npm - @hellcoder/companion - Versions diffs - 0.96.0 - Mend

@hellcoder/companion 0.96.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (242) hide show

package/bin/cli.ts +168 -0
package/bin/ctl.ts +528 -0
package/bin/generate-token.ts +28 -0
package/dist/apple-touch-icon.png +0 -0
package/dist/assets/AgentsPage-DCFhrJ28.js +13 -0
package/dist/assets/CronManager-EGwLJONv.js +1 -0
package/dist/assets/IntegrationsPage-CTMRnbQS.js +1 -0
package/dist/assets/LinearOAuthSettingsPage-CgQFMIgr.js +1 -0
package/dist/assets/LinearSettingsPage-C9nok1qi.js +1 -0
package/dist/assets/Playground-BV3k0RbV.js +109 -0
package/dist/assets/PromptsPage-CFojqNKP.js +4 -0
package/dist/assets/RunsPage-DUJ1QUSa.js +1 -0
package/dist/assets/SandboxManager-CrVQ-VU_.js +8 -0
package/dist/assets/SettingsPage-D1fPCL19.js +1 -0
package/dist/assets/TailscalePage-D06cyvyC.js +1 -0
package/dist/assets/index-BhUa1e6X.css +1 -0
package/dist/assets/index-DkqeP-R9.js +134 -0
package/dist/assets/sw-register-BibwRdvC.js +1 -0
package/dist/assets/workbox-window.prod.es5-BIl4cyR9.js +2 -0
package/dist/favicon.svg +8 -0
package/dist/fonts/MesloLGSNerdFontMono-Bold.woff2 +0 -0
package/dist/fonts/MesloLGSNerdFontMono-Regular.woff2 +0 -0
package/dist/icon-192.png +0 -0
package/dist/icon-512.png +0 -0
package/dist/index.html +20 -0
package/dist/logo-codex.svg +14 -0
package/dist/logo-docker.svg +4 -0
package/dist/logo.svg +14 -0
package/dist/manifest.json +24 -0
package/dist/sw.js +2 -0
package/package.json +104 -0
package/server/agent-cron-migrator.test.ts +610 -0
package/server/agent-cron-migrator.ts +85 -0
package/server/agent-executor.test.ts +1108 -0
package/server/agent-executor.ts +346 -0
package/server/agent-store.test.ts +588 -0
package/server/agent-store.ts +185 -0
package/server/agent-types.ts +138 -0
package/server/ai-validation-settings.test.ts +128 -0
package/server/ai-validation-settings.ts +35 -0
package/server/ai-validator.test.ts +387 -0
package/server/ai-validator.ts +271 -0
package/server/auth-manager.test.ts +83 -0
package/server/auth-manager.ts +150 -0
package/server/auto-namer.test.ts +252 -0
package/server/auto-namer.ts +78 -0
package/server/backend-adapter.test.ts +38 -0
package/server/backend-adapter.ts +54 -0
package/server/cache-headers.test.ts +98 -0
package/server/cache-headers.ts +61 -0
package/server/claude-adapter.test.ts +1363 -0
package/server/claude-adapter.ts +889 -0
package/server/claude-container-auth.test.ts +44 -0
package/server/claude-container-auth.ts +30 -0
package/server/claude-protocol-contract.test.ts +71 -0
package/server/claude-protocol-drift.test.ts +78 -0
package/server/claude-session-discovery.test.ts +132 -0
package/server/claude-session-discovery.ts +157 -0
package/server/claude-session-history.test.ts +158 -0
package/server/claude-session-history.ts +410 -0
package/server/cli-launcher.test.ts +1343 -0
package/server/cli-launcher.ts +1298 -0
package/server/cli.test.ts +16 -0
package/server/codex-adapter.test.ts +5545 -0
package/server/codex-adapter.ts +3062 -0
package/server/codex-container-auth.test.ts +50 -0
package/server/codex-container-auth.ts +24 -0
package/server/codex-home.test.ts +61 -0
package/server/codex-home.ts +26 -0
package/server/codex-protocol-contract.test.ts +96 -0
package/server/codex-protocol-drift.test.ts +123 -0
package/server/codex-ws-proxy.cjs +226 -0
package/server/commands-discovery.test.ts +179 -0
package/server/commands-discovery.ts +81 -0
package/server/constants.ts +7 -0
package/server/container-manager.test.ts +1211 -0
package/server/container-manager.ts +1053 -0
package/server/cron-scheduler.test.ts +957 -0
package/server/cron-scheduler.ts +243 -0
