npm - @lobu/gateway - Versions diffs - 3.0.8 → 3.0.12 - Mend

@lobu/gateway 3.0.8 → 3.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (219) hide show

package/dist/api/platform.d.ts.map +1 -1
package/dist/api/platform.js +8 -26
package/dist/api/platform.js.map +1 -1
package/dist/auth/mcp/proxy.d.ts +14 -0
package/dist/auth/mcp/proxy.d.ts.map +1 -1
package/dist/auth/mcp/proxy.js +149 -13
package/dist/auth/mcp/proxy.js.map +1 -1
package/dist/cli/gateway.d.ts.map +1 -1
package/dist/cli/gateway.js +29 -0
package/dist/cli/gateway.js.map +1 -1
package/dist/cli/index.js +2 -2
package/dist/cli/index.js.map +1 -1
package/dist/connections/chat-instance-manager.d.ts.map +1 -1
package/dist/connections/chat-instance-manager.js +2 -1
package/dist/connections/chat-instance-manager.js.map +1 -1
package/dist/connections/interaction-bridge.d.ts +9 -2
package/dist/connections/interaction-bridge.d.ts.map +1 -1
package/dist/connections/interaction-bridge.js +132 -230
package/dist/connections/interaction-bridge.js.map +1 -1
package/dist/connections/message-handler-bridge.d.ts.map +1 -1
package/dist/connections/message-handler-bridge.js +44 -26
package/dist/connections/message-handler-bridge.js.map +1 -1
package/dist/interactions.d.ts +9 -43
package/dist/interactions.d.ts.map +1 -1
package/dist/interactions.js +10 -52
package/dist/interactions.js.map +1 -1
package/dist/orchestration/base-deployment-manager.js +7 -7
package/dist/orchestration/base-deployment-manager.js.map +1 -1
package/dist/platform/unified-thread-consumer.d.ts.map +1 -1
package/dist/platform/unified-thread-consumer.js +38 -34
package/dist/platform/unified-thread-consumer.js.map +1 -1
package/dist/routes/public/agent.d.ts +4 -0
package/dist/routes/public/agent.d.ts.map +1 -1
package/dist/routes/public/agent.js +21 -0
package/dist/routes/public/agent.js.map +1 -1
package/dist/services/core-services.d.ts.map +1 -1
package/dist/services/core-services.js +4 -0
package/dist/services/core-services.js.map +1 -1
package/package.json +2 -2
package/src/__tests__/agent-config-routes.test.ts +0 -254
package/src/__tests__/agent-history-routes.test.ts +0 -72
package/src/__tests__/agent-routes.test.ts +0 -68
package/src/__tests__/agent-schedules-routes.test.ts +0 -59
package/src/__tests__/agent-settings-store.test.ts +0 -323
package/src/__tests__/bedrock-model-catalog.test.ts +0 -40
package/src/__tests__/bedrock-openai-service.test.ts +0 -157
package/src/__tests__/bedrock-provider-module.test.ts +0 -56
package/src/__tests__/chat-instance-manager-slack.test.ts +0 -204
package/src/__tests__/chat-response-bridge.test.ts +0 -131
package/src/__tests__/config-memory-plugins.test.ts +0 -92
package/src/__tests__/config-request-store.test.ts +0 -127
package/src/__tests__/connection-routes.test.ts +0 -144
package/src/__tests__/core-services-store-selection.test.ts +0 -92
package/src/__tests__/docker-deployment.test.ts +0 -1211
package/src/__tests__/embedded-deployment.test.ts +0 -342
package/src/__tests__/grant-store.test.ts +0 -148
package/src/__tests__/http-proxy.test.ts +0 -281
package/src/__tests__/instruction-service.test.ts +0 -37
package/src/__tests__/link-buttons.test.ts +0 -112
package/src/__tests__/lobu.test.ts +0 -32
package/src/__tests__/mcp-config-service.test.ts +0 -347
package/src/__tests__/mcp-proxy.test.ts +0 -694
package/src/__tests__/message-handler-bridge.test.ts +0 -17
package/src/__tests__/model-selection.test.ts +0 -172
package/src/__tests__/oauth-templates.test.ts +0 -39
package/src/__tests__/platform-adapter-slack-send.test.ts +0 -114
package/src/__tests__/platform-helpers-model-resolution.test.ts +0 -253
package/src/__tests__/provider-inheritance.test.ts +0 -212
package/src/__tests__/routes/cli-auth.test.ts +0 -337
package/src/__tests__/routes/interactions.test.ts +0 -121
package/src/__tests__/secret-proxy.test.ts +0 -85
package/src/__tests__/session-manager.test.ts +0 -572
package/src/__tests__/setup.ts +0 -133
package/src/__tests__/skill-and-mcp-registry.test.ts +0 -203
package/src/__tests__/slack-routes.test.ts +0 -161
package/src/__tests__/system-config-resolver.test.ts +0 -75
package/src/__tests__/system-message-limiter.test.ts +0 -89
package/src/__tests__/system-skills-service.test.ts +0 -362
package/src/__tests__/transcription-service.test.ts +0 -222
package/src/__tests__/utils/rate-limiter.test.ts +0 -102
package/src/__tests__/worker-connection-manager.test.ts +0 -497
