@llui/agent 0.0.29

package/dist/server/lap/forward.js

@@ -0,0 +1,68 @@
+import { verifyAndReadTid } from './describe.js';
+/**
+ * Generic LAP handler. `parseArgs` is called with the parsed body (may be
+ * null for empty bodies); it returns the args object to forward or null
+ * to reject as invalid. `tool` is the browser-side tool name.
+ */
+export function makeForwardHandler(tool, parseArgs, auditDetail = () => ({})) {
+    return async (req, deps) => {
+        const auth = verifyAndReadTid(req, deps.signingKey);
+        if (!auth.ok)
+            return json({ error: { code: auth.code } }, auth.status);
+        const rec = await deps.tokenStore.findByTid(auth.tid);
+        if (!rec || rec.status === 'revoked')
+            return json({ error: { code: 'revoked' } }, 403);
+        if (!deps.registry.isPaired(auth.tid))
+            return json({ error: { code: 'paused' } }, 503);
+        const rlCheck = await deps.rateLimiter.check(auth.tid, 'token');
+        if (!rlCheck.allowed) {
+            return json({ error: { code: 'rate-limited', retryAfterMs: rlCheck.retryAfterMs } }, 429);
+        }
+        const rawBody = req.method === 'POST' ? await req.json().catch(() => null) : null;
+        const args = parseArgs(rawBody);
+        if (args === null)
+            return json({ error: { code: 'invalid' } }, 400);
+        try {
+            const result = await deps.registry.rpc(auth.tid, tool, args);
+            const nowMs = (deps.now ?? (() => Date.now()))();
+            await deps.tokenStore.touch(auth.tid, nowMs);
+            await deps.auditSink.write({
+                at: nowMs,
+                tid: auth.tid,
+                uid: rec.uid,
+                event: 'lap-call',
+                detail: { tool, ...auditDetail(auth.tid, args) },
+            });
+            return json(result, 200);
+        }
+        catch (e) {
+            const err = e;
+            const code = err.code ?? 'internal';
+            const status = code === 'paused' ? 503 : code === 'timeout' ? 504 : 500;
+            return json({ error: { code, detail: err.detail } }, status);
+        }
+    };
+}
+function json(b, s) {
+    return new Response(JSON.stringify(b), {
+        status: s,
+        headers: { 'content-type': 'application/json' },
+    });
+}
+// Concrete handlers:
+export const handleLapState = makeForwardHandler('get_state', (body) => {
+    const b = (body ?? {});
+    if (b.path !== undefined && typeof b.path !== 'string')
+        return null;
+    return { path: b.path };
+});
+export const handleLapActions = makeForwardHandler('list_actions', () => ({}));
+export const handleLapQueryDom = makeForwardHandler('query_dom', (body) => {
+    const b = (body ?? {});
+    if (typeof b.name !== 'string')
+        return null;
+    return { name: b.name, multiple: !!b.multiple };
+});
+export const handleLapDescribeVisible = makeForwardHandler('describe_visible_content', () => ({}));
+export const handleLapContext = makeForwardHandler('describe_context', () => ({}));
+//# sourceMappingURL=forward.js.map

package/dist/server/lap/forward.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"forward.js","sourceRoot":"","sources":["../../../src/server/lap/forward.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AAWhD;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAAY,EACZ,SAA2C,EAC3C,cAAsE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;IAEhF,OAAO,KAAK,EAAE,GAAY,EAAE,IAAiB,EAAqB,EAAE;QAClE,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;QACnD,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;QAEtE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACrD,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;QACtF,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;QAEtF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC/D,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;QAC3F,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QACjF,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;QAC/B,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;QAEnE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,CAAA;YAC5D,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAA;YAChD,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YAC5C,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;gBACzB,EAAE,EAAE,KAAK;gBACT,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,KAAK,EAAE,UAAU;gBACjB,MAAM,EAAE,EAAE,IAAI,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE;aACjD,CAAC,CAAA;YACF,OAAO,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QAC1B,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,CAAuC,CAAA;YACnD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,UAAU,CAAA;YACnC,MAAM,MAAM,GAAG,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAA;YACvE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;QAC9D,CAAC;IACH,CAAC,CAAA;AACH,CAAC;AAED,SAAS,IAAI,CAAC,CAAU,EAAE,CAAS;IACjC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;QACrC,MAAM,EAAE,CAAC;QACT,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAA;AACJ,CAAC;AAED,qBAAqB;AACrB,MAAM,CAAC,MAAM,cAAc,GAAG,kBAAkB,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,EAAE;IACrE,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAuB,CAAA;IAC5C,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAA;IACnE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;AACzB,CAAC,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;AAE9E,MAAM,CAAC,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,EAAE;IACxE,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAA2C,CAAA;IAChE,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAA;IAC3C,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAA;AACjD,CAAC,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,wBAAwB,GAAG,kBAAkB,CAAC,0BAA0B,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;AAElG,MAAM,CAAC,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,kBAAkB,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA","sourcesContent":["import type { TokenStore } from '../token-store.js'\nimport type { WsPairingRegistry } from '../ws/pairing-registry.js'\nimport type { AuditSink } from '../audit.js'\nimport type { RateLimiter } from '../rate-limit.js'\nimport { verifyAndReadTid } from './describe.js'\n\nexport type ForwardDeps = {\n  signingKey: string | Uint8Array\n  tokenStore: TokenStore\n  registry: WsPairingRegistry\n  auditSink: AuditSink\n  rateLimiter: RateLimiter\n  now?: () => number\n}\n\n/**\n * Generic LAP handler. `parseArgs` is called with the parsed body (may be\n * null for empty bodies); it returns the args object to forward or null\n * to reject as invalid. `tool` is the browser-side tool name.\n */\nexport function makeForwardHandler(\n  tool: string,\n  parseArgs: (body: unknown) => object | null,\n  auditDetail: (tid: string, args: object) => Record<string, unknown> = () => ({}),\n) {\n  return async (req: Request, deps: ForwardDeps): Promise<Response> => {\n    const auth = verifyAndReadTid(req, deps.signingKey)\n    if (!auth.ok) return json({ error: { code: auth.code } }, auth.status)\n\n    const rec = await deps.tokenStore.findByTid(auth.tid)\n    if (!rec || rec.status === 'revoked') return json({ error: { code: 'revoked' } }, 403)\n    if (!deps.registry.isPaired(auth.tid)) return json({ error: { code: 'paused' } }, 503)\n\n    const rlCheck = await deps.rateLimiter.check(auth.tid, 'token')\n    if (!rlCheck.allowed) {\n      return json({ error: { code: 'rate-limited', retryAfterMs: rlCheck.retryAfterMs } }, 429)\n    }\n\n    const rawBody = req.method === 'POST' ? await req.json().catch(() => null) : null\n    const args = parseArgs(rawBody)\n    if (args === null) return json({ error: { code: 'invalid' } }, 400)\n\n    try {\n      const result = await deps.registry.rpc(auth.tid, tool, args)\n      const nowMs = (deps.now ?? (() => Date.now()))()\n      await deps.tokenStore.touch(auth.tid, nowMs)\n      await deps.auditSink.write({\n        at: nowMs,\n        tid: auth.tid,\n        uid: rec.uid,\n        event: 'lap-call',\n        detail: { tool, ...auditDetail(auth.tid, args) },\n      })\n      return json(result, 200)\n    } catch (e: unknown) {\n      const err = e as { code?: string; detail?: string }\n      const code = err.code ?? 'internal'\n      const status = code === 'paused' ? 503 : code === 'timeout' ? 504 : 500\n      return json({ error: { code, detail: err.detail } }, status)\n    }\n  }\n}\n\nfunction json(b: unknown, s: number): Response {\n  return new Response(JSON.stringify(b), {\n    status: s,\n    headers: { 'content-type': 'application/json' },\n  })\n}\n\n// Concrete handlers:\nexport const handleLapState = makeForwardHandler('get_state', (body) => {\n  const b = (body ?? {}) as { path?: unknown }\n  if (b.path !== undefined && typeof b.path !== 'string') return null\n  return { path: b.path }\n})\n\nexport const handleLapActions = makeForwardHandler('list_actions', () => ({}))\n\nexport const handleLapQueryDom = makeForwardHandler('query_dom', (body) => {\n  const b = (body ?? {}) as { name?: unknown; multiple?: unknown }\n  if (typeof b.name !== 'string') return null\n  return { name: b.name, multiple: !!b.multiple }\n})\n\nexport const handleLapDescribeVisible = makeForwardHandler('describe_visible_content', () => ({}))\n\nexport const handleLapContext = makeForwardHandler('describe_context', () => ({}))\n"]}

