@hermespilot/link 0.1.5 → 0.1.7

package/dist/chunk-SCIAZZ4C.js

@@ -0,0 +1,2992 @@
+// src/http/app.ts
+import Koa from "koa";
+import Router from "@koa/router";
+import { Readable } from "stream";
+
+// src/constants.ts
+var LINK_VERSION = "0.1.7";
+var LINK_COMMAND = "hermeslink";
+var LINK_DEFAULT_PORT = 52379;
+var LINK_RUNTIME_DIR_NAME = ".hermeslink";
+
+// src/runtime/paths.ts
+import os from "os";
+import path from "path";
+function resolveRuntimeHome() {
+  return process.env.HERMESLINK_HOME?.trim() ? path.resolve(process.env.HERMESLINK_HOME) : path.join(os.homedir(), LINK_RUNTIME_DIR_NAME);
+}
+function resolveRuntimePaths(homeDir = resolveRuntimeHome()) {
+  return {
+    homeDir,
+    identityFile: path.join(homeDir, "identity.json"),
+    configFile: path.join(homeDir, "config.json"),
+    stateFile: path.join(homeDir, "state.json"),
+    credentialsFile: path.join(homeDir, "credentials.json"),
+    databaseFile: path.join(homeDir, "link.db"),
+    conversationsDir: path.join(homeDir, "conversations"),
+    blobsDir: path.join(homeDir, "blobs"),
+    indexesDir: path.join(homeDir, "indexes"),
+    logsDir: path.join(homeDir, "logs"),
+    runDir: path.join(homeDir, "run"),
+    pairingDir: path.join(homeDir, "pairing")
+  };
+}
+
+// src/storage/atomic-json.ts
+import { mkdir, open, readFile, rename, rm } from "fs/promises";
+import path2 from "path";
+async function readJsonFile(filePath) {
+  try {
+    const raw = await readFile(filePath, "utf8");
+    return JSON.parse(raw);
+  } catch (error) {
+    if (isNodeError(error, "ENOENT")) {
+      return null;
+    }
+    throw error;
+  }
+}
+async function writeJsonFile(filePath, value, mode = 384) {
+  await mkdir(path2.dirname(filePath), { recursive: true, mode: 448 });
+  const tmpPath = `${filePath}.${process.pid}.${Date.now()}.tmp`;
+  const payload = `${JSON.stringify(value, null, 2)}
+`;
+  const handle = await open(tmpPath, "w", mode);
+  try {
+    await handle.writeFile(payload, "utf8");
+    await handle.sync();
+  } finally {
+    await handle.close();
+  }
+  try {
+    await rename(tmpPath, filePath);
+  } catch (error) {
+    await rm(tmpPath, { force: true });
+    throw error;
+  }
+}
+function isNodeError(error, code) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === code;
+}
+
+// src/config/config.ts
+var defaultLinkConfig = {
+  port: LINK_DEFAULT_PORT,
+  serverBaseUrl: "https://hermes-server.clawpilot.me",
+  relayBaseUrl: "https://hermes-relay.clawpilot.me",
+  appConnectTokenIssuer: "https://hermes-server.clawpilot.me",
+  appConnectTokenAudience: "hermes-link",
+  language: "auto"
+};
+async function loadConfig(paths = resolveRuntimePaths()) {
+  const existing = await readJsonFile(paths.configFile);
+  const language = normalizeConfiguredLanguage(existing?.language);
+  return {
+    ...defaultLinkConfig,
+    ...existing ?? {},
+    language
+  };
+}
+function normalizeConfiguredLanguage(language) {
+  if (language === "zh-CN" || language === "en" || language === "auto") {
+    return language;
+  }
+  return defaultLinkConfig.language;
+}
+
+// src/conversations/conversation-service.ts
+import { EventEmitter } from "events";
+import { appendFile, mkdir as mkdir4, readdir, readFile as readFile3, rm as rm2, stat, writeFile as writeFile2 } from "fs/promises";
+import path5 from "path";
+import { createHash, randomUUID } from "crypto";
+
+// src/http/errors.ts
+var LinkHttpError = class extends Error {
+  constructor(status, code, message) {
+    super(message);
+    this.status = status;
+    this.code = code;
+  }
+  status;
+  code;
+};
+function isLinkHttpError(error) {
+  return error instanceof LinkHttpError;
+}
+
+// src/hermes/gateway.ts
+import { execFile as execFile2, spawn } from "child_process";
+import { mkdir as mkdir3, open as open2 } from "fs/promises";
+import path4 from "path";
+import { setTimeout as delay } from "timers/promises";
+import { promisify as promisify2 } from "util";
+
+// src/hermes/config.ts
+import { randomBytes } from "crypto";
+import { copyFile, mkdir as mkdir2, readFile as readFile2, writeFile } from "fs/promises";
+import os2 from "os";
+import path3 from "path";
+import YAML from "yaml";
+var DEFAULT_HERMES_API_SERVER_HOST = "127.0.0.1";
+var DEFAULT_HERMES_API_SERVER_PORT = 8642;
+function resolveHermesProfileDir(profileName = "default") {
+  if (profileName === "default") {
+    return path3.join(os2.homedir(), ".hermes");
+  }
+  return path3.join(os2.homedir(), ".hermes", "profiles", profileName);
+}
+function resolveHermesConfigPath(profileName = "default") {
+  return path3.join(resolveHermesProfileDir(profileName), "config.yaml");
+}
+async function readHermesApiServerConfig(profileName = "default", configPath = resolveHermesConfigPath(profileName)) {
+  const existingRaw = await readFile2(configPath, "utf8").catch((error) => {
+    if (isNodeError2(error, "ENOENT")) {
+      return null;
+    }
+    throw error;
+  });
+  if (!existingRaw) {
+    return {};
+  }
+  const config = toRecord(YAML.parse(existingRaw));
+  const platforms = toRecord(config.platforms);
+  const apiServer = toRecord(platforms.api_server);
+  return readApiServerConfig(apiServer, true);
+}
+async function ensureHermesApiServerKey(profileName = "default", configPath = resolveHermesConfigPath(profileName)) {
+  return ensureHermesApiServerConfig(profileName, configPath);
+}
+async function ensureHermesApiServerConfig(profileName = "default", configPath = resolveHermesConfigPath(profileName)) {
+  const existingRaw = await readFile2(configPath, "utf8").catch((error) => {
+    if (isNodeError2(error, "ENOENT")) {
+      return null;
+    }
+    throw error;
+  });
+  const document = existingRaw ? YAML.parseDocument(existingRaw) : new YAML.Document({});
+  const config = toRecord(document.toJSON());
+  const platforms = ensureRecord(config, "platforms");
+  const apiServer = ensureRecord(platforms, "api_server");
+  const extra = ensureRecord(apiServer, "extra");
+  const beforeKey = typeof extra.key === "string" && extra.key.length > 0 ? extra.key : null;
+  const beforeEnabled = apiServer.enabled === true;
+  const beforeHost = typeof extra.host === "string" && extra.host.trim() ? extra.host : null;
+  const beforePort = typeof extra.port === "number" && Number.isFinite(extra.port) ? extra.port : null;
+  let changed = false;
+  let enabledAdded = false;
+  let hostAdded = false;
+  let portAdded = false;
+  if (!beforeEnabled) {
+    apiServer.enabled = true;
+    enabledAdded = true;
+    changed = true;
+  }
+  if (!beforeHost) {
+    extra.host = DEFAULT_HERMES_API_SERVER_HOST;
+    hostAdded = true;
+    changed = true;
+  }
+  if (!beforePort) {
+    extra.port = DEFAULT_HERMES_API_SERVER_PORT;
+    portAdded = true;
+    changed = true;
+  }
+  if (!beforeKey) {
+    extra.key = randomBytes(32).toString("base64url");
+    changed = true;
+  }
+  if (!changed) {
+    return {
+      configPath,
+      apiServer: readApiServerConfig(apiServer, true),
+      changed: false,
+      keyAdded: false,
+      enabledAdded: false,
+      hostAdded: false,
+      portAdded: false,
+      backupPath: null,
+      notice: null
+    };
+  }
+  const backupPath = existingRaw ? `${configPath}.bak.${Date.now()}` : null;
+  await mkdir2(path3.dirname(configPath), { recursive: true, mode: 448 });
+  if (backupPath) {
+    await copyFile(configPath, backupPath);
+  }
+  document.contents = document.createNode(config);
+  await writeFile(configPath, document.toString(), { mode: 384 });
+  return {
+    configPath,
+    apiServer: readApiServerConfig(apiServer, true),
+    changed: true,
+    keyAdded: !beforeKey,
+    enabledAdded,
+    hostAdded,
+    portAdded,
+    backupPath,
+    notice: buildNotice({ keyAdded: !beforeKey, enabledAdded, hostAdded, portAdded })
+  };
+}
+function readApiServerConfig(apiServerOrExtra, withDefaults = false) {
+  const apiServer = "extra" in apiServerOrExtra ? apiServerOrExtra : {};
+  const extra = toRecord("extra" in apiServerOrExtra ? apiServerOrExtra.extra : apiServerOrExtra);
+  const port = typeof extra.port === "number" ? extra.port : void 0;
+  const host = typeof extra.host === "string" ? extra.host : void 0;
+  return {
+    enabled: apiServer.enabled === true,
+    host: withDefaults ? host ?? DEFAULT_HERMES_API_SERVER_HOST : host,
+    port: withDefaults ? port ?? DEFAULT_HERMES_API_SERVER_PORT : port,
+    key: typeof extra.key === "string" ? extra.key : void 0
+  };
+}
+function buildNotice(flags) {
+  const fields = [];
+  if (flags.enabledAdded) {
+    fields.push("enabled");
+  }
+  if (flags.hostAdded) {
+    fields.push("host=127.0.0.1");
+  }
+  if (flags.portAdded) {
+    fields.push("port=8642");
+  }
+  if (flags.keyAdded) {
+    fields.push("key");
+  }
+  return `\u5DF2\u4E3A Hermes API Server \u81EA\u52A8\u8865\u5145 ${fields.join("\u3001")}\uFF1B\u672A\u8986\u76D6\u5DF2\u6709 port/host/key\u3002`;
+}
+function toRecord(value) {
+  return typeof value === "object" && value !== null ? value : {};
+}
+function ensureRecord(parent, key) {
+  const value = parent[key];
+  if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+    return value;
+  }
+  const next = {};
+  parent[key] = next;
+  return next;
+}
+function isNodeError2(error, code) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === code;
+}
+
+// src/hermes/cli.ts
+import { execFile } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+async function deleteHermesSession(sessionId) {
+  if (!sessionId.trim()) {
+    throw new LinkHttpError(400, "hermes_session_id_required", "Hermes session id is required");
+  }
+  try {
+    await execFileAsync(resolveHermesBin(), ["sessions", "delete", sessionId, "--yes"], {
+      timeout: 1e4,
+      windowsHide: true
+    });
+  } catch (error) {
+    throw new LinkHttpError(
+      502,
+      "hermes_session_delete_failed",
+      error instanceof Error ? error.message : "Hermes session delete failed"
+    );
+  }
+}
+function resolveHermesBin() {
+  return process.env.HERMES_BIN?.trim() || "hermes";
+}
+
+// src/hermes/gateway.ts
+var execFileAsync2 = promisify2(execFile2);
+var DEFAULT_START_TIMEOUT_MS = 12e3;
+var HEALTH_TIMEOUT_MS = 1500;
+var MIN_API_SERVER_VERSION = "0.4.0";
+var gatewayStartInFlight = null;
+async function ensureHermesApiServerAvailable(options = {}) {
+  const configResult = await ensureHermesApiServerConfig();
+  const fetcher = options.fetchImpl ?? fetch;
+  if (await isHermesApiHealthy(configResult.apiServer, fetcher)) {
+    return { available: true, configResult, started: false };
+  }
+  if (!shouldAutoStart(options.autoStart)) {
+    throw new LinkHttpError(503, "hermes_api_server_unavailable", unavailableMessage());
+  }
+  const start = await startHermesGatewayOnce(options.paths ?? resolveRuntimePaths());
+  const deadline = Date.now() + (options.timeoutMs ?? DEFAULT_START_TIMEOUT_MS);
+  while (Date.now() < deadline) {
+    if (await isHermesApiHealthy(configResult.apiServer, fetcher)) {
+      return { available: true, configResult, started: true, start };
+    }
+    await delay(400);
+  }
+  throw new LinkHttpError(
+    503,
+    "hermes_api_server_unavailable",
+    `${unavailableMessage()} Link tried to start it with \`${resolveHermesBin()} gateway run --replace\`, but it did not become ready. Gateway log: ${start.logPath}`
+  );
+}
+async function readHermesVersion() {
+  const { stdout } = await execHermesVersion();
+  const raw = stdout.trim();
+  const version = parseHermesVersion(raw);
+  return {
+    raw,
+    version,
+    supportsApiServer: version ? compareSemver(version, MIN_API_SERVER_VERSION) >= 0 : null
+  };
+}
+async function execHermesVersion() {
+  try {
+    return await execFileAsync2(resolveHermesBin(), ["version"], {
+      timeout: 5e3,
+      windowsHide: true
+    });
+  } catch {
+    return await execFileAsync2(resolveHermesBin(), ["--version"], {
+      timeout: 5e3,
+      windowsHide: true
+    });
+  }
+}
+function assertHermesRunsApiSupported(version, status) {
+  if (status !== 404) {
+    return;
+  }
+  const versionText = version?.version ? `\u5F53\u524D\u68C0\u6D4B\u5230 Hermes Agent ${version.version}\u3002` : "";
+  throw new LinkHttpError(
+    502,
+    "hermes_runs_api_unsupported",
+    `${versionText}\u5F53\u524D Hermes Agent API Server \u4E0D\u652F\u6301 HermesPilot \u9700\u8981\u7684 /v1/runs \u63A5\u53E3\uFF0C\u8BF7\u5148\u8FD0\u884C \`hermes update\` \u5347\u7EA7 Hermes Agent\u3002`
+  );
+}
+async function startHermesGatewayOnce(paths) {
+  if (!gatewayStartInFlight) {
+    gatewayStartInFlight = startHermesGateway(paths).finally(() => {
+      gatewayStartInFlight = null;
+    });
+  }
+  return await gatewayStartInFlight;
+}
+async function startHermesGateway(paths) {
+  const version = await readHermesVersion().catch((error) => {
+    throw new LinkHttpError(
+      503,
+      "hermes_agent_not_available",
+      `\u6CA1\u6709\u627E\u5230\u53EF\u7528\u7684 Hermes Agent CLI\u3002\u8BF7\u5148\u5B89\u88C5 Hermes Agent\uFF0C\u6216\u8BBE\u7F6E HERMES_BIN\u3002${formatErrorSuffix(error)}`
+    );
+  });
+  if (version.supportsApiServer === false) {
+    throw new LinkHttpError(
+      503,
+      "hermes_agent_too_old",
+      `\u5F53\u524D Hermes Agent ${version.version} \u592A\u65E7\uFF0C\u53EF\u80FD\u4E0D\u652F\u6301 Hermes API Server\u3002\u8BF7\u5148\u8FD0\u884C \`hermes update\` \u5347\u7EA7\u3002`
+    );
+  }
+  await mkdir3(paths.logsDir, { recursive: true, mode: 448 });
+  const logPath = path4.join(paths.logsDir, "hermes-gateway.log");
+  const logFile = await open2(logPath, "a", 384);
+  try {