package/src/__tests__/worker-job-router.test.ts +0 -722
package/src/api/index.ts +0 -1
package/src/api/platform.ts +0 -292
package/src/api/response-renderer.ts +0 -157
package/src/auth/agent-metadata-store.ts +0 -168
package/src/auth/api-auth-middleware.ts +0 -69
package/src/auth/api-key-provider-module.ts +0 -213
package/src/auth/base-provider-module.ts +0 -201
package/src/auth/bedrock/provider-module.ts +0 -110
package/src/auth/chatgpt/chatgpt-oauth-module.ts +0 -185
package/src/auth/chatgpt/device-code-client.ts +0 -218
package/src/auth/chatgpt/index.ts +0 -1
package/src/auth/claude/oauth-module.ts +0 -280
package/src/auth/cli/token-service.ts +0 -249
package/src/auth/external/client.ts +0 -560
package/src/auth/external/device-code-client.ts +0 -235
package/src/auth/mcp/config-service.ts +0 -420
package/src/auth/mcp/proxy.ts +0 -1086
package/src/auth/mcp/string-substitution.ts +0 -17
package/src/auth/mcp/tool-cache.ts +0 -90
package/src/auth/oauth/base-client.ts +0 -267
package/src/auth/oauth/client.ts +0 -153
package/src/auth/oauth/credentials.ts +0 -7
package/src/auth/oauth/providers.ts +0 -69
package/src/auth/oauth/state-store.ts +0 -150
package/src/auth/oauth-templates.ts +0 -179
package/src/auth/provider-catalog.ts +0 -220
package/src/auth/provider-model-options.ts +0 -41
package/src/auth/settings/agent-settings-store.ts +0 -565
package/src/auth/settings/auth-profiles-manager.ts +0 -216
package/src/auth/settings/index.ts +0 -12
package/src/auth/settings/model-preference-store.ts +0 -52
package/src/auth/settings/model-selection.ts +0 -135
package/src/auth/settings/resolved-settings-view.ts +0 -298
package/src/auth/settings/template-utils.ts +0 -44
package/src/auth/settings/token-service.ts +0 -88
package/src/auth/system-env-store.ts +0 -98
package/src/auth/user-agents-store.ts +0 -68
package/src/channels/binding-service.ts +0 -214
package/src/channels/index.ts +0 -4
package/src/cli/gateway.ts +0 -1312
package/src/cli/index.ts +0 -74
package/src/commands/built-in-commands.ts +0 -80
package/src/commands/command-dispatcher.ts +0 -94
package/src/commands/command-reply-adapters.ts +0 -27
package/src/config/file-loader.ts +0 -618
package/src/config/index.ts +0 -588
package/src/config/network-allowlist.ts +0 -71
package/src/connections/chat-instance-manager.ts +0 -1284
package/src/connections/chat-response-bridge.ts +0 -618
package/src/connections/index.ts +0 -7
package/src/connections/interaction-bridge.ts +0 -831
package/src/connections/message-handler-bridge.ts +0 -415
package/src/connections/platform-auth-methods.ts +0 -15
package/src/connections/types.ts +0 -84
package/src/gateway/connection-manager.ts +0 -291
package/src/gateway/index.ts +0 -698
package/src/gateway/job-router.ts +0 -201
package/src/gateway-main.ts +0 -200
package/src/index.ts +0 -41
package/src/infrastructure/queue/index.ts +0 -12
package/src/infrastructure/queue/queue-producer.ts +0 -148
package/src/infrastructure/queue/redis-queue.ts +0 -361
package/src/infrastructure/queue/types.ts +0 -133
package/src/infrastructure/redis/system-message-limiter.ts +0 -94
package/src/interactions/config-request-store.ts +0 -198
package/src/interactions.ts +0 -363
package/src/lobu.ts +0 -311
package/src/metrics/prometheus.ts +0 -159
package/src/modules/module-system.ts +0 -179
package/src/orchestration/base-deployment-manager.ts +0 -900
package/src/orchestration/deployment-utils.ts +0 -98
package/src/orchestration/impl/docker-deployment.ts +0 -620
package/src/orchestration/impl/embedded-deployment.ts +0 -268
package/src/orchestration/impl/index.ts +0 -8
package/src/orchestration/impl/k8s/deployment.ts +0 -1061
package/src/orchestration/impl/k8s/helpers.ts +0 -610
package/src/orchestration/impl/k8s/index.ts +0 -1
package/src/orchestration/index.ts +0 -333
package/src/orchestration/message-consumer.ts +0 -584
package/src/orchestration/scheduled-wakeup.ts +0 -704
package/src/permissions/approval-policy.ts +0 -36
package/src/permissions/grant-store.ts +0 -219
package/src/platform/file-handler.ts +0 -66
package/src/platform/link-buttons.ts +0 -57
package/src/platform/renderer-utils.ts +0 -44
package/src/platform/response-renderer.ts +0 -84
package/src/platform/unified-thread-consumer.ts +0 -187
package/src/platform.ts +0 -318
package/src/proxy/http-proxy.ts +0 -752
package/src/proxy/proxy-manager.ts +0 -81
package/src/proxy/secret-proxy.ts +0 -402