package/server/cron-store.test.ts +422 -0
package/server/cron-store.ts +148 -0
package/server/cron-types.ts +63 -0
package/server/env-manager.test.ts +268 -0
package/server/env-manager.ts +161 -0
package/server/event-bus-types.ts +64 -0
package/server/event-bus.test.ts +244 -0
package/server/event-bus.ts +124 -0
package/server/execution-store.test.ts +307 -0
package/server/execution-store.ts +170 -0
package/server/fs-utils.ts +15 -0
package/server/git-utils.test.ts +938 -0
package/server/git-utils.ts +421 -0
package/server/github-pr.test.ts +498 -0
package/server/github-pr.ts +379 -0
package/server/image-pull-manager.test.ts +303 -0
package/server/image-pull-manager.ts +279 -0
package/server/index.ts +396 -0
package/server/linear-agent-bridge.test.ts +1157 -0
package/server/linear-agent-bridge.ts +629 -0
package/server/linear-agent.test.ts +473 -0
package/server/linear-agent.ts +479 -0
package/server/linear-cache.test.ts +136 -0
package/server/linear-cache.ts +113 -0
package/server/linear-connections.test.ts +350 -0
package/server/linear-connections.ts +231 -0
package/server/linear-credential-migration.test.ts +337 -0
package/server/linear-credential-migration.ts +63 -0
package/server/linear-oauth-connections-migration.test.ts +268 -0
package/server/linear-oauth-connections.test.ts +365 -0
package/server/linear-oauth-connections.ts +294 -0
package/server/linear-project-manager.test.ts +162 -0
package/server/linear-project-manager.ts +111 -0
package/server/linear-prompt-builder.test.ts +74 -0
package/server/linear-prompt-builder.ts +61 -0
package/server/linear-staging.test.ts +276 -0
package/server/linear-staging.ts +142 -0
package/server/logger.test.ts +393 -0
package/server/logger.ts +259 -0
package/server/metrics-collector.test.ts +413 -0
package/server/metrics-collector.ts +350 -0
package/server/metrics-types.ts +108 -0
package/server/middleware/managed-auth.test.ts +264 -0
package/server/middleware/managed-auth.ts +195 -0
package/server/novnc-proxy.test.ts +333 -0
package/server/novnc-proxy.ts +99 -0
package/server/path-resolver.test.ts +552 -0
package/server/path-resolver.ts +186 -0
package/server/paths.test.ts +31 -0
package/server/paths.ts +11 -0
package/server/pr-poller.test.ts +191 -0
package/server/pr-poller.ts +162 -0
package/server/prompt-manager.test.ts +211 -0
package/server/prompt-manager.ts +211 -0
package/server/protocol/claude-upstream/README.md +19 -0
package/server/protocol/claude-upstream/sdk.d.ts.txt +1943 -0
package/server/protocol/codex-upstream/ClientNotification.ts.txt +5 -0
package/server/protocol/codex-upstream/ClientRequest.ts.txt +60 -0
package/server/protocol/codex-upstream/README.md +18 -0
package/server/protocol/codex-upstream/ServerNotification.ts.txt +41 -0
package/server/protocol/codex-upstream/ServerRequest.ts.txt +16 -0
package/server/protocol/codex-upstream/v2/DynamicToolCallParams.ts.txt +6 -0
package/server/protocol/codex-upstream/v2/DynamicToolCallResponse.ts.txt +6 -0
package/server/protocol-monitor.ts +50 -0
package/server/recorder.test.ts +454 -0
package/server/recorder.ts +374 -0
package/server/recording-hub/compat-validator.test.ts +150 -0
package/server/recording-hub/compat-validator.ts +284 -0
package/server/recording-hub/diagnostics.test.ts +140 -0
package/server/recording-hub/diagnostics.ts +299 -0
package/server/recording-hub/hub-config.test.ts +44 -0
package/server/recording-hub/hub-config.ts +19 -0
package/server/recording-hub/hub-routes.test.ts +417 -0
package/server/recording-hub/hub-routes.ts +236 -0
package/server/recording-hub/hub-store.test.ts +262 -0
package/server/recording-hub/hub-store.ts +265 -0
package/server/recording-hub/replay-adapter.test.ts +294 -0