+    const child = spawn(resolveHermesBin(), ["gateway", "run", "--replace"], {
+      detached: true,
+      env: process.env,
+      stdio: ["ignore", logFile.fd, logFile.fd],
+      windowsHide: true
+    });
+    await new Promise((resolve, reject) => {
+      let settled = false;
+      const finish = (callback) => {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        callback();
+      };
+      child.once("spawn", () => finish(resolve));
+      child.once("error", (error) => finish(() => reject(error)));
+    });
+    child.unref();
+    return { pid: child.pid ?? null, logPath, version };
+  } finally {
+    await logFile.close().catch(() => void 0);
+  }
+}
+async function isHermesApiHealthy(config, fetcher) {
+  const response = await fetchWithTimeout(`http://127.0.0.1:${config.port}/health`, {
+    method: "GET",
+    headers: authHeaders(config)
+  }, fetcher);
+  return Boolean(response?.ok);
+}
+function fetchWithTimeout(input, init, fetcher) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), HEALTH_TIMEOUT_MS);
+  return fetcher(input, { ...init, signal: controller.signal }).catch(() => null).finally(() => clearTimeout(timer));
+}
+function authHeaders(config) {
+  const headers = new Headers();
+  headers.set("accept", "application/json");
+  if (config.key) {
+    headers.set("x-api-key", config.key);
+    headers.set("authorization", `Bearer ${config.key}`);
+  }
+  return headers;
+}
+function shouldAutoStart(value) {
+  if (value !== void 0) {
+    return value;
+  }
+  const raw = process.env.HERMESLINK_GATEWAY_AUTOSTART?.trim().toLowerCase();
+  return raw !== "0" && raw !== "false" && raw !== "off";
+}
+function unavailableMessage() {
+  return "Hermes API Server \u5F53\u524D\u4E0D\u53EF\u7528\u3002\u8BF7\u786E\u8BA4 Hermes Agent \u5DF2\u5B89\u88C5\uFF0C\u5E76\u53EF\u901A\u8FC7 `hermes gateway run` \u542F\u52A8\uFF1BHermesPilot Link \u9700\u8981 Hermes Agent \u7684\u672C\u673A API Server\u3002";
+}
+function parseHermesVersion(value) {
+  const match = /\bv?(\d+\.\d+\.\d+)\b/u.exec(value);
+  return match?.[1] ?? null;
+}
+function compareSemver(left, right) {
+  const leftParts = left.split(".").map((part) => Number.parseInt(part, 10));
+  const rightParts = right.split(".").map((part) => Number.parseInt(part, 10));
+  for (let index = 0; index < 3; index += 1) {
+    const diff = (leftParts[index] || 0) - (rightParts[index] || 0);
+    if (diff !== 0) {
+      return diff;
+    }
+  }
+  return 0;
+}
+function formatErrorSuffix(error) {
+  if (!(error instanceof Error) || !error.message) {
+    return "";
+  }
+  return ` \u539F\u59CB\u9519\u8BEF\uFF1A${error.message}`;
+}
+
+// src/hermes/api-server.ts
+async function listHermesModels(options = {}) {
+  const response = await callHermesApi("/v1/models", { method: "GET" }, options);
+  if (response.status === 404) {
+    return { models: [] };
+  }
+  return await readJsonResponse(response);
+}
+async function createHermesRun(input, options = {}) {
+  const response = await callHermesApi(
+    "/v1/runs",
+    {
+      method: "POST",
+      body: JSON.stringify(input),
+      headers: { "content-type": "application/json" }
+    },
+    options
+  );
+  if (response.status === 404 || response.status === 503) {
+    assertHermesRunsApiSupported(await readHermesVersion().catch(() => null), response.status);
+    throw new LinkHttpError(503, "hermes_api_server_unavailable", "Hermes API Server is unavailable");
+  }
+  const payload = await readJsonResponse(response);
+  const runId = readString(payload, "run_id") ?? readString(payload, "runId") ?? readString(payload, "id");
+  if (!runId) {
+    throw new LinkHttpError(502, "hermes_run_invalid", "Hermes API Server did not return a run id");
+  }
+  return { run_id: runId, fallback: false };
+}
+async function streamHermesRunEvents(runId, options = {}) {
+  const response = await callHermesApi(`/v1/runs/${encodeURIComponent(runId)}/events`, { method: "GET" }, options);
+  assertHermesRunsApiSupported(await readHermesVersion().catch(() => null), response.status);
+  if (!response.ok || !response.body) {
+    throw new LinkHttpError(502, "hermes_events_unavailable", "Hermes run event stream is unavailable");
+  }
+  return new Response(response.body, {
+    status: response.status,
+    headers: {
+      "content-type": response.headers.get("content-type") ?? "text/event-stream; charset=utf-8",
+      "cache-control": "no-store"
+    }
+  });
+}
+async function cancelHermesRun(runId, options = {}) {
+  const response = await callHermesApi(
+    `/v1/runs/${encodeURIComponent(runId)}/cancel`,
+    { method: "POST" },
+    options
+  );
+  if (!response.ok && response.status !== 404) {
+    throw new LinkHttpError(502, "hermes_cancel_failed", "Hermes run cancel failed");
+  }
+}
+async function callHermesApi(path9, init, options) {
+  const availability = await ensureHermesApiServerAvailable({ fetchImpl: options.fetchImpl });
+  const config = availability.configResult.apiServer;
+  const fetcher = options.fetchImpl ?? fetch;
+  const headers = new Headers(init.headers);
+  headers.set("accept", headers.get("accept") ?? "application/json");
+  if (config.key) {
+    headers.set("x-api-key", config.key);
+    headers.set("authorization", `Bearer ${config.key}`);
+  }
+  return await fetcher(`http://127.0.0.1:${config.port}${path9}`, {
+    ...init,
+    headers
+  }).catch(() => {
+    throw new LinkHttpError(503, "hermes_api_server_unavailable", "Hermes API Server is unavailable");
+  });
+}
+async function readJsonResponse(response) {
+  const payload = await response.json().catch(() => null);
+  if (!response.ok || typeof payload !== "object" || payload === null) {
+    throw new LinkHttpError(502, "hermes_response_invalid", "Hermes API Server returned an invalid response");
+  }
+  return payload;
+}
+function readString(payload, key) {
+  const value = payload[key];
+  return typeof value === "string" && value.trim() ? value.trim() : null;
+}
+
+// src/conversations/conversation-service.ts
+var MAX_IMPORTED_BLOB_BYTES = 100 * 1024 * 1024;
+var MAX_UPLOADED_BLOB_BYTES = 50 * 1024 * 1024;
+var CONVERSATION_ID_PATTERN = /^conv_[a-f0-9]{32}$/u;
+var BLOB_ID_PATTERN = /^blob_[a-f0-9]{32}$/u;
+var MEDIA_TAG_PATTERN = /[`"']?MEDIA:\s*(`[^`\n]+`|"[^"\n]+"|'[^'\n]+'|(?:~\/|\/)\S+(?:[^\S\n]+\S+)*?\.(?:png|jpe?g|gif|webp|heic|pdf|txt|md|json|csv|mp4|mov|avi|mkv|webm|ogg|opus|mp3|wav|m4a)(?=[\s`"',;:)\]}]|$)|\S+)[`"']?/giu;
+var ConversationService = class {
+  constructor(paths, logger) {
+    this.paths = paths;
+    this.logger = logger;
+    this.emitter.setMaxListeners(0);
+  }
+  paths;
+  logger;
+  emitter = new EventEmitter();
+  async listConversations() {
+    await mkdir4(this.paths.conversationsDir, { recursive: true, mode: 448 });
+    const entries = await readdir(this.paths.conversationsDir, { withFileTypes: true }).catch((error) => {
+      if (isNodeError3(error, "ENOENT")) {
+        return [];
+      }
+      throw error;
+    });
+    const summaries = [];
+    for (const entry of entries) {
+      if (!entry.isDirectory()) {
+        continue;
+      }
+      const manifest = await this.readManifest(entry.name).catch(() => null);
+      if (!manifest || manifest.status !== "active") {
+        continue;
+      }
+      const snapshot = await this.readSnapshot(entry.name).catch(() => emptySnapshot());
+      summaries.push(toSummary(manifest, snapshot));
+    }
+    return summaries.sort((left, right) => Date.parse(right.updated_at) - Date.parse(left.updated_at));
+  }
+  async createConversation(input = {}) {
+    await mkdir4(this.paths.conversationsDir, { recursive: true, mode: 448 });
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const id = `conv_${randomUUID().replaceAll("-", "")}`;
+    const title = input.title?.trim() || "Untitled";
+    const manifest = {
+      id,
+      schema_version: 1,
+      kind: "direct",
+      title,
+      status: "active",
+      hermes_session_id: `hp_${id}`,
+      created_at: now,
+      updated_at: now,
+      last_event_seq: 0
+    };
+    await mkdir4(this.conversationDir(id), { recursive: true, mode: 448 });
+    await this.writeManifest(manifest);
+    await this.writeSnapshot(id, emptySnapshot());
+    const event = await this.appendEvent(manifest.id, {
+      type: "conversation.created",
+      payload: { title }
+    });
+    return { ...toSummary({ ...manifest, last_event_seq: event.seq }, emptySnapshot()), last_event_seq: event.seq };
+  }
+  async getMessages(conversationId) {
+    const manifest = await this.readActiveManifest(conversationId);
+    const snapshot = await this.readSnapshot(conversationId);
+    return {
+      messages: snapshot.messages,
+      last_event_seq: manifest.last_event_seq
+    };
+  }
+  async listEvents(conversationId, after = 0) {
+    await this.readManifest(conversationId);
+    const eventsPath = this.eventsPath(conversationId);
+    const raw = await readFile3(eventsPath, "utf8").catch((error) => {
+      if (isNodeError3(error, "ENOENT")) {
+        return "";
+      }
+      throw error;
+    });
+    return raw.split("\n").filter(Boolean).map((line) => JSON.parse(line)).filter((event) => event.seq > after);
+  }
+  subscribe(conversationId, listener) {
+    const eventName = this.liveEventName(conversationId);
+    this.emitter.on(eventName, listener);
+    return () => this.emitter.off(eventName, listener);
+  }
+  async sendMessage(input) {
+    const manifest = await this.readActiveManifest(input.conversationId);
+    const content = input.content.trim();
+    const userAttachmentParts = await this.resolveMessageAttachmentParts(
+      manifest.id,
+      input.attachments ?? []
+    );
+    if (!content && userAttachmentParts.length === 0) {
+      throw new LinkHttpError(400, "message_content_required", "message content is required");
+    }
+    const idempotencyKey = input.clientMessageId ?? input.idempotencyKey;
+    const snapshot = await this.readSnapshot(input.conversationId);
+    if (idempotencyKey) {
+      const existingUser = snapshot.messages.find((message) => message.client_message_id === idempotencyKey);
+      if (existingUser) {
+        const existingRun = snapshot.runs.find((run2) => run2.trigger_message_id === existingUser.id);
+        const existingAssistant = existingRun ? snapshot.messages.find((message) => message.id === existingRun.assistant_message_id) : null;
+        return {
+          conversation_id: manifest.id,
+          user_message: { id: existingUser.id, status: existingUser.status },
+          assistant_message: { id: existingAssistant?.id ?? "", status: existingAssistant?.status ?? "failed" },
+          run: { id: existingRun?.id ?? "", status: existingRun?.status ?? "unknown" },
+          last_event_seq: manifest.last_event_seq
+        };
+      }
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const userMessage = {
+      id: `msg_${randomUUID().replaceAll("-", "")}`,
+      schema_version: 1,
+      conversation_id: manifest.id,
+      role: "user",
+      status: "completed",
+      client_message_id: idempotencyKey,
+      created_at: now,
+      updated_at: now,
+      sender: { id: "app_user", type: "human", display_name: "Me" },
+      parts: [{ type: "text", text: content }, ...userAttachmentParts],
+      attachments: userAttachmentParts.map((part) => ({
+        blob_id: part.blob,
+        mime: part.mime,
+        size: part.size,
+        filename: part.filename
+      })),
+      raw: { format: "hermes-link-user-message", payload: { content, attachments: input.attachments ?? [] } }
+    };
+    const assistantMessage = {
+      id: `msg_${randomUUID().replaceAll("-", "")}`,
+      schema_version: 1,
+      conversation_id: manifest.id,
+      role: "assistant",
+      status: "streaming",
+      created_at: now,
+      updated_at: now,
+      sender: { id: "agent_default", type: "agent", display_name: "Hermes", profile: "default" },
+      parts: [{ type: "text", text: "" }],
+      attachments: []
+    };
+    const run = {
+      id: `run_${randomUUID().replaceAll("-", "")}`,
+      conversation_id: manifest.id,
+      trigger_message_id: userMessage.id,
+      assistant_message_id: assistantMessage.id,
+      hermes_session_id: manifest.hermes_session_id,
+      status: "running",
+      started_at: now
+    };
+    snapshot.messages.push(userMessage, assistantMessage);
+    snapshot.runs.push(run);
+    await this.writeSnapshot(manifest.id, snapshot);
+    await this.appendEvent(manifest.id, {
+      type: "message.created",
+      message_id: userMessage.id,
+      payload: { message: userMessage }
+    });
+    await this.appendEvent(manifest.id, {
+      type: "message.created",
+      message_id: assistantMessage.id,
+      run_id: run.id,
+      payload: { message: assistantMessage }
+    });
+    const runEvent = await this.appendEvent(manifest.id, {
+      type: "run.started",
+      message_id: assistantMessage.id,
+      run_id: run.id,
+      payload: { run }
+    });
+    void this.startRunWorker(manifest.id, run.id, this.buildHermesInput(content, userAttachmentParts)).catch((error) => {
+      void this.failRun(manifest.id, run.id, error instanceof Error ? error.message : String(error));
+    });
+    return {
+      conversation_id: manifest.id,
+      user_message: { id: userMessage.id, status: userMessage.status },
+      assistant_message: { id: assistantMessage.id, status: assistantMessage.status },
+      run: { id: run.id, status: run.status },
+      last_event_seq: runEvent.seq
+    };
+  }
+  async deleteConversation(conversationId) {
+    const manifest = await this.readActiveManifest(conversationId);
