@nextclaw/server 0.6.12 → 0.6.13

package/dist/index.js

@@ -10,8 +10,80 @@ import { join } from "path";
 
 // src/ui/router.ts
 import { Hono } from "hono";
-import * as NextclawCore from "@nextclaw/core";
-import { buildPluginStatusReport } from "@nextclaw/openclaw-compat";
+
+// src/ui/router/response.ts
+function ok(data) {
+  return { ok: true, data };
+}
+function err(code, message, details) {
+  return { ok: false, error: { code, message, details } };
+}
+async function readJson(req) {
+  try {
+    const data = await req.json();
+    return { ok: true, data };
+  } catch {
+    return { ok: false };
+  }
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function readErrorMessage(value, fallback) {
+  if (!isRecord(value)) {
+    return fallback;
+  }
+  const maybeError = value.error;
+  if (!isRecord(maybeError)) {
+    return fallback;
+  }
+  return typeof maybeError.message === "string" && maybeError.message.trim().length > 0 ? maybeError.message : fallback;
+}
+function readNonEmptyString(value) {
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  return trimmed || void 0;
+}
+function formatUserFacingError(error, maxChars = 320) {
+  const raw = error instanceof Error ? error.message || error.name || "Unknown error" : String(error ?? "Unknown error");
+  const normalized = raw.replace(/\s+/g, " ").trim();
+  if (!normalized) {
+    return "Unknown error";
+  }
+  if (normalized.length <= maxChars) {
+    return normalized;
+  }
+  return `${normalized.slice(0, Math.max(0, maxChars - 3)).trimEnd()}...`;
+}
+
+// src/ui/router/app.controller.ts
+function buildAppMetaView(options) {
+  const productVersion = options.productVersion?.trim();
+  return {
+    name: "NextClaw",
+    productVersion: productVersion && productVersion.length > 0 ? productVersion : "0.0.0"
+  };
+}
+var AppRoutesController = class {
+  constructor(options) {
+    this.options = options;
+  }
+  health = (c) => c.json(
+    ok({
+      status: "ok",
+      services: {
+        chatRuntime: this.options.chatRuntime ? "ready" : "unavailable",
+        cronService: this.options.cronService ? "ready" : "unavailable"
+      }
+    })
+  );
+  appMeta = (c) => c.json(ok(buildAppMetaView(this.options)));
+};
+
+// src/ui/router/chat.controller.ts
+import * as NextclawCore2 from "@nextclaw/core";
 
 // src/ui/config.ts
 import {
@@ -1329,569 +1401,1761 @@ function updateSecrets(configPath, patch) {
   };
 }
 
-// src/ui/provider-auth.ts
-import { createHash, randomBytes, randomUUID } from "crypto";
-import { readFile } from "fs/promises";
-import { homedir } from "os";
-import { isAbsolute, resolve } from "path";
-import {
-  ConfigSchema as ConfigSchema2,
-  loadConfig as loadConfig2,
-  saveConfig as saveConfig2
-} from "@nextclaw/core";
-var authSessions = /* @__PURE__ */ new Map();
-var DEFAULT_AUTH_INTERVAL_MS = 2e3;
-var MAX_AUTH_INTERVAL_MS = 1e4;
-function normalizePositiveInt(value, fallback) {
-  if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
-    return fallback;
-  }
-  return Math.floor(value);
+// src/ui/router/chat-utils.ts
+import * as NextclawCore from "@nextclaw/core";
+function normalizeSessionType2(value) {
+  return readNonEmptyString(value)?.toLowerCase();
 }
-function normalizePositiveFloat(value) {
-  if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
-    return null;
+function resolveSessionTypeLabel(sessionType) {
+  if (sessionType === "native") {
+    return "Native";
   }
-  return value;
-}
-function toBase64Url(buffer) {
-  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-}
-function buildPkce() {
-  const verifier = toBase64Url(randomBytes(48));
-  const challenge = toBase64Url(createHash("sha256").update(verifier).digest());
-  return { verifier, challenge };
-}
-function withTrailingSlash(value) {
-  return value.endsWith("/") ? value : `${value}/`;
-}
-function cleanupExpiredAuthSessions(now = Date.now()) {
-  for (const [sessionId, session] of authSessions.entries()) {
-    if (session.expiresAtMs <= now) {
-      authSessions.delete(sessionId);
-    }
+  if (sessionType === "codex-sdk") {
+    return "Codex";
   }
-}
-function resolveDeviceCodeEndpoints(baseUrl, deviceCodePath, tokenPath) {
-  const deviceCodeEndpoint = new URL(deviceCodePath, withTrailingSlash(baseUrl)).toString();
-  const tokenEndpoint = new URL(tokenPath, withTrailingSlash(baseUrl)).toString();
-  return { deviceCodeEndpoint, tokenEndpoint };
-}
-function resolveAuthNote(params) {
-  return params.zh ?? params.en;
-}
-function resolveLocalizedMethodLabel(method, fallbackId) {
-  return method.label?.zh ?? method.label?.en ?? fallbackId;
-}
-function resolveLocalizedMethodHint(method) {
-  return method.hint?.zh ?? method.hint?.en;
-}
-function normalizeMethodId(value) {
-  if (typeof value !== "string") {
-    return void 0;
+  if (sessionType === "claude-agent-sdk") {
+    return "Claude Code";
   }
-  const trimmed = value.trim();
-  return trimmed.length > 0 ? trimmed : void 0;
+  return sessionType;
 }
-function resolveAuthMethod(auth, requestedMethodId) {
-  const protocol = auth.protocol ?? "rfc8628";
-  const methods = (auth.methods ?? []).filter((entry) => normalizeMethodId(entry.id));
-  const cleanRequestedMethodId = normalizeMethodId(requestedMethodId);
-  if (methods.length === 0) {
-    if (cleanRequestedMethodId) {
-      throw new Error(`provider auth method is not supported: ${cleanRequestedMethodId}`);
-    }
+async function buildChatSessionTypesView(chatRuntime) {
+  if (!chatRuntime?.listSessionTypes) {
     return {
-      protocol,
-      baseUrl: auth.baseUrl,
-      deviceCodePath: auth.deviceCodePath,
-      tokenPath: auth.tokenPath,
-      clientId: auth.clientId,
-      scope: auth.scope,
-      grantType: auth.grantType,
-      usePkce: Boolean(auth.usePkce)
+      defaultType: DEFAULT_SESSION_TYPE,
+      options: [{ value: DEFAULT_SESSION_TYPE, label: resolveSessionTypeLabel(DEFAULT_SESSION_TYPE) }]
     };
   }
-  let selectedMethod = methods.find((entry) => normalizeMethodId(entry.id) === cleanRequestedMethodId);
-  if (!selectedMethod) {
-    const fallbackMethodId = normalizeMethodId(auth.defaultMethodId) ?? normalizeMethodId(methods[0]?.id);
-    selectedMethod = methods.find((entry) => normalizeMethodId(entry.id) === fallbackMethodId) ?? methods[0];
+  const payload = await chatRuntime.listSessionTypes();
+  const deduped = /* @__PURE__ */ new Map();
+  for (const rawOption of payload.options ?? []) {
+    const normalized = normalizeSessionType2(rawOption.value);
+    if (!normalized) {
+      continue;
+    }
+    deduped.set(normalized, {
+      value: normalized,
+      label: readNonEmptyString(rawOption.label) ?? resolveSessionTypeLabel(normalized)
+    });
   }
-  const methodId = normalizeMethodId(selectedMethod?.id);
-  if (!selectedMethod || !methodId) {
-    throw new Error("provider auth method is not configured");
+  if (!deduped.has(DEFAULT_SESSION_TYPE)) {
+    deduped.set(DEFAULT_SESSION_TYPE, {
+      value: DEFAULT_SESSION_TYPE,
+      label: resolveSessionTypeLabel(DEFAULT_SESSION_TYPE)
+    });
   }
-  if (cleanRequestedMethodId && methodId !== cleanRequestedMethodId) {
-    throw new Error(`provider auth method is not supported: ${cleanRequestedMethodId}`);
+  const defaultType = normalizeSessionType2(payload.defaultType) ?? DEFAULT_SESSION_TYPE;
+  if (!deduped.has(defaultType)) {
+    deduped.set(defaultType, {
+      value: defaultType,
+      label: resolveSessionTypeLabel(defaultType)
+    });
   }
+  const options = Array.from(deduped.values()).sort((left, right) => {
+    if (left.value === DEFAULT_SESSION_TYPE) {
+      return -1;
+    }
+    if (right.value === DEFAULT_SESSION_TYPE) {
+      return 1;
+    }
+    return left.value.localeCompare(right.value);
+  });
   return {
-    id: methodId,
-    protocol,
-    baseUrl: selectedMethod.baseUrl ?? auth.baseUrl,
-    deviceCodePath: selectedMethod.deviceCodePath ?? auth.deviceCodePath,
-    tokenPath: selectedMethod.tokenPath ?? auth.tokenPath,
-    clientId: selectedMethod.clientId ?? auth.clientId,
-    scope: selectedMethod.scope ?? auth.scope,
-    grantType: selectedMethod.grantType ?? auth.grantType,
-    usePkce: selectedMethod.usePkce ?? Boolean(auth.usePkce),
-    defaultApiBase: selectedMethod.defaultApiBase
+    defaultType,
+    options
   };
 }
-function parseExpiresAtMs(value, fallbackFromNowMs) {
-  const normalized = normalizePositiveFloat(value);
-  if (normalized === null) {
-    return Date.now() + fallbackFromNowMs;
-  }
-  if (normalized >= 1e12) {
-    return Math.floor(normalized);
-  }
-  if (normalized >= 1e9) {
-    return Math.floor(normalized * 1e3);
-  }
-  return Date.now() + Math.floor(normalized * 1e3);
+function resolveAgentIdFromSessionKey(sessionKey) {
+  const parsed = NextclawCore.parseAgentScopedSessionKey(sessionKey);
+  const agentId = readNonEmptyString(parsed?.agentId);
+  return agentId;
 }
-function parsePollIntervalMs(value, fallbackMs) {
-  const normalized = normalizePositiveFloat(value);
-  if (normalized === null) {
-    return fallbackMs;
-  }
-  if (normalized <= 30) {
-    return Math.floor(normalized * 1e3);
-  }
-  return Math.floor(normalized);
+function createChatRunId() {
+  const now = Date.now().toString(36);
+  const rand = Math.random().toString(36).slice(2, 10);
+  return `run-${now}-${rand}`;
 }
-function buildMinimaxErrorMessage(payload, fallback) {
-  if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
-    return fallback;
-  }
-  const record = payload;
-  if (typeof record.error_description === "string" && record.error_description.trim()) {
-    return record.error_description.trim();
-  }
-  if (typeof record.error === "string" && record.error.trim()) {
-    return record.error.trim();
+function isChatRunState(value) {
