@nextclaw/server 0.10.8 → 0.10.10

package/dist/index.d.ts

@@ -2,8 +2,8 @@ import * as NextclawCore from '@nextclaw/core';
 import { ThinkingLevel, CronService, Config, ConfigActionExecuteRequest as ConfigActionExecuteRequest$1, ConfigActionExecuteResult as ConfigActionExecuteResult$1 } from '@nextclaw/core';
 import { NcpAgentClientEndpoint, NcpSessionApi, NcpSessionSummary, NcpMessage } from '@nextclaw/ncp';
 import { NcpHttpAgentStreamProvider } from '@nextclaw/ncp-http-agent-server';
-import { Hono } from 'hono';
 import { IncomingMessage } from 'node:http';
+import { Hono } from 'hono';
 
 type MarketplaceItemType = "plugin" | "skill" | "mcp";
 type MarketplaceSort = "relevance" | "updated";
@@ -283,6 +283,67 @@ type MarketplaceApiConfig = {
     installer?: MarketplaceInstaller;
 };
 
+declare class UiAuthService {
+    private readonly configPath;
+    private readonly sessions;
+    constructor(configPath: string);
+    private loadCurrentConfig;
+    private saveCurrentConfig;
+    private readAuthConfig;
+    private isConfigured;
+    isProtectionEnabled(): boolean;
+    private getSessionIdFromCookieHeader;
+    private getValidSession;
+    isRequestAuthenticated(request: Request): boolean;
+    isSocketAuthenticated(request: IncomingMessage): boolean;
+    getStatus(request: Request): AuthStatusView;
+    private createSession;
+    private clearAllSessions;
+    private deleteRequestSession;
+    private buildLoginCookie;
+    buildTrustedRequestCookieHeader(): string | null;
+    buildLogoutCookie(request: Request): string;
+    setup(request: Request, payload: AuthSetupRequest): {
+        status: AuthStatusView;
+        cookie: string;
+    };
+    login(request: Request, payload: AuthLoginRequest): {
+        status: AuthStatusView;
+        cookie: string;
+    };
+    logout(request: Request): void;
+    updatePassword(request: Request, payload: AuthPasswordUpdateRequest): {
+        status: AuthStatusView;
+        cookie?: string;
+    };
+    updateEnabled(request: Request, payload: AuthEnabledUpdateRequest): {
+        status: AuthStatusView;
+        cookie?: string;
+    };
+}
+
+type UiRouterOptions = {
+    configPath: string;
+    productVersion?: string;
+    publish: (event: UiServerEvent) => void;
+    marketplace?: MarketplaceApiConfig;
+    cronService?: InstanceType<typeof NextclawCore.CronService>;
+    chatRuntime?: UiChatRuntime;
+    ncpAgent?: UiNcpAgent;
+    authService?: UiAuthService;
+    remoteAccess?: UiRemoteAccessHost;
+};
+type UiRemoteAccessHost = {
+    getStatus: () => Promise<RemoteAccessView> | RemoteAccessView;
+    login: (input: RemoteLoginRequest) => Promise<RemoteAccessView>;
+    startBrowserAuth: (input: RemoteBrowserAuthStartRequest) => Promise<RemoteBrowserAuthStartResult>;
+    pollBrowserAuth: (input: RemoteBrowserAuthPollRequest) => Promise<RemoteBrowserAuthPollResult>;
+    logout: () => Promise<RemoteAccessView> | RemoteAccessView;
+    updateSettings: (input: RemoteSettingsUpdateRequest) => Promise<RemoteAccessView> | RemoteAccessView;
+    runDoctor: () => Promise<RemoteDoctorView>;
+    controlService: (action: RemoteServiceAction) => Promise<RemoteServiceActionResult>;
+};
+
 type ChatSessionTypeCtaView = {
     kind: string;
     label?: string;
@@ -454,6 +515,96 @@ type AuthPasswordUpdateRequest = {
 type AuthEnabledUpdateRequest = {
     enabled: boolean;
 };
+type RemoteAccountView = {
+    loggedIn: boolean;
+    email?: string;
+    role?: string;
+    platformBase?: string | null;
+    apiBase?: string | null;
+};
+type RemoteRuntimeView = {