package/server/recording-hub/replay-adapter.ts +207 -0
package/server/relay-client.test.ts +337 -0
package/server/relay-client.ts +320 -0
package/server/replay.test.ts +200 -0
package/server/replay.ts +78 -0
package/server/routes/agent-routes.test.ts +1400 -0
package/server/routes/agent-routes.ts +409 -0
package/server/routes/cron-routes.test.ts +881 -0
package/server/routes/cron-routes.ts +103 -0
package/server/routes/env-routes.test.ts +383 -0
package/server/routes/env-routes.ts +95 -0
package/server/routes/fs-routes.test.ts +1198 -0
package/server/routes/fs-routes.ts +605 -0
package/server/routes/git-routes.test.ts +813 -0
package/server/routes/git-routes.ts +97 -0
package/server/routes/linear-agent-routes.test.ts +721 -0
package/server/routes/linear-agent-routes.ts +304 -0
package/server/routes/linear-connection-routes.test.ts +927 -0
package/server/routes/linear-connection-routes.ts +244 -0
package/server/routes/linear-oauth-connection-routes.test.ts +406 -0
package/server/routes/linear-oauth-connection-routes.ts +129 -0
package/server/routes/linear-routes.test.ts +1510 -0
package/server/routes/linear-routes.ts +953 -0
package/server/routes/metrics-routes.test.ts +103 -0
package/server/routes/metrics-routes.ts +13 -0
package/server/routes/prompt-routes.ts +67 -0
package/server/routes/sandbox-routes.test.ts +513 -0
package/server/routes/sandbox-routes.ts +127 -0
package/server/routes/settings-routes.ts +270 -0
package/server/routes/skills-routes.test.ts +690 -0
package/server/routes/skills-routes.ts +100 -0
package/server/routes/system-routes.test.ts +637 -0
package/server/routes/system-routes.ts +228 -0
package/server/routes/tailscale-routes.test.ts +176 -0
package/server/routes/tailscale-routes.ts +22 -0
package/server/routes.test.ts +4655 -0
package/server/routes.ts +1277 -0
package/server/sandbox-manager.test.ts +378 -0
package/server/sandbox-manager.ts +168 -0
package/server/service.test.ts +1419 -0
package/server/service.ts +718 -0
package/server/session-creation-service.test.ts +661 -0
package/server/session-creation-service.ts +473 -0
package/server/session-git-info.ts +104 -0
package/server/session-linear-issues.test.ts +118 -0
package/server/session-linear-issues.ts +88 -0
package/server/session-names.test.ts +94 -0
package/server/session-names.ts +67 -0
package/server/session-orchestrator.test.ts +1784 -0
package/server/session-orchestrator.ts +973 -0
package/server/session-state-machine.test.ts +606 -0
package/server/session-state-machine.ts +207 -0
package/server/session-store.test.ts +290 -0
package/server/session-store.ts +146 -0
package/server/session-types.ts +509 -0
package/server/settings-manager.test.ts +275 -0
package/server/settings-manager.ts +173 -0
package/server/tailscale-manager.test.ts +553 -0
package/server/tailscale-manager.ts +451 -0
package/server/terminal-manager.ts +240 -0
package/server/update-checker.test.ts +306 -0
package/server/update-checker.ts +197 -0
package/server/usage-limits.test.ts +536 -0
package/server/usage-limits.ts +225 -0
package/server/worktree-tracker.test.ts +243 -0
package/server/worktree-tracker.ts +84 -0
package/server/ws-auth.test.ts +59 -0
package/server/ws-auth.ts +41 -0
package/server/ws-bridge-browser-ingest.test.ts +272 -0
package/server/ws-bridge-browser-ingest.ts +72 -0
package/server/ws-bridge-browser.ts +112 -0
package/server/ws-bridge-cli-ingest.test.ts +302 -0
package/server/ws-bridge-cli-ingest.ts +81 -0
package/server/ws-bridge-codex.test.ts +1837 -0
package/server/ws-bridge-codex.ts +266 -0
package/server/ws-bridge-controls.test.ts +124 -0
package/server/ws-bridge-controls.ts +20 -0
package/server/ws-bridge-persist.test.ts +296 -0
