@kitecd/cli 1.2.0 → 1.3.0

package/dist/server/index.js

@@ -32076,7 +32076,7 @@ var init_node2 = __esm(() => {
   NodeRequestURL = class extends FastURL {
     #req;
     constructor({ req }) {
-      const path13 = req.url || "/";
+      const path17 = req.url || "/";
       let host = req.headers.host || req.headers[":authority"];
       if (host && !HOST_RE.test(host))
         host = "_invalid_";
@@ -32086,15 +32086,15 @@ var init_node2 = __esm(() => {
         else
           host = "localhost";
       const protocol = req.socket?.encrypted || req.headers["x-forwarded-proto"] === "https" || req.headers[":scheme"] === "https" ? "https:" : "http:";
-      if (path13[0] === "/") {
-        const qIndex = path13.indexOf("?");
+      if (path17[0] === "/") {
+        const qIndex = path17.indexOf("?");
         super({
           protocol,
           host,
-          pathname: qIndex === -1 ? path13 : path13.slice(0, qIndex) || "/",
-          search: qIndex === -1 ? "" : path13.slice(qIndex) || ""
+          pathname: qIndex === -1 ? path17 : path17.slice(0, qIndex) || "/",
+          search: qIndex === -1 ? "" : path17.slice(qIndex) || ""
         });
-      } else if (path13 === "*")
+      } else if (path17 === "*")
         super({
           protocol,
           host,
@@ -32102,7 +32102,7 @@ var init_node2 = __esm(() => {
           search: ""
         });
       else
-        super(path13);
+        super(path17);
       this.#req = req;
     }
     get pathname() {
@@ -32643,7 +32643,7 @@ __export(exports_dist, {
 });
 function createWebSocketAdapter() {
   const store = {};
-  function handler(app, path13, options) {
+  function handler(app, path17, options) {
     const { parse: parse5, body, response, ...rest3 } = options;
     const validateMessage = getSchemaValidator(body, {
       modules: app.definitions.typebox,
@@ -32668,7 +32668,7 @@ function createWebSocketAdapter() {
       };
       return ws;
     };
-    app.route("WS", path13, async (context) => {
+    app.route("WS", path17, async (context) => {
       const { set: set22, path: path22, qi, headers, query, params } = context;
       const id = context.request.wsId;
       context.validator = validateResponse;
@@ -32885,8 +32885,8 @@ var handleFile2 = (response, set22) => {
 }, handleElysiaFile2 = (file2, set22 = {
   headers: {}
 }) => {
-  const path13 = file2.path;
-  const contentType = mime[path13.slice(path13.lastIndexOf(".") + 1)];
+  const path17 = file2.path;
+  const contentType = mime[path17.slice(path17.lastIndexOf(".") + 1)];
   if (contentType)
     set22.headers["content-type"] = contentType;
   if (file2.stats && set22 && set22.status !== 206 && set22.status !== 304 && set22.status !== 412 && set22.status !== 416)
@@ -33411,8 +33411,11 @@ import { drizzle } from "drizzle-orm/libsql";
 // src/db/schema.ts
 var exports_schema = {};
 __export(exports_schema, {
+  tags: () => tags,
   settings: () => settings,
   projects: () => projects,
+  projectTags: () => projectTags,
+  projectLogSources: () => projectLogSources,
   deployments: () => deployments,
   categories: () => categories,
   auditLogs: () => auditLogs
@@ -33426,11 +33429,13 @@ var projects = sqliteTable("projects", {
   token: text("token").notNull().unique(),
   preDeployScript: text("pre_deploy_script"),
   postDeployScript: text("post_deploy_script"),
+  postDeployAsync: integer3("post_deploy_async", { mode: "boolean" }).default(false),
   env: text("env"),
   status: text("status").default("idle"),
   cleanMode: text("clean_mode"),
   protectPaths: text("protect_paths"),
   categoryId: text("category_id"),
+  pm2AppName: text("pm2_app_name"),
   createdAt: text("created_at").notNull(),
   updatedAt: text("updated_at").notNull()
 });
@@ -33460,6 +33465,29 @@ var deployments = sqliteTable("deployments", {
   artifactSize: integer3("artifact_size"),
   rollbackOf: text("rollback_of")
 });
+var projectLogSources = sqliteTable("project_log_sources", {
+  id: text("id").primaryKey(),
+  projectId: text("project_id").references(() => projects.id).notNull(),
+  label: text("label").notNull(),
+  filePath: text("file_path").notNull(),
+  kind: text("kind").default("plain"),
+  sortOrder: integer3("sort_order").default(0),
+  createdAt: text("created_at").notNull(),
+  updatedAt: text("updated_at").notNull()
+});
+var tags = sqliteTable("tags", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull().unique(),
+  color: text("color"),
+  sortOrder: integer3("sort_order").default(0),
+  createdAt: text("created_at").notNull(),
+  updatedAt: text("updated_at").notNull()
+});
+var projectTags = sqliteTable("project_tags", {
+  projectId: text("project_id").references(() => projects.id).notNull(),
+  tagId: text("tag_id").references(() => tags.id).notNull(),
+  createdAt: text("created_at").notNull()
+});
 var auditLogs = sqliteTable("audit_logs", {
   id: text("id").primaryKey(),
   createdAt: text("created_at").notNull(),
@@ -33492,6 +33520,7 @@ var initDb = async () => {
       token TEXT NOT NULL UNIQUE,
       pre_deploy_script TEXT,
       post_deploy_script TEXT,
+      post_deploy_async INTEGER DEFAULT 0,
       env TEXT,
       status TEXT DEFAULT 'idle',
       created_at TEXT NOT NULL,
@@ -33511,6 +33540,12 @@ var initDb = async () => {
     await client.execute(`ALTER TABLE projects ADD COLUMN category_id TEXT`);
   } catch {}
   await client.execute(`CREATE INDEX IF NOT EXISTS idx_projects_category_id ON projects(category_id);`);
+  try {
+    await client.execute(`ALTER TABLE projects ADD COLUMN post_deploy_async INTEGER DEFAULT 0`);
+  } catch {}
+  try {
+    await client.execute(`ALTER TABLE projects ADD COLUMN pm2_app_name TEXT`);
+  } catch {}
   await client.execute(`
     CREATE TABLE IF NOT EXISTS categories (
       id TEXT PRIMARY KEY,
@@ -33522,6 +33557,27 @@ var initDb = async () => {
     );
   `);
   await client.execute(`CREATE INDEX IF NOT EXISTS idx_categories_sort_order ON categories(sort_order);`);
+  await client.execute(`
+    CREATE TABLE IF NOT EXISTS tags (
+      id TEXT PRIMARY KEY,
+      name TEXT NOT NULL UNIQUE,
+      color TEXT,
+      sort_order INTEGER DEFAULT 0,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    );
+  `);
+  await client.execute(`CREATE INDEX IF NOT EXISTS idx_tags_sort_order ON tags(sort_order);`);
+  await client.execute(`
+    CREATE TABLE IF NOT EXISTS project_tags (
+      project_id TEXT NOT NULL REFERENCES projects(id),
+      tag_id TEXT NOT NULL REFERENCES tags(id),
+      created_at TEXT NOT NULL,
+      PRIMARY KEY (project_id, tag_id)
+    );
+  `);
+  await client.execute(`CREATE INDEX IF NOT EXISTS idx_project_tags_project_id ON project_tags(project_id);`);
+  await client.execute(`CREATE INDEX IF NOT EXISTS idx_project_tags_tag_id ON project_tags(tag_id);`);
   await client.execute(`
     CREATE TABLE IF NOT EXISTS settings (
       key TEXT PRIMARY KEY,
@@ -33552,6 +33608,36 @@ var initDb = async () => {
     sql: `INSERT OR IGNORE INTO settings (key, value) VALUES (?, ?)`,
     args: ["artifact_keep_n", "10"]
   });
+  const seededRow = await client.execute({
+    sql: "SELECT value FROM settings WHERE key = ?",
+    args: ["tags.seeded"]
+  });
+  if (!seededRow.rows[0]) {
+    const now = new Date().toISOString();
+    const seedTags = [
+      { name: "前端", color: "blue" },
+      { name: "后端", color: "green" },
+      { name: "Node", color: "green" },
+      { name: "Java", color: "yellow" },
+      { name: "Go", color: "cyan" },
+      { name: "Python", color: "purple" },
+      { name: "PM2", color: "pink" },
+      { name: "Docker", color: "cyan" },
+      { name: "SSR", color: "purple" },
+      { name: "静态站点", color: "gray" }
+    ];
+    for (let i = 0;i < seedTags.length; i++) {
+      const t2 = seedTags[i];
+      await client.execute({
+        sql: `INSERT OR IGNORE INTO tags (id, name, color, sort_order, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?)`,
+        args: ["tag_" + randomUUID().replace(/-/g, "").substring(0, 12), t2.name, t2.color, i, now, now]
+      });
+    }
+    await client.execute({
+      sql: `INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)`,
+      args: ["tags.seeded", "1"]
+    });
+  }
   await client.execute(`
     CREATE TABLE IF NOT EXISTS deployments (
       id TEXT PRIMARY KEY,
@@ -33597,6 +33683,20 @@ var initDb = async () => {
   await client.execute(`CREATE INDEX IF NOT EXISTS idx_audit_logs_created_at ON audit_logs(created_at);`);
   await client.execute(`CREATE INDEX IF NOT EXISTS idx_audit_logs_action ON audit_logs(action);`);
   await client.execute(`CREATE INDEX IF NOT EXISTS idx_audit_logs_target_id ON audit_logs(target_id);`);
+  await client.execute(`
+    CREATE TABLE IF NOT EXISTS project_log_sources (
+      id TEXT PRIMARY KEY,
+      project_id TEXT NOT NULL REFERENCES projects(id),
+      label TEXT NOT NULL,
+      file_path TEXT NOT NULL,
+      kind TEXT DEFAULT 'plain',
+      sort_order INTEGER DEFAULT 0,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    );
+  `);
+  await client.execute(`CREATE INDEX IF NOT EXISTS idx_project_log_sources_project_id ON project_log_sources(project_id);`);
+  await client.execute(`CREATE INDEX IF NOT EXISTS idx_project_log_sources_sort_order ON project_log_sources(sort_order);`);
   if (process.env.KITE_SEED_DEMO_PROJECT !== "false") {
     const existing = await client.execute("SELECT COUNT(*) as count FROM projects");
     const count = existing.rows[0]?.count ?? 0;
@@ -33717,10 +33817,59 @@ var db = {
       if (!project)
         return false;
       await ormDb.delete(deployments).where(eq(deployments.projectId, id));
+      await ormDb.delete(projectLogSources).where(eq(projectLogSources.projectId, id));
+      await ormDb.delete(projectTags).where(eq(projectTags.projectId, id));
       await ormDb.delete(projects).where(eq(projects.id, id));
       return true;
     }
   },
+  logSources: {
+    async findByProject(projectId) {
+      await ensureDbReady();
+      return await ormDb.select().from(projectLogSources).where(eq(projectLogSources.projectId, projectId)).orderBy(asc(projectLogSources.sortOrder), asc(projectLogSources.label));
+    },
+    async findById(id) {
+      await ensureDbReady();
+      const result = await ormDb.select().from(projectLogSources).where(eq(projectLogSources.id, id)).limit(1);
+      return result[0] || null;
+    },
+    async create(data) {
+      await ensureDbReady();
+      const now = new Date().toISOString();
+      const row = {
+        id: "lsrc_" + randomUUID().replace(/-/g, "").substring(0, 12),
+        projectId: data.projectId,
+        label: data.label,
+        filePath: data.filePath,
+        kind: data.kind ?? "plain",
+        sortOrder: data.sortOrder ?? 0,
+        createdAt: now,
+        updatedAt: now
+      };
+      await ormDb.insert(projectLogSources).values(row);
+      return row;
+    },
+    async update(id, data) {
+      await ensureDbReady();
+      const patch = { updatedAt: new Date().toISOString() };
+      if (data.label !== undefined)
+        patch.label = data.label;
+      if (data.kind !== undefined)
+        patch.kind = data.kind;
+      if (data.sortOrder !== undefined)
+        patch.sortOrder = data.sortOrder;
+      await ormDb.update(projectLogSources).set(patch).where(eq(projectLogSources.id, id));
+      return this.findById(id);
+    },
+    async remove(id) {
+      await ensureDbReady();
+      const existing = await this.findById(id);
+      if (!existing)
+        return false;
+      await ormDb.delete(projectLogSources).where(eq(projectLogSources.id, id));
+      return true;
+    }
+  },
   categories: {
     async findAll() {
       await ensureDbReady();
@@ -33780,6 +33929,107 @@ var db = {
       return Number(result.rows[0]?.count ?? 0);
     }
   },
+  tags: {
+    async findAll() {
+      await ensureDbReady();
+      return await ormDb.select().from(tags).orderBy(asc(tags.sortOrder), asc(tags.name));
+    },
+    async findById(id) {
+      await ensureDbReady();
+      const result = await ormDb.select().from(tags).where(eq(tags.id, id)).limit(1);
+      return result[0] || null;
+    },
+    async findByName(name) {
+      await ensureDbReady();
+      const result = await ormDb.select().from(tags).where(eq(tags.name, name)).limit(1);
+      return result[0] || null;
+    },
+    async create(data) {
+      await ensureDbReady();
+      const now = new Date().toISOString();
+      const row = {
+        id: data.id || "tag_" + randomUUID().replace(/-/g, "").substring(0, 12),
+        name: data.name,
+        color: data.color ?? null,
+        sortOrder: data.sortOrder ?? 0,
+        createdAt: now,
+        updatedAt: now
+      };
+      await ormDb.insert(tags).values(row);
+      return row;
+    },
+    async update(id, data) {
+      await ensureDbReady();
+      const patch = { updatedAt: new Date().toISOString() };
+      if (data.name !== undefined)
+        patch.name = data.name;
+      if (data.color !== undefined)
+        patch.color = data.color;
+      if (data.sortOrder !== undefined)
+        patch.sortOrder = data.sortOrder;
+      await ormDb.update(tags).set(patch).where(eq(tags.id, id));
+      return this.findById(id);
+    },
+    async remove(id) {
+      await ensureDbReady();
+      const tag = await this.findById(id);
+      if (!tag)
+        return false;
+      await ormDb.delete(projectTags).where(eq(projectTags.tagId, id));
+      await ormDb.delete(tags).where(eq(tags.id, id));
+      return true;
+    },
+    async countProjects(id) {
+      await ensureDbReady();
+      const result = await client.execute({
+        sql: "SELECT COUNT(*) as count FROM project_tags WHERE tag_id = ?",
+        args: [id]
+      });
+      return Number(result.rows[0]?.count ?? 0);
+    }
+  },
+  projectTags: {
+    async listByProject(projectId) {
+      await ensureDbReady();
+      const rows = await ormDb.select().from(projectTags).where(eq(projectTags.projectId, projectId));
+      return rows.map((r) => r.tagId);
+    },
+    async listAllPairs() {
+      await ensureDbReady();
+      const rows = await ormDb.select().from(projectTags);
+      return rows.map((r) => ({ projectId: r.projectId, tagId: r.tagId }));
