@hermespilot/link 0.1.5 → 0.1.7

package/dist/chunk-E54NSFGF.js

@@ -1,1652 +0,0 @@
-// src/http/app.ts
-import Koa from "koa";
-import Router from "@koa/router";
-import { Readable } from "stream";
-
-// src/constants.ts
-var LINK_VERSION = "0.1.5";
-var LINK_COMMAND = "hermeslink";
-var LINK_DEFAULT_PORT = 52379;
-var LINK_RUNTIME_DIR_NAME = ".hermeslink";
-
-// src/runtime/paths.ts
-import os from "os";
-import path from "path";
-function resolveRuntimeHome() {
-  return process.env.HERMESLINK_HOME?.trim() ? path.resolve(process.env.HERMESLINK_HOME) : path.join(os.homedir(), LINK_RUNTIME_DIR_NAME);
-}
-function resolveRuntimePaths(homeDir = resolveRuntimeHome()) {
-  return {
-    homeDir,
-    identityFile: path.join(homeDir, "identity.json"),
-    configFile: path.join(homeDir, "config.json"),
-    stateFile: path.join(homeDir, "state.json"),
-    credentialsFile: path.join(homeDir, "credentials.json"),
-    databaseFile: path.join(homeDir, "link.db"),
-    logsDir: path.join(homeDir, "logs"),
-    runDir: path.join(homeDir, "run"),
-    pairingDir: path.join(homeDir, "pairing")
-  };
-}
-
-// src/storage/atomic-json.ts
-import { mkdir, open, readFile, rename, rm } from "fs/promises";
-import path2 from "path";
-async function readJsonFile(filePath) {
-  try {
-    const raw = await readFile(filePath, "utf8");
-    return JSON.parse(raw);
-  } catch (error) {
-    if (isNodeError(error, "ENOENT")) {
-      return null;
-    }
-    throw error;
-  }
-}
-async function writeJsonFile(filePath, value, mode = 384) {
-  await mkdir(path2.dirname(filePath), { recursive: true, mode: 448 });
-  const tmpPath = `${filePath}.${process.pid}.${Date.now()}.tmp`;
-  const payload = `${JSON.stringify(value, null, 2)}
-`;
-  const handle = await open(tmpPath, "w", mode);
-  try {
-    await handle.writeFile(payload, "utf8");
-    await handle.sync();
-  } finally {
-    await handle.close();
-  }
-  try {
-    await rename(tmpPath, filePath);
-  } catch (error) {
-    await rm(tmpPath, { force: true });
-    throw error;
-  }
-}
-function isNodeError(error, code) {
-  return typeof error === "object" && error !== null && "code" in error && error.code === code;
-}
-
-// src/config/config.ts
-var defaultLinkConfig = {
-  port: LINK_DEFAULT_PORT,
-  serverBaseUrl: "https://hermes-server.clawpilot.me",
-  relayBaseUrl: "https://hermes-relay.clawpilot.me",
-  appConnectTokenIssuer: "https://hermes-server.clawpilot.me",
-  appConnectTokenAudience: "hermes-link",
-  language: "auto"
-};
-async function loadConfig(paths = resolveRuntimePaths()) {
-  const existing = await readJsonFile(paths.configFile);
-  const language = normalizeConfiguredLanguage(existing?.language);
-  return {
-    ...defaultLinkConfig,
-    ...existing ?? {},
-    language
-  };
-}
-function normalizeConfiguredLanguage(language) {
-  if (language === "zh-CN" || language === "en" || language === "auto") {
-    return language;
-  }
-  return defaultLinkConfig.language;
-}
-
-// src/http/errors.ts
-var LinkHttpError = class extends Error {
-  constructor(status, code, message) {
-    super(message);
-    this.status = status;
-    this.code = code;
-  }
-  status;
-  code;
-};
-function isLinkHttpError(error) {
-  return error instanceof LinkHttpError;
-}
-
-// src/hermes/api-server.ts
-import { randomUUID } from "crypto";
-
-// src/hermes/config.ts
-import { randomBytes } from "crypto";
-import { copyFile, mkdir as mkdir2, readFile as readFile2, writeFile } from "fs/promises";
-import os2 from "os";
-import path3 from "path";
-import YAML from "yaml";
-function resolveHermesProfileDir(profileName = "default") {
-  if (profileName === "default") {
-    return path3.join(os2.homedir(), ".hermes");
-  }
-  return path3.join(os2.homedir(), ".hermes", "profiles", profileName);
-}
-function resolveHermesConfigPath(profileName = "default") {
-  return path3.join(resolveHermesProfileDir(profileName), "config.yaml");
-}
-async function readHermesApiServerConfig(profileName = "default", configPath = resolveHermesConfigPath(profileName)) {
-  const existingRaw = await readFile2(configPath, "utf8").catch((error) => {
-    if (isNodeError2(error, "ENOENT")) {
-      return null;
-    }
-    throw error;
-  });
-  if (!existingRaw) {
-    return {};
-  }
-  const config = toRecord(YAML.parse(existingRaw));
-  const platforms = toRecord(config.platforms);
-  const apiServer = toRecord(platforms.api_server);
-  return readApiServerConfig(toRecord(apiServer.extra));
-}
-async function ensureHermesApiServerKey(profileName = "default", configPath = resolveHermesConfigPath(profileName)) {
-  const existingRaw = await readFile2(configPath, "utf8").catch((error) => {
-    if (isNodeError2(error, "ENOENT")) {
-      return null;
-    }
-    throw error;
-  });
-  const document = existingRaw ? YAML.parseDocument(existingRaw) : new YAML.Document({});
-  const config = toRecord(document.toJSON());
-  const platforms = ensureRecord(config, "platforms");
-  const apiServer = ensureRecord(platforms, "api_server");
-  const extra = ensureRecord(apiServer, "extra");
-  const beforeKey = typeof extra.key === "string" && extra.key.length > 0 ? extra.key : null;
-  let changed = false;
-  if (!beforeKey) {
-    extra.key = randomBytes(32).toString("base64url");
-    changed = true;
-  }
-  if (!changed) {
-    return {
-      configPath,
-      apiServer: readApiServerConfig(extra),
-      changed: false,
-      keyAdded: false,
-      backupPath: null,
-      notice: null
-    };
-  }
-  const backupPath = existingRaw ? `${configPath}.bak.${Date.now()}` : null;
-  await mkdir2(path3.dirname(configPath), { recursive: true, mode: 448 });
-  if (backupPath) {
-    await copyFile(configPath, backupPath);
-  }
-  document.contents = document.createNode(config);
-  await writeFile(configPath, document.toString(), { mode: 384 });
-  return {
-    configPath,
-    apiServer: readApiServerConfig(extra),
-    changed: true,
-    keyAdded: true,
-    backupPath,
-    notice: "\u5DF2\u4E3A Hermes API Server \u81EA\u52A8\u8865\u5145 key\uFF1B\u672A\u8986\u76D6\u5DF2\u6709 port/host/key\u3002"
-  };
-}
-function readApiServerConfig(extra) {
-  return {
-    host: typeof extra.host === "string" ? extra.host : void 0,
-    port: typeof extra.port === "number" ? extra.port : void 0,
-    key: typeof extra.key === "string" ? extra.key : void 0
-  };
-}
-function toRecord(value) {
-  return typeof value === "object" && value !== null ? value : {};
-}
-function ensureRecord(parent, key) {
-  const value = parent[key];
-  if (typeof value === "object" && value !== null && !Array.isArray(value)) {
-    return value;
-  }
-  const next = {};
-  parent[key] = next;
-  return next;
-}
-function isNodeError2(error, code) {
-  return typeof error === "object" && error !== null && "code" in error && error.code === code;
-}
-
-// src/hermes/api-server.ts
-var fallbackRuns = /* @__PURE__ */ new Map();
-async function listHermesModels(options = {}) {
-  const response = await callHermesApi("/v1/models", { method: "GET" }, options);
-  if (response.status === 404) {
-    return { models: [] };
-  }
-  return await readJsonResponse(response);
-}
-async function createHermesRun(input, options = {}) {
-  const response = await callHermesApi(
-    "/v1/runs",
-    {
-      method: "POST",
-      body: JSON.stringify(input),