+    const snapshot = await this.readSnapshot(conversationId).catch(() => emptySnapshot());
+    const referencedBlobIds = /* @__PURE__ */ new Set([
+      ...collectBlobIds(snapshot),
+      ...await this.listConversationBlobIds(conversationId)
+    ]);
+    await deleteHermesSession(manifest.hermes_session_id);
+    const deletedAt = (/* @__PURE__ */ new Date()).toISOString();
+    const next = {
+      ...manifest,
+      status: "deleted_soft",
+      updated_at: deletedAt,
+      deleted_at: deletedAt
+    };
+    await this.writeManifest(next);
+    const deleteEvent = await this.appendEvent(conversationId, {
+      type: "conversation.deleted",
+      payload: { deleted_at: deletedAt, hermes_session_id: manifest.hermes_session_id }
+    });
+    await this.writeSnapshot(conversationId, emptySnapshot());
+    await writeFile2(this.eventsPath(conversationId), `${JSON.stringify(deleteEvent)}
+`, { mode: 384 });
+    await this.pruneConversationBlobReferences(conversationId, [...referencedBlobIds]);
+    return { conversation_id: conversationId, hermes_deleted: true, deleted_at: deletedAt };
+  }
+  async writeBlob(conversationId, input) {
+    await this.readActiveManifest(conversationId);
+    if (input.bytes.byteLength > MAX_UPLOADED_BLOB_BYTES) {
+      throw new LinkHttpError(413, "blob_too_large", "Blob is too large");
+    }
+    const id = `blob_${randomUUID().replaceAll("-", "")}`;
+    const filePath = this.blobPath(id);
+    await mkdir4(path5.dirname(filePath), { recursive: true, mode: 448 });
+    await writeFile2(filePath, input.bytes, { mode: 384 });
+    const manifestPath = `${filePath}.json`;
+    const blob = {
+      id,
+      size: input.bytes.byteLength,
+      mime: input.mime || "application/octet-stream",
+      filename: sanitizeFilename(input.filename, id),
+      created_at: (/* @__PURE__ */ new Date()).toISOString(),
+      conversation_ids: [conversationId]
+    };
+    await writeJsonFile(manifestPath, blob);
+    await this.appendEvent(conversationId, {
+      type: "blob.created",
+      payload: blob
+    });
+    return blob;
+  }
+  async readBlob(conversationId, blobId) {
+    await this.readActiveManifest(conversationId);
+    const filePath = this.blobPath(blobId);
+    const manifest = await this.readBlobManifest(conversationId, blobId);
+    const bytes = await readFile3(filePath).catch((error) => {
+      if (isNodeError3(error, "ENOENT")) {
+        throw new LinkHttpError(404, "blob_not_found", "Blob was not found");
+      }
+      throw error;
+    });
+    return {
+      bytes,
+      mime: manifest.mime || "application/octet-stream",
+      filename: manifest.filename || blobId,
+      size: manifest.size || bytes.byteLength
+    };
+  }
+  async resolveMessageAttachmentParts(conversationId, attachments) {
+    const parts = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const attachment of attachments) {
+      const blobId = attachment.blob_id ?? attachment.blobId;
+      if (!blobId || seen.has(blobId)) {
+        continue;
+      }
+      seen.add(blobId);
+      const manifest = await this.readBlobManifest(conversationId, blobId);
+      const mime = manifest.mime || "application/octet-stream";
+      parts.push({
+        type: mediaKindForMime(mime),
+        blob: blobId,
+        mime,
+        size: manifest.size,
+        filename: manifest.filename || blobId,
+        url: `/api/v1/conversations/${encodeURIComponent(conversationId)}/blobs/${encodeURIComponent(blobId)}`
+      });
+    }
+    return parts;
+  }
+  buildHermesInput(content, parts) {
+    const attachmentLines = parts.filter((part) => part.blob).map((part) => {
+      const label = part.filename ?? part.blob;
+      const mime = part.mime ? `, ${part.mime}` : "";
+      const size = part.size ? `, ${part.size} bytes` : "";
+      return `- ${label}${mime}${size}: ${this.blobPath(part.blob)}`;
+    });
+    if (attachmentLines.length === 0) {
+      return content;
+    }
+    const prefix = content ? `${content}
+
+` : "";
+    return `${prefix}Attachments available on this computer:
+${attachmentLines.join("\n")}`;
+  }
+  async readBlobManifest(conversationId, blobId) {
+    assertValidConversationId(conversationId);
+    assertValidBlobId(blobId);
+    const manifest = await readJsonFile(
+      `${this.blobPath(blobId)}.json`
+    );
+    if (!manifest?.conversation_ids?.includes(conversationId)) {
+      throw new LinkHttpError(404, "blob_not_found", "Blob was not found");
+    }
+    return manifest;
+  }
+  async writeBlobFromFile(conversationId, source) {
+    const sourcePath = resolveMediaSourcePath(source.path);
+    const fileStat = await stat(sourcePath).catch((error) => {
+      if (isNodeError3(error, "ENOENT")) {
+        throw new LinkHttpError(404, "media_source_not_found", "Hermes output file was not found");
+      }
+      throw error;
+    });
+    if (!fileStat.isFile()) {
+      throw new LinkHttpError(400, "media_source_not_file", "Hermes output media source is not a file");
+    }
+    if (fileStat.size > MAX_IMPORTED_BLOB_BYTES) {
+      throw new LinkHttpError(413, "media_source_too_large", "Hermes output media source is too large");
+    }
+    return this.writeBlob(conversationId, {
+      bytes: await readFile3(sourcePath),
+      filename: path5.basename(sourcePath),
+      mime: source.mime ?? inferMimeType(sourcePath)
+    });
+  }
+  async startRunWorker(conversationId, runId, input) {
+    const snapshot = await this.readSnapshot(conversationId);
+    const run = snapshot.runs.find((item) => item.id === runId);
+    if (!run) {
+      return;
+    }
+    const runResponse = await createHermesRun({
+      input,
+      session_id: run.hermes_session_id,
+      conversation_history: buildConversationHistory(snapshot, run)
+    });
+    await this.updateRun(conversationId, runId, { hermes_run_id: runResponse.run_id });
+    const response = await streamHermesRunEvents(runResponse.run_id);
+    for await (const event of parseSseResponse(response)) {
+      if (!await this.isConversationActive(conversationId)) {
+        return;
+      }
+      const type = event.payloadType;
+      if (type === "run.completed") {
+        await this.importMediaReferencesForEvent(conversationId, runId, event);
+        await this.completeRun(conversationId, runId, event);
+        return;
+      }
+      if (type === "run.failed") {
+        await this.importMediaReferencesForEvent(conversationId, runId, event);
+        await this.failRun(conversationId, runId, readErrorMessage(event.payload) ?? "Hermes run failed", event);
+        return;
+      }
+      await this.persistHermesEvent(conversationId, runId, event);
+    }
+    await this.completeRun(conversationId, runId);
+  }
+  async persistHermesEvent(conversationId, runId, event) {
+    if (!await this.isConversationActive(conversationId)) {
+      return;
+    }
+    const type = event.payloadType;
+    if (type === "message.delta") {
+      const delta = readDelta(event.payload);
+      if (delta) {
+        await this.appendAssistantDelta(conversationId, runId, delta, event.payload);
+      }
+      return;
+    }
+    const messageId = await this.assistantMessageIdForRun(conversationId, runId);
+    await this.appendEvent(conversationId, {
+      type,
+      message_id: messageId,
+      run_id: runId,
+      payload: event.payload,
+      raw: { format: "hermes-run-event", payload: event.rawPayload }
+    });
+    if (messageId) {
+      await this.importMediaReferences(conversationId, runId, messageId, collectMediaReferences(event.payload));
+    }
+  }
+  async importMediaReferencesForEvent(conversationId, runId, event) {
+    const messageId = await this.assistantMessageIdForRun(conversationId, runId);
+    if (!messageId) {
+      return;
+    }
+    await this.importMediaReferences(conversationId, runId, messageId, collectMediaReferences(event.payload));
+  }
+  async appendAssistantDelta(conversationId, runId, delta, rawPayload) {
+    const snapshot = await this.readSnapshot(conversationId);
+    const run = snapshot.runs.find((item) => item.id === runId);
+    if (!run) {
+      return;
+    }
+    const assistant = snapshot.messages.find((message) => message.id === run.assistant_message_id);
+    if (!assistant) {
+      return;
+    }
+    const textPart = assistant.parts.find((part) => part.type === "text");
+    if (textPart) {
+      textPart.text = `${textPart.text ?? ""}${delta}`;
+    } else {
+      assistant.parts.push({ type: "text", text: delta });
+    }
+    assistant.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+    assistant.raw = { format: "hermes-run-event", payload: rawPayload };
+    await this.writeSnapshot(conversationId, snapshot);
+    await this.appendEvent(conversationId, {
+      type: "message.delta",
+      message_id: assistant.id,
+      run_id: runId,
+      payload: { delta },
+      raw: { format: "hermes-run-event", payload: rawPayload }
+    });
+  }
+  async completeRun(conversationId, runId, source) {
+    let snapshot = await this.readSnapshot(conversationId);
+    let run = snapshot.runs.find((item) => item.id === runId);
+    if (!run) {
+      return;
+    }
+    const initialRun = run;
+    let assistant = snapshot.messages.find((message) => message.id === initialRun.assistant_message_id);
+    if (assistant) {
+      await this.importMediaReferences(conversationId, runId, assistant.id, collectMediaTags(messageText(assistant)));
+      snapshot = await this.readSnapshot(conversationId);
+      const refreshedRun = snapshot.runs.find((item) => item.id === runId);
+      if (!refreshedRun) {
+        return;
+      }
+      run = refreshedRun;
+      assistant = snapshot.messages.find((message) => message.id === refreshedRun.assistant_message_id);
+    }
+    const completedAt = (/* @__PURE__ */ new Date()).toISOString();
+    run.status = "completed";
+    run.completed_at = completedAt;
+    if (assistant) {
+      assistant.status = "completed";
+      assistant.updated_at = completedAt;
+      cleanMessageTextParts(assistant);
+    }
+    await this.writeSnapshot(conversationId, snapshot);
+    if (assistant) {
+      await this.appendEvent(conversationId, {
+        type: "message.completed",
+        message_id: assistant.id,
+        run_id: runId,
+        payload: { message: assistant }
+      });
+    }
+    await this.appendEvent(conversationId, {
+      type: "run.completed",
+      message_id: assistant?.id,
+      run_id: runId,
+      payload: { run, ...source ? { hermes: source.payload } : {} },
+      ...source ? { raw: { format: "hermes-run-event", payload: source.rawPayload } } : {}
+    });
+  }
+  async failRun(conversationId, runId, message, source) {
+    const snapshot = await this.readSnapshot(conversationId).catch(() => null);
+    if (!snapshot) {
+      return;
+    }
+    const run = snapshot.runs.find((item) => item.id === runId);
+    if (!run) {
+      return;
+    }
+    run.status = "failed";
+    run.completed_at = (/* @__PURE__ */ new Date()).toISOString();
+    run.error_message = message;
+    const assistant = snapshot.messages.find((item) => item.id === run.assistant_message_id);
+    if (assistant) {
+      assistant.status = "failed";
+      assistant.updated_at = run.completed_at;
+      const textPart = assistant.parts.find((part) => part.type === "text");
+      if (textPart && !textPart.text) {
+        textPart.text = message;
+      }
+    }
+    await this.writeSnapshot(conversationId, snapshot);
+    await this.appendEvent(conversationId, {
+      type: "run.failed",
+      message_id: assistant?.id,
+      run_id: runId,
+      payload: { error: { message }, run, ...source ? { hermes: source.payload } : {} },
+      ...source ? { raw: { format: "hermes-run-event", payload: source.rawPayload } } : {}
+    });
+    void this.logger.warn("conversation_run_failed", { conversation_id: conversationId, run_id: runId, error: message });
+  }
+  async updateRun(conversationId, runId, patch) {
+    const snapshot = await this.readSnapshot(conversationId);
+    const run = snapshot.runs.find((item) => item.id === runId);
+    if (!run) {
+      return;
+    }
+    Object.assign(run, patch);
+    await this.writeSnapshot(conversationId, snapshot);
+  }
+  async assistantMessageIdForRun(conversationId, runId) {
+    const snapshot = await this.readSnapshot(conversationId).catch(() => null);
+    return snapshot?.runs.find((item) => item.id === runId)?.assistant_message_id;
+  }
+  async importMediaReferences(conversationId, runId, messageId, references) {
+    if (references.length === 0) {
+      return;
+    }
+    const snapshot = await this.readSnapshot(conversationId);
+    const assistant = snapshot.messages.find((message) => message.id === messageId);
+    if (!assistant) {
+      return;
+    }
+    const importedSourceKeys = readImportedMediaSourceKeys(assistant);
+    const importedParts = [];
+    for (const reference of references.slice(0, 10)) {
+      try {
+        const sourceKey = mediaSourceKey(reference.path);
+        if (importedSourceKeys.has(sourceKey)) {
+          continue;
+        }
+        const blob = await this.writeBlobFromFile(conversationId, reference);
+        const part = {
+          type: reference.kind ?? mediaKindForMime(blob.mime),
+          blob: blob.id,
+          mime: blob.mime,
+          size: blob.size,
+          filename: blob.filename,
+          url: `/api/v1/conversations/${encodeURIComponent(conversationId)}/blobs/${encodeURIComponent(blob.id)}`
+        };
+        assistant.parts.push(part);
+        assistant.attachments.push({