+    },
+    async setForProject(projectId, tagIds) {
+      await ensureDbReady();
+      const now = new Date().toISOString();
+      await ormDb.delete(projectTags).where(eq(projectTags.projectId, projectId));
+      const unique = Array.from(new Set(tagIds.filter(Boolean)));
+      for (const tagId of unique) {
+        try {
+          await ormDb.insert(projectTags).values({ projectId, tagId, createdAt: now });
+        } catch {}
+      }
+    },
+    async projectIdsHavingAll(tagIds) {
+      await ensureDbReady();
+      const ids = Array.from(new Set(tagIds.filter(Boolean)));
+      if (ids.length === 0)
+        return [];
+      const placeholders = ids.map(() => "?").join(",");
+      const res = await client.execute({
+        sql: `SELECT project_id AS pid FROM project_tags
+              WHERE tag_id IN (${placeholders})
+              GROUP BY project_id
+              HAVING COUNT(DISTINCT tag_id) = ?`,
+        args: [...ids, ids.length]
+      });
+      return res.rows.map((r) => String(r.pid));
+    },
+    async clearProject(projectId) {
+      await ensureDbReady();
+      await ormDb.delete(projectTags).where(eq(projectTags.projectId, projectId));
+    }
+  },
   deployments: {
     async insert(data) {
       await ensureDbReady();
@@ -36373,7 +36623,7 @@ var deployRoutes = new Elysia().post("/api/auth/login", async ({ body, headers,
   if (guard4.locked) {
     const retrySec = Math.ceil(guard4.retryAfterMs / 1000);
     set3.status = 429;
-    set3.headers = { ...set3.headers || {}, "Retry-After": String(retrySec) };
+    set3.headers["Retry-After"] = String(retrySec);
     await writeAudit({ headers }, {
       action: "auth.login_failed",
       targetType: "auth",
@@ -36400,12 +36650,28 @@ var deployRoutes = new Elysia().post("/api/auth/login", async ({ body, headers,
   return { success: false, message: "Invalid token" };
 }, {
   body: t.Object({ token: t.String() })
-}).get("/api/projects", async ({ headers, set: set3 }) => {
+}).get("/api/projects", async ({ headers, query, set: set3 }) => {
   if (!verifyAdminToken(headers)) {
     set3.status = 401;
     return { error: "Unauthorized" };
   }
-  return await db.projects.findAllWithMeta();
+  const items = await db.projects.findAllWithMeta();
+  const pairs = await db.projectTags.listAllPairs();
+  const tagMap = new Map;
+  for (const p of pairs) {
+    if (!tagMap.has(p.projectId))
+      tagMap.set(p.projectId, []);
+    tagMap.get(p.projectId).push(p.tagId);
+  }
+  const withTags = items.map((p) => ({ ...p, tagIds: tagMap.get(p.id) ?? [] }));
+  const tagIdsParam = typeof query.tagIds === "string" ? query.tagIds.trim() : "";
+  if (!tagIdsParam)
+    return withTags;
+  const wantedIds = tagIdsParam.split(",").map((s) => s.trim()).filter(Boolean);
+  if (wantedIds.length === 0)
+    return withTags;
+  const matchIds = new Set(await db.projectTags.projectIdsHavingAll(wantedIds));
+  return withTags.filter((p) => matchIds.has(p.id));
 }).post("/api/projects", async ({ headers, body, set: set3 }) => {
   if (!verifyAdminToken(headers)) {
     set3.status = 401;
@@ -36426,29 +36692,53 @@ var deployRoutes = new Elysia().post("/api/auth/login", async ({ body, headers,
     }
     categoryId = cat.id;
   }
+  const pm2AppName = typeof body.pm2AppName === "string" && body.pm2AppName.trim() !== "" ? body.pm2AppName.trim() : null;
+  const tagIds = [];
+  if (Array.isArray(body.tagIds)) {
+    for (const tid of body.tagIds) {
+      if (typeof tid !== "string" || !tid)
+        continue;
+      const tag = await db.tags.findById(tid);
+      if (tag)
+        tagIds.push(tag.id);
+    }
+  }
+  if (pm2AppName) {
+    const pm2Tag = await db.tags.findByName("PM2");
+    if (pm2Tag && !tagIds.includes(pm2Tag.id)) {
+      tagIds.push(pm2Tag.id);
+    }
+  }
+  const { tagIds: _omitTagIds, ...rest3 } = body;
   const project = await db.projects.create({
-    ...body,
+    ...rest3,
     categoryId,
+    pm2AppName,
     id: "proj_" + randomUUID2().replace(/-/g, "").substring(0, 12),
     token: "kt_" + randomUUID2().replace(/-/g, "")
   });
+  if (tagIds.length > 0) {
+    await db.projectTags.setForProject(project.id, tagIds);
+  }
   await writeAudit({ headers }, {
     action: "project.create",
     targetType: "project",
     targetId: project.id,
     targetName: project.name,
     before: null,
-    after: sanitize2(project),
+    after: { ...sanitize2(project), tagIds },
     summary: `创建项目 ${project.name}`
   });
-  return { success: true, project };
+  return { success: true, project: { ...project, tagIds } };
 }, {
   body: t.Object({
     name: t.String(),
     description: t.Optional(t.String()),
     deployPath: t.String(),
     env: t.Optional(t.String()),
-    categoryId: t.Optional(t.Union([t.String(), t.Null()]))
+    categoryId: t.Optional(t.Union([t.String(), t.Null()])),
+    pm2AppName: t.Optional(t.Union([t.String(), t.Null()])),
+    tagIds: t.Optional(t.Array(t.String()))
   })
 }).get("/api/projects/:id", async ({ headers, params, set: set3 }) => {
   if (!verifyAdminToken(headers)) {
@@ -36460,7 +36750,8 @@ var deployRoutes = new Elysia().post("/api/auth/login", async ({ body, headers,
     set3.status = 404;
     return { error: "Project not found" };
   }
-  return project;
+  const tagIds = await db.projectTags.listByProject(params.id);
+  return { ...project, tagIds };
 }).put("/api/projects/:id", async ({ headers, params, body, set: set3 }) => {
   if (!verifyAdminToken(headers)) {
     set3.status = 401;
@@ -36526,12 +36817,62 @@ var deployRoutes = new Elysia().post("/api/auth/login", async ({ body, headers,
       return { error: "categoryId must be string or null" };
     }
   }
+  if (typeof patch.pm2AppName !== "undefined") {
+    if (patch.pm2AppName === null) {} else if (typeof patch.pm2AppName === "string") {
+      const v = patch.pm2AppName.trim();
+      patch.pm2AppName = v === "" ? null : v;
+    } else {
+      set3.status = 400;
+      return { error: "pm2AppName must be string or null" };
+    }
+  }
+  let nextTagIds;
+  if (typeof patch.tagIds !== "undefined") {
+    if (!Array.isArray(patch.tagIds)) {
+      set3.status = 400;
+      return { error: "tagIds must be string[]" };
+    }
+    const validated = [];
+    for (const tid of patch.tagIds) {
+      if (typeof tid !== "string" || !tid)
+        continue;
+      const tag = await db.tags.findById(tid);
+      if (tag)
+        validated.push(tag.id);
+    }
+    nextTagIds = validated;
+    delete patch.tagIds;
+  }
   const after = await db.projects.update(params.id, patch);
   if (!after) {
     set3.status = 404;
     return { error: "Project not found" };
   }
+  const beforeTagIds = await db.projectTags.listByProject(params.id);
+  const beforePm2 = (before.pm2AppName || "").trim();
+  const afterPm2 = (after.pm2AppName || "").trim();
+  if (afterPm2 && afterPm2 !== beforePm2) {
+    const pm2Tag = await db.tags.findByName("PM2");
+    if (pm2Tag) {
+      const base = nextTagIds !== undefined ? nextTagIds : [...beforeTagIds];
+      if (!base.includes(pm2Tag.id)) {
+        base.push(pm2Tag.id);
+        nextTagIds = base;
+      }
+    }
+  }
+  if (nextTagIds !== undefined) {
+    await db.projectTags.setForProject(params.id, nextTagIds);
+  }
   const diff = diffFields(before, after, Object.keys(patch));
+  if (nextTagIds !== undefined) {
+    const sortedBefore = [...beforeTagIds].sort();
+    const sortedAfter = [...nextTagIds].sort();
+    if (sortedBefore.join(",") !== sortedAfter.join(",")) {
+      diff.before.tagIds = sortedBefore;
+      diff.after.tagIds = sortedAfter;
+    }
+  }
   if (Object.keys(diff.after).length > 0) {
     await writeAudit({ headers }, {
       action: "project.update",
@@ -36543,18 +36884,22 @@ var deployRoutes = new Elysia().post("/api/auth/login", async ({ body, headers,
       summary: `更新项目配置：${Object.keys(diff.after).join(", ")}`
     });
   }
-  return { success: true, project: after };
+  const respTagIds = nextTagIds !== undefined ? nextTagIds : beforeTagIds;
+  return { success: true, project: { ...after, tagIds: respTagIds } };
 }, {
   body: t.Object({
     name: t.Optional(t.String()),
     preDeployScript: t.Optional(t.String()),
     postDeployScript: t.Optional(t.String()),
+    postDeployAsync: t.Optional(t.Boolean()),
     deployPath: t.Optional(t.String()),
     description: t.Optional(t.String()),
     env: t.Optional(t.String()),
     cleanMode: t.Optional(t.Union([t.Literal("merge"), t.Literal("clean"), t.Literal("clean-all"), t.Null()])),
     protectPaths: t.Optional(t.Union([t.Array(t.String()), t.Null()])),
-    categoryId: t.Optional(t.Union([t.String(), t.Null()]))
+    categoryId: t.Optional(t.Union([t.String(), t.Null()])),
+    pm2AppName: t.Optional(t.Union([t.String(), t.Null()])),
+    tagIds: t.Optional(t.Array(t.String()))
   })
 }).delete("/api/projects/:id", async ({ headers, params, set: set3 }) => {
   if (!verifyAdminToken(headers)) {
@@ -36690,6 +37035,19 @@ data: ${JSON.stringify({ status: log3.status, duration: log3.duration })}
     }
     const preDeployCmd = body.preDeploy || project.preDeployScript;
     const postDeployCmd = body.postDeploy || project.postDeployScript;
+    const parseBool = (v) => {
+      if (typeof v === "boolean")
+        return v;
+      if (typeof v === "string") {
+        if (v === "true" || v === "1")
+          return true;
+        if (v === "false" || v === "0" || v === "")
+          return false;
+      }
+      return;
+    };
+    const overrideAsync = parseBool(body.postDeployAsync);
+    const postDeployAsync = overrideAsync !== undefined ? overrideAsync : Boolean(project.postDeployAsync);
     let deployEnv;
     if (body.env) {
       try {
@@ -36796,22 +37154,56 @@ data: ${JSON.stringify({ status: log3.status, duration: log3.duration })}
           await appendLog(`[Kite Deploy] Extracting files...`);
           new import_adm_zip.default(tempZipPath).extractAllTo(destPath, true);
           if (postDeployCmd) {
-            sendEvent(controller, "log", { data: `[Kite Deploy] Running Post-deploy: ${postDeployCmd}` });
-            await appendLog(`[Kite Deploy] Running Post-deploy: ${postDeployCmd}`);
-            let failed = false;
-            for await (const line of runShellCommand(postDeployCmd, destPath, deployEnv)) {
-              if (line.startsWith("\x00EXIT:")) {
-                const exitCode = parseInt(line.slice(6));
-                if (exitCode !== 0) {
-                  failed = true;
+            if (postDeployAsync) {
+              const dispatchMsg = `[Kite Deploy] Dispatching Post-deploy asynchronously (not waiting): ${postDeployCmd}`;
+              sendEvent(controller, "log", { data: dispatchMsg });
+              await appendLog(dispatchMsg);
+              (async () => {
+                try {
+                  for await (const line of runShellCommand(postDeployCmd, destPath, deployEnv)) {
+                    if (line.startsWith("\x00EXIT:")) {
+                      const exitCode = parseInt(line.slice(6));
+                      const exitMsg = exitCode === 0 ? `[Kite Deploy] (async) Post-deploy exited with code 0` : `[Kite Deploy] (async) Post-deploy exited with code ${exitCode}`;
+                      await appendLog(exitMsg);
+                      if (exitCode !== 0) {
+                        try {
+                          await writeAudit({ headers }, {
+                            action: "deploy.post_deploy_failed",
+                            targetType: "project",
+                            targetId: project.id,
+                            targetName: project.name,
+                            summary: `异步 postDeploy 退出码 ${exitCode}（部署 ${deploymentRow.id}）`,
+                            status: "failed",
+                            errorMessage: `Post-deploy exited with code ${exitCode}`
+                          });
+                        } catch {}
+                      }
+                    } else {
+                      await appendLog(line);
+                    }
+                  }
+                } catch (asyncErr) {
+                  await appendLog(`[Kite Deploy] (async) Post-deploy error: ${asyncErr?.message || asyncErr}`);
+                }
+              })();
+            } else {
+              sendEvent(controller, "log", { data: `[Kite Deploy] Running Post-deploy: ${postDeployCmd}` });
+              await appendLog(`[Kite Deploy] Running Post-deploy: ${postDeployCmd}`);
+              let failed = false;
+              for await (const line of runShellCommand(postDeployCmd, destPath, deployEnv)) {
+                if (line.startsWith("\x00EXIT:")) {
+                  const exitCode = parseInt(line.slice(6));
+                  if (exitCode !== 0) {
+                    failed = true;
+                  }
+                } else {
+                  sendEvent(controller, "log", { data: line });
+                  await appendLog(line);
                 }
-              } else {
-                sendEvent(controller, "log", { data: line });
-                await appendLog(line);
               }
+              if (failed)
+                throw new Error("Post-deploy failed");
             }
-            if (failed)
-              throw new Error("Post-deploy failed");
           }
           await fs3.unlink(tempZipPath);
           const durationStr = ((Date.now() - startTime) / 1000).toFixed(1) + "s";
@@ -36866,6 +37258,7 @@ data: ${JSON.stringify({ status: log3.status, duration: log3.duration })}
     projectId: t.String(),
     preDeploy: t.Optional(t.String()),
     postDeploy: t.Optional(t.String()),
+    postDeployAsync: t.Optional(t.Union([t.Boolean(), t.String()])),
     env: t.Optional(t.Any()),
     startedAt: t.Optional(t.String())
   })
@@ -36888,7 +37281,7 @@ data: ${JSON.stringify({ status: log3.status, duration: log3.duration })}
   }
   try {
     const entries = await fs3.readdir(targetPath, { withFileTypes: true });
-    const items = await Promise.all(entries.filter((e) => !e.name.startsWith(".")).map(async (entry) => {
+    const items = await Promise.all(entries.map(async (entry) => {
       const fullPath = path5.join(targetPath, entry.name);