package/dist/server/lap/message.d.ts

@@ -0,0 +1,14 @@
+import type { TokenStore } from '../token-store.js';
+import type { WsPairingRegistry } from '../ws/pairing-registry.js';
+import type { AuditSink } from '../audit.js';
+import type { RateLimiter } from '../rate-limit.js';
+export type LapMessageDeps = {
+    signingKey: string | Uint8Array;
+    tokenStore: TokenStore;
+    registry: WsPairingRegistry;
+    auditSink: AuditSink;
+    rateLimiter: RateLimiter;
+    now?: () => number;
+};
+export declare function handleLapMessage(req: Request, deps: LapMessageDeps): Promise<Response>;
+//# sourceMappingURL=message.d.ts.map

package/dist/server/lap/message.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"message.d.ts","sourceRoot":"","sources":["../../../src/server/lap/message.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAClE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAC5C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAA;AAInD,MAAM,MAAM,cAAc,GAAG;IAC3B,UAAU,EAAE,MAAM,GAAG,UAAU,CAAA;IAC/B,UAAU,EAAE,UAAU,CAAA;IACtB,QAAQ,EAAE,iBAAiB,CAAA;IAC3B,SAAS,EAAE,SAAS,CAAA;IACpB,WAAW,EAAE,WAAW,CAAA;IACxB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAA;CACnB,CAAA;AAED,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,CAwG5F"}

package/dist/server/lap/message.js

@@ -0,0 +1,97 @@
+import { verifyAndReadTid } from './describe.js';
+export async function handleLapMessage(req, deps) {
+    const auth = verifyAndReadTid(req, deps.signingKey);
+    if (!auth.ok)
+        return json({ error: { code: auth.code } }, auth.status);
+    const rec = await deps.tokenStore.findByTid(auth.tid);
+    if (!rec || rec.status === 'revoked')
+        return json({ error: { code: 'revoked' } }, 403);
+    if (!deps.registry.isPaired(auth.tid))
+        return json({ error: { code: 'paused' } }, 503);
+    const rlCheck = await deps.rateLimiter.check(auth.tid, 'token');
+    if (!rlCheck.allowed) {
+        return json({ error: { code: 'rate-limited', retryAfterMs: rlCheck.retryAfterMs } }, 429);
+    }
+    const body = (await req.json().catch(() => null));
+    if (!body || !body.msg || typeof body.msg.type !== 'string') {
+        return json({ error: { code: 'invalid' } }, 400);
+    }
+    const timeoutMs = body.timeoutMs ?? 15_000;
+    let initial;
+    try {
+        initial = (await deps.registry.rpc(auth.tid, 'send_message', body, {
+            timeoutMs,
+        }));
+    }
+    catch (e) {
+        const err = e;
+        const status = err.code === 'paused' ? 503 : err.code === 'timeout' ? 504 : 500;
+        // Build a detail string that surfaces whatever info we have — the rpc-error
+        // frame from the browser sometimes lacks `detail` (e.g., when a JS TypeError
+        // bubbles out of the handler). Falling back to the code + any Error-like
+        // fields gives Claude something actionable instead of an opaque 500.
+        const detail = err.detail ??
+            (e instanceof Error ? `${e.name}: ${e.message}` : undefined) ??
+            (err.code ? `rpc rejected with code '${err.code}'` : 'rpc rejected without a code');
+        // Mirror to the server console so operators see the real cause even when
+        // the client just shows "internal".
+        console.error(`[llui-agent] /lap/v1/message 500 — code=${err.code ?? 'internal'}, detail=${detail}`);
+        return json({ error: { code: err.code ?? 'internal', detail } }, status);
+    }
+    const nowMs = (deps.now ?? (() => Date.now()))();
+    await deps.tokenStore.touch(auth.tid, nowMs);
+    if (initial.status === 'dispatched' ||
+        initial.status === 'confirmed' ||
+        initial.status === 'rejected') {
+        await deps.auditSink.write({
+            at: nowMs,
+            tid: auth.tid,
+            uid: rec.uid,
+            event: initial.status === 'rejected' ? 'msg-blocked' : 'msg-dispatched',
+            detail: { variant: body.msg.type, status: initial.status },
+        });
+        return json(initial, 200);
+    }
+    if (initial.status === 'pending-confirmation') {
+        await deps.auditSink.write({
+            at: nowMs,
+            tid: auth.tid,
+            uid: rec.uid,
+            event: 'confirm-proposed',
+            detail: { variant: body.msg.type, confirmId: initial.confirmId },
+        });
+        const resolved = await deps.registry.waitForConfirm(auth.tid, initial.confirmId, timeoutMs);
+        const nowMs2 = (deps.now ?? (() => Date.now()))();
+        if (resolved.outcome === 'confirmed') {
+            await deps.auditSink.write({
+                at: nowMs2,
+                tid: auth.tid,
+                uid: rec.uid,
+                event: 'confirm-approved',
+                detail: { variant: body.msg.type, confirmId: initial.confirmId },
+            });
+            return json({ status: 'confirmed', stateAfter: resolved.stateAfter }, 200);
+        }
+        await deps.auditSink.write({
+            at: nowMs2,
+            tid: auth.tid,
+            uid: rec.uid,
+            event: 'confirm-rejected',
+            detail: { variant: body.msg.type, confirmId: initial.confirmId },
+        });
+        return json({ status: 'rejected', reason: 'user-cancelled' }, 200);
+    }
+    return json({
+        error: {
+            code: 'internal',
+            detail: `unexpected browser status: ${String(initial.status ?? 'undefined')}`,
+        },
+    }, 500);
+}
+function json(b, s) {
+    return new Response(JSON.stringify(b), {
+        status: s,
+        headers: { 'content-type': 'application/json' },
+    });
+}
+//# sourceMappingURL=message.js.map

