@lightharu/krouter 1.8.0

package/out-server/server/index.js

@@ -0,0 +1,1272 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const http_1 = __importDefault(require("http"));
+const fs_1 = require("fs");
+const path_1 = __importDefault(require("path"));
+const store_1 = require("./store");
+const kiroAccounts_1 = require("./services/kiroAccounts");
+const accountProfileHydration_1 = require("./services/accountProfileHydration");
+const localKiroCredentials_1 = require("./services/localKiroCredentials");
+const machineIdRuntime_1 = require("./services/machineIdRuntime");
+const kiroSettings_1 = require("./services/kiroSettings");
+const proxyRuntime_1 = require("./services/proxyRuntime");
+const kproxyRuntime_1 = require("./services/kproxyRuntime");
+const diagnostics_1 = require("./services/diagnostics");
+const accountExtras_1 = require("./services/accountExtras");
+const authFlows_1 = require("./services/authFlows");
+const registrationRuntime_1 = require("./services/registrationRuntime");
+const protonBrowserRuntime_1 = require("./services/protonBrowserRuntime");
+const dashboardTunnel_1 = require("./services/dashboardTunnel");
+const store = new store_1.WebStore();
+const sseClients = new Set();
+const dashboardTunnelRuntime = (0, dashboardTunnel_1.getDashboardTunnelRuntime)();
+const SESSION_COOKIE_NAME = 'krouter_session';
+const LEGACY_SESSION_COOKIE_NAME = 'kam_session';
+const TOKEN_REFRESH_BEFORE_EXPIRY_MS = 5 * 60 * 1000;
+const BACKEND_AUTO_REFRESH_MIN_INTERVAL_MS = 60 * 1000;
+const backendAutoRefreshTimers = new Map();
+const backendAutoRefreshRunning = new Set();
+function envFlag(name) {
+    const raw = process.env[name];
+    if (raw === undefined)
+        return undefined;
+    if (/^(1|true|yes|on)$/i.test(raw))
+        return true;
+    if (/^(0|false|no|off)$/i.test(raw))
+        return false;
+    return undefined;
+}
+function shouldServeStatic() {
+    if (process.argv.includes('--api-only') || process.argv.includes('--backend-only'))
+        return false;
+    if (process.argv.includes('--serve-static'))
+        return true;
+    const mode = (process.env.KROUTER_SERVER_MODE || process.env.KAM_SERVER_MODE || process.env.SERVER_MODE || '').trim().toLowerCase();
+    if (mode === 'api' || mode === 'backend' || mode === 'cli')
+        return false;
+    if (mode === 'fullstack' || mode === 'web')
+        return true;
+    return envFlag('SERVE_STATIC') ?? true;
+}
+function shouldAutoStartDashboardTunnel() {
+    return Boolean(envFlag('KROUTER_DASHBOARD_TUNNEL_AUTOSTART') ??
+        envFlag('KAM_DASHBOARD_TUNNEL_AUTOSTART') ??
+        envFlag('DASHBOARD_TUNNEL_AUTOSTART') ??
+        false);
+}
+const serveStaticAssets = shouldServeStatic();
+function packageVersion() {
+    try {
+        const raw = require('fs').readFileSync(path_1.default.join(process.cwd(), 'package.json'), 'utf8');
+        return JSON.parse(raw).version || '0.0.0';
+    }
+    catch {
+        return '0.0.0';
+    }
+}
+function sendJson(response, status, data) {
+    response.writeHead(status, {
+        'Content-Type': 'application/json; charset=utf-8',
+        'Cache-Control': 'no-store'
+    });
+    response.end(JSON.stringify(data));
+}
+function sendHtml(response, status, html) {
+    response.writeHead(status, {
+        'Content-Type': 'text/html; charset=utf-8',
+        'Cache-Control': 'no-store'
+    });
+    response.end(html);
+}
+function parseCookies(request) {
+    const header = request.headers.cookie || '';
+    return Object.fromEntries(header
+        .split(';')
+        .map((part) => part.trim())
+        .filter(Boolean)
+        .map((part) => {
+        const index = part.indexOf('=');
+        if (index === -1)
+            return [part, ''];
+        return [decodeURIComponent(part.slice(0, index)), decodeURIComponent(part.slice(index + 1))];
+    }));
+}
+function sessionCookie(sessionId, expiresAt) {
+    const secure = process.env.COOKIE_SECURE === 'true' ? '; Secure' : '';
+    return [
+        `${SESSION_COOKIE_NAME}=${encodeURIComponent(sessionId)}`,
+        'HttpOnly',
+        'SameSite=Lax',
+        'Path=/',
+        `Expires=${new Date(expiresAt).toUTCString()}`,
+        secure
+    ].join('; ');
+}
+function clearCookie(name) {
+    return `${name}=; HttpOnly; SameSite=Lax; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+}
+async function readJson(request) {
+    const chunks = [];
+    for await (const chunk of request)
+        chunks.push(Buffer.from(chunk));
+    if (chunks.length === 0)
+        return null;
+    return JSON.parse(Buffer.concat(chunks).toString('utf8'));
+}
+function getUser(request) {
+    const cookies = parseCookies(request);
+    return store.findUserBySession(cookies[SESSION_COOKIE_NAME] || cookies[LEGACY_SESSION_COOKIE_NAME]);
+}
+function publicUser(user) {
+    return { id: user.id, email: user.email, name: user.name, role: user.role };
+}
+function emit(channel, ...args) {
+    const payload = JSON.stringify({ channel, args });
+    for (const client of sseClients) {
+        client.write(`data: ${payload}\n\n`);
+    }
+}
+async function startAutoProxyRuntimes() {
+    for (const user of store.getUsers()) {
+        const runtime = (0, proxyRuntime_1.getProxyRuntime)(store, user.id, emit);
+        const result = await runtime.ensureAutoStarted('server-boot');
+        if (!result.success) {
+            console.error(`[Server] Proxy auto-start skipped for ${user.email}: ${result.error}`);
+        }
+    }
+}
+async function startDashboardTunnelIfConfigured() {
+    if (!shouldAutoStartDashboardTunnel())
+        return;
+    const result = await dashboardTunnelRuntime.start();
+    if (!result.success) {
+        console.error(`[Server] Dashboard tunnel auto-start skipped: ${result.error || result.status.error || 'unknown error'}`);
+    }
+    else if (result.status.publicUrl) {
+        console.log(`[Server] Dashboard tunnel running at ${result.status.publicUrl}`);
+    }
+    else {
+        console.log('[Server] Dashboard tunnel start requested; public URL is not ready yet');
+    }
+}
+function defaultAccountData() {
+    return {
+        accounts: {},
+        groups: {},
+        tags: {},
+        activeAccountId: null,
+        autoRefreshEnabled: true,
+        autoRefreshInterval: 5,
+        autoRefreshConcurrency: 100,
+        autoRefreshSyncInfo: true,
+        statusCheckInterval: 60,
+        privacyMode: false,
+        usagePrecision: false,
+        proxyEnabled: false,
+        proxyUrl: '',
+        autoSwitchEnabled: false,
+        autoSwitchThreshold: 0,
+        autoSwitchInterval: 5,
+        switchTarget: 'ide',
+        theme: 'default',
+        darkMode: false,
+        language: 'auto',
+        machineIdConfig: {
+            autoSwitchOnAccountChange: false,
+            bindMachineIdToAccount: false,
+            useBindedMachineId: true
+        },
+        currentMachineId: '',
+        originalMachineId: null,
+        originalBackupTime: null,
+        accountMachineIds: {},
+        machineIdHistory: [],
+        proxyPool: {},
+        proxyPoolConfig: {