       const relativePath = subPath ? `${subPath}/${entry.name}` : entry.name;
       const stat2 = await fs3.stat(fullPath);
@@ -36896,6 +37289,7 @@ data: ${JSON.stringify({ status: log3.status, duration: log3.duration })}
         name: entry.name,
         path: relativePath,
         isDir: entry.isDirectory(),
+        isHidden: entry.name.startsWith("."),
         size: stat2.size,
         mtime: stat2.mtime.toISOString()
       };
@@ -36903,6 +37297,8 @@ data: ${JSON.stringify({ status: log3.status, duration: log3.duration })}
     items.sort((a, b) => {
       if (a.isDir !== b.isDir)
         return a.isDir ? -1 : 1;
+      if (a.isHidden !== b.isHidden)
+        return a.isHidden ? 1 : -1;
       return a.name.localeCompare(b.name);
     });
     return items;
@@ -37051,6 +37447,67 @@ data: ${JSON.stringify({ status: log3.status, duration: log3.duration })}
     cleanMode: t.Optional(t.Union([t.Literal("merge"), t.Literal("clean"), t.Literal("clean-all"), t.Null()])),
     protectPaths: t.Optional(t.Array(t.String()))
   })
+}).patch("/api/deployments/:id/status", async ({ headers, params, body, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const nextStatus = body.status;
+  if (nextStatus !== "success" && nextStatus !== "failed") {
+    set3.status = 400;
+    return { error: 'status must be "success" or "failed"' };
+  }
+  const deployment = await db.deployments.findById(params.id);
+  if (!deployment) {
+    set3.status = 404;
+    return { error: "Deployment not found" };
+  }
+  if (deployment.status !== "running") {
+    set3.status = 409;
+    return { error: `Deployment is already ${deployment.status}, cannot mark`, code: "NOT_RUNNING" };
+  }
+  const endTimeIso = new Date().toISOString();
+  const startMs = new Date(deployment.startTime).getTime();
+  const endMs = new Date(endTimeIso).getTime();
+  const durationStr = Number.isFinite(startMs) && Number.isFinite(endMs) && endMs >= startMs ? ((endMs - startMs) / 1000).toFixed(1) + "s" : deployment.duration || "0s";
+  const markLine = `[Kite] Manually marked as ${nextStatus} by admin at ${endTimeIso}`;
+  const nextOutput = deployment.output ? `${deployment.output}
+${markLine}` : markLine;
+  await db.deployments.update(deployment.id, {
+    status: nextStatus,
+    endTime: endTimeIso,
+    duration: durationStr,
+    output: nextOutput
+  });
+  const project = await db.projects.findById(deployment.projectId);
+  if (project && project.status === "running") {
+    await db.projects.update(project.id, { status: nextStatus });
+  }
+  broadcastToSubscribers(deployment.id, "log", markLine);
+  broadcastToSubscribers(deployment.id, "status", JSON.stringify({ status: nextStatus, duration: durationStr }));
+  await writeAudit({ headers }, {
+    action: "deployment.mark_status",
+    targetType: "deployment",
+    targetId: deployment.id,
+    targetName: deployment.projectName,
+    before: { status: "running", endTime: deployment.endTime ?? null, duration: deployment.duration ?? null },
+    after: { status: nextStatus, endTime: endTimeIso, duration: durationStr },
+    summary: `手动将部署 ${deployment.id.slice(0, 8)} 标记为 ${nextStatus}`
+  });
+  return {
+    success: true,
+    deployment: {
+      ...deployment,
+      status: nextStatus,
+      endTime: endTimeIso,
+      duration: durationStr,
+      output: nextOutput
+    }
+  };
+}, {
+  body: t.Object({
+    status: t.Union([t.Literal("success"), t.Literal("failed")])
+  })
 }).post("/api/deployments/:id/rollback", async ({ headers, params, set: set3 }) => {
   if (!verifyAdminToken(headers)) {
     set3.status = 401;
@@ -37235,7 +37692,7 @@ var settingsRoutes = new Elysia().get("/api/settings", async ({ headers, set: se
     set3.status = 401;
     return { error: "Unauthorized" };
   }
-  const allowed = ["webhook_url", "webhook_events", "default_deploy_path", "max_upload_size", "global_deploy_token", "artifact_keep_n"];
+  const allowed = ["webhook_url", "webhook_events", "default_deploy_path", "max_upload_size", "global_deploy_token", "artifact_keep_n", "deployment_stuck_threshold_min"];
   const beforeAll = await db.settings.getAll();
   const entries = {};
   for (const [key, value2] of Object.entries(body)) {
@@ -37250,6 +37707,14 @@ var settingsRoutes = new Elysia().get("/api/settings", async ({ headers, set: se
       return { error: `global_deploy_token 强度不足：${result.reason}` };
     }
   }
+  if (Object.prototype.hasOwnProperty.call(entries, "deployment_stuck_threshold_min")) {
+    const n = Number(entries.deployment_stuck_threshold_min);
+    if (!Number.isFinite(n) || !Number.isInteger(n) || n < 1 || n > 1440) {
+      set3.status = 400;
+      return { error: "deployment_stuck_threshold_min 必须为 1~1440 之间的整数（分钟）" };
+    }
+    entries.deployment_stuck_threshold_min = String(n);
+  }
   await db.settings.setMany(entries);
   const afterAll = await db.settings.getAll();
   const changedKeys = Object.keys(entries);
@@ -37271,7 +37736,8 @@ var settingsRoutes = new Elysia().get("/api/settings", async ({ headers, set: se
     default_deploy_path: t.Optional(t.String()),
     max_upload_size: t.Optional(t.String()),
     global_deploy_token: t.Optional(t.String()),
-    artifact_keep_n: t.Optional(t.String())
+    artifact_keep_n: t.Optional(t.String()),
+    deployment_stuck_threshold_min: t.Optional(t.String())
   })
 }).post("/api/settings/token", async ({ headers, body, set: set3 }) => {
   if (!verifyAdminToken(headers)) {
@@ -37283,7 +37749,9 @@ var settingsRoutes = new Elysia().get("/api/settings", async ({ headers, set: se
   if (guard4.locked) {
     const retrySec = Math.ceil(guard4.retryAfterMs / 1000);
     set3.status = 429;
-    set3.headers = { ...set3.headers || {}, "Retry-After": String(retrySec) };
+    if (!set3.headers)
+      set3.headers = {};
+    set3.headers["Retry-After"] = String(retrySec);
     return { error: `Too many attempts, please retry after ${retrySec}s` };
   }
   const { oldToken, newToken } = body;
@@ -38641,33 +39109,47 @@ var fsRoutes = new Elysia().get("/api/fs/home", ({ headers, set: set3 }) => {
     set3.status = 500;
     return { error: err?.message || "readdir failed", path: normalized };
   }
-  const dirEntries = raw.filter((e) => e.isDirectory() || e.isSymbolicLink());
-  const truncated = dirEntries.length > MAX_ENTRIES;
-  const sliced = truncated ? dirEntries.slice(0, MAX_ENTRIES) : dirEntries;
+  const includeRaw = typeof query.include === "string" ? query.include : "dirs";
+  const include = includeRaw === "files" || includeRaw === "both" ? includeRaw : "dirs";
+  const wantedEntries = raw.filter((e) => e.isDirectory() || e.isFile() || e.isSymbolicLink());
+  const truncated = wantedEntries.length > MAX_ENTRIES;
+  const sliced = truncated ? wantedEntries.slice(0, MAX_ENTRIES) : wantedEntries;
   const entries = await Promise.all(sliced.map(async (e) => {
     const full = path11.join(normalized, e.name);
     let isDir = e.isDirectory();
+    let isFile = e.isFile();
     const isSymlink = e.isSymbolicLink();
-    if (!isDir && isSymlink) {
+    if (isSymlink && !isDir && !isFile) {
       try {
         const s = await fs9.stat(full);
         isDir = s.isDirectory();
+        isFile = s.isFile();
       } catch {
         isDir = false;
+        isFile = false;
       }
     }
     return {
       name: e.name,
       path: full,
       isDir,
+      isFile,
       isHidden: e.name.startsWith("."),
       isSymlink
     };
   }));
-  const dirOnly = entries.filter((e) => e.isDir);
-  dirOnly.sort((a, b) => {
+  const filtered = entries.filter((e) => {
+    if (include === "dirs")
+      return e.isDir;
+    if (include === "files")
+      return e.isFile;
+    return e.isDir || e.isFile;
+  });
+  filtered.sort((a, b) => {
     if (a.isHidden !== b.isHidden)
       return a.isHidden ? 1 : -1;
+    if (a.isDir !== b.isDir)
+      return a.isDir ? -1 : 1;
     return a.name.localeCompare(b.name);
   });
   return {
@@ -38676,7 +39158,7 @@ var fsRoutes = new Elysia().get("/api/fs/home", ({ headers, set: set3 }) => {
     exists: true,
     isDir: true,
     truncated,
-    entries: dirOnly
+    entries: filtered
   };
 });
 
@@ -38842,58 +39324,2197 @@ var categoryRoutes = new Elysia().get("/api/categories", async ({ headers, set:
   return { success: true, detachedProjects: projectCount };
 });
 
-// src/static.ts
+// src/routes/log-sources.ts
 init_dist3();
+import path13 from "node:path";
+
+// src/lib/log-tail.ts
+import fs10 from "node:fs";
+import fsp from "node:fs/promises";
 import path12 from "node:path";
-var MIME_TYPES = {
-  ".html": "text/html; charset=utf-8",
-  ".css": "text/css; charset=utf-8",
-  ".js": "application/javascript; charset=utf-8",
-  ".json": "application/json; charset=utf-8",
-  ".svg": "image/svg+xml",
-  ".png": "image/png",
-  ".jpg": "image/jpeg",
-  ".jpeg": "image/jpeg",
-  ".gif": "image/gif",
-  ".ico": "image/x-icon",
-  ".woff": "font/woff",
-  ".woff2": "font/woff2",
-  ".ttf": "font/ttf",
-  ".eot": "application/vnd.ms-fontobject",
-  ".map": "application/json",
-  ".txt": "text/plain; charset=utf-8",
-  ".xml": "application/xml"
-};
-function getMimeType(filePath) {
-  const ext2 = path12.extname(filePath).toLowerCase();
-  return MIME_TYPES[ext2] || "application/octet-stream";
+import os5 from "node:os";
+import readline from "node:readline";
+var log6 = moduleLogger("log-tail");
+var MAX_RANGE_SIZE = 1024 * 1024;
+var DEFAULT_RANGE_SIZE = 64 * 1024;
+var MAX_TAIL_LINES = 5000;
+var DEFAULT_TAIL_LINES = 200;
+var MAX_SEARCH_HITS = 5000;
+var DEFAULT_SEARCH_HITS = 500;
+var DEFAULT_SEARCH_CONTEXT = 2;
+var STREAM_HEARTBEAT_MS = 15000;
+var STREAM_POLL_MS = 1500;
+var STREAM_FLUSH_MS = 500;
+function getBlacklist() {
+  const home = process.env.KITE_HOME || path12.join(os5.homedir(), ".kite");
+  return [
+    path12.join(home, "config.json"),
+    path12.join(home, "kite.db"),
+    "/etc/shadow",
+    "/etc/passwd",
+    "/etc/master.passwd"
+  ];
 }
-var staticPlugin = new Elysia().get("/*", async ({ request, set: set3 }) => {
-  const webDir = process.env.KITE_WEB_DIR;
-  const url = new URL(request.url);
-  let pathname = url.pathname;
-  if (!webDir) {
-    if (pathname === "/")
-      return "Deploy Server is running!";
-    set3.status = 404;
-    return { error: "Web console not available" };
+async function pathGuard(rawPath, opts = {}) {
+  if (typeof rawPath !== "string" || !rawPath) {
+    return { ok: false, status: 400, error: "path is required" };
   }
-  const filePath = path12.resolve(webDir, "." + pathname);
-  if (!filePath.startsWith(path12.resolve(webDir))) {
-    set3.status = 403;
-    return { error: "Access denied" };
+  if (!path12.isAbsolute(rawPath)) {
+    return { ok: false, status: 400, error: "path must be absolute" };
   }
-  const { stat: stat2, access } = await import("node:fs/promises");
+  let resolved = path12.resolve(rawPath);
   try {
-    const fileStat = await stat2(filePath);
-    if (fileStat.isFile()) {
-      const buffer = await readFileBuffer(filePath);
-      set3.headers["Content-Type"] = getMimeType(filePath);
-      set3.headers["Cache-Control"] = pathname.startsWith("/assets/") ? "public, max-age=31536000, immutable" : "no-cache";
-      return new Response(buffer);
-    }
+    resolved = await fsp.realpath(resolved);
+  } catch (err) {
+    if (err?.code === "ENOENT") {
+      if (opts.allowMissing)
+        return { ok: true, resolved };
+      return { ok: false, status: 404, error: "path not found", resolved };
+    }
+    if (err?.code === "EACCES" || err?.code === "EPERM") {
+      return { ok: false, status: 403, error: "permission denied", resolved };
+    }
+    return { ok: false, status: 500, error: err?.message || "realpath failed", resolved };
+  }
+  const blacklist = getBlacklist();
+  for (const blocked of blacklist) {
+    if (resolved === blocked) {
+      return { ok: false, status: 403, error: "path is blacklisted", resolved };
+    }
+  }
+  let stat2;
+  try {
+    stat2 = await fsp.stat(resolved);
+  } catch (err) {
+    if (err?.code === "ENOENT")
+      return { ok: false, status: 404, error: "path not found", resolved };
+    if (err?.code === "EACCES" || err?.code === "EPERM") {
+      return { ok: false, status: 403, error: "permission denied", resolved };
+    }
+    return { ok: false, status: 500, error: err?.message || "stat failed", resolved };
+  }
+  if (!stat2.isFile()) {
+    return { ok: false, status: 400, error: "path is not a regular file", resolved };
+  }
+  return { ok: true, resolved, size: stat2.size };
+}
+function isBinarySample(buf) {
+  if (buf.length === 0)
+    return false;
+  let nul = 0;
+  let ctrl = 0;
+  const sample = buf.subarray(0, Math.min(buf.length, 4096));
+  for (let i = 0;i < sample.length; i++) {
+    const b = sample[i];
+    if (b === 0)
+      nul++;
+    else if (b < 9 || b > 13 && b < 32)
+      ctrl++;
+  }
+  if (nul / sample.length > 0.01)
+    return true;
+  if (ctrl / sample.length > 0.3)
+    return true;
+  return false;
+}
+async function readTail(filePath, maxLines) {
+  const fh = await fsp.open(filePath, "r");
+  try {
+    const stat2 = await fh.stat();
+    const size = stat2.size;
+    if (size === 0)
+      return { lines: [], binary: false, size, startOffset: 0 };
+    const chunkSize = 64 * 1024;
+    let position = size;
+    const chunks = [];
+    let lineCount = 0;
+    let binary = false;
+    let sampled = false;
+    while (position > 0 && lineCount <= maxLines) {
+      const readSize = Math.min(chunkSize, position);
+      position -= readSize;
+      const buf = Buffer.alloc(readSize);
+      await fh.read(buf, 0, readSize, position);
+      if (!sampled) {
+        binary = isBinarySample(buf);
+        sampled = true;
+        if (binary)
+          return { lines: [], binary: true, size, startOffset: size };
+      }
+      chunks.unshift(buf);
+      for (let i = 0;i < buf.length; i++) {
+        if (buf[i] === 10)
+          lineCount++;
+      }
+    }
+    const all = Buffer.concat(chunks).toString("utf8");
+    const allLines = all.split(`
+`);
+    if (allLines.length > 0 && allLines[allLines.length - 1] === "")
+      allLines.pop();