+          blob_id: blob.id,
+          mime: blob.mime,
+          size: blob.size,
+          filename: blob.filename,
+          source: "hermes_output"
+        });
+        importedSourceKeys.add(sourceKey);
+        importedParts.push(part);
+      } catch (error) {
+        void this.logger.warn("conversation_media_import_failed", {
+          conversation_id: conversationId,
+          run_id: runId,
+          message_id: messageId,
+          error: error instanceof Error ? error.message : String(error)
+        });
+      }
+    }
+    if (importedParts.length === 0) {
+      return;
+    }
+    assistant.hermes = {
+      ...toRecord2(assistant.hermes),
+      imported_media_source_keys: [...importedSourceKeys]
+    };
+    assistant.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+    await this.writeSnapshot(conversationId, snapshot);
+    await this.appendEvent(conversationId, {
+      type: "message.parts.created",
+      message_id: messageId,
+      run_id: runId,
+      payload: { parts: importedParts }
+    });
+  }
+  async appendEvent(conversationId, input) {
+    const manifest = await this.readManifest(conversationId);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const event = {
+      ...input,
+      seq: manifest.last_event_seq + 1,
+      conversation_id: conversationId,
+      created_at: now
+    };
+    await mkdir4(this.conversationDir(conversationId), { recursive: true, mode: 448 });
+    await appendFile(this.eventsPath(conversationId), `${JSON.stringify(event)}
+`, { mode: 384 });
+    await this.writeManifest({
+      ...manifest,
+      last_event_seq: event.seq,
+      updated_at: now
+    });
+    this.emitter.emit(this.liveEventName(conversationId), event);
+    return event;
+  }
+  async readActiveManifest(conversationId) {
+    const manifest = await this.readManifest(conversationId);
+    if (manifest.status !== "active") {
+      throw new LinkHttpError(404, "conversation_not_found", "Conversation was not found");
+    }
+    return manifest;
+  }
+  async isConversationActive(conversationId) {
+    const manifest = await this.readManifest(conversationId).catch(() => null);
+    return manifest?.status === "active";
+  }
+  async readManifest(conversationId) {
+    const manifest = await readJsonFile(this.manifestPath(conversationId));
+    if (!manifest) {
+      throw new LinkHttpError(404, "conversation_not_found", "Conversation was not found");
+    }
+    return manifest;
+  }
+  writeManifest(manifest) {
+    return writeJsonFile(this.manifestPath(manifest.id), manifest);
+  }
+  async readSnapshot(conversationId) {
+    return await readJsonFile(this.snapshotPath(conversationId)) ?? emptySnapshot();
+  }
+  writeSnapshot(conversationId, snapshot) {
+    return writeJsonFile(this.snapshotPath(conversationId), snapshot);
+  }
+  conversationDir(conversationId) {
+    assertValidConversationId(conversationId);
+    return path5.join(this.paths.conversationsDir, conversationId);
+  }
+  manifestPath(conversationId) {
+    return path5.join(this.conversationDir(conversationId), "manifest.json");
+  }
+  snapshotPath(conversationId) {
+    return path5.join(this.conversationDir(conversationId), "snapshot.json");
+  }
+  eventsPath(conversationId) {
+    return path5.join(this.conversationDir(conversationId), "events.ndjson");
+  }
+  blobPath(blobId) {
+    assertValidBlobId(blobId);
+    return path5.join(this.paths.blobsDir, `${blobId}.bin`);
+  }
+  liveEventName(conversationId) {
+    return `conversation:${conversationId}`;
+  }
+  async pruneConversationBlobReferences(conversationId, blobIds) {
+    for (const blobId of blobIds) {
+      try {
+        const manifestPath = `${this.blobPath(blobId)}.json`;
+        const manifest = await readJsonFile(manifestPath);
+        const nextConversationIds = (manifest?.conversation_ids ?? []).filter((id) => id !== conversationId);
+        if (nextConversationIds.length > 0) {
+          await writeJsonFile(manifestPath, { ...manifest, conversation_ids: nextConversationIds });
+          continue;
+        }
+        await rm2(this.blobPath(blobId), { force: true });
+        await rm2(manifestPath, { force: true });
+      } catch (error) {
+        void this.logger.warn("conversation_blob_gc_failed", {
+          conversation_id: conversationId,
+          blob_id: blobId,
+          error: error instanceof Error ? error.message : String(error)
+        });
+      }
+    }
+  }
+  async listConversationBlobIds(conversationId) {
+    await mkdir4(this.paths.blobsDir, { recursive: true, mode: 448 });
+    const entries = await readdir(this.paths.blobsDir, { withFileTypes: true }).catch((error) => {
+      if (isNodeError3(error, "ENOENT")) {
+        return [];
+      }
+      throw error;
+    });
+    const blobIds = [];
+    for (const entry of entries) {
+      if (!entry.isFile() || !entry.name.endsWith(".bin.json")) {
+        continue;
+      }
+      const blobId = entry.name.slice(0, -".bin.json".length);
+      if (!BLOB_ID_PATTERN.test(blobId)) {
+        continue;
+      }
+      const manifest = await readJsonFile(
+        path5.join(this.paths.blobsDir, entry.name)
+      ).catch(() => null);
+      if (manifest?.conversation_ids?.includes(conversationId)) {
+        blobIds.push(blobId);
+      }
+    }
+    return blobIds;
+  }
+};
+async function* parseSseResponse(response) {
+  if (!response.body) {
+    return;
+  }
+  const decoder = new TextDecoder();
+  let buffer = "";
+  for await (const chunk of response.body) {
+    buffer += decoder.decode(chunk, { stream: true });
+    let separatorIndex = buffer.indexOf("\n\n");
+    while (separatorIndex >= 0) {
+      const block = buffer.slice(0, separatorIndex);
+      buffer = buffer.slice(separatorIndex + 2);
+      const parsed = parseSseBlock(block);
+      if (parsed) {
+        yield parsed;
+      }
+      separatorIndex = buffer.indexOf("\n\n");
+    }
+  }
+  const trailing = parseSseBlock(buffer);
+  if (trailing) {
+    yield trailing;
+  }
+}
+function parseSseBlock(block) {
+  const lines = block.split("\n");
+  let eventName = "";
+  const data = [];
+  for (const rawLine of lines) {
+    const line = rawLine.trimEnd();
+    if (line.startsWith("event:")) {
+      eventName = line.slice(6).trim();
+    } else if (line.startsWith("data:")) {
+      data.push(line.slice(5).trimStart());
+    }
+  }
+  if (!eventName && data.length === 0) {
+    return null;
+  }
+  const raw = data.join("\n");
+  const decoded = decodeJson(raw);
+  const payload = toRecord2(decoded);
+  const payloadType = (readString2(payload, "type") ?? readString2(payload, "event") ?? eventName) || "message";
+  return { eventName, payloadType, payload, rawPayload: decoded ?? raw };
+}
+function decodeJson(value) {
+  if (!value.trim()) {
+    return {};
+  }
+  try {
+    return JSON.parse(value);
+  } catch {
+    return { type: "message.delta", delta: value };
+  }
+}
+function emptySnapshot() {
+  return { schema_version: 1, messages: [], runs: [] };
+}
+function toSummary(manifest, snapshot) {
+  const lastMessage = [...snapshot.messages].reverse().find((message) => message.parts.some((part) => part.type === "text" && part.text));
+  return {
+    id: manifest.id,
+    title: manifest.title,
+    created_at: manifest.created_at,
+    updated_at: manifest.updated_at,
+    last_event_seq: manifest.last_event_seq,
+    last_message: lastMessage ? {
+      id: lastMessage.id,
+      role: lastMessage.role,
+      content_preview: previewText(lastMessage)
+    } : null
+  };
+}
+function previewText(message) {
+  return messageText(message).slice(0, 160);
+}
+function messageText(message) {
+  return message.parts.filter((part) => part.type === "text" && part.text).map((part) => part.text).join("").trim();
+}
+function buildConversationHistory(snapshot, run) {
+  const triggerIndex = snapshot.messages.findIndex((message) => message.id === run.trigger_message_id);
+  const previousMessages = triggerIndex >= 0 ? snapshot.messages.slice(0, triggerIndex) : snapshot.messages;
+  return previousMessages.filter((message) => (message.role === "user" || message.role === "assistant") && message.status === "completed").map((message) => ({
+    role: message.role,
+    content: messageText(message)
+  })).filter((message) => message.content);
+}
+function readDelta(payload) {
+  return readString2(payload, "delta") ?? readString2(payload, "text") ?? readString2(payload, "content");
+}
+function readErrorMessage(payload) {
+  const error = toRecord2(payload.error);
+  return readString2(error, "message") ?? readString2(payload, "message");
+}
+function collectMediaReferences(payload) {
+  const references = [];
+  collectStructuredMediaReferences(payload, references);
+  for (const key of ["output", "content", "message", "text"]) {
+    const value = payload[key];
+    if (typeof value === "string") {
+      references.push(...collectMediaTags(value));
+    }
+  }
+  const unique2 = /* @__PURE__ */ new Set();
+  return references.filter((reference) => {
+    const key = `${reference.path}|${reference.mime ?? ""}|${reference.kind ?? ""}`;
+    if (unique2.has(key)) {
+      return false;
+    }
+    unique2.add(key);
+    return true;
+  });
+}
+function collectStructuredMediaReferences(value, references, depth = 0) {
+  if (depth > 4 || value === null || typeof value !== "object") {
+    return;
+  }
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      collectStructuredMediaReferences(item, references, depth + 1);
+    }
+    return;
+  }
+  const record = value;
+  for (const [key, item] of Object.entries(record)) {
+    if (typeof item === "string" && isExplicitMediaPathKey(key)) {
+      references.push({
+        path: item,
+        kind: mediaKindForMime(readString2(record, "mime") ?? readString2(record, "mime_type") ?? inferMimeType(item)),
+        mime: readString2(record, "mime") ?? readString2(record, "mime_type") ?? void 0
+      });
+      continue;
+    }
+    if (Array.isArray(item) || item !== null && typeof item === "object") {
+      collectStructuredMediaReferences(item, references, depth + 1);
+    }
+  }
+}
+function collectMediaTags(text) {
+  const references = [];
+  for (const match of text.matchAll(MEDIA_TAG_PATTERN)) {
+    const rawPath = match[1]?.trim();
+    const mediaPath = rawPath?.replace(/^["'`]|["'`]$/gu, "").replace(/["'`,.;:)}\]]+$/gu, "");
+    if (mediaPath) {
+      references.push({
+        path: mediaPath,
+        kind: mediaKindForMime(inferMimeType(mediaPath))
+      });
+    }
+  }
+  return references;
+}
+function cleanMessageTextParts(message) {
+  for (const part of message.parts) {
+    if (part.type === "text" && part.text) {
+      part.text = cleanHermesDisplayText(part.text);
+    }
+  }
+}
+function cleanHermesDisplayText(text) {
+  if (!text.includes("MEDIA:") && !text.includes("[[audio_as_voice]]")) {
+    return text;
+  }
+  return text.replaceAll("[[audio_as_voice]]", "").replace(MEDIA_TAG_PATTERN, "").replace(/\n{3,}/gu, "\n\n").trimEnd();
+}
+function isExplicitMediaPathKey(key) {
+  return [
+    "file_path",
+    "screenshot_path",
+    "image_path",
+    "audio_path",
+    "video_path",
+    "media_path",
+    "artifact_path"
+  ].includes(key);
+}
+function inferMimeType(filePath) {
+  const extension = path5.extname(filePath).toLowerCase();
+  return {
+    ".png": "image/png",
+    ".jpg": "image/jpeg",
+    ".jpeg": "image/jpeg",
+    ".gif": "image/gif",
+    ".webp": "image/webp",
+    ".heic": "image/heic",
+    ".pdf": "application/pdf",
+    ".txt": "text/plain",
+    ".md": "text/markdown",
+    ".json": "application/json",
+    ".csv": "text/csv",
+    ".mp3": "audio/mpeg",
+    ".wav": "audio/wav",
+    ".m4a": "audio/mp4",
+    ".ogg": "audio/ogg",
+    ".opus": "audio/ogg",
+    ".mp4": "video/mp4",
+    ".mov": "video/quicktime",
+    ".webm": "video/webm"
+  }[extension] ?? "application/octet-stream";
+}
+function mediaKindForMime(mime) {
+  if (mime.startsWith("image/")) {
+    return "image";
+  }
+  if (mime.startsWith("audio/")) {
+    return "audio";
+  }
+  return "file";
+}
+function collectBlobIds(snapshot) {
+  const blobIds = /* @__PURE__ */ new Set();
+  for (const message of snapshot.messages) {
+    for (const part of message.parts) {
+      if (part.blob) {
+        blobIds.add(part.blob);
+      }
+    }
+    for (const attachment of message.attachments) {
+      const record = toRecord2(attachment);
+      const blobId = readString2(record, "blob_id") ?? readString2(record, "blobId");
+      if (blobId) {
+        blobIds.add(blobId);
+      }
+    }
+  }
+  return [...blobIds];
+}
+function readImportedMediaSourceKeys(message) {
+  const hermes = toRecord2(message.hermes);
+  const keys = hermes.imported_media_source_keys;
+  if (!Array.isArray(keys)) {
+    return /* @__PURE__ */ new Set();
+  }
+  return new Set(keys.filter((key) => typeof key === "string" && key.length > 0));
+}
+function mediaSourceKey(sourcePath) {
+  return createHash("sha256").update(resolveMediaSourcePath(sourcePath)).digest("hex").slice(0, 32);
+}
+function sanitizeFilename(value, fallback) {
+  const base = path5.basename((value ?? "").replace(/[\r\n\t]/gu, " ").trim());
+  const safe = base.replace(/[/:\\]/gu, "_").slice(0, 200).trim();
+  return safe || fallback;
+}
+function resolveMediaSourcePath(sourcePath) {
+  const trimmed = sourcePath.trim();
+  const expanded = trimmed.startsWith("~/") ? path5.join(process.env.HOME ?? "", trimmed.slice(2)) : trimmed;
+  const resolved = path5.resolve(expanded);
+  if (!path5.isAbsolute(expanded)) {