+            enabled: false,
+            strategy: 'round_robin',
+            validateOnStartup: false,
+            autoDisableDead: true,
+            failureThreshold: 3,
+            testUrl: 'https://api.ipify.org?format=json',
+            testTimeoutMs: 8000,
+            autoValidateIntervalMin: 0,
+            autoValidateConcurrency: 5,
+            upstreamProxy: ''
+        },
+        proxyPoolCursor: 0,
+        accountProxyBindings: {}
+    };
+}
+function mergeAccountData(currentRaw, incomingRaw) {
+    const current = currentRaw && typeof currentRaw === 'object'
+        ? currentRaw
+        : defaultAccountData();
+    const incoming = incomingRaw && typeof incomingRaw === 'object'
+        ? incomingRaw
+        : defaultAccountData();
+    const currentAccounts = current.accounts && typeof current.accounts === 'object'
+        ? current.accounts
+        : {};
+    const incomingAccounts = incoming.accounts && typeof incoming.accounts === 'object'
+        ? incoming.accounts
+        : {};
+    const deletedIds = new Set([
+        ...(Array.isArray(current._deletedAccountIds) ? current._deletedAccountIds.filter((id) => typeof id === 'string') : []),
+        ...(Array.isArray(incoming._deletedAccountIds) ? incoming._deletedAccountIds.filter((id) => typeof id === 'string') : [])
+    ]);
+    const accounts = { ...currentAccounts, ...incomingAccounts };
+    for (const id of deletedIds)
+        delete accounts[id];
+    return {
+        ...current,
+        ...incoming,
+        accounts,
+        _deletedAccountIds: Array.from(deletedIds)
+    };
+}
+function unsupported(method) {
+    return {
+        success: false,
+        error: `Web backend handler '${method}' has not been ported from Electron yet.`
+    };
+}
+async function httpProbe(params) {
+    const started = Date.now();
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), params.timeoutMs || 5000);
+    try {
+        const response = await fetch(params.url, {
+            method: params.method || 'GET',
+            signal: controller.signal
+        });
+        return { success: true, status: response.status, latencyMs: Date.now() - started };
+    }
+    catch (error) {
+        return { success: false, latencyMs: Date.now() - started, error: error instanceof Error ? error.message : String(error) };
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+async function checkForUpdatesManual() {
+    try {
+        const response = await fetch('https://api.github.com/repos/LightHaru/Krouter/releases/latest');
+        const release = await response.json();
+        const currentVersion = packageVersion();
+        const latestVersion = String(release.tag_name || '').replace(/^v/, '');
+        return {
+            hasUpdate: latestVersion !== currentVersion,
+            currentVersion,
+            latestVersion,
+            releaseName: release.name,
+            releaseNotes: release.body,
+            releaseUrl: release.html_url,
+            publishedAt: release.published_at,
+            assets: Array.isArray(release.assets)
+                ? release.assets.map((asset) => ({
+                    name: asset.name,
+                    downloadUrl: asset.browser_download_url,
+                    size: asset.size
+                }))
+                : []
+        };
+    }
+    catch (error) {
+        return { hasUpdate: false, currentVersion: packageVersion(), error: error instanceof Error ? error.message : String(error) };
+    }
+}
+function errorMessageFromResult(result) {
+    return result?.error?.message || result?.error || 'Unknown error';
+}
+function isPlainRecord(value) {
+    return Boolean(value && typeof value === 'object' && !Array.isArray(value));
+}
+function isBannedAccountError(error) {
+    if (!error)
+        return false;
+    const lowerError = error.toLowerCase();
+    return (lowerError.includes('accountsuspendedexception') ||
+        lowerError.includes('account suspended') ||
+        lowerError.includes('temporarily_suspended') ||
+        lowerError.includes('temporarily suspended') ||
+        (lowerError.includes('user id is') && lowerError.includes('suspended')) ||
+        lowerError.includes('account is locked') ||
+        lowerError.includes('security precaution') ||
+        lowerError.includes('账户已封禁') ||
+        lowerError.includes('已封禁') ||
+        /\b423\b/.test(lowerError));
+}
+function clampNumber(value, fallback, min, max) {
+    const parsed = Number(value);
+    if (!Number.isFinite(parsed))
+        return fallback;
+    return Math.max(min, Math.min(parsed, max));
+}
+function normalizeBackgroundStatusData(data) {
+    const credentials = data?.newCredentials;
+    const subscription = data?.subscription || {};
+    return {
+        accessToken: credentials?.accessToken,
+        refreshToken: credentials?.refreshToken,
+        expiresIn: credentials?.expiresAt ? Math.max(0, Math.floor((credentials.expiresAt - Date.now()) / 1000)) : undefined,
+        usage: data?.usage,
+        subscription: {
+            ...subscription,
+            type: data?.subscriptionType || subscription.type || subscription.rawType,
+            title: data?.subscriptionTitle || subscription.title,
+            daysRemaining: data?.daysRemaining,
+            expiresAt: data?.expiresAt,
+            subscriptionManagementTarget: subscription.subscriptionManagementTarget || subscription.managementTarget
+        },
+        userInfo: {
+            email: data?.email,
+            userId: data?.userId
+        },
+        profileArn: data?.profileArn,
+        status: data?.status,
+        errorMessage: data?.errorMessage
+    };
+}
+function accountForStatusCheck(account, allowRefresh) {
+    if (allowRefresh || !account.credentials?.accessToken)
+        return account;
+    return {
+        ...account,
+        credentials: {
+            ...account.credentials,
+            expiresAt: account.credentials.expiresAt || Date.now() + 3600000
+        }
+    };
+}
+function accountNeedsBackendRefresh(account, now) {
+    const credentials = account.credentials || {};
+    const expiresAt = Number(credentials.expiresAt || 0);
+    return !credentials.accessToken || !expiresAt || expiresAt - now <= TOKEN_REFRESH_BEFORE_EXPIRY_MS;
+}
+function getStoredAccounts(accountData) {
+    return isPlainRecord(accountData.accounts) ? accountData.accounts : {};
+}
+function applyRefreshDataToStoredAccount(id, account, data, now) {
+    const credentials = account.credentials || {};
+    const nextCredentials = { ...credentials };
+    if (typeof data?.accessToken === 'string' && data.accessToken) {
+        nextCredentials.accessToken = data.accessToken;
+    }
+    if (typeof data?.refreshToken === 'string' && data.refreshToken) {
+        nextCredentials.refreshToken = data.refreshToken;
+    }
+    const expiresIn = Number(data?.expiresIn);
+    if (Number.isFinite(expiresIn) && expiresIn > 0 && nextCredentials.accessToken) {
+        nextCredentials.expiresAt = now + expiresIn * 1000;
+    }
+    let usage = account.usage;
+    if (isPlainRecord(data?.usage)) {