+    const sliced = allLines.length > maxLines ? allLines.slice(allLines.length - maxLines) : allLines;
+    return { lines: sliced, binary: false, size, startOffset: position };
+  } finally {
+    await fh.close();
+  }
+}
+async function readRange(filePath, opts = {}) {
+  const fh = await fsp.open(filePath, "r");
+  try {
+    const stat2 = await fh.stat();
+    const fileSize = stat2.size;
+    const winSize = Math.max(1024, Math.min(opts.size ?? DEFAULT_RANGE_SIZE, MAX_RANGE_SIZE));
+    const direction = opts.direction ?? (opts.offset === undefined ? "tail" : "forward");
+    if (fileSize === 0) {
+      return { startOffset: 0, endOffset: 0, fileSize, lines: [], truncatedHead: false, truncatedTail: false, binary: false };
+    }
+    let start;
+    if (direction === "tail") {
+      start = Math.max(0, fileSize - winSize);
+    } else if (direction === "backward") {
+      const o = opts.offset ?? fileSize;
+      start = Math.max(0, o - winSize);
+    } else {
+      start = Math.max(0, Math.min(opts.offset ?? 0, fileSize));
+    }
+    let end = Math.min(start + winSize, fileSize);
+    const len = end - start;
+    if (len <= 0) {
+      return { startOffset: start, endOffset: end, fileSize, lines: [], truncatedHead: false, truncatedTail: false, binary: false };
+    }
+    const buf = Buffer.alloc(len);
+    await fh.read(buf, 0, len, start);
+    if (isBinarySample(buf)) {
+      return { startOffset: start, endOffset: end, fileSize, lines: [], truncatedHead: false, truncatedTail: false, binary: true };
+    }
+    let truncatedHead = false;
+    let truncatedTail = false;
+    let viewStart = 0;
+    let viewEnd = buf.length;
+    if (start > 0) {
+      const nl = buf.indexOf(10);
+      if (nl >= 0) {
+        viewStart = nl + 1;
+        truncatedHead = true;
+      } else {
+        return {
+          startOffset: start,
+          endOffset: end,
+          fileSize,
+          lines: [],
+          truncatedHead: true,
+          truncatedTail: end < fileSize,
+          binary: false
+        };
+      }
+    }
+    if (end < fileSize) {
+      const nl = buf.lastIndexOf(10);
+      if (nl >= viewStart) {
+        viewEnd = nl + 1;
+        truncatedTail = true;
+      } else {
+        return {
+          startOffset: start,
+          endOffset: end,
+          fileSize,
+          lines: [],
+          truncatedHead,
+          truncatedTail: true,
+          binary: false
+        };
+      }
+    }
+    const text2 = buf.subarray(viewStart, viewEnd).toString("utf8");
+    const lines = text2.split(`
+`);
+    if (lines.length > 0 && lines[lines.length - 1] === "")
+      lines.pop();
+    return {
+      startOffset: start + viewStart,
+      endOffset: start + viewEnd,
+      fileSize,
+      lines,
+      truncatedHead,
+      truncatedTail,
+      binary: false
+    };
+  } finally {
+    await fh.close();
+  }
+}
+function watchTail(filePath, initialOffset, cb) {
+  let lastSize = initialOffset;
+  let closed = false;
+  let reading = false;
+  let pending = false;
+  const handleChange = async () => {
+    if (closed)
+      return;
+    if (reading) {
+      pending = true;
+      return;
+    }
+    reading = true;
+    try {
+      let stat2;
+      try {
+        stat2 = await fsp.stat(filePath);
+      } catch (err) {
+        if (err?.code === "ENOENT") {
+          if (lastSize !== 0) {
+            lastSize = 0;
+            cb.onRotate();
+          }
+          return;
+        }
+        throw err;
+      }
+      const newSize = stat2.size;
+      if (newSize < lastSize) {
+        lastSize = 0;
+        cb.onRotate();
+        return;
+      }
+      if (newSize === lastSize)
+        return;
+      const fh = await fsp.open(filePath, "r");
+      try {
+        const len = newSize - lastSize;
+        const buf = Buffer.alloc(len);
+        await fh.read(buf, 0, len, lastSize);
+        lastSize = newSize;
+        cb.onAppend(buf.toString("utf8"), newSize);
+      } finally {
+        await fh.close();
+      }
+    } catch (err) {
+      cb.onError?.(err);
+    } finally {
+      reading = false;
+      if (pending) {
+        pending = false;
+        setImmediate(handleChange);
+      }
+    }
+  };
+  let watcher = null;
+  try {
+    watcher = fs10.watch(filePath, { persistent: false }, () => {
+      handleChange();
+    });
+    watcher.on("error", (err) => {
+      cb.onError?.(err);
+    });
+  } catch (err) {
+    log6.warn({ filePath, err: err.message }, "fs.watch failed; relying on polling");
+  }
+  const timer = setInterval(handleChange, STREAM_POLL_MS);
+  if (typeof timer.unref === "function")
+    timer.unref();
+  return {
+    close() {
+      if (closed)
+        return;
+      closed = true;
+      try {
+        watcher?.close();
+      } catch {}
+      clearInterval(timer);
+    }
+  };
+}
+function grepStream(filePath, opts, cb) {
+  const maxHits = Math.max(1, Math.min(opts.maxHits ?? DEFAULT_SEARCH_HITS, MAX_SEARCH_HITS));
+  const context = Math.max(0, Math.min(opts.context ?? DEFAULT_SEARCH_CONTEXT, 20));
+  let matcher;
+  if (opts.regex) {
+    let re;
+    try {
+      re = new RegExp(opts.q, opts.caseInsensitive ? "i" : "");
+    } catch (err) {
+      cb.onError(new Error(`invalid regex: ${err?.message || err}`));
+      return { abort() {} };
+    }
+    matcher = (line) => re.test(line);
+  } else if (opts.caseInsensitive) {
+    const needle = opts.q.toLowerCase();
+    matcher = (line) => line.toLowerCase().includes(needle);
+  } else {
+    const needle = opts.q;
+    matcher = (line) => line.includes(needle);
+  }
+  const start = Math.max(0, opts.fromOffset ?? 0);
+  const end = opts.toOffset !== undefined ? Math.max(start, opts.toOffset) : undefined;
+  const readStream = fs10.createReadStream(filePath, end === undefined ? { start } : { start, end });
+  const rl = readline.createInterface({ input: readStream, crlfDelay: Infinity });
+  let bytesSeen = start;
+  let hits = 0;
+  let aborted = false;
+  const beforeBuf = [];
+  const pendingAfter = [];
+  function flushPending(currentLine) {
+    if (!currentLine) {
+      for (const p of pendingAfter)
+        cb.onHit(p.hit);
+      pendingAfter.length = 0;
+      return;
+    }
+    const stillPending = [];
+    for (const p of pendingAfter) {
+      p.hit.after.push(currentLine.text);
+      p.need -= 1;
+      if (p.need <= 0)
+        cb.onHit(p.hit);
+      else
+        stillPending.push(p);
+    }
+    pendingAfter.length = 0;
+    pendingAfter.push(...stillPending);
+  }
+  function pushBefore(entry) {
+    beforeBuf.push(entry);
+    if (beforeBuf.length > context)
+      beforeBuf.shift();
+  }
+  rl.on("line", (line) => {
+    if (aborted)
+      return;
+    if (opts.signal?.aborted) {
+      abort();
+      return;
+    }
+    const lineOffset = bytesSeen;
+    const byteLen = Buffer.byteLength(line, "utf8") + 1;
+    bytesSeen += byteLen;
+    flushPending({ offset: lineOffset, text: line });
+    if (matcher(line)) {
+      const hit = {
+        offset: lineOffset,
+        text: line,
+        before: beforeBuf.map((b) => b.text),
+        after: []
+      };
+      if (context > 0) {
+        pendingAfter.push({ hit, need: context });
+      } else {
+        cb.onHit(hit);
+      }
+      hits += 1;
+      if (hits >= maxHits) {
+        cb.onTruncated();
+        abort();
+        return;
+      }
+    }
+    pushBefore({ offset: lineOffset, text: line });
+  });
+  rl.on("close", () => {
+    if (aborted)
+      return;
+    flushPending(null);
+    cb.onDone(bytesSeen - start);
+  });
+  readStream.on("error", (err) => {
+    if (aborted)
+      return;
+    aborted = true;
+    cb.onError(err);
+  });
+  function abort() {
+    if (aborted)
+      return;
+    aborted = true;
+    try {
+      rl.close();
+    } catch {}
+    try {
+      readStream.destroy();
+    } catch {}
+    flushPending(null);
+    cb.onDone(bytesSeen - start);
+  }
+  if (opts.signal) {
+    if (opts.signal.aborted)
+      abort();
+    else
+      opts.signal.addEventListener("abort", abort, { once: true });
+  }
+  return { abort };
+}
+
+// src/routes/log-sources.ts
+var log7 = moduleLogger("log-sources");
+var VALID_KINDS = new Set(["pm2", "nginx", "plain"]);
+function normalizeKind(input) {
+  if (typeof input !== "string")
+    return "plain";
+  return VALID_KINDS.has(input) ? input : "plain";
+}
+function basename(p) {
+  return path13.basename(p) || p;
+}
+function toInt(v, fallback) {
+  if (typeof v === "number" && Number.isFinite(v))
+    return Math.trunc(v);
+  if (typeof v === "string" && v.trim() !== "") {
+    const n = Number(v);
+    if (Number.isFinite(n))
+      return Math.trunc(n);
+  }
+  return fallback;
+}
+function sseLine(event, data) {
+  return new TextEncoder().encode(`event: ${event}
+data: ${JSON.stringify(data)}
+
+`);
+}
+function sseComment(text2) {
+  return new TextEncoder().encode(`: ${text2}
+
+`);
+}
+var logSourceRoutes = new Elysia().get("/api/projects/:id/log-sources", async ({ headers, params, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const project = await db.projects.findById(params.id);
+  if (!project) {
+    set3.status = 404;
+    return { error: "Project not found" };
+  }
+  const sources = await db.logSources.findByProject(params.id);
+  return { items: sources };
+}).post("/api/projects/:id/log-sources", async ({ headers, params, body, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const project = await db.projects.findById(params.id);
+  if (!project) {
+    set3.status = 404;
+    return { error: "Project not found" };
+  }
+  const rawItems = Array.isArray(body?.items) ? body.items : null;
+  if (!rawItems || rawItems.length === 0) {
+    set3.status = 400;
+    return { error: "items is required (array of {label, filePath, kind?})" };
+  }
+  if (rawItems.length > 50) {
+    set3.status = 400;
+    return { error: "too many items in one request (max 50)" };
+  }
+  const created = [];
+  const errors2 = [];
+  for (let i = 0;i < rawItems.length; i++) {
+    const item = rawItems[i] || {};
+    const filePath = typeof item.filePath === "string" ? item.filePath : "";
+    if (!filePath) {
+      errors2.push({ index: i, error: "filePath is required" });
+      continue;
+    }
+    const guard4 = await pathGuard(filePath, { allowMissing: true });
+    if (!guard4.ok) {
+      errors2.push({ index: i, error: guard4.error || "invalid path" });
+      continue;
+    }
+    const label = typeof item.label === "string" && item.label.trim() ? item.label.trim() : basename(filePath);
+    const kind = normalizeKind(item.kind);
+    const row = await db.logSources.create({
+      projectId: params.id,
+      label,
+      filePath: guard4.resolved || filePath,
+      kind
+    });
+    created.push(row);
+  }
+  if (created.length === 0) {
+    set3.status = 400;
+    return { error: "no item created", details: errors2 };
+  }
+  return { created, errors: errors2 };
+}).patch("/api/log-sources/:sourceId", async ({ headers, params, body, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const existing = await db.logSources.findById(params.sourceId);
+  if (!existing) {
+    set3.status = 404;
+    return { error: "Log source not found" };
+  }
+  const patch = {};
+  if (typeof body?.label === "string") {
+    const trimmed = body.label.trim();
+    if (!trimmed) {
+      set3.status = 400;
+      return { error: "label cannot be empty" };
+    }
+    patch.label = trimmed;
+  }
+  if (body?.kind !== undefined) {
+    patch.kind = normalizeKind(body.kind);
+  }
+  if (body?.sortOrder !== undefined) {
+    patch.sortOrder = toInt(body.sortOrder, existing.sortOrder ?? 0);
+  }
+  const updated = await db.logSources.update(params.sourceId, patch);
+  return updated;
+}).delete("/api/log-sources/:sourceId", async ({ headers, params, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const ok = await db.logSources.remove(params.sourceId);
+  if (!ok) {
+    set3.status = 404;
+    return { error: "Log source not found" };
+  }
+  return { ok: true };
+}).get("/api/log-sources/:sourceId/meta", async ({ headers, params, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const src = await db.logSources.findById(params.sourceId);
+  if (!src) {
+    set3.status = 404;
+    return { error: "Log source not found" };
+  }
+  const guard4 = await pathGuard(src.filePath);
+  if (!guard4.ok) {
+    set3.status = guard4.status || 500;
+    return { error: guard4.error || "path error" };
+  }
+  return {
+    id: src.id,
+    label: src.label,
+    filePath: src.filePath,
+    resolvedPath: guard4.resolved,
+    kind: src.kind ?? "plain",
+    size: guard4.size ?? 0
+  };
+}).get("/api/log-sources/:sourceId/range", async ({ headers, params, query, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const src = await db.logSources.findById(params.sourceId);
+  if (!src) {
+    set3.status = 404;
+    return { error: "Log source not found" };
+  }
+  const guard4 = await pathGuard(src.filePath);
+  if (!guard4.ok) {
+    set3.status = guard4.status || 500;
+    return { error: guard4.error || "path error" };
+  }
+  const rawOffset = query.offset;
+  const rawDirection = query.direction;
+  const size = Math.max(1024, Math.min(toInt(query.size, DEFAULT_RANGE_SIZE), MAX_RANGE_SIZE));
+  const direction = rawDirection === "backward" || rawDirection === "forward" || rawDirection === "tail" ? rawDirection : rawOffset === undefined ? "tail" : "forward";
+  const offset = rawOffset === undefined ? undefined : Math.max(0, toInt(rawOffset, 0));
+  try {
+    const result = await readRange(guard4.resolved, { offset, size, direction });
+    return result;
+  } catch (err) {
+    log7.warn({ err: err?.message, sourceId: src.id }, "readRange failed");
+    set3.status = 500;
+    return { error: err?.message || "read failed" };
+  }
+}).get("/api/log-sources/:sourceId/stream", async ({ headers, params, query, set: set3, request }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return new Response("Unauthorized", { status: 401 });
+  }
+  const src = await db.logSources.findById(params.sourceId);
+  if (!src) {
+    set3.status = 404;
+    return new Response("Not found", { status: 404 });
+  }