package/server/ws-bridge-persist.ts +66 -0
package/server/ws-bridge-publish.test.ts +234 -0
package/server/ws-bridge-publish.ts +79 -0
package/server/ws-bridge-replay.test.ts +44 -0
package/server/ws-bridge-replay.ts +61 -0
package/server/ws-bridge-types.ts +106 -0
package/server/ws-bridge.test.ts +4777 -0
package/server/ws-bridge.ts +1279 -0

package/server/middleware/managed-auth.test.ts ADDED Viewed

@@ -0,0 +1,264 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { Hono } from "hono";
+import { createToken, verifyToken, managedAuth } from "./managed-auth.js";
+const TEST_SECRET = "test-secret-key-for-hmac-256-signing";
+describe("managed-auth token utilities", () => {
+  describe("createToken + verifyToken", () => {
+    it("creates a valid token that can be verified", async () => {
+      const token = await createToken(TEST_SECRET, 60);
+      expect(typeof token).toBe("string");
+      expect(token.split(".")).toHaveLength(2);
+      const valid = await verifyToken(token, TEST_SECRET);
+      expect(valid).toBe(true);
+    });
+    it("rejects tokens signed with a different secret", async () => {
+      const token = await createToken(TEST_SECRET, 60);
+      const valid = await verifyToken(token, "wrong-secret");
+      expect(valid).toBe(false);
+    });
+    it("rejects expired tokens", async () => {
+      // Create a token that expires in -1 seconds (already expired)
+      const token = await createToken(TEST_SECRET, -1);
+      const valid = await verifyToken(token, TEST_SECRET);
+      expect(valid).toBe(false);
+    });
+    it("rejects malformed tokens", async () => {
+      expect(await verifyToken("not-a-token", TEST_SECRET)).toBe(false);
+      expect(await verifyToken("a.b.c", TEST_SECRET)).toBe(false);
+      expect(await verifyToken("", TEST_SECRET)).toBe(false);
+    });
+    it("rejects tokens with tampered payload", async () => {
+      const token = await createToken(TEST_SECRET, 60);
+      const [, sig] = token.split(".");
+      // Replace payload with different data — signature won't match
+      const tamperedPayload = btoa(JSON.stringify({ exp: 9999999999 }))
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+      const valid = await verifyToken(`${tamperedPayload}.${sig}`, TEST_SECRET);
+      expect(valid).toBe(false);
+    });
+    it("uses custom TTL for token expiration", async () => {
+      // Create a token with a very long TTL
+      const token = await createToken(TEST_SECRET, 3600);
+      const valid = await verifyToken(token, TEST_SECRET);
+      expect(valid).toBe(true);
+    });
+  });
+});
+describe("managed-auth middleware", () => {
+  const savedEnv: Record<string, string | undefined> = {};
+  beforeEach(() => {
+    savedEnv.COMPANION_AUTH_ENABLED = process.env.COMPANION_AUTH_ENABLED;
+    savedEnv.COMPANION_AUTH_SECRET = process.env.COMPANION_AUTH_SECRET;
+    savedEnv.COMPANION_LOGIN_URL = process.env.COMPANION_LOGIN_URL;
+  });
+  afterEach(() => {
+    for (const [key, val] of Object.entries(savedEnv)) {
+      if (val === undefined) delete process.env[key];
+      else process.env[key] = val;
+    }
+  });
+  /**
+   * Helper: creates a test Hono app with managedAuth middleware
+   * and a catch-all route that returns 200 if reached.
+   */
+  function createTestApp() {
+    const app = new Hono();
+    app.use("/*", managedAuth);
+    app.all("/*", (c) => c.json({ ok: true }));
+    return app;
+  }
+  it("enforces auth even without COMPANION_AUTH_ENABLED (enable decision is in index.ts)", async () => {
+    // The middleware is always active when registered — the enable/disable
+    // decision moved to index.ts which only registers it when appropriate.