package/src/proxy/token-refresh-job.ts +0 -143
package/src/routes/internal/audio.ts +0 -141
package/src/routes/internal/device-auth.ts +0 -652
package/src/routes/internal/files.ts +0 -226
package/src/routes/internal/history.ts +0 -69
package/src/routes/internal/images.ts +0 -127
package/src/routes/internal/interactions.ts +0 -84
package/src/routes/internal/middleware.ts +0 -23
package/src/routes/internal/schedule.ts +0 -226
package/src/routes/internal/types.ts +0 -22
package/src/routes/openapi-auto.ts +0 -239
package/src/routes/public/agent-access.ts +0 -23
package/src/routes/public/agent-config.ts +0 -675
package/src/routes/public/agent-history.ts +0 -422
package/src/routes/public/agent-schedules.ts +0 -296
package/src/routes/public/agent.ts +0 -1086
package/src/routes/public/agents.ts +0 -373
package/src/routes/public/channels.ts +0 -191
package/src/routes/public/cli-auth.ts +0 -896
package/src/routes/public/connections.ts +0 -574
package/src/routes/public/landing.ts +0 -16
package/src/routes/public/oauth.ts +0 -147
package/src/routes/public/settings-auth.ts +0 -104
package/src/routes/public/slack.ts +0 -173
package/src/routes/shared/agent-ownership.ts +0 -101
package/src/routes/shared/token-verifier.ts +0 -34
package/src/services/bedrock-model-catalog.ts +0 -217
package/src/services/bedrock-openai-service.ts +0 -658
package/src/services/core-services.ts +0 -1072
package/src/services/image-generation-service.ts +0 -257
package/src/services/instruction-service.ts +0 -318
package/src/services/mcp-registry.ts +0 -94
package/src/services/platform-helpers.ts +0 -287
package/src/services/session-manager.ts +0 -262
package/src/services/settings-resolver.ts +0 -74
package/src/services/system-config-resolver.ts +0 -89
package/src/services/system-skills-service.ts +0 -229
package/src/services/transcription-service.ts +0 -684
package/src/session.ts +0 -110
package/src/spaces/index.ts +0 -1
package/src/spaces/space-resolver.ts +0 -17
package/src/stores/in-memory-agent-store.ts +0 -403
package/src/stores/redis-agent-store.ts +0 -279
package/src/utils/public-url.ts +0 -44
package/src/utils/rate-limiter.ts +0 -94
package/tsconfig.json +0 -33

package/src/routes/public/cli-auth.ts DELETED Viewed

@@ -1,896 +0,0 @@
-import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
-import { createLogger } from "@lobu/core";
-import { type Context, Hono } from "hono";
-import { CliTokenService } from "../../auth/cli/token-service";
-import type { ExternalAuthClient } from "../../auth/external/client";
-import type { IMessageQueue } from "../../infrastructure/queue";
-import { resolvePublicUrl } from "../../utils/public-url";
-import {
-  getClientIp,
-  RedisFixedWindowRateLimiter,
-} from "../../utils/rate-limiter";
-import {
-  setSettingsSessionCookie,
-  verifySettingsSession,
-  verifySettingsToken,
-} from "./settings-auth";
-const logger = createLogger("cli-auth-routes");
-const AUTH_REQUEST_TTL_SECONDS = 10 * 60;
-const POLL_INTERVAL_MS = 2000;
-const CONNECT_OAUTH_TTL_SECONDS = 10 * 60;
-const ADMIN_LOGIN_RATE_LIMIT = {
-  limit: 5,
-  windowSeconds: 5 * 60,
-};
-interface CliAuthResult {
-  accessToken: string;
-  refreshToken: string;
-  expiresAt: number;
-  user: {
-    userId: string;
-    email?: string;
-    name?: string;
-  };
-}
-interface CliBrowserAuthState {
-  status: "pending" | "complete" | "error";
-  createdAt: number;
-  error?: string;
-  result?: CliAuthResult;
-}
-interface CliDeviceAuthState {
-  status: "pending" | "complete" | "error";
-  createdAt: number;
-  expiresAt: number;
-  interval: number;
-  userCode: string;
-  verificationUri: string;
-  verificationUriComplete?: string;
-  error?: string;
-  result?: CliAuthResult;
-}
-interface ConnectOauthState {
-  returnUrl: string;
-  codeVerifier: string;
-}
-export interface CliAuthRoutesConfig {
-  queue: IMessageQueue;
-  externalAuthClient?: ExternalAuthClient;
-  allowAdminPasswordLogin?: boolean;
-  adminPassword?: string;
-}
-function normalizeReturnUrl(
-  returnUrl: string | null | undefined
-): string | null {
-  const value = returnUrl?.trim();
-  if (!value || !value.startsWith("/") || value.startsWith("//")) {
-    return null;
-  }
-  return value;
-}
-function escapeHtml(str: string): string {
-  return str
-    .replace(/&/g, "&amp;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;")
-    .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#39;");