+        const currentUsage = isPlainRecord(account.usage) ? account.usage : {};
+        usage = { ...currentUsage, ...data.usage, lastUpdated: now };
+    }
+    let subscription = account.subscription;
+    if (isPlainRecord(data?.subscription)) {
+        const currentSubscription = isPlainRecord(account.subscription) ? account.subscription : {};
+        subscription = { ...currentSubscription, ...data.subscription };
+        const managementTarget = data.subscription.subscriptionManagementTarget ?? data.subscription.managementTarget ?? currentSubscription.managementTarget;
+        if (managementTarget !== undefined)
+            subscription.managementTarget = managementTarget;
+    }
+    const userInfo = isPlainRecord(data?.userInfo) ? data.userInfo : {};
+    const status = data?.status === 'error' ? 'error' : 'active';
+    const errorMessage = typeof data?.errorMessage === 'string' && data.errorMessage ? data.errorMessage : undefined;
+    return {
+        ...account,
+        id: account.id || id,
+        email: typeof userInfo.email === 'string' && userInfo.email ? userInfo.email : account.email,
+        userId: typeof userInfo.userId === 'string' && userInfo.userId ? userInfo.userId : account.userId,
+        profileArn: typeof data?.profileArn === 'string' && data.profileArn ? data.profileArn : account.profileArn,
+        credentials: nextCredentials,
+        usage,
+        subscription,
+        status,
+        lastError: errorMessage,
+        lastCheckedAt: now
+    };
+}
+function applyBackendRefreshFailure(id, account, error, now) {
+    return {
+        ...account,
+        id: account.id || id,
+        status: 'error',
+        lastError: error,
+        lastCheckedAt: now
+    };
+}
+function backendAutoRefreshEnabled() {
+    return envFlag('KROUTER_BACKEND_AUTO_REFRESH') ?? envFlag('KAM_BACKEND_AUTO_REFRESH') ?? true;
+}
+async function runBackendAutoRefreshForUser(user, reason) {
+    if (!backendAutoRefreshEnabled())
+        return;
+    if (backendAutoRefreshRunning.has(user.id))
+        return;
+    backendAutoRefreshRunning.add(user.id);
+    try {
+        const accountData = (store.getAccountData(user.id) || defaultAccountData());
+        if (accountData.autoRefreshEnabled === false)
+            return;
+        const accounts = getStoredAccounts(accountData);
+        const entries = Object.entries(accounts);
+        const now = Date.now();
+        const syncInfo = accountData.autoRefreshSyncInfo !== false;
+        const autoSwitch = Boolean(accountData.autoSwitchEnabled);
+        const pending = entries
+            .map(([id, account]) => ({
+            id,
+            account,
+            needsTokenRefresh: accountNeedsBackendRefresh(account, now)
+        }))
+            .filter(({ account, needsTokenRefresh }) => {
+            if (isBannedAccountError(account.lastError))
+                return false;
+            if (!account.credentials?.refreshToken)
+                return false;
+            return needsTokenRefresh || syncInfo || autoSwitch;
+        });
+        if (pending.length === 0)
+            return;
+        const concurrency = clampNumber(accountData.autoRefreshConcurrency, 5, 1, 100);
+        let completed = 0;
+        let successCount = 0;
+        let failedCount = 0;
+        let changed = false;
+        console.log(`[BackendAutoRefresh] ${user.email}: processing ${pending.length} account(s), reason=${reason}, syncInfo=${syncInfo}`);
+        for (let index = 0; index < pending.length; index += concurrency) {
+            const batch = pending.slice(index, index + concurrency);
+            await Promise.all(batch.map(async ({ id, account, needsTokenRefresh }) => {
+                const backgroundAccount = {
+                    ...account,
+                    id,
+                    needsTokenRefresh
+                };
+                let payload;
+                try {
+                    if (!syncInfo && !autoSwitch) {
+                        const refresh = await (0, kiroAccounts_1.refreshAccountToken)(backgroundAccount);
+                        payload = refresh.success && refresh.data
+                            ? { id, success: true, data: refresh.data }
+                            : { id, success: false, error: errorMessageFromResult(refresh) };
+                    }
+                    else {
+                        const status = await (0, kiroAccounts_1.checkAccountStatus)(accountForStatusCheck(backgroundAccount, needsTokenRefresh));
+                        payload = status?.success && status.data
+                            ? { id, success: true, data: normalizeBackgroundStatusData(status.data) }
+                            : { id, success: false, error: errorMessageFromResult(status) };
+                    }
+                }
+                catch (error) {
+                    payload = { id, success: false, error: error instanceof Error ? error.message : String(error) };
+                }
+                const finishedAt = Date.now();
+                if (payload.success) {
+                    successCount++;
+                    accounts[id] = applyRefreshDataToStoredAccount(id, accounts[id] || account, payload.data, finishedAt);
+                }
+                else {
+                    failedCount++;
+                    accounts[id] = applyBackendRefreshFailure(id, accounts[id] || account, payload.error || 'Unknown error', finishedAt);
+                }
+                changed = true;
+                emit('background-refresh-result', payload);
+            }));
+            completed += batch.length;
+            emit('background-refresh-progress', { completed, total: pending.length, success: successCount, failed: failedCount });
+            if (index + concurrency < pending.length)
+                await new Promise((resolve) => setTimeout(resolve, 100));
+        }
+        if (changed) {
+            accountData.accounts = accounts;
+            await store.setAccountData(user.id, accountData);
+            await store.audit(user.id, 'backend-token-refresh', {
+                reason,
+                completed,
+                successCount,
+                failedCount
+            });
+        }
+    }
+    catch (error) {
+        console.error(`[BackendAutoRefresh] ${user.email}: failed`, error);
+    }
+    finally {
+        backendAutoRefreshRunning.delete(user.id);
+    }
+}
+function clearBackendAutoRefreshForUser(userId) {
+    const timer = backendAutoRefreshTimers.get(userId);
+    if (timer)
+        clearInterval(timer);
+    backendAutoRefreshTimers.delete(userId);
+}
+function scheduleBackendAutoRefreshForUser(user, runNow) {
+    clearBackendAutoRefreshForUser(user.id);
+    if (!backendAutoRefreshEnabled())
+        return;
+    const accountData = (store.getAccountData(user.id) || defaultAccountData());
+    if (accountData.autoRefreshEnabled === false) {
+        console.log(`[BackendAutoRefresh] ${user.email}: disabled by account settings`);
+        return;
+    }
+    const intervalMinutes = clampNumber(accountData.autoRefreshInterval, 5, 1, 1440);