-      headers: { "content-type": "application/json" }
-    },
-    options
-  );
-  if (response.status === 404 || response.status === 503) {
-    const runId2 = `run_${randomUUID().replaceAll("-", "")}`;
-    fallbackRuns.set(runId2, { input: input.input, createdAt: (/* @__PURE__ */ new Date()).toISOString() });
-    return { run_id: runId2, fallback: true };
-  }
-  const payload = await readJsonResponse(response);
-  const runId = readString(payload, "run_id") ?? readString(payload, "runId") ?? readString(payload, "id");
-  if (!runId) {
-    throw new LinkHttpError(502, "hermes_run_invalid", "Hermes API Server did not return a run id");
-  }
-  return { run_id: runId, fallback: false };
-}
-async function streamHermesRunEvents(runId, options = {}) {
-  const fallback = fallbackRuns.get(runId);
-  if (fallback) {
-    fallbackRuns.delete(runId);
-    return new Response(createFallbackSseStream(fallback.input), {
-      headers: {
-        "content-type": "text/event-stream; charset=utf-8",
-        "cache-control": "no-store"
-      }
-    });
-  }
-  const response = await callHermesApi(`/v1/runs/${encodeURIComponent(runId)}/events`, { method: "GET" }, options);
-  if (!response.ok || !response.body) {
-    throw new LinkHttpError(502, "hermes_events_unavailable", "Hermes run event stream is unavailable");
-  }
-  return new Response(response.body, {
-    status: response.status,
-    headers: {
-      "content-type": response.headers.get("content-type") ?? "text/event-stream; charset=utf-8",
-      "cache-control": "no-store"
-    }
-  });
-}
-async function cancelHermesRun(runId, options = {}) {
-  const response = await callHermesApi(
-    `/v1/runs/${encodeURIComponent(runId)}/cancel`,
-    { method: "POST" },
-    options
-  );
-  if (!response.ok && response.status !== 404) {
-    throw new LinkHttpError(502, "hermes_cancel_failed", "Hermes run cancel failed");
-  }
-  fallbackRuns.delete(runId);
-}
-async function callHermesApi(path7, init, options) {
-  const config = await readHermesApiServerConfig();
-  if (!config.port || !config.key) {
-    return new Response(null, { status: 503 });
-  }
-  const fetcher = options.fetchImpl ?? fetch;
-  const headers = new Headers(init.headers);
-  headers.set("accept", headers.get("accept") ?? "application/json");
-  headers.set("x-api-key", config.key);
-  headers.set("authorization", `Bearer ${config.key}`);
-  return await fetcher(`http://127.0.0.1:${config.port}${path7}`, {
-    ...init,
-    headers
-  }).catch(() => new Response(null, { status: 503 }));
-}
-async function readJsonResponse(response) {
-  const payload = await response.json().catch(() => null);
-  if (!response.ok || typeof payload !== "object" || payload === null) {
-    throw new LinkHttpError(502, "hermes_response_invalid", "Hermes API Server returned an invalid response");
-  }
-  return payload;
-}
-function createFallbackSseStream(input) {
-  const encoder = new TextEncoder();
-  return new ReadableStream({
-    start(controller) {
-      const message = `Hermes API Server is not running yet. Link received: ${input}`;
-      controller.enqueue(encoder.encode(`event: message.delta
-data: ${JSON.stringify({ type: "message.delta", delta: message })}
-
-`));
-      controller.enqueue(encoder.encode(`event: run.completed
-data: ${JSON.stringify({ type: "run.completed" })}
-
-`));
-      controller.close();
-    }
-  });
-}
-function readString(payload, key) {
-  const value = payload[key];
-  return typeof value === "string" && value.trim() ? value.trim() : null;
-}
-
-// src/hermes/profiles.ts
-import { mkdir as mkdir3, readdir, rename as rename2, rm as rm2, stat } from "fs/promises";
-import os3 from "os";
-import path4 from "path";
-var DEFAULT_PROFILE = "default";
-var PROFILE_NAME_PATTERN = /^[a-zA-Z0-9._-]{1,64}$/;
-async function listHermesProfiles(paths = resolveRuntimePaths()) {
-  const activeProfile = await getActiveProfile(paths);
-  const profiles = /* @__PURE__ */ new Map();
-  profiles.set(DEFAULT_PROFILE, profileInfo(DEFAULT_PROFILE, activeProfile));
-  const profilesDir = path4.join(os3.homedir(), ".hermes", "profiles");
-  const entries = await readdir(profilesDir, { withFileTypes: true }).catch((error) => {
-    if (isNodeError3(error, "ENOENT")) {
-      return [];
-    }
-    throw error;
-  });
-  for (const entry of entries) {
-    if (entry.isDirectory() && PROFILE_NAME_PATTERN.test(entry.name)) {
-      profiles.set(entry.name, profileInfo(entry.name, activeProfile));
-    }
-  }
-  return [...profiles.values()].sort((left, right) => {
-    if (left.name === DEFAULT_PROFILE) {
-      return -1;
-    }
-    if (right.name === DEFAULT_PROFILE) {
-      return 1;
-    }
-    return left.name.localeCompare(right.name);
-  });
-}
-async function getHermesProfileStatus(name, paths = resolveRuntimePaths()) {
-  assertProfileName(name);
-  const profile = profileInfo(name, await getActiveProfile(paths));
-  const exists = await stat(profile.path).then((value) => value.isDirectory()).catch((error) => {
-    if (isNodeError3(error, "ENOENT")) {
-      return false;
-    }
-    throw error;
-  });
-  const config = await readHermesApiServerConfig(name, profile.configPath);
-  return {
-    ...profile,
-    exists,
-    apiKeyConfigured: Boolean(config.key)
-  };
-}
-async function createHermesProfile(name) {
-  assertProfileName(name);
-  if (name === DEFAULT_PROFILE) {
-    throw new Error("default profile already exists");
-  }
-  const profile = profileInfo(name, DEFAULT_PROFILE);
-  if (await pathExists(profile.path)) {
-    throw new Error("profile already exists");
-  }
-  await mkdir3(profile.path, { recursive: true, mode: 448 });
-  await ensureHermesApiServerKey(name, profile.configPath);
-  return profile;
-}
-async function useHermesProfile(name, paths = resolveRuntimePaths()) {
-  assertProfileName(name);
-  const profile = profileInfo(name, name);
-  await mkdir3(profile.path, { recursive: true, mode: 448 });
-  const current = await readJsonFile(paths.stateFile) ?? {};
-  await writeJsonFile(paths.stateFile, { ...current, activeProfile: name });
-  return profile;
-}
-async function renameHermesProfile(oldName, newName) {
-  assertMutableProfile(oldName);
-  assertMutableProfile(newName);
-  const oldProfile = profileInfo(oldName, DEFAULT_PROFILE);
-  const newProfile = profileInfo(newName, DEFAULT_PROFILE);
-  await rename2(oldProfile.path, newProfile.path);
-  return newProfile;
-}
-async function deleteHermesProfile(name) {
-  assertMutableProfile(name);
-  await rm2(resolveHermesProfileDir(name), { recursive: true, force: true });
-}
-async function getActiveProfile(paths) {
-  const state = await readJsonFile(paths.stateFile);
-  return typeof state?.activeProfile === "string" && PROFILE_NAME_PATTERN.test(state.activeProfile) ? state.activeProfile : DEFAULT_PROFILE;
-}
-function profileInfo(name, activeProfile) {
-  return {
-    name,
-    active: name === activeProfile,
-    path: resolveHermesProfileDir(name),
-    configPath: resolveHermesConfigPath(name)
-  };
-}
-function assertMutableProfile(name) {
-  assertProfileName(name);
-  if (name === DEFAULT_PROFILE) {
-    throw new Error("default profile cannot be renamed or deleted");
-  }
-}
-function assertProfileName(name) {
-  if (!PROFILE_NAME_PATTERN.test(name)) {
-    throw new Error("invalid profile name");
