
+      const { sessionStore } = await storesPromise;
+      const cached = sessionCache.get(message.deviceId);
+      const sessions = cached ? Array.from(cached.values()) : await sessionStore.listSessions(message.deviceId);
+      const payload = {
+        type: "session.list.result",
+        reqId: message.reqId,
+        deviceId: message.deviceId,
+        payload: {
+          sessions
+        }
+      };
+      client.socket.send(JSON.stringify(payload));
+      return;
+    }
+    const agent = agents.get(message.deviceId);
+    if (!agent || agent.socket.readyState !== agent.socket.OPEN) {
+      sendError(client.socket, "DEVICE_OFFLINE", `\u8BBE\u5907 ${message.deviceId} \u5F53\u524D\u4E0D\u5728\u7EBF`, "reqId" in message ? message.reqId : void 0);
+      return;
+    }
+    if (message.type === "session.create") {
+      await appendAuditEvent({
+        deviceId: message.deviceId,
+        action: "session.create_requested",
+        actorRole: "client",
+        detail: `\u8BF7\u6C42\u521B\u5EFA\u4F1A\u8BDD ${message.payload.name?.trim() || "(\u672A\u547D\u540D)"}${message.payload.cwd ? ` @ ${message.payload.cwd}` : ""}`
+      });
+    }
+    if (message.type === "session.kill") {
+      await appendAuditEvent({
+        deviceId: message.deviceId,
+        action: "session.kill_requested",
+        actorRole: "client",
+        detail: `\u8BF7\u6C42\u5173\u95ED\u4F1A\u8BDD ${message.sid}`
+      });
+    }
+    agent.socket.send(JSON.stringify(message));
+  }
+  await app.register(websocket);
+  app.addHook("onRequest", async (request, reply) => {
+    reply.header("access-control-allow-origin", "*");
+    reply.header("access-control-allow-methods", "GET,POST,OPTIONS");
+    reply.header("access-control-allow-headers", "content-type,authorization");
+    if (request.method === "OPTIONS") {
+      return reply.code(204).send();
+    }
+  });
+  app.addHook("onClose", async () => {
+    const { sessionStore } = await storesPromise;
+    await sessionStore.close();
+  });
+  app.get("/health", async () => {
+    const { sessionStore } = await storesPromise;
+    return {
+      ok: true,
+      storeMode: sessionStore.mode,
+      agentsOnline: agents.size,
+      clientsOnline: clients.size,
+      webUiReady: existsSync(webDir)
+    };
+  });
+  app.post("/api/pairing-codes", async (request, reply) => {
+    const authHeader = request.headers.authorization;
+    const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : void 0;
+    if (token !== config.agentToken) {
+      return reply.code(401).send({ message: "agent \u8BA4\u8BC1\u5931\u8D25" });
+    }
+    const deviceId = request.body?.deviceId?.trim();
+    if (!deviceId) {
+      return reply.code(400).send({ message: "deviceId \u4E0D\u80FD\u4E3A\u7A7A" });
+    }
+    if (!agents.has(deviceId)) {
+      return reply.code(404).send({ message: `\u8BBE\u5907 ${deviceId} \u5F53\u524D\u4E0D\u5728\u7EBF` });
+    }
+    const { authStore } = await storesPromise;
+    const pairing = await authStore.createPairingCode(deviceId, config.pairingTtlMinutes);
+    await appendAuditEvent({
+      deviceId,
+      action: "pairing.code_created",
+      actorRole: "agent",
+      detail: `\u521B\u5EFA\u4E00\u6B21\u6027\u914D\u5BF9\u7801 ${pairing.pairingCode}\uFF0C\u6709\u6548\u671F\u81F3 ${pairing.expiresAt}`
+    });
+    const payload = {
+      deviceId: pairing.deviceId,
+      pairingCode: pairing.pairingCode,
+      expiresAt: pairing.expiresAt
+    };
+    return reply.send(payload);