+  return value === "queued" || value === "running" || value === "completed" || value === "failed" || value === "aborted";
+}
+function readChatRunStates(value) {
+  if (typeof value !== "string") {
+    return void 0;
   }
-  const baseMessage = record.base_resp?.status_msg;
-  if (typeof baseMessage === "string" && baseMessage.trim()) {
-    return baseMessage.trim();
+  const values = value.split(",").map((item) => item.trim().toLowerCase()).filter((item) => Boolean(item) && isChatRunState(item));
+  if (values.length === 0) {
+    return void 0;
   }
-  return fallback;
+  return Array.from(new Set(values));
 }
-function classifyMiniMaxErrorStatus(message) {
-  const normalized = message.toLowerCase();
-  if (normalized.includes("deny") || normalized.includes("rejected")) {
-    return "denied";
-  }
-  if (normalized.includes("expired") || normalized.includes("timeout") || normalized.includes("timed out")) {
-    return "expired";
-  }
-  return "error";
+function buildChatTurnView(params) {
+  const completedAt = /* @__PURE__ */ new Date();
+  return {
+    reply: String(params.result.reply ?? ""),
+    sessionKey: readNonEmptyString(params.result.sessionKey) ?? params.fallbackSessionKey,
+    ...readNonEmptyString(params.result.agentId) || params.requestedAgentId ? { agentId: readNonEmptyString(params.result.agentId) ?? params.requestedAgentId } : {},
+    ...readNonEmptyString(params.result.model) || params.requestedModel ? { model: readNonEmptyString(params.result.model) ?? params.requestedModel } : {},
+    requestedAt: params.requestedAt.toISOString(),
+    completedAt: completedAt.toISOString(),
+    durationMs: Math.max(0, completedAt.getTime() - params.startedAtMs)
+  };
 }
-function resolveHomePath(inputPath) {
-  const trimmed = inputPath.trim();
-  if (!trimmed) {
-    return trimmed;
-  }
-  if (trimmed === "~") {
-    return homedir();
-  }
-  if (trimmed.startsWith("~/")) {
-    return resolve(homedir(), trimmed.slice(2));
-  }
-  if (isAbsolute(trimmed)) {
-    return trimmed;
-  }
-  return resolve(trimmed);
+function buildChatTurnViewFromRun(params) {
+  const requestedAt = readNonEmptyString(params.run.requestedAt) ?? (/* @__PURE__ */ new Date()).toISOString();
+  const completedAt = readNonEmptyString(params.run.completedAt) ?? (/* @__PURE__ */ new Date()).toISOString();
+  const requestedAtMs = Date.parse(requestedAt);
+  const completedAtMs = Date.parse(completedAt);
+  return {
+    reply: readNonEmptyString(params.run.reply) ?? params.fallbackReply ?? "",
+    sessionKey: readNonEmptyString(params.run.sessionKey) ?? params.fallbackSessionKey,
+    ...readNonEmptyString(params.run.agentId) || params.fallbackAgentId ? { agentId: readNonEmptyString(params.run.agentId) ?? params.fallbackAgentId } : {},
+    ...readNonEmptyString(params.run.model) || params.fallbackModel ? { model: readNonEmptyString(params.run.model) ?? params.fallbackModel } : {},
+    requestedAt,
+    completedAt,
+    durationMs: Number.isFinite(requestedAtMs) && Number.isFinite(completedAtMs) ? Math.max(0, completedAtMs - requestedAtMs) : 0
+  };
 }
-function normalizeExpiresAt(value) {
-  if (typeof value === "number" && Number.isFinite(value) && value > 0) {
-    return Math.floor(value);
-  }
-  if (typeof value === "string" && value.trim()) {
-    const asNumber = Number(value);
-    if (Number.isFinite(asNumber) && asNumber > 0) {
-      return Math.floor(asNumber);
-    }
-    const parsedTime = Date.parse(value);
-    if (Number.isFinite(parsedTime) && parsedTime > 0) {
-      return parsedTime;
-    }
-  }
-  return null;
+function toSseFrame(event, data) {
+  return `event: ${event}
+data: ${JSON.stringify(data)}
+
+`;
 }
-function readFieldAsString(source, fieldName) {
-  if (!fieldName) {
-    return null;
-  }
-  const rawValue = source[fieldName];
-  if (typeof rawValue !== "string") {
-    return null;
+
+// src/ui/router/chat.controller.ts
+var ChatRoutesController = class {
+  constructor(options) {
+    this.options = options;
   }
-  const trimmed = rawValue.trim();
-  return trimmed.length > 0 ? trimmed : null;
-}
-function setProviderApiKey(params) {
-  const config = loadConfig2(params.configPath);
-  const providers = config.providers;
-  if (!providers[params.provider]) {
-    providers[params.provider] = {
-      displayName: "",
-      apiKey: "",
-      apiBase: null,
-      extraHeaders: null,
-      wireApi: "auto",
-      models: [],
-      modelThinking: {}
+  getCapabilities = async (c) => {
+    const chatRuntime = this.options.chatRuntime;
+    if (!chatRuntime) {
+      return c.json(err("NOT_AVAILABLE", "chat runtime unavailable"), 503);
+    }
+    const query = c.req.query();
+    const params = {
+      sessionKey: readNonEmptyString(query.sessionKey),
+      agentId: readNonEmptyString(query.agentId)
     };
-  }
-  const target = providers[params.provider];
-  target.apiKey = params.accessToken;
-  if (!target.apiBase && params.defaultApiBase) {
-    target.apiBase = params.defaultApiBase;
-  }
-  const next = ConfigSchema2.parse(config);
-  saveConfig2(next, params.configPath);
-}
-async function startProviderAuth(configPath, providerName, options) {
-  cleanupExpiredAuthSessions();
-  const spec = findServerBuiltinProviderByName(providerName);
-  if (!spec?.auth || spec.auth.kind !== "device_code") {
-    return null;
-  }
-  const resolvedMethod = resolveAuthMethod(spec.auth, options?.methodId);
-  const { deviceCodeEndpoint, tokenEndpoint } = resolveDeviceCodeEndpoints(
-    resolvedMethod.baseUrl,
-    resolvedMethod.deviceCodePath,
-    resolvedMethod.tokenPath
-  );
-  const pkce = resolvedMethod.usePkce ? buildPkce() : null;
-  let authorizationCode = "";
-  let tokenCodeField = "device_code";
-  let userCode = "";
-  let verificationUri = "";
-  let intervalMs = DEFAULT_AUTH_INTERVAL_MS;
-  let expiresAtMs = Date.now() + 6e5;
-  if (resolvedMethod.protocol === "minimax_user_code") {
-    if (!pkce) {
-      throw new Error("MiniMax OAuth requires PKCE");
+    try {
+      const capabilities = chatRuntime.getCapabilities ? await chatRuntime.getCapabilities(params) : { stopSupported: Boolean(chatRuntime.stopTurn) };
+      return c.json(ok(capabilities));
+    } catch (error) {
+      return c.json(err("CHAT_RUNTIME_FAILED", String(error)), 500);
     }
-    const state = toBase64Url(randomBytes(16));
-    const body = new URLSearchParams({
-      response_type: "code",
-      client_id: resolvedMethod.clientId,
-      scope: resolvedMethod.scope,
-      code_challenge: pkce.challenge,
-      code_challenge_method: "S256",
-      state
-    });
-    const response = await fetch(deviceCodeEndpoint, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json",
-        "x-request-id": randomUUID()
-      },
-      body
-    });
-    const payload = await response.json().catch(() => ({}));
-    if (!response.ok) {
-      throw new Error(buildMinimaxErrorMessage(payload, response.statusText || "MiniMax OAuth start failed"));
+  };
+  getSessionTypes = async (c) => {
+    try {
+      const payload = await buildChatSessionTypesView(this.options.chatRuntime);
+      return c.json(ok(payload));
+    } catch (error) {
+      return c.json(err("CHAT_SESSION_TYPES_FAILED", String(error)), 500);
     }
-    if (payload.state && payload.state !== state) {
-      throw new Error("MiniMax OAuth state mismatch");
+  };
+  getCommands = async (c) => {
+    try {
+      const config = loadConfigOrDefault(this.options.configPath);
+      const registry = new NextclawCore2.CommandRegistry(config);
+      const commands = registry.listSlashCommands().map((command) => ({
+        name: command.name,
+        description: command.description,
+        ...Array.isArray(command.options) && command.options.length > 0 ? {
+          options: command.options.map((option) => ({
+            name: option.name,
+            description: option.description,
+            type: option.type,
+            ...option.required === true ? { required: true } : {}
+          }))
+        } : {}
+      }));
+      const payload = {
+        commands,
+        total: commands.length
+      };
+      return c.json(ok(payload));
+    } catch (error) {
+      return c.json(err("CHAT_COMMANDS_FAILED", String(error)), 500);
     }
-    authorizationCode = payload.user_code?.trim() ?? "";
-    userCode = authorizationCode;
-    verificationUri = payload.verification_uri?.trim() ?? "";
-    if (!authorizationCode || !verificationUri) {
-      throw new Error("provider auth payload is incomplete");
+  };
+  processTurn = async (c) => {
+    if (!this.options.chatRuntime) {
+      return c.json(err("NOT_AVAILABLE", "chat runtime unavailable"), 503);
     }
-    tokenCodeField = "user_code";
-    intervalMs = Math.min(parsePollIntervalMs(payload.interval, DEFAULT_AUTH_INTERVAL_MS), MAX_AUTH_INTERVAL_MS);
-    expiresAtMs = parseExpiresAtMs(payload.expired_in, 6e5);
-  } else {
-    const body = new URLSearchParams({
-      client_id: resolvedMethod.clientId,
-      scope: resolvedMethod.scope
-    });
-    if (pkce) {
-      body.set("code_challenge", pkce.challenge);
-      body.set("code_challenge_method", "S256");
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
     }
-    const response = await fetch(deviceCodeEndpoint, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json"
-      },
-      body
-    });
-    const payload = await response.json().catch(() => ({}));
-    if (!response.ok) {
-      const message = payload.error_description || payload.error || response.statusText || "device code auth failed";
-      throw new Error(message);
+    const message = readNonEmptyString(body.data.message);
+    if (!message) {
+      return c.json(err("INVALID_BODY", "message is required"), 400);
     }