-  }
-}
-async function pathExists(targetPath) {
-  return await stat(targetPath).then(() => true).catch((error) => {
-    if (isNodeError3(error, "ENOENT")) {
-      return false;
-    }
-    throw error;
-  });
-}
-function isNodeError3(error, code) {
-  return typeof error === "object" && error !== null && "code" in error && error.code === code;
-}
-
-// src/identity/identity.ts
-import { generateKeyPairSync, randomUUID as randomUUID2, sign } from "crypto";
-import { mkdir as mkdir4, chmod } from "fs/promises";
-import { z } from "zod";
-var linkIdentitySchema = z.object({
-  install_id: z.string().min(1),
-  link_id: z.string().min(1).nullable().optional(),
-  public_key_pem: z.string().min(1),
-  private_key_pem: z.string().min(1),
-  created_at: z.string().min(1),
-  updated_at: z.string().min(1)
-});
-async function loadIdentity(paths = resolveRuntimePaths()) {
-  const value = await readJsonFile(paths.identityFile);
-  if (value === null) {
-    return null;
-  }
-  return linkIdentitySchema.parse(value);
-}
-async function ensureIdentity(paths = resolveRuntimePaths()) {
-  const existing = await loadIdentity(paths);
-  if (existing) {
-    return existing;
-  }
-  await mkdir4(paths.homeDir, { recursive: true, mode: 448 });
-  await chmod(paths.homeDir, 448).catch(() => void 0);
-  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const identity = {
-    install_id: `install_${randomUUID2().replaceAll("-", "")}`,
-    link_id: null,
-    public_key_pem: publicKey.export({ type: "spki", format: "pem" }).toString(),
-    private_key_pem: privateKey.export({ type: "pkcs8", format: "pem" }).toString(),
-    created_at: now,
-    updated_at: now
-  };
-  await writeJsonFile(paths.identityFile, identity);
-  return identity;
-}
-async function saveAssignedLinkId(linkId, paths = resolveRuntimePaths()) {
-  const identity = await ensureIdentity(paths);
-  const next = {
-    ...identity,
-    link_id: linkId,
-    updated_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  await writeJsonFile(paths.identityFile, next);
-  return next;
-}
-function signRelayNonce(identity, nonce) {
-  const signature = sign(null, Buffer.from(nonce, "utf8"), identity.private_key_pem);
-  return signature.toString("base64url");
-}
-function getIdentityStatus(identity) {
-  return {
-    installId: identity.install_id,
-    linkId: identity.link_id ?? null,
-    hasPrivateKey: identity.private_key_pem.trim().length > 0,
-    publicKeyPem: identity.public_key_pem
-  };
-}
-
-// src/pairing/pairing.ts
-import path5 from "path";
-import { rm as rm3 } from "fs/promises";
-
-// src/security/devices.ts
-import { randomBytes as randomBytes2, randomUUID as randomUUID3, timingSafeEqual, createHash } from "crypto";
-var ACCESS_TOKEN_TTL_MS = 15 * 60 * 1e3;
-var REFRESH_TOKEN_TTL_MS = 90 * 24 * 60 * 60 * 1e3;
-async function createDeviceSession(input, paths = resolveRuntimePaths()) {
-  const store = await readCredentialStore(paths);
-  const now = /* @__PURE__ */ new Date();
-  const accessToken = randomToken("hpat_");
-  const refreshToken = randomToken("hprt_");
-  const device = {
-    id: `dev_${randomUUID3().replaceAll("-", "")}`,
-    label: input.label,
-    platform: input.platform,
-    scope: "admin",
-    access_token_hash: sha256(accessToken),
-    access_expires_at: new Date(now.getTime() + ACCESS_TOKEN_TTL_MS).toISOString(),
-    refresh_token_hash: sha256(refreshToken),
-    refresh_expires_at: new Date(now.getTime() + REFRESH_TOKEN_TTL_MS).toISOString(),
-    created_at: now.toISOString(),
-    updated_at: now.toISOString(),
-    revoked_at: null
-  };
-  store.devices.push(device);
-  await writeCredentialStore(paths, store);
-  return formatDeviceSession(device, accessToken, refreshToken);
-}
-async function authenticateDeviceAccessToken(token, paths = resolveRuntimePaths()) {
-  const tokenHash = sha256(token);
-  const store = await readCredentialStore(paths);
-  const device = store.devices.find((item) => safeEqual(item.access_token_hash, tokenHash));
-  if (!device || device.revoked_at || Date.parse(device.access_expires_at) <= Date.now()) {
-    return null;
-  }
-  return device;
-}
-async function refreshDeviceSession(refreshToken, paths = resolveRuntimePaths()) {
-  const tokenHash = sha256(refreshToken);
-  const store = await readCredentialStore(paths);
-  const device = store.devices.find((item) => safeEqual(item.refresh_token_hash, tokenHash));
-  if (!device || device.revoked_at || Date.parse(device.refresh_expires_at) <= Date.now()) {
-    throw new LinkHttpError(401, "refresh_token_invalid", "Refresh token is invalid or expired");
-  }
-  const now = /* @__PURE__ */ new Date();
-  const nextAccessToken = randomToken("hpat_");
-  const nextRefreshToken = randomToken("hprt_");
-  device.access_token_hash = sha256(nextAccessToken);
-  device.access_expires_at = new Date(now.getTime() + ACCESS_TOKEN_TTL_MS).toISOString();
-  device.refresh_token_hash = sha256(nextRefreshToken);
-  device.refresh_expires_at = new Date(now.getTime() + REFRESH_TOKEN_TTL_MS).toISOString();
-  device.updated_at = now.toISOString();
-  await writeCredentialStore(paths, store);
-  return formatDeviceSession(device, nextAccessToken, nextRefreshToken);
-}
-async function revokeDeviceRefreshToken(refreshToken, paths = resolveRuntimePaths()) {
-  const tokenHash = sha256(refreshToken);
-  const store = await readCredentialStore(paths);
-  const device = store.devices.find((item) => safeEqual(item.refresh_token_hash, tokenHash));
-  if (!device || device.revoked_at) {
-    return;
-  }
-  device.revoked_at = (/* @__PURE__ */ new Date()).toISOString();
-  device.updated_at = device.revoked_at;
-  await writeCredentialStore(paths, store);
-}
-async function readCredentialStore(paths) {
-  const existing = await readJsonFile(paths.credentialsFile);
-  return {
-    devices: Array.isArray(existing?.devices) ? existing.devices.filter(isDeviceRecord) : []
-  };
-}
-async function writeCredentialStore(paths, store) {
-  await writeJsonFile(paths.credentialsFile, store);
-}
-function formatDeviceSession(device, accessToken, refreshToken) {
-  return {
-    device: {
-      id: device.id,
-      device_id: device.id,
-      label: device.label,
-      platform: device.platform,
-      scope: device.scope
-    },
-    accessToken: {
-      token: accessToken,
-      expiresAt: device.access_expires_at
-    },
-    refreshToken: {
-      token: refreshToken,
-      expiresAt: device.refresh_expires_at
-    }
-  };
-}
-function isDeviceRecord(value) {
-  return typeof value === "object" && value !== null && typeof value.id === "string" && typeof value.access_token_hash === "string" && typeof value.refresh_token_hash === "string";
-}
-function randomToken(prefix) {
-  return `${prefix}${randomBytes2(24).toString("base64url")}`;
-}
-function sha256(value) {
-  return createHash("sha256").update(value).digest("hex");
-}
-function safeEqual(left, right) {
-  const leftBytes = Buffer.from(left);
-  const rightBytes = Buffer.from(right);
-  return leftBytes.length === rightBytes.length && timingSafeEqual(leftBytes, rightBytes);
-}
-
-// src/relay/bootstrap.ts
-async function bootstrapRelayLink(options) {
-  const fetcher = options.fetchImpl ?? fetch;
-  const baseUrl = options.relayBaseUrl.replace(/\/+$/u, "");
-  const commonPayload = {