+    throw new LinkHttpError(400, "media_source_path_not_absolute", "Hermes output media source must be an absolute path");
+  }
+  return resolved;
+}
+function assertValidConversationId(conversationId) {
+  if (!CONVERSATION_ID_PATTERN.test(conversationId)) {
+    throw new LinkHttpError(404, "conversation_not_found", "Conversation was not found");
+  }
+}
+function assertValidBlobId(blobId) {
+  if (!BLOB_ID_PATTERN.test(blobId)) {
+    throw new LinkHttpError(404, "blob_not_found", "Blob was not found");
+  }
+}
+function readString2(payload, key) {
+  const value = payload[key];
+  return typeof value === "string" && value.trim() ? value.trim() : null;
+}
+function toRecord2(value) {
+  return typeof value === "object" && value !== null ? value : {};
+}
+function isNodeError3(error, code) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === code;
+}
+
+// src/hermes/profiles.ts
+import { mkdir as mkdir5, readdir as readdir2, rename as rename2, rm as rm3, stat as stat2 } from "fs/promises";
+import os3 from "os";
+import path6 from "path";
+var DEFAULT_PROFILE = "default";
+var PROFILE_NAME_PATTERN = /^[a-zA-Z0-9._-]{1,64}$/;
+async function listHermesProfiles(paths = resolveRuntimePaths()) {
+  const activeProfile = await getActiveProfile(paths);
+  const profiles = /* @__PURE__ */ new Map();
+  profiles.set(DEFAULT_PROFILE, profileInfo(DEFAULT_PROFILE, activeProfile));
+  const profilesDir = path6.join(os3.homedir(), ".hermes", "profiles");
+  const entries = await readdir2(profilesDir, { withFileTypes: true }).catch((error) => {
+    if (isNodeError4(error, "ENOENT")) {
+      return [];
+    }
+    throw error;
+  });
+  for (const entry of entries) {
+    if (entry.isDirectory() && PROFILE_NAME_PATTERN.test(entry.name)) {
+      profiles.set(entry.name, profileInfo(entry.name, activeProfile));
+    }
+  }
+  return [...profiles.values()].sort((left, right) => {
+    if (left.name === DEFAULT_PROFILE) {
+      return -1;
+    }
+    if (right.name === DEFAULT_PROFILE) {
+      return 1;
+    }
+    return left.name.localeCompare(right.name);
+  });
+}
+async function getHermesProfileStatus(name, paths = resolveRuntimePaths()) {
+  assertProfileName(name);
+  const profile = profileInfo(name, await getActiveProfile(paths));
+  const exists = await stat2(profile.path).then((value) => value.isDirectory()).catch((error) => {
+    if (isNodeError4(error, "ENOENT")) {
+      return false;
+    }
+    throw error;
+  });
+  const config = await readHermesApiServerConfig(name, profile.configPath);
+  return {
+    ...profile,
+    exists,
+    apiKeyConfigured: Boolean(config.key)
+  };
+}
+async function createHermesProfile(name) {
+  assertProfileName(name);
+  if (name === DEFAULT_PROFILE) {
+    throw new Error("default profile already exists");
+  }
+  const profile = profileInfo(name, DEFAULT_PROFILE);
+  if (await pathExists(profile.path)) {
+    throw new Error("profile already exists");
+  }
+  await mkdir5(profile.path, { recursive: true, mode: 448 });
+  await ensureHermesApiServerKey(name, profile.configPath);
+  return profile;
+}
+async function useHermesProfile(name, paths = resolveRuntimePaths()) {
+  assertProfileName(name);
+  const profile = profileInfo(name, name);
+  await mkdir5(profile.path, { recursive: true, mode: 448 });
+  const current = await readJsonFile(paths.stateFile) ?? {};
+  await writeJsonFile(paths.stateFile, { ...current, activeProfile: name });
+  return profile;
+}
+async function renameHermesProfile(oldName, newName) {
+  assertMutableProfile(oldName);
+  assertMutableProfile(newName);
+  const oldProfile = profileInfo(oldName, DEFAULT_PROFILE);
+  const newProfile = profileInfo(newName, DEFAULT_PROFILE);
+  await rename2(oldProfile.path, newProfile.path);
+  return newProfile;
+}
+async function deleteHermesProfile(name) {
+  assertMutableProfile(name);
+  await rm3(resolveHermesProfileDir(name), { recursive: true, force: true });
+}
+async function getActiveProfile(paths) {
+  const state = await readJsonFile(paths.stateFile);
+  return typeof state?.activeProfile === "string" && PROFILE_NAME_PATTERN.test(state.activeProfile) ? state.activeProfile : DEFAULT_PROFILE;
+}
+function profileInfo(name, activeProfile) {
+  return {
+    name,
+    active: name === activeProfile,
+    path: resolveHermesProfileDir(name),
+    configPath: resolveHermesConfigPath(name)
+  };
+}
+function assertMutableProfile(name) {
+  assertProfileName(name);
+  if (name === DEFAULT_PROFILE) {
+    throw new Error("default profile cannot be renamed or deleted");
+  }
+}
+function assertProfileName(name) {
+  if (!PROFILE_NAME_PATTERN.test(name)) {
+    throw new Error("invalid profile name");
+  }
+}
+async function pathExists(targetPath) {
+  return await stat2(targetPath).then(() => true).catch((error) => {
+    if (isNodeError4(error, "ENOENT")) {
+      return false;
+    }
+    throw error;
+  });
+}
+function isNodeError4(error, code) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === code;
+}
+
+// src/identity/identity.ts
+import { generateKeyPairSync, randomUUID as randomUUID2, sign } from "crypto";
+import { mkdir as mkdir6, chmod } from "fs/promises";
+import { z } from "zod";
+var linkIdentitySchema = z.object({
+  install_id: z.string().min(1),
+  link_id: z.string().min(1).nullable().optional(),
+  public_key_pem: z.string().min(1),
+  private_key_pem: z.string().min(1),
+  created_at: z.string().min(1),
+  updated_at: z.string().min(1)
+});
+async function loadIdentity(paths = resolveRuntimePaths()) {
+  const value = await readJsonFile(paths.identityFile);
+  if (value === null) {
+    return null;
+  }
+  return linkIdentitySchema.parse(value);
+}
+async function ensureIdentity(paths = resolveRuntimePaths()) {
+  const existing = await loadIdentity(paths);
+  if (existing) {
+    return existing;
+  }
+  await mkdir6(paths.homeDir, { recursive: true, mode: 448 });
+  await chmod(paths.homeDir, 448).catch(() => void 0);
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const identity = {
+    install_id: `install_${randomUUID2().replaceAll("-", "")}`,
+    link_id: null,
+    public_key_pem: publicKey.export({ type: "spki", format: "pem" }).toString(),
+    private_key_pem: privateKey.export({ type: "pkcs8", format: "pem" }).toString(),
+    created_at: now,
+    updated_at: now
+  };
+  await writeJsonFile(paths.identityFile, identity);
+  return identity;
+}
+async function saveAssignedLinkId(linkId, paths = resolveRuntimePaths()) {
+  const identity = await ensureIdentity(paths);
+  const next = {
+    ...identity,
+    link_id: linkId,
+    updated_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  await writeJsonFile(paths.identityFile, next);
+  return next;
+}
+function signRelayNonce(identity, nonce) {
+  const signature = sign(null, Buffer.from(nonce, "utf8"), identity.private_key_pem);
+  return signature.toString("base64url");
+}
+function getIdentityStatus(identity) {
+  return {
+    installId: identity.install_id,
+    linkId: identity.link_id ?? null,
+    hasPrivateKey: identity.private_key_pem.trim().length > 0,
+    publicKeyPem: identity.public_key_pem
+  };
+}
+
+// src/pairing/pairing.ts
+import path7 from "path";
+import { rm as rm4 } from "fs/promises";
+
+// src/security/devices.ts
+import { randomBytes as randomBytes2, randomUUID as randomUUID3, timingSafeEqual, createHash as createHash2 } from "crypto";
+var ACCESS_TOKEN_TTL_MS = 15 * 60 * 1e3;
+var REFRESH_TOKEN_TTL_MS = 90 * 24 * 60 * 60 * 1e3;
+async function createDeviceSession(input, paths = resolveRuntimePaths()) {
+  const store = await readCredentialStore(paths);
+  const now = /* @__PURE__ */ new Date();
+  const accessToken = randomToken("hpat_");
+  const refreshToken = randomToken("hprt_");
+  const device = {
+    id: `dev_${randomUUID3().replaceAll("-", "")}`,
+    label: input.label,
+    platform: input.platform,
+    scope: "admin",
+    access_token_hash: sha256(accessToken),
+    access_expires_at: new Date(now.getTime() + ACCESS_TOKEN_TTL_MS).toISOString(),
+    refresh_token_hash: sha256(refreshToken),
+    refresh_expires_at: new Date(now.getTime() + REFRESH_TOKEN_TTL_MS).toISOString(),
+    created_at: now.toISOString(),
+    updated_at: now.toISOString(),
+    revoked_at: null
+  };
+  store.devices.push(device);
+  await writeCredentialStore(paths, store);
+  return formatDeviceSession(device, accessToken, refreshToken);
+}
+async function authenticateDeviceAccessToken(token, paths = resolveRuntimePaths()) {
+  const tokenHash = sha256(token);
+  const store = await readCredentialStore(paths);
+  const device = store.devices.find((item) => safeEqual(item.access_token_hash, tokenHash));
+  if (!device || device.revoked_at || Date.parse(device.access_expires_at) <= Date.now()) {
+    return null;
+  }
+  return device;
+}
+async function refreshDeviceSession(refreshToken, paths = resolveRuntimePaths()) {
+  const tokenHash = sha256(refreshToken);
+  const store = await readCredentialStore(paths);
+  const device = store.devices.find((item) => safeEqual(item.refresh_token_hash, tokenHash));
+  if (!device || device.revoked_at || Date.parse(device.refresh_expires_at) <= Date.now()) {
+    throw new LinkHttpError(401, "refresh_token_invalid", "Refresh token is invalid or expired");
+  }
+  const now = /* @__PURE__ */ new Date();
+  const nextAccessToken = randomToken("hpat_");
+  const nextRefreshToken = randomToken("hprt_");
+  device.access_token_hash = sha256(nextAccessToken);
+  device.access_expires_at = new Date(now.getTime() + ACCESS_TOKEN_TTL_MS).toISOString();
+  device.refresh_token_hash = sha256(nextRefreshToken);
+  device.refresh_expires_at = new Date(now.getTime() + REFRESH_TOKEN_TTL_MS).toISOString();
+  device.updated_at = now.toISOString();
+  await writeCredentialStore(paths, store);
+  return formatDeviceSession(device, nextAccessToken, nextRefreshToken);
+}
+async function revokeDeviceRefreshToken(refreshToken, paths = resolveRuntimePaths()) {
+  const tokenHash = sha256(refreshToken);
+  const store = await readCredentialStore(paths);
+  const device = store.devices.find((item) => safeEqual(item.refresh_token_hash, tokenHash));
+  if (!device || device.revoked_at) {
+    return;
+  }
+  device.revoked_at = (/* @__PURE__ */ new Date()).toISOString();
+  device.updated_at = device.revoked_at;
+  await writeCredentialStore(paths, store);
+}
+async function readCredentialStore(paths) {
+  const existing = await readJsonFile(paths.credentialsFile);
+  return {
+    devices: Array.isArray(existing?.devices) ? existing.devices.filter(isDeviceRecord) : []
+  };
+}
+async function writeCredentialStore(paths, store) {
+  await writeJsonFile(paths.credentialsFile, store);
+}
+function formatDeviceSession(device, accessToken, refreshToken) {
+  return {
+    device: {
+      id: device.id,
+      device_id: device.id,
+      label: device.label,
+      platform: device.platform,
+      scope: device.scope
+    },
+    accessToken: {
+      token: accessToken,
+      expiresAt: device.access_expires_at
+    },
+    refreshToken: {
+      token: refreshToken,
+      expiresAt: device.refresh_expires_at
+    }
+  };
+}
+function isDeviceRecord(value) {
+  return typeof value === "object" && value !== null && typeof value.id === "string" && typeof value.access_token_hash === "string" && typeof value.refresh_token_hash === "string";
+}
+function randomToken(prefix) {
+  return `${prefix}${randomBytes2(24).toString("base64url")}`;
+}
+function sha256(value) {
+  return createHash2("sha256").update(value).digest("hex");
+}
+function safeEqual(left, right) {
+  const leftBytes = Buffer.from(left);
+  const rightBytes = Buffer.from(right);
+  return leftBytes.length === rightBytes.length && timingSafeEqual(leftBytes, rightBytes);
+}
+
+// src/relay/bootstrap.ts
+async function bootstrapRelayLink(options) {
+  const fetcher = options.fetchImpl ?? fetch;
+  const baseUrl = options.relayBaseUrl.replace(/\/+$/u, "");
+  const commonPayload = {
+    install_id: options.identity.install_id,
+    link_id: options.identity.link_id ?? void 0,
+    public_key_pem: options.identity.public_key_pem
+  };
+  const challenge = await postJson(
+    fetcher,
+    `${baseUrl}/api/v1/relay/link/challenge`,
+    options.relayBootstrapToken,
+    commonPayload
+  );
+  if (challenge.ok !== true || typeof challenge.nonce !== "string") {
+    throw new Error("Relay did not return a valid install challenge");
+  }
+  const proof = {
+    nonce: challenge.nonce,
+    signature: signRelayNonce(options.identity, challenge.nonce)
+  };
+  const assigned = await postJson(
+    fetcher,
+    `${baseUrl}/api/v1/relay/link/bootstrap`,
+    options.relayBootstrapToken,
+    {
+      ...commonPayload,
+      proof
+    }
+  );
+  if (assigned.ok !== true || typeof assigned.link_id !== "string") {
+    throw new Error("Relay did not return a valid link_id");
+  }
+  await saveAssignedLinkId(assigned.link_id, options.paths ?? resolveRuntimePaths());
+  return {
+    linkId: assigned.link_id,
+    reused: assigned.reused === true
+  };
+}
+async function postJson(fetcher, url, token, body) {
+  const response = await fetcher(url, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${token}`,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  const payload = await response.json().catch(() => null);
+  if (!response.ok) {
+    const message = readErrorMessage2(payload) ?? `Relay request failed with HTTP ${response.status}`;
+    throw new Error(message);
+  }
+  if (!payload) {
+    throw new Error("Relay returned an empty response");
+  }
+  return payload;
+}
+function readErrorMessage2(payload) {
