@lelouchhe/webagent 0.1.0 → 0.1.3

package/README.md

@@ -1,5 +1,8 @@
 # WebAgent
 
+[![CI](https://github.com/LelouchHe/webagent/actions/workflows/ci.yml/badge.svg)](https://github.com/LelouchHe/webagent/actions/workflows/ci.yml)
+[![npm](https://img.shields.io/npm/v/@lelouchhe/webagent)](https://www.npmjs.com/package/@lelouchhe/webagent)
+
 A terminal-style web UI for ACP-compatible agents.
 
 Tech stack: Node.js + TypeScript (`--experimental-strip-types`), real-time WebSocket communication (`ws`), SQLite persistence (`better-sqlite3`), Zod validation.
@@ -42,7 +45,24 @@ Tech stack: Node.js + TypeScript (`--experimental-strip-types`), real-time WebSo
 ## Prerequisites
 
 - Node.js 22.6+ (requires `--experimental-strip-types`)
-- An ACP-compatible agent (e.g. [Copilot CLI](https://github.com/github/copilot-cli)) installed and authenticated
+- An ACP-compatible agent installed and authenticated
+
+### ACP-Compatible Agents
+
+WebAgent works with any agent that implements the [Agent Client Protocol](https://agentclientprotocol.com/). Some options:
+
+| Agent | Command | Notes |
+|---|---|---|
+| [Copilot CLI](https://github.com/github/copilot-cli) | `copilot --acp` | Default. GitHub's AI pair programmer |
+| [Claude Code](https://docs.anthropic.com/en/docs/agents/claude-code) | `claude --acp` | Anthropic's coding agent |
+| [Gemini CLI](https://github.com/google-gemini/gemini-cli) | `gemini --acp` | Google's Gemini models |
+| [OpenCode](https://opencode.ai/) | `opencode --acp` | Open-source, extensible |
+
+See the [ACP Registry](https://agentclientprotocol.com/get-started/agents) for the full list. To use a different agent, set `agent_cmd` in your config:
+
+```toml
+agent_cmd = "claude --acp"
+```
 
 ## Install
 

package/bin/webagent.mjs

@@ -5,15 +5,18 @@ import { fileURLToPath } from "node:url";
 import { dirname, join } from "node:path";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const server = join(__dirname, "..", "src", "server.ts");
+const server = join(__dirname, "..", "lib", "server.js");
 
 const child = spawn(
   process.execPath,
-  ["--experimental-strip-types", server, ...process.argv.slice(2)],
+  [server, ...process.argv.slice(2)],
   { stdio: "inherit" },
 );
 
-for (const sig of ["SIGINT", "SIGTERM", "SIGHUP"]) {
+const signals = process.platform === "win32"
+  ? ["SIGINT", "SIGTERM"]
+  : ["SIGINT", "SIGTERM", "SIGHUP"];
+for (const sig of signals) {
   process.on(sig, () => child.kill(sig));
 }
 

package/dist/index.html

@@ -13,7 +13,7 @@
 <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
 <script src="https://cdn.jsdelivr.net/npm/dompurify@3.3.2/dist/purify.min.js"></script>
 <script>document.documentElement.setAttribute('data-theme', localStorage.getItem('theme') || 'auto');</script>
-<link rel="stylesheet" href="/styles.mmjqzu9r.css">
+<link rel="stylesheet" href="/styles.mmjvjb37.css">
 </head>
 <body>
 
@@ -41,6 +41,6 @@
   <input type="file" id="file-input" accept="image/*" multiple hidden>
 </div>
 
-<script type="module" src="/js/app.mmjqzu9r.js"></script>
+<script type="module" src="/js/app.mmjvjb37.js"></script>
 </body>
 </html>

package/dist/js/app.mmjvjb37.js

@@ -0,0 +1,10 @@
+// Boot entry point — imports all modules and starts the app
+
+import './render.mmjvjb37.js';    // theme, click-to-collapse listeners
+import './commands.mmjvjb37.js';  // slash menu listeners
+import './images.mmjvjb37.js';    // attach/paste listeners
+import './input.mmjvjb37.js';     // keyboard/send listeners
+import { connect } from './connection.mmjvjb37.js';
+
+connect();
+if ('serviceWorker' in navigator) navigator.serviceWorker.register('/sw.js');