-}
-function renderPage(title: string, message: string, tone: "success" | "error") {
-  title = escapeHtml(title);
-  message = escapeHtml(message);
-  const border = tone === "success" ? "#15803d" : "#b91c1c";
-  const bg = tone === "success" ? "#f0fdf4" : "#fef2f2";
-  const fg = tone === "success" ? "#166534" : "#991b1b";
-  return `<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>${title}</title>
-    <style>
-      body {
-        margin: 0;
-        font-family: ui-sans-serif, system-ui, sans-serif;
-        background: #f8fafc;
-        color: #0f172a;
-        display: grid;
-        place-items: center;
-        min-height: 100vh;
-      }
-      .card {
-        width: min(34rem, calc(100vw - 2rem));
-        background: white;
-        border: 1px solid #e2e8f0;
-        border-top: 4px solid ${border};
-        border-radius: 0.75rem;
-        padding: 1.25rem;
-        box-shadow: 0 12px 30px rgba(15, 23, 42, 0.08);
-      }
-      .status {
-        margin-top: 0.75rem;
-        padding: 0.875rem 1rem;
-        border-radius: 0.5rem;
-        background: ${bg};
-        color: ${fg};
-        line-height: 1.5;
-      }
-      h1 {
-        margin: 0;
-        font-size: 1.125rem;
-      }
-      p {
-        margin: 0.5rem 0 0;
-        color: #475569;
-      }
-    </style>
-  </head>
-  <body>
-    <main class="card">
-      <h1>${title}</h1>
-      <p>You can return to the terminal after this page updates.</p>
-      <div class="status">${message}</div>
-    </main>
-  </body>
-</html>`;
-}
-export function createCliAuthRoutes(config: CliAuthRoutesConfig): Hono {
-  const router = new Hono();
-  const redis = config.queue.getRedisClient();
-  const tokenService = new CliTokenService(redis);
-  const rateLimiter = new RedisFixedWindowRateLimiter(redis);
-  async function loadBrowserRequest(
-    requestId: string
-  ): Promise<CliBrowserAuthState | null> {
-    const raw = await redis.get(getRequestKey(requestId));
-    if (!raw) {
-      return null;
-    }
-    try {
-      return JSON.parse(raw) as CliBrowserAuthState;
-    } catch (error) {
-      logger.error("Failed to parse CLI browser auth request", {
-        requestId,
-        error,
-      });
-      await redis.del(getRequestKey(requestId));
-      return null;
-    }
-  }
-  async function saveBrowserRequest(
-    requestId: string,
-    value: CliBrowserAuthState
-  ): Promise<void> {
-    await redis.setex(
-      getRequestKey(requestId),
-      AUTH_REQUEST_TTL_SECONDS,
-      JSON.stringify(value)
-    );
-  }
-  async function loadDeviceRequest(
-    deviceAuthId: string
-  ): Promise<CliDeviceAuthState | null> {
-    const raw = await redis.get(getDeviceRequestKey(deviceAuthId));
-    if (!raw) {
-      return null;
-    }
-    try {
-      return JSON.parse(raw) as CliDeviceAuthState;
-    } catch (error) {
-      logger.error("Failed to parse CLI device auth request", {
-        deviceAuthId,
-        error,
-      });
-      await redis.del(getDeviceRequestKey(deviceAuthId));
-      return null;
-    }
-  }
-  async function saveDeviceRequest(
-    deviceAuthId: string,
-    value: CliDeviceAuthState
-  ): Promise<void> {
-    const ttlSeconds = Math.max(
-      60,
-      Math.ceil((value.expiresAt - Date.now()) / 1000)
-    );
-    await redis.setex(
-      getDeviceRequestKey(deviceAuthId),
-      ttlSeconds,
-      JSON.stringify(value)
-    );
-  }
-  async function mintCliTokens(user: {
-    userId: string;
-    email?: string;
-    name?: string;
-  }): Promise<CliAuthResult> {
-    return tokenService.issueTokens(user);
-  }
-  function verifyPassword(input: string, expected: string): boolean {
-    const a = createHash("sha256").update(input).digest();
-    const b = createHash("sha256").update(expected).digest();
-    return timingSafeEqual(a, b);
-  }
-  async function startBrowserRequest(c: Context) {
-    const requestId = randomBytes(24).toString("base64url");
-    await saveBrowserRequest(requestId, {
-      status: "pending",
-      createdAt: Date.now(),
-    });
-    const loginUrl = resolvePublicUrl(
-      `/api/v1/auth/cli/session/login?request=${encodeURIComponent(requestId)}`,
-      {
-        requestUrl: c.req.url,
-      }
-    );
-    return c.json({
-      mode: "browser",
-      requestId,
-      loginUrl,
-      pollIntervalMs: POLL_INTERVAL_MS,
-      expiresAt: Date.now() + AUTH_REQUEST_TTL_SECONDS * 1000,