+  if (typeof payload !== "object" || payload === null) {
+    return null;
+  }
+  const error = payload.error;
+  if (typeof error !== "object" || error === null) {
+    return null;
+  }
+  const message = error.message;
+  return typeof message === "string" ? message : null;
+}
+
+// src/topology/network.ts
+import os4 from "os";
+var VIRTUAL_INTERFACE_NAME_PATTERN = /(docker|veth|vmnet|vmenet|vbox|virtualbox|vmware|tailscale|zerotier|wireguard|utun|virbr|hyper-v|vethernet|loopback|\blo\b|^lo\d*$|^br-|^bridge\d+$|^zt|^tun|^tap|awdl|llw|anpi|gif|stf|ipsec|ppp)/iu;
+var MAX_LAN_IPS = 4;
+var MAX_PUBLIC_IPV4S = 2;
+var MAX_PUBLIC_IPV6S = 2;
+async function discoverRouteCandidates(options) {
+  const lanIps = discoverLanIps();
+  const publicIps = options.relayBootstrapToken ? await observePublicRoute(options).catch(() => ({ publicIpv4s: [], publicIpv6s: [] })) : { publicIpv4s: [], publicIpv6s: [] };
+  const publicIpv4s = unique(publicIps.publicIpv4s.filter(isUsablePublicIpv4)).slice(0, MAX_PUBLIC_IPV4S);
+  const publicIpv6s = unique(publicIps.publicIpv6s.filter(isUsablePublicIpv6)).slice(0, MAX_PUBLIC_IPV6S);
+  const preferredUrls = [
+    ...lanIps.map((ip) => buildDirectUrl(ip, options.port)),
+    ...publicIpv4s.map((ip) => buildDirectUrl(ip, options.port)),
+    ...publicIpv6s.map((ip) => buildDirectUrl(ip, options.port)),
+    `${options.relayBaseUrl.replace(/\/+$/u, "")}/api/v1/relay/links/${options.linkId}`
+  ];
+  return {
+    lanIps,
+    publicIpv4s,
+    publicIpv6s,
+    preferredUrls
+  };
+}
+function discoverLanIps() {
+  return discoverLanIpsFromInterfaces(os4.networkInterfaces());
+}
+function discoverLanIpsFromInterfaces(interfaces) {
+  const result = /* @__PURE__ */ new Set();
+  const candidates = [];
+  for (const [name, items] of Object.entries(interfaces)) {
+    if (shouldIgnoreInterface(name)) {
+      continue;
+    }
+    for (const item of items ?? []) {
+      if (!item.internal && item.address && item.family === "IPv4" && isUsableLanIpv4(item.address, item.netmask)) {
+        candidates.push({ name, address: item.address });
+      }
+    }
+  }
+  for (const candidate of candidates.sort(compareLanCandidate)) {
+    result.add(candidate.address);
+  }
+  return [...result].slice(0, MAX_LAN_IPS);
+}
+async function observePublicRoute(options) {
+  const fetcher = options.fetchImpl ?? fetch;
+  const response = await fetcher(`${options.relayBaseUrl.replace(/\/+$/u, "")}/api/v1/relay/public-route/observe`, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${options.relayBootstrapToken}`,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify({
+      install_id: options.installId,
+      link_id: options.linkId,
+      public_key_pem: options.publicKeyPem
+    })
+  });
+  const payload = await response.json().catch(() => null);
+  const record = typeof payload?.record === "object" && payload.record !== null ? payload.record : null;
+  const observed = typeof payload?.observed === "object" && payload.observed !== null ? payload.observed : null;
+  const values = [
+    readIpRecord(record?.ipv4),
+    readIpRecord(record?.ipv6),
+    typeof observed?.ip === "string" ? observed.ip : null
+  ].filter((value) => Boolean(value));
+  return {
+    publicIpv4s: unique(values.filter(isUsablePublicIpv4)),
+    publicIpv6s: unique(values.filter(isUsablePublicIpv6))
+  };
+}
+function readIpRecord(value) {
+  if (typeof value !== "object" || value === null) {
+    return null;
+  }
+  const ip = value.ip;
+  return typeof ip === "string" && ip.trim() ? ip.trim() : null;
+}
+function buildDirectUrl(ip, port) {
+  return `http://${ip.includes(":") ? `[${ip}]` : ip}:${port}`;
+}
+function shouldIgnoreInterface(name) {
+  return !name.trim() || VIRTUAL_INTERFACE_NAME_PATTERN.test(name);
+}
+function compareLanCandidate(left, right) {
+  const priority = interfacePriority(left.name) - interfacePriority(right.name);
+  return priority || left.name.localeCompare(right.name) || left.address.localeCompare(right.address);
+}
+function interfacePriority(name) {
+  if (/^(en|eth|wlan|wi-fi|wifi)/iu.test(name)) {
+    return 0;
+  }
+  return 1;
+}
+function isUsableLanIpv4(address, netmask) {
+  return isPrivateIpv4(address) && !isNetworkOrBroadcastIpv4Address(address, netmask);
+}
+function isUsablePublicIpv4(address) {
+  return isValidIpv4(address) && !isSpecialIpv4(address);
+}
+function isUsablePublicIpv6(address) {
+  const normalized = address.toLowerCase();
+  return normalized.includes(":") && !normalized.startsWith("fe80:") && !normalized.startsWith("fc") && !normalized.startsWith("fd") && !normalized.startsWith("ff") && normalized !== "::" && normalized !== "::1";
+}
+function isPrivateIpv4(address) {
+  const parts = parseIpv4Segments(address);
+  if (!parts) {
+    return false;
+  }
+  const [first, second] = parts;
+  return first === 10 || first === 172 && second >= 16 && second <= 31 || first === 192 && second === 168;
+}
+function isSpecialIpv4(address) {
+  const parts = parseIpv4Segments(address);
+  if (!parts) {
+    return true;
+  }
+  const [first, second, third, fourth] = parts;
+  return first === 0 || first === 10 || first === 127 || first >= 224 || first === 100 && second >= 64 && second <= 127 || first === 169 && second === 254 || first === 172 && second >= 16 && second <= 31 || first === 192 && second === 168 || first === 192 && second === 0 && third === 2 || first === 198 && (second === 18 || second === 19) || first === 198 && second === 51 && third === 100 || first === 203 && second === 0 && third === 113 || first === 255 && second === 255 && third === 255 && fourth === 255;
+}
+function isNetworkOrBroadcastIpv4Address(address, netmask) {
+  const addressParts = parseIpv4Segments(address);
+  const netmaskParts = netmask ? parseIpv4Segments(netmask) : null;
+  if (!addressParts) {
+    return true;
+  }
+  if (!netmaskParts) {
+    const last = addressParts[3];
+    return last === 0 || last === 255;
+  }
+  const addressInt = ipv4SegmentsToInt(addressParts);
+  const netmaskInt = ipv4SegmentsToInt(netmaskParts);
+  const hostMask = ~netmaskInt >>> 0;
+  if (hostMask === 0) {
+    return false;
+  }
+  const networkInt = addressInt & netmaskInt;
+  const broadcastInt = (networkInt | hostMask) >>> 0;
+  return addressInt === networkInt || addressInt === broadcastInt;
+}
+function isValidIpv4(address) {
+  return Boolean(parseIpv4Segments(address));
+}
+function parseIpv4Segments(address) {
+  if (!/^\d{1,3}(?:\.\d{1,3}){3}$/u.test(address)) {
+    return null;
+  }
+  const parts = address.split(".").map((part) => Number.parseInt(part, 10));
+  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
+    return null;
+  }
+  return parts;
+}
+function ipv4SegmentsToInt(parts) {
+  return (parts[0] << 24 >>> 0 | parts[1] << 16 | parts[2] << 8 | parts[3]) >>> 0;
+}
+function unique(values) {
+  return [...new Set(values)];
+}
+
+// src/pairing/pairing.ts
+async function preparePairing(paths = resolveRuntimePaths()) {
+  const config = await loadConfig(paths);
+  const identity = await ensureIdentity(paths);
+  const created = await postServerJson(config.serverBaseUrl, "/api/v1/link-pairings", {
+    install_id: identity.install_id,
+    link_id: identity.link_id ?? void 0,
+    display_name: defaultDisplayName(),
+    public_key_pem: identity.public_key_pem
+  });
+  const relayBaseUrl = created.relayBaseUrl || config.relayBaseUrl;
+  const assigned = await bootstrapRelayLink({
+    relayBaseUrl,
+    relayBootstrapToken: created.relayBootstrapToken,
+    identity,
+    paths
+  });
+  const updatedIdentity = await loadIdentity(paths) ?? identity;
+  const routes = await discoverRouteCandidates({
+    port: config.port,
+    relayBaseUrl,
+    relayBootstrapToken: created.relayBootstrapToken,
+    linkId: assigned.linkId,
+    installId: updatedIdentity.install_id,
+    publicKeyPem: updatedIdentity.public_key_pem
+  });
+  await patchServerJson(config.serverBaseUrl, `/api/v1/link-pairings/${created.sessionId}/link`, created.pairingToken, {
+    install_id: updatedIdentity.install_id,
+    link_id: assigned.linkId,
+    display_name: defaultDisplayName(),
+    lan_ips: routes.lanIps,
+    public_ipv4s: routes.publicIpv4s,
+    public_ipv6s: routes.publicIpv6s,
+    preferred_urls: routes.preferredUrls
+  });
+  const qrPayload = {
+    kind: "hermes_link_pairing",
+    version: 1,
+    link_id: assigned.linkId,
+    display_name: defaultDisplayName(),
+    session_id: created.sessionId,
+    code: created.code,
+    preferred_urls: qrPreferredUrls(routes)
+  };
+  return {
+    sessionId: created.sessionId,
+    code: created.code,
+    pairingToken: created.pairingToken,
+    relayBootstrapToken: created.relayBootstrapToken,
+    relayBaseUrl,
+    displayName: defaultDisplayName(),
+    linkId: assigned.linkId,
+    routes,
+    qrPayload
+  };
+}
+async function recordPairingClaim(input, paths = resolveRuntimePaths()) {
+  const record = {
+    session_id: input.sessionId,
+    device_id: input.deviceId,
+    device_label: input.deviceLabel,
+    device_platform: input.devicePlatform,
+    claimed_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  await writeJsonFile(pairingClaimPath(input.sessionId, paths), record);
+  return record;
+}
+async function readPairingClaim(sessionId, paths = resolveRuntimePaths()) {
+  const record = await readJsonFile(pairingClaimPath(sessionId, paths));
+  if (!record || record.session_id !== sessionId || typeof record.device_id !== "string") {
+    return null;
+  }
+  return {
+    session_id: record.session_id,
+    device_id: record.device_id,
+    device_label: typeof record.device_label === "string" ? record.device_label : "",
+    device_platform: typeof record.device_platform === "string" ? record.device_platform : "unknown",
+    claimed_at: typeof record.claimed_at === "string" ? record.claimed_at : ""
+  };
+}
+async function clearPairingClaim(sessionId, paths = resolveRuntimePaths()) {
+  await rm4(pairingClaimPath(sessionId, paths), { force: true }).catch(() => void 0);
+}
+async function claimPairing(input) {
+  const paths = input.paths ?? resolveRuntimePaths();
+  const [identity, config] = await Promise.all([loadRequiredIdentity(paths), loadConfig(paths)]);
+  const verified = await postServerJson(
+    config.serverBaseUrl,
+    `/api/v1/link-pairings/${input.sessionId}/claim/verify`,
+    {
+      claim_token: input.claimToken
+    }
+  );
+  if (verified.ok !== true || verified.linkId !== identity.link_id) {
+    throw new LinkHttpError(409, "pairing_claim_mismatch", "Pairing claim does not match this Link");
+  }
+  const session = await createDeviceSession(
+    {
+      label: input.deviceLabel || "HermesPilot App",
+      platform: input.devicePlatform || "unknown"
+    },
+    paths
+  );
+  return {
+    link: {
+      link_id: identity.link_id,
+      display_name: defaultDisplayName()
+    },
+    device: formatDevice(session.device),
+    access_token: {
+      token: session.accessToken.token,
+      expires_at: session.accessToken.expiresAt
+    },
+    refresh_token: {
+      token: session.refreshToken.token,
+      expires_at: session.refreshToken.expiresAt
+    }
+  };
+}
+async function loadRequiredIdentity(paths) {
+  const identity = await loadIdentity(paths);
+  if (!identity?.link_id) {
+    throw new LinkHttpError(409, "link_not_paired", "Hermes Link is not paired");
+  }
+  return identity;
+}
+async function postServerJson(serverBaseUrl, path9, body) {
+  const response = await fetch(`${serverBaseUrl.replace(/\/+$/u, "")}${path9}`, {
+    method: "POST",
+    headers: {
+      accept: "application/json",
+      "content-type": "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  return readJsonResponse2(response);
+}
+async function patchServerJson(serverBaseUrl, path9, token, body) {
+  const response = await fetch(`${serverBaseUrl.replace(/\/+$/u, "")}${path9}`, {
+    method: "PATCH",
+    headers: {
+      accept: "application/json",
+      authorization: `Bearer ${token}`,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  return readJsonResponse2(response);
+}
+async function readJsonResponse2(response) {
+  const payload = await response.json().catch(() => null);
+  if (!response.ok || !payload) {
+    const message = readErrorMessage3(payload) ?? `HermesPilot Server request failed with HTTP ${response.status}`;
+    throw new LinkHttpError(response.status, "server_request_failed", message);
+  }
+  return payload;
+}
+function readErrorMessage3(payload) {
+  if (typeof payload !== "object" || payload === null) {
+    return null;
+  }
+  const error = payload.error;
+  if (typeof error !== "object" || error === null) {
+    return null;
+  }
+  const message = error.message;
+  return typeof message === "string" ? message : null;
+}
+function defaultDisplayName() {
+  return `Hermes Link ${process.platform}`;
+}
+function pairingClaimPath(sessionId, paths) {
+  return path7.join(paths.pairingDir, `${Buffer.from(sessionId).toString("base64url")}.claimed.json`);
+}
+function qrPreferredUrls(routes) {
+  return routes.preferredUrls.filter((url) => !url.includes("/api/v1/relay/links/")).slice(0, 1);
+}
+function formatDevice(device) {
+  return {
+    id: device.id,
+    device_id: device.device_id,
+    label: device.label,
+    platform: device.platform,
+    scope: device.scope
+  };
+}
+
+// src/security/app-connect-token.ts
+import { createPublicKey, verify } from "crypto";
+var cachedJwks = null;
+async function verifyAppConnectToken(token, options) {
+  const segments = token.split(".");
+  if (segments.length !== 3) {
+    throw new LinkHttpError(401, "app_connect_token_invalid", "App connect token is malformed");