package/dist/js/{commands.mmjqzu9r.js → commands.mmjvjb37.js}

@@ -4,9 +4,9 @@ import {
   state, dom, setBusy, resetSessionUI, requestNewSession, sendCancel,
   getConfigOption, getConfigValue, setHashSessionId, updateSessionInfo,
   updateNewBtnVisibility,
-} from './state.mmjqzu9r.js';
-import { addSystem, addMessage, scrollToBottom, escHtml, formatLocalTime } from './render.mmjqzu9r.js';
-import { loadHistory } from './events.mmjqzu9r.js';
+} from './state.mmjvjb37.js';
+import { addSystem, addMessage, scrollToBottom, escHtml, formatLocalTime } from './render.mmjvjb37.js';
+import { loadHistory } from './events.mmjvjb37.js';
 
 // --- Slash command execution ---
 

package/dist/js/{connection.mmjqzu9r.js → connection.mmjvjb37.js}

@@ -1,8 +1,8 @@
 // WebSocket connection lifecycle
 
-import { state, setBusy, getHashSessionId, requestNewSession, resetSessionUI, setConnectionStatus, clearCancelTimer } from './state.mmjqzu9r.js';
-import { addSystem, finishThinking, finishAssistant, finishBash, scrollToBottom } from './render.mmjqzu9r.js';
-import { handleEvent, loadHistory, loadNewEvents } from './events.mmjqzu9r.js';
+import { state, setBusy, getHashSessionId, requestNewSession, resetSessionUI, setConnectionStatus, clearCancelTimer } from './state.mmjvjb37.js';
+import { addSystem, finishThinking, finishAssistant, finishBash, scrollToBottom } from './render.mmjvjb37.js';
+import { handleEvent, loadHistory, loadNewEvents } from './events.mmjvjb37.js';
 
 export function connect() {
   const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';

package/dist/js/{events.mmjqzu9r.js → events.mmjvjb37.js}

@@ -4,12 +4,12 @@ import {
   state, dom, setBusy, setConfigValue, getConfigOption, updateConfigOptions,
   updateModeUI, resetSessionUI, requestNewSession, setHashSessionId, updateSessionInfo,
   setConnectionStatus, clearCancelTimer,
-} from './state.mmjqzu9r.js';
+} from './state.mmjvjb37.js';
 import {
   addMessage, addSystem, finishAssistant, finishThinking, hideWaiting,
   scrollToBottom, renderMd, escHtml, renderPatchDiff, addBashBlock, finishBash, appendMessageElement,
   formatLocalTime,
-} from './render.mmjqzu9r.js';
+} from './render.mmjvjb37.js';
 
 function finishPromptIfIdle() {
   if (!state.pendingPromptDone) return;

package/dist/js/{images.mmjqzu9r.js → images.mmjvjb37.js}

@@ -1,6 +1,6 @@
 // Image attach, preview, and paste handling
 
-import { state, dom } from './state.mmjqzu9r.js';
+import { state, dom } from './state.mmjvjb37.js';
 
 function readFileAsBase64(file) {
   return new Promise((resolve) => {

package/dist/js/{input.mmjqzu9r.js → input.mmjvjb37.js}

@@ -3,10 +3,10 @@
 import {
   state, dom, setBusy, sendCancel,
   getConfigOption, getConfigValue, updateNewBtnVisibility,
-} from './state.mmjqzu9r.js';
-import { addMessage, addSystem, addBashBlock, showWaiting } from './render.mmjqzu9r.js';
-import { handleSlashCommand, hideSlashMenu, handleSlashMenuKey, updateSlashMenu } from './commands.mmjqzu9r.js';
-import { renderAttachPreview } from './images.mmjqzu9r.js';
+} from './state.mmjvjb37.js';
+import { addMessage, addSystem, addBashBlock, showWaiting } from './render.mmjvjb37.js';
+import { handleSlashCommand, hideSlashMenu, handleSlashMenuKey, updateSlashMenu } from './commands.mmjvjb37.js';
+import { renderAttachPreview } from './images.mmjvjb37.js';
 
 // Wire up cancel-timeout feedback (state.js cannot import render.js directly)
 state._onCancelTimeout = () => addSystem('warn: Agent not responding to cancel');

package/dist/js/{render.mmjqzu9r.js → render.mmjvjb37.js}

@@ -1,6 +1,6 @@
 // Rendering functions, theme, markdown, bash UI
 
-import { dom, state } from './state.mmjqzu9r.js';
+import { dom, state } from './state.mmjvjb37.js';
 