-    });
-  }
-  async function pollBrowserRequest(c: Context, requestId: string) {
-    const authRequest = await loadBrowserRequest(requestId);
-    if (!authRequest) {
-      return c.json(
-        {
-          status: "error",
-          error: "This login request expired. Run `lobu login` again.",
-        },
-        410
-      );
-    }
-    if (authRequest.status === "pending") {
-      return c.json({ status: "pending" });
-    }
-    if (authRequest.status === "error") {
-      await redis.del(getRequestKey(requestId));
-      return c.json(
-        {
-          status: "error",
-          error: authRequest.error || "CLI login failed.",
-        },
-        400
-      );
-    }
-    await redis.del(getRequestKey(requestId));
-    return c.json({
-      status: "complete",
-      ...authRequest.result,
-    });
-  }
-  async function pollDeviceRequest(c: Context, deviceAuthId: string) {
-    const externalAuthClient = config.externalAuthClient;
-    if (!externalAuthClient) {
-      return c.json(
-        { error: "CLI login is not configured on this gateway." },
-        501
-      );
-    }
-    const authRequest = await loadDeviceRequest(deviceAuthId);
-    if (!authRequest) {
-      return c.json(
-        {
-          status: "error",
-          error: "This device login request expired. Run `lobu login` again.",
-        },
-        410
-      );
-    }
-    if (authRequest.status === "complete") {
-      await redis.del(getDeviceRequestKey(deviceAuthId));
-      return c.json({
-        status: "complete",
-        ...authRequest.result,
-      });
-    }
-    if (authRequest.status === "error") {
-      await redis.del(getDeviceRequestKey(deviceAuthId));
-      return c.json(
-        {
-          status: "error",
-          error: authRequest.error || "CLI login failed.",
-        },
-        400
-      );
-    }
-    try {
-      const pollResult = await externalAuthClient.pollDeviceAuthorization(
-        deviceAuthId,
-        authRequest.interval
-      );
-      if (pollResult.status === "pending") {
-        const nextState: CliDeviceAuthState = {
-          ...authRequest,
-          interval: Math.max(pollResult.interval ?? authRequest.interval, 1),
-        };
-        await saveDeviceRequest(deviceAuthId, nextState);
-        return c.json({ status: "pending" });
-      }
-      if (pollResult.status === "error") {
-        await redis.del(getDeviceRequestKey(deviceAuthId));
-        return c.json(
-          {
-            status: "error",
-            error: pollResult.error,
-          },
-          400
-        );
-      }
-      const user = pollResult.user;
-      if (!user?.sub) {
-        await redis.del(getDeviceRequestKey(deviceAuthId));
-        return c.json(
-          {
-            status: "error",
-            error:
-              "External auth completed, but no user identity was returned.",
-          },
-          502
-        );
-      }
-      const issued = await mintCliTokens({
-        userId: user.sub,
-        email: user.email,
-        name: user.name,
-      });
-      await redis.del(getDeviceRequestKey(deviceAuthId));
-      return c.json({
-        status: "complete",
-        ...issued,
-      });
-    } catch (error) {
-      logger.error("Failed to poll CLI device auth flow", {
-        deviceAuthId,
-        error,
-      });
-      await redis.del(getDeviceRequestKey(deviceAuthId));
-      return c.json(
-        {
-          status: "error",
-          error: "Failed to complete device login.",
-        },
-        500
-      );
-    }
-  }
-  router.post("/cli/start", async (c) => {
-    if (!config.externalAuthClient) {
-      return c.json(
-        { error: "CLI login is not configured on this gateway." },
-        501
-      );
-    }
-    try {
-      const capabilities = await config.externalAuthClient.getCapabilities();
-      if (capabilities.device) {
-        const started =
-          await config.externalAuthClient.startDeviceAuthorization();
-        const expiresAt = Date.now() + started.expiresIn * 1000;
-        await saveDeviceRequest(started.deviceAuthId, {
-          status: "pending",
-          createdAt: Date.now(),
-          expiresAt,
-          interval: Math.max(started.interval, 1),
-          userCode: started.userCode,
-          verificationUri: started.verificationUri,
-          verificationUriComplete: started.verificationUriComplete,