+  const guard4 = await pathGuard(src.filePath);
+  if (!guard4.ok) {
+    set3.status = guard4.status || 500;
+    return new Response(guard4.error || "path error", { status: guard4.status || 500 });
+  }
+  const tailLines = Math.max(1, Math.min(toInt(query.tailLines, DEFAULT_TAIL_LINES), MAX_TAIL_LINES));
+  const filePath = guard4.resolved;
+  let watcher = null;
+  let heartbeat = null;
+  let flushTimer = null;
+  let pendingLines = [];
+  let closed = false;
+  let controllerRef = null;
+  const safeEnqueue = (chunk) => {
+    if (closed || !controllerRef)
+      return;
+    try {
+      controllerRef.enqueue(chunk);
+    } catch {}
+  };
+  const flush = () => {
+    if (flushTimer) {
+      clearTimeout(flushTimer);
+      flushTimer = null;
+    }
+    if (pendingLines.length === 0)
+      return;
+    const batch = pendingLines;
+    pendingLines = [];
+    safeEnqueue(sseLine("lines", { lines: batch }));
+  };
+  const scheduleFlush = () => {
+    if (flushTimer)
+      return;
+    flushTimer = setTimeout(flush, STREAM_FLUSH_MS);
+  };
+  const cleanup = () => {
+    if (closed)
+      return;
+    closed = true;
+    if (heartbeat)
+      clearInterval(heartbeat);
+    if (flushTimer)
+      clearTimeout(flushTimer);
+    if (watcher) {
+      try {
+        watcher.close();
+      } catch {}
+    }
+    try {
+      controllerRef?.close();
+    } catch {}
+  };
+  const stream = new ReadableStream({
+    start(controller) {
+      controllerRef = controller;
+      (async () => {
+        try {
+          const initial = await readTail(filePath, tailLines);
+          safeEnqueue(sseLine("snapshot", {
+            lines: initial.lines,
+            size: initial.size,
+            binary: initial.binary
+          }));
+          if (initial.binary) {
+            cleanup();
+            return;
+          }
+          watcher = watchTail(filePath, initial.size, {
+            onAppend: (chunk) => {
+              if (closed)
+                return;
+              const parts = chunk.split(`
+`);
+              if (parts.length > 0 && parts[parts.length - 1] === "")
+                parts.pop();
+              if (parts.length === 0)
+                return;
+              if (pendingLines.length + parts.length > 2000) {
+                pendingLines = pendingLines.concat(parts).slice(-2000);
+              } else {
+                pendingLines.push(...parts);
+              }
+              scheduleFlush();
+            },
+            onRotate: () => {
+              if (closed)
+                return;
+              flush();
+              safeEnqueue(sseLine("rotated", { at: new Date().toISOString() }));
+              readTail(filePath, tailLines).then((again) => {
+                if (closed)
+                  return;
+                safeEnqueue(sseLine("snapshot", {
+                  lines: again.lines,
+                  size: again.size,
+                  binary: again.binary
+                }));
+              }).catch((err) => {
+                safeEnqueue(sseLine("error", { message: err?.message || "rotate read failed" }));
+              });
+            },
+            onError: (err) => {
+              if (closed)
+                return;
+              safeEnqueue(sseLine("error", { message: err?.message || "watch error" }));
+            }
+          });
+          heartbeat = setInterval(() => safeEnqueue(sseComment("keep-alive")), STREAM_HEARTBEAT_MS);
+        } catch (err) {
+          safeEnqueue(sseLine("error", { message: err?.message || "init failed" }));
+          cleanup();
+        }
+      })();
+    },
+    cancel() {
+      cleanup();
+    }
+  });
+  request.signal?.addEventListener("abort", cleanup, { once: true });
+  return new Response(stream, {
+    headers: {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive",
+      "X-Accel-Buffering": "no"
+    }
+  });
+}).get("/api/log-sources/:sourceId/search", async ({ headers, params, query, set: set3, request }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return new Response("Unauthorized", { status: 401 });
+  }
+  const src = await db.logSources.findById(params.sourceId);
+  if (!src) {
+    set3.status = 404;
+    return new Response("Not found", { status: 404 });
+  }
+  const guard4 = await pathGuard(src.filePath);
+  if (!guard4.ok) {
+    set3.status = guard4.status || 500;
+    return new Response(guard4.error || "path error", { status: guard4.status || 500 });
+  }
+  const q = typeof query.q === "string" ? query.q : "";
+  if (!q) {
+    set3.status = 400;
+    return new Response("q is required", { status: 400 });
+  }
+  const regex2 = query.regex === "true" || query.regex === "1";
+  const caseInsensitive = query.caseInsensitive === "true" || query.caseInsensitive === "1";
+  const maxHits = Math.max(1, Math.min(toInt(query.maxHits, DEFAULT_SEARCH_HITS), MAX_SEARCH_HITS));
+  const context = Math.max(0, Math.min(toInt(query.context, DEFAULT_SEARCH_CONTEXT), 20));
+  const fromOffset = query.fromOffset !== undefined ? Math.max(0, toInt(query.fromOffset, 0)) : undefined;
+  const toOffset = query.toOffset !== undefined ? Math.max(0, toInt(query.toOffset, 0)) : undefined;
+  let controllerRef = null;
+  let heartbeat = null;
+  let stopper = null;
+  let closed = false;
+  const safeEnqueue = (chunk) => {
+    if (closed || !controllerRef)
+      return;
+    try {
+      controllerRef.enqueue(chunk);
+    } catch {}
+  };
+  const cleanup = () => {
+    if (closed)
+      return;
+    closed = true;
+    if (heartbeat)
+      clearInterval(heartbeat);
+    if (stopper) {
+      try {
+        stopper.abort();
+      } catch {}
+    }
+    try {
+      controllerRef?.close();
+    } catch {}
+  };
+  const stream = new ReadableStream({
+    start(controller) {
+      controllerRef = controller;
+      heartbeat = setInterval(() => safeEnqueue(sseComment("keep-alive")), STREAM_HEARTBEAT_MS);
+      stopper = grepStream(guard4.resolved, {
+        q,
+        regex: regex2,
+        caseInsensitive,
+        maxHits,
+        context,
+        fromOffset,
+        toOffset,
+        signal: request.signal
+      }, {
+        onHit: (hit) => safeEnqueue(sseLine("hit", hit)),
+        onTruncated: () => safeEnqueue(sseLine("truncated", { maxHits })),
+        onDone: (scannedBytes) => {
+          safeEnqueue(sseLine("done", { scannedBytes }));
+          cleanup();
+        },
+        onError: (err) => {
+          safeEnqueue(sseLine("error", { message: err?.message || "search error" }));
+          cleanup();
+        }
+      });
+    },
+    cancel() {
+      cleanup();
+    }
+  });
+  request.signal?.addEventListener("abort", cleanup, { once: true });
+  return new Response(stream, {
+    headers: {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive",
+      "X-Accel-Buffering": "no"
+    }
+  });
+});
+
+// src/routes/system.ts
+init_dist3();
+
+// src/lib/system-metrics.ts
+import os6 from "node:os";
+import fs11 from "node:fs/promises";
+function readCpuSnapshot() {
+  const cpus = os6.cpus();
+  let idle = 0;
+  let total = 0;
+  for (const c of cpus) {
+    const t2 = c.times;
+    idle += t2.idle;
+    total += t2.user + t2.nice + t2.sys + t2.idle + t2.irq;
+  }
+  return { idle, total };
+}
+var lastSnapshot = null;
+var lastCpuPercent = null;
+function sampleCpuPercent() {
+  const cur = readCpuSnapshot();
+  if (!lastSnapshot) {
+    lastSnapshot = cur;
+    return lastCpuPercent;
+  }
+  const idleDiff = cur.idle - lastSnapshot.idle;
+  const totalDiff = cur.total - lastSnapshot.total;
+  lastSnapshot = cur;
+  if (totalDiff <= 0)
+    return lastCpuPercent;
+  const pct = Math.max(0, Math.min(100, Math.round((1 - idleDiff / totalDiff) * 1e4) / 100));
+  lastCpuPercent = pct;
+  return pct;
+}
+readCpuSnapshot();
+lastSnapshot = readCpuSnapshot();
+async function readAvailableMemoryBytes(totalBytes) {
+  try {
+    if (process.platform === "darwin") {
+      const { stdout, code } = await runCmd("vm_stat", []);
+      if (code !== 0)
+        return os6.freemem();
+      const pageSizeMatch = stdout.match(/page size of (\d+) bytes/);
+      const pageSize = pageSizeMatch ? Number(pageSizeMatch[1]) : 4096;
+      const pick3 = (key) => {
+        const m = stdout.match(new RegExp(`Pages ${key}:\\s+(\\d+)`));
+        return m ? Number(m[1]) : 0;
+      };
+      const free = pick3("free");
+      const inactive = pick3("inactive");
+      const speculative = pick3("speculative");
+      const purgeable = pick3("purgeable");
+      const available = (free + inactive + speculative + purgeable) * pageSize;
+      return available > 0 ? Math.min(available, totalBytes) : os6.freemem();
+    }
+    if (process.platform === "linux") {
+      const content = await fs11.readFile("/proc/meminfo", "utf8");
+      const m = content.match(/^MemAvailable:\s+(\d+)\s*kB/m);
+      if (m) {
+        const bytes = Number(m[1]) * 1024;
+        return Number.isFinite(bytes) ? bytes : os6.freemem();
+      }
+      return os6.freemem();
+    }
+  } catch {
+    return os6.freemem();
+  }
+  return os6.freemem();
+}
+var lastProcCpuUsage = process.cpuUsage();
+var lastProcSampleAt = Date.now();
+var lastProcCpuPercent = null;
+function sampleProcessCpuPercent() {
+  const usage = process.cpuUsage(lastProcCpuUsage);
+  const now = Date.now();
+  const elapsedMs = now - lastProcSampleAt;
+  lastProcCpuUsage = process.cpuUsage();
+  lastProcSampleAt = now;
+  if (elapsedMs <= 0)
+    return lastProcCpuPercent;
+  const cpuMs = (usage.user + usage.system) / 1000;
+  const cores = Math.max(1, os6.cpus().length);
+  const pct = Math.max(0, Math.min(100, Math.round(cpuMs / (elapsedMs * cores) * 1e4) / 100));
+  lastProcCpuPercent = pct;
+  return pct;
+}
+async function collectSystemResources() {
+  const cpus = os6.cpus();
+  const cpuPercent = sampleCpuPercent();
+  const totalMem = os6.totalmem();
+  const freeMem = os6.freemem();
+  const [availMem, disk] = await Promise.all([
+    readAvailableMemoryBytes(totalMem),
+    fsFree()
+  ]);
+  const usedMem = Math.max(0, totalMem - availMem);
+  const mem = process.memoryUsage();
+  const runtimeName = typeof globalThis.Bun !== "undefined" ? "bun" : "node";
+  const runtimeVersion = runtimeName === "bun" ? `v${globalThis.Bun.version}` : process.version;
+  return {
+    collectedAt: new Date().toISOString(),
+    host: {
+      hostname: os6.hostname(),
+      platform: process.platform,
+      arch: process.arch,
+      cpuModel: cpus[0]?.model ?? null,
+      cpuCount: cpus.length,
+      loadAvg: os6.loadavg(),
+      uptimeSec: Math.floor(os6.uptime())
+    },
+    cpu: { percent: cpuPercent },
+    memory: {
+      totalBytes: totalMem,
+      freeBytes: freeMem,
+      availableBytes: availMem,
+      usedBytes: usedMem,
+      percentUsed: totalMem > 0 ? Math.round(usedMem / totalMem * 1e4) / 100 : 0
+    },
+    disk,
+    process: {
+      pid: process.pid,
+      runtime: runtimeName,
+      runtimeVersion,
+      uptimeSec: Math.floor(process.uptime()),
+      cpuPercent: sampleProcessCpuPercent(),
+      memoryRssBytes: mem.rss,
+      memoryHeapUsedBytes: mem.heapUsed
+    }
+  };
+}
+
+// src/routes/system.ts
+var systemRoutes = new Elysia().get("/api/system/resources", async ({ headers, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  return await collectSystemResources();
+});
+
+// src/routes/pm2.ts
+init_dist3();
+
+// src/lib/pm2.ts
+import os7 from "node:os";
+import path14 from "node:path";
+var cachedPm2Path = undefined;
+async function resolvePm2Path() {
+  if (cachedPm2Path !== undefined)
+    return cachedPm2Path;
+  const candidates = ["pm2"];
+  const home = os7.homedir();
+  candidates.push(path14.join(home, ".local/bin/pm2"), "/usr/local/bin/pm2", "/opt/homebrew/bin/pm2");
+  for (const c of candidates) {
+    const probe = await runCmd(c, ["--version"], 1500);
+    if (probe.code === 0) {
+      cachedPm2Path = c;
+      return c;
+    }
+  }
+  cachedPm2Path = null;
+  return null;
+}
+async function isPm2Available() {
+  return await resolvePm2Path() !== null;
+}
+var cache3 = null;
+var CACHE_TTL_MS3 = 1500;
+async function pm2Jlist() {
+  if (cache3 && Date.now() - cache3.at < CACHE_TTL_MS3)
+    return cache3.data;
+  const bin = await resolvePm2Path();
+  if (!bin)
+    return [];
+  const { stdout, code } = await runCmd(bin, ["jlist"], 4000);
+  if (code !== 0)
+    return [];
+  try {
+    const start = stdout.indexOf("[");
+    if (start < 0)
+      return [];
+    const arr = JSON.parse(stdout.slice(start));
+    if (!Array.isArray(arr))
+      return [];
+    cache3 = { at: Date.now(), data: arr };
+    return arr;
+  } catch {
+    return [];
+  }
+}
+async function listPm2Apps() {
+  const list = await pm2Jlist();
+  return list.map((item) => ({
+    name: String(item?.name ?? ""),
+    pmId: Number(item?.pm_id ?? -1),
+    status: String(item?.pm2_env?.status ?? "unknown")
+  })).filter((x) => x.name);
+}
+async function getPm2AppStatus(name) {
+  const available = await isPm2Available();
+  if (!available) {
+    return { found: false, name, message: "pm2 binary not found in PATH" };
+  }
+  const list = await pm2Jlist();
+  const matched = list.filter((item) => String(item?.name) === name);
+  if (matched.length === 0) {
+    return { found: false, name, message: `no pm2 app named "${name}"` };
+  }
+  const first = matched[0];
+  let cpuSum = 0;
+  let memSum = 0;
+  let restarts = 0;
+  let unstable = 0;
+  let uptimeMax = 0;
+  let status2 = "unknown";
+  for (const m of matched) {
+    const monit = m?.monit || {};
+    cpuSum += Number(monit.cpu ?? 0);
+    memSum += Number(monit.memory ?? 0);
+    const env4 = m?.pm2_env || {};
+    restarts += Number(env4.restart_time ?? 0);
+    unstable += Number(env4.unstable_restarts ?? 0);
+    if (typeof env4.pm_uptime === "number") {
+      const up = Date.now() - env4.pm_uptime;
+      if (up > uptimeMax)
+        uptimeMax = up;
+    }
+    if (env4.status)
+      status2 = String(env4.status);
+  }
+  const env3 = first?.pm2_env || {};
+  return {
+    found: true,
+    name,
+    pmId: Number(first?.pm_id ?? -1),
+    pid: Number(first?.pid ?? 0),
+    status: status2,
+    uptimeMs: uptimeMax || undefined,