+    enabled: boolean;
+    mode: "service" | "foreground";
+    state: "disabled" | "connecting" | "connected" | "disconnected" | "error";
+    deviceId?: string;
+    deviceName?: string;
+    platformBase?: string;
+    localOrigin?: string;
+    lastConnectedAt?: string | null;
+    lastError?: string | null;
+    updatedAt: string;
+};
+type RemoteServiceView = {
+    running: boolean;
+    pid?: number;
+    uiUrl?: string;
+    uiPort?: number;
+    currentProcess: boolean;
+};
+type RemoteSettingsView = {
+    enabled: boolean;
+    deviceName: string;
+    platformApiBase: string;
+};
+type RemoteAccessView = {
+    account: RemoteAccountView;
+    settings: RemoteSettingsView;
+    service: RemoteServiceView;
+    localOrigin: string;
+    configuredEnabled: boolean;
+    platformBase?: string | null;
+    runtime: RemoteRuntimeView | null;
+};
+type RemoteDoctorCheckView = {
+    name: string;
+    ok: boolean;
+    detail: string;
+};
+type RemoteDoctorView = {
+    generatedAt: string;
+    checks: RemoteDoctorCheckView[];
+    snapshot: {
+        configuredEnabled: boolean;
+        runtime: RemoteRuntimeView | null;
+    };
+};
+type RemoteLoginRequest = {
+    email: string;
+    password: string;
+    apiBase?: string;
+    register?: boolean;
+};
+type RemoteBrowserAuthStartRequest = {
+    apiBase?: string;
+};
+type RemoteBrowserAuthStartResult = {
+    sessionId: string;
+    verificationUri: string;
+    expiresAt: string;
+    intervalMs: number;
+};
+type RemoteBrowserAuthPollRequest = {
+    sessionId: string;
+    apiBase?: string;
+};
+type RemoteBrowserAuthPollResult = {
+    status: "pending" | "authorized" | "expired";
+    message?: string;
+    nextPollMs?: number;
+    email?: string;
+    role?: string;
+};
+type RemoteSettingsUpdateRequest = {
+    enabled?: boolean;
+    deviceName?: string;
+    platformApiBase?: string;
+};
+type RemoteServiceAction = "start" | "restart" | "stop";
+type RemoteServiceActionResult = {
+    accepted: boolean;
+    action: RemoteServiceAction;
+    message: string;
+};
 type AgentProfileView = {
     id: string;
     default?: boolean;
@@ -965,6 +1116,7 @@ type UiServerOptions = {
     cronService?: CronService;
     chatRuntime?: UiChatRuntime;
     ncpAgent?: UiNcpAgent;
+    remoteAccess?: UiRemoteAccessHost;
 };
 type UiServerHandle = {
     host: string;
@@ -975,56 +1127,6 @@ type UiServerHandle = {
 
 declare function startUiServer(options: UiServerOptions): UiServerHandle;
 
-declare class UiAuthService {
-    private readonly configPath;
-    private readonly sessions;
-    constructor(configPath: string);
-    private loadCurrentConfig;
-    private saveCurrentConfig;
-    private readAuthConfig;
-    private isConfigured;
-    isProtectionEnabled(): boolean;
-    private getSessionIdFromCookieHeader;
-    private getValidSession;
-    isRequestAuthenticated(request: Request): boolean;
-    isSocketAuthenticated(request: IncomingMessage): boolean;
-    getStatus(request: Request): AuthStatusView;
-    private createSession;
-    private clearAllSessions;
-    private deleteRequestSession;
-    private buildLoginCookie;
-    buildTrustedRequestCookieHeader(): string | null;
-    buildLogoutCookie(request: Request): string;
-    setup(request: Request, payload: AuthSetupRequest): {
-        status: AuthStatusView;
-        cookie: string;
-    };
-    login(request: Request, payload: AuthLoginRequest): {
-        status: AuthStatusView;
-        cookie: string;
-    };
-    logout(request: Request): void;