-    authorizationCode = payload.device_code?.trim() ?? "";
-    userCode = payload.user_code?.trim() ?? "";
-    verificationUri = payload.verification_uri_complete?.trim() || payload.verification_uri?.trim() || "";
-    if (!authorizationCode || !userCode || !verificationUri) {
-      throw new Error("provider auth payload is incomplete");
+    const sessionKey = readNonEmptyString(body.data.sessionKey) ?? `ui:${Date.now().toString(36)}:${Math.random().toString(36).slice(2, 8)}`;
+    const requestedAt = /* @__PURE__ */ new Date();
+    const startedAtMs = requestedAt.getTime();
+    const metadata = isRecord(body.data.metadata) ? body.data.metadata : void 0;
+    const requestedAgentId = readNonEmptyString(body.data.agentId) ?? resolveAgentIdFromSessionKey(sessionKey);
+    const requestedModel = readNonEmptyString(body.data.model);
+    const request = {
+      message,
+      sessionKey,
+      channel: readNonEmptyString(body.data.channel) ?? "ui",
+      chatId: readNonEmptyString(body.data.chatId) ?? "web-ui",
+      ...requestedAgentId ? { agentId: requestedAgentId } : {},
+      ...requestedModel ? { model: requestedModel } : {},
+      ...metadata ? { metadata } : {}
+    };
+    try {
+      const result = await this.options.chatRuntime.processTurn(request);
+      const response = buildChatTurnView({
+        result,
+        fallbackSessionKey: sessionKey,
+        requestedAgentId,
+        requestedModel,
+        requestedAt,
+        startedAtMs
+      });
+      this.options.publish({ type: "config.updated", payload: { path: "session" } });
+      return c.json(ok(response));
+    } catch (error) {
+      return c.json(err("CHAT_TURN_FAILED", formatUserFacingError(error)), 500);
     }
-    intervalMs = normalizePositiveInt(payload.interval, DEFAULT_AUTH_INTERVAL_MS / 1e3) * 1e3;
-    const expiresInSec = normalizePositiveInt(payload.expires_in, 600);
-    expiresAtMs = Date.now() + expiresInSec * 1e3;
-  }
-  const sessionId = randomUUID();
-  authSessions.set(sessionId, {
-    sessionId,
-    provider: providerName,
-    configPath,
-    authorizationCode,
-    tokenCodeField,
-    protocol: resolvedMethod.protocol,
-    methodId: resolvedMethod.id,
-    codeVerifier: pkce?.verifier,
-    tokenEndpoint,
-    clientId: resolvedMethod.clientId,
-    grantType: resolvedMethod.grantType,
-    defaultApiBase: resolvedMethod.defaultApiBase ?? spec.defaultApiBase,
-    expiresAtMs,
-    intervalMs
-  });
-  const methodConfig = (spec.auth.methods ?? []).find((entry) => normalizeMethodId(entry.id) === resolvedMethod.id);
-  const methodLabel = methodConfig ? resolveLocalizedMethodLabel(methodConfig, resolvedMethod.id ?? "") : void 0;
-  const methodHint = methodConfig ? resolveLocalizedMethodHint(methodConfig) : void 0;
-  return {
-    provider: providerName,
-    kind: "device_code",
-    methodId: resolvedMethod.id,
-    sessionId,
-    verificationUri,
-    userCode,
-    expiresAt: new Date(expiresAtMs).toISOString(),
-    intervalMs,
-    note: methodHint ?? methodLabel ?? resolveAuthNote(spec.auth.note ?? {})
   };
-}
-async function pollProviderAuth(params) {
-  cleanupExpiredAuthSessions();
-  const session = authSessions.get(params.sessionId);
-  if (!session || session.provider !== params.providerName || session.configPath !== params.configPath) {
-    return null;
-  }
-  if (Date.now() >= session.expiresAtMs) {
-    authSessions.delete(params.sessionId);
-    return {
-      provider: params.providerName,
-      status: "expired",
-      message: "authorization session expired"
+  stopTurn = async (c) => {
+    const chatRuntime = this.options.chatRuntime;
+    if (!chatRuntime?.stopTurn) {
+      return c.json(err("NOT_AVAILABLE", "chat turn stop is not supported by runtime"), 503);
+    }
+    const body = await readJson(c.req.raw);
+    if (!body.ok || !body.data || typeof body.data !== "object") {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const runId = readNonEmptyString(body.data.runId);
+    if (!runId) {
+      return c.json(err("INVALID_BODY", "runId is required"), 400);
+    }
+    const request = {
+      runId,
+      ...readNonEmptyString(body.data.sessionKey) ? { sessionKey: readNonEmptyString(body.data.sessionKey) } : {},
+      ...readNonEmptyString(body.data.agentId) ? { agentId: readNonEmptyString(body.data.agentId) } : {}
     };
-  }
-  const body = new URLSearchParams({
-    grant_type: session.grantType,
-    client_id: session.clientId
-  });
-  body.set(session.tokenCodeField, session.authorizationCode);
-  if (session.codeVerifier) {
-    body.set("code_verifier", session.codeVerifier);
-  }
-  const response = await fetch(session.tokenEndpoint, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      Accept: "application/json"
-    },
-    body
-  });
-  let accessToken = "";
-  if (session.protocol === "minimax_user_code") {
-    const raw = await response.text();
-    let payload = {};
-    if (raw) {
-      try {
-        payload = JSON.parse(raw);
-      } catch {
-        payload = {};
-      }
+    try {
+      const result = await chatRuntime.stopTurn(request);
+      return c.json(ok(result));
+    } catch (error) {
+      return c.json(err("CHAT_TURN_STOP_FAILED", String(error)), 500);
     }
-    if (!response.ok) {
-      const message = buildMinimaxErrorMessage(payload, raw || response.statusText || "authorization failed");
-      return {
-        provider: params.providerName,
-        status: "error",
-        message
-      };
+  };
+  streamTurn = async (c) => {
+    const chatRuntime = this.options.chatRuntime;
+    if (!chatRuntime) {
+      return c.json(err("NOT_AVAILABLE", "chat runtime unavailable"), 503);
     }
-    const status = payload.status?.trim().toLowerCase();
-    if (status === "success") {
-      accessToken = payload.access_token?.trim() ?? "";
-      if (!accessToken) {
-        return {
-          provider: params.providerName,
-          status: "error",
-          message: "provider token response missing access token"
-        };
-      }
-    } else if (status === "error") {
-      const message = buildMinimaxErrorMessage(payload, "authorization failed");
-      const classified = classifyMiniMaxErrorStatus(message);
-      if (classified === "denied" || classified === "expired") {
-        authSessions.delete(params.sessionId);
-      }
-      return {
-        provider: params.providerName,
-        status: classified,
-        message
-      };
-    } else {
-      const nextPollMs = Math.min(Math.floor(session.intervalMs * 1.5), MAX_AUTH_INTERVAL_MS);
-      session.intervalMs = nextPollMs;
-      authSessions.set(params.sessionId, session);
-      return {
-        provider: params.providerName,
-        status: "pending",
-        nextPollMs
-      };
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
     }
-  } else {
-    const payload = await response.json().catch(() => ({}));
-    if (!response.ok) {
-      const errorCode = payload.error?.trim().toLowerCase();
-      if (errorCode === "authorization_pending") {
-        return {
-          provider: params.providerName,
-          status: "pending",
-          nextPollMs: session.intervalMs
-        };
-      }
-      if (errorCode === "slow_down") {
-        const nextPollMs = Math.min(Math.floor(session.intervalMs * 1.5), MAX_AUTH_INTERVAL_MS);
-        session.intervalMs = nextPollMs;
-        authSessions.set(params.sessionId, session);
-        return {
-          provider: params.providerName,
-          status: "pending",
-          nextPollMs
+    const message = readNonEmptyString(body.data.message);
+    if (!message) {
+      return c.json(err("INVALID_BODY", "message is required"), 400);
+    }
+    const sessionKey = readNonEmptyString(body.data.sessionKey) ?? `ui:${Date.now().toString(36)}:${Math.random().toString(36).slice(2, 8)}`;
+    const requestedAt = /* @__PURE__ */ new Date();
+    const startedAtMs = requestedAt.getTime();
+    const metadata = isRecord(body.data.metadata) ? body.data.metadata : void 0;
+    const requestedAgentId = readNonEmptyString(body.data.agentId) ?? resolveAgentIdFromSessionKey(sessionKey);
+    const requestedModel = readNonEmptyString(body.data.model);
+    let runId = createChatRunId();
+    const supportsManagedRuns = Boolean(chatRuntime.startTurnRun && chatRuntime.streamRun);
+    let stopCapabilities = { stopSupported: Boolean(chatRuntime.stopTurn) };
+    if (chatRuntime.getCapabilities) {
+      try {
+        stopCapabilities = await chatRuntime.getCapabilities({
+          sessionKey,
+          ...requestedAgentId ? { agentId: requestedAgentId } : {}
+        });
+      } catch {
+        stopCapabilities = {
+          stopSupported: false,
+          stopReason: "failed to resolve runtime stop capability"
         };
       }
-      if (errorCode === "access_denied") {
-        authSessions.delete(params.sessionId);
-        return {
-          provider: params.providerName,
-          status: "denied",
-          message: payload.error_description || "authorization denied"
-        };
+    }
+    const request = {
+      message,
+      sessionKey,
+      channel: readNonEmptyString(body.data.channel) ?? "ui",
+      chatId: readNonEmptyString(body.data.chatId) ?? "web-ui",
+      runId,
+      ...requestedAgentId ? { agentId: requestedAgentId } : {},
+      ...requestedModel ? { model: requestedModel } : {},
+      ...metadata ? { metadata } : {}
+    };
+    let managedRun = null;
+    if (supportsManagedRuns && chatRuntime.startTurnRun) {
+      try {
+        managedRun = await chatRuntime.startTurnRun(request);
+      } catch (error) {
+        return c.json(err("CHAT_TURN_FAILED", formatUserFacingError(error)), 500);
       }
-      if (errorCode === "expired_token") {