-        });
-        return c.json({
-          mode: "device",
-          deviceAuthId: started.deviceAuthId,
-          userCode: started.userCode,
-          verificationUri: started.verificationUri,
-          verificationUriComplete: started.verificationUriComplete,
-          interval: Math.max(started.interval, 1),
-          expiresAt,
-        });
-      }
-      if (capabilities.browser) {
-        return startBrowserRequest(c);
-      }
-      return c.json({ error: "CLI login is unavailable." }, 501);
-    } catch (error) {
-      logger.error("Failed to start CLI auth flow", { error });
-      return c.json({ error: "CLI login is unavailable." }, 500);
-    }
-  });
-  router.post("/cli/poll", async (c) => {
-    const rawBody = (await c.req.json().catch(() => ({}))) as {
-      requestId?: string;
-      deviceAuthId?: string;
-    };
-    const requestId = rawBody.requestId?.trim();
-    const deviceAuthId = rawBody.deviceAuthId?.trim();
-    if (deviceAuthId) {
-      return pollDeviceRequest(c, deviceAuthId);
-    }
-    if (requestId) {
-      return pollBrowserRequest(c, requestId);
-    }
-    return c.json({ error: "Missing requestId or deviceAuthId" }, 400);
-  });
-  router.post("/cli/admin-login", async (c) => {
-    if (!config.allowAdminPasswordLogin || !config.adminPassword) {
-      return c.json(
-        { error: "Admin password login is only available in development." },
-        403
-      );
-    }
-    const clientIp = getClientIp({
-      forwardedFor: c.req.header("x-forwarded-for"),
-      realIp: c.req.header("x-real-ip"),
-    });
-    const rateLimit = await rateLimiter.consume({
-      key: `rate-limit:cli:admin-login:${clientIp}`,
-      limit: ADMIN_LOGIN_RATE_LIMIT.limit,
-      windowSeconds: ADMIN_LOGIN_RATE_LIMIT.windowSeconds,
-    });
-    if (!rateLimit.allowed) {
-      c.header("Retry-After", String(rateLimit.retryAfterSeconds));
-      return c.json(
-        {
-          error: "Too many admin password login attempts. Try again later.",
-        },
-        429
-      );
-    }
-    const rawBody = (await c.req.json().catch(() => ({}))) as {
-      password?: string;
-    };
-    const password = rawBody.password?.trim();
-    if (!password) {
-      return c.json({ error: "Missing password" }, 400);
-    }
-    if (!verifyPassword(password, config.adminPassword)) {
-      return c.json({ error: "Invalid admin password." }, 401);
-    }
-    const issued = await mintCliTokens({
-      userId: "admin",
-      name: "Admin (dev)",
-    });
-    await rateLimiter.reset(`rate-limit:cli:admin-login:${clientIp}`);
-    logger.info("CLI admin password login completed", {
-      userId: "admin",
-    });
-    return c.json({
-      status: "complete",
-      ...issued,
-    });
-  });
-  router.get("/cli/session/login", async (c) => {
-    if (!config.externalAuthClient) {
-      return c.html(
-        renderPage(
-          "CLI Login Unavailable",
-          "This gateway does not have settings OAuth configured.",
-          "error"
-        ),
-        501
-      );
-    }
-    const requestId = c.req.query("request")?.trim();
-    if (!requestId) {
-      return c.html(
-        renderPage("CLI Login Failed", "Missing login request ID.", "error"),
-        400
-      );
-    }
-    const authRequest = await loadBrowserRequest(requestId);
-    if (!authRequest) {
-      return c.html(
-        renderPage(
-          "CLI Login Expired",
-          "This login request has expired. Run `lobu login` again.",
-          "error"
-        ),
-        410
-      );
-    }
-    const returnUrl = `/api/v1/auth/cli/session/complete?request=${encodeURIComponent(requestId)}`;
-    return c.redirect(
-      `/connect/oauth/login?returnUrl=${encodeURIComponent(returnUrl)}`
-    );
-  });
-  router.get("/cli/session/complete", async (c) => {
-    const requestId = c.req.query("request")?.trim();
-    if (!requestId) {
-      return c.html(
-        renderPage("CLI Login Failed", "Missing login request ID.", "error"),
-        400
-      );
-    }
-    const authRequest = await loadBrowserRequest(requestId);
-    if (!authRequest) {
-      return c.html(
-        renderPage(
-          "CLI Login Expired",
-          "This login request has expired. Run `lobu login` again.",
-          "error"
-        ),
-        410
-      );
-    }