-    install_id: options.identity.install_id,
-    link_id: options.identity.link_id ?? void 0,
-    public_key_pem: options.identity.public_key_pem
-  };
-  const challenge = await postJson(
-    fetcher,
-    `${baseUrl}/api/v1/relay/link/challenge`,
-    options.relayBootstrapToken,
-    commonPayload
-  );
-  if (challenge.ok !== true || typeof challenge.nonce !== "string") {
-    throw new Error("Relay did not return a valid install challenge");
-  }
-  const proof = {
-    nonce: challenge.nonce,
-    signature: signRelayNonce(options.identity, challenge.nonce)
-  };
-  const assigned = await postJson(
-    fetcher,
-    `${baseUrl}/api/v1/relay/link/bootstrap`,
-    options.relayBootstrapToken,
-    {
-      ...commonPayload,
-      proof
-    }
-  );
-  if (assigned.ok !== true || typeof assigned.link_id !== "string") {
-    throw new Error("Relay did not return a valid link_id");
-  }
-  await saveAssignedLinkId(assigned.link_id, options.paths ?? resolveRuntimePaths());
-  return {
-    linkId: assigned.link_id,
-    reused: assigned.reused === true
-  };
-}
-async function postJson(fetcher, url, token, body) {
-  const response = await fetcher(url, {
-    method: "POST",
-    headers: {
-      authorization: `Bearer ${token}`,
-      "content-type": "application/json"
-    },
-    body: JSON.stringify(body)
-  });
-  const payload = await response.json().catch(() => null);
-  if (!response.ok) {
-    const message = readErrorMessage(payload) ?? `Relay request failed with HTTP ${response.status}`;
-    throw new Error(message);
-  }
-  if (!payload) {
-    throw new Error("Relay returned an empty response");
-  }
-  return payload;
-}
-function readErrorMessage(payload) {
-  if (typeof payload !== "object" || payload === null) {
-    return null;
-  }
-  const error = payload.error;
-  if (typeof error !== "object" || error === null) {
-    return null;
-  }
-  const message = error.message;
-  return typeof message === "string" ? message : null;
-}
-
-// src/topology/network.ts
-import os4 from "os";
-var VIRTUAL_INTERFACE_NAME_PATTERN = /(docker|veth|vmnet|vmenet|vbox|virtualbox|vmware|tailscale|zerotier|wireguard|utun|virbr|hyper-v|vethernet|loopback|\blo\b|^lo\d*$|^br-|^bridge\d+$|^zt|^tun|^tap|awdl|llw|anpi|gif|stf|ipsec|ppp)/iu;
-var MAX_LAN_IPS = 4;
-var MAX_PUBLIC_IPV4S = 2;
-var MAX_PUBLIC_IPV6S = 2;
-async function discoverRouteCandidates(options) {
-  const lanIps = discoverLanIps();
-  const publicIps = options.relayBootstrapToken ? await observePublicRoute(options).catch(() => ({ publicIpv4s: [], publicIpv6s: [] })) : { publicIpv4s: [], publicIpv6s: [] };
-  const publicIpv4s = unique(publicIps.publicIpv4s.filter(isUsablePublicIpv4)).slice(0, MAX_PUBLIC_IPV4S);
-  const publicIpv6s = unique(publicIps.publicIpv6s.filter(isUsablePublicIpv6)).slice(0, MAX_PUBLIC_IPV6S);
-  const preferredUrls = [
-    ...lanIps.map((ip) => buildDirectUrl(ip, options.port)),
-    ...publicIpv4s.map((ip) => buildDirectUrl(ip, options.port)),
-    ...publicIpv6s.map((ip) => buildDirectUrl(ip, options.port)),
-    `${options.relayBaseUrl.replace(/\/+$/u, "")}/api/v1/relay/links/${options.linkId}`
-  ];
-  return {
-    lanIps,
-    publicIpv4s,
-    publicIpv6s,
-    preferredUrls
-  };
-}
-function discoverLanIps() {
-  return discoverLanIpsFromInterfaces(os4.networkInterfaces());
-}
-function discoverLanIpsFromInterfaces(interfaces) {
-  const result = /* @__PURE__ */ new Set();
-  const candidates = [];
-  for (const [name, items] of Object.entries(interfaces)) {
-    if (shouldIgnoreInterface(name)) {
-      continue;
-    }
-    for (const item of items ?? []) {
-      if (!item.internal && item.address && item.family === "IPv4" && isUsableLanIpv4(item.address, item.netmask)) {
-        candidates.push({ name, address: item.address });
-      }
-    }
-  }
-  for (const candidate of candidates.sort(compareLanCandidate)) {
-    result.add(candidate.address);
-  }
-  return [...result].slice(0, MAX_LAN_IPS);
-}
-async function observePublicRoute(options) {
-  const fetcher = options.fetchImpl ?? fetch;
-  const response = await fetcher(`${options.relayBaseUrl.replace(/\/+$/u, "")}/api/v1/relay/public-route/observe`, {
-    method: "POST",
-    headers: {
-      authorization: `Bearer ${options.relayBootstrapToken}`,
-      "content-type": "application/json"
-    },
-    body: JSON.stringify({
-      install_id: options.installId,
-      link_id: options.linkId,
-      public_key_pem: options.publicKeyPem
-    })
-  });
-  const payload = await response.json().catch(() => null);
-  const record = typeof payload?.record === "object" && payload.record !== null ? payload.record : null;
-  const observed = typeof payload?.observed === "object" && payload.observed !== null ? payload.observed : null;
-  const values = [
-    readIpRecord(record?.ipv4),
-    readIpRecord(record?.ipv6),
-    typeof observed?.ip === "string" ? observed.ip : null
-  ].filter((value) => Boolean(value));
-  return {
-    publicIpv4s: unique(values.filter(isUsablePublicIpv4)),
-    publicIpv6s: unique(values.filter(isUsablePublicIpv6))
-  };
-}
-function readIpRecord(value) {
-  if (typeof value !== "object" || value === null) {
-    return null;
-  }
-  const ip = value.ip;
-  return typeof ip === "string" && ip.trim() ? ip.trim() : null;
-}
-function buildDirectUrl(ip, port) {
-  return `http://${ip.includes(":") ? `[${ip}]` : ip}:${port}`;
-}
-function shouldIgnoreInterface(name) {
-  return !name.trim() || VIRTUAL_INTERFACE_NAME_PATTERN.test(name);
-}
-function compareLanCandidate(left, right) {
-  const priority = interfacePriority(left.name) - interfacePriority(right.name);
-  return priority || left.name.localeCompare(right.name) || left.address.localeCompare(right.address);
-}
-function interfacePriority(name) {
-  if (/^(en|eth|wlan|wi-fi|wifi)/iu.test(name)) {
-    return 0;
-  }
-  return 1;
-}
-function isUsableLanIpv4(address, netmask) {
-  return isPrivateIpv4(address) && !isNetworkOrBroadcastIpv4Address(address, netmask);
-}
-function isUsablePublicIpv4(address) {
-  return isValidIpv4(address) && !isSpecialIpv4(address);
-}
-function isUsablePublicIpv6(address) {
-  const normalized = address.toLowerCase();
-  return normalized.includes(":") && !normalized.startsWith("fe80:") && !normalized.startsWith("fc") && !normalized.startsWith("fd") && !normalized.startsWith("ff") && normalized !== "::" && normalized !== "::1";
-}
-function isPrivateIpv4(address) {
-  const parts = parseIpv4Segments(address);
-  if (!parts) {
-    return false;
-  }
-  const [first, second] = parts;
-  return first === 10 || first === 172 && second >= 16 && second <= 31 || first === 192 && second === 168;
-}
-function isSpecialIpv4(address) {
-  const parts = parseIpv4Segments(address);
-  if (!parts) {
-    return true;
-  }
-  const [first, second, third, fourth] = parts;
-  return first === 0 || first === 10 || first === 127 || first >= 224 || first === 100 && second >= 64 && second <= 127 || first === 169 && second === 254 || first === 172 && second >= 16 && second <= 31 || first === 192 && second === 168 || first === 192 && second === 0 && third === 2 || first === 198 && (second === 18 || second === 19) || first === 198 && second === 51 && third === 100 || first === 203 && second === 0 && third === 113 || first === 255 && second === 255 && third === 255 && fourth === 255;