+    const intervalMs = Math.max(BACKEND_AUTO_REFRESH_MIN_INTERVAL_MS, intervalMinutes * 60 * 1000);
+    const timer = setInterval(() => {
+        void runBackendAutoRefreshForUser(user, 'interval');
+    }, intervalMs);
+    timer.unref?.();
+    backendAutoRefreshTimers.set(user.id, timer);
+    if (runNow) {
+        const initialTimer = setTimeout(() => {
+            void runBackendAutoRefreshForUser(user, 'server-boot');
+        }, 2000);
+        initialTimer.unref?.();
+    }
+}
+async function startBackendAutoRefreshRuntimes() {
+    if (!backendAutoRefreshEnabled()) {
+        console.log('[BackendAutoRefresh] Disabled by environment');
+        return;
+    }
+    for (const user of store.getUsers()) {
+        scheduleBackendAutoRefreshForUser(user, true);
+    }
+}
+async function handleBackgroundBatch(method, args) {
+    const accounts = Array.isArray(args[0]) ? args[0] : [];
+    const concurrency = Math.max(1, Math.min(Number(args[1]) || 5, 100));
+    const syncInfo = Boolean(args[2]);
+    const isRefresh = method === 'backgroundBatchRefresh';
+    const resultChannel = isRefresh ? 'background-refresh-result' : 'background-check-result';
+    const progressChannel = isRefresh ? 'background-refresh-progress' : 'background-check-progress';
+    let completed = 0;
+    let successCount = 0;
+    let failedCount = 0;
+    for (let index = 0; index < accounts.length; index += concurrency) {
+        const batch = accounts.slice(index, index + concurrency);
+        await Promise.all(batch.map(async (account) => {
+            let payload;
+            try {
+                if (isRefresh && !syncInfo) {
+                    const refresh = await (0, kiroAccounts_1.refreshAccountToken)(account);
+                    payload = refresh.success && refresh.data
+                        ? { id: account.id, success: true, data: refresh.data }
+                        : { id: account.id, success: false, error: errorMessageFromResult(refresh) };
+                }
+                else {
+                    const allowRefresh = isRefresh && Boolean(account.needsTokenRefresh);
+                    const status = await (0, kiroAccounts_1.checkAccountStatus)(accountForStatusCheck(account, allowRefresh));
+                    payload = status?.success && status.data
+                        ? { id: account.id, success: true, data: normalizeBackgroundStatusData(status.data) }
+                        : { id: account.id, success: false, error: errorMessageFromResult(status) };
+                }
+            }
+            catch (error) {
+                payload = { id: account.id, success: false, error: error instanceof Error ? error.message : String(error) };
+            }
+            if (payload.success)
+                successCount++;
+            else
+                failedCount++;
+            emit(resultChannel, payload);
+        }));
+        completed += batch.length;
+        emit(progressChannel, { completed, total: accounts.length, success: successCount, failed: failedCount });
+        if (index + concurrency < accounts.length)
+            await new Promise((resolve) => setTimeout(resolve, 100));
+    }
+    return { success: true, completed, successCount, failedCount };
+}
+async function handleIpc(method, args, user) {
+    const settings = store.getUserSettings(user.id);
+    const proxyRuntime = (0, proxyRuntime_1.getProxyRuntime)(store, user.id, emit);
+    const kproxyRuntime = (0, kproxyRuntime_1.getKProxyRuntime)(store, user.id, emit);
+    switch (method) {
+        case 'getAppVersion':
+            return packageVersion();
+        case 'loadAccounts':
+            {
+                const accountData = (store.getAccountData(user.id) || defaultAccountData());
+                const hydrated = await (0, accountProfileHydration_1.hydrateAccountDataProfileArns)(accountData);
+                if (hydrated.changed)
+                    await store.setAccountData(user.id, hydrated.data);
+                return hydrated.data;
+            }
+        case 'saveAccounts':
+            {
+                const merged = mergeAccountData(store.getAccountData(user.id), args[0]);
+                const hydrated = await (0, accountProfileHydration_1.hydrateAccountDataProfileArns)(merged);
+                await store.setAccountData(user.id, hydrated.data);
+                scheduleBackendAutoRefreshForUser(user, false);
+            }
+            return null;
+        case 'getLocalActiveAccount':
+            return (0, localKiroCredentials_1.getLocalActiveAccount)();
+        case 'loadKiroCredentials':
+            return (0, localKiroCredentials_1.loadKiroCredentials)();
+        case 'importFromSsoToken':
+            return (0, authFlows_1.importFromSsoToken)(String(args[0] || ''), String(args[1] || 'us-east-1'));
+        case 'startBuilderIdLogin':
+            return (0, authFlows_1.startBuilderIdLogin)(String(args[0] || 'us-east-1'));
+        case 'pollBuilderIdAuth':
+            return (0, authFlows_1.pollBuilderIdAuth)(String(args[0] || 'us-east-1'));
+        case 'cancelBuilderIdLogin':
+            return (0, authFlows_1.cancelBuilderIdLogin)();
+        case 'startIamSsoLogin':
+            return (0, authFlows_1.startIamSsoLogin)(String(args[0] || ''), String(args[1] || 'us-east-1'));
+        case 'pollIamSsoAuth':
+            return (0, authFlows_1.pollIamSsoAuth)();
+        case 'completeIamSsoLogin':
+            return (0, authFlows_1.completeIamSsoLogin)(String(args[0] || ''));
+        case 'cancelIamSsoLogin':
+            return (0, authFlows_1.cancelIamSsoLogin)();
+        case 'startSocialLogin':
+            return (0, authFlows_1.startSocialLogin)(args[0]);
+        case 'exchangeSocialToken':
+            return (0, authFlows_1.exchangeSocialToken)(String(args[0] || ''), String(args[1] || ''));
+        case 'cancelSocialLogin':
+            return (0, authFlows_1.cancelSocialLogin)();
+        case 'switchAccount':
+            return (0, localKiroCredentials_1.switchAccount)(args[0]);
+        case 'switchAccountCli':
+            return (0, localKiroCredentials_1.switchAccountCli)(args[0]);
+        case 'logoutAccount':
+            return (0, localKiroCredentials_1.logoutAccount)();
+        case 'refreshAccountToken':
+            return (0, kiroAccounts_1.refreshAccountToken)(args[0]);
+        case 'verifyAccountCredentials':
+            return (0, kiroAccounts_1.verifyAccountCredentials)(args[0]);
+        case 'checkAccountStatus':
+            return (0, kiroAccounts_1.checkAccountStatus)(args[0]);
+        case 'accountGetModels':
+            return (0, accountExtras_1.accountGetModels)(args);
+        case 'accountGetSubscriptions':
+            return (0, accountExtras_1.accountGetSubscriptions)(args);
+        case 'accountGetSubscriptionUrl':
+            return (0, accountExtras_1.accountGetSubscriptionUrl)(args);
+        case 'accountSetOverage':
+            return (0, accountExtras_1.accountSetOverage)(args);
+        case 'machineIdGetOSType':
+            return (0, machineIdRuntime_1.machineIdGetOSType)();