+  }
+  const [encodedHeader, encodedPayload, encodedSignature] = segments;
+  const header = decodeJson2(encodedHeader);
+  const payload = decodeJson2(encodedPayload);
+  if (header.alg !== "ES256" || header.typ !== "JWT") {
+    throw new LinkHttpError(401, "app_connect_token_invalid", "App connect token algorithm is unsupported");
+  }
+  if (payload.token_type !== "hermes_app_connect" || payload.iss !== options.config.appConnectTokenIssuer || payload.aud !== options.config.appConnectTokenAudience || payload.link_id !== options.linkId || !Number.isFinite(payload.exp) || payload.exp <= Math.floor(Date.now() / 1e3)) {
+    throw new LinkHttpError(401, "app_connect_token_invalid", "App connect token claims are invalid");
+  }
+  const jwks = await getJwks(options.config, options.fetchImpl ?? fetch);
+  const key = jwks.find((item) => item.kid === header.kid) ?? jwks[0];
+  if (!key) {
+    throw new LinkHttpError(503, "app_connect_jwks_unavailable", "App connect token key is unavailable");
+  }
+  const publicKey = createPublicKey({ key, format: "jwk" });
+  const ok = verify(
+    "sha256",
+    Buffer.from(`${encodedHeader}.${encodedPayload}`),
+    { key: publicKey, dsaEncoding: "ieee-p1363" },
+    Buffer.from(base64UrlToBase64(encodedSignature), "base64")
+  );
+  if (!ok) {
+    throw new LinkHttpError(401, "app_connect_token_invalid", "App connect token signature is invalid");
+  }
+  return payload;
+}
+async function getJwks(config, fetcher) {
+  if (cachedJwks && cachedJwks.expiresAt > Date.now()) {
+    return cachedJwks.keys;
+  }
+  const response = await fetcher(`${config.serverBaseUrl.replace(/\/+$/u, "")}/api/v1/app-connect/jwks.json`, {
+    headers: { accept: "application/json" }
+  });
+  if (!response.ok) {
+    throw new LinkHttpError(503, "app_connect_jwks_unavailable", "Unable to load app connect JWKS");
+  }
+  const payload = await response.json();
+  const keys = Array.isArray(payload.keys) ? payload.keys : [];
+  cachedJwks = {
+    keys,
+    expiresAt: Date.now() + 5 * 60 * 1e3
+  };
+  return keys;
+}
+function decodeJson2(value) {
+  return JSON.parse(Buffer.from(base64UrlToBase64(value), "base64").toString("utf8"));
+}
+function base64UrlToBase64(value) {
+  const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
+  return normalized + "=".repeat((4 - normalized.length % 4) % 4);
+}
+
+// src/runtime/logger.ts
+import { appendFile as appendFile2, mkdir as mkdir7, open as open3, readFile as readFile4, rename as rename3, rm as rm5, stat as stat3 } from "fs/promises";
+import path8 from "path";
+var DEFAULT_LOG_FILE = "hermeslink.log";
+var DEFAULT_MAX_FILE_BYTES = 1024 * 1024;
+var DEFAULT_MAX_FILES = 5;
+var DEFAULT_READ_LIMIT = 200;
+var MAX_READ_LIMIT = 1e3;
+var DEFAULT_MAX_BYTES_PER_FILE = 512 * 1024;
+var FileLogger = class {
+  filePath;
+  paths;
+  maxFileBytes;
+  maxFiles;
+  now;
+  queue = Promise.resolve();
+  constructor(options = {}) {
+    this.paths = options.paths ?? resolveRuntimePaths();
+    this.filePath = getLinkLogFile(this.paths, options.fileName);
+    this.maxFileBytes = Math.max(256, Math.floor(options.maxFileBytes ?? DEFAULT_MAX_FILE_BYTES));
+    this.maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+  }
+  debug(message, fields) {
+    return this.write("debug", message, fields);
+  }
+  info(message, fields) {
+    return this.write("info", message, fields);
+  }
+  warn(message, fields) {
+    return this.write("warn", message, fields);
+  }
+  error(message, fields) {
+    return this.write("error", message, fields);
+  }
+  write(level, message, fields) {
+    const entry = {
+      ts: this.now().toISOString(),
+      level,
+      message,
+      ...fields ? { fields: sanitizeFields(fields) } : {}
+    };
+    const next = this.queue.then(() => this.appendEntry(entry)).catch(() => void 0);
+    this.queue = next;
+    return next;
+  }
+  flush() {
+    return this.queue;
+  }
+  async appendEntry(entry) {
+    await mkdir7(this.paths.logsDir, { recursive: true, mode: 448 });
+    const line = `${JSON.stringify(entry)}
+`;
+    await this.rotateIfNeeded(Buffer.byteLength(line, "utf8"));
+    await appendFile2(this.filePath, line, { mode: 384 });
+  }
+  async rotateIfNeeded(nextBytes) {
+    const current = await stat3(this.filePath).catch(() => null);
+    if (!current || current.size === 0 || current.size + nextBytes <= this.maxFileBytes) {
+      return;
+    }
+    if (this.maxFiles === 0) {
+      await rm5(this.filePath, { force: true }).catch(() => void 0);
+      return;
+    }
+    await rm5(rotatedLogFile(this.filePath, this.maxFiles), { force: true }).catch(() => void 0);
+    for (let index = this.maxFiles - 1; index >= 1; index -= 1) {
+      await moveIfExists(rotatedLogFile(this.filePath, index), rotatedLogFile(this.filePath, index + 1));
+    }
+    await moveIfExists(this.filePath, rotatedLogFile(this.filePath, 1));
+  }
+};
+function createFileLogger(options = {}) {
+  return new FileLogger(options);
+}
+function getLinkLogFile(paths = resolveRuntimePaths(), fileName = DEFAULT_LOG_FILE) {
+  return path8.join(paths.logsDir, fileName);
+}
+async function readRecentLogEntries(options = {}) {
+  const paths = options.paths ?? resolveRuntimePaths();
+  const filePath = getLinkLogFile(paths, options.fileName);
+  const limit = clampLimit(options.limit);
+  const maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
+  const maxBytesPerFile = Math.max(1024, Math.floor(options.maxBytesPerFile ?? DEFAULT_MAX_BYTES_PER_FILE));
+  const files = [filePath, ...Array.from({ length: maxFiles }, (_, index) => rotatedLogFile(filePath, index + 1))];
+  const entries = [];
+  for (const file of files) {
+    const raw = await readTail(file, maxBytesPerFile);
+    if (!raw) {
+      continue;
+    }
+    const lines = raw.split(/\r?\n/u).filter(Boolean);
+    for (let index = lines.length - 1; index >= 0 && entries.length < limit; index -= 1) {
+      const entry = parseLogLine(lines[index]);
+      if (entry) {
+        entries.push(entry);
+      }
+    }
+    if (entries.length >= limit) {
+      break;
+    }
+  }
+  return entries.reverse();
+}
+function clampLimit(value) {
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    return DEFAULT_READ_LIMIT;
+  }
+  return Math.min(MAX_READ_LIMIT, Math.max(1, Math.floor(value)));
+}
+function sanitizeFields(fields) {
+  return sanitizeObject(fields, 0);
+}
+function sanitizeValue(value, depth) {
+  if (value === null || typeof value === "boolean") {
+    return value;
+  }
+  if (typeof value === "number") {
+    return Number.isFinite(value) ? value : null;
+  }
+  if (typeof value === "string") {
+    return value.length > 2e3 ? `${value.slice(0, 2e3)}...` : value;
+  }
+  if (Array.isArray(value)) {
+    if (depth >= 3) {
+      return "[array]";
+    }
+    return value.slice(0, 20).map((item) => sanitizeValue(item, depth + 1));
+  }
+  if (typeof value === "object" && value !== null) {
+    if (depth >= 3) {
+      return "[object]";
+    }
+    return sanitizeObject(value, depth + 1);
+  }
+  return String(value);
+}
+function sanitizeObject(value, depth) {
+  const result = {};
+  for (const [key, child] of Object.entries(value).slice(0, 50)) {
+    if (isSensitiveKey(key)) {
+      result[key] = "[redacted]";
+      continue;
+    }
+    result[key] = sanitizeValue(child, depth);
+  }
+  return result;
+}
+function isSensitiveKey(key) {
+  return /(authorization|cookie|token|secret|password|private[_-]?key|api[_-]?key)/iu.test(key);
+}
+function parseLogLine(line) {
+  try {
+    const value = JSON.parse(line);
+    if (!value || typeof value.ts !== "string" || !isLogLevel(value.level) || typeof value.message !== "string") {
+      return null;
+    }
+    return {
+      ts: value.ts,
+      level: value.level,
+      message: value.message,
+      ...value.fields && typeof value.fields === "object" ? { fields: value.fields } : {}
+    };
+  } catch {
+    return null;
+  }
+}
+function isLogLevel(value) {
+  return value === "debug" || value === "info" || value === "warn" || value === "error";
+}
+async function readTail(filePath, maxBytes) {
+  const info = await stat3(filePath).catch(() => null);
+  if (!info || info.size <= 0) {
+    return null;
+  }
+  if (info.size <= maxBytes) {
+    return await readFile4(filePath, "utf8").catch(() => null);
+  }
+  const handle = await open3(filePath, "r").catch(() => null);
+  if (!handle) {
+    return null;
+  }
+  try {
+    const length = Math.min(info.size, maxBytes);
+    const buffer = Buffer.alloc(length);
+    await handle.read(buffer, 0, length, info.size - length);
+    return buffer.toString("utf8");
+  } finally {
+    await handle.close();
+  }
+}
+async function moveIfExists(from, to) {
+  await rm5(to, { force: true }).catch(() => void 0);
+  await rename3(from, to).catch((error) => {
+    if (error.code !== "ENOENT") {
+      throw error;
+    }
+  });
+}
+function rotatedLogFile(filePath, index) {
+  return `${filePath}.${index}`;
+}
+
+// src/http/app.ts
+var MAX_JSON_BODY_BYTES = 1024 * 1024;
+var MAX_BLOB_UPLOAD_BYTES = 50 * 1024 * 1024;
+async function createApp(options = {}) {
+  const paths = options.paths ?? resolveRuntimePaths();
+  const logger = options.logger ?? createFileLogger({ paths });
+  const conversations = new ConversationService(paths, logger);
+  const app = new Koa();
+  const router = new Router();
+  app.use(async (ctx, next) => {
+    const startedAt = Date.now();
+    try {
+      await next();
+    } catch (error) {
+      const profileError = error instanceof Error && error.message === "invalid profile name";
+      const status = isLinkHttpError(error) ? error.status : profileError ? 400 : 500;
+      ctx.status = status;
+      ctx.body = {
+        ok: false,
+        error: {
+          code: isLinkHttpError(error) ? error.code : status === 400 ? "invalid_profile_name" : "internal_error",
+          message: error instanceof Error ? error.message : "Internal error"
+        }
+      };
+      void logger.write(status >= 500 ? "error" : "warn", "http_request_failed", {
+        method: ctx.method,
+        path: ctx.path,
+        status,
+        code: isLinkHttpError(error) ? error.code : status === 400 ? "invalid_profile_name" : "internal_error",
+        error: error instanceof Error ? error.message : String(error)
+      });
+    } finally {
+      void logger.info("http_request", {
+        method: ctx.method,
+        path: ctx.path,
+        status: ctx.status,
+        duration_ms: Date.now() - startedAt
+      });
+    }
+  });
+  router.get("/api/v1/bootstrap", async (ctx) => {
+    const [identity, config] = await Promise.all([loadIdentity(paths), loadConfig(paths)]);
+    const routes = identity?.link_id ? await discoverRouteCandidates({
+      port: config.port,
+      relayBaseUrl: config.relayBaseUrl,
+      linkId: identity.link_id,
+      installId: identity.install_id,
+      publicKeyPem: identity.public_key_pem
+    }) : null;
+    ctx.set("cache-control", "no-store");
+    ctx.body = {
+      link_id: identity?.link_id ?? null,
+      display_name: identity?.link_id ? "Hermes Link" : "Unpaired Hermes Link",
+      version: LINK_VERSION,
+      api_version: 1,
+      paired: Boolean(identity?.link_id),
+      pairing_supported: Boolean(identity?.link_id),
+      preferred_pairing_urls: routes?.preferredUrls ?? [],
+      routes: routes ? routeObjects(routes.preferredUrls) : [],
+      capabilities: {
+        runs: true,
+        sse: true,
+        relay: true,
+        profiles: true,
+        logs: true,
+        conversations: true,
+        conversation_delete: true,
+        blobs: true
+      }
+    };
+  });
+  router.post("/api/v1/pairing/claim", async (ctx) => {
+    const body = await readJsonBody(ctx.req);
+    const sessionId = readString3(body, "session_id") ?? readString3(body, "sessionId");
+    const claimToken = readString3(body, "claim_token") ?? readString3(body, "claimToken");
+    if (!sessionId || !claimToken) {
+      throw new LinkHttpError(400, "pairing_claim_invalid", "session_id and claim_token are required");
+    }
+    const claimed = await claimPairing({
+      sessionId,
+      claimToken,
+      deviceLabel: readString3(body, "device_label") ?? readString3(body, "deviceLabel") ?? "HermesPilot App",
+      devicePlatform: readString3(body, "device_platform") ?? readString3(body, "devicePlatform") ?? "unknown",
+      paths
+    });
+    ctx.body = claimed;
+    void logger.info("pairing_claimed", {
+      device_id: claimed.device.device_id,
+      device_platform: claimed.device.platform
+    });
+    const timer = setTimeout(() => {
+      void recordPairingClaim(
+        {
+          sessionId,
+          deviceId: claimed.device.device_id,
+          deviceLabel: claimed.device.label,
+          devicePlatform: claimed.device.platform
+        },
+        paths
+      ).catch((error) => {
+        void logger.warn("pairing_claim_record_failed", {
+          session_id: sessionId,
+          error: error instanceof Error ? error.message : String(error)
+        });
+      });
+      void options.onPairingClaimed?.();
+    }, 250);
+    timer.unref?.();
+  });
+  router.get("/api/v1/auth/me", async (ctx) => {
+    const auth = await authenticateRequest(ctx, paths);
+    const identity = await loadRequiredIdentity2(paths);
+    ctx.body = {
+      ok: true,
+      auth: { kind: auth.kind, account_id: auth.accountId ?? null },
+      link: {
+        link_id: identity.link_id,
+        display_name: "Hermes Link"
+      },
+      device: auth.device ? {
+        id: auth.device.id,