-        authSessions.delete(params.sessionId);
-        return {
-          provider: params.providerName,
-          status: "expired",
-          message: payload.error_description || "authorization session expired"
-        };
+      if (readNonEmptyString(managedRun.runId)) {
+        runId = readNonEmptyString(managedRun.runId);
       }
-      return {
-        provider: params.providerName,
-        status: "error",
-        message: payload.error_description || payload.error || response.statusText || "authorization failed"
-      };
-    }
-    accessToken = payload.access_token?.trim() ?? "";
-    if (!accessToken) {
-      return {
-        provider: params.providerName,
-        status: "error",
-        message: "provider token response missing access token"
+      stopCapabilities = {
+        stopSupported: managedRun.stopSupported,
+        ...readNonEmptyString(managedRun.stopReason) ? { stopReason: readNonEmptyString(managedRun.stopReason) } : {}
       };
     }
-  }
-  setProviderApiKey({
-    configPath: params.configPath,
-    provider: params.providerName,
-    accessToken,
-    defaultApiBase: session.defaultApiBase
-  });
-  authSessions.delete(params.sessionId);
-  return {
-    provider: params.providerName,
-    status: "authorized"
-  };
-}
-async function importProviderAuthFromCli(configPath, providerName) {
-  const spec = findServerBuiltinProviderByName(providerName);
-  if (!spec?.auth || spec.auth.kind !== "device_code" || !spec.auth.cliCredential) {
-    return null;
-  }
-  const credentialPath = resolveHomePath(spec.auth.cliCredential.path);
-  if (!credentialPath) {
-    throw new Error("provider cli credential path is empty");
-  }
-  let rawContent = "";
-  try {
-    rawContent = await readFile(credentialPath, "utf8");
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    throw new Error(`failed to read CLI credential: ${message}`);
-  }
-  let payload;
-  try {
-    const parsed = JSON.parse(rawContent);
+    const encoder = new TextEncoder();
+    const stream = new ReadableStream({
+      start: async (controller) => {
+        const push = (event, data) => {
+          controller.enqueue(encoder.encode(toSseFrame(event, data)));
+        };
+        try {
+          push("ready", {
+            sessionKey: managedRun?.sessionKey ?? sessionKey,
+            requestedAt: managedRun?.requestedAt ?? requestedAt.toISOString(),
+            runId,
+            stopSupported: stopCapabilities.stopSupported,
+            ...readNonEmptyString(stopCapabilities.stopReason) ? { stopReason: readNonEmptyString(stopCapabilities.stopReason) } : {}
+          });
+          if (supportsManagedRuns && chatRuntime.streamRun) {
+            let hasFinal2 = false;
+            for await (const event of chatRuntime.streamRun({ runId })) {
+              const typed = event;
+              if (typed.type === "delta") {
+                if (typed.delta) {
+                  push("delta", { delta: typed.delta });
+                }
+                continue;
+              }
+              if (typed.type === "session_event") {
+                push("session_event", typed.event);
+                continue;
+              }
+              if (typed.type === "final") {
+                const latestRun = chatRuntime.getRun ? await chatRuntime.getRun({ runId }) : null;
+                const response = latestRun ? buildChatTurnViewFromRun({
+                  run: latestRun,
+                  fallbackSessionKey: sessionKey,
+                  fallbackAgentId: requestedAgentId,
+                  fallbackModel: requestedModel,
+                  fallbackReply: typed.result.reply
+                }) : buildChatTurnView({
+                  result: typed.result,
+                  fallbackSessionKey: sessionKey,
+                  requestedAgentId,
+                  requestedModel,
+                  requestedAt,
+                  startedAtMs
+                });
+                hasFinal2 = true;
+                push("final", response);
+                this.options.publish({ type: "config.updated", payload: { path: "session" } });
+                continue;
+              }
+              if (typed.type === "error") {
+                push("error", {
+                  code: "CHAT_TURN_FAILED",
+                  message: formatUserFacingError(typed.error)
+                });
+                return;
+              }
+            }
+            if (!hasFinal2) {
+              push("error", {
+                code: "CHAT_TURN_FAILED",
+                message: "stream ended without a final result"
+              });
+              return;
+            }
+            push("done", { ok: true });
+            return;
+          }
+          const streamTurn = chatRuntime.processTurnStream;
+          if (!streamTurn) {
+            const result = await chatRuntime.processTurn(request);
+            const response = buildChatTurnView({
+              result,
+              fallbackSessionKey: sessionKey,
+              requestedAgentId,
+              requestedModel,
+              requestedAt,
+              startedAtMs
+            });
+            push("final", response);
+            this.options.publish({ type: "config.updated", payload: { path: "session" } });
+            push("done", { ok: true });
+            return;
+          }
+          let hasFinal = false;
+          for await (const event of streamTurn(request)) {
+            const typed = event;
+            if (typed.type === "delta") {
+              if (typed.delta) {
+                push("delta", { delta: typed.delta });
+              }
+              continue;
+            }
+            if (typed.type === "session_event") {
+              push("session_event", typed.event);
+              continue;
+            }
+            if (typed.type === "final") {
+              const response = buildChatTurnView({
+                result: typed.result,
+                fallbackSessionKey: sessionKey,
+                requestedAgentId,
+                requestedModel,
+                requestedAt,
+                startedAtMs
+              });
+              hasFinal = true;
+              push("final", response);
+              this.options.publish({ type: "config.updated", payload: { path: "session" } });
+              continue;
+            }
+            if (typed.type === "error") {
+              push("error", {
+                code: "CHAT_TURN_FAILED",
+                message: formatUserFacingError(typed.error)
+              });
+              return;
+            }
+          }
+          if (!hasFinal) {
+            push("error", {
+              code: "CHAT_TURN_FAILED",
+              message: "stream ended without a final result"
+            });
+            return;
+          }
+          push("done", { ok: true });
+        } catch (error) {
+          push("error", {
+            code: "CHAT_TURN_FAILED",
+            message: formatUserFacingError(error)
+          });
+        } finally {
+          controller.close();
+        }
+      }
+    });
+    return new Response(stream, {
+      status: 200,
+      headers: {
+        "Content-Type": "text/event-stream; charset=utf-8",
+        "Cache-Control": "no-cache, no-transform",
+        "Connection": "keep-alive",
+        "X-Accel-Buffering": "no"
+      }
+    });
+  };
+  listRuns = async (c) => {
+    const chatRuntime = this.options.chatRuntime;
+    if (!chatRuntime?.listRuns) {
+      return c.json(err("NOT_AVAILABLE", "chat run management unavailable"), 503);
+    }
+    const query = c.req.query();
+    const sessionKey = readNonEmptyString(query.sessionKey);
+    const states = readChatRunStates(query.states);
+    const limit = typeof query.limit === "string" ? Number.parseInt(query.limit, 10) : void 0;
+    try {
+      const data = await chatRuntime.listRuns({
+        ...sessionKey ? { sessionKey } : {},
+        ...states ? { states } : {},
+        ...Number.isFinite(limit) ? { limit } : {}
+      });
+      return c.json(ok(data));
+    } catch (error) {
+      return c.json(err("CHAT_RUN_QUERY_FAILED", String(error)), 500);
+    }
+  };
+  getRun = async (c) => {
+    const chatRuntime = this.options.chatRuntime;
+    if (!chatRuntime?.getRun) {
+      return c.json(err("NOT_AVAILABLE", "chat run management unavailable"), 503);
+    }
+    const runId = readNonEmptyString(c.req.param("runId"));
+    if (!runId) {
+      return c.json(err("INVALID_PATH", "runId is required"), 400);
+    }
+    try {
+      const run = await chatRuntime.getRun({ runId });
+      if (!run) {
+        return c.json(err("NOT_FOUND", `chat run not found: ${runId}`), 404);
+      }
+      return c.json(ok(run));
+    } catch (error) {
+      return c.json(err("CHAT_RUN_QUERY_FAILED", String(error)), 500);
+    }
+  };
+  streamRun = async (c) => {
+    const chatRuntime = this.options.chatRuntime;
+    const streamRun = chatRuntime?.streamRun;
+    const getRun = chatRuntime?.getRun;
+    if (!streamRun || !getRun) {
+      return c.json(err("NOT_AVAILABLE", "chat run stream unavailable"), 503);
+    }
+    const runId = readNonEmptyString(c.req.param("runId"));
+    if (!runId) {
+      return c.json(err("INVALID_PATH", "runId is required"), 400);
+    }
+    const query = c.req.query();
+    const fromEventIndex = typeof query.fromEventIndex === "string" ? Number.parseInt(query.fromEventIndex, 10) : void 0;
+    const run = await getRun({ runId });
+    if (!run) {
+      return c.json(err("NOT_FOUND", `chat run not found: ${runId}`), 404);
+    }
+    const encoder = new TextEncoder();
+    const stream = new ReadableStream({
+      start: async (controller) => {
+        const push = (event, data) => {
+          controller.enqueue(encoder.encode(toSseFrame(event, data)));