package/dist/server/lap/message.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"message.js","sourceRoot":"","sources":["../../../src/server/lap/message.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AAYhD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,GAAY,EAAE,IAAoB;IACvE,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IACnD,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;IAEtE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACrD,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IACtF,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAEtF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IAC/D,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAC3F,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAA6B,CAAA;IAC7E,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC5D,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAClD,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAA;IAE1C,IAAI,OAA2B,CAAA;IAC/B,IAAI,CAAC;QACH,OAAO,GAAG,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE;YACjE,SAAS;SACV,CAAC,CAAuB,CAAA;IAC3B,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,MAAM,GAAG,GAAG,CAAuC,CAAA;QACnD,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAA;QAC/E,4EAA4E;QAC5E,6EAA6E;QAC7E,yEAAyE;QACzE,qEAAqE;QACrE,MAAM,MAAM,GACV,GAAG,CAAC,MAAM;YACV,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,2BAA2B,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAA;QACrF,yEAAyE;QACzE,oCAAoC;QACpC,OAAO,CAAC,KAAK,CACX,2CAA2C,GAAG,CAAC,IAAI,IAAI,UAAU,YAAY,MAAM,EAAE,CACtF,CAAA;QACD,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,CAAA;IAC1E,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAA;IAChD,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IAE5C,IACE,OAAO,CAAC,MAAM,KAAK,YAAY;QAC/B,OAAO,CAAC,MAAM,KAAK,WAAW;QAC9B,OAAO,CAAC,MAAM,KAAK,UAAU,EAC7B,CAAC;QACD,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;YACzB,EAAE,EAAE,KAAK;YACT,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,KAAK,EAAE,OAAO,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,gBAAgB;YACvE,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE;SAC3D,CAAC,CAAA;QACF,OAAO,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;IAC3B,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,sBAAsB,EAAE,CAAC;QAC9C,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;YACzB,EAAE,EAAE,KAAK;YACT,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,KAAK,EAAE,kBAAkB;YACzB,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE;SACjE,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;QAC3F,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAA;QACjD,IAAI,QAAQ,CAAC,OAAO,KAAK,WAAW,EAAE,CAAC;YACrC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;gBACzB,EAAE,EAAE,MAAM;gBACV,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,KAAK,EAAE,kBAAkB;gBACzB,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE;aACjE,CAAC,CAAA;YACF,OAAO,IAAI,CACT,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,EAA+B,EACrF,GAAG,CACJ,CAAA;QACH,CAAC;QACD,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;YACzB,EAAE,EAAE,MAAM;YACV,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,KAAK,EAAE,kBAAkB;YACzB,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE;SACjE,CAAC,CAAA;QACF,OAAO,IAAI,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,gBAAgB,EAA+B,EAAE,GAAG,CAAC,CAAA;IACjG,CAAC;IAED,OAAO,IAAI,CACT;QACE,KAAK,EAAE;YACL,IAAI,EAAE,UAAU;YAChB,MAAM,EAAE,8BAA8B,MAAM,CAAE,OAAgC,CAAC,MAAM,IAAI,WAAW,CAAC,EAAE;SACxG;KACF,EACD,GAAG,CACJ,CAAA;AACH,CAAC;AAED,SAAS,IAAI,CAAC,CAAU,EAAE,CAAS;IACjC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;QACrC,MAAM,EAAE,CAAC;QACT,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAA;AACJ,CAAC","sourcesContent":["import type { TokenStore } from '../token-store.js'\nimport type { WsPairingRegistry } from '../ws/pairing-registry.js'\nimport type { AuditSink } from '../audit.js'\nimport type { RateLimiter } from '../rate-limit.js'\nimport { verifyAndReadTid } from './describe.js'\nimport type { LapMessageRequest, LapMessageResponse } from '../../protocol.js'\n\nexport type LapMessageDeps = {\n  signingKey: string | Uint8Array\n  tokenStore: TokenStore\n  registry: WsPairingRegistry\n  auditSink: AuditSink\n  rateLimiter: RateLimiter\n  now?: () => number\n}\n\nexport async function handleLapMessage(req: Request, deps: LapMessageDeps): Promise<Response> {\n  const auth = verifyAndReadTid(req, deps.signingKey)\n  if (!auth.ok) return json({ error: { code: auth.code } }, auth.status)\n\n  const rec = await deps.tokenStore.findByTid(auth.tid)\n  if (!rec || rec.status === 'revoked') return json({ error: { code: 'revoked' } }, 403)\n  if (!deps.registry.isPaired(auth.tid)) return json({ error: { code: 'paused' } }, 503)\n\n  const rlCheck = await deps.rateLimiter.check(auth.tid, 'token')\n  if (!rlCheck.allowed) {\n    return json({ error: { code: 'rate-limited', retryAfterMs: rlCheck.retryAfterMs } }, 429)\n  }\n\n  const body = (await req.json().catch(() => null)) as LapMessageRequest | null\n  if (!body || !body.msg || typeof body.msg.type !== 'string') {\n    return json({ error: { code: 'invalid' } }, 400)\n  }\n\n  const timeoutMs = body.timeoutMs ?? 15_000\n\n  let initial: LapMessageResponse\n  try {\n    initial = (await deps.registry.rpc(auth.tid, 'send_message', body, {\n      timeoutMs,\n    })) as LapMessageResponse\n  } catch (e: unknown) {\n    const err = e as { code?: string; detail?: string }\n    const status = err.code === 'paused' ? 503 : err.code === 'timeout' ? 504 : 500\n    // Build a detail string that surfaces whatever info we have — the rpc-error\n    // frame from the browser sometimes lacks `detail` (e.g., when a JS TypeError\n    // bubbles out of the handler). Falling back to the code + any Error-like\n    // fields gives Claude something actionable instead of an opaque 500.\n    const detail =\n      err.detail ??\n      (e instanceof Error ? `${e.name}: ${e.message}` : undefined) ??\n      (err.code ? `rpc rejected with code '${err.code}'` : 'rpc rejected without a code')\n    // Mirror to the server console so operators see the real cause even when\n    // the client just shows \"internal\".\n    console.error(\n      `[llui-agent] /lap/v1/message 500 — code=${err.code ?? 'internal'}, detail=${detail}`,\n    )\n    return json({ error: { code: err.code ?? 'internal', detail } }, status)\n  }\n\n  const nowMs = (deps.now ?? (() => Date.now()))()\n  await deps.tokenStore.touch(auth.tid, nowMs)\n\n  if (\n    initial.status === 'dispatched' ||\n    initial.status === 'confirmed' ||\n    initial.status === 'rejected'\n  ) {\n    await deps.auditSink.write({\n      at: nowMs,\n      tid: auth.tid,\n      uid: rec.uid,\n      event: initial.status === 'rejected' ? 'msg-blocked' : 'msg-dispatched',\n      detail: { variant: body.msg.type, status: initial.status },\n    })\n    return json(initial, 200)\n  }\n\n  if (initial.status === 'pending-confirmation') {\n    await deps.auditSink.write({\n      at: nowMs,\n      tid: auth.tid,\n      uid: rec.uid,\n      event: 'confirm-proposed',\n      detail: { variant: body.msg.type, confirmId: initial.confirmId },\n    })\n    const resolved = await deps.registry.waitForConfirm(auth.tid, initial.confirmId, timeoutMs)\n    const nowMs2 = (deps.now ?? (() => Date.now()))()\n    if (resolved.outcome === 'confirmed') {\n      await deps.auditSink.write({\n        at: nowMs2,\n        tid: auth.tid,\n        uid: rec.uid,\n        event: 'confirm-approved',\n        detail: { variant: body.msg.type, confirmId: initial.confirmId },\n      })\n      return json(\n        { status: 'confirmed', stateAfter: resolved.stateAfter } satisfies LapMessageResponse,\n        200,\n      )\n    }\n    await deps.auditSink.write({\n      at: nowMs2,\n      tid: auth.tid,\n      uid: rec.uid,\n      event: 'confirm-rejected',\n      detail: { variant: body.msg.type, confirmId: initial.confirmId },\n    })\n    return json({ status: 'rejected', reason: 'user-cancelled' } satisfies LapMessageResponse, 200)\n  }\n\n  return json(\n    {\n      error: {\n        code: 'internal',\n        detail: `unexpected browser status: ${String((initial as { status?: unknown }).status ?? 'undefined')}`,\n      },\n    },\n    500,\n  )\n}\n\nfunction json(b: unknown, s: number): Response {\n  return new Response(JSON.stringify(b), {\n    status: s,\n    headers: { 'content-type': 'application/json' },\n  })\n}\n"]}