+    restarts,
+    unstableRestarts: unstable,
+    cpuPercent: Math.round(cpuSum * 100) / 100,
+    memoryBytes: memSum,
+    execMode: env3.exec_mode ? String(env3.exec_mode) : undefined,
+    instances: matched.length,
+    pm2_env_status: env3.status ? String(env3.status) : undefined,
+    errorLogPath: env3.pm_err_log_path ? String(env3.pm_err_log_path) : undefined,
+    outLogPath: env3.pm_out_log_path ? String(env3.pm_out_log_path) : undefined,
+    createdAt: typeof env3.created_at === "number" ? env3.created_at : undefined
+  };
+}
+
+// src/routes/pm2.ts
+var pm2Routes = new Elysia().get("/api/pm2/available", async ({ headers, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const available = await isPm2Available();
+  return { available };
+}).get("/api/pm2/apps", async ({ headers, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const apps = await listPm2Apps();
+  return { apps };
+}).get("/api/projects/:id/pm2", async ({ headers, params, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const project = await db.projects.findById(params.id);
+  if (!project) {
+    set3.status = 404;
+    return { error: "Project not found" };
+  }
+  if (!project.pm2AppName) {
+    return { bound: false, message: "project has no pm2 app bound" };
+  }
+  const status2 = await getPm2AppStatus(project.pm2AppName);
+  return { bound: true, ...status2 };
+});
+
+// src/routes/tags.ts
+init_dist3();
+var ALLOWED_COLORS2 = new Set(["blue", "green", "yellow", "purple", "pink", "cyan", "gray"]);
+var COLOR_PALETTE2 = ["blue", "green", "yellow", "purple", "pink", "cyan", "gray"];
+function normalizeColor2(input) {
+  if (input === null || input === undefined || input === "")
+    return null;
+  if (typeof input !== "string")
+    return null;
+  return ALLOWED_COLORS2.has(input) ? input : null;
+}
+async function pickFreeColor2() {
+  const list = await db.tags.findAll();
+  const used = new Set;
+  for (const t2 of list) {
+    if (t2.color)
+      used.add(t2.color);
+  }
+  for (const color of COLOR_PALETTE2) {
+    if (!used.has(color))
+      return color;
+  }
+  return COLOR_PALETTE2[list.length % COLOR_PALETTE2.length];
+}
+function normalizeName2(input) {
+  if (typeof input !== "string")
+    return "";
+  return input.trim();
+}
+var tagRoutes = new Elysia().get("/api/tags", async ({ headers, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const tags2 = await db.tags.findAll();
+  const pairs = await db.projectTags.listAllPairs();
+  const counts = new Map;
+  for (const p of pairs)
+    counts.set(p.tagId, (counts.get(p.tagId) ?? 0) + 1);
+  return tags2.map((t2) => ({ ...t2, projectCount: counts.get(t2.id) ?? 0 }));
+}).post("/api/tags", async ({ headers, body, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const name = normalizeName2(body.name);
+  if (!name) {
+    set3.status = 400;
+    return { error: "标签名不能为空" };
+  }
+  if (name.length > 30) {
+    set3.status = 400;
+    return { error: "标签名过长（最多 30 字符）" };
+  }
+  const exist = await db.tags.findByName(name);
+  if (exist) {
+    set3.status = 409;
+    return { error: "标签名已存在", conflictTag: exist.name };
+  }
+  let color = normalizeColor2(body.color);
+  if (!color)
+    color = await pickFreeColor2();
+  const sortOrder = typeof body.sortOrder === "number" ? body.sortOrder : 0;
+  const created = await db.tags.create({ name, color, sortOrder });
+  await writeAudit({ headers }, {
+    action: "tag.create",
+    targetType: "tag",
+    targetId: created.id,
+    targetName: created.name,
+    before: null,
+    after: sanitize2(created),
+    summary: `创建标签 ${created.name}`
+  });
+  return { success: true, tag: created };
+}, {
+  body: t.Object({
+    name: t.String(),
+    color: t.Optional(t.Union([t.String(), t.Null()])),
+    sortOrder: t.Optional(t.Number())
+  })
+}).put("/api/tags/:id", async ({ headers, params, body, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const before = await db.tags.findById(params.id);
+  if (!before) {
+    set3.status = 404;
+    return { error: "Tag not found" };
+  }
+  const patch = {};
+  if (body.name !== undefined) {
+    const name = normalizeName2(body.name);
+    if (!name) {
+      set3.status = 400;
+      return { error: "标签名不能为空" };
+    }
+    if (name.length > 30) {
+      set3.status = 400;
+      return { error: "标签名过长（最多 30 字符）" };
+    }
+    if (name !== before.name) {
+      const conflict = await db.tags.findByName(name);
+      if (conflict && conflict.id !== params.id) {
+        set3.status = 409;
+        return { error: "标签名已存在", conflictTag: conflict.name };
+      }
+    }
+    patch.name = name;
+  }
+  if (body.color !== undefined)
+    patch.color = normalizeColor2(body.color);
+  if (body.sortOrder !== undefined && typeof body.sortOrder === "number") {
+    patch.sortOrder = body.sortOrder;
+  }
+  const after = await db.tags.update(params.id, patch);
+  if (!after) {
+    set3.status = 404;
+    return { error: "Tag not found" };
+  }
+  const diff = diffFields(before, after, Object.keys(patch));
+  if (Object.keys(diff.after).length > 0) {
+    await writeAudit({ headers }, {
+      action: "tag.update",
+      targetType: "tag",
+      targetId: params.id,
+      targetName: after.name,
+      before: diff.before,
+      after: diff.after,
+      summary: `更新标签配置：${Object.keys(diff.after).join(", ")}`
+    });
+  }
+  return { success: true, tag: after };
+}, {
+  body: t.Object({
+    name: t.Optional(t.String()),
+    color: t.Optional(t.Union([t.String(), t.Null()])),
+    sortOrder: t.Optional(t.Number())
+  })
+}).delete("/api/tags/:id", async ({ headers, params, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const before = await db.tags.findById(params.id);
+  if (!before) {
+    set3.status = 404;
+    return { error: "Tag not found" };
+  }
+  const projectCount = await db.tags.countProjects(params.id);
+  const success = await db.tags.remove(params.id);
+  if (!success) {
+    set3.status = 404;
+    return { error: "Tag not found" };
+  }
+  await writeAudit({ headers }, {
+    action: "tag.delete",
+    targetType: "tag",
+    targetId: before.id,
+    targetName: before.name,
+    before: { ...sanitize2(before), projectCount },
+    after: null,
+    summary: `删除标签 ${before.name}（解除 ${projectCount} 个项目关联）`
+  });
+  return { success: true, detachedProjects: projectCount };
+});
+
+// src/routes/terminal.ts
+init_dist3();
+
+// src/lib/ip-allowlist.ts
+function normalizeIp(ip) {
+  if (!ip)
+    return "";
+  let s = ip.trim();
+  if (s.startsWith("[") && s.endsWith("]"))
+    s = s.slice(1, -1);
+  const pct = s.indexOf("%");
+  if (pct >= 0)
+    s = s.slice(0, pct);
+  const v4mapped = s.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i);
+  if (v4mapped)
+    return v4mapped[1];
+  if (s === "::1")
+    return "::1";
+  return s.toLowerCase();
+}
+function isIPv4(s) {
+  const m = s.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+  if (!m)
+    return false;
+  for (let i = 1;i <= 4; i++) {
+    const n = Number(m[i]);
+    if (!Number.isInteger(n) || n < 0 || n > 255)
+      return false;
+  }
+  return true;
+}
+function ipv4ToInt(s) {
+  const parts = s.split(".").map((p) => Number(p));
+  return (parts[0] << 24 | parts[1] << 16 | parts[2] << 8 | parts[3]) >>> 0;
+}
+function isIPv6(s) {
+  return s.includes(":") && /^[0-9a-fA-F:]+$/.test(s);
+}
+function expandIPv6(s) {
+  if (s === "::")
+    return 0n;
+  const dq = s.indexOf("::");
+  let head;
+  let tail;
+  if (dq >= 0) {
+    head = s.slice(0, dq) ? s.slice(0, dq).split(":") : [];
+    tail = s.slice(dq + 2) ? s.slice(dq + 2).split(":") : [];
+  } else {
+    head = s.split(":");
+    tail = [];
+  }
+  const last = tail.length ? tail[tail.length - 1] : head.length ? head[head.length - 1] : "";
+  if (last && last.includes(".")) {
+    if (!isIPv4(last))
+      return null;
+    const v4 = ipv4ToInt(last);
+    const hi = v4 >>> 16 & 65535;
+    const lo = v4 & 65535;
+    if (tail.length) {
+      tail = tail.slice(0, -1).concat(hi.toString(16), lo.toString(16));
+    } else {
+      head = head.slice(0, -1).concat(hi.toString(16), lo.toString(16));
+    }
+  }
+  const totalGroups = head.length + tail.length;
+  if (totalGroups > 8)
+    return null;
+  if (dq < 0 && totalGroups !== 8)
+    return null;
+  const fill = 8 - totalGroups;
+  const groups = [...head, ...Array.from({ length: fill }, () => "0"), ...tail];
+  if (groups.length !== 8)
+    return null;
+  let result = 0n;
+  for (const g of groups) {
+    if (g.length === 0 || g.length > 4)
+      return null;
+    if (!/^[0-9a-fA-F]+$/.test(g))
+      return null;
+    result = result << 16n | BigInt(parseInt(g, 16));
+  }
+  return result;
+}
+function parseAllowlistEntry(raw) {
+  const trimmed = raw.trim();
+  if (!trimmed)
+    return null;
+  const slash = trimmed.indexOf("/");
+  let host = trimmed;
+  let prefix = null;
+  if (slash >= 0) {
+    host = trimmed.slice(0, slash);
+    const p = Number(trimmed.slice(slash + 1));
+    if (!Number.isInteger(p) || p < 0)
+      return null;
+    prefix = p;
+  }
+  const norm = normalizeIp(host);
+  if (isIPv4(norm)) {
+    if (prefix === null)
+      prefix = 32;
+    if (prefix > 32)
+      return null;
+    const ipInt = BigInt(ipv4ToInt(norm));
+    const mask = prefix === 0 ? 0n : 0xffffffffn << BigInt(32 - prefix) & 0xffffffffn;
+    return { kind: "v4", base: ipInt & mask, mask, prefixLen: prefix, raw: trimmed };
+  }
+  if (isIPv6(norm)) {
+    if (prefix === null)
+      prefix = 128;
+    if (prefix > 128)
+      return null;
+    const ipInt = expandIPv6(norm);
+    if (ipInt === null)
+      return null;
+    const full = (1n << 128n) - 1n;
+    const mask = prefix === 0 ? 0n : full << BigInt(128 - prefix) & full;
+    return { kind: "v6", base: ipInt & mask, mask, prefixLen: prefix, raw: trimmed };
+  }
+  return null;
+}
+function parseAllowlist(entries) {
+  const parsed = [];
+  const invalid = [];
+  if (!Array.isArray(entries))
+    return { parsed, invalid };
+  for (const raw of entries) {
+    if (typeof raw !== "string")
+      continue;
+    const trimmed = raw.trim();
+    if (!trimmed)
+      continue;
+    const p = parseAllowlistEntry(trimmed);
+    if (p)
+      parsed.push(p);
+    else
+      invalid.push(trimmed);
+  }
+  return { parsed, invalid };
+}
+function ipMatchesEntry(ip, entry) {
+  const norm = normalizeIp(ip);
+  if (entry.kind === "v4") {
+    if (!isIPv4(norm))
+      return false;
+    const ipInt2 = BigInt(ipv4ToInt(norm));
+    return (ipInt2 & entry.mask) === entry.base;
+  }
+  if (!isIPv6(norm))
+    return false;
+  const ipInt = expandIPv6(norm);
+  if (ipInt === null)
+    return false;
+  return (ipInt & entry.mask) === entry.base;
+}
+function ipAllowed(ip, allowlist) {
+  if (!allowlist || allowlist.length === 0)
+    return true;
+  const { parsed } = parseAllowlist(allowlist);
+  if (parsed.length === 0)
+    return true;
+  for (const entry of parsed) {
+    if (ipMatchesEntry(ip, entry))
+      return true;
+  }
+  return false;
+}
+
+// src/lib/client-ip.ts
+function headerString(value2) {
+  if (Array.isArray(value2))
+    return value2[0];
+  return value2;
+}
+function resolveClientIp(input) {
+  const socketIp = normalizeIp(input.socketRemoteAddress || "");
+  const headers = input.headers || {};
+  const xff = headerString(headers["x-forwarded-for"]) || headerString(headers["X-Forwarded-For"]);
+  const realIp = headerString(headers["x-real-ip"]) || headerString(headers["X-Real-IP"]);
+  let forwardedIp = null;
+  if (typeof xff === "string" && xff.length > 0) {
+    forwardedIp = normalizeIp(xff.split(",")[0].trim());
+  } else if (typeof realIp === "string" && realIp.length > 0) {
+    forwardedIp = normalizeIp(realIp.trim());
+  }
+  return {
+    socketIp,
+    forwardedIp,
+    trusted: socketIp || forwardedIp || ""
+  };
+}
+
+// src/lib/terminal.ts
+import os8 from "node:os";
+import fs12 from "node:fs";
+import path15 from "node:path";
+import { randomUUID as randomUUID3 } from "node:crypto";
+var termLog = moduleLogger("terminal");
+var TERMINAL_LIMITS = {
+  maxSessionsPerIp: 4,
+  maxTotalSessions: 16,
+  maxLifetimeMs: 2 * 60 * 60 * 1000,
+  idleTimeoutMs: 15 * 60 * 1000
+};
+var loadPromise = null;
+function isPlatformSupported() {
+  return process.platform === "darwin" || process.platform === "linux";
+}
+function isBunRuntime() {
+  return typeof globalThis.Bun !== "undefined" && typeof globalThis.Bun?.spawn === "function";
+}
+async function loadPty() {
+  if (!isPlatformSupported()) {
+    return { available: false, error: `当前平台不支持终端能力：${process.platform}` };
+  }
+  if (loadPromise)
+    return loadPromise;
+  loadPromise = (async () => {
+    if (isBunRuntime()) {
+      return { available: true, driver: "bun" };
+    }
+    try {
+      const mod = await import("node-pty");
+      const spawn3 = mod?.spawn || mod?.default?.spawn;
+      if (typeof spawn3 !== "function") {
+        return { available: false, error: "node-pty 加载成功但未导出 spawn 函数" };
+      }
+      return { available: true, driver: "node-pty", ptyMod: mod };
+    } catch (err) {
+      const msg = err?.message || String(err);
+      termLog.warn({ err: msg }, "加载 node-pty 失败，终端能力将不可用");
+      return { available: false, error: msg };
+    }
+  })();
+  return loadPromise;
+}
+var sessions = new Map;
+var sessionsByIp = new Map;
+function listSessionsCounts() {
+  const perIp = {};
+  for (const [ip, ids] of sessionsByIp)
+    perIp[ip] = ids.size;
+  return { total: sessions.size, perIp };
+}
+function defaultShell() {
+  if (process.platform === "darwin" || process.platform === "linux") {
+    return process.env.SHELL || "/bin/bash";
+  }
+  return process.env.SHELL || "/bin/sh";
+}
+function resolveCwd(candidate) {
+  const home = os8.homedir();
+  if (!candidate || typeof candidate !== "string")
+    return home;
+  try {
+    const resolved = path15.resolve(candidate);
+    const stat2 = fs12.statSync(resolved);
+    if (stat2.isDirectory())
+      return resolved;
+  } catch {}
+  return home;
+}
+function clampCols(c) {
+  return Math.max(2, Math.min(500, Math.floor(c) || 80));
+}
+function clampRows(r) {