 // --- Markdown ---
 marked.setOptions({ breaks: true, gfm: true });

package/lib/bridge.js

@@ -0,0 +1,284 @@
+import { spawn, ChildProcess } from "node:child_process";
+import { Writable, Readable } from "node:stream";
+import { EventEmitter } from "node:events";
+import * as acp from "@agentclientprotocol/sdk";
+export class AgentBridge extends EventEmitter {
+    proc = null;
+    conn = null;
+    permissionResolvers = new Map();
+    permissionRequestSessions = new Map();
+    silentSessions = new Set(); // Sessions that don't emit events
+    silentBuffers = new Map(); // Text buffers for silent sessions
+    agentCmd;
+    constructor(agentCmd) {
+        super();
+        this.agentCmd = agentCmd;
+    }
+    async start() {
+        const [cmd, ...args] = this.agentCmd.split(/\s+/);
+        this.proc = spawn(cmd, args, {
+            stdio: ["pipe", "pipe", "inherit"],
+        });
+        if (!this.proc.stdin || !this.proc.stdout) {
+            throw new Error(`Failed to start: ${this.agentCmd}`);
+        }
+        const input = Writable.toWeb(this.proc.stdin);
+        const output = Readable.toWeb(this.proc.stdout);
+        const stream = acp.ndJsonStream(input, output);
+        const client = {
+            requestPermission: async (params) => this.handlePermission(params),
+            sessionUpdate: async (params) => this.handleSessionUpdate(params),
+            readTextFile: async (params) => this.handleReadFile(params),
+            writeTextFile: async (params) => this.handleWriteFile(params),
+        };
+        this.conn = new acp.ClientSideConnection((_agent) => client, stream);
+        const init = await this.conn.initialize({
+            protocolVersion: acp.PROTOCOL_VERSION,
+            clientCapabilities: {
+                fs: { readTextFile: true, writeTextFile: true },
+                terminal: true,
+            },
+        });
+        const agentInfo = init.agentInfo;
+        this.emit("event", {
+            type: "connected",
+            agent: {
+                name: agentInfo?.name ?? "unknown",
+                version: agentInfo?.version ?? "?",
+            },
+            configOptions: [],
+        });
+    }
+    async newSession(cwd, opts) {
+        if (!this.conn)
+            throw new Error("Not connected");
+        const session = await this.conn.newSession({ cwd, mcpServers: [] });
+        if (!opts?.silent) {
+            this.emit("event", {
+                type: "session_created",
+                sessionId: session.sessionId,
+                cwd,
+                configOptions: session.configOptions ?? [],
+            });
+        }
+        return session.sessionId;
+    }
+    async loadSession(sessionId, cwd) {
+        if (!this.conn)
+            throw new Error("Not connected");
+        const session = await this.conn.loadSession({ sessionId, cwd, mcpServers: [] });
+        this.emit("event", {
+            type: "session_created",
+            sessionId: session.sessionId,
+            cwd,
+            configOptions: session.configOptions ?? [],
+        });
+        return { sessionId: session.sessionId, configOptions: session.configOptions ?? [] };
+    }
+    async setConfigOption(sessionId, configId, value) {
+        if (!this.conn)
+            throw new Error("Not connected");
+        const result = await this.conn.setSessionConfigOption({ sessionId, configId, value });
+        return result.configOptions ?? [];
+    }
+    async prompt(sessionId, text, images) {
+        if (!this.conn)
+            throw new Error("Not connected");
+        try {
+            const promptParts = [];
+            if (images) {
+                for (const img of images) {
+                    promptParts.push({ type: "image", data: img.data, mimeType: img.mimeType });
+                }
+            }
+            promptParts.push({ type: "text", text });
+            const result = await this.conn.prompt({
+                sessionId,
+                prompt: promptParts,
+            });
+            this.emit("event", {
+                type: "prompt_done",
+                sessionId,
+                stopReason: result.stopReason ?? "end_turn",
+            });
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : (typeof err === "string" ? err : JSON.stringify(err));
+            if (/cancel/i.test(message)) {
+                this.emit("event", {
+                    type: "prompt_done",
+                    sessionId,
+                    stopReason: "cancelled",
+                });
+                return;
+            }
+            this.emit("event", { type: "error", sessionId, message });
+        }
+    }
+    async cancel(sessionId) {
+        for (const [requestId, requestSessionId] of this.permissionRequestSessions) {
+            if (requestSessionId === sessionId) {
+                this.denyPermission(requestId);
+            }
+        }
+        await this.conn?.cancel({ sessionId });
+    }
+    /** Send a prompt and collect the full text response without emitting events. */
+    async promptForText(sessionId, text) {
+        if (!this.conn)
+            throw new Error("Not connected");
+        this.silentSessions.add(sessionId);
+        this.silentBuffers.set(sessionId, "");
+        try {
+            await this.conn.prompt({ sessionId, prompt: [{ type: "text", text }] });
+            return this.silentBuffers.get(sessionId) ?? "";
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : (typeof err === "string" ? err : JSON.stringify(err));
+            if (/cancel/i.test(message)) {
+                return "";
