@johpaz/hive 1.1.0

package/packages/core/src/gateway/server.ts

@@ -0,0 +1,3317 @@
+import type { Config } from "../config/loader";
+import { loadConfig, getHiveDir } from "../config/loader";
+import { logger, onLogEntry } from "../utils/logger";
+import { sessionManager, parseSessionId } from "./session";
+import { laneQueue } from "./lane-queue";
+import {
+  type InboundMessage,
+  type OutboundMessage,
+  isSlashCommand,
+  executeSlashCommand,
+} from "./slash-commands";
+import { ChannelManager } from "../channels/manager";
+import { Agent } from "../agent/index";
+import { AgentRunner } from "../agent/providers/index";
+import type { IncomingMessage } from "../channels/base";
+import { mkdirSync, rmSync, unlinkSync, watch, existsSync } from "node:fs";
+import * as path from "node:path";
+import { cpus as osCpus } from "node:os";
+import { dbService, getDb, getDbPathLazy, type ChatMessageRow } from "../storage/sqlite";
+import { canvasManager } from "../canvas/canvas-manager.ts";
+import { subscribeCanvas, unsubscribeCanvas, emitCanvas, getCanvasSnapshot } from "../canvas/emitter";
+import { subscribeBridge, unsubscribeBridge } from "../tools/bridge-events";
+import { buildSupervisorGraph, rebuildSupervisorGraph, getSupervisorGraph } from "../agent/supervisor";
+import { randomUUID } from "crypto";
+import { resolveContext } from "./resolver";
+import { getUsageStats } from "../storage/usage";
+import { voiceService } from "../voice/index";
+import { Benchmark } from "../utils/benchmark";
+import { initializeGateway, type GatewayInitializationResult } from "./initializer";
+import { encryptConfig, decryptConfig, encryptApiKey, decryptApiKey, maskApiKey } from "../storage/crypto";
+import { resolveBestChannel } from "../tools/cron";
+import { loadContextToStore } from "../storage/bun-sqlite-store";
+
+const logSubscribers = new Set<string>();
+
+// ─── Tool narration map ───────────────────────────────────────────────────────
+// Maps tool name prefixes/exact names to human-readable Spanish narrations.
+// Shown to the user while the agent executes a tool.
+const TOOL_NARRATIONS: Record<string, string> = {
+  // Web
+  web_search:        "Buscando en la web...",
+  web_fetch:         "Leyendo página web...",
+  // Files
+  read:              "Leyendo archivo...",
+  write:             "Escribiendo archivo...",
+  edit:              "Editando archivo...",
+  exec:              "Ejecutando comando...",
+  // Cron
+  cron_add:          "Programando tarea...",
+  cron_list:         "Consultando tareas programadas...",
+  cron_remove:       "Eliminando tarea programada...",
+  cron_edit:         "Actualizando tarea programada...",
+  // Projects
+  project_create:    "Creando proyecto...",
+  project_update:    "Actualizando proyecto...",
+  project_done:      "Marcando proyecto como completado...",
+  project_fail:      "Registrando falla en el proyecto...",
+  task_create:       "Creando tarea...",
+  task_update:       "Actualizando tarea...",
+  // Agents
+  create_agent:      "Creando agente worker...",
+  find_agent:        "Buscando agente disponible...",
+  archive_agent:     "Archivando agente...",
+  // Memory
+  save_note:         "Guardando nota...",
+  memory_write:      "Guardando en memoria...",
+  memory_read:       "Leyendo memoria...",
+  memory_search:     "Buscando en memoria...",
+  memory_delete:     "Eliminando de memoria...",
+  memory_list:       "Listando notas...",
+  // Browser
+  browser_navigate:  "Navegando a la página...",
+  browser_click:     "Haciendo clic...",
+  browser_type:      "Escribiendo en la página...",
+  browser_screenshot:"Tomando captura de pantalla...",
+  browser_extract:   "Extrayendo información de la página...",
+  // Canvas
+  canvas_add_node:   "Actualizando canvas...",
+  canvas_update:     "Actualizando canvas...",
+  // Code Bridge
+  bridge_send:       "Enviando tarea al CLI...",
+  bridge_exec:       "Ejecutando en el Code Bridge...",
+  // Notify
+  notify:            "Enviando notificación...",
+  report_progress:   "Reportando progreso...",
+}
+
+function getNarration(toolName: string): string {
+  if (TOOL_NARRATIONS[toolName]) return TOOL_NARRATIONS[toolName]
+  // Prefix matching for MCP tools like "github__create_pr" → "Ejecutando github..."
+  const prefix = toolName.split("__")[0]
+  if (prefix && prefix !== toolName) return `Ejecutando ${prefix}...`
+  // Fallback
+  return `Ejecutando ${toolName.replace(/_/g, " ")}...`
+}
+
+function expandPath(p: string): string {
+  if (p.startsWith("~")) {
+    return path.join(process.env.HOME ?? "", p.slice(1));
+  }
+  return p;
+}
+
+// CORS helper for Vite dev server (port 5173)
+const CORS_ORIGINS = ["http://localhost:5173", "http://127.0.0.1:5173", "http://localhost:3000", "http://127.0.0.1:3000"];
+function addCorsHeaders(response: Response, request: Request): Response {
+  const origin = request.headers.get("Origin");
+  if (!origin) return response;
+
+  // Allow any localhost origin for development
+  const isLocalhost = origin.includes("localhost") || origin.includes("127.0.0.1");
+  const isCorsOrigin = CORS_ORIGINS.some(o => origin.includes(o.replace("http://", "")));
+
+  if (isCorsOrigin || isLocalhost) {
+    const headers = new Headers(response.headers);
+    headers.set("Access-Control-Allow-Origin", origin);
+    headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+    headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization, Accept, X-Requested-With");
+    headers.set("Access-Control-Allow-Credentials", "true");
+    headers.set("Access-Control-Max-Age", "86400");
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers,
+    });
+  }
+  return response;
+}
+
+// FIX 1 — Redactar secrets antes de exponer config al dashboard
+// Tokens y API keys nunca viajan completos al cliente
+function redactValue(value: string): string {
+  if (!value || value.length < 8) return "••••••••";
+  return `${value.slice(0, 4)}••••••••`;
+}
+
+function redactConfig(cfg: Config): Record<string, unknown> {
+  const redacted = JSON.parse(JSON.stringify(cfg)) as any;
+
+  // Redactar authToken del gateway
+  if (redacted.gateway?.authToken) {
+    redacted.gateway.authToken = redactValue(redacted.gateway.authToken);
+  }
+
+  // Redactar API keys de providers
+  if (redacted.models?.providers) {
+    for (const provider of Object.values(redacted.models.providers) as any[]) {
+      if (provider?.apiKey) provider.apiKey = redactValue(provider.apiKey);
+    }
+  }
+
+  // Redactar tokens de canales
+  if (redacted.channels) {
+    for (const channel of Object.values(redacted.channels) as any[]) {
+      if (channel?.accounts) {
+        for (const acc of Object.values(channel.accounts) as any[]) {
+          if (acc?.botToken) acc.botToken = redactValue(acc.botToken);
+          if (acc?.appToken) acc.appToken = redactValue(acc.appToken);
+          if (acc?.signingSecret) acc.signingSecret = redactValue(acc.signingSecret);
+        }
+      }
+    }
+  }
+
+  // Redactar headers de MCP servers
+  if (redacted.mcp?.servers) {
+    for (const server of Object.values(redacted.mcp.servers) as any[]) {
+      if (server?.headers) {
+        for (const [k, v] of Object.entries(server.headers)) {
+          const lk = k.toLowerCase();
+          if (lk.includes("auth") || lk.includes("token") || lk.includes("key")) {
+            server.headers[k] = redactValue(v as string);
+          }
+        }
+      }
+    }
+  }
+
+  return redacted;
+}
+
+// FIX 3 — Evitar "redaction round-trip"
+// Si recibimos una configuración con headers redactados (terminan en ••••••••),
+// preservamos el valor real que ya tenemos en memoria o BD.
+function mergeHeaders(newHeaders: Record<string, string>, oldHeaders: Record<string, string> = {}): Record<string, string> {
+  const merged = { ...newHeaders };
+  for (const [key, value] of Object.entries(merged)) {
+    if (typeof value === "string" && value.endsWith("••••••••")) {
+      if (oldHeaders[key]) {
+        merged[key] = oldHeaders[key];
+      }
+    }
+  }
+  return merged;
+}
+
+interface WebSocketData {
+  sessionId: string;
+  authenticatedAt: number;
+}
+
+export async function startGateway(config: Config): Promise<void> {
+  const host = config.gateway?.host ?? "127.0.0.1";
+  const port = config.gateway?.port ?? 18790;
+  const pidFile = expandPath(config.gateway?.pidFile ?? "~/.hive/gateway.pid");
+
+  // FIX 2 — startTime para calcular uptime en /status y /api/agents
+  const startTime = Date.now();
+
+  // CPU delta sampling — process.cpuUsage() is cumulative; we diff between calls
+  const numCores = osCpus().length || 1;
+  let lastCpuSample = process.cpuUsage();
+  let lastCpuSampleTime = Date.now();
+  const log = logger.child("gateway");
+  const mcpLog = logger.child("mcp:api");
+
+  log.info(`Starting gateway on ${host}:${port}`);
+
+  // ── Inicialización modular con manejo de errores ──────────────────────────
+  let agent: Agent;
+  let runner: AgentRunner;
+  let channelManager: ChannelManager;
+  let dbProvider: string;
+  let dbModel: string;
+  const agentList = config.agents?.list ?? [];
+  const defaultAgent = agentList.find((a) => a.default) ?? agentList[0];
+  const workspacePath = expandPath(defaultAgent?.workspace ?? "~/.hive/workspace");
+
+  // ── Bind port immediately so parent health-check doesn't timeout ──────────
+  // The full handler is loaded via server.reload() once initialization finishes
+  let server = Bun.serve<WebSocketData>({
+    port,
+    hostname: host,
+    fetch: (_req) => Response.json({ status: "starting" }),
+    websocket: { open() { }, message() { }, close() { } },
+  });
+  log.info(`Port ${port} bound (initializing gateway...)`);
+
+  try {
+    // Usar el inicializador modular para todos los componentes críticos
+    const init = await initializeGateway(config, pidFile);
+
+    agent = init.agent;
+    runner = init.runner;
+    channelManager = init.channelManager;
+    dbProvider = init.provider;
+    dbModel = init.model;
+
+    log.info("✅ Gateway initialization completed successfully");
+  } catch (error) {
+    log.error(`❌ Gateway initialization failed: ${(error as Error).message}`);
+    log.error("Stack trace:", (error as Error).stack);
+    process.exit(1);
+  }
+
+  // Check for insecure binding
+  if (host === "0.0.0.0" && config.security?.warnOnInsecureConfig !== false) {
+    log.warn("Gateway binding to 0.0.0.0 exposes server to all network interfaces!");
+  }
+
+  // ── CRON Handler setup ─────────────────────────────────────────────────────
+  function prepareTools(agentInstance: Agent, sessionId: string) {
+    // Tools are now handled by LangGraph internally via the supervisor
+    return undefined;
+  }
+
+  agent.on("cron", async (sessionId: string, task: string, jobId?: string, context?: { fecha_usuario: string; hora_usuario: string }) => {
+    log.info(`[CRON] Triggered task '${task}' for session ${sessionId}, jobId: ${jobId || 'unknown'} [${context?.fecha_usuario} ${context?.hora_usuario}]`);
+
+    let notifyChannel = "webchat";
+    let notifySessionId = sessionId;
+
+    if (jobId) {
+      try {
+        const db = getDb();
+        const cronJob = db.query<any, [string]>(
+          "SELECT user_id, notify_channel_id, task_config FROM cron_jobs WHERE id = ?"
+        ).get(jobId) as any;
+
+        if (cronJob) {
+          // Apply priority chain: explicit job channel → user preference → auto-detect
+          notifyChannel = resolveBestChannel(cronJob.user_id, cronJob.notify_channel_id);
+
+          // For external channels (telegram, discord, etc.) we need the channel-specific
+          // session ID (e.g. Telegram chatId), not the internal Hive userId.
+          // user_identities.channel_user_id is the exact value the channel uses as sessionId.
+          if (notifyChannel !== "webchat") {
+            const identity = db.query<{ channel_user_id: string }, [string, string]>(
+              "SELECT channel_user_id FROM user_identities WHERE user_id = ? AND channel = ? LIMIT 1"
+            ).get(cronJob.user_id, notifyChannel);
+            if (identity?.channel_user_id) {
+              notifySessionId = identity.channel_user_id;
+            } else {
+              // No identity found for this channel — fall back to webchat to avoid
+              // sending a non-parseable user UUID as a chat ID to an external channel.
+              log.warn(`[CRON] No identity found for channel '${notifyChannel}', falling back to webchat`);
+              notifyChannel = "webchat";
+              notifySessionId = cronJob.user_id;
+            }
+          } else {
+            notifySessionId = cronJob.user_id;
+          }
+        }
+      } catch (e) {
+        log.warn(`[CRON] Could not fetch notify channel for job ${jobId}: ${(e as Error).message}`);
+      }
+    }
+
+    // Use the resolved session for both internal processing and notifications
+    const activeSessionId = notifySessionId;
+
+    try {
+      await channelManager.send(notifyChannel, activeSessionId, {
+        content: `⏰ Ejecutando tarea: ${task}`,
+        type: "progress"
+      });
+    } catch (notifyErr) {
+      log.warn(`[CRON] Could not send start notification: ${(notifyErr as Error).message}`);
+    }
+
+    // Add as 'user' role so it appears in the chat history and the agent sees it as a direct request
+    const cronMessage = `[CRON] Scheduled task triggered: ${task}.
+[fecha_usuario: ${context?.fecha_usuario || ""}]
+[hora_usuario: ${context?.hora_usuario || ""}]
+Please execute it now.`;
+    dbService.addMessage(activeSessionId, "user", cronMessage);
+
+    laneQueue.enqueue(activeSessionId, async (_t, signal) => {
+      if (signal.aborted) return;
+      try {
+        const history = dbService.getMessages(activeSessionId);
+        const messages = history.map((row: ChatMessageRow) => ({
+          role: row.role as "user" | "assistant" | "system",
+          content: row.content,
+        }));
+
+        const provider = dbProvider;
+
+        log.info(`[CRON] Generating response for session ${activeSessionId}...`);
+        const response = await runner.generate({
+          provider: provider as any,
+          messages,
+          maxTokens: 4096,
+          tools: prepareTools(agent, activeSessionId),
+          maxSteps: 15,
+          threadId: activeSessionId,
+          onStep: async (step) => {
+            if (step.type === "text" && step.message) {
+              const trimmedMessage = (typeof step.message === "string" ? step.message : "").trim();
+              if (trimmedMessage) {
+                await channelManager.send(notifyChannel, notifySessionId, {
+                  content: trimmedMessage,
+                  type: "progress"
+                });
+              }
+            }
+            if (step.type === "tool_result" && step.message) {
+              try {
+                const result = JSON.parse(step.message);
+                if (result._sendToUser || result.status) {
+                  const userMessage = result.message || result.status || step.message;
+                  await channelManager.send(notifyChannel, notifySessionId, {
+                    content: `📊 ${userMessage}`,
+                    type: "progress"
+                  });
+                }
+              } catch { }
+            }
+          },
+        });
+
+        const responseContent = response.content?.trim() || "Task completed.";
+        dbService.addMessage(sessionId, "assistant", responseContent, {
+          response_type: "text",
+          channel: "cron"
+        });
+
+        const session = sessionManager.get(sessionId);
+        if (session?.ws) {
+          session.ws.send(JSON.stringify({ type: "message", sessionId: sessionId, content: responseContent } as OutboundMessage));
+        } else {
+          await channelManager.send(notifyChannel, notifySessionId, responseContent);
+        }
+      } catch (error) {
+        log.error(`[CRON] Error for session ${sessionId}: ${(error as Error).message}`);
+        await channelManager.send(notifyChannel, notifySessionId, {
+          content: `❌ Error en tarea programada: ${(error as Error).message}`,
+        });
+      }
+    });
+  });
+
+  // Set up hot reload watchers
+  const watchers: Array<() => void> = [];
+
+  // Note: Context store, Ethics, Supervisor Graph, LLM runner, and Channel Manager
+  // are now initialized by initializeGateway() above
+
+  // Handle messages from channels (Telegram, Discord, WhatsApp, Slack)
+  channelManager.onMessage(async (message: IncomingMessage) => {
+    log.info(`📥 Message from ${message.channel}:${message.accountId}`);
+    log.info(`   Session: ${message.sessionId}`);
+
+    const voiceConfig = voiceService.getChannelVoiceConfig(message.channel);
+    let messageContent = message.content;
+
+    let preferAudioResponse = false;
+    let inputType: "text" | "audio_transcribed" = "text";
+    let sttProviderUsed: string | null = null;
+
+    if (voiceConfig.voiceEnabled && message.audio) {
+      log.info(`🎙️ Voice enabled, processing audio...`);
+
+      if (!voiceConfig.sttProvider) {
+        log.warn(`⚠️ STT provider not configured for channel ${message.channel}`);
+        await channelManager.send(message.channel, message.sessionId, {
+          content: `🎙️ Para usar notas de voz, necesitas configurar el proveedor STT en la configuración del canal. Ve a Configuración > Canales > [Tu canal] y configura "Prov. STT" (ej: groq-whisper o openai)`,
+        });
+        return;
+      }
+
+      try {
+        const audioInput = voiceService.normalizeAudioFromChannel(message.channel, message.audio);
+        sttProviderUsed = voiceConfig.sttProvider || "groq-whisper";
+        messageContent = await voiceService.transcribe(audioInput, sttProviderUsed);
+        log.info(`📝 Transcribed: ${messageContent.substring(0, 100)}...`);
+
+        inputType = "audio_transcribed";
+        // If user sent audio and TTS is available, always respond in audio
+        preferAudioResponse = !!voiceConfig.ttsProvider;
+
+        await channelManager.send(message.channel, message.sessionId, {
+          content: `🎙️ Transcripción: ${messageContent}`,
+          type: "message"
+        });
+      } catch (error) {
+        log.error(`❌ Transcription failed: ${(error as Error).message}`);
+        await channelManager.send(message.channel, message.sessionId, {
+          content: `Error al transcribir audio: ${(error as Error).message}`,
+        });
+        return;
+      }
+    }
+
+    log.info(`   Content: ${messageContent.substring(0, 150)}${messageContent.length > 150 ? "..." : ""}`);
+
+    const { userId } = resolveContext({
+      channel: message.channel,
+      channelUserId: message.sessionId,
+    });
+
+    const telegramMeta = message.metadata?.telegram as { messageId?: number } | undefined;
+    const messageId = telegramMeta?.messageId?.toString();
+    await Promise.all([
+      channelManager.markAsRead(message.channel, message.sessionId, messageId),
+      channelManager.startTyping(message.channel, message.sessionId),
+    ]);
+
+    // unifiedSessionId = userId del onboarding → historial y thread LangGraph unificados
+    const unifiedSessionId = userId;
+    // routingSessionId = peerId del canal → para enviar respuestas de vuelta al canal correcto
+    const routingSessionId = message.sessionId;
+
+    const userMetadata = inputType === "audio_transcribed"
+      ? { input_type: "audio_transcribed", stt_provider: sttProviderUsed, channel: message.channel }
+      : { input_type: "text", channel: message.channel };
+
+    dbService.addMessage(unifiedSessionId, "user", messageContent, userMetadata);
+
+    // Obtener la zona horaria del usuario para el timestamp exacto
+    const userRow = getDb()
+      .query<any, [string]>("SELECT * FROM users WHERE id = ?")