package/dist/server/lap/router.d.ts

@@ -0,0 +1,4 @@
+import { type ForwardDeps } from './forward.js';
+export type LapRouterDeps = ForwardDeps;
+export declare function createLapRouter(deps: LapRouterDeps, basePath: string): (req: Request) => Promise<Response | null>;
+//# sourceMappingURL=router.d.ts.map

package/dist/server/lap/router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../../src/server/lap/router.ts"],"names":[],"mappings":"AACA,OAAO,EAML,KAAK,WAAW,EACjB,MAAM,cAAc,CAAA;AAKrB,MAAM,MAAM,aAAa,GAAG,WAAW,CAAA;AAEvC,wBAAgB,eAAe,CAC7B,IAAI,EAAE,aAAa,EACnB,QAAQ,EAAE,MAAM,GACf,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CA6B5C"}

package/dist/server/lap/router.js

@@ -0,0 +1,37 @@
+import { handleLapDescribe } from './describe.js';
+import { handleLapState, handleLapActions, handleLapQueryDom, handleLapDescribeVisible, handleLapContext, } from './forward.js';
+import { handleLapMessage } from './message.js';
+import { handleLapWait } from './wait.js';
+import { handleLapConfirmResult } from './confirm-result.js';
+export function createLapRouter(deps, basePath) {
+    return async (req) => {
+        const url = new URL(req.url);
+        const path = url.pathname;
+        if (!path.startsWith(basePath + '/'))
+            return null;
+        const tail = path.slice(basePath.length);
+        switch (tail) {
+            case '/describe':
+                return handleLapDescribe(req, deps);
+            case '/state':
+                return handleLapState(req, deps);
+            case '/actions':
+                return handleLapActions(req, deps);
+            case '/message':
+                return handleLapMessage(req, deps);
+            case '/confirm-result':
+                return handleLapConfirmResult(req, deps);
+            case '/wait':
+                return handleLapWait(req, deps);
+            case '/query-dom':
+                return handleLapQueryDom(req, deps);
+            case '/describe-visible':
+                return handleLapDescribeVisible(req, deps);
+            case '/context':
+                return handleLapContext(req, deps);
+            default:
+                return null;
+        }
+    };
+}
+//# sourceMappingURL=router.js.map

package/dist/server/lap/router.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.js","sourceRoot":"","sources":["../../../src/server/lap/router.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AACjD,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,wBAAwB,EACxB,gBAAgB,GAEjB,MAAM,cAAc,CAAA;AACrB,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAA;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAA;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAA;AAI5D,MAAM,UAAU,eAAe,CAC7B,IAAmB,EACnB,QAAgB;IAEhB,OAAO,KAAK,EAAE,GAAG,EAAE,EAAE;QACnB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC5B,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAA;QACzB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,GAAG,GAAG,CAAC;YAAE,OAAO,IAAI,CAAA;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QACxC,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,WAAW;gBACd,OAAO,iBAAiB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YACrC,KAAK,QAAQ;gBACX,OAAO,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YAClC,KAAK,UAAU;gBACb,OAAO,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YACpC,KAAK,UAAU;gBACb,OAAO,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YACpC,KAAK,iBAAiB;gBACpB,OAAO,sBAAsB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YAC1C,KAAK,OAAO;gBACV,OAAO,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YACjC,KAAK,YAAY;gBACf,OAAO,iBAAiB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YACrC,KAAK,mBAAmB;gBACtB,OAAO,wBAAwB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YAC5C,KAAK,UAAU;gBACb,OAAO,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YACpC;gBACE,OAAO,IAAI,CAAA;QACf,CAAC;IACH,CAAC,CAAA;AACH,CAAC","sourcesContent":["import { handleLapDescribe } from './describe.js'\nimport {\n  handleLapState,\n  handleLapActions,\n  handleLapQueryDom,\n  handleLapDescribeVisible,\n  handleLapContext,\n  type ForwardDeps,\n} from './forward.js'\nimport { handleLapMessage } from './message.js'\nimport { handleLapWait } from './wait.js'\nimport { handleLapConfirmResult } from './confirm-result.js'\n\nexport type LapRouterDeps = ForwardDeps\n\nexport function createLapRouter(\n  deps: LapRouterDeps,\n  basePath: string,\n): (req: Request) => Promise<Response | null> {\n  return async (req) => {\n    const url = new URL(req.url)\n    const path = url.pathname\n    if (!path.startsWith(basePath + '/')) return null\n    const tail = path.slice(basePath.length)\n    switch (tail) {\n      case '/describe':\n        return handleLapDescribe(req, deps)\n      case '/state':\n        return handleLapState(req, deps)\n      case '/actions':\n        return handleLapActions(req, deps)\n      case '/message':\n        return handleLapMessage(req, deps)\n      case '/confirm-result':\n        return handleLapConfirmResult(req, deps)\n      case '/wait':\n        return handleLapWait(req, deps)\n      case '/query-dom':\n        return handleLapQueryDom(req, deps)\n      case '/describe-visible':\n        return handleLapDescribeVisible(req, deps)\n      case '/context':\n        return handleLapContext(req, deps)\n      default:\n        return null\n    }\n  }\n}\n"]}