+            }
+            throw err;
+        }
+        finally {
+            this.silentSessions.delete(sessionId);
+            this.silentBuffers.delete(sessionId);
+        }
+    }
+    resolvePermission(requestId, optionId) {
+        const resolve = this.permissionResolvers.get(requestId);
+        if (resolve) {
+            resolve({ outcome: { outcome: "selected", optionId } });
+            this.permissionResolvers.delete(requestId);
+            this.permissionRequestSessions.delete(requestId);
+        }
+    }
+    denyPermission(requestId) {
+        const resolve = this.permissionResolvers.get(requestId);
+        if (resolve) {
+            resolve({ outcome: { outcome: "cancelled" } });
+            this.permissionResolvers.delete(requestId);
+            this.permissionRequestSessions.delete(requestId);
+        }
+    }
+    async shutdown() {
+        // Reject all pending permissions
+        for (const [id, resolve] of this.permissionResolvers) {
+            resolve({ outcome: { outcome: "cancelled" } });
+        }
+        this.permissionResolvers.clear();
+        this.permissionRequestSessions.clear();
+        if (this.proc && this.proc.exitCode === null) {
+            this.proc.kill();
+            await new Promise((resolve) => {
+                const timer = setTimeout(() => {
+                    this.proc?.kill(process.platform === "win32" ? undefined : "SIGKILL");
+                    resolve();
+                }, 5000);
+                this.proc?.on("exit", () => {
+                    clearTimeout(timer);
+                    resolve();
+                });
+            });
+        }
+        this.proc = null;
+        this.conn = null;
+    }
+    // --- ACP Client callbacks ---
+    handlePermission(params) {
+        const requestId = crypto.randomUUID();
+        const title = params.toolCall?.title ?? "Permission requested";
+        const toolCallId = params.toolCall?.toolCallId ?? null;
+        return new Promise((resolve) => {
+            // Register resolver BEFORE emitting, so synchronous auto-approve can find it
+            this.permissionResolvers.set(requestId, resolve);
+            this.permissionRequestSessions.set(requestId, params.sessionId);
+            this.emit("event", {
+                type: "permission_request",
+                requestId,
+                sessionId: params.sessionId,
+                title,
+                toolCallId,
+                options: params.options,
+            });
+        });
+    }
+    handleSessionUpdate(params) {
+        const update = params.update;
+        const sessionId = params.sessionId;
+        // Silent sessions: only buffer text, don't emit events
+        if (this.silentSessions.has(sessionId)) {
+            if (update.sessionUpdate === "agent_message_chunk" && update.content.type === "text") {
+                const buf = (this.silentBuffers.get(sessionId) ?? "") + update.content.text;
+                this.silentBuffers.set(sessionId, buf);
+            }
+            return Promise.resolve();
+        }
+        switch (update.sessionUpdate) {
+            case "agent_message_chunk":
+                if (update.content.type === "text") {
+                    this.emit("event", {
+                        type: "message_chunk",
+                        sessionId,
+                        text: update.content.text,
+                    });
+                }
+                break;
+            case "agent_thought_chunk":
+                if (update.content.type === "text") {
+                    this.emit("event", {
+                        type: "thought_chunk",
+                        sessionId,
+                        text: update.content.text,
+                    });
+                }
+                break;
+            case "tool_call":
+                this.emit("event", {
+                    type: "tool_call",
+                    sessionId,
+                    id: update.toolCallId ?? "",
+                    title: update.title ?? "",
+                    kind: update.kind ?? "unknown",
+                    rawInput: update.rawInput,
+                });
+                break;
+            case "tool_call_update":
+                this.emit("event", {
+                    type: "tool_call_update",
+                    sessionId,
+                    id: update.toolCallId ?? "",
+                    status: update.status ?? "",
+                    content: update.content ?? undefined,
+                });
+                break;
+            case "plan":
+                this.emit("event", {
+                    type: "plan",
+                    sessionId,
+                    entries: update.entries ?? [],
+                });
+                break;
+            case "config_option_update":
+                this.emit("event", {
+                    type: "config_option_update",
+                    sessionId,
+                    configOptions: update.configOptions ?? [],
+                });
+                break;
+        }
+        return Promise.resolve();
+    }
+    async handleReadFile(params) {
+        const { readFile } = await import("node:fs/promises");
+        const content = await readFile(params.path, "utf-8");
+        return { content };
+    }
+    async handleWriteFile(params) {
+        const { writeFile, mkdir } = await import("node:fs/promises");
+        const { dirname } = await import("node:path");
+        await mkdir(dirname(params.path), { recursive: true });
+        await writeFile(params.path, params.content);
+        return {};
+    }
+}