+        };
+        try {
+          push("ready", {
+            sessionKey: run.sessionKey,
+            requestedAt: run.requestedAt,
+            runId: run.runId,
+            stopSupported: run.stopSupported,
+            ...readNonEmptyString(run.stopReason) ? { stopReason: readNonEmptyString(run.stopReason) } : {}
+          });
+          let hasFinal = false;
+          for await (const event of streamRun({
+            runId: run.runId,
+            ...Number.isFinite(fromEventIndex) ? { fromEventIndex } : {}
+          })) {
+            const typed = event;
+            if (typed.type === "delta") {
+              if (typed.delta) {
+                push("delta", { delta: typed.delta });
+              }
+              continue;
+            }
+            if (typed.type === "session_event") {
+              push("session_event", typed.event);
+              continue;
+            }
+            if (typed.type === "final") {
+              const latestRun = await getRun({ runId: run.runId });
+              const response = latestRun ? buildChatTurnViewFromRun({
+                run: latestRun,
+                fallbackSessionKey: run.sessionKey,
+                fallbackAgentId: run.agentId,
+                fallbackModel: run.model,
+                fallbackReply: typed.result.reply
+              }) : buildChatTurnView({
+                result: typed.result,
+                fallbackSessionKey: run.sessionKey,
+                requestedAgentId: run.agentId,
+                requestedModel: run.model,
+                requestedAt: new Date(run.requestedAt),
+                startedAtMs: Date.parse(run.requestedAt)
+              });
+              hasFinal = true;
+              push("final", response);
+              continue;
+            }
+            if (typed.type === "error") {
+              push("error", {
+                code: "CHAT_TURN_FAILED",
+                message: formatUserFacingError(typed.error)
+              });
+              return;
+            }
+          }
+          if (!hasFinal) {
+            const latestRun = await getRun({ runId: run.runId });
+            if (latestRun?.state === "failed") {
+              push("error", {
+                code: "CHAT_TURN_FAILED",
+                message: formatUserFacingError(latestRun.error ?? "chat run failed")
+              });
+              return;
+            }
+          }
+          push("done", { ok: true });
+        } catch (error) {
+          push("error", {
+            code: "CHAT_TURN_FAILED",
+            message: formatUserFacingError(error)
+          });
+        } finally {
+          controller.close();
+        }
+      }
+    });
+    return new Response(stream, {
+      status: 200,
+      headers: {
+        "Content-Type": "text/event-stream; charset=utf-8",
+        "Cache-Control": "no-cache, no-transform",
+        "Connection": "keep-alive",
+        "X-Accel-Buffering": "no"
+      }
+    });
+  };
+};
+
+// src/ui/provider-auth.ts
+import { createHash, randomBytes, randomUUID } from "crypto";
+import { readFile } from "fs/promises";
+import { homedir } from "os";
+import { isAbsolute, resolve } from "path";
+import {
+  ConfigSchema as ConfigSchema2,
+  loadConfig as loadConfig2,
+  saveConfig as saveConfig2
+} from "@nextclaw/core";
+var authSessions = /* @__PURE__ */ new Map();
+var DEFAULT_AUTH_INTERVAL_MS = 2e3;
+var MAX_AUTH_INTERVAL_MS = 1e4;
+function normalizePositiveInt(value, fallback) {
+  if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
+    return fallback;
+  }
+  return Math.floor(value);
+}
+function normalizePositiveFloat(value) {
+  if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
+    return null;
+  }
+  return value;
+}
+function toBase64Url(buffer) {
+  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function buildPkce() {
+  const verifier = toBase64Url(randomBytes(48));
+  const challenge = toBase64Url(createHash("sha256").update(verifier).digest());
+  return { verifier, challenge };
+}
+function withTrailingSlash(value) {
+  return value.endsWith("/") ? value : `${value}/`;
+}
+function cleanupExpiredAuthSessions(now = Date.now()) {
+  for (const [sessionId, session] of authSessions.entries()) {
+    if (session.expiresAtMs <= now) {
+      authSessions.delete(sessionId);
+    }
+  }
+}
+function resolveDeviceCodeEndpoints(baseUrl, deviceCodePath, tokenPath) {
+  const deviceCodeEndpoint = new URL(deviceCodePath, withTrailingSlash(baseUrl)).toString();
+  const tokenEndpoint = new URL(tokenPath, withTrailingSlash(baseUrl)).toString();
+  return { deviceCodeEndpoint, tokenEndpoint };
+}
+function resolveAuthNote(params) {
+  return params.zh ?? params.en;
+}
+function resolveLocalizedMethodLabel(method, fallbackId) {
+  return method.label?.zh ?? method.label?.en ?? fallbackId;
+}
+function resolveLocalizedMethodHint(method) {
+  return method.hint?.zh ?? method.hint?.en;
+}
+function normalizeMethodId(value) {
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : void 0;
+}
+function resolveAuthMethod(auth, requestedMethodId) {
+  const protocol = auth.protocol ?? "rfc8628";
+  const methods = (auth.methods ?? []).filter((entry) => normalizeMethodId(entry.id));
+  const cleanRequestedMethodId = normalizeMethodId(requestedMethodId);
+  if (methods.length === 0) {
+    if (cleanRequestedMethodId) {
+      throw new Error(`provider auth method is not supported: ${cleanRequestedMethodId}`);
+    }
+    return {
+      protocol,
+      baseUrl: auth.baseUrl,
+      deviceCodePath: auth.deviceCodePath,
+      tokenPath: auth.tokenPath,
+      clientId: auth.clientId,
+      scope: auth.scope,
+      grantType: auth.grantType,
+      usePkce: Boolean(auth.usePkce)
+    };
+  }
+  let selectedMethod = methods.find((entry) => normalizeMethodId(entry.id) === cleanRequestedMethodId);
+  if (!selectedMethod) {
+    const fallbackMethodId = normalizeMethodId(auth.defaultMethodId) ?? normalizeMethodId(methods[0]?.id);
+    selectedMethod = methods.find((entry) => normalizeMethodId(entry.id) === fallbackMethodId) ?? methods[0];
+  }
+  const methodId = normalizeMethodId(selectedMethod?.id);
+  if (!selectedMethod || !methodId) {
+    throw new Error("provider auth method is not configured");
+  }
+  if (cleanRequestedMethodId && methodId !== cleanRequestedMethodId) {
+    throw new Error(`provider auth method is not supported: ${cleanRequestedMethodId}`);
+  }
+  return {
+    id: methodId,
+    protocol,
+    baseUrl: selectedMethod.baseUrl ?? auth.baseUrl,
+    deviceCodePath: selectedMethod.deviceCodePath ?? auth.deviceCodePath,
+    tokenPath: selectedMethod.tokenPath ?? auth.tokenPath,
+    clientId: selectedMethod.clientId ?? auth.clientId,
+    scope: selectedMethod.scope ?? auth.scope,
+    grantType: selectedMethod.grantType ?? auth.grantType,
+    usePkce: selectedMethod.usePkce ?? Boolean(auth.usePkce),
+    defaultApiBase: selectedMethod.defaultApiBase
+  };
+}
+function parseExpiresAtMs(value, fallbackFromNowMs) {
+  const normalized = normalizePositiveFloat(value);
+  if (normalized === null) {
+    return Date.now() + fallbackFromNowMs;
+  }
+  if (normalized >= 1e12) {
+    return Math.floor(normalized);
+  }
+  if (normalized >= 1e9) {
+    return Math.floor(normalized * 1e3);
+  }
+  return Date.now() + Math.floor(normalized * 1e3);
+}
+function parsePollIntervalMs(value, fallbackMs) {
+  const normalized = normalizePositiveFloat(value);
+  if (normalized === null) {
+    return fallbackMs;
+  }
+  if (normalized <= 30) {
+    return Math.floor(normalized * 1e3);
+  }
+  return Math.floor(normalized);
+}
+function buildMinimaxErrorMessage(payload, fallback) {
+  if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
+    return fallback;
+  }
+  const record = payload;
+  if (typeof record.error_description === "string" && record.error_description.trim()) {
+    return record.error_description.trim();
+  }
+  if (typeof record.error === "string" && record.error.trim()) {
+    return record.error.trim();
+  }
+  const baseMessage = record.base_resp?.status_msg;
+  if (typeof baseMessage === "string" && baseMessage.trim()) {
+    return baseMessage.trim();
+  }
+  return fallback;
+}
+function classifyMiniMaxErrorStatus(message) {
+  const normalized = message.toLowerCase();
+  if (normalized.includes("deny") || normalized.includes("rejected")) {
+    return "denied";
+  }
+  if (normalized.includes("expired") || normalized.includes("timeout") || normalized.includes("timed out")) {
+    return "expired";
+  }
+  return "error";
+}
+function resolveHomePath(inputPath) {
+  const trimmed = inputPath.trim();
+  if (!trimmed) {
+    return trimmed;
+  }
+  if (trimmed === "~") {
+    return homedir();
+  }
+  if (trimmed.startsWith("~/")) {
+    return resolve(homedir(), trimmed.slice(2));
+  }
+  if (isAbsolute(trimmed)) {
+    return trimmed;
+  }
+  return resolve(trimmed);
+}
+function normalizeExpiresAt(value) {
+  if (typeof value === "number" && Number.isFinite(value) && value > 0) {
+    return Math.floor(value);
+  }
+  if (typeof value === "string" && value.trim()) {
+    const asNumber = Number(value);
+    if (Number.isFinite(asNumber) && asNumber > 0) {
+      return Math.floor(asNumber);
+    }
+    const parsedTime = Date.parse(value);
+    if (Number.isFinite(parsedTime) && parsedTime > 0) {
+      return parsedTime;
+    }
+  }
+  return null;
+}
+function readFieldAsString(source, fieldName) {
+  if (!fieldName) {
+    return null;
+  }
+  const rawValue = source[fieldName];
+  if (typeof rawValue !== "string") {
+    return null;
+  }
+  const trimmed = rawValue.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function setProviderApiKey(params) {
+  const config = loadConfig2(params.configPath);