+  return Math.max(2, Math.min(200, Math.floor(r) || 24));
+}
+function attachToBookkeeping(session, ip) {
+  sessions.set(session.id, session);
+  const bucket = sessionsByIp.get(ip);
+  if (!bucket)
+    sessionsByIp.set(ip, new Set([session.id]));
+  else
+    bucket.add(session.id);
+}
+function detachFromBookkeeping(session, ip) {
+  sessions.delete(session.id);
+  const bucket = sessionsByIp.get(ip);
+  if (bucket) {
+    bucket.delete(session.id);
+    if (bucket.size === 0)
+      sessionsByIp.delete(ip);
+  }
+}
+function makeSessionShell(params) {
+  const dataListeners = new Set;
+  const exitListeners = new Set;
+  const session = {
+    id: params.id,
+    pid: params.pid,
+    cwd: params.cwd,
+    shell: params.shell,
+    createdAt: Date.now(),
+    ip: params.ip,
+    dataListeners,
+    exitListeners,
+    lastActiveAt: Date.now(),
+    pendingChunks: [],
+    pendingExit: null,
+    lifetimeTimer: undefined,
+    idleTimer: undefined,
+    _killImpl: () => {},
+    _writeImpl: () => {},
+    _resizeImpl: () => {},
+    write(data) {
+      session.touch();
+      try {
+        session._writeImpl(data);
+      } catch {}
+    },
+    resize(c, r) {
+      session.touch();
+      try {
+        session._resizeImpl(clampCols(c), clampRows(r));
+      } catch {}
+    },
+    kill(signal) {
+      try {
+        session._killImpl(signal || "SIGTERM");
+      } catch {}
+    },
+    onData(listener) {
+      dataListeners.add(listener);
+      if (session.pendingChunks.length > 0) {
+        const buffered = session.pendingChunks.splice(0);
+        for (const chunk of buffered) {
+          try {
+            listener(chunk);
+          } catch {}
+        }
+      }
+    },
+    onExit(listener) {
+      exitListeners.add(listener);
+      if (session.pendingExit) {
+        const evt = session.pendingExit;
+        try {
+          listener(evt);
+        } catch {}
+      }
+    },
+    touch() {
+      session.lastActiveAt = Date.now();
+      if (session.idleTimer)
+        clearTimeout(session.idleTimer);
+      session.idleTimer = setTimeout(() => {
+        termLog.warn({ id: session.id, pid: session.pid }, "pty session idle timeout, killing");
+        try {
+          session.kill("SIGTERM");
+        } catch {}
+      }, TERMINAL_LIMITS.idleTimeoutMs);
+    }
+  };
+  return session;
+}
+function emitData(session, chunk) {
+  session.touch();
+  if (session.dataListeners.size === 0) {
+    session.pendingChunks.push(chunk);
+    if (session.pendingChunks.length > 256) {
+      session.pendingChunks.splice(0, session.pendingChunks.length - 256);
+    }
+    return;
+  }
+  for (const l of session.dataListeners) {
+    try {
+      l(chunk);
+    } catch {}
+  }
+}
+function emitExit(session, ip, evt) {
+  if (session.lifetimeTimer)
+    clearTimeout(session.lifetimeTimer);
+  if (session.idleTimer)
+    clearTimeout(session.idleTimer);
+  detachFromBookkeeping(session, ip);
+  if (session.exitListeners.size === 0) {
+    session.pendingExit = evt;
+    return;
+  }
+  for (const l of session.exitListeners) {
+    try {
+      l(evt);
+    } catch {}
+  }
+  session.dataListeners.clear();
+  session.exitListeners.clear();
+}
+async function spawnTerminalSession(params) {
+  const load = await loadPty();
+  if (!load.available) {
+    return { ok: false, reason: "unavailable", message: load.error || "终端能力不可用" };
+  }
+  if (sessions.size >= TERMINAL_LIMITS.maxTotalSessions) {
+    return { ok: false, reason: "limit-total", message: `已达到全局并发上限 (${TERMINAL_LIMITS.maxTotalSessions})` };
+  }
+  const ipBucket = sessionsByIp.get(params.ip);
+  if (ipBucket && ipBucket.size >= TERMINAL_LIMITS.maxSessionsPerIp) {
+    return { ok: false, reason: "limit-per-ip", message: `单 IP 并发上限 (${TERMINAL_LIMITS.maxSessionsPerIp})` };
+  }
+  const shell = defaultShell();
+  const cwd = resolveCwd(params.cwd);
+  const cols = clampCols(params.cols);
+  const rows = clampRows(params.rows);
+  const env3 = {
+    ...process.env,
+    TERM: process.env.TERM || "xterm-256color",
+    LANG: process.env.LANG || "en_US.UTF-8",
+    KITE_TERMINAL: "1"
+  };
+  delete env3.ADMIN_TOKEN;
+  const id = "term_" + randomUUID3().replace(/-/g, "").slice(0, 16);
+  if (load.driver === "bun") {
+    return spawnViaBun({ id, shell, cwd, cols, rows, env: env3, ip: params.ip });
+  }
+  return spawnViaNodePty({ id, shell, cwd, cols, rows, env: env3, ip: params.ip, ptyMod: load.ptyMod });
+}
+function spawnViaNodePty(opts) {
+  let pty;
+  try {
+    pty = opts.ptyMod.spawn(opts.shell, [], {
+      name: opts.env.TERM,
+      cols: opts.cols,
+      rows: opts.rows,
+      cwd: opts.cwd,
+      env: opts.env
+    });
+  } catch (err) {
+    termLog.error({ err: err?.message || String(err) }, "spawn pty failed (node-pty)");
+    return { ok: false, reason: "spawn-error", message: err?.message || "spawn pty failed" };
+  }
+  const session = makeSessionShell({
+    id: opts.id,
+    pid: pty.pid,
+    cwd: opts.cwd,
+    shell: opts.shell,
+    ip: opts.ip
+  });
+  session._writeImpl = (data) => pty.write(data);
+  session._resizeImpl = (c, r) => pty.resize(c, r);
+  session._killImpl = (sig) => pty.kill(sig || "SIGTERM");
+  session.lifetimeTimer = setTimeout(() => {
+    termLog.warn({ id: opts.id, pid: pty.pid }, "pty session exceeded max lifetime, killing");
+    try {
+      pty.kill("SIGTERM");
+    } catch {}
+  }, TERMINAL_LIMITS.maxLifetimeMs);
+  session.idleTimer = setTimeout(() => {
+    termLog.warn({ id: opts.id, pid: pty.pid }, "pty session idle timeout, killing");
+    try {
+      pty.kill("SIGTERM");
+    } catch {}
+  }, TERMINAL_LIMITS.idleTimeoutMs);
+  attachToBookkeeping(session, opts.ip);
+  pty.onData((chunk) => emitData(session, chunk));
+  pty.onExit((evt) => emitExit(session, opts.ip, { exitCode: evt.exitCode ?? 0, signal: evt.signal }));
+  termLog.info({ id: opts.id, pid: pty.pid, cwd: opts.cwd, shell: opts.shell, ip: opts.ip, driver: "node-pty" }, "pty session started");
+  return { ok: true, handle: session };
+}
+function spawnViaBun(opts) {
+  const Bun2 = globalThis.Bun;
+  if (!Bun2 || typeof Bun2.spawn !== "function") {
+    return { ok: false, reason: "spawn-error", message: "Bun.spawn 不可用" };
+  }
+  const session = makeSessionShell({
+    id: opts.id,
+    pid: 0,
+    cwd: opts.cwd,
+    shell: opts.shell,
+    ip: opts.ip
+  });
+  let proc;
+  try {
+    proc = Bun2.spawn([opts.shell], {
+      cwd: opts.cwd,
+      env: opts.env,
+      terminal: {
+        cols: opts.cols,
+        rows: opts.rows,
+        data(_terminal, data) {
+          let str;
+          if (typeof data === "string")
+            str = data;
+          else if (data instanceof Uint8Array)
+            str = new TextDecoder("utf-8").decode(data);
+          else if (data?.toString)
+            str = data.toString();
+          else
+            str = "";
+          if (str)
+            emitData(session, str);
+        },
+        exit(_terminal, exitCode) {
+          emitExit(session, opts.ip, { exitCode: exitCode ?? 0 });
+        }
+      }
+    });
+  } catch (err) {
+    termLog.error({ err: err?.message || String(err) }, "spawn pty failed (bun)");
+    return { ok: false, reason: "spawn-error", message: err?.message || "spawn pty failed" };
+  }
+  const terminal = proc?.terminal;
+  if (!terminal) {
+    try {
+      proc?.kill?.("SIGTERM");
+    } catch {}
+    return { ok: false, reason: "spawn-error", message: "Bun.spawn 未返回 terminal 句柄（请升级到 Bun ≥ 1.3）" };
+  }
+  session.pid = proc.pid || 0;
+  session._writeImpl = (data) => terminal.write(data);
+  session._resizeImpl = (c, r) => {
+    try {
+      terminal.resize(c, r);
+    } catch {}
+  };
+  session._killImpl = (sig) => {
+    try {
+      proc.kill?.(sig || "SIGTERM");
+    } catch {}
+    try {
+      terminal.close?.();
+    } catch {}
+  };
+  session.lifetimeTimer = setTimeout(() => {
+    termLog.warn({ id: opts.id, pid: session.pid }, "pty session exceeded max lifetime, killing");
+    try {
+      proc.kill?.("SIGTERM");
+    } catch {}
+  }, TERMINAL_LIMITS.maxLifetimeMs);
+  session.idleTimer = setTimeout(() => {
+    termLog.warn({ id: opts.id, pid: session.pid }, "pty session idle timeout, killing");
+    try {
+      proc.kill?.("SIGTERM");
+    } catch {}
+  }, TERMINAL_LIMITS.idleTimeoutMs);
+  attachToBookkeeping(session, opts.ip);
+  if (proc.exited && typeof proc.exited.then === "function") {
+    proc.exited.then((code) => {
+      if (!sessions.has(session.id))
+        return;
+      emitExit(session, opts.ip, { exitCode: typeof code === "number" ? code : 0 });
+    }).catch(() => {
+      if (!sessions.has(session.id))
+        return;
+      emitExit(session, opts.ip, { exitCode: 1 });
+    });
+  }
+  termLog.info({ id: opts.id, pid: session.pid, cwd: opts.cwd, shell: opts.shell, ip: opts.ip, driver: "bun" }, "pty session started");
+  return { ok: true, handle: session };
+}
+function shutdownAllSessions(reason = "shutdown") {
+  for (const s of sessions.values()) {
+    try {
+      s.kill("SIGTERM");
+    } catch {}
+  }
+  termLog.info({ count: sessions.size, reason }, "killed all pty sessions");
+}
+
+// src/routes/terminal.ts
+import os9 from "node:os";
+var termLog2 = moduleLogger("terminal-route");
+var TERMINAL_ALLOWLIST_KEY = "terminal.ipAllowlist";
+var TERMINAL_SUBPROTOCOL = "kite-admin-token";
+async function loadTerminalAllowlist() {
+  try {
+    const raw = await db.settings.get(TERMINAL_ALLOWLIST_KEY);
+    if (!raw)
+      return [];
+    const v = JSON.parse(raw);
+    if (Array.isArray(v))
+      return v.map((x) => String(x)).filter(Boolean);
+    return [];
+  } catch {
+    return [];
+  }
+}
+async function saveTerminalAllowlist(entries) {
+  await db.settings.set(TERMINAL_ALLOWLIST_KEY, JSON.stringify(entries));
+}
+var terminalRoutes = new Elysia().get("/api/terminal/whoami", ({ request, headers, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const sockRemote = request?.socket?.remoteAddress || headers["x-kite-socket-ip"] || null;
+  const info = resolveClientIp({
+    socketRemoteAddress: sockRemote || undefined,
+    headers
+  });
+  return {
+    socketIp: info.socketIp || null,
+    forwardedIp: info.forwardedIp,
+    trustedIp: info.trusted || null
+  };
+}).get("/api/terminal/info", async ({ headers, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const platformOk = isPlatformSupported();
+  const load = platformOk ? await loadPty() : { available: false, error: `当前平台不支持终端能力：${process.platform}` };
+  const allowlist = await loadTerminalAllowlist();
+  const counts = listSessionsCounts();
+  return {
+    available: load.available,
+    reason: load.available ? null : load.error || "unknown",
+    shell: defaultShell(),
+    platform: process.platform,
+    defaultCwd: os9.homedir(),
+    limits: TERMINAL_LIMITS,
+    sessions: counts,
+    allowlist,
+    allowlistEnabled: allowlist.length > 0
+  };
+}).get("/api/terminal/allowlist", async ({ headers, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const allowlist = await loadTerminalAllowlist();
+  const { invalid } = parseAllowlist(allowlist);
+  return { entries: allowlist, invalid };
+}).put("/api/terminal/allowlist", async ({ headers, body, set: set3 }) => {
+  if (!verifyAdminToken(headers)) {
+    set3.status = 401;
+    return { error: "Unauthorized" };
+  }
+  const input = body?.entries;
+  if (!Array.isArray(input)) {
+    set3.status = 400;
+    return { error: "entries 必须是字符串数组" };
+  }
+  const normalized = [];
+  const invalid = [];
+  for (const raw of input) {
+    if (typeof raw !== "string")
+      continue;
+    const trimmed = raw.trim();
+    if (!trimmed)
+      continue;
+    const { parsed } = parseAllowlist([trimmed]);
+    if (parsed.length === 1)
+      normalized.push(trimmed);
+    else
+      invalid.push(trimmed);
+  }
+  if (invalid.length > 0) {
+    set3.status = 400;
+    return { error: `存在无效的 IP / CIDR：${invalid.join(", ")}` };
+  }
+  const before = await loadTerminalAllowlist();
+  await saveTerminalAllowlist(normalized);
+  await writeAudit({ headers }, {
+    action: "terminal.allowlist.update",
+    targetType: "settings",
+    before: { entries: before },
+    after: { entries: normalized },
+    summary: `更新终端 IP 白名单（${normalized.length} 条）`
+  });
+  return { success: true, entries: normalized };
+});
+function parseSubprotocols(headerValue) {
+  if (!headerValue)
+    return [];
+  const raw = Array.isArray(headerValue) ? headerValue.join(",") : headerValue;
+  return raw.split(",").map((s) => s.trim()).filter(Boolean);
+}
+async function decideTerminalUpgrade(ctx) {
+  if (!ctx.url.pathname.startsWith("/api/terminal/ws")) {
+    return { ok: false, status: 404, reason: "not-terminal-route" };
+  }
+  const allowlist = await loadTerminalAllowlist();
+  if (allowlist.length > 0 && ctx.origin && ctx.expectedOrigin) {
+    try {
+      const a = new URL(ctx.origin);
+      const b = new URL(ctx.expectedOrigin);
+      if (a.host !== b.host) {
+        const isLocalDev = /(^|:)(localhost|127\.0\.0\.1)(:|$)/.test(a.host) && /(^|:)(localhost|127\.0\.0\.1)(:|$)/.test(b.host);
+        if (!isLocalDev)
+          return { ok: false, status: 403, reason: "origin-mismatch" };
+      }
+    } catch {
+      return { ok: false, status: 400, reason: "invalid-origin" };
+    }
+  }
+  const subs = parseSubprotocols(ctx.subprotocols.length ? ctx.subprotocols.join(", ") : ctx.headers["sec-websocket-protocol"]);
+  const protoIdx = subs.findIndex((s) => s === TERMINAL_SUBPROTOCOL);
+  if (protoIdx < 0 || protoIdx + 1 >= subs.length) {
+    return { ok: false, status: 401, reason: "missing-token-protocol" };
+  }
+  const token = subs[protoIdx + 1];
+  const ipInfo = resolveClientIp({
+    socketRemoteAddress: ctx.socketRemoteAddress || undefined,
+    headers: ctx.headers
+  });
+  const ip = ipInfo.socketIp || ipInfo.forwardedIp || "unknown";
+  const guard4 = await loginGuard(ip);
+  if (guard4.locked) {
+    return { ok: false, status: 429, reason: "rate-limited" };
+  }
+  const tokenValid = verifyAdminTokenValue(token) && safeEqual(token, process.env.ADMIN_TOKEN || "");
+  if (!tokenValid) {
+    loginFailure(ip);
+    return { ok: false, status: 401, reason: "invalid-token" };