+    delete process.env.COMPANION_AUTH_ENABLED;
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    const app = createTestApp();
+    const res = await app.request("/api/sessions");
+    expect(res.status).toBe(401);
+  });
+  it("bypasses auth for /health endpoint", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    const app = createTestApp();
+    const res = await app.request("/health");
+    expect(res.status).toBe(200);
+  });
+  it("bypasses auth for /ws/cli/ paths", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    const app = createTestApp();
+    const res = await app.request("/ws/cli/abc-123");
+    expect(res.status).toBe(200);
+  });
+  it("returns 401 when no token is provided and no login URL is set", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    delete process.env.COMPANION_LOGIN_URL;
+    const app = createTestApp();
+    const res = await app.request("/api/sessions");
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error).toBe("Unauthorized");
+  });
+  it("redirects when no token is provided and login URL is set", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    process.env.COMPANION_LOGIN_URL = "https://login.example.com";
+    const app = createTestApp();
+    const res = await app.request("/api/sessions", { redirect: "manual" });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("https://login.example.com");
+  });
+  it("returns 500 when COMPANION_AUTH_SECRET is missing", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    delete process.env.COMPANION_AUTH_SECRET;
+    const app = createTestApp();
+    // Provide a token so it gets past the "no token" check
+    const res = await app.request("/api/sessions?token=fake.token");
+    expect(res.status).toBe(500);
+    const body = await res.json();
+    expect(body.error).toBe("Server misconfigured");
+  });
+  it("allows access with a valid token in query param", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    const app = createTestApp();
+    const token = await createToken(TEST_SECRET, 60);
+    const res = await app.request(`/api/sessions?token=${token}`);
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ ok: true });
+    expect(res.headers.get("set-cookie")).toContain("companion_token=");
+  });
+  it("sets a Secure auth cookie for HTTPS requests", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    const app = createTestApp();
+    const token = await createToken(TEST_SECRET, 60);
+    const res = await app.request(`https://instance.example.com/api/sessions?token=${token}`);
+    expect(res.status).toBe(200);
+    expect(res.headers.get("set-cookie")).toContain("Secure");
+  });
+  it("omits Secure on auth cookie for direct HTTP instance URLs", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    const app = createTestApp();
+    const token = await createToken(TEST_SECRET, 60);
+    const res = await app.request(`http://5.161.114.105/?token=${token}`);
+    expect(res.status).toBe(200);
+    expect(res.headers.get("set-cookie")).not.toContain("Secure");
+  });
+  it("persists query-token auth as cookie for follow-up requests", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    const app = createTestApp();
+    const token = await createToken(TEST_SECRET, 60);
+    const first = await app.request(`/api/sessions?token=${token}`);
+    expect(first.status).toBe(200);
+    const setCookie = first.headers.get("set-cookie");
+    expect(setCookie).toBeTruthy();
+    const cookiePair = setCookie!.split(";")[0];
+    const second = await app.request("/api/sessions", {
+      headers: { cookie: cookiePair },
+    });
+    expect(second.status).toBe(200);
+    expect(await second.json()).toEqual({ ok: true });
+  });
+  it("allows access with a valid token in cookie", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    const app = createTestApp();
+    const token = await createToken(TEST_SECRET, 60);
+    const res = await app.request("/api/sessions", {
+      headers: { cookie: `companion_token=${token}` },
+    });
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ ok: true });
+  });
+  it("rejects an invalid token", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    delete process.env.COMPANION_LOGIN_URL;
+    const app = createTestApp();
+    const res = await app.request("/api/sessions?token=bad.token");
+    expect(res.status).toBe(401);
+  });
+  it("rejects an expired token", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    delete process.env.COMPANION_LOGIN_URL;
+    const app = createTestApp();
+    const token = await createToken(TEST_SECRET, -1);
+    const res = await app.request(`/api/sessions?token=${token}`);
+    expect(res.status).toBe(401);
+  });
+  it("redirects with invalid token when login URL is set", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    process.env.COMPANION_LOGIN_URL = "https://login.example.com";
+    const app = createTestApp();
+    const res = await app.request("/api/sessions?token=bad.token", {
+      redirect: "manual",
+    });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("https://login.example.com");
+  });
+  it("prefers query param over cookie when both are present", async () => {
+    process.env.COMPANION_AUTH_ENABLED = "1";
+    process.env.COMPANION_AUTH_SECRET = TEST_SECRET;
+    const app = createTestApp();
+    const validToken = await createToken(TEST_SECRET, 60);
+    // Query has valid token, cookie has bad token — query wins.
+    const res = await app.request(`/api/sessions?token=${validToken}`, {
+      headers: { cookie: "companion_token=bad.token" },
+    });
+    expect(res.status).toBe(200);
+  });
+});

package/server/middleware/managed-auth.ts ADDED Viewed

@@ -0,0 +1,195 @@
+import { createMiddleware } from "hono/factory";
+import type { Context } from "hono";
+/**
+ * Auth middleware for managed Companion Cloud instances.
+ *
+ * Only active when COMPANION_AUTH_ENABLED=1. Validates a JWT from a cookie
+ * or query parameter, signed by the control plane using COMPANION_AUTH_SECRET.
+ *
+ * Skipped paths:
+ *  - /ws/cli/*  — internal CLI WebSocket (Claude Code connects from within the machine)
+ *  - /health    — monitoring endpoint used by control plane health checks
+ */
+export const managedAuth = createMiddleware(async (c: Context, next) => {
+  // This middleware is only registered by index.ts when managed auth is
+  // enabled (COMPANION_AUTH_ENABLED=1 or COMPANION_AUTH_SECRET is set).