-}
-function isNetworkOrBroadcastIpv4Address(address, netmask) {
-  const addressParts = parseIpv4Segments(address);
-  const netmaskParts = netmask ? parseIpv4Segments(netmask) : null;
-  if (!addressParts) {
-    return true;
-  }
-  if (!netmaskParts) {
-    const last = addressParts[3];
-    return last === 0 || last === 255;
-  }
-  const addressInt = ipv4SegmentsToInt(addressParts);
-  const netmaskInt = ipv4SegmentsToInt(netmaskParts);
-  const hostMask = ~netmaskInt >>> 0;
-  if (hostMask === 0) {
-    return false;
-  }
-  const networkInt = addressInt & netmaskInt;
-  const broadcastInt = (networkInt | hostMask) >>> 0;
-  return addressInt === networkInt || addressInt === broadcastInt;
-}
-function isValidIpv4(address) {
-  return Boolean(parseIpv4Segments(address));
-}
-function parseIpv4Segments(address) {
-  if (!/^\d{1,3}(?:\.\d{1,3}){3}$/u.test(address)) {
-    return null;
-  }
-  const parts = address.split(".").map((part) => Number.parseInt(part, 10));
-  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
-    return null;
-  }
-  return parts;
-}
-function ipv4SegmentsToInt(parts) {
-  return (parts[0] << 24 >>> 0 | parts[1] << 16 | parts[2] << 8 | parts[3]) >>> 0;
-}
-function unique(values) {
-  return [...new Set(values)];
-}
-
-// src/pairing/pairing.ts
-async function preparePairing(paths = resolveRuntimePaths()) {
-  const config = await loadConfig(paths);
-  const identity = await ensureIdentity(paths);
-  const created = await postServerJson(config.serverBaseUrl, "/api/v1/link-pairings", {
-    install_id: identity.install_id,
-    link_id: identity.link_id ?? void 0,
-    display_name: defaultDisplayName(),
-    public_key_pem: identity.public_key_pem
-  });
-  const relayBaseUrl = created.relayBaseUrl || config.relayBaseUrl;
-  const assigned = await bootstrapRelayLink({
-    relayBaseUrl,
-    relayBootstrapToken: created.relayBootstrapToken,
-    identity,
-    paths
-  });
-  const updatedIdentity = await loadIdentity(paths) ?? identity;
-  const routes = await discoverRouteCandidates({
-    port: config.port,
-    relayBaseUrl,
-    relayBootstrapToken: created.relayBootstrapToken,
-    linkId: assigned.linkId,
-    installId: updatedIdentity.install_id,
-    publicKeyPem: updatedIdentity.public_key_pem
-  });
-  await patchServerJson(config.serverBaseUrl, `/api/v1/link-pairings/${created.sessionId}/link`, created.pairingToken, {
-    install_id: updatedIdentity.install_id,
-    link_id: assigned.linkId,
-    display_name: defaultDisplayName(),
-    lan_ips: routes.lanIps,
-    public_ipv4s: routes.publicIpv4s,
-    public_ipv6s: routes.publicIpv6s,
-    preferred_urls: routes.preferredUrls
-  });
-  const qrPayload = {
-    kind: "hermes_link_pairing",
-    version: 1,
-    link_id: assigned.linkId,
-    display_name: defaultDisplayName(),
-    session_id: created.sessionId,
-    code: created.code,
-    preferred_urls: qrPreferredUrls(routes)
-  };
-  return {
-    sessionId: created.sessionId,
-    code: created.code,
-    pairingToken: created.pairingToken,
-    relayBootstrapToken: created.relayBootstrapToken,
-    relayBaseUrl,
-    displayName: defaultDisplayName(),
-    linkId: assigned.linkId,
-    routes,
-    qrPayload
-  };
-}
-async function recordPairingClaim(input, paths = resolveRuntimePaths()) {
-  const record = {
-    session_id: input.sessionId,
-    device_id: input.deviceId,
-    device_label: input.deviceLabel,
-    device_platform: input.devicePlatform,
-    claimed_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  await writeJsonFile(pairingClaimPath(input.sessionId, paths), record);
-  return record;
-}
-async function readPairingClaim(sessionId, paths = resolveRuntimePaths()) {
-  const record = await readJsonFile(pairingClaimPath(sessionId, paths));
-  if (!record || record.session_id !== sessionId || typeof record.device_id !== "string") {
-    return null;
-  }
-  return {
-    session_id: record.session_id,
-    device_id: record.device_id,
-    device_label: typeof record.device_label === "string" ? record.device_label : "",
-    device_platform: typeof record.device_platform === "string" ? record.device_platform : "unknown",
-    claimed_at: typeof record.claimed_at === "string" ? record.claimed_at : ""
-  };
-}
-async function clearPairingClaim(sessionId, paths = resolveRuntimePaths()) {
-  await rm3(pairingClaimPath(sessionId, paths), { force: true }).catch(() => void 0);
-}
-async function claimPairing(input) {
-  const paths = input.paths ?? resolveRuntimePaths();
-  const [identity, config] = await Promise.all([loadRequiredIdentity(paths), loadConfig(paths)]);
-  const verified = await postServerJson(
-    config.serverBaseUrl,
-    `/api/v1/link-pairings/${input.sessionId}/claim/verify`,
-    {
-      claim_token: input.claimToken
-    }
-  );
-  if (verified.ok !== true || verified.linkId !== identity.link_id) {
-    throw new LinkHttpError(409, "pairing_claim_mismatch", "Pairing claim does not match this Link");
-  }
-  const session = await createDeviceSession(
-    {
-      label: input.deviceLabel || "HermesPilot App",
-      platform: input.devicePlatform || "unknown"
-    },
-    paths
-  );
-  return {
-    link: {
-      link_id: identity.link_id,
-      display_name: defaultDisplayName()
-    },
-    device: formatDevice(session.device),
-    access_token: {
-      token: session.accessToken.token,
-      expires_at: session.accessToken.expiresAt
-    },
-    refresh_token: {
-      token: session.refreshToken.token,
-      expires_at: session.refreshToken.expiresAt
-    }
-  };
-}
-async function loadRequiredIdentity(paths) {
-  const identity = await loadIdentity(paths);
-  if (!identity?.link_id) {
-    throw new LinkHttpError(409, "link_not_paired", "Hermes Link is not paired");
-  }
-  return identity;
-}
-async function postServerJson(serverBaseUrl, path7, body) {
-  const response = await fetch(`${serverBaseUrl.replace(/\/+$/u, "")}${path7}`, {
-    method: "POST",
-    headers: {
-      accept: "application/json",
-      "content-type": "application/json"
-    },
-    body: JSON.stringify(body)
-  });
-  return readJsonResponse2(response);
-}
-async function patchServerJson(serverBaseUrl, path7, token, body) {
-  const response = await fetch(`${serverBaseUrl.replace(/\/+$/u, "")}${path7}`, {
-    method: "PATCH",
-    headers: {
-      accept: "application/json",
-      authorization: `Bearer ${token}`,
-      "content-type": "application/json"
-    },
-    body: JSON.stringify(body)
-  });
-  return readJsonResponse2(response);
-}
-async function readJsonResponse2(response) {
-  const payload = await response.json().catch(() => null);
-  if (!response.ok || !payload) {
-    const message = readErrorMessage2(payload) ?? `HermesPilot Server request failed with HTTP ${response.status}`;
-    throw new LinkHttpError(response.status, "server_request_failed", message);
-  }
-  return payload;
-}
-function readErrorMessage2(payload) {
-  if (typeof payload !== "object" || payload === null) {
-    return null;
-  }
-  const error = payload.error;
-  if (typeof error !== "object" || error === null) {
-    return null;
-  }
-  const message = error.message;
-  return typeof message === "string" ? message : null;
-}
-function defaultDisplayName() {
-  return `Hermes Link ${process.platform}`;
-}