+        case 'machineIdGenerateRandom':
+            return (0, machineIdRuntime_1.machineIdGenerateRandom)();
+        case 'machineIdCheckAdmin':
+            return (0, machineIdRuntime_1.machineIdCheckAdmin)();
+        case 'machineIdGetCurrent':
+            return (0, machineIdRuntime_1.machineIdGetCurrent)();
+        case 'machineIdSet':
+            return (0, machineIdRuntime_1.machineIdSet)(String(args[0] || ''));
+        case 'machineIdRequestAdminRestart':
+            return false;
+        case 'machineIdBackupToFile':
+            return (0, machineIdRuntime_1.machineIdBackupToFile)(String(args[0] || ''));
+        case 'machineIdRestoreFromFile':
+            return (0, machineIdRuntime_1.machineIdRestoreFromFile)();
+        case 'setProxy':
+            await store.setUserSetting(user.id, 'proxy', { enabled: args[0], url: args[1] });
+            return { success: true, normalizedUrl: args[1] };
+        case 'getUsageApiType':
+            return store.getUserSetting(user.id, 'usageApiType', 'rest');
+        case 'setUsageApiType':
+            await store.setUserSetting(user.id, 'usageApiType', args[0]);
+            return { success: true, type: args[0] };
+        case 'getUseKProxyForApi':
+            return store.getUserSetting(user.id, 'useKProxyForApi', false);
+        case 'setUseKProxyForApi':
+            await store.setUserSetting(user.id, 'useKProxyForApi', Boolean(args[0]));
+            return { success: true, enabled: Boolean(args[0]) };
+        case 'getShowWindowShortcut':
+            return store.getUserSetting(user.id, 'showWindowShortcut', 'Ctrl+Shift+K');
+        case 'setShowWindowShortcut':
+            await store.setUserSetting(user.id, 'showWindowShortcut', args[0]);
+            return { success: true };
+        case 'getTraySettings':
+            return store.getUserSetting(user.id, 'traySettings', {
+                enabled: false,
+                closeAction: 'quit',
+                showNotifications: false,
+                minimizeOnStart: false
+            });
+        case 'saveTraySettings':
+            await store.setUserSetting(user.id, 'traySettings', { ...(settings.traySettings || {}), ...(args[0] || {}) });
+            return { success: true };
+        case 'checkForUpdates':
+            return checkForUpdatesManual();
+        case 'checkForUpdatesManual':
+            return checkForUpdatesManual();
+        case 'proxyGetStatus':
+            return proxyRuntime.getStatus();
+        case 'proxyStart':
+            return proxyRuntime.start(args[0]);
+        case 'proxyStop':
+            return proxyRuntime.stop();
+        case 'proxyUpdateConfig':
+            return proxyRuntime.updateConfig(args[0]);
+        case 'proxyNeedsRestart':
+            return proxyRuntime.needsRestart();
+        case 'proxyRestart':
+            return proxyRuntime.restart();
+        case 'proxyGetLogs':
+            return proxyRuntime.getLogs(args[0]);
+        case 'proxyGetLogsCount':
+            return proxyRuntime.getLogsCount();
+        case 'proxyClearLogs':
+            return proxyRuntime.clearLogs();
+        case 'proxySaveLogs':
+            await store.setUserSetting(user.id, 'proxyLogs', args[0] || []);
+            return { success: true };
+        case 'proxyLoadLogs':
+            return { success: true, logs: store.getUserSetting(user.id, 'proxyLogs', []) };
+        case 'proxyAuditLog':
+            return proxyRuntime.auditLog();
+        case 'proxyResetCredits':
+            return proxyRuntime.resetCredits();
+        case 'proxyResetTokens':
+            return proxyRuntime.resetTokens();
+        case 'proxyResetRequestStats':
+            return proxyRuntime.resetRequestStats();
+        case 'proxyResetPool':
+            return proxyRuntime.resetPool();
+        case 'proxyClearAccountSuspended':
+            return proxyRuntime.clearAccountSuspended(String(args[0] || ''));
+        case 'proxySelfSignedCertInfo':
+            return proxyRuntime.selfSignedCertInfo();
+        case 'proxySelfSignedCertRegenerate':
+            return proxyRuntime.selfSignedCertRegenerate();
+        case 'proxyAddAccount':
+            return proxyRuntime.addAccount(args[0]);
+        case 'proxyRemoveAccount':
+            return proxyRuntime.removeAccount(String(args[0] || ''));
+        case 'proxySyncAccounts':
+            return proxyRuntime.syncAccounts(args[0]);
+        case 'proxySyncAccountsFromStore':
+            return proxyRuntime.syncAccountsFromStoreAsync();
+        case 'proxyGetAccounts':
+            return proxyRuntime.getAccounts();
+        case 'proxyRefreshModels':
+            return proxyRuntime.refreshModels();
+        case 'proxyGetModels':
+            return proxyRuntime.getModels();
+        case 'getKiroAvailableModels':
+            return proxyRuntime.getModels();
+        case 'getKiroSettings':
+            return (0, kiroSettings_1.getKiroSettings)();
+        case 'saveKiroSettings':
+            return (0, kiroSettings_1.saveKiroSettings)(args[0]);
+        case 'openKiroSettingsFile':
+            return (0, kiroSettings_1.ensureKiroSettingsFile)();
+        case 'openKiroMcpConfig':
+            return (0, kiroSettings_1.ensureMcpConfig)(args[0] || 'user');
+        case 'openKiroSteeringFolder':
+            return (0, kiroSettings_1.ensureSteeringFolder)();
+        case 'openKiroSteeringFile':
+            return (0, kiroSettings_1.readSteeringFile)(String(args[0] || ''));
+        case 'createKiroDefaultRules':
+            return (0, kiroSettings_1.createDefaultRules)();
+        case 'readKiroSteeringFile':
+            return (0, kiroSettings_1.readSteeringFile)(String(args[0] || ''));
+        case 'saveKiroSteeringFile':
+            return (0, kiroSettings_1.saveSteeringFile)(String(args[0] || ''), String(args[1] || ''));
+        case 'deleteKiroSteeringFile':
+            return (0, kiroSettings_1.deleteSteeringFile)(String(args[0] || ''));
+        case 'saveMcpServer':
+            return (0, kiroSettings_1.saveMcpServer)(String(args[0] || ''), args[1], args[2]);
+        case 'deleteMcpServer':
+            return (0, kiroSettings_1.deleteMcpServer)(String(args[0] || ''));
+        case 'proxyGetApiKeys':
+            return proxyRuntime.getApiKeys();
+        case 'proxyAddApiKey':
+            return proxyRuntime.addApiKey(args[0]);
+        case 'proxyUpdateApiKey':
+            return proxyRuntime.updateApiKey(String(args[0] || ''), args[1]);
+        case 'proxyDeleteApiKey':
+            return proxyRuntime.deleteApiKey(String(args[0] || ''));
+        case 'proxyResetApiKeyUsage':
+            return proxyRuntime.resetApiKeyUsage(String(args[0] || ''));
+        case 'proxyConfigureClients':
+            return proxyRuntime.configureClients(args[0]);
+        case 'proxyPoolValidate':
+            return (0, diagnostics_1.proxyPoolValidate)(args[0]);
+        case 'networkRouteValidate':
+            return (0, diagnostics_1.networkRouteValidate)(args[0]);
+        case 'proxyPoolDiagnoseChain':
+            return (0, diagnostics_1.proxyPoolDiagnoseChain)(args[0]);