+      .get(userId);
+    const userTimezone = userRow?.timezone || "UTC";
+    const now = new Date();
+    let exactTime = "";
+    try {
+      exactTime = now.toLocaleString("en-US", {
+        timeZone: userTimezone,
+        dateStyle: "full",
+        timeStyle: "long",
+      });
+    } catch (e) {
+      exactTime = now.toISOString();
+    }
+    const messageContentWithTime = `[Timestamp: ${exactTime} (${userTimezone})]\n${messageContent}`;
+
+    const messages = [{ role: "user" as const, content: messageContentWithTime }];
+
+    try {
+      log.info(`🤖 Routing to agent loop...`);
+
+      const response = await runner.generate({
+        provider: dbProvider as any,
+        messages,
+        maxTokens: 4096,
+        tools: prepareTools(agent, unifiedSessionId),
+        maxSteps: 15,
+        threadId: unifiedSessionId,
+        userId,
+        channel: message.channel,
+        onStep: async (step) => {
+          // "text" = el agente narra lo que está pensando/haciendo antes de un tool_call
+          if (step.type === "text" && step.message) {
+            const trimmedMessage = (typeof step.message === "string" ? step.message : "").trim();
+            if (trimmedMessage) {
+              log.debug(`[NARRATION] ${trimmedMessage.substring(0, 100)}`);
+              await channelManager.send(message.channel, routingSessionId, {
+                content: trimmedMessage,
+                type: "progress",
+              });
+            }
+            return;
+          }
+
+          // "tool_call" = el agente va a ejecutar una herramienta → narrar al usuario
+          if (step.type === "tool_call" && step.toolName) {
+            const narration = getNarration(step.toolName);
+            log.debug(`[TOOL] ${step.toolName} → "${narration}"`);
+            await channelManager.send(message.channel, routingSessionId, {
+              content: narration,
+              type: "progress",
+            });
+            return;
+          }
+
+          // "tool_result" = resultado de la herramienta
+          // Solo enviamos al usuario si el resultado lo pide explícitamente
+          if (step.type === "tool_result" && step.message) {
+            try {
+              const result = JSON.parse(step.message);
+              if (result._sendToUser) {
+                const userMessage = result.message || result.status || step.message;
+                await channelManager.send(message.channel, routingSessionId, {
+                  content: userMessage,
+                  type: "progress",
+                });
+              }
+            } catch {
+              // No es JSON estructurado — no enviamos resultados crudos al usuario
+            }
+            return;
+          }
+        },
+      });
+
+      const responseContent = response.content || "...";
+      log.info(`📤 LLM response: ${responseContent.substring(0, 100)}${responseContent.length > 100 ? "..." : ""}`);
+
+      const shouldSpeak = preferAudioResponse;
+      let responseType: "text" | "audio" = "text";
+      let ttsProviderUsed: string | null = null;
+      let ttsMimeType: string | null = null;
+
+      if (responseContent && responseContent !== "...") {
+        if (shouldSpeak) {
+          if (!voiceConfig.ttsProvider) {
+            log.warn(`⚠️ TTS provider not configured, user requested audio`);
+            await channelManager.send(message.channel, routingSessionId, {
+              content: `${responseContent}\n\n🔊 Para recibir respuestas en audio, configura el proveedor TTS en Configuración > Canales > [Tu canal] (ej: elevenlabs, openai-tts)`
+            });
+          } else {
+            try {
+              log.info(`🔊 TTS enabled, synthesizing audio...`);
+              const audioOutput = await voiceService.speak(responseContent, voiceConfig.ttsProvider, voiceConfig.ttsVoiceId || undefined);
+              ttsProviderUsed = voiceConfig.ttsProvider;
+              ttsMimeType = audioOutput.mimeType;
+              responseType = "audio";
+
+              const channel = channelManager.getChannel(message.channel);
+              if (channel?.sendAudio) {
+                await channel.sendAudio(routingSessionId, audioOutput.data as Buffer, audioOutput.mimeType);
+                log.info(`✅ Audio sent to ${routingSessionId}`);
+              } else {
+                await channelManager.send(message.channel, routingSessionId, { content: responseContent });
+              }
+            } catch (error) {
+              log.error(`❌ TTS failed: ${(error as Error).message}), sending text instead`);
+              await channelManager.send(message.channel, routingSessionId, { content: responseContent });
+            }
+          }
+        } else {
+          await channelManager.send(message.channel, routingSessionId, { content: responseContent });
+        }
+      }
+
+      const assistantMetadata = {
+        response_type: responseType,
+        tts_provider: ttsProviderUsed,
+        mime_type: ttsMimeType,
+        channel: message.channel
+      };
+      dbService.addMessage(unifiedSessionId, "assistant", responseContent, assistantMetadata);
+
+      await channelManager.stopTyping(message.channel, routingSessionId);
+      log.info(`✅ Response sent to ${routingSessionId} via ${message.channel}`);
+    } catch (error) {
+      await channelManager.stopTyping(message.channel, routingSessionId);
+      log.error(`❌ Error: ${(error as Error).message} `);
+      await channelManager.send(message.channel, routingSessionId, {
+        content: `Error: ${(error as Error).message} `,
+      });
+    }
+  });
+
+  // ── Auth helper ──────────────────────────────────────────────────────────
+  // En modo desarrollo (HIVE_DEV=true), no requerimos autenticación
+  const isDev = process.env.HIVE_DEV === "true" || process.env.NODE_ENV === "development";
+
+  function checkAuth(req: Request, url: URL): boolean {
+    // En modo desarrollo, permitir todo
+    if (isDev) return true;
+
+    // Read live from env so the token set during setup/complete takes effect immediately
+    const activeToken = process.env.HIVE_AUTH_TOKEN;
+    if (!activeToken) return true;
+    const authHeader = req.headers.get("authorization");
+    const provided = authHeader?.replace(/^Bearer\s+/i, "") ?? url.searchParams.get("token");
+    return provided === activeToken;
+  }
+
+  // Reload with full handler now that initialization is complete
+  server.reload({
+    async fetch(req, server) {
+      const start = Date.now();
+      const url = new URL(req.url);
+      const method = req.method;
+
+      const logRequest = (status: number, duration: number) => {
+        // Skip health checks from spamming logs unless debug
+        if (url.pathname === "/health" || url.pathname === "/health/") {
+          log.debug(`${method} ${url.pathname} - ${status} (${duration}ms)`);
+        } else {
+          log.info(`${method} ${url.pathname} - ${status} (${duration}ms)`);
+        }
+      };
+
+      const handleRequest = async (): Promise<Response | undefined> => {
+
+        // ── CORS preflight ────────────────────────────────────────────────────
+        if (req.method === "OPTIONS") {
+          const origin = req.headers.get("Origin");
+          if (origin && (origin.includes("localhost") || origin.includes("127.0.0.1") || CORS_ORIGINS.some(o => origin.includes(o.replace("http://", ""))))) {
+            return new Response(null, {
+              status: 204,
+              headers: {
+                "Access-Control-Allow-Origin": origin,
+                "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
+                "Access-Control-Allow-Headers": "Content-Type, Authorization, Accept, X-Requested-With",
+                "Access-Control-Allow-Credentials": "true",
+                "Access-Control-Max-Age": "86400",
+              },
+            });
+          }
+          return new Response(null, { status: 204 });
+        }
+
+        // ── WebSocket upgrade ────────────────────────────────────────────────
+        if (url.pathname === "/ws" || url.pathname === "/ws/") {
+          // En modo desarrollo, no requerir autenticación para WebSocket
+          if (!isDev && !checkAuth(req, url)) {
+            return new Response("Unauthorized", { status: 401 });
+          }
+          const sessionId = url.searchParams.get("session") || process.env.HIVE_USER_ID;
+          if (!sessionId) {
+            return new Response("Missing session or user ID", { status: 400 });
+          }
+          const success = server.upgrade(req, {
+            data: { sessionId, authenticatedAt: Date.now() },
+          });
+          if (success) return undefined;
+          return new Response("WebSocket upgrade failed", { status: 400 });
+        }
+
+        // ── Bridge Events WebSocket upgrade ────────────────────────────────────
+        if (url.pathname === "/bridge-events" || url.pathname === "/bridge-events/") {
+          const sessionId = `bridge:${url.searchParams.get("sessionId") ?? (process.env.HIVE_USER_ID ?? "default")}`;
+          const success = server.upgrade(req, { data: { sessionId, authenticatedAt: Date.now() } });
+          if (success) return undefined;
+          return new Response("Bridge events WebSocket upgrade failed", { status: 400 });
+        }
+
+        // ── Canvas WebSocket upgrade ────────────────────────────────────────────
+        if (url.pathname === "/canvas" || url.pathname === "/canvas/") {
+          // En modo desarrollo, no requerir autenticación para Canvas WebSocket
+          let sessionId = url.searchParams.get("sessionId") ?? url.searchParams.get("session");
+          if (!sessionId && process.env.HIVE_USER_ID) {
+            sessionId = `canvas:${process.env.HIVE_USER_ID}`;
+          }
+          if (!sessionId) {
+            return new Response("Missing session or user ID for canvas", { status: 400 });
+          }
+          const success = server.upgrade(req, {
+            data: { sessionId: sessionId.startsWith("canvas:") ? sessionId : `canvas:${sessionId}`, authenticatedAt: Date.now() },
+          });
+          if (success) return undefined;
+          return new Response("Canvas WebSocket upgrade failed", { status: 400 });
+        }
+
+        // ── Health (must be before UI routing so it works in dev mode too) ───
+        if (url.pathname === "/health" || url.pathname === "/health/") {
+          return addCorsHeaders(Response.json({ status: "ok", pid: process.pid }), req);
+        }
+
+        // ── Dashboard / UI ────────────────────────────────────────────────────
+        // In development: UI is served by Vite on port 5173, Gateway only handles /api and /ws
+        // In production: serve static files from packages/hive-ui/dist
+
+        // Check if this is an API or WebSocket request
+        const isApiRequest = url.pathname.startsWith("/api");
+        const isWsRequest = url.pathname.startsWith("/ws");
+        const isUiRequest = url.pathname === "/ui" || url.pathname === "/ui/" || url.pathname.startsWith("/ui/") || url.pathname.startsWith("/ui?");
+        const isSetupRequest = url.pathname === "/setup" || url.pathname === "/setup/" || url.pathname.startsWith("/setup/") || url.pathname.startsWith("/setup?");
+
+        // In development mode, skip UI handling - Vite handles it directly
+        // Only serve static files from dist if they exist (production mode)
+        if (!isApiRequest && !isWsRequest) {
+          // In development: tell user to use Vite directly
+          if (isDev) {
+            return new Response(
+              "UI not available through Gateway in development.\n\n" +
+              "Use Vite directly: http://localhost:5173\n",
+              { status: 404, headers: { "Content-Type": "text/plain" } }
+            );
+          }
+
+          // In production: serve from dist folder
+          const uiDir = path.join(process.cwd(), "packages/hive-ui/dist");
+          let subPath = url.pathname;
+
+          // Normalize path for /ui routes
+          if (subPath === "/ui" || subPath === "/ui/") {
+            subPath = "/index.html";
+          } else if (subPath.startsWith("/ui/")) {
+            subPath = subPath.replace(/^\/ui/, "");
+            if (!subPath) subPath = "/index.html";
+          } else if (subPath === "/") {
+            subPath = "/index.html";
+          }
+
+          // Normalize path for /setup routes
+          if (subPath === "/setup" || subPath === "/setup/") {
+            subPath = "/index.html";
+          } else if (subPath.startsWith("/setup/")) {
+            subPath = subPath.replace(/^\/setup/, "");
+            if (!subPath) subPath = "/index.html";
+          }
+
+          const filePath = path.join(uiDir, subPath);
+          const uiFile = Bun.file(filePath);
+          if (await uiFile.exists()) {
+            return new Response(uiFile);
+          }
+
+          // If it's a UI route and no dist, show message
+          if (isUiRequest || isSetupRequest) {
+            return new Response(
+              "UI not found.\n\n" +
+              "To build for production:\n" +
+              "  cd packages/hive-ui && bun run build\n",
+              { status: 404, headers: { "Content-Type": "text/plain" } }
+            );
+          }
+        }
+
+        // Handle /dashboard redirect for backwards compatibility
+        if (url.pathname.startsWith("/dashboard")) {
+          const tokenParam = url.searchParams.get("token") ? `? token = ${url.searchParams.get("token")} ` : "";
+          return Response.redirect(`/ ui${tokenParam} `, 301);
+        }
+
+        // ── Rutas que requieren autenticación ────────────────────────────────
+        if (!checkAuth(req, url)) {
+          log.warn(`[AUTH] Unauthorized request to ${url.pathname} from ${req.headers.get("origin")} `);
+          return new Response("Unauthorized", { status: 401 });
+        }
+
+        // ── Setup API ────────────────────────────────────────────────────────
+        // Only available when hive.db does not exist (first-run mode)
+        const isSetupMode = !existsSync(getDbPathLazy());
+
+        // GET /api/setup/status - Check if setup is needed
+        if (url.pathname === "/api/setup/status" || url.pathname === "/api/setup/status/") {
+          return addCorsHeaders(Response.json({
+            configured: !isSetupMode,
+            setupMode: isSetupMode,
+          }), req);
+        }
+
+        // POST /api/setup/verify-provider - Verify API key
+        if (url.pathname === "/api/setup/verify-provider" && req.method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          const { provider, apiKey, model } = body;
+
+          if (!provider || !apiKey) {
+            return addCorsHeaders(Response.json({
+              success: false,
+              error: "Provider and API key are required",
+            }, { status: 400 }), req);
+          }
+
+          try {
+            let testUrl: string | null = null;
+            let testBody: any = null;
+            let headers: Record<string, string> = {};
+
+            const testMessages = [{ role: "user" as const, content: "Say 'ok' if you can read this." }];
+
+            if (provider === "ollama") {
+              // Ollama doesn't require API key, just check if it's running
+              try {
+                const response = await fetch("http://localhost:11434/api/tags", {
+                  signal: AbortSignal.timeout(5000),
+                });
+                return addCorsHeaders(Response.json({
+                  success: response.ok,
+                  error: response.ok ? null : "Could not connect to Ollama",
+                }), req);
+              } catch {
+                return addCorsHeaders(Response.json({
+                  success: false,
+                  error: "Could not connect to Ollama at http://localhost:11434",
+                }), req);
+              }
+            }
+
+            if (provider === "anthropic") {
+              testUrl = "https://api.anthropic.com/v1/messages";
+              testBody = {
+                model: model || "claude-sonnet-4-6",
+                max_tokens: 10,
+                messages: testMessages,
+              };
+              headers = {
+                "Content-Type": "application/json",
+                "x-api-key": apiKey,
+                "anthropic-version": "2023-06-01",
+                "anthropic-dangerous-direct-browser-access": "true",
+              };
+            } else if (provider === "openai") {
+              testUrl = "https://api.openai.com/v1/chat/completions";
+              testBody = {
+                model: model || "gpt-5.2",
+                max_tokens: 10,
+                messages: testMessages,
+              };
+              headers = {
+                "Content-Type": "application/json",
+                "Authorization": `Bearer ${apiKey}`,
+              };
+            } else if (provider === "gemini") {
+              testUrl = `https://generativelanguage.googleapis.com/v1beta/models/${model || "gemini-2.5-flash"}:generateContent?key=${apiKey}`;
+              testBody = {
+                contents: [{ parts: [{ text: "Say ok" }] }],
+              };
+              headers = { "Content-Type": "application/json" };
+            } else if (provider === "groq") {
+              testUrl = "https://api.groq.com/openai/v1/chat/completions";
+              testBody = {
+                model: model || "llama-3.3-70b-versatile",