-    updatePassword(request: Request, payload: AuthPasswordUpdateRequest): {
-        status: AuthStatusView;
-        cookie?: string;
-    };
-    updateEnabled(request: Request, payload: AuthEnabledUpdateRequest): {
-        status: AuthStatusView;
-        cookie?: string;
-    };
-}
-
-type UiRouterOptions = {
-    configPath: string;
-    productVersion?: string;
-    publish: (event: UiServerEvent) => void;
-    marketplace?: MarketplaceApiConfig;
-    cronService?: InstanceType<typeof NextclawCore.CronService>;
-    chatRuntime?: UiChatRuntime;
-    ncpAgent?: UiNcpAgent;
-    authService?: UiAuthService;
-};
-
 declare function createUiRouter(options: UiRouterOptions): Hono;
 
 type ExecuteActionResult = {
@@ -1075,4 +1177,4 @@ declare function getUiBridgeSecretPath(): string;
 declare function readUiBridgeSecret(): string | null;
 declare function ensureUiBridgeSecret(): string;
 
-export { type AgentBindingView, type AgentProfileView, type ApiError, type ApiResponse, type AppMetaView, type AuthEnabledUpdateRequest, type AuthLoginRequest, type AuthPasswordUpdateRequest, type AuthSetupRequest, type AuthStatusView, type BindingPeerView, type BochaFreshnessValue, type ChannelSpecView, type ChatCapabilitiesView, type ChatCommandOptionView, type ChatCommandView, type ChatCommandsView, type ChatRunListView, type ChatRunState, type ChatRunView, type ChatSessionTypeCtaView, type ChatSessionTypeOptionView, type ChatSessionTypesView, type ChatTurnRequest, type ChatTurnResult, type ChatTurnStopRequest, type ChatTurnStopResult, type ChatTurnStreamEvent, type ChatTurnView, type ConfigActionExecuteRequest, type ConfigActionExecuteResult, type ConfigActionManifest, type ConfigActionType, type ConfigMetaView, type ConfigSchemaResponse, type ConfigUiHint, type ConfigUiHints, type ConfigView, type CronActionResult, type CronEnableRequest, type CronJobStateView, type CronJobView, type CronListView, type CronPayloadView, type CronRunRequest, type CronScheduleView, DEFAULT_SESSION_TYPE, type MarketplaceApiConfig, type MarketplaceInstallKind, type MarketplaceInstallSkillParams, type MarketplaceInstallSpec, type MarketplaceInstalledRecord, type MarketplaceInstalledView, type MarketplaceInstaller, type MarketplaceItemSummary, type MarketplaceItemType, type MarketplaceItemView, type MarketplaceListView, type MarketplaceLocalizedTextMap, type MarketplaceMcpContentView, type MarketplaceMcpDoctorResult, type MarketplaceMcpInstallKind, type MarketplaceMcpInstallRequest, type MarketplaceMcpInstallResult, type MarketplaceMcpInstallSpec, type MarketplaceMcpManageAction, type MarketplaceMcpManageRequest, type MarketplaceMcpManageResult, type MarketplaceMcpTemplateInput, type MarketplacePluginContentView, type MarketplacePluginInstallKind, type MarketplacePluginInstallRequest, type MarketplacePluginInstallResult, type MarketplacePluginManageAction, type MarketplacePluginManageRequest, type MarketplacePluginManageResult, type MarketplaceRecommendationView, type MarketplaceSkillContentView, type MarketplaceSkillInstallKind, type MarketplaceSkillInstallRequest, type MarketplaceSkillInstallResult, type MarketplaceSkillManageAction, type MarketplaceSkillManageRequest, type MarketplaceSkillManageResult, type MarketplaceSort, type ProviderAuthImportResult, type ProviderAuthPollRequest, type ProviderAuthPollResult, type ProviderAuthStartRequest, type ProviderAuthStartResult, type ProviderConfigUpdate, type ProviderConfigView, type ProviderConnectionTestRequest, type ProviderConnectionTestResult, type ProviderCreateRequest, type ProviderCreateResult, type ProviderDeleteResult, type