package/dist/server/lap/wait.d.ts

@@ -0,0 +1,14 @@
+import type { TokenStore } from '../token-store.js';
+import type { WsPairingRegistry } from '../ws/pairing-registry.js';
+import type { AuditSink } from '../audit.js';
+import type { RateLimiter } from '../rate-limit.js';
+export type LapWaitDeps = {
+    signingKey: string | Uint8Array;
+    tokenStore: TokenStore;
+    registry: WsPairingRegistry;
+    auditSink: AuditSink;
+    rateLimiter: RateLimiter;
+    now?: () => number;
+};
+export declare function handleLapWait(req: Request, deps: LapWaitDeps): Promise<Response>;
+//# sourceMappingURL=wait.d.ts.map

package/dist/server/lap/wait.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wait.d.ts","sourceRoot":"","sources":["../../../src/server/lap/wait.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAClE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAC5C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAA;AAInD,MAAM,MAAM,WAAW,GAAG;IACxB,UAAU,EAAE,MAAM,GAAG,UAAU,CAAA;IAC/B,UAAU,EAAE,UAAU,CAAA;IACtB,QAAQ,EAAE,iBAAiB,CAAA;IAC3B,SAAS,EAAE,SAAS,CAAA;IACpB,WAAW,EAAE,WAAW,CAAA;IACxB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAA;CACnB,CAAA;AAED,wBAAsB,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CA2BtF"}

package/dist/server/lap/wait.js

@@ -0,0 +1,35 @@
+import { verifyAndReadTid } from './describe.js';
+export async function handleLapWait(req, deps) {
+    const auth = verifyAndReadTid(req, deps.signingKey);
+    if (!auth.ok)
+        return json({ error: { code: auth.code } }, auth.status);
+    const rec = await deps.tokenStore.findByTid(auth.tid);
+    if (!rec || rec.status === 'revoked')
+        return json({ error: { code: 'revoked' } }, 403);
+    if (!deps.registry.isPaired(auth.tid))
+        return json({ error: { code: 'paused' } }, 503);
+    const rlCheck = await deps.rateLimiter.check(auth.tid, 'token');
+    if (!rlCheck.allowed) {
+        return json({ error: { code: 'rate-limited', retryAfterMs: rlCheck.retryAfterMs } }, 429);
+    }
+    const body = ((await req.json().catch(() => null)) ?? {});
+    const timeoutMs = body.timeoutMs ?? 10_000;
+    const result = await deps.registry.waitForChange(auth.tid, body.path, timeoutMs);
+    const out = result;
+    const nowMs = (deps.now ?? (() => Date.now()))();
+    await deps.auditSink.write({
+        at: nowMs,
+        tid: auth.tid,
+        uid: rec.uid,
+        event: 'lap-call',
+        detail: { path: '/lap/v1/wait', outcome: result.status },
+    });
+    return json(out, 200);
+}
+function json(b, s) {
+    return new Response(JSON.stringify(b), {
+        status: s,
+        headers: { 'content-type': 'application/json' },
+    });
+}
+//# sourceMappingURL=wait.js.map

package/dist/server/lap/wait.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wait.js","sourceRoot":"","sources":["../../../src/server/lap/wait.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AAYhD,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAY,EAAE,IAAiB;IACjE,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IACnD,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;IAEtE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACrD,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IACtF,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAEtF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IAC/D,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,EAAE,EAAE,GAAG,CAAC,CAAA;IAC3F,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAmB,CAAA;IAC3E,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAA;IAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAA;IAChF,MAAM,GAAG,GAAoB,MAAM,CAAA;IAEnC,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAA;IAChD,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QACzB,EAAE,EAAE,KAAK;QACT,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,KAAK,EAAE,UAAU;QACjB,MAAM,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE;KACzD,CAAC,CAAA;IACF,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACvB,CAAC;AAED,SAAS,IAAI,CAAC,CAAU,EAAE,CAAS;IACjC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;QACrC,MAAM,EAAE,CAAC;QACT,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAA;AACJ,CAAC","sourcesContent":["import type { TokenStore } from '../token-store.js'\nimport type { WsPairingRegistry } from '../ws/pairing-registry.js'\nimport type { AuditSink } from '../audit.js'\nimport type { RateLimiter } from '../rate-limit.js'\nimport { verifyAndReadTid } from './describe.js'\nimport type { LapWaitRequest, LapWaitResponse } from '../../protocol.js'\n\nexport type LapWaitDeps = {\n  signingKey: string | Uint8Array\n  tokenStore: TokenStore\n  registry: WsPairingRegistry\n  auditSink: AuditSink\n  rateLimiter: RateLimiter\n  now?: () => number\n}\n\nexport async function handleLapWait(req: Request, deps: LapWaitDeps): Promise<Response> {\n  const auth = verifyAndReadTid(req, deps.signingKey)\n  if (!auth.ok) return json({ error: { code: auth.code } }, auth.status)\n\n  const rec = await deps.tokenStore.findByTid(auth.tid)\n  if (!rec || rec.status === 'revoked') return json({ error: { code: 'revoked' } }, 403)\n  if (!deps.registry.isPaired(auth.tid)) return json({ error: { code: 'paused' } }, 503)\n\n  const rlCheck = await deps.rateLimiter.check(auth.tid, 'token')\n  if (!rlCheck.allowed) {\n    return json({ error: { code: 'rate-limited', retryAfterMs: rlCheck.retryAfterMs } }, 429)\n  }\n\n  const body = ((await req.json().catch(() => null)) ?? {}) as LapWaitRequest\n  const timeoutMs = body.timeoutMs ?? 10_000\n  const result = await deps.registry.waitForChange(auth.tid, body.path, timeoutMs)\n  const out: LapWaitResponse = result\n\n  const nowMs = (deps.now ?? (() => Date.now()))()\n  await deps.auditSink.write({\n    at: nowMs,\n    tid: auth.tid,\n    uid: rec.uid,\n    event: 'lap-call',\n    detail: { path: '/lap/v1/wait', outcome: result.status },\n  })\n  return json(out, 200)\n}\n\nfunction json(b: unknown, s: number): Response {\n  return new Response(JSON.stringify(b), {\n    status: s,\n    headers: { 'content-type': 'application/json' },\n  })\n}\n"]}