package/lib/config.js

@@ -0,0 +1,57 @@
+import { readFileSync } from "node:fs";
+import { parse as parseTOML } from "smol-toml";
+import { z } from "zod";
+const ConfigSchema = z.object({
+    port: z.number().int().positive().default(6800),
+    data_dir: z.string().default("data"),
+    default_cwd: z.string().default(process.cwd()),
+    public_dir: z.string().default("dist"),
+    agent_cmd: z.string().default("copilot --acp"),
+    limits: z.object({
+        bash_output: z.number().int().positive().default(1_048_576), // 1 MB
+        image_upload: z.number().int().positive().default(10_485_760), // 10 MB
+        cancel_timeout: z.number().int().nonnegative().default(10_000), // 10s; 0 disables
+    }).default({
+        bash_output: 1_048_576,
+        image_upload: 10_485_760,
+        cancel_timeout: 10_000,
+    }),
+});
+let _config = null;
+function parseArgs() {
+    const idx = process.argv.indexOf("--config");
+    if (idx !== -1 && idx + 1 < process.argv.length) {
+        return process.argv[idx + 1];
+    }
+    return null;
+}
+export function loadConfig() {
+    const configPath = parseArgs();
+    let raw = {};
+    if (configPath) {
+        try {
+            const content = readFileSync(configPath, "utf-8");
+            raw = parseTOML(content);
+            console.log(`[config] loaded: ${configPath}`);
+        }
+        catch (err) {
+            console.error(`[config] failed to read ${configPath}:`, err);
+            process.exit(1);
+        }
+    }
+    else {
+        console.log("[config] no --config provided, using defaults");
+    }
+    const result = ConfigSchema.safeParse(raw);
+    if (!result.success) {
+        console.error("[config] validation error:", result.error.format());
+        process.exit(1);
+    }
+    _config = result.data;
+    return _config;
+}
+export function getConfig() {
+    if (!_config)
+        throw new Error("Config not loaded. Call loadConfig() first.");
+    return _config;
+}