ProviderSpecView, type RuntimeConfigUpdate, type SearchConfigUpdate, type SearchConfigView, type SearchProviderConfigView, type SearchProviderName, type SearchProviderSpecView, type SecretProviderEnvView, type SecretProviderExecView, type SecretProviderFileView, type SecretProviderView, type SecretRefView, type SecretSourceView, type SecretsConfigUpdate, type SecretsView, type SessionConfigView, type SessionEntryView, type SessionEventView, type SessionHistoryView, type SessionMessageView, type SessionPatchUpdate, SessionPatchValidationError, type SessionsListView, type UiChatRuntime, type UiNcpAgent, type UiNcpSessionListView, type UiNcpSessionMessagesView, type UiServerEvent, type UiServerHandle, type UiServerOptions, buildConfigMeta, buildConfigSchemaView, buildConfigView, createCustomProvider, createUiRouter, deleteCustomProvider, deleteSession, ensureUiBridgeSecret, executeConfigAction, getSessionHistory, getUiBridgeSecretPath, listSessions, loadConfigOrDefault, patchSession, readUiBridgeSecret, startUiServer, testProviderConnection, updateChannel, updateModel, updateProvider, updateRuntime, updateSearch, updateSecrets };
+export { type AgentBindingView, type AgentProfileView, type ApiError, type ApiResponse, type AppMetaView, type AuthEnabledUpdateRequest, type AuthLoginRequest, type AuthPasswordUpdateRequest, type AuthSetupRequest, type AuthStatusView, type BindingPeerView, type BochaFreshnessValue, type ChannelSpecView, type ChatCapabilitiesView, type ChatCommandOptionView, type ChatCommandView, type ChatCommandsView, type ChatRunListView, type ChatRunState, type ChatRunView, type ChatSessionTypeCtaView, type ChatSessionTypeOptionView, type ChatSessionTypesView, type ChatTurnRequest, type ChatTurnResult, type ChatTurnStopRequest, type ChatTurnStopResult, type ChatTurnStreamEvent, type ChatTurnView, type ConfigActionExecuteRequest, type ConfigActionExecuteResult, type ConfigActionManifest, type ConfigActionType, type ConfigMetaView, type ConfigSchemaResponse, type ConfigUiHint, type ConfigUiHints, type ConfigView, type CronActionResult, type CronEnableRequest, type CronJobStateView, type CronJobView, type CronListView, type CronPayloadView, type CronRunRequest, type CronScheduleView, DEFAULT_SESSION_TYPE, type MarketplaceApiConfig, type MarketplaceInstallKind, type MarketplaceInstallSkillParams, type MarketplaceInstallSpec, type MarketplaceInstalledRecord, type MarketplaceInstalledView, type MarketplaceInstaller, type MarketplaceItemSummary, type MarketplaceItemType, type MarketplaceItemView, type MarketplaceListView, type MarketplaceLocalizedTextMap, type MarketplaceMcpContentView, type MarketplaceMcpDoctorResult, type MarketplaceMcpInstallKind, type MarketplaceMcpInstallRequest, type MarketplaceMcpInstallResult, type MarketplaceMcpInstallSpec, type MarketplaceMcpManageAction, type MarketplaceMcpManageRequest, type MarketplaceMcpManageResult, type MarketplaceMcpTemplateInput, type MarketplacePluginContentView, type MarketplacePluginInstallKind, type MarketplacePluginInstallRequest, type MarketplacePluginInstallResult, type MarketplacePluginManageAction, type MarketplacePluginManageRequest, type MarketplacePluginManageResult, type MarketplaceRecommendationView, type MarketplaceSkillContentView, type MarketplaceSkillInstallKind, type MarketplaceSkillInstallRequest, type MarketplaceSkillInstallResult, type MarketplaceSkillManageAction, type MarketplaceSkillManageRequest, type MarketplaceSkillManageResult, type MarketplaceSort, type ProviderAuthImportResult, type ProviderAuthPollRequest, type