package/dist/server/options.d.ts

@@ -0,0 +1,41 @@
+import type { IncomingMessage } from 'node:http';
+import type { Duplex } from 'node:stream';
+import type { TokenStore } from './token-store.js';
+import type { IdentityResolver } from './identity.js';
+import type { AuditSink } from './audit.js';
+import type { RateLimiter } from './rate-limit.js';
+/**
+ * Options accepted by `createLluiAgentServer`. All values except
+ * `signingKey` are optional and fall back to in-memory defaults.
+ * See spec §10.1.
+ */
+export type ServerOptions = {
+    /** HMAC key for signing tokens. ≥32 bytes; rotation invalidates all tokens. */
+    signingKey: string | Uint8Array;
+    /** Token store. Defaults to an `InMemoryTokenStore`. */
+    tokenStore?: TokenStore;
+    /** Identity resolver. Defaults to anonymous (always null). */
+    identityResolver?: IdentityResolver;
+    /** Audit sink. Defaults to `consoleAuditSink`. */
+    auditSink?: AuditSink;
+    /** Rate limiter. Defaults to `defaultRateLimiter` with 30/minute. */
+    rateLimiter?: RateLimiter;
+    /** Base path prefix for LAP endpoints. Defaults to `/agent/lap/v1`. */
+    lapBasePath?: string;
+    /** Pairing grace window after a tab closes, in ms. Default 15 min. */
+    pairingGraceMs?: number;
+    /** Sliding TTL for active tokens, in ms. Default 1 h. */
+    slidingTtlMs?: number;
+    /** Allowed origins for the HTTP surface (CORS). Empty = any. */
+    corsOrigins?: readonly string[];
+};
+/**
+ * Value returned by `createLluiAgentServer`. `router` matches any
+ * `/agent/*` request and returns a Response (or null to fall through).
+ * `wsUpgrade` handles Node HTTP upgrade events for `/agent/ws`.
+ */
+export type AgentServerHandle = {
+    router: (req: Request) => Promise<Response | null>;
+    wsUpgrade: (req: IncomingMessage, socket: Duplex, head: Buffer) => void;
+};
+//# sourceMappingURL=options.d.ts.map

package/dist/server/options.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"options.d.ts","sourceRoot":"","sources":["../../src/server/options.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AAChD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AACrD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAC3C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAElD;;;;GAIG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B,+EAA+E;IAC/E,UAAU,EAAE,MAAM,GAAG,UAAU,CAAA;IAE/B,wDAAwD;IACxD,UAAU,CAAC,EAAE,UAAU,CAAA;IAEvB,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC,kDAAkD;IAClD,SAAS,CAAC,EAAE,SAAS,CAAA;IAErB,qEAAqE;IACrE,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB,uEAAuE;IACvE,WAAW,CAAC,EAAE,MAAM,CAAA;IAEpB,sEAAsE;IACtE,cAAc,CAAC,EAAE,MAAM,CAAA;IAEvB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAA;IAErB,gEAAgE;IAChE,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;CAChC,CAAA;AAED;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,MAAM,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAClD,SAAS,EAAE,CAAC,GAAG,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,IAAI,CAAA;CACxE,CAAA"}

package/dist/server/options.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=options.js.map

package/dist/server/options.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"options.js","sourceRoot":"","sources":["../../src/server/options.ts"],"names":[],"mappings":"","sourcesContent":["import type { IncomingMessage } from 'node:http'\nimport type { Duplex } from 'node:stream'\nimport type { TokenStore } from './token-store.js'\nimport type { IdentityResolver } from './identity.js'\nimport type { AuditSink } from './audit.js'\nimport type { RateLimiter } from './rate-limit.js'\n\n/**\n * Options accepted by `createLluiAgentServer`. All values except\n * `signingKey` are optional and fall back to in-memory defaults.\n * See spec §10.1.\n */\nexport type ServerOptions = {\n  /** HMAC key for signing tokens. ≥32 bytes; rotation invalidates all tokens. */\n  signingKey: string | Uint8Array\n\n  /** Token store. Defaults to an `InMemoryTokenStore`. */\n  tokenStore?: TokenStore\n\n  /** Identity resolver. Defaults to anonymous (always null). */\n  identityResolver?: IdentityResolver\n\n  /** Audit sink. Defaults to `consoleAuditSink`. */\n  auditSink?: AuditSink\n\n  /** Rate limiter. Defaults to `defaultRateLimiter` with 30/minute. */\n  rateLimiter?: RateLimiter\n\n  /** Base path prefix for LAP endpoints. Defaults to `/agent/lap/v1`. */\n  lapBasePath?: string\n\n  /** Pairing grace window after a tab closes, in ms. Default 15 min. */\n  pairingGraceMs?: number\n\n  /** Sliding TTL for active tokens, in ms. Default 1 h. */\n  slidingTtlMs?: number\n\n  /** Allowed origins for the HTTP surface (CORS). Empty = any. */\n  corsOrigins?: readonly string[]\n}\n\n/**\n * Value returned by `createLluiAgentServer`. `router` matches any\n * `/agent/*` request and returns a Response (or null to fall through).\n * `wsUpgrade` handles Node HTTP upgrade events for `/agent/ws`.\n */\nexport type AgentServerHandle = {\n  router: (req: Request) => Promise<Response | null>\n  wsUpgrade: (req: IncomingMessage, socket: Duplex, head: Buffer) => void\n}\n"]}

package/dist/server/rate-limit.d.ts

@@ -0,0 +1,14 @@
+export type RateLimitResult = {
+    allowed: true;
+} | {
+    allowed: false;
+    retryAfterMs: number;
+};
+export interface RateLimiter {
+    check(key: string, bucket: 'token' | 'identity'): Promise<RateLimitResult>;
+}
+export type RateLimitConfig = {
+    perBucket: string;
+};
+export declare function defaultRateLimiter(cfg: RateLimitConfig, now?: () => number): RateLimiter;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/server/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/server/rate-limit.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG;IAAE,OAAO,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAAA;AAE1F,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,UAAU,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC3E;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAiBD,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,eAAe,EACpB,GAAG,GAAE,MAAM,MAAyB,GACnC,WAAW,CA4Bb"}

package/dist/server/rate-limit.js

@@ -0,0 +1,43 @@
+const UNIT_MS = {
+    second: 1000,
+    minute: 60_000,
+    hour: 3_600_000,
+};
+function parseRate(spec) {
+    const m = spec.match(/^(\d+)\/(second|minute|hour)$/);
+    if (!m)
+        throw new Error(`invalid rate spec: ${spec}`);
+    const count = Number(m[1]);
+    const windowMs = UNIT_MS[m[2]];
+    if (!windowMs)
+        throw new Error(`invalid rate spec: ${spec}`);
+    return { count, windowMs };
+}
+export function defaultRateLimiter(cfg, now = () => Date.now()) {
+    const { count, windowMs } = parseRate(cfg.perBucket);
+    const refillPerMs = count / windowMs;
+    const state = new Map();
+    return {
+        async check(key, bucket) {
+            const k = `${bucket}:${key}`;
+            const nowMs = now();
+            let b = state.get(k);
+            if (!b) {
+                b = { tokens: count, lastCheck: nowMs };
+                state.set(k, b);
+            }
+            else {
+                const delta = nowMs - b.lastCheck;
+                b.tokens = Math.min(count, b.tokens + delta * refillPerMs);
+                b.lastCheck = nowMs;
+            }
+            if (b.tokens >= 1) {
+                b.tokens -= 1;
+                return { allowed: true };
+            }
+            const retryAfterMs = Math.ceil((1 - b.tokens) / refillPerMs);
+            return { allowed: false, retryAfterMs };
+        },
+    };
+}
+//# sourceMappingURL=rate-limit.js.map