+                max_tokens: 10,
+                messages: testMessages,
+              };
+              headers = {
+                "Content-Type": "application/json",
+                "Authorization": `Bearer ${apiKey}`,
+              };
+            } else if (provider === "openrouter") {
+              testUrl = "https://openrouter.ai/api/v1/chat/completions";
+              testBody = {
+                model: model || "meta-llama/llama-3.3-70b-instruct",
+                max_tokens: 10,
+                messages: testMessages,
+              };
+              headers = {
+                "Content-Type": "application/json",
+                "Authorization": `Bearer ${apiKey}`,
+              };
+            }
+
+            if (!testUrl) {
+              return addCorsHeaders(Response.json({
+                success: false,
+                error: "Unsupported provider",
+              }, { status: 400 }), req);
+            }
+
+            const response = await fetch(testUrl, {
+              method: "POST",
+              headers,
+              body: JSON.stringify(testBody),
+              signal: AbortSignal.timeout(10000),
+            });
+
+            return addCorsHeaders(Response.json({
+              success: response.ok,
+              error: response.ok ? null : `API error: ${response.status}`,
+            }), req);
+          } catch (error) {
+            return addCorsHeaders(Response.json({
+              success: false,
+              error: `Connection error: ${(error as Error).message}`,
+            }), req);
+          }
+        }
+
+        // POST /api/setup/complete - Complete setup wizard
+        if (url.pathname === "/api/setup/complete" && req.method === "POST") {
+          if (!isSetupMode) {
+            return addCorsHeaders(Response.json({
+              success: false,
+              error: "Setup already completed. Use config endpoints to modify settings.",
+            }, { status: 400 }), req);
+          }
+
+          const body = await req.json().catch(() => ({}));
+
+          try {
+            // Import onboarding functions
+            const {
+              initOnboardingDb,
+              saveUserProfile,
+              saveProviderConfig,
+              activateChannel,
+              saveVoiceConfig,
+            } = await import("../storage/onboarding");
+            const { randomUUID } = await import("node:crypto");
+            const { saveToken } = await import("../integrations/env");
+
+            // Initialize database with schema and seeds
+            initOnboardingDb();
+            log.info("✅ Database initialized with schema and seeds");
+
+            // Generate IDs
+            const userId = `user_${randomUUID().split("-")[0]}`;
+            const agentId = `agent_${randomUUID().split("-")[0]}`;
+            const channelUserId = randomUUID();
+
+            // Save user profile
+            saveUserProfile({
+              userId,
+              userName: body.userName || "User",
+              userLanguage: body.userLanguage || "es",
+              userTimezone: body.userTimezone || "UTC",
+              userOccupation: body.userOccupation || "",
+              userNotes: body.userNotes || "",
+              agentName: body.agentName || "Bee",
+              agentId,
+              agentDescription: body.agentDescription || "",
+              agentTone: "friendly",
+              channelUserId,
+            });
+            log.info(`✅ User profile saved: ${userId}`);
+
+            // Save provider config with API key
+            if (body.provider && body.apiKey) {
+              await saveProviderConfig({
+                userId,
+                provider: body.provider,
+                model: body.model,
+                apiKey: body.apiKey,
+              });
+              log.info(`✅ Provider config saved: ${body.provider}/${body.model}`);
+            }
+
+            // Activate WebChat channel (always enabled)
+            await activateChannel(userId, {
+              channelId: "webchat",
+              channelUserId,
+              config: {},
+            });
+            log.info("✅ WebChat channel activated");
+
+            // Activate other channels if configured
+            if (body.channels) {
+              for (const [channelId, channelData] of Object.entries(body.channels as Record<string, any>)) {
+                if (channelId !== "webchat" && channelData.enabled) {
+                  await activateChannel(userId, {
+                    channelId,
+                    config: channelData.config || {},
+                  });
+                  log.info(`✅ Channel activated: ${channelId}`);
+                }
+              }
+            }
+
+            // Save voice config if enabled
+            if (body.voiceEnabled) {
+              await saveVoiceConfig({
+                userId,
+                channelId: "webchat",
+                voiceEnabled: true,
+                sttProvider: body.sttProvider || "groq-whisper",
+                ttsProvider: body.ttsProvider || "elevenlabs",
+              });
+              log.info("✅ Voice config saved");
+            }
+
+            // Generate auth token and persist to .env (loaded by buildDefaultConfig on next start)
+            const authToken = randomUUID().replace(/-/g, "");
+            saveToken("HIVE_AUTH_TOKEN", authToken);
+
+            // Update the running process env + in-memory config so auth works immediately
+            process.env.HIVE_AUTH_TOKEN = authToken;
+            process.env.HIVE_USER_ID = userId;
+            process.env.HIVE_AGENT_ID = agentId;
+            config.gateway = { ...config.gateway, authToken };
+
+            return addCorsHeaders(Response.json({
+              success: true,
+              userId,
+              agentId,
+              authToken,
+              message: "Setup completed successfully",
+            }), req);
+          } catch (error) {
+            log.error(`❌ Setup failed: ${(error as Error).message}`);
+            return addCorsHeaders(Response.json({
+              success: false,
+              error: (error as Error).message,
+            }, { status: 500 }), req);
+          }
+        }
+
+        // ── Status ───────────────────────────────────────────────────────────
+        // FIX 3 — Cache-Control: max-age=5 para que el dashboard no haga
+        // polling más frecuente de cada 5 segundos (causa del spam en Network tab)
+        if (url.pathname === "/status" || url.pathname === "/status/") {
+          return addCorsHeaders(new Response(
+            JSON.stringify({
+              status: "ok",
+              version: "0.1.7",
+              uptime: Math.floor((Date.now() - startTime) / 1000),
+              gateway: { host, port },
+              sessions: sessionManager.list().map((s) => ({
+                id: s.id,
+                createdAt: s.createdAt,
+                messageCount: s.messageCount,
+              })),
+              channels: channelManager.listChannels(),
+              queue: { activeSessions: 0 },
+            }),
+            {
+              headers: {
+                "Content-Type": "application/json",
+                // Decirle al browser/dashboard que este endpoint no cambia
+                // más rápido que 5 segundos — frena el polling descontrolado
+                "Cache-Control": "max-age=5",
+              },
+            }
+          ), req);
+        }
+
+        // ── Activity Stats (message counts per hour) ──────────────────────────
+        if (url.pathname === "/api/activity-stats" || url.pathname === "/api/activity-stats/") {
+          const hours = Math.min(parseInt(url.searchParams.get("hours") || "12"), 48);
+          try {
+            const db = getDb();
+            const now = Math.floor(Date.now() / 1000);
+            const result: Array<{ time: string; count: number }> = [];
+            for (let i = hours - 1; i >= 0; i--) {
+              const from = now - (i + 1) * 3600;
+              const to = now - i * 3600;
+              const row = db.prepare(
+                `SELECT COUNT(*) as count FROM messages WHERE created_at >= ? AND created_at < ? AND role IN ('user','assistant')`
+              ).get(from, to) as { count: number };
+              result.push({ time: i === 0 ? "Ahora" : `${i}h`, count: row.count });
+            }
+            return addCorsHeaders(Response.json(result, {
+              headers: { "Cache-Control": "max-age=60" }
+            }), req);
+          } catch (error) {
+            log.error(`[API] Failed to get activity stats: ${(error as Error).message}`);
+            return addCorsHeaders(Response.json({ error: "Failed" }, { status: 500 }), req);
+          }
+        }
+
+        // ── System Stats (CPU, Memory, Uptime) ────────────────────────────────
+        if (url.pathname === "/api/system-stats" || url.pathname === "/api/system-stats/") {
+          const mem = process.memoryUsage();
+          const uptimeSeconds = Math.floor((Date.now() - startTime) / 1000);
+
+          // Proper CPU % = delta CPU time / delta wall time (per core)
+          const nowMs = Date.now();
+          const currentCpu = process.cpuUsage();
+          const elapsedUs = (nowMs - lastCpuSampleTime) * 1000;
+          const cpuDeltaUs = (currentCpu.user - lastCpuSample.user) + (currentCpu.system - lastCpuSample.system);
+          const cpuPercent = elapsedUs > 0
+            ? Math.min(100, Math.round((cpuDeltaUs / (elapsedUs * numCores)) * 100))
+            : 0;
+          lastCpuSample = currentCpu;
+          lastCpuSampleTime = nowMs;
+
+          const formatUptime = (seconds: number): string => {
+            const days = Math.floor(seconds / 86400);
+            const hours = Math.floor((seconds % 86400) / 3600);
+            const minutes = Math.floor((seconds % 3600) / 60);
+            if (days > 0) return `${days}d ${hours}h ${minutes}m`;
+            if (hours > 0) return `${hours}h ${minutes}m`;
+            if (minutes > 0) return `${minutes}m`;
+            return `${seconds % 60}s`;
+          };
+
+          const fmt = (b: number) => `${(b / 1024 / 1024).toFixed(1)} MB`;
+
+          const rssMB = Math.round(mem.rss / 1024 / 1024);
+          const heapUsedMB = Math.round(mem.heapUsed / 1024 / 1024);
+          const heapTotalMB = Math.round(mem.heapTotal / 1024 / 1024);
+          // heapUsed can briefly exceed heapTotal while V8 expands — cap at 100
+          const heapPercent = Math.min(100, Math.round((mem.heapUsed / Math.max(mem.heapTotal, 1)) * 100));
+
+          // Recent messages (last 5 min) as activity indicator
+          let recentMessages = 0;
+          try {
+            const since5m = Math.floor(Date.now() / 1000) - 300;
+            recentMessages = (getDb().prepare(
+              `SELECT COUNT(*) as c FROM messages WHERE created_at >= ? AND role IN ('user','assistant')`
+            ).get(since5m) as { c: number }).c;
+          } catch { /* non-critical */ }
+
+          log.debug(`[API] System stats: rss=${rssMB}MB heap=${heapUsedMB}/${heapTotalMB}MB msgs5m=${recentMessages}`);
+
+          return addCorsHeaders(Response.json({
+            cpu: cpuPercent,
+            memory: {
+              rss: rssMB,
+              heapUsed: heapUsedMB,
+              heapTotal: heapTotalMB,
+              heapPercent,
+              external: Math.round(mem.external / 1024 / 1024),
+              // legacy fields kept for compatibility
+              used: heapUsedMB,
+              total: heapTotalMB,
+              percentage: heapPercent,
+            },
+            uptime: formatUptime(uptimeSeconds),
+            connections: sessionManager.list().length,
+            cores: numCores,
+            recentMessages,
+          }, {
+            headers: { "Cache-Control": "max-age=2" }
+          }), req);
+        }
+
+        // ── Interactive Benchmark ────────────────────────────────────────────
+        if (url.pathname === "/api/benchmark" || url.pathname === "/api/benchmark/") {
+          if (req.method === "POST") {
+            log.info(`[API] Running interactive benchmark...`);
+            const bench = new Benchmark("UI Interactive").start();
+
+            // Capture a snapshot of current resource usage
+            const metrics = bench.stop();
+
+            return addCorsHeaders(Response.json({
+              success: true,
+              timestamp: new Date().toISOString(),
+              metrics
+            }), req);
+          }
+        }
+
+        // ── System Reload (Hot Reload for MCP, Tools, Agents) ────────────────
+        if (url.pathname === "/api/system/reload" || url.pathname === "/api/system/reload/") {
+          if (req.method === "POST") {
+            if (!checkAuth(req, url)) {
+              return addCorsHeaders(new Response("Unauthorized", { status: 401 }), req);
+            }
+            log.info(`[API] 🔄 System reload requested...`);
+            try {
+              // Re-init the agent to pick up new MCP servers from the DB
+              await agent.initialize();
+              log.info(`[API] Agent re - initialized(MCPs reconnected)`);
+
+              // Rebuild the supervisor graph so sub-agents are refreshed too
+              const mcp = agent.getMCPManager();
+              if (mcp) {
+                await rebuildSupervisorGraph({ mcpManager: mcp });
+                log.info(`[API] Supervisor graph rebuilt`);
+              }
+
+              return addCorsHeaders(Response.json({
+                success: true,
+                message: "System reloaded. New tools, MCP servers, and providers are now active.",
+                timestamp: new Date().toISOString(),
+              }), req);
+            } catch (error) {
+              log.error(`[API] System reload failed: ${(error as Error).message} `);
+              return addCorsHeaders(Response.json({
+                success: false,
+                error: (error as Error).message,
+              }, { status: 500 }), req);
+            }
+          }
+        }
+
+        // ── Usage Stats (tokens, costs) ───────────────────────────────────────
+        if (url.pathname === "/api/usage-stats" || url.pathname === "/api/usage-stats/") {
+          const hours = parseInt(url.searchParams.get("hours") || "24");
+          log.info(`[API] GET / api / usage - stats hours = ${hours} `);
+          try {
+            const stats = getUsageStats(Math.min(hours, 720));
+            log.info(`[API] Usage stats response: totalTokens = ${stats.totalTokens} totalCost = $${stats.totalCostUsd.toFixed(4)} providers = ${Object.keys(stats.byProvider).length} `);
+            return addCorsHeaders(Response.json(stats, {
+              headers: { "Cache-Control": "max-age=30" }
+            }), req);
+          } catch (error) {
+            log.error(`[API] Failed to get usage stats: ${(error as Error).message} `);
+            return addCorsHeaders(Response.json({ error: "Failed to get usage stats" }, { status: 500 }), req);
+          }
+        }
+
+        // ── Config ───────────────────────────────────────────────────────────
+        if (url.pathname === "/api/config") {
+          if (req.method === "GET") {
+            // FIX 1 — nunca devolver el config raw con secrets
+            return addCorsHeaders(Response.json(redactConfig(config)), req);
+          }
+        }
+
+        // ── Projects API ─────────────────────────────────────────────────────
+
+        // GET /api/projects — lista todos los proyectos con sus tareas anidadas
+        if (url.pathname === "/api/projects" || url.pathname === "/api/projects/") {
+          const db = getDb();
+          if (req.method === "GET") {
+            const statusFilter = url.searchParams.get("status");
+            const query = statusFilter
+              ? `SELECT * FROM projects WHERE status = ? ORDER BY created_at DESC`
+              : `SELECT * FROM projects ORDER BY created_at DESC`;
+            const projects = (statusFilter
+              ? db.query(query).all(statusFilter)
+              : db.query(query).all()) as any[];
+
+            const result = projects.map((p: any) => ({
+              ...p,
+              tasks: db.query("SELECT * FROM tasks WHERE project_id = ? ORDER BY id ASC").all(p.id),
+            }));
+            return addCorsHeaders(Response.json(result), req);
+          }
+        }
+
+        if (url.pathname === "/api/projects/active") {
+          if (req.method === "GET") {
+            const db = getDb();
+            const projects = db.query("SELECT * FROM projects WHERE status IN ('active','pending','paused') ORDER BY created_at DESC").all() as any[];
+            const result = projects.map((p: any) => ({
+              ...p,
+              tasks: db.query("SELECT * FROM tasks WHERE project_id = ? ORDER BY id ASC").all(p.id),
+            }));
+            return addCorsHeaders(Response.json(result), req);
+          }
+        }
+
+        if (url.pathname === "/api/projects/history") {
+          if (req.method === "GET") {
+            const page = parseInt(url.searchParams.get("page") || "1");
+            const limit = parseInt(url.searchParams.get("limit") || "20");
+            const offset = (page - 1) * limit;
+
+            const db = getDb();
+            const projects = db.query(
+              "SELECT * FROM projects WHERE status IN ('done','failed') ORDER BY completed_at DESC LIMIT ? OFFSET ?"