+  const providers = config.providers;
+  if (!providers[params.provider]) {
+    providers[params.provider] = {
+      displayName: "",
+      apiKey: "",
+      apiBase: null,
+      extraHeaders: null,
+      wireApi: "auto",
+      models: [],
+      modelThinking: {}
+    };
+  }
+  const target = providers[params.provider];
+  target.apiKey = params.accessToken;
+  if (!target.apiBase && params.defaultApiBase) {
+    target.apiBase = params.defaultApiBase;
+  }
+  const next = ConfigSchema2.parse(config);
+  saveConfig2(next, params.configPath);
+}
+async function startProviderAuth(configPath, providerName, options) {
+  cleanupExpiredAuthSessions();
+  const spec = findServerBuiltinProviderByName(providerName);
+  if (!spec?.auth || spec.auth.kind !== "device_code") {
+    return null;
+  }
+  const resolvedMethod = resolveAuthMethod(spec.auth, options?.methodId);
+  const { deviceCodeEndpoint, tokenEndpoint } = resolveDeviceCodeEndpoints(
+    resolvedMethod.baseUrl,
+    resolvedMethod.deviceCodePath,
+    resolvedMethod.tokenPath
+  );
+  const pkce = resolvedMethod.usePkce ? buildPkce() : null;
+  let authorizationCode = "";
+  let tokenCodeField = "device_code";
+  let userCode = "";
+  let verificationUri = "";
+  let intervalMs = DEFAULT_AUTH_INTERVAL_MS;
+  let expiresAtMs = Date.now() + 6e5;
+  if (resolvedMethod.protocol === "minimax_user_code") {
+    if (!pkce) {
+      throw new Error("MiniMax OAuth requires PKCE");
+    }
+    const state = toBase64Url(randomBytes(16));
+    const body = new URLSearchParams({
+      response_type: "code",
+      client_id: resolvedMethod.clientId,
+      scope: resolvedMethod.scope,
+      code_challenge: pkce.challenge,
+      code_challenge_method: "S256",
+      state
+    });
+    const response = await fetch(deviceCodeEndpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+        "x-request-id": randomUUID()
+      },
+      body
+    });
+    const payload = await response.json().catch(() => ({}));
+    if (!response.ok) {
+      throw new Error(buildMinimaxErrorMessage(payload, response.statusText || "MiniMax OAuth start failed"));
+    }
+    if (payload.state && payload.state !== state) {
+      throw new Error("MiniMax OAuth state mismatch");
+    }
+    authorizationCode = payload.user_code?.trim() ?? "";
+    userCode = authorizationCode;
+    verificationUri = payload.verification_uri?.trim() ?? "";
+    if (!authorizationCode || !verificationUri) {
+      throw new Error("provider auth payload is incomplete");
+    }
+    tokenCodeField = "user_code";
+    intervalMs = Math.min(parsePollIntervalMs(payload.interval, DEFAULT_AUTH_INTERVAL_MS), MAX_AUTH_INTERVAL_MS);
+    expiresAtMs = parseExpiresAtMs(payload.expired_in, 6e5);
+  } else {
+    const body = new URLSearchParams({
+      client_id: resolvedMethod.clientId,
+      scope: resolvedMethod.scope
+    });
+    if (pkce) {
+      body.set("code_challenge", pkce.challenge);
+      body.set("code_challenge_method", "S256");
+    }
+    const response = await fetch(deviceCodeEndpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body
+    });
+    const payload = await response.json().catch(() => ({}));
+    if (!response.ok) {
+      const message = payload.error_description || payload.error || response.statusText || "device code auth failed";
+      throw new Error(message);
+    }
+    authorizationCode = payload.device_code?.trim() ?? "";
+    userCode = payload.user_code?.trim() ?? "";
+    verificationUri = payload.verification_uri_complete?.trim() || payload.verification_uri?.trim() || "";
+    if (!authorizationCode || !userCode || !verificationUri) {
+      throw new Error("provider auth payload is incomplete");
+    }
+    intervalMs = normalizePositiveInt(payload.interval, DEFAULT_AUTH_INTERVAL_MS / 1e3) * 1e3;
+    const expiresInSec = normalizePositiveInt(payload.expires_in, 600);
+    expiresAtMs = Date.now() + expiresInSec * 1e3;
+  }
+  const sessionId = randomUUID();
+  authSessions.set(sessionId, {
+    sessionId,
+    provider: providerName,
+    configPath,
+    authorizationCode,
+    tokenCodeField,
+    protocol: resolvedMethod.protocol,
+    methodId: resolvedMethod.id,
+    codeVerifier: pkce?.verifier,
+    tokenEndpoint,
+    clientId: resolvedMethod.clientId,
+    grantType: resolvedMethod.grantType,
+    defaultApiBase: resolvedMethod.defaultApiBase ?? spec.defaultApiBase,
+    expiresAtMs,
+    intervalMs
+  });
+  const methodConfig = (spec.auth.methods ?? []).find((entry) => normalizeMethodId(entry.id) === resolvedMethod.id);
+  const methodLabel = methodConfig ? resolveLocalizedMethodLabel(methodConfig, resolvedMethod.id ?? "") : void 0;
+  const methodHint = methodConfig ? resolveLocalizedMethodHint(methodConfig) : void 0;
+  return {
+    provider: providerName,
+    kind: "device_code",
+    methodId: resolvedMethod.id,
+    sessionId,
+    verificationUri,
+    userCode,
+    expiresAt: new Date(expiresAtMs).toISOString(),
+    intervalMs,
+    note: methodHint ?? methodLabel ?? resolveAuthNote(spec.auth.note ?? {})
+  };
+}
+async function pollProviderAuth(params) {
+  cleanupExpiredAuthSessions();
+  const session = authSessions.get(params.sessionId);
+  if (!session || session.provider !== params.providerName || session.configPath !== params.configPath) {
+    return null;
+  }
+  if (Date.now() >= session.expiresAtMs) {
+    authSessions.delete(params.sessionId);
+    return {
+      provider: params.providerName,
+      status: "expired",
+      message: "authorization session expired"
+    };
+  }
+  const body = new URLSearchParams({
+    grant_type: session.grantType,
+    client_id: session.clientId
+  });
+  body.set(session.tokenCodeField, session.authorizationCode);
+  if (session.codeVerifier) {
+    body.set("code_verifier", session.codeVerifier);
+  }
+  const response = await fetch(session.tokenEndpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body
+  });
+  let accessToken = "";
+  if (session.protocol === "minimax_user_code") {
+    const raw = await response.text();
+    let payload = {};
+    if (raw) {
+      try {
+        payload = JSON.parse(raw);
+      } catch {
+        payload = {};
+      }
+    }
+    if (!response.ok) {
+      const message = buildMinimaxErrorMessage(payload, raw || response.statusText || "authorization failed");
+      return {
+        provider: params.providerName,
+        status: "error",
+        message
+      };
+    }
+    const status = payload.status?.trim().toLowerCase();
+    if (status === "success") {
+      accessToken = payload.access_token?.trim() ?? "";
+      if (!accessToken) {
+        return {
+          provider: params.providerName,
+          status: "error",
+          message: "provider token response missing access token"
+        };
+      }
+    } else if (status === "error") {
+      const message = buildMinimaxErrorMessage(payload, "authorization failed");
+      const classified = classifyMiniMaxErrorStatus(message);
+      if (classified === "denied" || classified === "expired") {
+        authSessions.delete(params.sessionId);
+      }
+      return {
+        provider: params.providerName,
+        status: classified,
+        message
+      };
+    } else {
+      const nextPollMs = Math.min(Math.floor(session.intervalMs * 1.5), MAX_AUTH_INTERVAL_MS);
+      session.intervalMs = nextPollMs;
+      authSessions.set(params.sessionId, session);
+      return {
+        provider: params.providerName,
+        status: "pending",
+        nextPollMs
+      };
+    }
+  } else {
+    const payload = await response.json().catch(() => ({}));
+    if (!response.ok) {
+      const errorCode = payload.error?.trim().toLowerCase();
+      if (errorCode === "authorization_pending") {
+        return {
+          provider: params.providerName,
+          status: "pending",
+          nextPollMs: session.intervalMs
+        };
+      }
+      if (errorCode === "slow_down") {
+        const nextPollMs = Math.min(Math.floor(session.intervalMs * 1.5), MAX_AUTH_INTERVAL_MS);
+        session.intervalMs = nextPollMs;
+        authSessions.set(params.sessionId, session);
+        return {
+          provider: params.providerName,
+          status: "pending",
+          nextPollMs
+        };
+      }
+      if (errorCode === "access_denied") {
+        authSessions.delete(params.sessionId);
+        return {
+          provider: params.providerName,
+          status: "denied",
+          message: payload.error_description || "authorization denied"
+        };
+      }
+      if (errorCode === "expired_token") {
+        authSessions.delete(params.sessionId);
+        return {
+          provider: params.providerName,
+          status: "expired",
+          message: payload.error_description || "authorization session expired"
+        };
+      }
+      return {
+        provider: params.providerName,
+        status: "error",
+        message: payload.error_description || payload.error || response.statusText || "authorization failed"
+      };
+    }
+    accessToken = payload.access_token?.trim() ?? "";
+    if (!accessToken) {
+      return {
+        provider: params.providerName,
+        status: "error",
+        message: "provider token response missing access token"
+      };
+    }
+  }
+  setProviderApiKey({
+    configPath: params.configPath,
+    provider: params.providerName,
+    accessToken,
+    defaultApiBase: session.defaultApiBase
+  });
+  authSessions.delete(params.sessionId);
+  return {
+    provider: params.providerName,
+    status: "authorized"
+  };
+}
+async function importProviderAuthFromCli(configPath, providerName) {
+  const spec = findServerBuiltinProviderByName(providerName);
+  if (!spec?.auth || spec.auth.kind !== "device_code" || !spec.auth.cliCredential) {