-function pairingClaimPath(sessionId, paths) {
-  return path5.join(paths.pairingDir, `${Buffer.from(sessionId).toString("base64url")}.claimed.json`);
-}
-function qrPreferredUrls(routes) {
-  return routes.preferredUrls.filter((url) => !url.includes("/api/v1/relay/links/")).slice(0, 1);
-}
-function formatDevice(device) {
-  return {
-    id: device.id,
-    device_id: device.device_id,
-    label: device.label,
-    platform: device.platform,
-    scope: device.scope
-  };
-}
-
-// src/security/app-connect-token.ts
-import { createPublicKey, verify } from "crypto";
-var cachedJwks = null;
-async function verifyAppConnectToken(token, options) {
-  const segments = token.split(".");
-  if (segments.length !== 3) {
-    throw new LinkHttpError(401, "app_connect_token_invalid", "App connect token is malformed");
-  }
-  const [encodedHeader, encodedPayload, encodedSignature] = segments;
-  const header = decodeJson(encodedHeader);
-  const payload = decodeJson(encodedPayload);
-  if (header.alg !== "ES256" || header.typ !== "JWT") {
-    throw new LinkHttpError(401, "app_connect_token_invalid", "App connect token algorithm is unsupported");
-  }
-  if (payload.token_type !== "hermes_app_connect" || payload.iss !== options.config.appConnectTokenIssuer || payload.aud !== options.config.appConnectTokenAudience || payload.link_id !== options.linkId || !Number.isFinite(payload.exp) || payload.exp <= Math.floor(Date.now() / 1e3)) {
-    throw new LinkHttpError(401, "app_connect_token_invalid", "App connect token claims are invalid");
-  }
-  const jwks = await getJwks(options.config, options.fetchImpl ?? fetch);
-  const key = jwks.find((item) => item.kid === header.kid) ?? jwks[0];
-  if (!key) {
-    throw new LinkHttpError(503, "app_connect_jwks_unavailable", "App connect token key is unavailable");
-  }
-  const publicKey = createPublicKey({ key, format: "jwk" });
-  const ok = verify(
-    "sha256",
-    Buffer.from(`${encodedHeader}.${encodedPayload}`),
-    { key: publicKey, dsaEncoding: "ieee-p1363" },
-    Buffer.from(base64UrlToBase64(encodedSignature), "base64")
-  );
-  if (!ok) {
-    throw new LinkHttpError(401, "app_connect_token_invalid", "App connect token signature is invalid");
-  }
-  return payload;
-}
-async function getJwks(config, fetcher) {
-  if (cachedJwks && cachedJwks.expiresAt > Date.now()) {
-    return cachedJwks.keys;
-  }
-  const response = await fetcher(`${config.serverBaseUrl.replace(/\/+$/u, "")}/api/v1/app-connect/jwks.json`, {
-    headers: { accept: "application/json" }
-  });
-  if (!response.ok) {
-    throw new LinkHttpError(503, "app_connect_jwks_unavailable", "Unable to load app connect JWKS");
-  }
-  const payload = await response.json();
-  const keys = Array.isArray(payload.keys) ? payload.keys : [];
-  cachedJwks = {
-    keys,
-    expiresAt: Date.now() + 5 * 60 * 1e3
-  };
-  return keys;
-}
-function decodeJson(value) {
-  return JSON.parse(Buffer.from(base64UrlToBase64(value), "base64").toString("utf8"));
-}
-function base64UrlToBase64(value) {
-  const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
-  return normalized + "=".repeat((4 - normalized.length % 4) % 4);
-}
-
-// src/runtime/logger.ts
-import { appendFile, mkdir as mkdir5, open as open2, readFile as readFile3, rename as rename3, rm as rm4, stat as stat2 } from "fs/promises";
-import path6 from "path";
-var DEFAULT_LOG_FILE = "hermeslink.log";
-var DEFAULT_MAX_FILE_BYTES = 1024 * 1024;
-var DEFAULT_MAX_FILES = 5;
-var DEFAULT_READ_LIMIT = 200;
-var MAX_READ_LIMIT = 1e3;
-var DEFAULT_MAX_BYTES_PER_FILE = 512 * 1024;
-var FileLogger = class {
-  filePath;
-  paths;
-  maxFileBytes;
-  maxFiles;
-  now;
-  queue = Promise.resolve();
-  constructor(options = {}) {
-    this.paths = options.paths ?? resolveRuntimePaths();
-    this.filePath = getLinkLogFile(this.paths, options.fileName);
-    this.maxFileBytes = Math.max(256, Math.floor(options.maxFileBytes ?? DEFAULT_MAX_FILE_BYTES));
-    this.maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
-    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
-  }
-  debug(message, fields) {
-    return this.write("debug", message, fields);
-  }
-  info(message, fields) {
-    return this.write("info", message, fields);
-  }
-  warn(message, fields) {
-    return this.write("warn", message, fields);
-  }
-  error(message, fields) {
-    return this.write("error", message, fields);
-  }
-  write(level, message, fields) {
-    const entry = {
-      ts: this.now().toISOString(),
-      level,
-      message,
-      ...fields ? { fields: sanitizeFields(fields) } : {}
-    };
-    const next = this.queue.then(() => this.appendEntry(entry)).catch(() => void 0);
-    this.queue = next;
-    return next;
-  }
-  flush() {
-    return this.queue;
-  }
-  async appendEntry(entry) {
-    await mkdir5(this.paths.logsDir, { recursive: true, mode: 448 });
-    const line = `${JSON.stringify(entry)}
-`;
-    await this.rotateIfNeeded(Buffer.byteLength(line, "utf8"));
-    await appendFile(this.filePath, line, { mode: 384 });
-  }
-  async rotateIfNeeded(nextBytes) {
-    const current = await stat2(this.filePath).catch(() => null);
-    if (!current || current.size === 0 || current.size + nextBytes <= this.maxFileBytes) {
-      return;
-    }
-    if (this.maxFiles === 0) {
-      await rm4(this.filePath, { force: true }).catch(() => void 0);
-      return;
-    }
-    await rm4(rotatedLogFile(this.filePath, this.maxFiles), { force: true }).catch(() => void 0);
-    for (let index = this.maxFiles - 1; index >= 1; index -= 1) {
-      await moveIfExists(rotatedLogFile(this.filePath, index), rotatedLogFile(this.filePath, index + 1));
-    }
-    await moveIfExists(this.filePath, rotatedLogFile(this.filePath, 1));
-  }
-};
-function createFileLogger(options = {}) {
-  return new FileLogger(options);
-}
-function getLinkLogFile(paths = resolveRuntimePaths(), fileName = DEFAULT_LOG_FILE) {
-  return path6.join(paths.logsDir, fileName);
-}
-async function readRecentLogEntries(options = {}) {
-  const paths = options.paths ?? resolveRuntimePaths();
-  const filePath = getLinkLogFile(paths, options.fileName);
-  const limit = clampLimit(options.limit);
-  const maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
-  const maxBytesPerFile = Math.max(1024, Math.floor(options.maxBytesPerFile ?? DEFAULT_MAX_BYTES_PER_FILE));
-  const files = [filePath, ...Array.from({ length: maxFiles }, (_, index) => rotatedLogFile(filePath, index + 1))];
-  const entries = [];
-  for (const file of files) {
-    const raw = await readTail(file, maxBytesPerFile);
-    if (!raw) {
-      continue;
-    }
-    const lines = raw.split(/\r?\n/u).filter(Boolean);
-    for (let index = lines.length - 1; index >= 0 && entries.length < limit; index -= 1) {
-      const entry = parseLogLine(lines[index]);
-      if (entry) {
-        entries.push(entry);
-      }
-    }
-    if (entries.length >= limit) {
-      break;
-    }
-  }
-  return entries.reverse();
-}
-function clampLimit(value) {
-  if (typeof value !== "number" || !Number.isFinite(value)) {
-    return DEFAULT_READ_LIMIT;
-  }
-  return Math.min(MAX_READ_LIMIT, Math.max(1, Math.floor(value)));
-}
-function sanitizeFields(fields) {
-  return sanitizeObject(fields, 0);
-}
-function sanitizeValue(value, depth) {
-  if (value === null || typeof value === "boolean") {