ProviderAuthPollResult, type ProviderAuthStartRequest, type ProviderAuthStartResult, type ProviderConfigUpdate, type ProviderConfigView, type ProviderConnectionTestRequest, type ProviderConnectionTestResult, type ProviderCreateRequest, type ProviderCreateResult, type ProviderDeleteResult, type ProviderSpecView, type RemoteAccessView, type RemoteAccountView, type RemoteBrowserAuthPollRequest, type RemoteBrowserAuthPollResult, type RemoteBrowserAuthStartRequest, type RemoteBrowserAuthStartResult, type RemoteDoctorCheckView, type RemoteDoctorView, type RemoteLoginRequest, type RemoteRuntimeView, type RemoteServiceAction, type RemoteServiceActionResult, type RemoteServiceView, type RemoteSettingsUpdateRequest, type RemoteSettingsView, type RuntimeConfigUpdate, type SearchConfigUpdate, type SearchConfigView, type SearchProviderConfigView, type SearchProviderName, type SearchProviderSpecView, type SecretProviderEnvView, type SecretProviderExecView, type SecretProviderFileView, type SecretProviderView, type SecretRefView, type SecretSourceView, type SecretsConfigUpdate, type SecretsView, type SessionConfigView, type SessionEntryView, type SessionEventView, type SessionHistoryView, type SessionMessageView, type SessionPatchUpdate, SessionPatchValidationError, type SessionsListView, type UiChatRuntime, type UiNcpAgent, type UiNcpSessionListView, type UiNcpSessionMessagesView, type UiRemoteAccessHost, type UiServerEvent, type UiServerHandle, type UiServerOptions, buildConfigMeta, buildConfigSchemaView, buildConfigView, createCustomProvider, createUiRouter, deleteCustomProvider, deleteSession, ensureUiBridgeSecret, executeConfigAction, getSessionHistory, getUiBridgeSecretPath, listSessions, loadConfigOrDefault, patchSession, readUiBridgeSecret, startUiServer, testProviderConnection, updateChannel, updateModel, updateProvider, updateRuntime, updateSearch, updateSecrets };

package/dist/index.js

@@ -4847,6 +4847,119 @@ var SkillMarketplaceController = class {
   };
 };
 
+// src/ui/router/remote.controller.ts
+var REMOTE_SERVICE_ACTIONS = /* @__PURE__ */ new Set(["start", "restart", "stop"]);
+function readBoolean(value) {
+  return typeof value === "boolean" ? value : void 0;
+}
+function readTrimmedString(value) {
+  return typeof value === "string" ? value.trim() : void 0;
+}
+var RemoteRoutesController = class {
+  constructor(host) {
+    this.host = host;
+  }
+  getStatus = async (c) => {
+    try {
+      return c.json(ok(await this.host.getStatus()));
+    } catch (error) {
+      return c.json(err("REMOTE_STATUS_FAILED", formatUserFacingError(error)), 500);
+    }
+  };
+  getDoctor = async (c) => {
+    try {
+      return c.json(ok(await this.host.runDoctor()));
+    } catch (error) {
+      return c.json(err("REMOTE_DOCTOR_FAILED", formatUserFacingError(error)), 500);
+    }
+  };
+  login = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const email = readNonEmptyString(body.data.email);
+    const password = readNonEmptyString(body.data.password);
+    if (!email || !password) {
+      return c.json(err("INVALID_BODY", "email and password are required"), 400);
+    }
+    try {
+      return c.json(ok(await this.host.login({
+        email,
+        password,
+        apiBase: readTrimmedString(body.data.apiBase),
+        register: readBoolean(body.data.register)
+      })));
+    } catch (error) {
+      return c.json(err("REMOTE_LOGIN_FAILED", formatUserFacingError(error)), 400);
+    }
+  };
+  startBrowserAuth = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    try {
+      return c.json(ok(await this.host.startBrowserAuth({