+  });
+  app.post("/api/pairings/redeem", async (request, reply) => {
+    const pairingCode = request.body?.pairingCode?.trim().toUpperCase();
+    if (!pairingCode) {
+      return reply.code(400).send({ message: "pairingCode \u4E0D\u80FD\u4E3A\u7A7A" });
+    }
+    const { authStore } = await storesPromise;
+    const grant = await authStore.redeemPairingCode(pairingCode);
+    if (!grant) {
+      return reply.code(400).send({ message: "\u914D\u5BF9\u7801\u65E0\u6548\u3001\u5DF2\u4F7F\u7528\u6216\u5DF2\u8FC7\u671F" });
+    }
+    await appendAuditEvent({
+      deviceId: grant.deviceId,
+      action: "pairing.redeemed",
+      actorRole: "client",
+      detail: `\u4F7F\u7528\u914D\u5BF9\u7801 ${pairingCode} \u5151\u6362\u8BBF\u95EE\u4EE4\u724C ${grant.accessToken.slice(0, 8)}...`
+    });
+    const payload = {
+      deviceId: grant.deviceId,
+      accessToken: grant.accessToken
+    };
+    return reply.send(payload);
+  });
+  app.get("/api/devices/:deviceId/grants", async (request, reply) => {
+    const authHeader = request.headers.authorization;
+    const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : void 0;
+    if (token !== config.agentToken) {
+      return reply.code(401).send({ message: "agent \u8BA4\u8BC1\u5931\u8D25" });
+    }
+    const deviceId = request.params.deviceId.trim();
+    const { authStore } = await storesPromise;
+    const grants = await authStore.listGrants(deviceId);
+    return reply.send({
+      deviceId,
+      grants
+    });
+  });
+  app.get("/api/devices/:deviceId/audit-events", async (request, reply) => {
+    const authHeader = request.headers.authorization;
+    const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : void 0;
+    if (token !== config.agentToken) {
+      return reply.code(401).send({ message: "agent \u8BA4\u8BC1\u5931\u8D25" });
+    }
+    const deviceId = request.params.deviceId.trim();
+    const requestedLimit = Number(request.query.limit ?? 20);
+    const limit = Number.isFinite(requestedLimit) ? Math.min(Math.max(Math.floor(requestedLimit), 1), 100) : 20;
+    const { auditStore } = await storesPromise;
+    const events = await auditStore.listEvents(deviceId, limit);
+    return reply.send({
+      deviceId,
+      events
+    });
+  });
+  app.delete("/api/devices/:deviceId/grants/:accessToken", async (request, reply) => {
+    const authHeader = request.headers.authorization;
+    const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : void 0;
+    if (token !== config.agentToken) {
+      return reply.code(401).send({ message: "agent \u8BA4\u8BC1\u5931\u8D25" });
+    }
+    const deviceId = request.params.deviceId.trim();
+    const accessToken = request.params.accessToken.trim();
+    const { authStore } = await storesPromise;
+    const revoked = await authStore.revokeGrant(deviceId, accessToken);
+    if (!revoked) {
+      return reply.code(404).send({ message: "\u8BBF\u95EE\u4EE4\u724C\u4E0D\u5B58\u5728" });
+    }
+    disconnectClientsByAccessToken(accessToken);
+    await appendAuditEvent({
+      deviceId,
+      action: "grant.revoked",
+      actorRole: "agent",
+      detail: `\u64A4\u9500\u8BBF\u95EE\u4EE4\u724C ${accessToken.slice(0, 8)}...`
+    });
+    return reply.send({ ok: true });
+  });
+  app.get("/ws", { websocket: true }, (connection, request) => {
+    const url = new URL(request.raw.url ?? "/ws", `http://${request.headers.host ?? "127.0.0.1"}`);
+    const role = url.searchParams.get("role");
+    const token = url.searchParams.get("token");