-    const session = verifySettingsSession(c);
-    const userId = session?.oauthUserId || session?.userId;
-    if (!session || !userId) {
-      await saveBrowserRequest(requestId, {
-        status: "error",
-        createdAt: authRequest.createdAt,
-        error:
-          "OAuth completed, but no authenticated settings session was found.",
-      });
-      return c.html(
-        renderPage(
-          "CLI Login Failed",
-          "OAuth completed, but the gateway could not establish a login session.",
-          "error"
-        ),
-        401
-      );
-    }
-    try {
-      const issued = await mintCliTokens({
-        userId,
-        email: session.email,
-        name: session.name,
-      });
-      await saveBrowserRequest(requestId, {
-        status: "complete",
-        createdAt: authRequest.createdAt,
-        result: issued,
-      });
-      logger.info("CLI browser login completed", {
-        requestId,
-        userId,
-        email: session.email,
-      });
-      return c.html(
-        renderPage(
-          "CLI Login Complete",
-          "Authentication succeeded. You can close this tab and return to the terminal.",
-          "success"
-        )
-      );
-    } catch (error) {
-      logger.error("Failed to issue CLI tokens", { requestId, error });
-      await saveBrowserRequest(requestId, {
-        status: "error",
-        createdAt: authRequest.createdAt,
-        error: "Failed to mint CLI tokens.",
-      });
-      return c.html(
-        renderPage(
-          "CLI Login Failed",
-          "The gateway could not mint CLI tokens for this login attempt.",
-          "error"
-        ),
-        500
-      );
-    }
-  });
-  router.post("/refresh", async (c) => {
-    const rawBody = (await c.req.json().catch(() => ({}))) as {
-      refreshToken?: string;
-    };
-    const refreshToken = rawBody.refreshToken?.trim();
-    if (!refreshToken) {
-      return c.json({ error: "Missing refreshToken" }, 400);
-    }
-    const refreshed = await tokenService.refreshTokens(refreshToken);
-    if (!refreshed) {
-      return c.json({ error: "Invalid or expired refresh token." }, 401);
-    }
-    return c.json(refreshed);
-  });
-  router.post("/logout", async (c) => {
-    const rawBody = (await c.req.json().catch(() => ({}))) as {
-      refreshToken?: string;
-    };
-    const refreshToken = rawBody.refreshToken?.trim();
-    if (!refreshToken) {
-      return c.json({ error: "Missing refreshToken" }, 400);
-    }
-    await tokenService.revokeSessionByRefreshToken(refreshToken);
-    return c.json({ ok: true });
-  });
-  router.get("/whoami", async (c) => {
-    const authHeader = c.req.header("authorization");
-    if (!authHeader?.startsWith("Bearer ")) {
-      return c.json({ error: "Missing or invalid Authorization header." }, 401);
-    }
-    const token = authHeader.slice("Bearer ".length).trim();
-    const identity = await tokenService.verifyAccessToken(token);
-    if (!identity) {
-      return c.json({ error: "Invalid or expired access token." }, 401);
-    }
-    return c.json({
-      user: {
-        id: identity.userId,
-        email: identity.email,
-        name: identity.name,
-      },
-      email: identity.email,
-      name: identity.name,
-      userId: identity.userId,
-      expiresAt: identity.expiresAt,
-    });
-  });
-  return router;
-}
-export function createConnectAuthRoutes(config: CliAuthRoutesConfig): Hono {
-  const router = new Hono();
-  const redis = config.queue.getRedisClient();
-  async function loadConnectState(
-    state: string
-  ): Promise<ConnectOauthState | null> {
-    const raw = await redis.get(getConnectStateKey(state));
-    if (!raw) return null;
-    try {
-      return JSON.parse(raw) as ConnectOauthState;
-    } catch {
-      await redis.del(getConnectStateKey(state));
-      return null;
-    }
-  }
-  router.get("/connect/oauth/login", async (c) => {
-    if (!config.externalAuthClient) {
-      return c.html(
-        renderPage(
-          "OAuth Unavailable",
-          "Browser OAuth login is not configured on this gateway.",
-          "error"
-        ),
-        501
-      );
-    }
-    const returnUrl = normalizeReturnUrl(c.req.query("returnUrl"));
-    if (!returnUrl) {
-      return c.html(
-        renderPage(
-          "OAuth Login Failed",
-          "Missing or invalid returnUrl.",
-          "error"
-        ),