+            ).all(limit, offset) as any[];
+
+            const total = db.query("SELECT COUNT(*) as count FROM projects WHERE status IN ('done', 'failed')").get() as { count: number };
+
+            return addCorsHeaders(Response.json({
+              data: projects.map((p: any) => ({
+                ...p,
+                tasks: db.query("SELECT * FROM tasks WHERE project_id = ? ORDER BY id ASC").all(p.id),
+              })),
+              pagination: {
+                page,
+                limit,
+                total: total.count,
+                pages: Math.ceil(total.count / limit)
+              }
+            }), req);
+          }
+        }
+
+        // GET/PATCH /api/projects/:id
+        const projectDetailMatch = url.pathname.match(/^\/api\/projects\/([^/]+)$/);
+        if (projectDetailMatch) {
+          const projectId = projectDetailMatch[1];
+          const db = getDb();
+
+          if (req.method === "GET") {
+            const project = db.query("SELECT * FROM projects WHERE id = ?").get(projectId) as any;
+            if (!project) return new Response("Project not found", { status: 404 });
+
+            const tasks = db.query("SELECT * FROM tasks WHERE project_id = ? ORDER BY id ASC").all(projectId);
+            const subprojects = db.query("SELECT * FROM projects WHERE parent_id = ?").all(projectId);
+            return addCorsHeaders(Response.json({ ...project, tasks, subprojects }), req);
+          }
+
+          if (req.method === "PATCH") {
+            const body = await req.json().catch(() => ({}));
+            const { status } = body;
+            if (!status || !['active', 'paused', 'done', 'failed', 'pending'].includes(status)) {
+              return new Response("Invalid status", { status: 400 });
+            }
+
+            const result = db.query("UPDATE projects SET status = ?, updated_at = unixepoch() WHERE id = ?").run(status, projectId);
+            if (result.changes === 0) return new Response("Project not found", { status: 404 });
+
+            return addCorsHeaders(Response.json({ success: true, status }), req);
+          }
+        }
+
+        // GET /api/projects/:id/tasks
+        const projectTasksMatch = url.pathname.match(/^\/api\/projects\/([^/]+)\/tasks$/);
+        if (projectTasksMatch) {
+          const projectId = projectTasksMatch[1];
+          const db = getDb();
+
+          if (req.method === "GET") {
+            const project = db.query("SELECT id FROM projects WHERE id = ?").get(projectId);
+            if (!project) return new Response("Project not found", { status: 404 });
+            const tasks = db.query("SELECT * FROM tasks WHERE project_id = ? ORDER BY id ASC").all(projectId);
+            return addCorsHeaders(Response.json(tasks), req);
+          }
+        }
+
+        // GET /api/tasks — lista tareas (filtro por agentId opcional)
+        if (url.pathname === "/api/tasks" || url.pathname === "/api/tasks/") {
+          const db = getDb();
+          if (req.method === "GET") {
+            const agentId = url.searchParams.get("agentId");
+            const tasks = agentId
+              ? db.query("SELECT * FROM tasks WHERE agent_id = ? ORDER BY id ASC").all(agentId)
+              : db.query("SELECT * FROM tasks ORDER BY id DESC LIMIT 100").all();
+            return addCorsHeaders(Response.json(tasks), req);
+          }
+        }
+
+        // PATCH /api/tasks/:id
+        const taskDetailMatch = url.pathname.match(/^\/api\/tasks\/(\d+)$/);
+        if (taskDetailMatch) {
+          const taskId = parseInt(taskDetailMatch[1]);
+          const db = getDb();
+
+          if (req.method === "PATCH") {
+            const body = await req.json().catch(() => ({}));
+            const allowed = ["status", "progress", "result", "agent_id"];
+            const fields: string[] = ["updated_at = unixepoch()"];
+            const values: any[] = [];
+
+            for (const key of allowed) {
+              if (body[key] !== undefined) {
+                fields.push(`${key} = ?`);
+                values.push(body[key]);
+              }
+            }
+            values.push(taskId);
+
+            const result = db.query(`UPDATE tasks SET ${fields.join(", ")} WHERE id = ?`).run(...values);
+            if (result.changes === 0) return new Response("Task not found", { status: 404 });
+
+            // Recalcular progreso del proyecto
+            const task = db.query<any, [number]>("SELECT project_id FROM tasks WHERE id = ?").get(taskId);
+            if (task?.project_id) {
+              const avgRow = db.query<any, [string]>("SELECT AVG(progress) as avg FROM tasks WHERE project_id = ?").get(task.project_id) as any;
+              const avg = Math.round(avgRow?.avg ?? 0);
+              db.query("UPDATE projects SET progress = ?, updated_at = unixepoch() WHERE id = ?").run(avg, task.project_id);
+            }
+
+            return addCorsHeaders(Response.json({ success: true }), req);
+          }
+        }
+
+
+
+
+        // ── Channels API ─────────────────────────────────────────────────────
+        if (url.pathname === "/api/channels" || url.pathname === "/api/channels/") {
+          if (req.method === "POST") {
+            const body = await req.json().catch(() => ({}));
+            const { name, accountId, config: channelConfigData } = body;
+            if (!name || !accountId || !channelConfigData) {
+              return addCorsHeaders(new Response("Missing name, accountId or config", { status: 400 }), req);
+            }
+            config.channels = config.channels || {};
+            config.channels[name] = config.channels[name] || { enabled: true, accounts: {} };
+            const channelEntry = config.channels[name] as any;
+            channelEntry.accounts = channelEntry.accounts || {};
+            channelEntry.accounts[accountId] = channelConfigData;
+            await channelManager.removeChannel(name, accountId);
+            await channelManager.startChannel(name, accountId);
+            return addCorsHeaders(Response.json({ success: true }), req);
+          }
+        }
+
+        const channelDetailMatch = url.pathname.match(/^\/api\/channels\/([^/]+)\/([^/]+)$/);
+        if (channelDetailMatch) {
+          const name = channelDetailMatch[1];
+          const accountId = channelDetailMatch[2];
+
+          if (req.method === "GET") {
+            const accConfig = channelManager.getAccountConfig(name, accountId);
+            if (!accConfig) return new Response("Channel account not found", { status: 404 });
+            return Response.json({ name, accountId, config: accConfig });
+          }
+          if (req.method === "PUT") {
+            const body = await req.json().catch(() => ({}));
+            if (!body.config) return new Response("Missing config", { status: 400 });
+            config.channels = config.channels || {};
+            config.channels[name] = config.channels[name] || { enabled: true, accounts: {} };
+            const channelEntry = config.channels[name] as any;
+            channelEntry.accounts = channelEntry.accounts || {};
+            channelEntry.accounts[accountId] = body.config;
+            await channelManager.removeChannel(name, accountId);
+            await channelManager.startChannel(name, accountId);
+            return Response.json({ success: true });
+          }
+          if (req.method === "DELETE") {
+            if (config.channels?.[name]) {
+              const channelEntry = config.channels[name] as any;
+              if (channelEntry.accounts) {
+                delete channelEntry.accounts[accountId];
+                if (Object.keys(channelEntry.accounts).length === 0) {
+                  delete config.channels[name];
+                }
+              }
+              await channelManager.removeChannel(name, accountId);
+            }
+            return Response.json({ success: true });
+          }
+        }
+
+        const channelActionMatch = url.pathname.match(
+          /^\/api\/channels\/([^/]+)\/([^/]+)\/(start|stop)$/
+        );
+        if (channelActionMatch) {
+          const [, name, accountId, action] = channelActionMatch;
+          if (req.method === "POST") {
+            try {
+              if (action === "start") await channelManager.startChannel(name, accountId);
+              else await channelManager.stopChannel(name, accountId);
+              return Response.json({ success: true });
+            } catch (error) {
+              return Response.json(
+                { success: false, error: (error as Error).message },
+                { status: 500 }
+              );
+            }
+          }
+        }
+
+        // ── Skills API ───────────────────────────────────────────────────────
+        if (url.pathname === "/api/skills" || url.pathname === "/api/skills/") {
+          if (req.method === "POST") {
+            const body = await req.json().catch(() => ({}));
+            const { name, description, content, raw } = body;
+            if (!name || (!content && !raw)) {
+              return addCorsHeaders(new Response("Missing name or content", { status: 400 }), req);
+            }
+            const managedDir = expandPath(config.skills?.managedDir ?? "~/.hive/skills");
+            const skillDir = path.join(managedDir, name);
+            const skillFile = path.join(skillDir, "SKILL.md");
+            mkdirSync(skillDir, { recursive: true });
+            const skillMd = raw || `-- -\nname: ${name} \ndescription: ${description || ""} \n-- -\n${content} `;
+            await Bun.write(skillFile, skillMd);
+            agent.reloadSkills();
+            return addCorsHeaders(Response.json({ success: true }), req);
+          }
+        }
+
+        // ── Model Config API ─────────────────────────────────────────────────
+        if (url.pathname === "/api/config/models") {
+          if (req.method === "GET") {
+            return addCorsHeaders(Response.json({
+              config: config.models || {},
+              availableProviders: ["openai", "anthropic", "gemini", "kimi", "ollama", "openrouter", "deepseek"],
+            }), req);
+          }
+          if (req.method === "POST") {
+            const body = await req.json().catch(() => ({}));
+            const { defaultProvider, defaults, providers } = body;
+            config.models = config.models || {};
+            if (defaultProvider) config.models.defaultProvider = defaultProvider;
+            if (defaults) config.models.defaults = { ...(config.models.defaults || {}), ...defaults };
+            if (providers) config.models.providers = { ...(config.models.providers || {}), ...providers };
+            await agent.updateConfig(config);
+            return addCorsHeaders(Response.json({ success: true }), req);
+          }
+        }
+
+        // ── MCP API ──────────────────────────────────────────────────────────
+        if (url.pathname.startsWith("/api/mcp/")) {
+          const mcp = agent.getMCPManager();
+          if (!mcp) return new Response("MCP is disabled", { status: 404 });
+
+          if (url.pathname === "/api/mcp/servers") {
+            if (!checkAuth(req, url)) return new Response("Unauthorized", { status: 401 });
+
+            if (req.method === "GET") {
+              // Obtener los MCPs activos del manager
+              const activeServers = mcp.listServers();
+
+              // Obtener todos los MCPs de la base de datos
+              const dbServers = dbService.listMCPServers();
+
+              // Combinar información: DB + estado de conexión en tiempo real
+              const allServers = dbServers.map(s => {
+                const activeServer = activeServers.find((as: any) => as.name === s.name);
+                const isEnabled = s.enabled === 1;
+
+                // Redact headers for safe UI display
+                let headers = undefined;
+                if (s.headers_encrypted && s.headers_iv) {
+                  try {
+                    const decryptedHeaders = decryptConfig(s.headers_encrypted, s.headers_iv);
+                    headers = Object.fromEntries(
+                      Object.entries(decryptedHeaders).map(([k, v]) => [
+                        k,
+                        k.toLowerCase().includes("auth") ||
+                          k.toLowerCase().includes("token") ||
+                          k.toLowerCase().includes("key")
+                          ? `${(v as string).slice(0, 4)}••••••••`
+                          : v,
+                      ])
+                    );
+                  } catch (e) {
+                    log.error(`Failed to decrypt headers for ${s.name}: ${(e as Error).message} `);
+                  }
+                }
+
+                return {
+                  name: s.name,
+                  enabled: isEnabled,
+                  status: isEnabled
+                    ? (activeServer?.status || "disconnected")
+                    : "not_configured",
+                  config: {
+                    transport: s.transport,
+                    command: s.command,
+                    args: s.args ? JSON.parse(s.args) : [],
+                    url: s.url,
+                    headers,
+                    enabled: isEnabled
+                  },
+                  tools_count: s.tools_count || 0,
+                  tools: activeServer?.tools || [],
+                };
+              });
+
+              return addCorsHeaders(Response.json(allServers), req);
+            }
+            if (req.method === "POST") {
+              const body = await req.json().catch(() => ({}));
+              if (!body.name || !body.config) {
+                return new Response("Missing name or config", { status: 400 });
+              }
+              mcpLog.info(`Creating MCP server: ${body.name} `, { config: body.config });
+              // Save to SQLite
+              config.mcp = config.mcp || {};
+              config.mcp.servers = config.mcp.servers || {};
+              config.mcp.servers[body.name] = body.config;
+              await agent.updateConfig(config);
+
+              // Update AgentLoop singleton with new mcpManager
+              const agentLoop = getSupervisorGraph();
+              if (agentLoop) {
+                agentLoop.setMCPManager(agent.getMCPManager());
+              }
+
+              // Encrypt sensitive headers for DB
+              let headersEnc = undefined;
+              if (body.config.headers) {
+                // No hay viejos headers en un POST de server nuevo, 
+                // pero por consistencia usamos la función
+                headersEnc = encryptConfig(body.config.headers);
+              }
+
+              // Save to SQLite
+              dbService.saveMCPServer({
+                name: body.name,
+                ...body.config,
+                headers_encrypted: headersEnc?.encrypted,
+                headers_iv: headersEnc?.iv,
+                enabled: body.config.enabled !== false,
+                builtin: false
+              });
+
+              mcpLog.info(`Successfully created MCP server: ${body.name} `);
+              return addCorsHeaders(Response.json({ success: true }), req);
+            }
+          }
+
+          // FIX 5 — separar el endpoint de tools del de detalles del servidor
+          const toolsMatch = url.pathname.match(/^\/api\/mcp\/servers\/([^/]+)\/tools$/);
+          if (toolsMatch && req.method === "GET") {
+            if (!checkAuth(req, url)) return new Response("Unauthorized", { status: 401 });
+            const serverName = decodeURIComponent(toolsMatch[1]);
+            const tools = mcp.getServerTools(serverName);
+            return addCorsHeaders(Response.json(tools), req);
+          }
+
+          const serverMatch = url.pathname.match(/^\/api\/mcp\/servers\/([^/]+)$/);
+          if (serverMatch) {
+            if (!checkAuth(req, url)) return new Response("Unauthorized", { status: 401 });
+            const serverName = decodeURIComponent(serverMatch[1]);
+            const details = mcp.getServerDetails(serverName);
+
+            if (req.method === "GET") {
+              if (!details) return new Response("Server not found", { status: 404 });
+              return addCorsHeaders(Response.json(details), req);
+            }
+            if (req.method === "PUT") {
+              const body = await req.json().catch(() => ({}));
+              if (!body.config) return new Response("Missing config", { status: 400 });
+
+              mcpLog.info(`Updating MCP server: ${serverName} `, { config: body.config });
+              const oldConfig = config.mcp?.servers?.[serverName];
+
+              // Smart merge for headers
+              if (body.config.headers && oldConfig?.headers) {
+                body.config.headers = mergeHeaders(body.config.headers, oldConfig.headers);
+              }
+
+              // Update SQLite
+              config.mcp = config.mcp || {};
+              config.mcp.servers = config.mcp.servers || {};
+              config.mcp.servers[serverName] = body.config;
+              await agent.updateConfig(config);
+
+              // Encrypt sensitive headers for DB
+              let headersEnc = undefined;
+              if (body.config.headers) {
+                headersEnc = encryptConfig(body.config.headers);
+              }
+
+              // Update SQLite
+              dbService.updateMCPServer(serverName, {
+                ...body.config,
+                headers_encrypted: headersEnc?.encrypted,
+                headers_iv: headersEnc?.iv,
+                enabled: body.config.enabled !== false
+              });
+
+              mcpLog.info(`Successfully updated MCP server: ${serverName} `);
+              return addCorsHeaders(Response.json({ success: true }), req);
+            }
+            if (req.method === "DELETE") {
+              mcpLog.info(`Deleting MCP server: ${serverName} `);
+              if (config.mcp?.servers?.[serverName]) {
+                delete config.mcp.servers[serverName];
+                await agent.updateConfig(config);
+              }
+              // Logic to delete from SQLite could be added if desired, 
+              // but usually we just disable them or keep the record.
+              // For now, let's just keep it simple and sync yaml.