+        case 'diagnoseHttpProbe':
+            return httpProbe(args[0]);
+        case 'diagnoseRun': {
+            const input = args[0];
+            const targets = input?.targets || [];
+            const results = await Promise.all(targets.map(async (target) => {
+                const result = await httpProbe({ url: target.url, timeoutMs: target.timeoutMs });
+                return {
+                    id: target.id,
+                    label: target.label,
+                    url: target.url,
+                    success: result.success && (!target.expectStatus || target.expectStatus.includes(result.status || 0)),
+                    httpStatus: result.status,
+                    latencyMs: result.latencyMs,
+                    error: result.error
+                };
+            }));
+            return { results };
+        }
+        case 'diagnoseAccountLiveness':
+            return (0, diagnostics_1.diagnoseAccountLiveness)(args[0]);
+        case 'dashboardTunnelGetStatus':
+            return dashboardTunnelRuntime.getStatus();
+        case 'dashboardTunnelStart':
+            return dashboardTunnelRuntime.start(args[0]);
+        case 'dashboardTunnelStop':
+            return dashboardTunnelRuntime.stop();
+        case 'registrationStartAuto':
+            return (0, registrationRuntime_1.registrationStartAuto)(args[0], emit);
+        case 'registrationManualPhase1':
+            return (0, registrationRuntime_1.registrationManualPhase1)(args[0], emit);
+        case 'registrationManualPhase2':
+            return (0, registrationRuntime_1.registrationManualPhase2)(String(args[0] || ''), args[1]);
+        case 'registrationManualPhase3':
+            return (0, registrationRuntime_1.registrationManualPhase3)(String(args[0] || ''));
+        case 'registrationStatus':
+            return (0, registrationRuntime_1.registrationStatus)();
+        case 'registrationCancel':
+            return (0, registrationRuntime_1.registrationCancel)(args[0]);
+        case 'protonOpenLogin':
+            return (0, registrationRuntime_1.protonOpenLogin)();
+        case 'protonLoginStatus':
+            return (0, registrationRuntime_1.protonLoginStatus)();
+        case 'protonClose':
+            return (0, registrationRuntime_1.protonClose)();
+        case 'kproxyGetStatus':
+            return kproxyRuntime.getStatus();
+        case 'kproxyGenerateDeviceId':
+            return kproxyRuntime.generateDeviceId();
+        case 'kproxyGetDeviceMappings':
+            return kproxyRuntime.getDeviceMappings();
+        case 'kproxyInit':
+            return kproxyRuntime.init();
+        case 'kproxyStart':
+            return kproxyRuntime.start(args[0]);
+        case 'kproxyStop':
+            return kproxyRuntime.stop();
+        case 'kproxyUpdateConfig':
+            return kproxyRuntime.updateConfig(args[0]);
+        case 'kproxySetDeviceId':
+            return kproxyRuntime.setDeviceId(String(args[0] || ''));
+        case 'kproxyAddDeviceMapping':
+            return kproxyRuntime.addDeviceMapping(args[0]);
+        case 'kproxySwitchToAccount':
+            return kproxyRuntime.switchToAccount(String(args[0] || ''));
+        case 'kproxyGetCaCert':
+            return kproxyRuntime.getCaCert();
+        case 'kproxyExportCaCert':
+            return kproxyRuntime.exportCaCert(args[0]);
+        case 'kproxyCheckCaCertInstalled':
+            return kproxyRuntime.checkCaCertInstalled();
+        case 'kproxyInstallCaCert':
+            return kproxyRuntime.installCaCert();
+        case 'kproxyUninstallCaCert':
+            return kproxyRuntime.uninstallCaCert();
+        case 'kproxyResetStats':
+            return kproxyRuntime.resetStats();
+        case 'accountSetProxyBinding': {
+            const [accountId, proxyUrl] = args;
+            const accountData = (store.getAccountData(user.id) || defaultAccountData());
+            accountData.accountProxyBindings = { ...(accountData.accountProxyBindings || {}), [accountId]: proxyUrl };
+            if (!proxyUrl)
+                delete accountData.accountProxyBindings[accountId];
+            await store.setAccountData(user.id, accountData);
+            return { success: true };
+        }
+        case 'backgroundBatchRefresh':
+        case 'backgroundBatchCheck':
+            return handleBackgroundBatch(method, args);
+        default:
+            return unsupported(method);
+    }
+}
+async function handleAuth(request, response, pathname) {
+    if (pathname === '/api/auth/social/callback' && request.method === 'GET') {
+        const callbackUrl = new URL(request.url || '/', `http://${request.headers.host || 'localhost'}`);
+        const result = (0, authFlows_1.handleSocialCallback)(callbackUrl, emit);
+        (0, authFlows_1.sendAuthHtml)(response, result.title, result.body);
+        return;
+    }
+    if (pathname === '/api/auth/iam-sso/callback' && request.method === 'GET') {
+        const callbackUrl = new URL(request.url || '/', `http://${request.headers.host || 'localhost'}`);
+        const result = await (0, authFlows_1.handleIamSsoCallback)(callbackUrl);
+        (0, authFlows_1.sendAuthHtml)(response, result.title, result.body);
+        return;
+    }
+    if (pathname === '/api/auth/session' && request.method === 'GET') {
+        const user = getUser(request);
+        sendJson(response, 200, user
+            ? { authenticated: true, setupRequired: false, user: publicUser(user) }
+            : { authenticated: false, setupRequired: store.isSetupRequired() });
+        return;
+    }
+    if (pathname === '/api/auth/setup/status' && request.method === 'GET') {
+        sendJson(response, 200, { setupRequired: store.isSetupRequired() });
+        return;
+    }
+    if (pathname === '/api/auth/setup' && request.method === 'POST') {
+        if (!store.isSetupRequired()) {
+            sendJson(response, 409, { error: 'Krouter is already set up' });
+            return;
+        }
+        const body = await readJson(request);
+        const mode = String(body?.mode || '').trim();
+        const generatedPassword = mode === 'random' ? store_1.WebStore.generateAdminPassword() : undefined;
+        const password = generatedPassword || String(body?.password || '');
+        if (mode !== 'random' && mode !== 'custom') {
+            sendJson(response, 400, { error: 'Choose random or custom password setup' });
+            return;
+        }
+        try {
+            const user = await store.createInitialAdmin({
+                email: String(body?.email || '').trim() || undefined,
+                password
+            });
+            const session = await store.createSession(user.id);
+            scheduleBackendAutoRefreshForUser(user, false);
+            response.setHeader('Set-Cookie', sessionCookie(session.id, session.expiresAt));
+            sendJson(response, 200, {
+                authenticated: true,
+                setupRequired: false,
+                user: publicUser(user),
+                generatedPassword
+            });
+        }
+        catch (error) {