+        apiBase: readTrimmedString(body.data.apiBase)
+      })));
+    } catch (error) {
+      return c.json(err("REMOTE_BROWSER_AUTH_START_FAILED", formatUserFacingError(error)), 400);
+    }
+  };
+  pollBrowserAuth = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const sessionId = readNonEmptyString(body.data.sessionId);
+    if (!sessionId) {
+      return c.json(err("INVALID_BODY", "sessionId is required"), 400);
+    }
+    try {
+      return c.json(ok(await this.host.pollBrowserAuth({
+        sessionId,
+        apiBase: readTrimmedString(body.data.apiBase)
+      })));
+    } catch (error) {
+      return c.json(err("REMOTE_BROWSER_AUTH_POLL_FAILED", formatUserFacingError(error)), 400);
+    }
+  };
+  logout = async (c) => {
+    try {
+      return c.json(ok(await this.host.logout()));
+    } catch (error) {
+      return c.json(err("REMOTE_LOGOUT_FAILED", formatUserFacingError(error)), 500);
+    }
+  };
+  updateSettings = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    try {
+      return c.json(ok(await this.host.updateSettings({
+        enabled: readBoolean(body.data.enabled),
+        deviceName: readTrimmedString(body.data.deviceName),
+        platformApiBase: readTrimmedString(body.data.platformApiBase)
+      })));
+    } catch (error) {
+      return c.json(err("REMOTE_SETTINGS_FAILED", formatUserFacingError(error)), 400);
+    }
+  };
+  controlService = async (c) => {
+    const action = c.req.param("action");
+    if (!REMOTE_SERVICE_ACTIONS.has(action)) {
+      return c.json(err("INVALID_ACTION", "unsupported remote service action"), 400);
+    }
+    try {
+      return c.json(ok(await this.host.controlService(action)));
+    } catch (error) {
+      return c.json(err("REMOTE_SERVICE_FAILED", formatUserFacingError(error)), 400);
+    }
+  };
+};
+
 // src/ui/router/session.controller.ts
 var SessionRoutesController = class {
   constructor(options) {
@@ -4926,37 +5039,7 @@ function registerAuthRoutes(app, authController) {
   app.put("/api/auth/enabled", authController.updateEnabled);
   app.post("/api/auth/bridge", authController.issueBridgeSession);
 }
-function createUiRouter(options) {
-  const app = new Hono();
-  const marketplaceBaseUrl = normalizeMarketplaceBaseUrl(options);
-  const authService = options.authService ?? new UiAuthService(options.configPath);
-  const appController = new AppRoutesController(options);
-  const authController = new AuthRoutesController(authService);
-  const configController = new ConfigRoutesController(options);
-  const chatController = new ChatRoutesController(options);
-  const sessionController = new SessionRoutesController(options);
-  const cronController = new CronRoutesController(options);
-  const ncpSessionController = new NcpSessionRoutesController(options);
-  const pluginMarketplaceController = new PluginMarketplaceController(options, marketplaceBaseUrl);
-  const skillMarketplaceController = new SkillMarketplaceController(options, marketplaceBaseUrl);
-  const mcpMarketplaceController = new McpMarketplaceController(options, marketplaceBaseUrl);
-  app.notFound((c) => c.json(err("NOT_FOUND", "endpoint not found"), 404));
-  app.use("/api/*", async (c, next) => {
-    const path = c.req.path;
-    if (path === "/api/health" || path.startsWith("/api/auth/")) {
-      await next();
-      return;
-    }
-    if (!authService.isProtectionEnabled() || authService.isRequestAuthenticated(c.req.raw)) {
-      await next();
-      return;
-    }
-    c.status(401);
-    return c.json(err("UNAUTHORIZED", "Authentication required."), 401);