+    const deviceId = url.searchParams.get("deviceId") ?? void 0;
+    const socket = connection;
+    if (role === "agent") {
+      if (token !== config.agentToken || !deviceId) {
+        sendError(socket, "AUTH_FAILED", "agent \u8BA4\u8BC1\u5931\u8D25");
+        socket.close();
+        return;
+      }
+      const previousAgent = agents.get(deviceId);
+      if (previousAgent && previousAgent.socket !== socket) {
+        sendError(previousAgent.socket, "AGENT_REPLACED", `\u8BBE\u5907 ${deviceId} \u5DF2\u7531\u65B0\u7684 agent \u63A5\u7BA1`);
+        previousAgent.socket.close();
+      }
+      agents.set(deviceId, { socket, deviceId });
+      socket.send(JSON.stringify({ type: "auth.ok", payload: { role: "agent", deviceId } }));
+      broadcastRelayState();
+      socket.on("message", (raw) => {
+        const current = agents.get(deviceId);
+        if (current?.socket !== socket) {
+          return;
+        }
+        const message = parseJsonMessage(raw.toString());
+        if (!message) {
+          return;
+        }
+        void handleAgentMessage(message);
+      });
+      socket.on("close", () => {
+        const current = agents.get(deviceId);
+        if (current?.socket === socket) {
+          agents.delete(deviceId);
+        }
+        broadcastRelayState();
+      });
+      return;
+    }
+    if (role === "client") {
+      void (async () => {
+        let client = null;
+        if (token === config.clientToken) {
+          client = {
+            socket,
+            deviceScope: "*"
+          };
+        } else if (token) {
+          const { authStore } = await storesPromise;
+          const grant = await authStore.getGrantByAccessToken(token);
+          if (grant) {
+            client = {
+              socket,
+              deviceScope: /* @__PURE__ */ new Set([grant.deviceId]),
+              accessToken: grant.accessToken
+            };
+          }
+        }
+        if (!client) {
+          sendError(socket, "AUTH_FAILED", "client \u8BA4\u8BC1\u5931\u8D25");
+          socket.close();
+          return;
+        }
+        clients.add(client);
+        const scopedDeviceId = client.deviceScope === "*" ? void 0 : Array.from(client.deviceScope)[0];
+        socket.send(JSON.stringify({ type: "auth.ok", payload: { role: "client", deviceId: scopedDeviceId } }));
+        const relayState = serializeForClient(client, relayStateMessage());
+        if (relayState) {
+          socket.send(relayState);
+        }
+        socket.on("message", (raw) => {
+          const message = parseJsonMessage(raw.toString());
+          if (!message) {
+            return;
+          }
+          void handleClientMessage(client, message);
+        });
+        socket.on("close", () => {
+          if (client) {
+            clients.delete(client);
+          }
+        });
+      })();
+      return;
+    }
+    sendError(socket, "AUTH_FAILED", "\u672A\u77E5\u89D2\u8272");
+    socket.close();
+  });
+  const serveWebUi = async (requestPath, reply) => {
+    if (!existsSync(webDir)) {
+      return reply.code(503).type("text/plain; charset=utf-8").send("TermPilot Web UI \u5C1A\u672A\u6784\u5EFA\uFF0C\u8BF7\u5148\u8FD0\u884C `pnpm build` \u6216\u5B89\u88C5\u5DF2\u6253\u5305\u7248\u672C\u3002");
+    }
+    const filePath = createStaticPath(webDir, requestPath);
+    return reply.type(getMimeType(filePath)).send(createReadStream(filePath));
+  };
+  app.get("/", async (request, reply) => serveWebUi(request.url, reply));