+            sendJson(response, 400, { error: error instanceof Error ? error.message : String(error) });
+        }
+        return;
+    }
+    if (pathname === '/api/auth/login' && request.method === 'POST') {
+        if (store.isSetupRequired()) {
+            sendJson(response, 428, { error: 'Krouter setup is required first', setupRequired: true });
+            return;
+        }
+        const body = await readJson(request);
+        const email = String(body?.email || '').trim();
+        const user = email
+            ? store.findUserByEmail(email)
+            : store.getUsers().find(item => item.role === 'admin') || store.getUsers()[0];
+        if (!user || !(0, store_1.verifyPassword)(String(body?.password || ''), user)) {
+            sendJson(response, 401, { error: email ? 'Invalid email or password' : 'Invalid password' });
+            return;
+        }
+        const session = await store.createSession(user.id);
+        response.setHeader('Set-Cookie', sessionCookie(session.id, session.expiresAt));
+        sendJson(response, 200, { authenticated: true, user: publicUser(user) });
+        return;
+    }
+    if (pathname === '/api/auth/logout' && request.method === 'POST') {
+        const cookies = parseCookies(request);
+        await store.deleteSession(cookies[SESSION_COOKIE_NAME] || cookies[LEGACY_SESSION_COOKIE_NAME]);
+        response.setHeader('Set-Cookie', [clearCookie(SESSION_COOKIE_NAME), clearCookie(LEGACY_SESSION_COOKIE_NAME)]);
+        sendJson(response, 200, { success: true });
+        return;
+    }
+    sendJson(response, 404, { error: 'Not found' });
+}
+function protonLoginPageHtml() {
+    return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Proton Login</title>
+  <style>
+    :root { color-scheme: dark; font-family: Inter, ui-sans-serif, system-ui, -apple-system, Segoe UI, sans-serif; }
+    body { margin: 0; min-height: 100vh; background: #111827; color: #e5e7eb; }
+    .bar { position: sticky; top: 0; z-index: 2; display: flex; flex-wrap: wrap; gap: 8px; align-items: center; padding: 10px; background: #0f172a; border-bottom: 1px solid #334155; }
+    button, input { height: 34px; border-radius: 6px; border: 1px solid #475569; background: #1e293b; color: #f8fafc; font: inherit; }
+    button { padding: 0 12px; cursor: pointer; }
+    button:hover { background: #334155; }
+    input { min-width: 220px; padding: 0 10px; }
+    .status { flex: 1 1 320px; min-width: 260px; color: #cbd5e1; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
+    .wrap { padding: 12px; }
+    .screen { display: block; max-width: 100%; height: auto; margin: 0 auto; border: 1px solid #334155; background: #020617; cursor: crosshair; }
+    .hint { padding: 8px 12px 0; color: #94a3b8; font-size: 13px; }
+    .error { color: #fca5a5; }
+  </style>
+</head>
+<body>
+  <div class="bar">
+    <button id="refresh">Refresh</button>
+    <button id="inbox">Inbox</button>
+    <button id="statusBtn">Check</button>
+    <input id="text" autocomplete="off" placeholder="Text for focused field">
+    <button id="typeBtn">Type</button>
+    <button data-key="Tab">Tab</button>
+    <button data-key="Enter">Enter</button>
+    <button data-key="Backspace">Backspace</button>
+    <button data-key="Escape">Esc</button>
+    <button id="closeBtn">Close Browser</button>
+    <span class="status" id="status">Starting Proton browser...</span>
+  </div>
+  <div class="hint">Click the screenshot to interact with the server browser. Use the text box to type into the currently focused Proton field.</div>
+  <div class="wrap"><img id="screen" class="screen" alt="Proton browser screenshot"></div>
+  <script>
+    const screen = document.getElementById("screen");
+    const statusEl = document.getElementById("status");
+    const textInput = document.getElementById("text");
+    let lastWidth = 1280;
+    let lastHeight = 900;
+    let busy = false;
+
+    function setStatus(text, isError) {
+      statusEl.textContent = text;
+      statusEl.className = isError ? "status error" : "status";
+    }
+
+    async function api(path, body) {
+      const init = body === undefined
+        ? { credentials: "include" }
+        : { method: "POST", credentials: "include", headers: { "Content-Type": "application/json" }, body: JSON.stringify(body) };
+      const response = await fetch(path, init);
+      const data = await response.json();
+      if (!response.ok || data.success === false) throw new Error(data.error || response.statusText);
+      return data;
+    }
+
+    async function refresh() {
+      if (busy) return;
+      busy = true;
+      try {
+        setStatus("Refreshing screenshot...", false);
+        const width = Math.max(900, Math.min(1280, Math.floor(window.innerWidth - 32)));
+        const data = await api("/api/proton/screenshot?width=" + width + "&height=900");
+        lastWidth = data.width || lastWidth;
+        lastHeight = data.height || lastHeight;
+        screen.src = data.dataUrl;
+        setStatus((data.loggedIn ? "Logged in" : "Not logged in") + " - " + (data.url || ""), false);
+      } catch (error) {
+        setStatus(error.message || String(error), true);
+      } finally {
+        busy = false;
+      }
+    }
+
+    async function sendAction(path, body, delayMs) {
+      try {
+        await api(path, body);
+        setTimeout(refresh, delayMs || 350);
+      } catch (error) {
+        setStatus(error.message || String(error), true);
+      }
+    }
+
+    screen.addEventListener("click", (event) => {
+      const rect = screen.getBoundingClientRect();
+      const x = (event.clientX - rect.left) * lastWidth / rect.width;
+      const y = (event.clientY - rect.top) * lastHeight / rect.height;
+      sendAction("/api/proton/click", { x, y });
+    });
+
+    screen.addEventListener("wheel", (event) => {
+      event.preventDefault();
+      const rect = screen.getBoundingClientRect();
+      const x = (event.clientX - rect.left) * lastWidth / rect.width;
+      const y = (event.clientY - rect.top) * lastHeight / rect.height;
+      sendAction("/api/proton/scroll", { x, y, deltaY: event.deltaY }, 200);
+    }, { passive: false });
+
+    document.getElementById("refresh").onclick = refresh;
+    document.getElementById("inbox").onclick = () => sendAction("/api/proton/navigate", {});
+    document.getElementById("statusBtn").onclick = async () => {
+      try {
+        const data = await api("/api/proton/status");
+        setStatus((data.loggedIn ? "Logged in" : "Not logged in") + " - " + (data.url || ""), false);
+      } catch (error) {
+        setStatus(error.message || String(error), true);
+      }
+    };
+    document.getElementById("typeBtn").onclick = () => {
+      const text = textInput.value;
+      textInput.value = "";
+      sendAction("/api/proton/type", { text });
+    };
+    document.querySelectorAll("[data-key]").forEach((button) => {
+      button.onclick = () => sendAction("/api/proton/key", { key: button.getAttribute("data-key") });
+    });
+    document.getElementById("closeBtn").onclick = () => sendAction("/api/proton/close", {}, 0);