-  });
-  app.get("/api/health", appController.health);
-  app.get("/api/app/meta", appController.appMeta);
-  registerAuthRoutes(app, authController);
+function registerConfigRoutes(app, configController) {
   app.get("/api/config", configController.getConfig);
   app.get("/api/config/meta", configController.getConfigMeta);
   app.get("/api/config/schema", configController.getConfigSchema);
@@ -4973,6 +5056,8 @@ function createUiRouter(options) {
   app.put("/api/config/secrets", configController.updateSecrets);
   app.put("/api/config/runtime", configController.updateRuntime);
   app.post("/api/config/actions/:actionId/execute", configController.executeAction);
+}
+function registerChatRoutes(app, chatController) {
   app.get("/api/chat/capabilities", chatController.getCapabilities);
   app.get("/api/chat/session-types", chatController.getSessionTypes);
   app.get("/api/chat/commands", chatController.getCommands);
@@ -4982,27 +5067,86 @@ function createUiRouter(options) {
   app.get("/api/chat/runs", chatController.listRuns);
   app.get("/api/chat/runs/:runId", chatController.getRun);
   app.get("/api/chat/runs/:runId/stream", chatController.streamRun);
+}
+function registerSessionRoutes(app, sessionController) {
   app.get("/api/sessions", sessionController.listSessions);
   app.get("/api/sessions/:key/history", sessionController.getSessionHistory);
   app.put("/api/sessions/:key", sessionController.patchSession);
   app.delete("/api/sessions/:key", sessionController.deleteSession);
-  if (options.ncpAgent) {
-    mountNcpHttpAgentRoutes(app, {
-      basePath: options.ncpAgent.basePath ?? "/api/ncp/agent",
-      agentClientEndpoint: options.ncpAgent.agentClientEndpoint,
-      streamProvider: options.ncpAgent.streamProvider
-    });
-    app.get("/api/ncp/session-types", ncpSessionController.getSessionTypes);
-    app.get("/api/ncp/sessions", ncpSessionController.listSessions);
-    app.get("/api/ncp/sessions/:sessionId", ncpSessionController.getSession);
-    app.put("/api/ncp/sessions/:sessionId", ncpSessionController.patchSession);
-    app.get("/api/ncp/sessions/:sessionId/messages", ncpSessionController.listSessionMessages);
-    app.delete("/api/ncp/sessions/:sessionId", ncpSessionController.deleteSession);
+}
+function registerNcpRoutes(app, options, ncpSessionController) {
+  if (!options.ncpAgent) {
+    return;
   }
+  mountNcpHttpAgentRoutes(app, {
+    basePath: options.ncpAgent.basePath ?? "/api/ncp/agent",
+    agentClientEndpoint: options.ncpAgent.agentClientEndpoint,
+    streamProvider: options.ncpAgent.streamProvider
+  });
+  app.get("/api/ncp/session-types", ncpSessionController.getSessionTypes);
+  app.get("/api/ncp/sessions", ncpSessionController.listSessions);
+  app.get("/api/ncp/sessions/:sessionId", ncpSessionController.getSession);
+  app.put("/api/ncp/sessions/:sessionId", ncpSessionController.patchSession);
+  app.get("/api/ncp/sessions/:sessionId/messages", ncpSessionController.listSessionMessages);
+  app.delete("/api/ncp/sessions/:sessionId", ncpSessionController.deleteSession);
+}
+function registerCronRoutes(app, cronController) {
   app.get("/api/cron", cronController.listJobs);
   app.delete("/api/cron/:id", cronController.deleteJob);
   app.put("/api/cron/:id/enable", cronController.enableJob);
   app.post("/api/cron/:id/run", cronController.runJob);
+}
+function registerRemoteRoutes(app, remoteController) {
+  if (!remoteController) {
+    return;
+  }
+  app.get("/api/remote/status", remoteController.getStatus);