+        device_id: auth.device.id,
+        label: auth.device.label,
+        platform: auth.device.platform,
+        scope: auth.device.scope
+      } : null
+    };
+  });
+  router.post("/api/v1/auth/refresh", async (ctx) => {
+    const body = await readJsonBody(ctx.req);
+    const refreshToken = readString3(body, "refresh_token") ?? readString3(body, "refreshToken");
+    if (!refreshToken) {
+      throw new LinkHttpError(400, "refresh_token_required", "refresh_token is required");
+    }
+    const session = await refreshDeviceSession(refreshToken, paths);
+    ctx.body = {
+      ok: true,
+      device: session.device,
+      access_token: {
+        token: session.accessToken.token,
+        expires_at: session.accessToken.expiresAt
+      },
+      refresh_token: {
+        token: session.refreshToken.token,
+        expires_at: session.refreshToken.expiresAt
+      }
+    };
+  });
+  router.post("/api/v1/auth/logout", async (ctx) => {
+    const body = await readJsonBody(ctx.req);
+    const refreshToken = readString3(body, "refresh_token") ?? readString3(body, "refreshToken");
+    if (refreshToken) {
+      await revokeDeviceRefreshToken(refreshToken, paths);
+    }
+    ctx.body = { ok: true };
+  });
+  router.get("/api/v1/status", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    const [identity, config] = await Promise.all([loadIdentity(paths), loadConfig(paths)]);
+    ctx.body = {
+      ok: true,
+      version: LINK_VERSION,
+      paired: Boolean(identity?.link_id),
+      link_id: identity?.link_id ?? null,
+      port: config.port
+    };
+  });
+  router.get("/api/v1/logs", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    ctx.set("cache-control", "no-store");
+    ctx.body = {
+      ok: true,
+      logs: await readRecentLogEntries({
+        paths,
+        limit: readLimit(ctx.query.limit)
+      })
+    };
+  });
+  router.get("/api/v1/models", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    ctx.body = await listHermesModels();
+  });
+  router.get("/api/v1/conversations", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    ctx.set("cache-control", "no-store");
+    ctx.body = {
+      ok: true,
+      conversations: await conversations.listConversations()
+    };
+  });
+  router.post("/api/v1/conversations", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    const body = await readJsonBody(ctx.req);
+    ctx.status = 201;
+    ctx.body = {
+      ok: true,
+      conversation: await conversations.createConversation({
+        title: readString3(body, "title") ?? void 0
+      })
+    };
+  });
+  router.get("/api/v1/conversations/:conversationId/messages", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    ctx.set("cache-control", "no-store");
+    const result = await conversations.getMessages(ctx.params.conversationId);
+    ctx.body = {
+      ok: true,
+      conversation_id: ctx.params.conversationId,
+      ...result
+    };
+  });
+  router.get("/api/v1/conversations/:conversationId/events", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    const after = readInteger(ctx.query.after) ?? 0;
+    const history = await conversations.listEvents(ctx.params.conversationId, after);
+    ctx.respond = false;
+    const response = ctx.res;
+    response.statusCode = 200;
+    response.setHeader("content-type", "text/event-stream; charset=utf-8");
+    response.setHeader("cache-control", "no-store");
+    response.setHeader("connection", "keep-alive");
+    for (const event of history) {
+      writeSseEvent(response, event);
+    }
+    const unsubscribe = conversations.subscribe(ctx.params.conversationId, (event) => {
+      writeSseEvent(response, event);
+    });
+    const cleanup = () => {
+      unsubscribe();
+      response.end();
+    };
+    ctx.req.on("close", cleanup);
+  });
+  router.post("/api/v1/conversations/:conversationId/messages", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    const body = await readJsonBody(ctx.req);
+    const content = readString3(body, "content") ?? readString3(body, "text") ?? readString3(body, "input") ?? "";
+    const attachments = readMessageAttachments(body.attachments ?? body.blobs);
+    if (!content && attachments.length === 0) {
+      throw new LinkHttpError(400, "message_content_required", "message content is required");
+    }
+    ctx.status = 202;
+    ctx.body = {
+      ok: true,
+      ...await conversations.sendMessage({
+        conversationId: ctx.params.conversationId,
+        content,
+        attachments,
+        clientMessageId: readString3(body, "client_message_id") ?? readString3(body, "clientMessageId") ?? void 0,
+        idempotencyKey: readHeader(ctx, "idempotency-key") ?? void 0
+      })
+    };
+  });
+  router.post("/api/v1/conversations/:conversationId/ack", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    ctx.body = { ok: true };
+  });
+  router.delete("/api/v1/conversations/:conversationId", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    ctx.body = {
+      ok: true,
+      ...await conversations.deleteConversation(ctx.params.conversationId),
+      blob_gc_completed: true
+    };
+  });
+  router.post("/api/v1/conversations/:conversationId/blobs", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    const bytes = await readRawBody(ctx.req, MAX_BLOB_UPLOAD_BYTES);
+    if (bytes.byteLength === 0) {
+      throw new LinkHttpError(400, "blob_empty", "Blob body is empty");
+    }
+    const blob = await conversations.writeBlob(ctx.params.conversationId, {
+      bytes,
+      filename: readHeader(ctx, "x-filename") ?? void 0,
+      mime: ctx.get("content-type") || void 0
+    });
+    ctx.status = 201;
+    ctx.body = { ok: true, blob };
+  });
+  router.get("/api/v1/conversations/:conversationId/blobs/:blobId", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    const blob = await conversations.readBlob(ctx.params.conversationId, ctx.params.blobId);
+    ctx.set("content-type", blob.mime);
+    ctx.set("content-length", String(blob.size));
+    ctx.set("cache-control", "private, max-age=86400");
+    ctx.set("content-disposition", `inline; filename="${blob.filename.replaceAll('"', "")}"`);
+    ctx.body = blob.bytes;
+  });
+  router.post("/api/v1/runs", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    const body = await readJsonBody(ctx.req);
+    const input = readString3(body, "input");
+    if (!input) {
+      throw new LinkHttpError(400, "run_input_required", "input is required");
+    }
+    ctx.status = 202;
+    ctx.body = await createHermesRun({
+      input,
+      conversation_history: readConversationHistory(body.conversation_history ?? body.conversationHistory),
+      session_id: readString3(body, "session_id") ?? readString3(body, "sessionId") ?? void 0
+    });
+  });
+  router.get("/api/v1/runs/:runId/events", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    const response = await streamHermesRunEvents(ctx.params.runId);
+    ctx.status = response.status;
+    for (const [key, value] of response.headers.entries()) {
+      ctx.set(key, value);
+    }
+    ctx.respond = false;
+    const nodeResponse = ctx.res;
+    nodeResponse.statusCode = response.status;
+    for (const [key, value] of response.headers.entries()) {
+      nodeResponse.setHeader(key, value);
+    }
+    if (response.body) {
+      Readable.fromWeb(response.body).pipe(nodeResponse);
+    } else {
+      nodeResponse.end();
+    }
+  });
+  router.post("/api/v1/runs/:runId/cancel", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    await cancelHermesRun(ctx.params.runId);
+    ctx.body = { ok: true };
+  });
+  router.get("/api/v1/profiles", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    ctx.set("cache-control", "no-store");
+    ctx.body = {
+      ok: true,
+      profiles: await listHermesProfiles()
+    };
+  });
+  router.get("/api/v1/profiles/:name/status", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    ctx.set("cache-control", "no-store");
+    ctx.body = {
+      ok: true,
+      profile: await getHermesProfileStatus(ctx.params.name)
+    };
+  });
+  router.post("/api/v1/profiles", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    const body = await readJsonBody(ctx.req);
+    const name = readProfileName(body);
+    ctx.status = 201;
+    ctx.body = {
+      ok: true,
+      profile: await createHermesProfile(name)
+    };
+  });
+  router.post("/api/v1/profiles/:name/use", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    ctx.body = {
+      ok: true,
+      profile: await useHermesProfile(ctx.params.name)
+    };
+  });
+  router.patch("/api/v1/profiles/:name", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    const body = await readJsonBody(ctx.req);
+    const name = readProfileName(body);
+    ctx.body = {
+      ok: true,
+      profile: await renameHermesProfile(ctx.params.name, name)
+    };
+  });
+  router.delete("/api/v1/profiles/:name", async (ctx) => {
+    await authenticateRequest(ctx, paths);
+    await deleteHermesProfile(ctx.params.name);
+    ctx.status = 204;
+  });
+  app.use(router.routes());
+  app.use(router.allowedMethods());
+  return app;
+}
+async function readJsonBody(request) {
+  const raw = await readRawBody(request, MAX_JSON_BODY_BYTES);
+  if (raw.byteLength === 0) {
+    return {};
+  }
+  try {
+    return JSON.parse(Buffer.from(raw).toString("utf8"));
+  } catch {
+    throw new LinkHttpError(400, "invalid_json", "Request body must be valid JSON");
+  }
+}
+async function readRawBody(request, maxBytes) {
+  const chunks = [];
+  let totalBytes = 0;
+  for await (const chunk of request) {
+    const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    totalBytes += buffer.byteLength;
+    if (totalBytes > maxBytes) {
+      throw new LinkHttpError(413, "request_body_too_large", "Request body is too large");
+    }
+    chunks.push(buffer);
+  }
+  return Buffer.concat(chunks);
+}
+function readProfileName(body) {
+  if (typeof body.name !== "string") {
+    throw new Error("invalid profile name");
+  }
+  return body.name;
+}
+async function authenticateRequest(ctx, paths) {
+  const token = readBearerToken(ctx.get("authorization"));
+  if (!token) {
+    throw new LinkHttpError(401, "auth_required", "Authorization bearer token is required");
+  }
+  const device = await authenticateDeviceAccessToken(token, paths);
+  if (device) {
+    return { kind: "device", device };
+  }
+  const [identity, config] = await Promise.all([loadRequiredIdentity2(paths), loadConfig(paths)]);
+  const claims = await verifyAppConnectToken(token, {
+    config,
+    linkId: identity.link_id
+  });
+  return { kind: "app-connect", accountId: claims.sub };
+}
+async function loadRequiredIdentity2(paths) {
+  const identity = await loadIdentity(paths);
+  if (!identity?.link_id) {
+    throw new LinkHttpError(409, "link_not_paired", "Hermes Link is not paired");
+  }
+  return identity;
+}
+function readBearerToken(value) {
+  const trimmed = value.trim();
+  if (!trimmed.toLowerCase().startsWith("bearer ")) {
+    return null;
+  }
+  const token = trimmed.slice(7).trim();
+  return token || null;
+}
+function readString3(body, key) {
+  const value = body[key];
+  return typeof value === "string" && value.trim() ? value.trim() : null;
+}
+function readLimit(value) {
+  const raw = Array.isArray(value) ? value[0] : value;
+  if (typeof raw !== "string") {
+    return void 0;
+  }
+  const parsed = Number.parseInt(raw, 10);
+  return Number.isFinite(parsed) ? parsed : void 0;
+}
+function readInteger(value) {
+  const raw = Array.isArray(value) ? value[0] : value;
+  if (typeof raw !== "string") {
+    return void 0;
+  }
+  const parsed = Number.parseInt(raw, 10);
+  return Number.isFinite(parsed) ? Math.max(0, parsed) : void 0;
+}
+function readHeader(ctx, name) {
+  const value = ctx.get(name).trim();
+  return value ? value : null;
+}
+function writeSseEvent(response, event) {
+  response.write(`event: ${event.type}
+`);
+  response.write(`data: ${JSON.stringify(event)}
+
+`);
+}
+function readConversationHistory(value) {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+  return value.map((item) => {
+    if (typeof item !== "object" || item === null) {
+      return null;
+    }
+    const role = item.role;
+    const content = item.content;
+    if (typeof role !== "string" || typeof content !== "string") {
+      return null;
+    }
+    return { role, content };
+  }).filter((item) => Boolean(item));
+}
+function readMessageAttachments(value) {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+  return value.map((item) => {
+    if (typeof item === "string" && item.trim()) {
+      return { blob_id: item.trim() };
+    }
+    if (typeof item !== "object" || item === null) {
+      return null;
+    }
+    const record = item;
+    const blobId = typeof record.blob_id === "string" ? record.blob_id.trim() : typeof record.blobId === "string" ? record.blobId.trim() : "";
+    return blobId ? { blob_id: blobId } : null;
+  }).filter((item) => Boolean(item));
+}
+function routeObjects(urls) {
+  return urls.map((url) => ({
+    kind: url.includes("/api/v1/relay/links/") ? "relay" : "lan",
+    url,
+    observed_at: (/* @__PURE__ */ new Date()).toISOString()
+  }));
+}
+
+export {
+  LINK_VERSION,
+  LINK_COMMAND,
+  resolveRuntimePaths,
+  loadConfig,
+  ensureHermesApiServerConfig,
+  ensureHermesApiServerAvailable,
+  loadIdentity,
+  ensureIdentity,
+  getIdentityStatus,
+  preparePairing,
+  readPairingClaim,
+  clearPairingClaim,
+  createFileLogger,
+  getLinkLogFile,
+  createApp
+};
+//# sourceMappingURL=chunk-SCIAZZ4C.js.map