+  app.get("/*", async (request, reply) => serveWebUi(request.url, reply));
+  for (const signal of ["SIGINT", "SIGTERM"]) {
+    process.on(signal, () => {
+      void app.close().finally(() => process.exit(0));
+    });
+  }
+  await app.listen({
+    host: config.host,
+    port: config.port
+  });
+  return app;
+}
+
+// src/cli.ts
+var AGENT_ENV_FLAGS = [
+  { flag: "--relay", envName: "TERMPILOT_RELAY_URL" },
+  { flag: "--device-id", envName: "TERMPILOT_DEVICE_ID" },
+  { flag: "--agent-token", envName: "TERMPILOT_AGENT_TOKEN" },
+  { flag: "--poll-interval", envName: "TERMPILOT_POLL_INTERVAL_MS" },
+  { flag: "--home", envName: "TERMPILOT_HOME" }
+];
+var RELAY_ENV_FLAGS = [
+  { flag: "--host", envName: "HOST" },
+  { flag: "--port", envName: "PORT" },
+  { flag: "--agent-token", envName: "TERMPILOT_AGENT_TOKEN" },
+  { flag: "--client-token", envName: "TERMPILOT_CLIENT_TOKEN" },
+  { flag: "--database-url", envName: "DATABASE_URL" },
+  { flag: "--pairing-ttl", envName: "TERMPILOT_PAIRING_TTL_MINUTES" }
+];
+function printHelp2() {
+  console.log(`TermPilot \u7528\u6CD5\uFF1A
+
+  termpilot relay [--host 0.0.0.0] [--port 8787]
+  termpilot agent [--relay ws://127.0.0.1:8787/ws] [--device-id pc-main]
+
+  termpilot pair [--device-id pc-main]
+  termpilot create --name claude-main [--cwd /path/to/project]
+  termpilot list
+  termpilot attach --sid <sid>
+  termpilot kill --sid <sid>
+  termpilot grants [--device-id pc-main]
+  termpilot audit [--device-id pc-main] [--limit 20]
+  termpilot revoke --token <accessToken> [--device-id pc-main]
+  termpilot doctor
+`);
+}
+function applyEnvFlags(argv, mappings) {
+  const rest = [];
+  for (let index = 0; index < argv.length; index += 1) {
+    const current = argv[index];
+    const mapping = mappings.find((item) => item.flag === current);
+    if (!mapping) {
+      rest.push(current);
+      continue;
+    }
+    const value = argv[index + 1];
+    if (!value || value.startsWith("--")) {
+      throw new Error(`${mapping.flag} \u9700\u8981\u4E00\u4E2A\u503C\u3002`);
+    }
+    process.env[mapping.envName] = value;
+    index += 1;
+  }
+  return rest;
+}
+function resolveBundledWebDir() {
+  return path3.resolve(path3.dirname(fileURLToPath2(import.meta.url)), "../app/dist");
+}
+async function main(argv = process.argv.slice(2)) {
+  const normalizedArgv = argv[0] === "--" ? argv.slice(1) : argv;
+  const [command, ...rest] = normalizedArgv;
+  if (!command || command === "help" || command === "--help") {
+    printHelp2();
+    return;
+  }
+  switch (command) {
+    case "relay": {
+      const relayArgs = applyEnvFlags(rest, RELAY_ENV_FLAGS);
+      if (relayArgs.includes("--help")) {
+        printHelp2();
+        return;
+      }
+      await startRelayServer({ webDir: resolveBundledWebDir() });
+      return;
+    }
+    case "agent": {
+      const agentArgs = applyEnvFlags(rest, AGENT_ENV_FLAGS);
+      await runAgentCli(agentArgs.length > 0 ? agentArgs : ["daemon"]);
+      return;
+    }
+    case "pair":
+    case "create":
+    case "list":
+    case "kill":
+    case "attach":
+    case "grants":
+    case "audit":
+    case "revoke":
+    case "doctor": {
+      const agentArgs = applyEnvFlags(rest, AGENT_ENV_FLAGS);
+      await runAgentCli([command, ...agentArgs]);
+      return;
+    }
+    default:
+      printHelp2();
+      process.exitCode = 1;
+  }
+}
+void main().catch((error) => {
+  console.error(error instanceof Error ? error.message : error);
+  process.exit(1);
+});