+  app.get("/api/remote/doctor", remoteController.getDoctor);
+  app.post("/api/remote/login", remoteController.login);
+  app.post("/api/remote/auth/start", remoteController.startBrowserAuth);
+  app.post("/api/remote/auth/poll", remoteController.pollBrowserAuth);
+  app.post("/api/remote/logout", remoteController.logout);
+  app.put("/api/remote/settings", remoteController.updateSettings);
+  app.post("/api/remote/service/:action", remoteController.controlService);
+}
+function createUiRouter(options) {
+  const app = new Hono();
+  const marketplaceBaseUrl = normalizeMarketplaceBaseUrl(options);
+  const authService = options.authService ?? new UiAuthService(options.configPath);
+  const appController = new AppRoutesController(options);
+  const authController = new AuthRoutesController(authService);
+  const configController = new ConfigRoutesController(options);
+  const chatController = new ChatRoutesController(options);
+  const sessionController = new SessionRoutesController(options);
+  const cronController = new CronRoutesController(options);
+  const ncpSessionController = new NcpSessionRoutesController(options);
+  const remoteController = options.remoteAccess ? new RemoteRoutesController(options.remoteAccess) : null;
+  const pluginMarketplaceController = new PluginMarketplaceController(options, marketplaceBaseUrl);
+  const skillMarketplaceController = new SkillMarketplaceController(options, marketplaceBaseUrl);
+  const mcpMarketplaceController = new McpMarketplaceController(options, marketplaceBaseUrl);
+  app.notFound((c) => c.json(err("NOT_FOUND", "endpoint not found"), 404));
+  app.use("/api/*", async (c, next) => {
+    const path = c.req.path;
+    if (path === "/api/health" || path.startsWith("/api/auth/")) {
+      await next();
+      return;
+    }
+    if (!authService.isProtectionEnabled() || authService.isRequestAuthenticated(c.req.raw)) {
+      await next();
+      return;
+    }
+    c.status(401);
+    return c.json(err("UNAUTHORIZED", "Authentication required."), 401);
+  });
+  app.get("/api/health", appController.health);
+  app.get("/api/app/meta", appController.appMeta);
+  registerAuthRoutes(app, authController);
+  registerConfigRoutes(app, configController);
+  registerChatRoutes(app, chatController);
+  registerSessionRoutes(app, sessionController);
+  registerNcpRoutes(app, options, ncpSessionController);
+  registerCronRoutes(app, cronController);
+  registerRemoteRoutes(app, remoteController);
   mountMarketplaceRoutes(app, {
     plugin: pluginMarketplaceController,
     skill: skillMarketplaceController,
@@ -5047,7 +5191,8 @@ function startUiServer(options) {
       cronService: options.cronService,
       chatRuntime: options.chatRuntime,
       ncpAgent: options.ncpAgent,
-      authService
+      authService,
+      remoteAccess: options.remoteAccess
     })
   );
   const staticDir = options.staticDir;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nextclaw/server",
-  "version": "0.10.8",
+  "version": "0.10.10",
   "private": false,
   "description": "Nextclaw UI/API server.",
   "type": "module",
@@ -18,12 +18,12 @@
     "@hono/node-server": "^1.13.3",
     "hono": "^4.6.2",
     "ws": "^8.18.0",
+    "@nextclaw/mcp": "0.1.10",
     "@nextclaw/ncp": "0.3.1",
     "@nextclaw/openclaw-compat": "0.3.8",
-    "@nextclaw/ncp-http-agent-server": "0.3.1",
-    "@nextclaw/runtime": "0.2.5",
     "@nextclaw/core": "0.9.5",
-    "@nextclaw/mcp": "0.1.8"
+    "@nextclaw/ncp-http-agent-server": "0.3.1",
+    "@nextclaw/runtime": "0.2.5"
   },
   "devDependencies": {
     "@types/node": "^20.17.6",