+              return addCorsHeaders(Response.json({ success: true }), req);
+            }
+            if (req.method === "PATCH") {
+              const body = await req.json().catch(() => ({}));
+              if (body.enabled !== undefined) {
+                mcpLog.info(`${body.enabled ? "Enabling" : "Disabling"} MCP server: ${serverName} `);
+                // Update SQLite
+                config.mcp = config.mcp || {};
+                config.mcp.servers = config.mcp.servers || {};
+                config.mcp.servers[serverName] = {
+                  ...config.mcp.servers[serverName],
+                  enabled: body.enabled,
+                };
+                await agent.updateConfig(config);
+
+                // Update SQLite
+                dbService.updateMCPServer(serverName, { enabled: body.enabled });
+
+                return addCorsHeaders(Response.json({ success: true, enabled: body.enabled }), req);
+              }
+              return new Response("Missing enabled field", { status: 400 });
+            }
+            if (req.method === "POST") {
+              const body = await req.json().catch(() => ({}));
+              if (body.action === "connect") {
+                // Check if server exists in DB (not in config variable which may be stale)
+                const dbServer = dbService.listMCPServers().find((s: any) => s.name === serverName);
+                if (!dbServer || !dbServer.enabled) {
+                  return new Response("Server not found or disabled", { status: 400 });
+                }
+                await mcp.connectServer(serverName);
+
+                // Update tools count after connection
+                const tools = mcp.getServerTools(serverName) || [];
+                dbService.updateMCPServer(serverName, {
+                  status: "connected",
+                  tools_count: tools.length
+                });
+
+                return addCorsHeaders(Response.json({ success: true, tools_count: tools.length }), req);
+              }
+              if (body.action === "disconnect") {
+                await mcp.disconnectServer(serverName);
+                return addCorsHeaders(Response.json({ success: true }), req);
+              }
+            }
+          }
+        }
+
+        // ── Workspace API ────────────────────────────────────────────────────
+        for (const wsType of ["soul", "user", "ethics"] as const) {
+          if (url.pathname === `/api/workspace/${wsType}`) {
+            const filePath = path.join(workspacePath, `${wsType.toUpperCase()}.md`);
+
+            if (req.method === "GET") {
+              const defaults: Record<string, string> = {
+                soul: "# Agent Soul\n\nDefine your agent's personality here.",
+                user: "# User Profile\n\nAdd user preferences here.",
+                ethics: "# Ethics\n\nDefine ethical guidelines here.",
+              };
+              const wsFile = Bun.file(filePath);
+              const content = (await wsFile.exists())
+                ? await wsFile.text()
+                : defaults[wsType];
+              return addCorsHeaders(new Response(content, { headers: { "Content-Type": "text/plain" } }), req);
+            }
+
+            if (req.method === "POST") {
+              const content = await req.text();
+              mkdirSync(workspacePath, { recursive: true });
+              await Bun.write(filePath, content);
+              if (wsType === "soul") agent.reloadSoul();
+              if (wsType === "user") agent.reloadUser();
+              if (wsType === "ethics") await agent.reloadEthics();
+              return addCorsHeaders(Response.json({ success: true, savedAt: new Date().toISOString() }), req);
+            }
+          }
+        }
+
+        // ── Reload API ───────────────────────────────────────────────────────
+        if (url.pathname === "/api/reload" && req.method === "POST") {
+          try {
+            const newConfig = await loadConfig();
+            await agent.updateConfig(newConfig);
+            await agent.reload();
+            log.info("Configuration reloaded via API");
+            return addCorsHeaders(Response.json({ success: true, message: "Configuration reloaded" }), req);
+          } catch (error) {
+            return addCorsHeaders(Response.json(
+              { success: false, error: (error as Error).message },
+              { status: 500 }
+            ), req);
+          }
+        }
+
+        // ── User Channel Linking API ────────────────────────────────────────────
+        if (url.pathname === "/api/user/channels" && req.method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          const { channel, channelUserId } = body;
+
+          if (!channel || !channelUserId) {
+            return addCorsHeaders(Response.json({ success: false, error: "Missing channel or channelUserId" }, { status: 400 }), req);
+          }
+
+          config.user = config.user || { id: "", name: "User" };
+          config.user.channels = config.user.channels || {};
+          config.user.channels[channel] = channelUserId;
+
+          log.info(`Linked channel ${channel} to user ID ${channelUserId} `);
+
+          return addCorsHeaders(Response.json({ success: true, channels: config.user.channels }), req);
+        }
+
+        if (url.pathname === "/api/user/channels" && req.method === "GET") {
+          return addCorsHeaders(Response.json({
+            user: config.user || { id: "", name: "User", channels: {} },
+          }), req);
+        }
+
+        // ── Agents API ─────────────────────────────────────────────────────
+        if (url.pathname === "/api/agents" && req.method === "GET") {
+          const rows = getDb().query(`
+          SELECT a.*, u.notes as user_preferences,
+  CASE WHEN a.headers_encrypted IS NOT NULL THEN 1 ELSE 0 END as has_headers
+          FROM agents a
+          LEFT JOIN users u ON a.user_id = u.id
+          ORDER BY a.created_at DESC
+  `).all() as any[];
+          const agents = rows.map(row => ({
+            id: row.id,
+            name: row.name,
+            description: row.description,
+            status: row.status,
+            enabled: Boolean(row.enabled),
+            is_coordinator: Boolean(row.is_coordinator),
+            isCoordinator: Boolean(row.is_coordinator),
+            providerId: row.provider_id,
+            modelId: row.model_id,
+            tone: row.tone,
+            hasHeaders: row.has_headers === 1,
+            createdAt: new Date(row.created_at * 1000).toISOString(),
+            // UI specific mocks/defaults
+            taskCount: 0,
+            successRate: 100,
+          }));
+          return addCorsHeaders(Response.json({ agents }), req);
+        }
+
+        if (url.pathname === "/api/agents" && req.method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          const { encrypted: headersEnc, iv: headersIv } = body.headers ? encryptConfig(body.headers) : { encrypted: null, iv: null };
+
+          let agentId: string;
+
+          if (body.id) {
+            agentId = body.id;
+            getDb().query(`
+              INSERT INTO agents(id, name, description, provider_id, model_id, tone, enabled, headers_encrypted, headers_iv)
+VALUES(?, ?, ?, ?, ?, ?, 1, ?, ?)
+  `).run(
+              agentId,
+              body.name,
+              body.description || "",
+              body.providerId || "openai",
+              body.modelId || "gpt-4o",
+              body.tone || "friendly",
+              headersEnc,
+              headersIv
+            );
+          } else {
+            const result = getDb().query(`
+              INSERT INTO agents(name, description, provider_id, model_id, tone, enabled, headers_encrypted, headers_iv)
+VALUES(?, ?, ?, ?, ?, 1, ?, ?)
+              RETURNING id
+  `).get(
+              body.name,
+              body.description || "",
+              body.providerId || "openai",
+              body.modelId || "gpt-4o",
+              body.tone || "friendly",
+              headersEnc,
+              headersIv
+            ) as { id: string } | undefined;
+            agentId = result?.id || "";
+          }
+
+          emitCanvas("canvas:node_add", {
+            node: { id: agentId, name: body.name, status: "idle", type: "agent" }
+          });
+
+          // Return the created agent
+          const agent = getDb().query(`
+          SELECT id, name, description, provider_id, model_id, tone, status, enabled, active, created_at
+          FROM agents WHERE id = ?
+  `).get(agentId) as any;
+
+          return addCorsHeaders(Response.json({
+            ok: true,
+            agent: {
+              id: agent.id,
+              name: agent.name,
+              description: agent.description,
+              providerId: agent.provider_id,
+              modelId: agent.model_id,
+              tone: agent.tone,
+              status: agent.status,
+              enabled: agent.enabled === 1,
+              active: agent.active === 1,
+              createdAt: new Date(agent.created_at * 1000).toISOString(),
+            }
+          }), req);
+        }
+
+        // PATCH /api/agents/:id
+        if (url.pathname.startsWith("/api/agents/") && (req.method === "PATCH" || req.method === "PUT")) {
+          const agentId = url.pathname.split("/").pop();
+          const requestHeaders = Object.fromEntries(req.headers.entries());
+          log.info(`[API] PATCH / api / agents / ${agentId} reqHeaders = ${JSON.stringify(requestHeaders)} `);
+          if (!agentId) return addCorsHeaders(new Response("Missing ID", { status: 400 }), req);
+
+          const body = await req.json().catch(() => ({}));
+          log.info(`[API] PATCH full body: ${JSON.stringify(body)} `);
+
+          // Build dynamic SET clause for agents table
+          const updates: string[] = [];
+          const params: any[] = [];
+
+          const possibleFields = [
+            "name", "description", "provider_id", "model_id", "status",
+            "enabled", "tone"
+          ];
+
+          for (const field of possibleFields) {
+            const bodyKey = field.replace(/_([a-z])/g, (g) => g[1].toUpperCase()); // camelCase check
+            let val = body[field] !== undefined ? body[field] : body[bodyKey];
+
+            if (val !== undefined) {
+              updates.push(`${field} = ?`);
+              params.push(typeof val === 'object' ? JSON.stringify(val) : val);
+            }
+          }
+
+          // Handle headers separately for encryption
+          const agentHeaders = body.headers !== undefined ? body.headers : body.config?.headers;
+          log.info(`[API] PATCH agent headers: ${JSON.stringify(agentHeaders)} `);
+          if (agentHeaders !== undefined) {
+            const { encrypted, iv } = encryptConfig(agentHeaders);
+            updates.push("headers_encrypted = ?");
+            params.push(encrypted);
+            updates.push("headers_iv = ?");
+            params.push(iv);
+          }
+
+          // Handle userPreferences separately (stored in users table)
+          const userPreferences = body.userPreferences !== undefined ? body.userPreferences : body.user_preferences;
+          if (userPreferences !== undefined) {
+            // Get the user_id for this agent
+            const agentRow = getDb().query("SELECT user_id FROM agents WHERE id = ?").get(agentId) as any;
+            if (agentRow && agentRow.user_id) {
+              getDb().query(`UPDATE users SET notes = ? WHERE id = ? `).run(userPreferences, agentRow.user_id);
+            }
+          }
+
+          if (updates.length > 0) {
+            params.push(agentId);
+            getDb().query(`UPDATE agents SET ${updates.join(", ")} WHERE id = ? `).run(...params);
+
+            emitCanvas("canvas:node_update", {
+              id: agentId,
+              updates: body
+            });
+          }
+
+          return addCorsHeaders(Response.json({ ok: true }), req);
+        }
+
+        // ── Providers API ───────────────────────────────────────────────────
+        if (url.pathname === "/api/providers" && req.method === "GET") {
+          const rawProviders = getDb().query(`
+            SELECT id, name, base_url, enabled, active, num_ctx,
+              api_key_encrypted, api_key_iv,
+              CASE WHEN api_key_encrypted IS NOT NULL THEN 1 ELSE 0 END as has_api_key,
+              CASE WHEN headers_encrypted IS NOT NULL THEN 1 ELSE 0 END as has_headers
+            FROM providers
+          `).all() as any[];
+
+          const modelsRows = getDb().query(`
+            SELECT id, name, provider_id, enabled, active FROM models
+          `).all() as any[];
+
+          const modelsByProvider: Record<string, any[]> = {};
+          for (const m of modelsRows) {
+            if (!modelsByProvider[m.provider_id]) modelsByProvider[m.provider_id] = [];
+            modelsByProvider[m.provider_id].push({ id: m.id, name: m.name, provider_id: m.provider_id, enabled: !!m.enabled, active: !!m.active });
+          }
+
+          const providers = rawProviders.map((p) => {
+            let masked_api_key: string | null = null;
+            if (p.api_key_encrypted && p.api_key_iv) {
+              try {
+                const plain = decryptApiKey(p.api_key_encrypted, p.api_key_iv);
+                masked_api_key = maskApiKey(plain);
+              } catch { /* silently ignore */ }
+            }
+            return {
+              id: p.id,
+              name: p.name,
+              base_url: p.base_url,
+              enabled: p.enabled,
+              active: p.active,
+              num_ctx: p.num_ctx ?? null,
+              has_api_key: p.has_api_key,
+              has_headers: p.has_headers,
+              masked_api_key,
+              models: modelsByProvider[p.id] || [],
+            };
+          });
+
+          return addCorsHeaders(Response.json({ providers }), req);
+        }
+
+        if (url.pathname === "/api/providers" && req.method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          getDb().query(`
+          INSERT OR REPLACE INTO providers(id, name, base_url, enabled, active)
+VALUES(?, ?, ?, ?, 1)
+        `).run(body.id, body.name, body.base_url || null, body.enabled !== undefined ? body.enabled : 1);
+          return addCorsHeaders(Response.json({ ok: true }), req);
+        }
+
+        if (url.pathname.match(/^\/api\/providers\/[^/]+\/toggle$/)) {
+          const providerId = url.pathname.split("/")[3];
+          if (req.method === "POST") {
+            const body = await req.json().catch(() => ({}));
+            const { active } = body;
+            if (active === undefined) {
+              return addCorsHeaders(new Response("Missing active field", { status: 400 }), req);
+            }
+            getDb().query(`UPDATE providers SET active = ?, enabled = ? WHERE id = ? `).run(active ? 1 : 0, active ? 1 : 0, providerId);
+            return addCorsHeaders(Response.json({ success: true, active }), req);
+          }
+        }
+
+        const providerIdMatch = url.pathname.match(/^\/api\/providers\/([^/]+)$/);
+        if (providerIdMatch && (req.method === "PUT" || req.method === "PATCH")) {
+          const id = providerIdMatch[1];
+          const body = await req.json().catch(() => ({}));
+          const updates: string[] = [];
+          const params: any[] = [];
+
+          if (body.name) {
+            updates.push("name = ?");
+            params.push(body.name);
+          }
+          const baseUrl = body.base_url !== undefined ? body.base_url : body.baseUrl;
+          if (baseUrl !== undefined) {
+            updates.push("base_url = ?");
+            params.push(baseUrl || null);
+          }
+          if (body.enabled !== undefined) {
+            updates.push("enabled = ?");
+            params.push(body.enabled ? 1 : 0);
+          }
+          if (body.active !== undefined) {
+            updates.push("active = ?");
+            params.push(body.active ? 1 : 0);
+          }
+          if (body.config?.apiKey || body.apiKey) {
+            const apiKey = body.config?.apiKey || body.apiKey;
+            const { encrypted, iv } = encryptApiKey(apiKey);
+            updates.push("api_key_encrypted = ?");
+            params.push(encrypted);
+            updates.push("api_key_iv = ?");
+            params.push(iv);
+          }
+
+          if (body.headers) {
+            const { encrypted, iv } = encryptConfig(body.headers);
+            updates.push("headers_encrypted = ?");
+            params.push(encrypted);
+            updates.push("headers_iv = ?");
+            params.push(iv);
+          }
+
+          const numCtx = body.num_ctx !== undefined ? body.num_ctx : body.numCtx;
+          if (numCtx !== undefined) {
+            updates.push("num_ctx = ?");
+            params.push(numCtx ? Number(numCtx) : null);
+          }
+
+          if (updates.length > 0) {
+            params.push(id);
+            getDb().query(`UPDATE providers SET ${updates.join(", ")} WHERE id = ? `).run(...params);
+          }
+
+          const updated = getDb().query<any, [string]>(`
+            SELECT id, name, base_url, enabled, active, num_ctx,
+              api_key_encrypted, api_key_iv,
+              CASE WHEN api_key_encrypted IS NOT NULL THEN 1 ELSE 0 END as has_api_key,
+              CASE WHEN headers_encrypted IS NOT NULL THEN 1 ELSE 0 END as has_headers
+            FROM providers WHERE id = ?
+          `).get(id);
+
+          let masked_api_key: string | null = null;
+          if (updated?.api_key_encrypted && updated?.api_key_iv) {
+            try {
+              masked_api_key = maskApiKey(decryptApiKey(updated.api_key_encrypted, updated.api_key_iv));
+            } catch { /* ignore */ }
+          }
+
+          const models = getDb().query<any, [string]>(`
+            SELECT id, name, provider_id, enabled, active FROM models WHERE provider_id = ?
+          `).all(id);
+
+          return addCorsHeaders(Response.json({
+            success: true,
+            provider: {
+              id: updated.id,
+              name: updated.name,
+              base_url: updated.base_url,
+              enabled: !!updated.enabled,
+              active: !!updated.active,
+              num_ctx: updated.num_ctx ?? null,
+              has_api_key: !!updated.has_api_key,
+              has_headers: !!updated.has_headers,
+              masked_api_key,
+              models,
+            }
+          }), req);
+        }
+
+        // ── Models API ───────────────────────────────────────────────────
+        // GET /api/models?provider_id=xxx - Get models filtered by provider
+        if (url.pathname === "/api/models" && req.method === "GET") {
+          const searchParams = new URL(req.url).searchParams;
+          const providerId = searchParams.get("provider_id");
+          let models;
+          if (providerId) {
+            models = getDb().query(`
+            SELECT id, name, provider_id, context_window, capabilities, enabled, active 
+            FROM models
+            WHERE provider_id = ? AND(enabled = 1 OR active = 1)
+  `).all(providerId);
+          } else {
+            models = getDb().query(`
+            SELECT id, name, provider_id, context_window, capabilities, enabled, active 
+            FROM models
+          `).all();
+          }
+          return addCorsHeaders(Response.json({ models }), req);
+        }
+
+        // POST /api/providers/:id/sync-models — sincroniza modelos desde la API local del provider
+        const syncModelsMatch = url.pathname.match(/^\/api\/providers\/([^/]+)\/sync-models$/)
+        if (syncModelsMatch && req.method === "POST") {
+          const providerId = syncModelsMatch[1]
+          const providerRow = getDb().query<any, [string]>(
+            "SELECT * FROM providers WHERE id = ?"