package/dist/server/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/server/rate-limit.ts"],"names":[],"mappings":"AAUA,MAAM,OAAO,GAA2B;IACtC,MAAM,EAAE,IAAI;IACZ,MAAM,EAAE,MAAM;IACd,IAAI,EAAE,SAAS;CAChB,CAAA;AAED,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAA;IACrD,IAAI,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAA;IACrD,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IAC1B,MAAM,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAyB,CAAC,CAAA;IACtD,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAA;IAC5D,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAA;AAC5B,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,GAAoB,EACpB,MAAoB,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE;IAEpC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,KAAK,GAAG,QAAQ,CAAA;IAGpC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAuB,CAAA;IAE5C,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,MAAM;YACrB,MAAM,CAAC,GAAG,GAAG,MAAM,IAAI,GAAG,EAAE,CAAA;YAC5B,MAAM,KAAK,GAAG,GAAG,EAAE,CAAA;YACnB,IAAI,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;YACpB,IAAI,CAAC,CAAC,EAAE,CAAC;gBACP,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;gBACvC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;YACjB,CAAC;iBAAM,CAAC;gBACN,MAAM,KAAK,GAAG,KAAK,GAAG,CAAC,CAAC,SAAS,CAAA;gBACjC,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,MAAM,GAAG,KAAK,GAAG,WAAW,CAAC,CAAA;gBAC1D,CAAC,CAAC,SAAS,GAAG,KAAK,CAAA;YACrB,CAAC;YACD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBAClB,CAAC,CAAC,MAAM,IAAI,CAAC,CAAA;gBACb,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;YAC1B,CAAC;YACD,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,GAAG,WAAW,CAAC,CAAA;YAC5D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,CAAA;QACzC,CAAC;KACF,CAAA;AACH,CAAC","sourcesContent":["export type RateLimitResult = { allowed: true } | { allowed: false; retryAfterMs: number }\n\nexport interface RateLimiter {\n  check(key: string, bucket: 'token' | 'identity'): Promise<RateLimitResult>\n}\n\nexport type RateLimitConfig = {\n  perBucket: string\n}\n\nconst UNIT_MS: Record<string, number> = {\n  second: 1000,\n  minute: 60_000,\n  hour: 3_600_000,\n}\n\nfunction parseRate(spec: string): { count: number; windowMs: number } {\n  const m = spec.match(/^(\\d+)\\/(second|minute|hour)$/)\n  if (!m) throw new Error(`invalid rate spec: ${spec}`)\n  const count = Number(m[1])\n  const windowMs = UNIT_MS[m[2] as keyof typeof UNIT_MS]\n  if (!windowMs) throw new Error(`invalid rate spec: ${spec}`)\n  return { count, windowMs }\n}\n\nexport function defaultRateLimiter(\n  cfg: RateLimitConfig,\n  now: () => number = () => Date.now(),\n): RateLimiter {\n  const { count, windowMs } = parseRate(cfg.perBucket)\n  const refillPerMs = count / windowMs\n\n  type BucketState = { tokens: number; lastCheck: number }\n  const state = new Map<string, BucketState>()\n\n  return {\n    async check(key, bucket) {\n      const k = `${bucket}:${key}`\n      const nowMs = now()\n      let b = state.get(k)\n      if (!b) {\n        b = { tokens: count, lastCheck: nowMs }\n        state.set(k, b)\n      } else {\n        const delta = nowMs - b.lastCheck\n        b.tokens = Math.min(count, b.tokens + delta * refillPerMs)\n        b.lastCheck = nowMs\n      }\n      if (b.tokens >= 1) {\n        b.tokens -= 1\n        return { allowed: true }\n      }\n      const retryAfterMs = Math.ceil((1 - b.tokens) / refillPerMs)\n      return { allowed: false, retryAfterMs }\n    },\n  }\n}\n"]}

package/dist/server/token-store.d.ts

@@ -0,0 +1,27 @@
+import type { TokenRecord } from '../protocol.js';
+/**
+ * Append-only, read-friendly storage for token records. See spec §10.3.
+ */
+export interface TokenStore {
+    create(record: TokenRecord): Promise<void>;
+    findByTid(tid: string): Promise<TokenRecord | null>;
+    listByIdentity(uid: string): Promise<TokenRecord[]>;
+    touch(tid: string, now: number): Promise<void>;
+    markPendingResume(tid: string, until: number): Promise<void>;
+    /** Transition to awaiting-claude: browser WS is connected, waiting for Claude's first call. */
+    markAwaitingClaude(tid: string, now: number): Promise<void>;
+    markActive(tid: string, label: string, now: number): Promise<void>;
+    revoke(tid: string): Promise<void>;
+}
+export declare class InMemoryTokenStore implements TokenStore {
+    private byTid;
+    create(record: TokenRecord): Promise<void>;
+    findByTid(tid: string): Promise<TokenRecord | null>;
+    listByIdentity(uid: string): Promise<TokenRecord[]>;
+    touch(tid: string, now: number): Promise<void>;
+    markPendingResume(tid: string, until: number): Promise<void>;
+    markAwaitingClaude(tid: string, now: number): Promise<void>;
+    markActive(tid: string, label: string, now: number): Promise<void>;
+    revoke(tid: string): Promise<void>;
+}
+//# sourceMappingURL=token-store.d.ts.map

package/dist/server/token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/server/token-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAEjD;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,MAAM,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC1C,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAA;IACnD,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAAA;IACnD,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC9C,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC5D,+FAA+F;IAC/F,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC3D,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAClE,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACnC;AAED,qBAAa,kBAAmB,YAAW,UAAU;IACnD,OAAO,CAAC,KAAK,CAAiC;IAExC,MAAM,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAI1C,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAKnD,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAQnD,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM9C,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM5D,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM3D,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYlE,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAKzC"}