+  }
+  loginSuccess(ip);
+  if (allowlist.length > 0 && !ipAllowed(ip, allowlist)) {
+    await writeAudit({ headers: ctx.headers }, {
+      action: "terminal.denied",
+      targetType: "terminal",
+      summary: `终端访问被 IP 白名单拒绝：${ip}`,
+      status: "failed",
+      errorMessage: `IP ${ip} 不在白名单中`
+    });
+    termLog2.warn({ ip }, "terminal connection rejected by allowlist");
+    return { ok: false, status: 403, reason: "ip-not-allowed" };
+  }
+  const projectId = ctx.url.searchParams.get("projectId");
+  let cwd = os9.homedir();
+  if (projectId) {
+    const proj = await db.projects.findById(projectId);
+    if (proj && proj.deployPath) {
+      cwd = resolveCwd(proj.deployPath);
+    }
+  } else {
+    const cwdParam = ctx.url.searchParams.get("cwd");
+    if (cwdParam)
+      cwd = resolveCwd(cwdParam);
+  }
+  const cols = Number(ctx.url.searchParams.get("cols")) || 80;
+  const rows = Number(ctx.url.searchParams.get("rows")) || 24;
+  return {
+    ok: true,
+    status: 101,
+    selectedProtocol: TERMINAL_SUBPROTOCOL,
+    token,
+    ip,
+    cwd,
+    projectId: projectId || null,
+    cols,
+    rows
+  };
+}
+var OPEN = 1;
+function safeJsonParse(value2) {
+  try {
+    return JSON.parse(value2);
+  } catch {
+    return null;
+  }
+}
+async function attachTerminalSocket(params) {
+  const startedAt = Date.now();
+  let handle = null;
+  let exitedCode = null;
+  const sendJson = (obj) => {
+    try {
+      if (params.socket.readyState === OPEN)
+        params.socket.send(JSON.stringify(obj));
+    } catch {}
+  };
+  const spawnResult = await spawnTerminalSession({
+    cwd: params.cwd,
+    cols: params.cols,
+    rows: params.rows,
+    ip: params.ip
+  });
+  if (!spawnResult.ok || !spawnResult.handle) {
+    sendJson({ type: "error", reason: spawnResult.reason, message: spawnResult.message });
+    try {
+      params.socket.close(4000, spawnResult.message || "spawn failed");
+    } catch {}
+    return;
+  }
+  handle = spawnResult.handle;
+  handle.onData((chunk) => {
+    if (params.socket.readyState !== OPEN)
+      return;
+    try {
+      params.socket.send(JSON.stringify({ type: "data", data: chunk }));
+    } catch {}
+  });
+  handle.onExit((info) => {
+    exitedCode = info.exitCode ?? 0;
+    sendJson({ type: "exit", exitCode: info.exitCode, signal: info.signal ?? null });
+    try {
+      params.socket.close(1000, "pty exited");
+    } catch {}
+  });
+  sendJson({
+    type: "ready",
+    sessionId: handle.id,
+    pid: handle.pid,
+    shell: handle.shell,
+    cwd: handle.cwd,
+    projectId: params.projectId
+  });
+  writeAudit({ headers: params.headers }, {
+    action: "terminal.open",
+    targetType: "terminal",
+    targetId: handle.id,
+    targetName: params.projectId ? `project:${params.projectId}` : "global",
+    summary: `打开终端 cwd=${handle.cwd} pid=${handle.pid}`
+  });
+  params.socket.on("message", (data, isBinary) => {
+    if (!handle)
+      return;
+    let raw;
+    if (typeof data === "string")
+      raw = data;
+    else if (data instanceof Buffer)
+      raw = data.toString("utf8");
+    else if (data?.toString)
+      raw = data.toString();
+    else
+      raw = "";
+    if (isBinary === false || typeof data === "string") {
+      const msg = safeJsonParse(raw);
+      if (!msg || typeof msg !== "object")
+        return;
+      if (msg.type === "input" && typeof msg.data === "string") {
+        handle.write(msg.data);
+      } else if (msg.type === "resize") {
+        const c = Number(msg.cols) || 80;
+        const r = Number(msg.rows) || 24;
+        handle.resize(c, r);
+      } else if (msg.type === "ping") {
+        sendJson({ type: "pong", ts: Date.now() });
+      }
+    }
+  });
+  const cleanup = async () => {
+    if (handle) {
+      const id = handle.id;
+      const pid = handle.pid;
+      try {
+        handle.kill("SIGHUP");
+      } catch {}
+      handle = null;
+      await writeAudit({ headers: params.headers }, {
+        action: "terminal.close",
+        targetType: "terminal",
+        targetId: id,
+        summary: `关闭终端 pid=${pid} durationMs=${Date.now() - startedAt} exitCode=${exitedCode ?? "n/a"}`
+      });
+    }
+  };
+  params.socket.on("close", () => {
+    cleanup();
+  });
+  params.socket.on("error", (err) => {
+    termLog2.warn({ err: err?.message }, "terminal socket error");
+    cleanup();
+  });
+}
+
+// src/static.ts
+init_dist3();
+import path16 from "node:path";
+var MIME_TYPES = {
+  ".html": "text/html; charset=utf-8",
+  ".css": "text/css; charset=utf-8",
+  ".js": "application/javascript; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".svg": "image/svg+xml",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".ico": "image/x-icon",
+  ".woff": "font/woff",
+  ".woff2": "font/woff2",
+  ".ttf": "font/ttf",
+  ".eot": "application/vnd.ms-fontobject",
+  ".map": "application/json",
+  ".txt": "text/plain; charset=utf-8",
+  ".xml": "application/xml"
+};
+function getMimeType(filePath) {
+  const ext2 = path16.extname(filePath).toLowerCase();
+  return MIME_TYPES[ext2] || "application/octet-stream";
+}
+var staticPlugin = new Elysia().get("/*", async ({ request, set: set3 }) => {
+  const webDir = process.env.KITE_WEB_DIR;
+  const url = new URL(request.url);
+  let pathname = url.pathname;
+  if (!webDir) {
+    if (pathname === "/")
+      return "Deploy Server is running!";
+    set3.status = 404;
+    return { error: "Web console not available" };
+  }
+  const filePath = path16.resolve(webDir, "." + pathname);
+  if (!filePath.startsWith(path16.resolve(webDir))) {
+    set3.status = 403;
+    return { error: "Access denied" };
+  }
+  const { stat: stat2, access } = await import("node:fs/promises");
+  try {
+    const fileStat = await stat2(filePath);
+    if (fileStat.isFile()) {
+      const buffer = await readFileBuffer(filePath);
+      set3.headers["Content-Type"] = getMimeType(filePath);
+      set3.headers["Cache-Control"] = pathname.startsWith("/assets/") ? "public, max-age=31536000, immutable" : "no-cache";
+      return new Response(buffer);
+    }
   } catch {}
-  const indexPath = path12.resolve(webDir, "index.html");
+  const indexPath = path16.resolve(webDir, "index.html");
   try {
     await access(indexPath);
     const buffer = await readFileBuffer(indexPath);
@@ -38907,7 +41528,7 @@ var staticPlugin = new Elysia().get("/*", async ({ request, set: set3 }) => {
 });
 
 // src/index.ts
-import { randomUUID as randomUUID3 } from "node:crypto";
+import { randomUUID as randomUUID4 } from "node:crypto";
 import http from "node:http";
 await ensureDbReady();
 var port = Number(process.env.PORT) || 5430;
@@ -38921,8 +41542,60 @@ if (!isBun3) {
   adapter = node2();
 }
 var httpLog = moduleLogger("http");
-var app = new Elysia({ adapter }).derive({ as: "global" }, ({ request, headers, set: set3 }) => {
-  const traceId = pickTraceId(headers) || randomUUID3();
+var wsLog = moduleLogger("ws");
+async function buildTerminalWss() {
+  try {
+    const { WebSocketServer } = await import("ws");
+    return new WebSocketServer({ noServer: true });
+  } catch (err) {
+    wsLog.warn({ err: err?.message }, "加载 ws 包失败，终端 WebSocket 将不可用");
+    return null;
+  }
+}
+var terminalWss = await buildTerminalWss();
+function headersFromIncoming(req) {
+  return req.headers;
+}
+async function handleTerminalUpgrade(req, socket, head, expectedOrigin) {
+  if (!terminalWss) {
+    socket.destroy();
+    return;
+  }
+  const url = new URL(req.url || "/", `http://${req.headers.host || expectedOrigin}`);
+  const subs = req.headers["sec-websocket-protocol"]?.split(",").map((s) => s.trim()).filter(Boolean) || [];
+  const decision = await decideTerminalUpgrade({
+    url,
+    headers: headersFromIncoming(req),
+    socketRemoteAddress: req.socket?.remoteAddress || null,
+    origin: req.headers.origin || null,
+    expectedOrigin,
+    subprotocols: subs
+  });
+  if (!decision.ok) {
+    const status2 = decision.status || 400;
+    const reason = decision.reason || "rejected";
+    wsLog.warn({ status: status2, reason, path: url.pathname }, "terminal upgrade rejected");
+    socket.write(`HTTP/1.1 ${status2} ${reason}\r
+Content-Length: 0\r
+\r
+`);
+    socket.destroy();
+    return;
+  }
+  terminalWss.handleUpgrade(req, socket, head, (ws) => {
+    attachTerminalSocket({
+      socket: ws,
+      ip: decision.ip,
+      cwd: decision.cwd,
+      projectId: decision.projectId ?? null,
+      cols: decision.cols,
+      rows: decision.rows,
+      headers: headersFromIncoming(req)
+    });
+  });
+}
+var app = new Elysia({ adapter }).derive({ as: "global" }, ({ request: _request, headers, set: set3 }) => {
+  const traceId = pickTraceId(headers) || randomUUID4();
   set3.headers = { ...set3.headers || {}, "x-kite-trace-id": traceId };
   return { _start: performance.now(), traceId };
 }).onAfterHandle({ as: "global" }, ({ request, set: set3, _start, traceId }) => {
@@ -38931,54 +41604,71 @@ var app = new Elysia({ adapter }).derive({ as: "global" }, ({ request, headers,
   httpLog.info({ traceId, method: request.method, path: new URL(request.url).pathname, status: status2, ms }, `${request.method} ${new URL(request.url).pathname} ${status2} ${ms}ms`);
 }).onError({ as: "global" }, ({ request, error: error3, traceId }) => {
   httpLog.error({ traceId, method: request?.method, path: request ? new URL(request.url).pathname : undefined, err: { name: error3?.name, message: error3?.message, stack: error3?.stack } }, "request error");
-}).use(deployRoutes).use(settingsRoutes).use(migrationRoutes).use(auditRoutes).use(healthRoutes).use(diskRoutes).use(statsRoutes).use(fsRoutes).use(categoryRoutes).use(staticPlugin);
-if (isBun3) {
-  app.listen({ port, hostname: host });
-  rootLogger.info({ module: "boot", runtime: runtimeName, version: serverVersion2, host: app.server?.hostname, port: app.server?.port }, `Kite server listening on http://${app.server?.hostname}:${app.server?.port}`);
-} else {
-  const fetchHandler = app.fetch;
-  const server = http.createServer(async (req, res) => {
-    const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
-    const headers = new Headers;
-    for (const [key, value2] of Object.entries(req.headers)) {
-      if (value2) {
-        headers.set(key, Array.isArray(value2) ? value2.join(", ") : value2);
-      }
+}).use(deployRoutes).use(settingsRoutes).use(migrationRoutes).use(auditRoutes).use(healthRoutes).use(diskRoutes).use(statsRoutes).use(fsRoutes).use(categoryRoutes).use(logSourceRoutes).use(systemRoutes).use(pm2Routes).use(tagRoutes).use(terminalRoutes).use(staticPlugin);
+var fetchHandler = app.fetch;
+var server = http.createServer(async (req, res) => {
+  const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
+  const headers = new Headers;
+  for (const [key, value2] of Object.entries(req.headers)) {
+    if (value2) {
+      headers.set(key, Array.isArray(value2) ? value2.join(", ") : value2);
     }
-    const hasBody = req.method !== "GET" && req.method !== "HEAD";
-    const request = new Request(url.toString(), {
-      method: req.method,
-      headers,
-      body: hasBody ? new ReadableStream({
-        start(controller) {
-          req.on("data", (chunk) => controller.enqueue(new Uint8Array(chunk)));
-          req.on("end", () => controller.close());
-          req.on("error", (err) => controller.error(err));
-        }
-      }) : undefined,
-      duplex: hasBody ? "half" : undefined
-    });
-    const response = await fetchHandler(request);
-    res.writeHead(response.status, Object.fromEntries(response.headers));
-    if (response.body) {
-      const reader = response.body.getReader();
-      const pump = async () => {
-        const { done, value: value2 } = await reader.read();
-        if (done) {
-          res.end();
-          return;
-        }
-        res.write(value2);
-        await pump();
-      };
+  }
+  const hasBody = req.method !== "GET" && req.method !== "HEAD";
+  const request = new Request(url.toString(), {
+    method: req.method,
+    headers,
+    body: hasBody ? new ReadableStream({
+      start(controller) {
+        req.on("data", (chunk) => controller.enqueue(new Uint8Array(chunk)));
+        req.on("end", () => controller.close());
+        req.on("error", (err) => controller.error(err));
+      }
+    }) : undefined,
+    duplex: hasBody ? "half" : undefined
+  });
+  const response = await fetchHandler(request);
+  res.writeHead(response.status, Object.fromEntries(response.headers));
+  if (response.body) {
+    const reader = response.body.getReader();
+    const pump = async () => {
+      const { done, value: value2 } = await reader.read();
+      if (done) {
+        res.end();
+        return;
+      }
+      res.write(value2);
       await pump();
-    } else {
-      res.end();
+    };
+    await pump();
+  } else {
+    res.end();
+  }
+});
+if (terminalWss) {
+  server.on("upgrade", (req, socket, head) => {
+    const url = new URL(req.url || "/", `http://${req.headers.host || `${host}:${port}`}`);
+    if (!url.pathname.startsWith("/api/terminal/ws")) {
+      socket.destroy();
+      return;
     }
+    const reqHost = req.headers.host || `${host}:${port}`;
+    const expectedOrigin = `http://${reqHost}`;
+    handleTerminalUpgrade(req, socket, head, expectedOrigin);
   });
-  server.listen(port, host, () => {
-    rootLogger.info({ module: "boot", runtime: runtimeName, version: serverVersion2, host, port }, `Kite server listening on http://${host}:${port}`);
-  });
+} else {
+  rootLogger.warn({ module: "terminal" }, "ws 包不可用，终端 WebSocket 已关闭");
 }
+server.listen(port, host, () => {
+  rootLogger.info({ module: "boot", runtime: runtimeName, version: serverVersion2, host, port }, `Kite server listening on http://${host}:${port}`);
+});
 var adminTokenPreview = process.env.ADMIN_TOKEN ? `${process.env.ADMIN_TOKEN.slice(0, 4)}****${process.env.ADMIN_TOKEN.slice(-4)}` : "未设置 (请通过 .env.local 配置)";
 rootLogger.info({ module: "boot" }, `Admin token: ${adminTokenPreview}`);
+for (const sig of ["SIGINT", "SIGTERM"]) {
+  process.on(sig, () => {
+    try {
+      shutdownAllSessions(sig);
+    } catch {}
+    process.exit(0);
+  });
+}