+          ).get(providerId)
+
+          if (!providerRow) {
+            return addCorsHeaders(new Response("Provider not found", { status: 404 }), req)
+          }
+
+          const baseUrl = (providerRow.base_url || "http://localhost:11434").replace(/\/(v1|api)\/?$/, "")
+
+          try {
+            const res = await fetch(`${baseUrl}/api/tags`)
+            if (!res.ok) {
+              return addCorsHeaders(Response.json({ error: `Ollama responded ${res.status}` }, { status: 502 }), req)
+            }
+            const data = await res.json() as { models: Array<{ name: string; size: number; details?: { parameter_size?: string } }> }
+            const ollamaModels = data.models || []
+
+            // Upsert each model — id = "providerId/modelName", name = modelName (what Ollama accepts)
+            const upsert = getDb().query(`
+              INSERT INTO models (id, provider_id, name, model_type, enabled, active)
+              VALUES (?, ?, ?, 'llm', 1, 1)
+              ON CONFLICT(id) DO UPDATE SET name = excluded.name, enabled = 1
+            `)
+            for (const m of ollamaModels) {
+              upsert.run(`${providerId}/${m.name}`, providerId, m.name)
+            }
+
+            // Desactiva modelos que ya no están instalados
+            const installedIds = ollamaModels.map(m => `${providerId}/${m.name}`)
+            const existingModels = getDb().query<any, [string]>(
+              "SELECT id FROM models WHERE provider_id = ?"
+            ).all(providerId) as { id: string }[]
+
+            const disable = getDb().query("UPDATE models SET active = 0, enabled = 0 WHERE id = ?")
+            for (const row of existingModels) {
+              if (!installedIds.includes(row.id)) {
+                disable.run(row.id)
+              }
+            }
+
+            const models = getDb().query<any, [string]>(
+              "SELECT id, name, provider_id, enabled, active FROM models WHERE provider_id = ?"
+            ).all(providerId)
+
+            return addCorsHeaders(Response.json({ success: true, synced: ollamaModels.length, models }), req)
+          } catch (err: any) {
+            return addCorsHeaders(Response.json({ error: `No se pudo conectar a Ollama: ${err.message}` }, { status: 502 }), req)
+          }
+        }
+
+        // POST /api/models - Create a new model
+        if (url.pathname === "/api/models" && req.method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          const { provider_id, name, model_type, context_window, capabilities } = body;
+          if (!provider_id || !name) {
+            return addCorsHeaders(new Response("Missing provider_id or name", { status: 400 }), req);
+          }
+          const id = `${provider_id}/${name}`;
+          getDb().query(`
+            INSERT OR IGNORE INTO models (id, provider_id, name, model_type, context_window, capabilities, enabled, active)
+            VALUES (?, ?, ?, ?, ?, ?, 1, 1)
+          `).run(id, provider_id, name, model_type || "llm", context_window || null, capabilities || null);
+          return addCorsHeaders(Response.json({ success: true, id }), req);
+        }
+
+        if (url.pathname.match(/^\/api\/models\/[^/]+\/toggle$/)) {
+          const modelId = url.pathname.split("/")[3];
+          if (req.method === "POST") {
+            const body = await req.json().catch(() => ({}));
+            const { active } = body;
+            if (active === undefined) {
+              return addCorsHeaders(new Response("Missing active field", { status: 400 }), req);
+            }
+            getDb().query(`UPDATE models SET active = ?, enabled = ? WHERE id = ? `).run(active ? 1 : 0, active ? 1 : 0, modelId);
+            return addCorsHeaders(Response.json({ success: true, active }), req);
+          }
+        }
+
+        // ── Channels API ───────────────────────────────────────────────────
+        if (url.pathname === "/api/channels" && req.method === "GET") {
+          const channels = getDb().query("SELECT id, type, id as account_id, enabled, active, status FROM channels").all();
+          return addCorsHeaders(Response.json({ channels }), req);
+        }
+
+        // ── MCP Servers API ──────────────────────────────────────────────────
+        if (url.pathname === "/api/mcp" && req.method === "GET") {
+          const servers = getDb().query("SELECT id, name, transport, status, enabled, active, builtin FROM mcp_servers").all();
+          return addCorsHeaders(Response.json({ servers }), req);
+        }
+
+        // ── Tools API ─────────────────────────────────────────────────────
+        if (url.pathname === "/api/tools" && req.method === "GET") {
+          const tools = getDb().query("SELECT id, name, description, category, enabled, active FROM tools").all();
+          return addCorsHeaders(Response.json({ tools }), req);
+        }
+
+        if (url.pathname.match(/^\/api\/tools\/[^/]+\/toggle$/)) {
+          const toolId = url.pathname.split("/")[3];
+          if (req.method === "POST") {
+            const body = await req.json().catch(() => ({}));
+            const { active } = body;
+            if (active === undefined) {
+              return addCorsHeaders(new Response("Missing active field", { status: 400 }), req);
+            }
+            getDb().query(`UPDATE tools SET active = ?, enabled = ? WHERE id = ? `).run(active ? 1 : 0, active ? 1 : 0, toolId);
+            return addCorsHeaders(Response.json({ success: true, active }), req);
+          }
+        }
+
+        if (url.pathname.match(/^\/api\/tools\/[^/]+$/)) {
+          const toolId = url.pathname.split("/")[3];
+          if (req.method === "PUT") {
+            const body = await req.json().catch(() => ({}));
+            const { name, description } = body;
+            const updates: string[] = [];
+            const params: any[] = [];
+
+            if (name !== undefined) {
+              updates.push("name = ?");
+              params.push(name);
+            }
+            if (description !== undefined) {
+              updates.push("description = ?");
+              params.push(description);
+            }
+
+            if (updates.length > 0) {
+              params.push(toolId);
+              getDb().query(`UPDATE tools SET ${updates.join(", ")} WHERE id = ?`).run(...params);
+            }
+            return addCorsHeaders(Response.json({ success: true }), req);
+          }
+        }
+
+        // ── Skills API ─────────────────────────────────────────────────────
+        if (url.pathname === "/api/skills" && req.method === "GET") {
+          const skills = getDb().query("SELECT id, name, description, source, enabled, active FROM skills").all();
+          return addCorsHeaders(Response.json({ skills }), req);
+        }
+
+        if (url.pathname === "/api/skills" && req.method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          const { name, description, source, enabled } = body;
+          if (!name) return addCorsHeaders(new Response("Missing name", { status: 400 }), req);
+
+          const id = randomUUID();
+          getDb().query(`
+          INSERT INTO skills(id, name, description, source, enabled, active)
+VALUES(?, ?, ?, ?, ?, 1)
+        `).run(id, name, description || "", source || "user", enabled !== undefined ? (enabled ? 1 : 0) : 1);
+
+          return addCorsHeaders(Response.json({ success: true, id }), req);
+        }
+
+        if (url.pathname.match(/^\/api\/skills\/[^/]+\/toggle$/)) {
+          const skillId = url.pathname.split("/")[3];
+          if (req.method === "POST") {
+            const body = await req.json().catch(() => ({}));
+            const { active } = body;
+            if (active === undefined) {
+              return addCorsHeaders(new Response("Missing active field", { status: 400 }), req);
+            }
+            getDb().query(`UPDATE skills SET active = ?, enabled = ? WHERE id = ? `).run(active ? 1 : 0, active ? 1 : 0, skillId);
+            await loadContextToStore(getDb());
+            return addCorsHeaders(Response.json({ success: true, active }), req);
+          }
+        }
+
+        if (url.pathname.match(/^\/api\/skills\/[^/]+$/)) {
+          const skillId = url.pathname.split("/")[3];
+          if (req.method === "PUT") {
+            const body = await req.json().catch(() => ({}));
+            const { name, description } = body;
+            const updates: string[] = [];
+            const params: any[] = [];
+
+            if (name !== undefined) {
+              updates.push("name = ?");
+              params.push(name);
+            }
+            if (description !== undefined) {
+              updates.push("description = ?");
+              params.push(description);
+            }
+
+            if (updates.length > 0) {
+              params.push(skillId);
+              getDb().query(`UPDATE skills SET ${updates.join(", ")} WHERE id = ?`).run(...params);
+              await loadContextToStore(getDb());
+            }
+            return addCorsHeaders(Response.json({ success: true }), req);
+          }
+
+          if (req.method === "DELETE") {
+            getDb().query(`DELETE FROM skills WHERE id = ? AND source != 'bundled'`).run(skillId);
+            await loadContextToStore(getDb());
+            return addCorsHeaders(Response.json({ success: true }), req);
+          }
+        }
+
+        // ── Ethics API ──────────────────────────────────────────────────────
+        if (url.pathname === "/api/ethics" && req.method === "GET") {
+          const ethics = getDb().query("SELECT * FROM ethics").all();
+          return addCorsHeaders(Response.json({ ethics }), req);
+        }
+
+        if (url.pathname === "/api/ethics" && req.method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          const { name, description, content, is_default } = body;
+          if (!name || !content) return addCorsHeaders(Response.json({ success: false, error: "Missing name or content", message: "Faltan campos requeridos: nombre y contenido" }, { status: 400 }), req);
+
+          const id = randomUUID();
+          getDb().query(`
+          INSERT INTO ethics(id, name, description, content, is_default, enabled, active)
+VALUES(?, ?, ?, ?, ?, 1, 1)
+        `).run(id, name, description || "", content, is_default ? 1 : 0);
+
+          return addCorsHeaders(Response.json({ success: true, id, message: `Registro de ética "${name}" creado correctamente` }), req);
+        }
+
+        const ethicsIdMatch = url.pathname.match(/^\/api\/ethics\/([^/]+)$/);
+        if (ethicsIdMatch) {
+          const id = ethicsIdMatch[1];
+          if (req.method === "PUT") {
+            const body = await req.json().catch(() => ({}));
+            const updates: string[] = [];
+            const params: any[] = [];
+            for (const [key, val] of Object.entries(body)) {
+              if (["name", "description", "content", "is_default", "enabled", "active"].includes(key)) {
+                updates.push(`${key} = ?`);
+                params.push(val);
+              }
+            }
+            if (updates.length > 0) {
+              params.push(id);
+              getDb().query(`UPDATE ethics SET ${updates.join(", ")} WHERE id = ? `).run(...params);
+            }
+            return addCorsHeaders(Response.json({ success: true, message: "Registro de ética actualizado correctamente" }), req);
+          }
+          if (req.method === "DELETE") {
+            getDb().query("DELETE FROM ethics WHERE id = ?").run(id);
+            return addCorsHeaders(Response.json({ success: true, message: "Registro de ética eliminado" }), req);
+          }
+        }
+
+        // ── Users API ───────────────────────────────────────────────────────
+        if (url.pathname === "/api/users" && req.method === "GET") {
+          const users = getDb().query("SELECT * FROM users").all();
+          return addCorsHeaders(Response.json({ users }), req);
+        }
+
+        if (url.pathname === "/api/users" && req.method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          const { id, name, language, timezone, occupation, notes, preferred_cron_channel } = body;
+
+          let userId: string;
+          let isUpdate: boolean;
+
+          if (id) {
+            userId = id;
+            isUpdate = true;
+            getDb().query(`
+              INSERT INTO users(id, name, language, timezone, occupation, notes, preferred_cron_channel)
+VALUES(?, ?, ?, ?, ?, ?, ?)
+              ON CONFLICT(id) DO UPDATE SET
+name = excluded.name,
+  language = excluded.language,
+  timezone = excluded.timezone,
+  occupation = excluded.occupation,
+  notes = excluded.notes,
+  preferred_cron_channel = excluded.preferred_cron_channel
+    `).run(id, name, language, timezone, occupation, notes, preferred_cron_channel ?? "auto");
+          } else {
+            isUpdate = false;
+            const result = getDb().query(`
+              INSERT INTO users(name, language, timezone, occupation, notes, preferred_cron_channel)
+VALUES(?, ?, ?, ?, ?, ?)