+    return null;
+  }
+  const credentialPath = resolveHomePath(spec.auth.cliCredential.path);
+  if (!credentialPath) {
+    throw new Error("provider cli credential path is empty");
+  }
+  let rawContent = "";
+  try {
+    rawContent = await readFile(credentialPath, "utf8");
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`failed to read CLI credential: ${message}`);
+  }
+  let payload;
+  try {
+    const parsed = JSON.parse(rawContent);
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
       throw new Error("credential payload is not an object");
     }
-    payload = parsed;
+    payload = parsed;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`invalid CLI credential JSON: ${message}`);
+  }
+  const accessToken = readFieldAsString(payload, spec.auth.cliCredential.accessTokenField);
+  if (!accessToken) {
+    throw new Error(
+      `CLI credential missing access token field: ${spec.auth.cliCredential.accessTokenField}`
+    );
+  }
+  const expiresAtMs = normalizeExpiresAt(
+    spec.auth.cliCredential.expiresAtField ? payload[spec.auth.cliCredential.expiresAtField] : void 0
+  );
+  if (typeof expiresAtMs === "number" && expiresAtMs <= Date.now()) {
+    throw new Error("CLI credential has expired, please login again");
+  }
+  setProviderApiKey({
+    configPath,
+    provider: providerName,
+    accessToken,
+    defaultApiBase: spec.defaultApiBase
+  });
+  return {
+    provider: providerName,
+    status: "imported",
+    source: "cli",
+    expiresAt: expiresAtMs ? new Date(expiresAtMs).toISOString() : void 0
+  };
+}
+
+// src/ui/router/config.controller.ts
+var ConfigRoutesController = class {
+  constructor(options) {
+    this.options = options;
+  }
+  getConfig = (c) => {
+    const config = loadConfigOrDefault(this.options.configPath);
+    return c.json(ok(buildConfigView(config)));
+  };
+  getConfigMeta = (c) => {
+    const config = loadConfigOrDefault(this.options.configPath);
+    return c.json(ok(buildConfigMeta(config)));
+  };
+  getConfigSchema = (c) => {
+    const config = loadConfigOrDefault(this.options.configPath);
+    return c.json(ok(buildConfigSchemaView(config)));
+  };
+  updateConfigModel = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const hasModel = typeof body.data.model === "string";
+    if (!hasModel) {
+      return c.json(err("INVALID_BODY", "model is required"), 400);
+    }
+    const view = updateModel(this.options.configPath, {
+      model: body.data.model
+    });
+    if (hasModel) {
+      this.options.publish({ type: "config.updated", payload: { path: "agents.defaults.model" } });
+    }
+    return c.json(ok({
+      model: view.agents.defaults.model
+    }));
+  };
+  updateConfigSearch = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const result = updateSearch(this.options.configPath, body.data);
+    this.options.publish({ type: "config.updated", payload: { path: "search" } });
+    return c.json(ok(result));
+  };
+  updateProvider = async (c) => {
+    const provider = c.req.param("provider");
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const result = updateProvider(this.options.configPath, provider, body.data);
+    if (!result) {
+      return c.json(err("NOT_FOUND", `unknown provider: ${provider}`), 404);
+    }
+    this.options.publish({ type: "config.updated", payload: { path: `providers.${provider}` } });
+    return c.json(ok(result));
+  };
+  createProvider = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const result = createCustomProvider(
+      this.options.configPath,
+      body.data
+    );
+    this.options.publish({ type: "config.updated", payload: { path: `providers.${result.name}` } });
+    return c.json(ok({
+      name: result.name,
+      provider: result.provider
+    }));
+  };
+  deleteProvider = async (c) => {
+    const provider = c.req.param("provider");
+    const result = deleteCustomProvider(this.options.configPath, provider);
+    if (result === null) {
+      return c.json(err("NOT_FOUND", `custom provider not found: ${provider}`), 404);
+    }
+    this.options.publish({ type: "config.updated", payload: { path: `providers.${provider}` } });
+    return c.json(ok({
+      deleted: true,
+      provider
+    }));
+  };
+  testProviderConnection = async (c) => {
+    const provider = c.req.param("provider");
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const result = await testProviderConnection(
+      this.options.configPath,
+      provider,
+      body.data
+    );
+    if (!result) {
+      return c.json(err("NOT_FOUND", `unknown provider: ${provider}`), 404);
+    }
+    return c.json(ok(result));
+  };
+  startProviderAuth = async (c) => {
+    const provider = c.req.param("provider");
+    let payload = {};
+    const rawBody = await c.req.raw.text();
+    if (rawBody.trim().length > 0) {
+      try {
+        payload = JSON.parse(rawBody);
+      } catch {
+        return c.json(err("INVALID_BODY", "invalid json body"), 400);
+      }
+    }
+    const methodId = typeof payload.methodId === "string" ? payload.methodId.trim() : void 0;
+    try {
+      const result = await startProviderAuth(this.options.configPath, provider, {
+        methodId
+      });
+      if (!result) {
+        return c.json(err("NOT_SUPPORTED", `provider auth is not supported: ${provider}`), 404);
+      }
+      return c.json(ok(result));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json(err("AUTH_START_FAILED", message), 400);
+    }
+  };
+  pollProviderAuth = async (c) => {
+    const provider = c.req.param("provider");
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const sessionId = typeof body.data.sessionId === "string" ? body.data.sessionId.trim() : "";
+    if (!sessionId) {
+      return c.json(err("INVALID_BODY", "sessionId is required"), 400);
+    }
+    const result = await pollProviderAuth({
+      configPath: this.options.configPath,
+      providerName: provider,
+      sessionId
+    });
+    if (!result) {
+      return c.json(err("NOT_FOUND", "provider auth session not found"), 404);
+    }
+    if (result.status === "authorized") {
+      this.options.publish({ type: "config.updated", payload: { path: `providers.${provider}` } });
+    }
+    return c.json(ok(result));
+  };
+  importProviderAuthFromCli = async (c) => {
+    const provider = c.req.param("provider");
+    try {
+      const result = await importProviderAuthFromCli(this.options.configPath, provider);
+      if (!result) {
+        return c.json(err("NOT_SUPPORTED", `provider cli auth import is not supported: ${provider}`), 404);
+      }
+      this.options.publish({ type: "config.updated", payload: { path: `providers.${provider}` } });
+      return c.json(ok(result));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json(err("AUTH_IMPORT_FAILED", message), 400);
+    }
+  };
+  updateChannel = async (c) => {
+    const channel = c.req.param("channel");
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const result = updateChannel(this.options.configPath, channel, body.data);
+    if (!result) {
+      return c.json(err("NOT_FOUND", `unknown channel: ${channel}`), 404);
+    }
+    this.options.publish({ type: "config.updated", payload: { path: `channels.${channel}` } });
+    return c.json(ok(result));
+  };
+  updateSecrets = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const result = updateSecrets(this.options.configPath, body.data);
+    this.options.publish({ type: "config.updated", payload: { path: "secrets" } });
+    return c.json(ok(result));
+  };
+  updateRuntime = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok || !body.data || typeof body.data !== "object") {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const result = updateRuntime(this.options.configPath, body.data);
+    if (body.data.agents?.defaults && Object.prototype.hasOwnProperty.call(body.data.agents.defaults, "contextTokens")) {
+      this.options.publish({ type: "config.updated", payload: { path: "agents.defaults.contextTokens" } });
+    }
+    if (body.data.agents?.defaults && Object.prototype.hasOwnProperty.call(body.data.agents.defaults, "engine")) {
+      this.options.publish({ type: "config.updated", payload: { path: "agents.defaults.engine" } });
+    }
+    if (body.data.agents?.defaults && Object.prototype.hasOwnProperty.call(body.data.agents.defaults, "engineConfig")) {
+      this.options.publish({ type: "config.updated", payload: { path: "agents.defaults.engineConfig" } });
+    }
+    this.options.publish({ type: "config.updated", payload: { path: "agents.list" } });
+    this.options.publish({ type: "config.updated", payload: { path: "bindings" } });
+    this.options.publish({ type: "config.updated", payload: { path: "session" } });
+    return c.json(ok(result));
+  };
+  executeAction = async (c) => {
+    const actionId = c.req.param("actionId");
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const result = await executeConfigAction(this.options.configPath, actionId, body.data ?? {});
+    if (!result.ok) {
+      return c.json(err(result.code, result.message, result.details), 400);
+    }
+    return c.json(ok(result.data));
+  };
+};
+
+// src/ui/router/cron.controller.ts
+function toIsoTime(value) {
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    return null;
+  }
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) {
+    return null;
+  }
+  return date.toISOString();
+}
+function buildCronJobView(job) {
+  return {
+    id: job.id,
+    name: job.name,
+    enabled: job.enabled,
+    schedule: job.schedule,
+    payload: job.payload,
+    state: {
+      nextRunAt: toIsoTime(job.state.nextRunAtMs),
+      lastRunAt: toIsoTime(job.state.lastRunAtMs),
+      lastStatus: job.state.lastStatus ?? null,