+  // No redundant env check needed here.
+  const path = c.req.path;
+  // Internal paths that bypass auth
+  if (path.startsWith("/ws/cli/") || path === "/health") return next();
+  const cookieToken = getCookie(c, "companion_token");
+  const queryToken = c.req.query("token");
+  // Give explicit URL token precedence so reconnect links can always override
+  // stale/expired cookies in the browser.
+  const token = queryToken || cookieToken;
+  if (!token) {
+    return redirectOrUnauthorized(c);
+  }
+  const secret = process.env.COMPANION_AUTH_SECRET;
+  if (!secret) {
+    console.error("[managed-auth] COMPANION_AUTH_SECRET is not set");
+    return c.json({ error: "Server misconfigured" }, 500);
+  }
+  const valid = await verifyToken(token, secret);
+  if (!valid) {
+    return redirectOrUnauthorized(c);
+  }
+  // When auth arrives via URL query once, persist it to a cookie so static
+  // assets and subsequent API calls are authenticated without ?token=...
+  if (queryToken && queryToken !== cookieToken) {
+    setAuthCookie(c, queryToken);
+  }
+  return next();
+});
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+function getCookie(c: Context, name: string): string | undefined {
+  const header = c.req.header("cookie");
+  if (!header) return undefined;
+  const match = header.match(new RegExp(`(?:^|;\\s*)${name}=([^;]*)`));
+  return match?.[1];
+}
+function setAuthCookie(c: Context, token: string): void {
+  const encoded = encodeURIComponent(token);
+  const secure = shouldUseSecureCookie(c) ? "; Secure" : "";
+  c.header(
+    "Set-Cookie",
+    `companion_token=${encoded}; Path=/; HttpOnly${secure}; SameSite=Lax; Max-Age=900`,
+  );
+}
+function shouldUseSecureCookie(c: Context): boolean {
+  const forwardedProto = c.req.header("x-forwarded-proto")?.split(",")[0]?.trim().toLowerCase();
+  if (forwardedProto) return forwardedProto === "https";
+  try {
+    return new URL(c.req.url).protocol === "https:";
+  } catch {
+    return true;
+  }
+}
+function redirectOrUnauthorized(c: Context): Response {
+  const loginUrl = process.env.COMPANION_LOGIN_URL;
+  if (loginUrl) {
+    return c.redirect(loginUrl);
+  }
+  return c.json({ error: "Unauthorized" }, 401);
+}
+/**
+ * Verify a JWT-like HMAC-SHA256 token.
+ * Token format: base64url(payload).base64url(signature)
+ * Payload: { exp: number } (Unix seconds)
+ */
+export async function verifyToken(
+  token: string,
+  secret: string,
+): Promise<boolean> {
+  const parts = token.split(".");
+  if (parts.length !== 2) return false;
+  const [payloadB64, signatureB64] = parts;
+  // Verify signature using HMAC-SHA256
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"],
+  );
+  const expectedSig = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    encoder.encode(payloadB64),
+  );
+  const expectedB64 = base64UrlEncode(new Uint8Array(expectedSig));
+  if (!timingSafeEqual(expectedB64, signatureB64)) return false;
+  // Check expiration
+  try {
+    const payload = JSON.parse(
+      new TextDecoder().decode(base64UrlDecode(payloadB64)),
+    );
+    if (typeof payload.exp === "number" && payload.exp < Date.now() / 1000) {
+      return false;
+    }
+  } catch {
+    return false;
+  }
+  return true;
+}
+/**
+ * Create a signed token for the control plane to issue.
+ * Exported for use by the control plane's token endpoint.
+ */
+export async function createToken(
+  secret: string,
+  ttlSeconds = 900, // 15 minutes
+): Promise<string> {
+  const payload = { exp: Math.floor(Date.now() / 1000) + ttlSeconds };
+  const payloadB64 = base64UrlEncode(
+    new TextEncoder().encode(JSON.stringify(payload)),
+  );
+  const key = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"],
+  );
+  const sig = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    new TextEncoder().encode(payloadB64),
+  );
+  return `${payloadB64}.${base64UrlEncode(new Uint8Array(sig))}`;
+}
+// ─── Base64url ───────────────────────────────────────────────────────────────
+function base64UrlEncode(data: Uint8Array): string {
+  let binary = "";
+  for (const byte of data) binary += String.fromCharCode(byte);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(str: string): Uint8Array {
+  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+/**
+ * Constant-time string comparison to prevent timing attacks.
+ */
+function timingSafeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}