+              RETURNING id
+            `).get(name, language, timezone, occupation, notes, preferred_cron_channel ?? "auto") as { id: string } | undefined;
+            userId = result?.id || "";
+          }
+
+          return addCorsHeaders(Response.json({
+            success: true,
+            id: userId,
+            message: isUpdate ? "Perfil de usuario actualizado correctamente" : "Usuario creado correctamente",
+          }), req);
+        }
+
+        // ── User settings (partial update) ──────────────────────────────────
+        if (url.pathname === "/api/user/settings" && req.method === "PATCH") {
+          const body = await req.json().catch(() => ({}));
+          const { preferred_cron_channel } = body;
+
+          const user = getDb().query("SELECT id FROM users LIMIT 1").get() as { id: string } | undefined;
+          if (!user) return addCorsHeaders(Response.json({ success: false, error: "No user found", message: "No se encontró ningún usuario" }, { status: 404 }), req);
+
+          const sets: string[] = [];
+          const vals: any[] = [];
+
+          if (preferred_cron_channel !== undefined) {
+            sets.push("preferred_cron_channel = ?");
+            vals.push(preferred_cron_channel);
+          }
+
+          if (sets.length > 0) {
+            vals.push(user.id);
+            getDb().query(`UPDATE users SET ${sets.join(", ")} WHERE id = ?`).run(...vals);
+          }
+
+          return addCorsHeaders(Response.json({ success: true, message: "Configuración de usuario guardada" }), req);
+        }
+
+        // ── MCP Servers API ──────────────────────────────────────────────────
+        if (url.pathname === "/api/mcp" && req.method === "GET") {
+          const servers = getDb().query("SELECT id, name, transport, status, enabled, active, builtin, command, args, url FROM mcp_servers").all();
+          return addCorsHeaders(Response.json({ servers }), req);
+        }
+
+        if (url.pathname.match(/^\/api\/mcp\/[^/]+\/toggle$/)) {
+          const mcpId = url.pathname.split("/")[3];
+          if (req.method === "POST") {
+            const body = await req.json().catch(() => ({}));
+            const { active } = body;
+            if (active === undefined) {
+              return addCorsHeaders(Response.json({ success: false, error: "Missing active field", message: "Falta el campo 'active'" }, { status: 400 }), req);
+            }
+            getDb().query(`UPDATE mcp_servers SET active = ?, enabled = ? WHERE id = ? `).run(active ? 1 : 0, active ? 1 : 0, mcpId);
+            return addCorsHeaders(Response.json({ success: true, active, message: active ? "Servidor MCP activado" : "Servidor MCP desactivado" }), req);
+          }
+        }
+
+        // ── Channels API ───────────────────────────────────────────────────
+        if (url.pathname === "/api/channels" && req.method === "GET") {
+          const channels = getDb().query("SELECT id, type, id as account_id, enabled, active, status FROM channels").all();
+          return addCorsHeaders(Response.json({ channels }), req);
+        }
+
+        // PUT /api/channels/:id - Update channel settings
+        const channelIdMatch = url.pathname.match(/^\/api\/channels\/([^/]+)$/);
+        if (channelIdMatch && req.method === "PUT") {
+          const channelId = channelIdMatch[1];
+          const body = await req.json().catch(() => ({})) as Record<string, unknown>;
+          const allowed = ["voice_enabled", "tts_enabled", "stt_provider", "tts_provider", "tts_voice_id", "step_delivery_mode"] as const;
+          const updates: string[] = [];
+          const params: unknown[] = [];
+          for (const key of allowed) {
+            if (key in body) {
+              updates.push(`${key} = ?`);
+              params.push(typeof body[key] === "boolean" ? (body[key] ? 1 : 0) : body[key]);
+            }
+          }
+          if (updates.length === 0) {
+            return addCorsHeaders(Response.json({ error: "No valid fields to update" }, { status: 400 }), req);
+          }
+          params.push(channelId);
+          (getDb().query(`UPDATE channels SET ${updates.join(", ")} WHERE id = ?`) as any).run(...params);
+          return addCorsHeaders(Response.json({ success: true }), req);
+        }
+
+        if (url.pathname.match(/^\/api\/channels\/[^/]+\/toggle$/)) {
+          const channelId = url.pathname.split("/")[3];
+          if (req.method === "POST") {
+            const body = await req.json().catch(() => ({}));
+            const { active } = body;
+            if (active === undefined) {
+              return addCorsHeaders(Response.json({ success: false, error: "Missing active field", message: "Falta el campo 'active'" }, { status: 400 }), req);
+            }
+            getDb().query(`UPDATE channels SET active = ?, enabled = ? WHERE id = ? `).run(active ? 1 : 0, active ? 1 : 0, channelId);
+            return addCorsHeaders(Response.json({ success: true, active, message: active ? `Canal "${channelId}" activado` : `Canal "${channelId}" desactivado` }), req);
+          }
+        }
+
+        // ── Voice API ───────────────────────────────────────────────────────
+
+        // GET /api/voice/providers - List STT and TTS providers
+        if (url.pathname === "/api/voice/providers" && req.method === "GET") {
+          const providers = getDb().query(`
+            SELECT m.id, m.name, m.model_type, p.name as provider_name, p.id as provider_id,
+  CASE WHEN p.api_key_encrypted IS NOT NULL THEN 1 ELSE 0 END as has_api_key
+            FROM models m
+            JOIN providers p ON m.provider_id = p.id
+            WHERE m.model_type IN('stt', 'tts')
+          `).all();
+          return addCorsHeaders(Response.json({ providers }), req);
+        }
+
+        // GET /api/voice/elevenlabs/voices - List ElevenLabs voices
+        if (url.pathname === "/api/voice/elevenlabs/voices" && req.method === "GET") {
+          try {
+            const voices = await voiceService.getElevenLabsVoices();
+            return addCorsHeaders(Response.json({ voices }), req);
+          } catch (error) {
+            return addCorsHeaders(Response.json({ error: (error as Error).message }), req);
+          }
+        }
+
+        // GET /api/voice/configured-providers - Which voice providers have API keys
+        if (url.pathname === "/api/voice/configured-providers" && req.method === "GET") {
+          const providers = voiceService.getConfiguredVoiceProviders();
+          return addCorsHeaders(Response.json(providers), req);
+        }
+
+        // GET /api/voice/openai/voices - List OpenAI TTS voices
+        if (url.pathname === "/api/voice/openai/voices" && req.method === "GET") {
+          const voices = voiceService.getOpenAIVoices();
+          return addCorsHeaders(Response.json({ voices }), req);
+        }
+
+        // GET /api/voice/gemini/voices - List Gemini TTS voices
+        if (url.pathname === "/api/voice/gemini/voices" && req.method === "GET") {
+          const voices = voiceService.getGeminiVoices();
+          return addCorsHeaders(Response.json({ voices }), req);
+        }
+
+        // GET /api/voice/qwen/voices - List Qwen TTS voices
+        if (url.pathname === "/api/voice/qwen/voices" && req.method === "GET") {
+          const voices = voiceService.getQwenVoices();
+          return addCorsHeaders(Response.json({ voices }), req);
+        }
+
+        // GET /api/channels/:id/voice - Get voice config for a channel
+        const channelVoiceMatch = url.pathname.match(/^\/api\/channels\/([^/]+)\/voice$/);
+        if (channelVoiceMatch && req.method === "GET") {
+          const channelId = channelVoiceMatch[1];
+          const voiceConfig = voiceService.getChannelVoiceConfig(channelId);
+          return addCorsHeaders(Response.json(voiceConfig), req);
+        }
+
+        // PATCH /api/channels/:id/voice - Update voice config for a channel
+        if (channelVoiceMatch && req.method === "PATCH") {
+          const channelId = channelVoiceMatch[1];
+          const body = await req.json().catch(() => ({}));
+
+          const updates: string[] = [];
+          const params: any[] = [];
+
+          if (body.voiceEnabled !== undefined) {
+            updates.push("voice_enabled = ?");
+            params.push(body.voiceEnabled ? 1 : 0);
+          }
+          if (body.ttsEnabled !== undefined) {
+            updates.push("tts_enabled = ?");
+            params.push(body.ttsEnabled ? 1 : 0);
+          }
+          if (body.sttProvider !== undefined) {
+            updates.push("stt_provider = ?");
+            params.push(body.sttProvider);
+          }
+          if (body.ttsProvider !== undefined) {
+            updates.push("tts_provider = ?");
+            params.push(body.ttsProvider);
+          }
+          if (body.ttsVoiceId !== undefined) {
+            updates.push("tts_voice_id = ?");
+            params.push(body.ttsVoiceId);
+          }
+
+          if (updates.length > 0) {
+            params.push(channelId);
+            getDb().query(`UPDATE channels SET ${updates.join(", ")} WHERE id = ? `).run(...params);
+          }
+
+          return addCorsHeaders(Response.json({ success: true }), req);
+        }
+
+        // POST /api/voice/test - Test TTS with a channel's config
+        if (url.pathname === "/api/voice/test" && req.method === "POST") {
+          const body = await req.json().catch(() => ({}));
+          const { channelId, text } = body;
+
+          if (!channelId || !text) {
+            return addCorsHeaders(new Response("Missing channelId or text", { status: 400 }), req);
+          }
+
+          try {
+            const voiceConfig = voiceService.getChannelVoiceConfig(channelId);
+
+            if (!voiceConfig.ttsEnabled || !voiceConfig.ttsProvider) {
+              return addCorsHeaders(Response.json({ error: "TTS not enabled for this channel" }), req);
+            }
+
+            const audioOutput = await voiceService.speak(text, voiceConfig.ttsProvider, voiceConfig.ttsVoiceId || undefined);
+
+            let base64Audio: string;
+            if (audioOutput.type === "buffer") {
+              base64Audio = (audioOutput.data as Buffer).toString("base64");
+            } else {
+              base64Audio = audioOutput.data as string;
+            }
+
+            return addCorsHeaders(Response.json({
+              audio: base64Audio,
+              mimeType: audioOutput.mimeType,
+            }), req);
+          } catch (error) {
+            return addCorsHeaders(Response.json({ error: (error as Error).message }), req);
+          }
+        }
+
+        // ── Chat API ────────────────────────────────────────────────────────
+        if (url.pathname === "/api/chat/history" && req.method === "GET") {
+          const sessionId = url.searchParams.get("sessionId");
+          if (!sessionId) {
+            return addCorsHeaders(new Response("Missing sessionId", { status: 400 }), req);
+          }
+
+          try {
+            const messages = dbService.getMessages(sessionId);
+            return addCorsHeaders(Response.json({ messages }), req);
+          } catch (error) {
+            log.error(`[API] Failed to get chat history: ${(error as Error).message}`);
+            return addCorsHeaders(Response.json({ error: "Failed to get chat history" }, { status: 500 }), req);
+          }
+        }
+        // ── Canvas API ─────────────────────────────────────────────────────
+        if (url.pathname === "/api/canvas" && req.method === "GET") {
+          return addCorsHeaders(Response.json(getCanvasSnapshot()), req);
+        }
+
+        // ── Notes API ────────────────────────────────────────────────────────
+        if (url.pathname === "/api/notes" && req.method === "GET") {
+          const notes = getDb().query("SELECT * FROM notes ORDER BY createdAt DESC").all();
+          return addCorsHeaders(Response.json({ notes }), req);
+        }
+
+        if (url.pathname.match(/^\/api\/notes\/[^/]+\/toggle$/)) {
+          const noteId = url.pathname.split("/")[3];
+          if (req.method === "PATCH") {
+            const body = await req.json().catch(() => ({}));
+            const { active } = body;
+            if (active === undefined) {
+              return addCorsHeaders(Response.json({ success: false, error: "Missing active field", message: "Falta el campo 'active'" }, { status: 400 }), req);
+            }
+            getDb().query(`UPDATE notes SET active = ?, updatedAt = unixepoch() WHERE id = ? `).run(active ? 1 : 0, noteId);
+            return addCorsHeaders(Response.json({ success: true, active: !!active, message: active ? "Nota activada" : "Nota desactivada" }), req);
+          }
+        }
+
+        // ── Cron Jobs API ────────────────────────────────────────────────────
+        if (url.pathname === "/api/cron-jobs" && req.method === "GET") {
+          const jobs = getDb().query("SELECT * FROM cron_jobs ORDER BY created_at DESC").all();
+          return addCorsHeaders(Response.json({ jobs }), req);
+        }
+
+        // Returns active channels with recommended flag for cron channel picker
+        if (url.pathname === "/api/cron-jobs/channels" && req.method === "GET") {
+          const db = getDb();
+          const channels = db.query<any, []>(
+            "SELECT id, type, active, enabled FROM channels ORDER BY id"
+          ).all();
+
+          // Priority order for auto-selection
+          const priority: Record<string, number> = { telegram: 0, discord: 1, webchat: 2 };
+          const sorted = [...channels].sort(
+            (a, b) => (priority[a.id] ?? 99) - (priority[b.id] ?? 99)
+          );
+
+          // Recommended = first active channel in priority order
+          const recommended = sorted.find(c => c.active === 1)?.id ?? "webchat";
+
+          const user = db.query("SELECT preferred_cron_channel FROM users LIMIT 1").get() as
+            | { preferred_cron_channel: string }
+            | undefined;
+
+          const result = channels.map((ch: any) => ({
+            id: ch.id,
+            type: ch.type,
+            active: ch.active === 1,
+            recommended: ch.id === recommended,
+          }));
+
+          return addCorsHeaders(
+            Response.json({ channels: result, recommended, userPreference: user?.preferred_cron_channel ?? "auto" }),
+            req
+          );
+        }
+
+        if (url.pathname.match(/^\/api\/cron-jobs\/[^/]+\/toggle$/)) {
+          const jobId = url.pathname.split("/")[3];
+          if (req.method === "PATCH") {
+            const body = await req.json().catch(() => ({}));
+            const { enabled } = body;
+            if (enabled === undefined) {
+              return addCorsHeaders(Response.json({ success: false, error: "Missing enabled field", message: "Falta el campo 'enabled'" }, { status: 400 }), req);
+            }
+            getDb().query(`UPDATE cron_jobs SET enabled = ?, updated_at = unixepoch() WHERE id = ? `).run(enabled ? 1 : 0, jobId);
+            return addCorsHeaders(Response.json({ success: true, enabled: !!enabled, message: enabled ? "Tarea programada activada" : "Tarea programada desactivada" }), req);
+          }
+        }
+
+        return addCorsHeaders(new Response("Not Found", { status: 404 }), req);
+      };
+
+      try {
+        const response = await handleRequest();
+        const duration = Date.now() - start;
+        if (response) {
+          logRequest(response.status, duration);
+        } else {
+          // Bun upgrade returns undefined on success
+          log.info(`${method} ${url.pathname} - 101 Switching Protocols(${duration}ms)`);
+        }
+        return response;
+      } catch (error) {
+        const duration = Date.now() - start;
+        log.error(`${method} ${url.pathname} - Internal Error(${duration}ms): ${(error as Error).message} `);
+        return addCorsHeaders(Response.json({ success: false, error: (error as Error).message, message: "Error interno del servidor" }, { status: 500 }), req);
+      }
+    },
+
+    websocket: {
+      open(ws) {
+        const data = ws.data;
+        const isCanvas = data.sessionId.startsWith("canvas:");
+        const isBridge = data.sessionId.startsWith("bridge:");
+
+        if (isBridge) {
+          log.info(`Bridge events client connected: ${data.sessionId}`);
+          subscribeBridge(ws as any);
+          ws.send(JSON.stringify({ type: "bridge:connected", sessionId: data.sessionId }));
+          return;
+        }
+
+        if (isCanvas) {
+          log.info(`Canvas session connected: ${data.sessionId} `);
+          canvasManager.registerSession(data.sessionId, ws as any);
+          subscribeCanvas(ws as any);
+          ws.send(JSON.stringify({ type: "canvas:connected", sessionId: data.sessionId }));
+          // Send initial snapshot so canvas shows current state
+          ws.send(JSON.stringify({ type: "canvas:snapshot", data: getCanvasSnapshot() }));
+          return;
+        }
+
+        log.debug(`WebSocket connected: ${data.sessionId} `);
+
+        sessionManager.create(data.sessionId, ws);
+
+        const channel = channelManager.getChannel("webchat") as any;
+        if (channel?.registerConnection) channel.registerConnection(ws);
+
+        // Send status message
+        ws.send(JSON.stringify({
+          type: "status",
+          sessionId: data.sessionId,
+          status: { state: "connected", model: `${dbProvider}/${dbModel}` },
+        } as OutboundMessage));
+
+        // Send welcome message with real user data
+        try {
+          const db = getDb();
+          const user = db.query("SELECT id, name, language FROM users LIMIT 1").get() as { id: string; name: string; language: string } | undefined;
+          const agent = db.query("SELECT id, name, provider_id, model_id FROM agents WHERE is_coordinator = 1 LIMIT 1").get() as { id: string; name: string; provider_id: string; model_id: string } | undefined;
+
+          // Get channels
+          const channels = db.query("SELECT id FROM channels WHERE active = 1").all() as Array<{ id: string }>;
+
+          // Get voice config from webchat channel
+          const voiceConfig = db.query("SELECT voice_enabled, stt_provider, tts_provider FROM channels WHERE id = 'webchat'").get() as { voice_enabled: number; stt_provider: string; tts_provider: string } | undefined;
+
+          // Get code bridge
+          const codeBridge = db.query("SELECT id FROM code_bridge WHERE enabled = 1").all() as Array<{ id: string }>;
+
+          ws.send(JSON.stringify({
+            type: "welcome",
+            sessionId: user?.id || data.sessionId,
+            user: user ? { id: user.id, name: user.name, language: user.language } : null,
+            agent: agent ? { id: agent.id, name: agent.name, provider: agent.provider_id, model: agent.model_id } : null,
+            channels: channels.map(c => c.id),
+            voice: voiceConfig ? {
+              enabled: voiceConfig.voice_enabled === 1,
+              sttProvider: voiceConfig.stt_provider,
+              ttsProvider: voiceConfig.tts_provider
+            } : { enabled: false, sttProvider: null, ttsProvider: null },
+            codeBridge: codeBridge.map(cb => cb.id)
+          } as OutboundMessage));
+        } catch (err) {
+          log.error("Error sending welcome message:", err);
+        }
+      },
+
+      async message(ws, message) {
+        const data = ws.data;
+
+        // Bridge events clients are read-only; ignore any messages they send
+        if (data.sessionId.startsWith("bridge:")) return;
+
+        let msg: InboundMessage;
+        try {
+          msg = JSON.parse(message.toString()) as InboundMessage;
+        } catch {
+          ws.send(JSON.stringify({
+            type: "error",
+            sessionId: data.sessionId,
+            error: "Invalid JSON message",
+          } as OutboundMessage));
+          return;
+        }
+
+        msg.sessionId = msg.sessionId ?? data.sessionId;
+        sessionManager.touch(msg.sessionId);
+
+        if (msg.type === "ping") {
+          ws.send(JSON.stringify({ type: "pong", sessionId: msg.sessionId } as OutboundMessage));
+          return;
+        }
+
+        // Canvas subscribe
+        if (msg.type === "canvas_subscribe") {
+          subscribeCanvas(ws);
+          ws.send(JSON.stringify({
+            type: "canvas:snapshot",
+            data: getCanvasSnapshot(),
+          }));
+          return;
+        }
+
+        // Canvas unsubscribe
+        if (msg.type === "canvas_unsubscribe") {