+    window.addEventListener("resize", () => setTimeout(refresh, 250));
+    refresh();
+  </script>
+</body>
+</html>`;
+}
+async function handleProtonRemote(request, response, pathname, url) {
+    if (pathname === '/api/proton/status' && request.method === 'GET') {
+        sendJson(response, 200, await (0, registrationRuntime_1.protonLoginStatus)());
+        return;
+    }
+    if (pathname === '/api/proton/screenshot' && request.method === 'GET') {
+        sendJson(response, 200, await (0, protonBrowserRuntime_1.captureProtonScreenshot)(Number(url.searchParams.get('width') || 0), Number(url.searchParams.get('height') || 0)));
+        return;
+    }
+    if (pathname === '/api/proton/click' && request.method === 'POST') {
+        const body = await readJson(request);
+        sendJson(response, 200, await (0, protonBrowserRuntime_1.clickProtonPage)(Number(body?.x || 0), Number(body?.y || 0)));
+        return;
+    }
+    if (pathname === '/api/proton/type' && request.method === 'POST') {
+        const body = await readJson(request);
+        sendJson(response, 200, await (0, protonBrowserRuntime_1.typeProtonText)(String(body?.text || '')));
+        return;
+    }
+    if (pathname === '/api/proton/key' && request.method === 'POST') {
+        const body = await readJson(request);
+        sendJson(response, 200, await (0, protonBrowserRuntime_1.pressProtonKey)(String(body?.key || 'Enter')));
+        return;
+    }
+    if (pathname === '/api/proton/scroll' && request.method === 'POST') {
+        const body = await readJson(request);
+        sendJson(response, 200, await (0, protonBrowserRuntime_1.scrollProtonPage)(Number(body?.deltaY || 0), Number(body?.x || 0), Number(body?.y || 0)));
+        return;
+    }
+    if (pathname === '/api/proton/navigate' && request.method === 'POST') {
+        const body = await readJson(request);
+        sendJson(response, 200, await (0, protonBrowserRuntime_1.navigateProton)(String(body?.url || '')));
+        return;
+    }
+    if (pathname === '/api/proton/close' && request.method === 'POST') {
+        sendJson(response, 200, await (0, registrationRuntime_1.protonClose)());
+        return;
+    }
+    sendJson(response, 404, { error: 'Not found' });
+}
+async function serveStatic(response, pathname) {
+    const dist = path_1.default.join(process.cwd(), 'dist-web');
+    const requested = pathname === '/' ? '/index.html' : pathname;
+    const filePath = path_1.default.normalize(path_1.default.join(dist, requested));
+    if (!filePath.startsWith(dist)) {
+        response.writeHead(403);
+        response.end();
+        return;
+    }
+    try {
+        const data = await fs_1.promises.readFile(filePath);
+        const ext = path_1.default.extname(filePath);
+        const contentType = ext === '.html' ? 'text/html; charset=utf-8'
+            : ext === '.js' ? 'text/javascript; charset=utf-8'
+                : ext === '.css' ? 'text/css; charset=utf-8'
+                    : ext === '.svg' ? 'image/svg+xml'
+                        : ext === '.png' ? 'image/png'
+                            : 'application/octet-stream';
+        response.writeHead(200, { 'Content-Type': contentType });
+        response.end(data);
+    }
+    catch {
+        const indexPath = path_1.default.join(dist, 'index.html');
+        try {
+            response.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+            response.end(await fs_1.promises.readFile(indexPath));
+        }
+        catch {
+            sendJson(response, 404, { error: 'Web build not found. Run npm run build:web first.' });
+        }
+    }
+}
+async function route(request, response) {
+    const url = new URL(request.url || '/', `http://${request.headers.host || 'localhost'}`);
+    if (url.pathname === '/healthz') {
+        sendJson(response, 200, {
+            ok: true,
+            version: packageVersion(),
+            mode: serveStaticAssets ? 'fullstack' : 'backend-cli',
+            static: serveStaticAssets
+        });
+        return;
+    }
+    if (url.pathname.startsWith('/api/auth/')) {
+        await handleAuth(request, response, url.pathname);
+        return;
+    }
+    if (url.pathname === '/proton-login' && request.method === 'GET') {
+        const user = getUser(request);
+        if (!user) {
+            sendHtml(response, 401, '<!doctype html><title>Unauthorized</title><body>Unauthorized</body>');
+            return;
+        }
+        sendHtml(response, 200, protonLoginPageHtml());
+        return;
+    }
+    if (url.pathname === '/api/events') {
+        const user = getUser(request);
+        if (!user) {
+            sendJson(response, 401, { error: 'Unauthorized' });
+            return;
+        }
+        response.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-store',
+            Connection: 'keep-alive'
+        });
+        response.write('data: {"channel":"connected","args":[]}\n\n');
+        sseClients.add(response);
+        request.on('close', () => sseClients.delete(response));
+        return;
+    }
+    if (url.pathname === '/api/ipc' && request.method === 'POST') {
+        const user = getUser(request);
+        if (!user) {
+            sendJson(response, 401, { error: 'Unauthorized' });
+            return;
+        }
+        const body = await readJson(request);
+        const method = String(body?.method || '');
+        const args = Array.isArray(body?.args) ? body.args : [];
+        const result = await handleIpc(method, args, user);
+        sendJson(response, 200, result);
+        return;
+    }
+    if (url.pathname.startsWith('/api/proton/')) {
+        const user = getUser(request);
+        if (!user) {
+            sendJson(response, 401, { error: 'Unauthorized' });
+            return;
+        }
+        await handleProtonRemote(request, response, url.pathname, url);
+        return;
+    }
+    if (url.pathname.startsWith('/api/')) {
+        sendJson(response, 404, { error: 'Not found' });
+        return;
+    }
+    if (serveStaticAssets) {
+        await serveStatic(response, url.pathname);
+        return;
+    }
+    sendJson(response, 404, {
+        error: 'Frontend static serving is disabled because this process is running in backend CLI mode.'
+    });
+}
+async function main() {
+    await store.load();
+    void startAutoProxyRuntimes();
+    void startBackendAutoRefreshRuntimes();
+    const port = Number(process.env.PORT || 4010);
+    const host = process.env.HOST || '127.0.0.1';
+    const server = http_1.default.createServer((request, response) => {
+        route(request, response).catch((error) => {
+            console.error('[Server] Request failed:', error);
+            sendJson(response, 500, { error: error instanceof Error ? error.message : 'Internal server error' });
+        });
+    });
+    server.listen(port, host, () => {
+        const mode = serveStaticAssets ? 'fullstack web/API' : 'backend CLI API';
+        void startDashboardTunnelIfConfigured();
+        console.log(`[Server] Krouter ${mode} đang chạy tại http://${host}:${port}`);
+    });
+}
+void main();