package/lib/routes.js

@@ -0,0 +1,137 @@
+import { readFile, writeFile, mkdir } from "node:fs/promises";
+import { join, extname } from "node:path";
+const SAFE_ID = /^[a-zA-Z0-9_-]+$/;
+const MIME = {
+    ".html": "text/html",
+    ".js": "application/javascript",
+    ".css": "text/css",
+    ".json": "application/json",
+    ".svg": "image/svg+xml",
+    ".png": "image/png",
+    ".jpg": "image/jpeg",
+    ".jpeg": "image/jpeg",
+    ".gif": "image/gif",
+    ".webp": "image/webp",
+};
+export function createRequestHandler(store, publicDir, dataDir, limits) {
+    return async (req, res) => {
+        const url = req.url ?? "/";
+        // --- API routes ---
+        if (url.startsWith("/api/")) {
+            res.setHeader("Content-Type", "application/json");
+            // GET /api/sessions
+            if (url === "/api/sessions" && req.method === "GET") {
+                res.end(JSON.stringify(store.listSessions()));
+                return;
+            }
+            // GET /api/sessions/:id/events?thinking=0|1
+            const eventsMatch = url.match(/^\/api\/sessions\/([^/]+)\/events(\?.*)?$/);
+            if (eventsMatch && req.method === "GET") {
+                const sessionId = decodeURIComponent(eventsMatch[1]);
+                const params = new URLSearchParams(eventsMatch[2]?.slice(1) ?? "");
+                const excludeThinking = params.get("thinking") === "0";
+                const afterSeqRaw = params.get("after_seq");
+                const afterSeq = afterSeqRaw != null ? Number(afterSeqRaw) : undefined;
+                const session = store.getSession(sessionId);
+                if (!session) {
+                    res.writeHead(404);
+                    res.end(JSON.stringify({ error: "Session not found" }));
+                    return;
+                }
+                const events = store.getEvents(sessionId, { excludeThinking, afterSeq });
+                res.end(JSON.stringify(events));
+                return;
+            }
+            // POST /api/images/:sessionId
+            const imgMatch = url.match(/^\/api\/images\/([^/]+)$/);
+            if (imgMatch && req.method === "POST") {
+                const sessionId = decodeURIComponent(imgMatch[1]);
+                if (!SAFE_ID.test(sessionId)) {
+                    res.writeHead(400);
+                    res.end(JSON.stringify({ error: "Invalid session ID" }));
+                    return;
+                }
+                // Enforce upload size limit
+                const contentLength = parseInt(req.headers["content-length"] ?? "0", 10);
+                if (contentLength > limits.image_upload) {
+                    res.writeHead(413);
+                    res.end(JSON.stringify({ error: "Upload too large" }));
+                    return;
+                }
+                const chunks = [];
+                let totalSize = 0;
+                for await (const chunk of req) {
+                    totalSize += chunk.length;
+                    if (totalSize > limits.image_upload) {
+                        res.writeHead(413);
+                        res.end(JSON.stringify({ error: "Upload too large" }));
+                        return;
+                    }
+                    chunks.push(chunk);
+                }
+                let body;
+                try {
+                    body = JSON.parse(Buffer.concat(chunks).toString());
+                }
+                catch {
+                    res.writeHead(400);
+                    res.end(JSON.stringify({ error: "Invalid JSON" }));
+                    return;
+                }
+                const { data, mimeType } = body;
+                const ext = mimeType.split("/")[1]?.replace("jpeg", "jpg") ?? "png";
+                const seq = Date.now();
+                const relPath = `images/${sessionId}/${seq}.${ext}`;
+                const absPath = join(dataDir, relPath);
+                await mkdir(join(dataDir, "images", sessionId), { recursive: true });
+                await writeFile(absPath, Buffer.from(data, "base64"));
+                const imgUrl = `/data/${relPath}`;
+                res.end(JSON.stringify({ path: relPath, url: imgUrl }));
+                return;
+            }
+            res.writeHead(404);
+            res.end(JSON.stringify({ error: "Not found" }));
+            return;
+        }
+        // --- Serve uploaded images: /data/images/... ---
+        if (url.startsWith("/data/images/")) {
+            const filePath = join(dataDir, url.slice(6)); // strip "/data/"
+            if (!filePath.startsWith(join(dataDir, "images"))) {
+                res.writeHead(403);
+                res.end("Forbidden");
+                return;
+            }
+            try {
+                const data = await readFile(filePath);
+                const ext = extname(filePath);
+                res.writeHead(200, {
+                    "Content-Type": MIME[ext] ?? "application/octet-stream",
+                    "Cache-Control": "public, max-age=31536000, immutable",
+                });
+                res.end(data);
+            }
+            catch {
+                res.writeHead(404);
+                res.end("Not found");
+            }
+            return;
+        }
+        // --- Static files ---
+        const filePath = join(publicDir, url === "/" ? "/index.html" : url);
+        if (!filePath.startsWith(publicDir)) {
+            res.writeHead(403);
+            res.end("Forbidden");
+            return;
+        }
+        try {
+            const data = await readFile(filePath);
+            const ext = extname(filePath);
+            res.writeHead(200, { "Content-Type": MIME[ext] ?? "application/octet-stream" });
+            res.end(data);
+        }
+        catch {
+            res.writeHead(404);
+            res.end("Not found");
+        }
+    };
+}