+          unsubscribeCanvas(ws);
+          return;
+        }
+
+        // Canvas session - handle interactions
+        if (data.sessionId.startsWith("canvas:")) {
+          canvasManager.handleMessage(data.sessionId, message);
+          return;
+        }
+
+        if (msg.type === "command" || (msg.content && isSlashCommand(msg.content))) {
+          const result = await executeSlashCommand(msg.sessionId, msg.content ?? `/${msg.command}`, ws);
+          if (result) {
+            ws.send(JSON.stringify(result));
+            return;
+          }
+        }
+
+        // Logs subscription
+        if (msg.type === "logs_subscribe") {
+          logSubscribers.add(data.sessionId);
+          log.debug(`Session ${data.sessionId} subscribed to logs`);
+          return;
+        }
+
+        if (msg.type === "logs_unsubscribe") {
+          logSubscribers.delete(data.sessionId);
+          log.debug(`Session ${data.sessionId} unsubscribed from logs`);
+          return;
+        }
+
+        // Handle audio messages from WebChat
+        let webchatPreferAudio = false;
+        if (msg.type === "audio" && msg.audio) {
+          log.info(`WebChat audio from session ${msg.sessionId}`);
+
+          const voiceConfig = voiceService.getChannelVoiceConfig("webchat");
+
+          if (!voiceConfig.voiceEnabled) {
+            ws.send(JSON.stringify({
+              type: "error",
+              sessionId: msg.sessionId,
+              error: "Voice input not enabled for this channel"
+            } as OutboundMessage));
+            return;
+          }
+
+          if (!voiceConfig.sttProvider) {
+            ws.send(JSON.stringify({
+              type: "message",
+              sessionId: msg.sessionId,
+              content: "🎙️ Para usar notas de voz, configura el proveedor STT en Configuración > Canales > WebChat (ej: groq-whisper)"
+            } as OutboundMessage));
+            return;
+          }
+
+          ws.send(JSON.stringify({
+            type: "typing",
+            isTyping: true,
+            sessionId: msg.sessionId,
+          } as OutboundMessage));
+
+          try {
+            const audioInput = { type: "base64" as const, data: msg.audio, mimeType: "audio/webm" };
+            const sttProvider = voiceConfig.sttProvider || "groq-whisper";
+            const messageContent = await voiceService.transcribe(audioInput, sttProvider);
+
+            log.info(`📝 Transcribed: ${messageContent.substring(0, 100)}...`);
+
+            webchatPreferAudio = true;
+
+            ws.send(JSON.stringify({
+              type: "message",
+              sessionId: msg.sessionId,
+              content: `🎙️ Transcripción: ${messageContent}`
+            } as OutboundMessage));
+
+            dbService.addMessage(msg.sessionId, "user", messageContent, {
+              input_type: "audio_transcribed",
+              stt_provider: sttProvider,
+              channel: "webchat"
+            });
+
+            ws.send(JSON.stringify({
+              type: "typing",
+              isTyping: false,
+              sessionId: msg.sessionId,
+            } as OutboundMessage));
+
+            laneQueue.enqueue(msg.sessionId, async (_task, signal) => {
+              if (signal.aborted) {
+                ws.send(JSON.stringify({ type: "typing", isTyping: false, sessionId: msg.sessionId } as OutboundMessage));
+                ws.send(JSON.stringify({ type: "error", sessionId: msg.sessionId, error: "Task cancelled" } as OutboundMessage));
+                return;
+              }
+
+              try {
+                const unifiedSessionId = msg.sessionId;
+                const messages = [{ role: "user" as const, content: messageContent }];
+                log.info(`Generating response for session ${unifiedSessionId}...`);
+
+                const { userId } = resolveContext({
+                  channel: "webchat",
+                  channelUserId: msg.sessionId,
+                });
+
+                const response = await runner.generate({
+                  provider: dbProvider as any,
+                  messages,
+                  maxTokens: 4096,
+                  tools: prepareTools(agent, unifiedSessionId),
+                  maxSteps: 15,
+                  threadId: unifiedSessionId,
+                  userId,
+                  onStep: async (step) => {
+                    if (signal.aborted) return;
+                    if (step.type === "tool_result" && step.message) {
+                      try {
+                        const result = JSON.parse(step.message);
+                        if (result._sendToUser || result.status) {
+                          const userMessage = result.message || result.status || step.message;
+                          ws.send(JSON.stringify({
+                            type: "message",
+                            sessionId: unifiedSessionId,
+                            content: `📊 ${userMessage}`,
+                            isStep: true,
+                          } as unknown as OutboundMessage));
+                          return;
+                        }
+                      } catch { }
+                    }
+                    log.debug(`[TOOL] ${step.type}: ${step.toolName || ""}`);
+                  },
+                });
+
+                const content = response.content?.trim() || "...";
+                log.info(`Response sent to session ${unifiedSessionId} (${content.length} chars)`);
+
+                const voiceCfg = voiceService.getChannelVoiceConfig("webchat");
+                const shouldSpeak = webchatPreferAudio;
+                let responseType: "text" | "audio" = "text";
+                let ttsProviderUsed: string | null = null;
+                let ttsMimeType: string | null = null;
+
+                ws.send(JSON.stringify({ type: "typing", isTyping: false, sessionId: unifiedSessionId } as OutboundMessage));
+                if (content && content !== "...") {
+                  if (shouldSpeak) {
+                    if (!voiceCfg.ttsProvider) {
+                      ws.send(JSON.stringify({
+                        type: "message",
+                        sessionId: unifiedSessionId,
+                        content: `${content}\n\n🔊 Para recibir respuestas en audio, configura el proveedor TTS en Configuración > Canales > WebChat (ej: elevenlabs)`,
+                        isStep: false,
+                      } as OutboundMessage));
+                    } else {
+                      try {
+                        log.info(`🔊 TTS enabled, synthesizing audio for WebChat...`);
+                        const audioOutput = await voiceService.speak(content, voiceCfg.ttsProvider, voiceCfg.ttsVoiceId || undefined);
+                        ttsProviderUsed = voiceCfg.ttsProvider;
+                        ttsMimeType = audioOutput.mimeType;
+                        responseType = "audio";
+                        const base64Audio = (audioOutput.data as Buffer).toString("base64");
+                        ws.send(JSON.stringify({
+                          type: "audio",
+                          sessionId: unifiedSessionId,
+                          audio: base64Audio,
+                          content,
+                          mimeType: audioOutput.mimeType,
+                        } as OutboundMessage));
+                      } catch (ttsError) {
+                        log.error(`TTS failed: ${(ttsError as Error).message}), sending text instead`);
+                        ws.send(JSON.stringify({ type: "message", sessionId: unifiedSessionId, content, isStep: false } as OutboundMessage));
+                      }
+                    }
+                  } else {
+                    ws.send(JSON.stringify({ type: "message", sessionId: unifiedSessionId, content, isStep: false } as OutboundMessage));
+                  }
+                }
+
+                dbService.addMessage(unifiedSessionId, "assistant", content, {
+                  response_type: responseType,
+                  tts_provider: ttsProviderUsed,
+                  mime_type: ttsMimeType,
+                  channel: "webchat"
+                });
+              } catch (error) {
+                ws.send(JSON.stringify({ type: "typing", isTyping: false, sessionId: msg.sessionId } as OutboundMessage));
+                ws.send(JSON.stringify({
+                  type: "error",
+                  sessionId: msg.sessionId,
+                  error: (error as Error).message,
+                } as OutboundMessage));
+                log.error(`Error for session ${msg.sessionId}: ${(error as Error).message}`);
+              }
+            });
+          } catch (error) {
+            ws.send(JSON.stringify({
+              type: "typing",
+              isTyping: false,
+              sessionId: msg.sessionId,
+            } as OutboundMessage));
+            ws.send(JSON.stringify({
+              type: "error",
+              sessionId: msg.sessionId,
+              error: `Transcription failed: ${(error as Error).message}`
+            } as OutboundMessage));
+          }
+          return;
+        }
+
+        if (msg.type === "message" && msg.content) {
+          log.info(`WebChat message from session ${msg.sessionId}: ${msg.content.substring(0, 100)}`);
+
+          dbService.addMessage(msg.sessionId, "user", msg.content, {
+            input_type: "text",
+            channel: "webchat"
+          });
+
+          // FIX 6 — typing indicator inmediato ANTES de encolar
+          // El usuario ve "escribiendo..." de inmediato, no después del queue
+          ws.send(JSON.stringify({
+            type: "typing",
+            isTyping: true,
+            sessionId: msg.sessionId,
+          } as OutboundMessage));
+
+          laneQueue.enqueue(msg.sessionId, async (_task, signal) => {
+            if (signal.aborted) {
+              ws.send(JSON.stringify({ type: "typing", isTyping: false, sessionId: msg.sessionId } as OutboundMessage));
+              ws.send(JSON.stringify({ type: "error", sessionId: msg.sessionId, error: "Task cancelled" } as OutboundMessage));
+              return;
+            }
+
+            try {
+              const unifiedSessionId = msg.sessionId;
+              const messages = [{ role: "user" as const, content: msg.content }];
+              log.info(`Generating response for session ${unifiedSessionId}...`);
+
+              const { userId } = resolveContext({
+                channel: "webchat",
+                channelUserId: msg.sessionId,
+              });
+
+              const response = await runner.generate({
+                provider: dbProvider as any,
+                messages,
+                maxTokens: 4096,
+                tools: prepareTools(agent, unifiedSessionId),
+                maxSteps: 15,
+                threadId: unifiedSessionId,
+                userId,
+                onStep: async (step) => {
+                  if (signal.aborted) return;
+
+                  // Para tool_result, verificar si es un mensaje de progreso
+                  if (step.type === "tool_result" && step.message) {
+                    try {
+                      const result = JSON.parse(step.message);
+                      if (result._sendToUser || result.status) {
+                        const userMessage = result.message || result.status || step.message;
+                        ws.send(JSON.stringify({
+                          type: "message",
+                          sessionId: unifiedSessionId,
+                          content: `📊 ${userMessage}`,
+                          isStep: true,
+                        } as unknown as OutboundMessage));
+                        return;
+                      }
+                    } catch {
+                      // No es JSON de progreso
+                    }
+                  }
+
+                  log.debug(`[TOOL] ${step.type}: ${step.toolName || ""}`);
+                },
+              });
+
+              const content = response.content?.trim() || "...";
+              log.info(`Response sent to session ${unifiedSessionId} (${content.length} chars)`);
+
+              const voiceConfig = voiceService.getChannelVoiceConfig("webchat");
+              const shouldSpeak = webchatPreferAudio;
+              let responseType: "text" | "audio" = "text";
+              let ttsProviderUsed: string | null = null;
+              let ttsMimeType: string | null = null;
+
+              ws.send(JSON.stringify({ type: "typing", isTyping: false, sessionId: unifiedSessionId } as OutboundMessage));
+              if (content && content !== "...") {
+                if (shouldSpeak) {
+                  if (!voiceConfig.ttsProvider) {
+                    ws.send(JSON.stringify({
+                      type: "message",
+                      sessionId: unifiedSessionId,
+                      content: `${content}\n\n🔊 Para recibir respuestas en audio, configura el proveedor TTS en Configuración > Canales > WebChat (ej: elevenlabs)`,
+                      isStep: false
+                    } as OutboundMessage));
+                  } else {
+                    try {
+                      log.info(`🔊 TTS enabled, synthesizing audio for WebChat...`);
+                      const audioOutput = await voiceService.speak(content, voiceConfig.ttsProvider, voiceConfig.ttsVoiceId || undefined);
+                      ttsProviderUsed = voiceConfig.ttsProvider;
+                      ttsMimeType = audioOutput.mimeType;
+                      responseType = "audio";
+
+                      const base64Audio = (audioOutput.data as Buffer).toString("base64");
+
+                      ws.send(JSON.stringify({
+                        type: "audio",
+                        sessionId: unifiedSessionId,
+                        audio: base64Audio,
+                        content,
+                        mimeType: audioOutput.mimeType,
+                      } as OutboundMessage));
+                    } catch (ttsError) {
+                      log.error(`TTS failed: ${(ttsError as Error).message}), sending text instead`);
+                      ws.send(JSON.stringify({ type: "message", sessionId: unifiedSessionId, content, isStep: false } as OutboundMessage));
+                    }
+                  }
+                } else {
+                  ws.send(JSON.stringify({ type: "message", sessionId: unifiedSessionId, content, isStep: false } as OutboundMessage));
+                }
+              }
+
+              dbService.addMessage(unifiedSessionId, "assistant", content, {
+                response_type: responseType,
+                tts_provider: ttsProviderUsed,
+                mime_type: ttsMimeType,
+                channel: "webchat"
+              });
+            } catch (error) {
+              const unifiedSessionId = msg.sessionId;
+              // Detener typing aunque falle — nunca dejar el spinner infinito
+              ws.send(JSON.stringify({ type: "typing", isTyping: false, sessionId: unifiedSessionId } as OutboundMessage));
+              ws.send(JSON.stringify({
+                type: "error",
+                sessionId: unifiedSessionId,
+                error: (error as Error).message,
+              } as OutboundMessage));
+              log.error(`Error for session ${unifiedSessionId}: ${(error as Error).message}`);
+            }
+          });
+
+          return;
+        }
+
+        ws.send(JSON.stringify({
+          type: "error",
+          sessionId: msg.sessionId,
+          error: "Unknown message type",
+        } as OutboundMessage));
+      },
+
+      close(ws) {
+        const data = ws.data;
+        const isCanvas = data.sessionId.startsWith("canvas:");
+        const isBridge = data.sessionId.startsWith("bridge:");
+
+        if (isBridge) {
+          unsubscribeBridge(ws as any);
+          return;
+        }
+
+        if (isCanvas) {
+          canvasManager.unregisterSession(data.sessionId);
+          unsubscribeCanvas(ws as any);
+          return;
+        }
+
+        log.debug(`WebSocket disconnected: ${data.sessionId}`);
+        logSubscribers.delete(data.sessionId);
+        sessionManager.delete(data.sessionId);
+        laneQueue.cancel(data.sessionId);
+
+        const channel = channelManager.getChannel("webchat") as any;
+        if (channel?.unregisterConnection) channel.unregisterConnection(data.sessionId);
+      },
+    },
+  });
+
+  onLogEntry((entry) => {
+    if (logSubscribers.size === 0) return;
+
+    const payload = JSON.stringify({
+      type: "log",
+      sessionId: entry.meta?.sessionId || "system",
+      logEntry: entry,
+    });
+
+    for (const sessionId of logSubscribers) {
+      const session = sessionManager.get(sessionId);
+      if (session?.ws && session.ws.readyState === 1) {
+        try {
+          session.ws.send(payload);
+        } catch {
+          logSubscribers.delete(sessionId);
+        }
+      } else {
+        logSubscribers.delete(sessionId);
+      }
+    }
+  });
+
+  log.info(`Gateway started successfully`);
+
+  // Check if running as child process in dev mode (parent handles browser open)
+  const isGatewayChild = process.env.HIVE_GATEWAY_CHILD === "1";
+
+  // Print URLs based on mode
+  if (isDev) {
+    // In development: UI is served by Vite on port 5173
+    log.info(`[gateway] API:       http://${host}:${port}`);
+    log.info(`[gateway] WebSocket: ws://${host}:${port}/ws`);
+    log.info(`[gateway] Canvas:    ws://${host}:${port}/canvas`);
+    log.info(`[gateway] Modo:     desarrollo`);
+    if (!isGatewayChild) {
+      log.info(`🐝 Administra tu Hive aquí: http://localhost:5173`);
+    }
+  } else {
+    // In production: Gateway serves UI from dist/
+    // Check if this is first-run setup mode
+    const isSetupMode = !existsSync(getDbPathLazy());
+    const baseUrl = `http://${host}:${port}`;
+    const uiUrl = isSetupMode ? `${baseUrl}/setup` : `${baseUrl}/ui`;
+
+    log.info(`[gateway] UI:        ${uiUrl}`);
+    log.info(`[gateway] API:       http://${host}:${port}`);
+    log.info(`[gateway] WebSocket: ws://${host}:${port}/ws`);
+    log.info(`[gateway] Canvas:    ws://${host}:${port}/canvas`);
+
+    log.info(isSetupMode ? `🎉 Primer arranque — abriendo wizard de configuración...` : `🐝 Administra tu Hive aquí: ${uiUrl}`);
+
+    // Always open browser on startup (setup and normal mode).
+    // Set NO_BROWSER=1 to skip in headless/server environments.
+    if (!process.env.NO_BROWSER) {
+      try {
+        const platform = process.platform;
+        let shellCmd: string;
+        if (platform === "win32") {
+          shellCmd = `start "" "${uiUrl}"`;
+        } else if (platform === "darwin") {
+          shellCmd = `open "${uiUrl}"`;
+        } else {
+          // Linux: gio open first (GNOME/Wayland native), then xdg-open fallbacks
+          shellCmd = `gio open "${uiUrl}" 2>/dev/null || xdg-open "${uiUrl}" 2>/dev/null || sensible-browser "${uiUrl}" 2>/dev/null || x-www-browser "${uiUrl}" 2>/dev/null || true`;
+        }
+        const shell = platform === "win32" ? "cmd" : "/bin/sh";
+        const shellArg = platform === "win32" ? "/c" : "-c";
+        // Use Bun.spawn (native Bun API) for reliable detached subprocess
+        const proc = Bun.spawn([shell, shellArg, shellCmd], {
+          stdout: "ignore",
+          stderr: "ignore",
+          stdin: "ignore",
+        });
+        proc.unref();
+      } catch (err) {
+        log.warn(`Could not open browser: ${(err as Error).message}`);
+      }
+    }
+  }
+  log.info(`Channels: ${channelManager.listChannels().map((c) => c.name).join(", ") || "none"}`);
+
+  // FIX 7 — SIGTERM desconecta MCP limpiamente antes de cerrar
+  process.on("SIGTERM", async () => {
+    log.info("Received SIGTERM, shutting down gracefully...");
+    watchers.forEach((close) => close());
+    const mcp = agent.getMCPManager();
+    if (mcp) {
+      log.info("Disconnecting MCP servers...");
+      await mcp.disconnectAll().catch(() => { });
+    }
+    await channelManager.stopAll();
+    server.stop();
+    try { unlinkSync(pidFile); } catch { }
+    process.exit(0);
+  });
+
+  process.on("SIGHUP", async () => {
+    log.info("Received SIGHUP, reloading configuration...");
+    try {
+      const newConfig = await loadConfig();
+      await agent.updateConfig(newConfig);
+      await agent.reload();
+      log.info("Configuration reloaded successfully");
+    } catch (error) {
+      log.error(`Failed to reload configuration: ${(error as Error).message}`);
+    }
+  });
+}