-        400
-      );
-    }
-    const existingSession = verifySettingsSession(c);
-    if (existingSession) {
-      return c.redirect(returnUrl);
-    }
-    try {
-      const state = randomBytes(24).toString("base64url");
-      const codeVerifier = config.externalAuthClient.generateCodeVerifier();
-      await redis.setex(
-        getConnectStateKey(state),
-        CONNECT_OAUTH_TTL_SECONDS,
-        JSON.stringify({ returnUrl, codeVerifier } satisfies ConnectOauthState)
-      );
-      const redirectUri = resolvePublicUrl("/connect/oauth/callback", {
-        requestUrl: c.req.url,
-      });
-      const authUrl = await config.externalAuthClient.buildAuthUrl(
-        state,
-        codeVerifier,
-        redirectUri
-      );
-      return c.redirect(authUrl);
-    } catch (error) {
-      logger.error("Failed to start browser OAuth handoff", { error });
-      return c.html(
-        renderPage(
-          "OAuth Login Failed",
-          "The gateway could not start the browser OAuth flow.",
-          "error"
-        ),
-        500
-      );
-    }
-  });
-  /**
-   * Claim route — validates an encrypted claim token and establishes a
-   * settings session cookie, then redirects to the agent config page.
-   */
-  router.get("/connect/claim", async (c) => {
-    const claim = c.req.query("claim")?.trim();
-    const agentParam = c.req.query("agent")?.trim();
-    if (!claim) {
-      return c.html(
-        renderPage("Invalid Link", "Missing claim token.", "error"),
-        400
-      );
-    }
-    const payload = verifySettingsToken(claim);
-    if (!payload) {
-      return c.html(
-        renderPage(
-          "Link Expired",
-          "This settings link has expired or is invalid. Ask the bot to send a new one.",
-          "error"
-        ),
-        410
-      );
-    }
-    setSettingsSessionCookie(c, payload);
-    const targetAgentId = agentParam || payload.agentId;
-    const redirectUrl = targetAgentId
-      ? `/api/v1/agents/${encodeURIComponent(targetAgentId)}/config`
-      : "/api/v1/agents";
-    return c.redirect(redirectUrl);
-  });
-  router.get("/connect/oauth/callback", async (c) => {
-    if (!config.externalAuthClient) {
-      return c.html(
-        renderPage(
-          "OAuth Unavailable",
-          "Browser OAuth login is not configured on this gateway.",
-          "error"
-        ),
-        501
-      );
-    }
-    const code = c.req.query("code")?.trim();
-    const state = c.req.query("state")?.trim();
-    if (!code || !state) {
-      return c.html(
-        renderPage(
-          "OAuth Login Failed",
-          "Missing OAuth code or state.",
-          "error"
-        ),
-        400
-      );
-    }
-    const connectState = await loadConnectState(state);
-    await redis.del(getConnectStateKey(state));
-    if (!connectState) {
-      return c.html(
-        renderPage(
-          "OAuth Login Expired",
-          "This OAuth login request has expired. Start the flow again.",
-          "error"
-        ),
-        410
-      );
-    }
-    try {
-      const redirectUri = resolvePublicUrl("/connect/oauth/callback", {
-        requestUrl: c.req.url,
-      });
-      const credentials = await config.externalAuthClient.exchangeCodeForToken(
-        code,
-        connectState.codeVerifier,
-        redirectUri
-      );
-      const user = await config.externalAuthClient.fetchUserInfo(
-        credentials.accessToken
-      );
-      setSettingsSessionCookie(c, {
-        userId: user.sub,
-        platform: "external",
-        oauthUserId: user.sub,
-        email: user.email,
-        name: user.name,
-        exp: Date.now() + AUTH_REQUEST_TTL_SECONDS * 1000,
-      });
-      return c.redirect(connectState.returnUrl);
-    } catch (error) {
-      logger.error("Failed to complete browser OAuth handoff", { error });
-      return c.html(
-        renderPage(
-          "OAuth Login Failed",
-          "The gateway could not complete the browser OAuth flow.",
-          "error"
-        ),
-        500
-      );
-    }
-  });
-  return router;
-}
-function getRequestKey(requestId: string): string {
-  return `cli:auth:request:${requestId}`;
-}
-function getDeviceRequestKey(deviceAuthId: string): string {
-  return `cli:auth:device:${deviceAuthId}`;
-}
-function getConnectStateKey(state: string): string {
-  return `cli:auth:connect:${state}`;
-}