-    return value;
-  }
-  if (typeof value === "number") {
-    return Number.isFinite(value) ? value : null;
-  }
-  if (typeof value === "string") {
-    return value.length > 2e3 ? `${value.slice(0, 2e3)}...` : value;
-  }
-  if (Array.isArray(value)) {
-    if (depth >= 3) {
-      return "[array]";
-    }
-    return value.slice(0, 20).map((item) => sanitizeValue(item, depth + 1));
-  }
-  if (typeof value === "object" && value !== null) {
-    if (depth >= 3) {
-      return "[object]";
-    }
-    return sanitizeObject(value, depth + 1);
-  }
-  return String(value);
-}
-function sanitizeObject(value, depth) {
-  const result = {};
-  for (const [key, child] of Object.entries(value).slice(0, 50)) {
-    if (isSensitiveKey(key)) {
-      result[key] = "[redacted]";
-      continue;
-    }
-    result[key] = sanitizeValue(child, depth);
-  }
-  return result;
-}
-function isSensitiveKey(key) {
-  return /(authorization|cookie|token|secret|password|private[_-]?key|api[_-]?key)/iu.test(key);
-}
-function parseLogLine(line) {
-  try {
-    const value = JSON.parse(line);
-    if (!value || typeof value.ts !== "string" || !isLogLevel(value.level) || typeof value.message !== "string") {
-      return null;
-    }
-    return {
-      ts: value.ts,
-      level: value.level,
-      message: value.message,
-      ...value.fields && typeof value.fields === "object" ? { fields: value.fields } : {}
-    };
-  } catch {
-    return null;
-  }
-}
-function isLogLevel(value) {
-  return value === "debug" || value === "info" || value === "warn" || value === "error";
-}
-async function readTail(filePath, maxBytes) {
-  const info = await stat2(filePath).catch(() => null);
-  if (!info || info.size <= 0) {
-    return null;
-  }
-  if (info.size <= maxBytes) {
-    return await readFile3(filePath, "utf8").catch(() => null);
-  }
-  const handle = await open2(filePath, "r").catch(() => null);
-  if (!handle) {
-    return null;
-  }
-  try {
-    const length = Math.min(info.size, maxBytes);
-    const buffer = Buffer.alloc(length);
-    await handle.read(buffer, 0, length, info.size - length);
-    return buffer.toString("utf8");
-  } finally {
-    await handle.close();
-  }
-}
-async function moveIfExists(from, to) {
-  await rm4(to, { force: true }).catch(() => void 0);
-  await rename3(from, to).catch((error) => {
-    if (error.code !== "ENOENT") {
-      throw error;
-    }
-  });
-}
-function rotatedLogFile(filePath, index) {
-  return `${filePath}.${index}`;
-}
-
-// src/http/app.ts
-async function createApp(options = {}) {
-  const paths = options.paths ?? resolveRuntimePaths();
-  const logger = options.logger ?? createFileLogger({ paths });
-  const app = new Koa();
-  const router = new Router();
-  app.use(async (ctx, next) => {
-    const startedAt = Date.now();
-    try {
-      await next();
-    } catch (error) {
-      const profileError = error instanceof Error && error.message === "invalid profile name";
-      const status = isLinkHttpError(error) ? error.status : profileError ? 400 : 500;
-      ctx.status = status;
-      ctx.body = {
-        ok: false,
-        error: {
-          code: isLinkHttpError(error) ? error.code : status === 400 ? "invalid_profile_name" : "internal_error",
-          message: error instanceof Error ? error.message : "Internal error"
-        }
-      };
-      void logger.write(status >= 500 ? "error" : "warn", "http_request_failed", {
-        method: ctx.method,
-        path: ctx.path,
-        status,
-        code: isLinkHttpError(error) ? error.code : status === 400 ? "invalid_profile_name" : "internal_error",
-        error: error instanceof Error ? error.message : String(error)
-      });
-    } finally {
-      void logger.info("http_request", {
-        method: ctx.method,
-        path: ctx.path,
-        status: ctx.status,
-        duration_ms: Date.now() - startedAt
-      });
-    }
-  });
-  router.get("/api/v1/bootstrap", async (ctx) => {
-    const [identity, config] = await Promise.all([loadIdentity(paths), loadConfig(paths)]);
-    const routes = identity?.link_id ? await discoverRouteCandidates({
-      port: config.port,
-      relayBaseUrl: config.relayBaseUrl,
-      linkId: identity.link_id,
-      installId: identity.install_id,
-      publicKeyPem: identity.public_key_pem
-    }) : null;
-    ctx.set("cache-control", "no-store");
-    ctx.body = {
-      link_id: identity?.link_id ?? null,
-      display_name: identity?.link_id ? "Hermes Link" : "Unpaired Hermes Link",
-      version: LINK_VERSION,
-      api_version: 1,
-      paired: Boolean(identity?.link_id),
-      pairing_supported: Boolean(identity?.link_id),
-      preferred_pairing_urls: routes?.preferredUrls ?? [],
-      routes: routes ? routeObjects(routes.preferredUrls) : [],
-      capabilities: {
-        runs: true,
-        sse: true,
-        relay: true,
-        profiles: true,
-        logs: true
-      }
-    };
-  });
-  router.post("/api/v1/pairing/claim", async (ctx) => {
-    const body = await readJsonBody(ctx.req);
-    const sessionId = readString2(body, "session_id") ?? readString2(body, "sessionId");
-    const claimToken = readString2(body, "claim_token") ?? readString2(body, "claimToken");
-    if (!sessionId || !claimToken) {
-      throw new LinkHttpError(400, "pairing_claim_invalid", "session_id and claim_token are required");
-    }
-    const claimed = await claimPairing({
-      sessionId,
-      claimToken,
-      deviceLabel: readString2(body, "device_label") ?? readString2(body, "deviceLabel") ?? "HermesPilot App",
-      devicePlatform: readString2(body, "device_platform") ?? readString2(body, "devicePlatform") ?? "unknown",
-      paths
-    });
-    ctx.body = claimed;
-    void logger.info("pairing_claimed", {
-      device_id: claimed.device.device_id,
-      device_platform: claimed.device.platform
-    });
-    const timer = setTimeout(() => {
-      void recordPairingClaim(
-        {
-          sessionId,
-          deviceId: claimed.device.device_id,
-          deviceLabel: claimed.device.label,
-          devicePlatform: claimed.device.platform
-        },
-        paths
-      ).catch((error) => {
-        void logger.warn("pairing_claim_record_failed", {
-          session_id: sessionId,
-          error: error instanceof Error ? error.message : String(error)
-        });
-      });
-      void options.onPairingClaimed?.();
-    }, 250);
-    timer.unref?.();
-  });
-  router.get("/api/v1/auth/me", async (ctx) => {
-    const auth = await authenticateRequest(ctx, paths);
-    const identity = await loadRequiredIdentity2(paths);
-    ctx.body = {
-      ok: true,
-      auth: { kind: auth.kind, account_id: auth.accountId ?? null },
-      link: {
-        link_id: identity.link_id,
-        display_name: "Hermes Link"
-      },
-      device: auth.device ? {
-        id: auth.device.id,
-        device_id: auth.device.id,
-        label: auth.device.label,
-        platform: auth.device.platform,
-        scope: auth.device.scope
-      } : null
-    };
-  });
-  router.post("/api/v1/auth/refresh", async (ctx) => {
-    const body = await readJsonBody(ctx.req);
-    const refreshToken = readString2(body, "refresh_token") ?? readString2(body, "refreshToken");
-    if (!refreshToken) {
-      throw new LinkHttpError(400, "refresh_token_required", "refresh_token is required");