package/dist/server/token-store.js

@@ -0,0 +1,55 @@
+export class InMemoryTokenStore {
+    byTid = new Map();
+    async create(record) {
+        this.byTid.set(record.tid, { ...record });
+    }
+    async findByTid(tid) {
+        const r = this.byTid.get(tid);
+        return r ? { ...r } : null;
+    }
+    async listByIdentity(uid) {
+        const out = [];
+        for (const r of this.byTid.values()) {
+            if (r.uid === uid)
+                out.push({ ...r });
+        }
+        return out;
+    }
+    async touch(tid, now) {
+        const r = this.byTid.get(tid);
+        if (!r)
+            return;
+        this.byTid.set(tid, { ...r, lastSeenAt: now });
+    }
+    async markPendingResume(tid, until) {
+        const r = this.byTid.get(tid);
+        if (!r)
+            return;
+        this.byTid.set(tid, { ...r, status: 'pending-resume', pendingResumeUntil: until });
+    }
+    async markAwaitingClaude(tid, now) {
+        const r = this.byTid.get(tid);
+        if (!r)
+            return;
+        this.byTid.set(tid, { ...r, status: 'awaiting-claude', lastSeenAt: now });
+    }
+    async markActive(tid, label, now) {
+        const r = this.byTid.get(tid);
+        if (!r)
+            return;
+        this.byTid.set(tid, {
+            ...r,
+            status: 'active',
+            label,
+            lastSeenAt: now,
+            pendingResumeUntil: null,
+        });
+    }
+    async revoke(tid) {
+        const r = this.byTid.get(tid);
+        if (!r)
+            return;
+        this.byTid.set(tid, { ...r, status: 'revoked', pendingResumeUntil: null });
+    }
+}
+//# sourceMappingURL=token-store.js.map

package/dist/server/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../../src/server/token-store.ts"],"names":[],"mappings":"AAiBA,MAAM,OAAO,kBAAkB;IACrB,KAAK,GAAG,IAAI,GAAG,EAAuB,CAAA;IAE9C,KAAK,CAAC,MAAM,CAAC,MAAmB;QAC9B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;IAC3C,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC7B,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAA;IAC5B,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,GAAW;QAC9B,MAAM,GAAG,GAAkB,EAAE,CAAA;QAC7B,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YACpC,IAAI,CAAC,CAAC,GAAG,KAAK,GAAG;gBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAA;QACvC,CAAC;QACD,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,GAAW;QAClC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC7B,IAAI,CAAC,CAAC;YAAE,OAAM;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAA;IAChD,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAW,EAAE,KAAa;QAChD,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC7B,IAAI,CAAC,CAAC;YAAE,OAAM;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAA;IACpF,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,GAAW,EAAE,GAAW;QAC/C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC7B,IAAI,CAAC,CAAC;YAAE,OAAM;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,iBAAiB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAA;IAC3E,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,KAAa,EAAE,GAAW;QACtD,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC7B,IAAI,CAAC,CAAC;YAAE,OAAM;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE;YAClB,GAAG,CAAC;YACJ,MAAM,EAAE,QAAQ;YAChB,KAAK;YACL,UAAU,EAAE,GAAG;YACf,kBAAkB,EAAE,IAAI;SACzB,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC7B,IAAI,CAAC,CAAC;YAAE,OAAM;QACd,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAA;IAC5E,CAAC;CACF","sourcesContent":["import type { TokenRecord } from '../protocol.js'\n\n/**\n * Append-only, read-friendly storage for token records. See spec §10.3.\n */\nexport interface TokenStore {\n  create(record: TokenRecord): Promise<void>\n  findByTid(tid: string): Promise<TokenRecord | null>\n  listByIdentity(uid: string): Promise<TokenRecord[]>\n  touch(tid: string, now: number): Promise<void>\n  markPendingResume(tid: string, until: number): Promise<void>\n  /** Transition to awaiting-claude: browser WS is connected, waiting for Claude's first call. */\n  markAwaitingClaude(tid: string, now: number): Promise<void>\n  markActive(tid: string, label: string, now: number): Promise<void>\n  revoke(tid: string): Promise<void>\n}\n\nexport class InMemoryTokenStore implements TokenStore {\n  private byTid = new Map<string, TokenRecord>()\n\n  async create(record: TokenRecord): Promise<void> {\n    this.byTid.set(record.tid, { ...record })\n  }\n\n  async findByTid(tid: string): Promise<TokenRecord | null> {\n    const r = this.byTid.get(tid)\n    return r ? { ...r } : null\n  }\n\n  async listByIdentity(uid: string): Promise<TokenRecord[]> {\n    const out: TokenRecord[] = []\n    for (const r of this.byTid.values()) {\n      if (r.uid === uid) out.push({ ...r })\n    }\n    return out\n  }\n\n  async touch(tid: string, now: number): Promise<void> {\n    const r = this.byTid.get(tid)\n    if (!r) return\n    this.byTid.set(tid, { ...r, lastSeenAt: now })\n  }\n\n  async markPendingResume(tid: string, until: number): Promise<void> {\n    const r = this.byTid.get(tid)\n    if (!r) return\n    this.byTid.set(tid, { ...r, status: 'pending-resume', pendingResumeUntil: until })\n  }\n\n  async markAwaitingClaude(tid: string, now: number): Promise<void> {\n    const r = this.byTid.get(tid)\n    if (!r) return\n    this.byTid.set(tid, { ...r, status: 'awaiting-claude', lastSeenAt: now })\n  }\n\n  async markActive(tid: string, label: string, now: number): Promise<void> {\n    const r = this.byTid.get(tid)\n    if (!r) return\n    this.byTid.set(tid, {\n      ...r,\n      status: 'active',\n      label,\n      lastSeenAt: now,\n      pendingResumeUntil: null,\n    })\n  }\n\n  async revoke(tid: string): Promise<void> {\n    const r = this.byTid.get(tid)\n    if (!r) return\n    this.byTid.set(tid, { ...r, status: 'revoked', pendingResumeUntil: null })\n  }\n}\n"]}

package/dist/server/token.d.ts

@@ -0,0 +1,24 @@
+import type { AgentToken } from '../protocol.js';
+export type TokenPayload = {
+    tid: string;
+    iat: number;
+    exp: number;
+    scope: 'agent';
+};
+export type VerifyResult = {
+    kind: 'ok';
+    payload: TokenPayload;
+} | {
+    kind: 'invalid';
+    reason: 'malformed' | 'bad-signature' | 'expired';
+};
+/**
+ * Serialize a payload to `llui-agent_<base64url(json)>.<base64url(hmac)>`.
+ * See spec §6.1.
+ */
+export declare function signToken(payload: TokenPayload, key: string | Uint8Array): AgentToken;
+/**
+ * Verify the signature, parse the payload, and check expiry.
+ */
+export declare function verifyToken(token: string, key: string | Uint8Array, nowSec?: number): VerifyResult;
+//# sourceMappingURL=token.d.ts.map

package/dist/server/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/server/token.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAEhD,MAAM,MAAM,YAAY,GAAG;IACzB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,OAAO,CAAA;CACf,CAAA;AAED,MAAM,MAAM,YAAY,GACpB;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,YAAY,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,WAAW,GAAG,eAAe,GAAG,SAAS,CAAA;CAAE,CAAA;AAsB1E;;;GAGG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,UAAU,CAOrF;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,MAAM,GAAG,UAAU,EACxB,MAAM,GAAE,MAAsC,GAC7C,YAAY,CA6Bd"}