-    }
-    const session = await refreshDeviceSession(refreshToken, paths);
-    ctx.body = {
-      ok: true,
-      device: session.device,
-      access_token: {
-        token: session.accessToken.token,
-        expires_at: session.accessToken.expiresAt
-      },
-      refresh_token: {
-        token: session.refreshToken.token,
-        expires_at: session.refreshToken.expiresAt
-      }
-    };
-  });
-  router.post("/api/v1/auth/logout", async (ctx) => {
-    const body = await readJsonBody(ctx.req);
-    const refreshToken = readString2(body, "refresh_token") ?? readString2(body, "refreshToken");
-    if (refreshToken) {
-      await revokeDeviceRefreshToken(refreshToken, paths);
-    }
-    ctx.body = { ok: true };
-  });
-  router.get("/api/v1/status", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const [identity, config] = await Promise.all([loadIdentity(paths), loadConfig(paths)]);
-    ctx.body = {
-      ok: true,
-      version: LINK_VERSION,
-      paired: Boolean(identity?.link_id),
-      link_id: identity?.link_id ?? null,
-      port: config.port
-    };
-  });
-  router.get("/api/v1/logs", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.set("cache-control", "no-store");
-    ctx.body = {
-      ok: true,
-      logs: await readRecentLogEntries({
-        paths,
-        limit: readLimit(ctx.query.limit)
-      })
-    };
-  });
-  router.get("/api/v1/models", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.body = await listHermesModels();
-  });
-  router.post("/api/v1/runs", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const body = await readJsonBody(ctx.req);
-    const input = readString2(body, "input");
-    if (!input) {
-      throw new LinkHttpError(400, "run_input_required", "input is required");
-    }
-    ctx.status = 202;
-    ctx.body = await createHermesRun({
-      input,
-      conversation_history: readConversationHistory(body.conversation_history ?? body.conversationHistory),
-      session_id: readString2(body, "session_id") ?? readString2(body, "sessionId") ?? void 0
-    });
-  });
-  router.get("/api/v1/runs/:runId/events", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const response = await streamHermesRunEvents(ctx.params.runId);
-    ctx.status = response.status;
-    for (const [key, value] of response.headers.entries()) {
-      ctx.set(key, value);
-    }
-    ctx.respond = false;
-    const nodeResponse = ctx.res;
-    nodeResponse.statusCode = response.status;
-    for (const [key, value] of response.headers.entries()) {
-      nodeResponse.setHeader(key, value);
-    }
-    if (response.body) {
-      Readable.fromWeb(response.body).pipe(nodeResponse);
-    } else {
-      nodeResponse.end();
-    }
-  });
-  router.post("/api/v1/runs/:runId/cancel", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    await cancelHermesRun(ctx.params.runId);
-    ctx.body = { ok: true };
-  });
-  router.get("/api/v1/profiles", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.set("cache-control", "no-store");
-    ctx.body = {
-      ok: true,
-      profiles: await listHermesProfiles()
-    };
-  });
-  router.get("/api/v1/profiles/:name/status", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.set("cache-control", "no-store");
-    ctx.body = {
-      ok: true,
-      profile: await getHermesProfileStatus(ctx.params.name)
-    };
-  });
-  router.post("/api/v1/profiles", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const body = await readJsonBody(ctx.req);
-    const name = readProfileName(body);
-    ctx.status = 201;
-    ctx.body = {
-      ok: true,
-      profile: await createHermesProfile(name)
-    };
-  });
-  router.post("/api/v1/profiles/:name/use", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    ctx.body = {
-      ok: true,
-      profile: await useHermesProfile(ctx.params.name)
-    };
-  });
-  router.patch("/api/v1/profiles/:name", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    const body = await readJsonBody(ctx.req);
-    const name = readProfileName(body);
-    ctx.body = {
-      ok: true,
-      profile: await renameHermesProfile(ctx.params.name, name)
-    };
-  });
-  router.delete("/api/v1/profiles/:name", async (ctx) => {
-    await authenticateRequest(ctx, paths);
-    await deleteHermesProfile(ctx.params.name);
-    ctx.status = 204;
-  });
-  app.use(router.routes());
-  app.use(router.allowedMethods());
-  return app;
-}
-async function readJsonBody(request) {
-  const chunks = [];
-  for await (const chunk of request) {
-    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
-  }
-  if (chunks.length === 0) {
-    return {};
-  }
-  return JSON.parse(Buffer.concat(chunks).toString("utf8"));
-}
-function readProfileName(body) {
-  if (typeof body.name !== "string") {
-    throw new Error("invalid profile name");
-  }
-  return body.name;
-}
-async function authenticateRequest(ctx, paths) {
-  const token = readBearerToken(ctx.get("authorization"));
-  if (!token) {
-    throw new LinkHttpError(401, "auth_required", "Authorization bearer token is required");
-  }
-  const device = await authenticateDeviceAccessToken(token, paths);
-  if (device) {
-    return { kind: "device", device };
-  }
-  const [identity, config] = await Promise.all([loadRequiredIdentity2(paths), loadConfig(paths)]);
-  const claims = await verifyAppConnectToken(token, {
-    config,
-    linkId: identity.link_id
-  });
-  return { kind: "app-connect", accountId: claims.sub };
-}
-async function loadRequiredIdentity2(paths) {
-  const identity = await loadIdentity(paths);
-  if (!identity?.link_id) {
-    throw new LinkHttpError(409, "link_not_paired", "Hermes Link is not paired");
-  }
-  return identity;
-}
-function readBearerToken(value) {
-  const trimmed = value.trim();
-  if (!trimmed.toLowerCase().startsWith("bearer ")) {
-    return null;
-  }
-  const token = trimmed.slice(7).trim();
-  return token || null;
-}
-function readString2(body, key) {
-  const value = body[key];
-  return typeof value === "string" && value.trim() ? value.trim() : null;
-}
-function readLimit(value) {
-  const raw = Array.isArray(value) ? value[0] : value;
-  if (typeof raw !== "string") {
-    return void 0;
-  }
-  const parsed = Number.parseInt(raw, 10);
-  return Number.isFinite(parsed) ? parsed : void 0;
-}
-function readConversationHistory(value) {
-  if (!Array.isArray(value)) {
-    return [];
-  }
-  return value.map((item) => {
-    if (typeof item !== "object" || item === null) {
-      return null;
-    }
-    const role = item.role;
-    const content = item.content;
-    if (typeof role !== "string" || typeof content !== "string") {
-      return null;
-    }
-    return { role, content };
-  }).filter((item) => Boolean(item));
-}
-function routeObjects(urls) {
-  return urls.map((url) => ({
-    kind: url.includes("/api/v1/relay/links/") ? "relay" : "lan",
-    url,
-    observed_at: (/* @__PURE__ */ new Date()).toISOString()
-  }));
-}
-
-export {
-  LINK_VERSION,
-  LINK_COMMAND,
-  resolveRuntimePaths,
-  loadConfig,
-  ensureHermesApiServerKey,
-  loadIdentity,
-  ensureIdentity,
-  getIdentityStatus,
-  preparePairing,
-  readPairingClaim,
-  clearPairingClaim,
-  createFileLogger,
-  getLinkLogFile,
-  createApp
-};
-//# sourceMappingURL=chunk-E54NSFGF.js.map