+      lastError: job.state.lastError ?? null
+    },
+    createdAt: new Date(job.createdAtMs).toISOString(),
+    updatedAt: new Date(job.updatedAtMs).toISOString(),
+    deleteAfterRun: job.deleteAfterRun
+  };
+}
+function findCronJob(service, id) {
+  const jobs = service.listJobs(true);
+  return jobs.find((job) => job.id === id) ?? null;
+}
+var CronRoutesController = class {
+  constructor(options) {
+    this.options = options;
+  }
+  listJobs = (c) => {
+    if (!this.options.cronService) {
+      return c.json(err("NOT_AVAILABLE", "cron service unavailable"), 503);
+    }
+    const query = c.req.query();
+    const includeDisabled = query.all === "1" || query.all === "true" || query.all === "yes";
+    const jobs = this.options.cronService.listJobs(includeDisabled).map((job) => buildCronJobView(job));
+    return c.json(ok({ jobs, total: jobs.length }));
+  };
+  deleteJob = (c) => {
+    if (!this.options.cronService) {
+      return c.json(err("NOT_AVAILABLE", "cron service unavailable"), 503);
+    }
+    const id = decodeURIComponent(c.req.param("id"));
+    const deleted = this.options.cronService.removeJob(id);
+    if (!deleted) {
+      return c.json(err("NOT_FOUND", `cron job not found: ${id}`), 404);
+    }
+    return c.json(ok({ deleted: true }));
+  };
+  enableJob = async (c) => {
+    if (!this.options.cronService) {
+      return c.json(err("NOT_AVAILABLE", "cron service unavailable"), 503);
+    }
+    const id = decodeURIComponent(c.req.param("id"));
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    if (typeof body.data.enabled !== "boolean") {
+      return c.json(err("INVALID_BODY", "enabled must be boolean"), 400);
+    }
+    const job = this.options.cronService.enableJob(id, body.data.enabled);
+    if (!job) {
+      return c.json(err("NOT_FOUND", `cron job not found: ${id}`), 404);
+    }
+    const data = { job: buildCronJobView(job) };
+    return c.json(ok(data));
+  };
+  runJob = async (c) => {
+    if (!this.options.cronService) {
+      return c.json(err("NOT_AVAILABLE", "cron service unavailable"), 503);
+    }
+    const id = decodeURIComponent(c.req.param("id"));
+    const body = await readJson(c.req.raw);
+    if (!body.ok) {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    }
+    const existing = findCronJob(this.options.cronService, id);
+    if (!existing) {
+      return c.json(err("NOT_FOUND", `cron job not found: ${id}`), 404);
+    }
+    const executed = await this.options.cronService.runJob(id, Boolean(body.data.force));
+    const after = findCronJob(this.options.cronService, id);
+    const data = {
+      job: after ? buildCronJobView(after) : null,
+      executed
+    };
+    return c.json(ok(data));
+  };
+};
+
+// src/ui/router/marketplace/constants.ts
+var DEFAULT_MARKETPLACE_API_BASE = "https://marketplace-api.nextclaw.io";
+var NEXTCLAW_PLUGIN_NPM_PREFIX = "@nextclaw/channel-plugin-";
+var CLAWBAY_CHANNEL_PLUGIN_NPM_SPEC = "@clawbay/clawbay-channel";
+var BUILTIN_CHANNEL_PLUGIN_ID_PREFIX = "builtin-channel-";
+var MARKETPLACE_REMOTE_PAGE_SIZE = 100;
+var MARKETPLACE_REMOTE_MAX_PAGES = 20;
+var MARKETPLACE_ZH_COPY_BY_SLUG = {
+  weather: {
+    summary: "NextClaw \u5185\u7F6E\u6280\u80FD\uFF0C\u7528\u4E8E\u5929\u6C14\u67E5\u8BE2\u5DE5\u4F5C\u6D41\u3002",
+    description: "\u5728 NextClaw \u4E2D\u63D0\u4F9B\u5FEB\u901F\u5929\u6C14\u67E5\u8BE2\u5DE5\u4F5C\u6D41\u3002"
+  },
+  summarize: {
+    summary: "NextClaw \u5185\u7F6E\u6280\u80FD\uFF0C\u7528\u4E8E\u7ED3\u6784\u5316\u6458\u8981\u3002",
+    description: "\u5728 NextClaw \u4E2D\u63D0\u4F9B\u6587\u4EF6\u4E0E\u957F\u6587\u672C\u7684\u6458\u8981\u5DE5\u4F5C\u6D41\u3002"
+  },
+  github: {
+    summary: "NextClaw \u5185\u7F6E\u6280\u80FD\uFF0C\u7528\u4E8E GitHub \u5DE5\u4F5C\u6D41\u3002",
+    description: "\u5728 NextClaw \u4E2D\u63D0\u4F9B Issue\u3001PR \u4E0E\u4ED3\u5E93\u76F8\u5173\u5DE5\u4F5C\u6D41\u6307\u5F15\u3002"
+  },
+  tmux: {
+    summary: "NextClaw \u5185\u7F6E\u6280\u80FD\uFF0C\u7528\u4E8E\u7EC8\u7AEF/Tmux \u534F\u4F5C\u5DE5\u4F5C\u6D41\u3002",
+    description: "\u5728 NextClaw \u4E2D\u63D0\u4F9B\u57FA\u4E8E Tmux \u7684\u4EFB\u52A1\u6267\u884C\u5DE5\u4F5C\u6D41\u6307\u5F15\u3002"
+  },
+  gog: {
+    summary: "NextClaw \u5185\u7F6E\u6280\u80FD\uFF0C\u7528\u4E8E\u56FE\u8C31\u5BFC\u5411\u751F\u6210\u5DE5\u4F5C\u6D41\u3002",
+    description: "\u5728 NextClaw \u4E2D\u63D0\u4F9B\u56FE\u8C31\u4E0E\u89C4\u5212\u5BFC\u5411\u5DE5\u4F5C\u6D41\u6307\u5F15\u3002"
+  },
+  pdf: {
+    summary: "Anthropic \u6280\u80FD\uFF0C\u7528\u4E8E PDF \u8BFB\u53D6/\u5408\u5E76/\u62C6\u5206/OCR \u5DE5\u4F5C\u6D41\u3002",
+    description: "\u4F7F\u7528\u8BE5\u6280\u80FD\u53EF\u8BFB\u53D6\u3001\u63D0\u53D6\u3001\u5408\u5E76\u3001\u62C6\u5206\u3001\u65CB\u8F6C\u5E76\u5BF9 PDF \u6267\u884C OCR \u5904\u7406\u3002"
+  },
+  docx: {
+    summary: "Anthropic \u6280\u80FD\uFF0C\u7528\u4E8E\u521B\u5EFA\u548C\u7F16\u8F91 Word \u6587\u6863\u3002",
+    description: "\u4F7F\u7528\u8BE5\u6280\u80FD\u53EF\u521B\u5EFA\u3001\u8BFB\u53D6\u3001\u7F16\u8F91\u5E76\u91CD\u6784 .docx \u6587\u6863\u3002"
+  },
+  pptx: {
+    summary: "Anthropic \u6280\u80FD\uFF0C\u7528\u4E8E\u6F14\u793A\u6587\u7A3F\u64CD\u4F5C\u3002",
+    description: "\u4F7F\u7528\u8BE5\u6280\u80FD\u53EF\u521B\u5EFA\u3001\u89E3\u6790\u3001\u7F16\u8F91\u5E76\u91CD\u7EC4 .pptx \u6F14\u793A\u6587\u7A3F\u3002"
+  },
+  xlsx: {
+    summary: "Anthropic \u6280\u80FD\uFF0C\u7528\u4E8E\u8868\u683C\u6587\u6863\u5DE5\u4F5C\u6D41\u3002",
+    description: "\u4F7F\u7528\u8BE5\u6280\u80FD\u53EF\u6253\u5F00\u3001\u7F16\u8F91\u3001\u6E05\u6D17\u5E76\u8F6C\u6362 .xlsx \u4E0E .csv \u7B49\u8868\u683C\u6587\u4EF6\u3002"
+  },
+  bird: {
+    summary: "OpenClaw \u793E\u533A\u6280\u80FD\uFF0C\u7528\u4E8E X/Twitter \u8BFB\u53D6/\u641C\u7D22/\u53D1\u5E03\u5DE5\u4F5C\u6D41\u3002",
+    description: "\u4F7F\u7528 bird CLI \u5728\u4EE3\u7406\u5DE5\u4F5C\u6D41\u4E2D\u8BFB\u53D6\u7EBF\u7A0B\u3001\u641C\u7D22\u5E16\u5B50\u5E76\u8D77\u8349\u63A8\u6587/\u56DE\u590D\u3002"
+  },
+  "cloudflare-deploy": {
+    summary: "OpenAI \u7CBE\u9009\u6280\u80FD\uFF0C\u7528\u4E8E\u5728 Cloudflare \u4E0A\u90E8\u7F72\u5E94\u7528\u4E0E\u57FA\u7840\u8BBE\u65BD\u3002",
+    description: "\u4F7F\u7528\u8BE5\u6280\u80FD\u53EF\u9009\u62E9 Cloudflare \u4EA7\u54C1\u5E76\u90E8\u7F72 Workers\u3001Pages \u53CA\u76F8\u5173\u670D\u52A1\u3002"
+  },
+  "channel-plugin-discord": {
+    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E Discord \u6E20\u9053\u96C6\u6210\u3002",
+    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B Discord \u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
+  },
+  "channel-plugin-telegram": {
+    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E Telegram \u6E20\u9053\u96C6\u6210\u3002",
+    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B Telegram \u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
+  },
+  "channel-plugin-slack": {
+    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E Slack \u6E20\u9053\u96C6\u6210\u3002",
+    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B Slack \u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
+  },
+  "channel-plugin-wecom": {
+    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E\u4F01\u4E1A\u5FAE\u4FE1\u6E20\u9053\u96C6\u6210\u3002",
+    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B\u4F01\u4E1A\u5FAE\u4FE1\u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
+  },
+  "channel-plugin-email": {
+    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E Email \u6E20\u9053\u96C6\u6210\u3002",
+    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B Email \u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
+  },
+  "channel-plugin-whatsapp": {
+    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E WhatsApp \u6E20\u9053\u96C6\u6210\u3002",
+    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B WhatsApp \u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
+  },
+  "channel-plugin-clawbay": {
+    summary: "Clawbay \u5B98\u65B9\u6E20\u9053\u63D2\u4EF6\uFF0C\u7528\u4E8E NextClaw \u96C6\u6210\u3002",
+    description: "\u901A\u8FC7\u63D2\u4EF6\u8FD0\u884C\u65F6\u4E3A NextClaw \u63D0\u4F9B Clawbay \u6E20\u9053\u80FD\u529B\u3002"
+  }
+};
+
+// src/ui/router/marketplace/catalog.ts
+function normalizeMarketplaceBaseUrl(options) {
+  const configured = options.marketplace?.apiBaseUrl?.trim();
+  if (!configured) {
+    return DEFAULT_MARKETPLACE_API_BASE;
+  }
+  return configured.replace(/\/$/, "");
+}
+function toMarketplaceUrl(baseUrl, path, query = {}) {
+  const url = new URL(path, `${baseUrl.replace(/\/$/, "")}/`);
+  for (const [key, value] of Object.entries(query)) {
+    if (typeof value === "string" && value.length > 0) {
+      url.searchParams.set(key, value);
+    }
+  }
+  return url.toString();
+}
+async function fetchMarketplaceData(params) {
+  const endpoint = toMarketplaceUrl(params.baseUrl, params.path, params.query);
+  let response;
+  try {
+    response = await fetch(endpoint, {
+      method: "GET",
+      headers: {
+        Accept: "application/json"
+      }
+    });
   } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    throw new Error(`invalid CLI credential JSON: ${message}`);
+    return {
+      ok: false,
+      status: 503,
+      message: error instanceof Error ? error.message : String(error)
+    };
   }
-  const accessToken = readFieldAsString(payload, spec.auth.cliCredential.accessTokenField);
-  if (!accessToken) {
-    throw new Error(
-      `CLI credential missing access token field: ${spec.auth.cliCredential.accessTokenField}`
-    );
+  let payload = null;
+  try {
+    payload = await response.json();
+  } catch {
+    if (!response.ok) {
+      return {
+        ok: false,
+        status: response.status,
+        message: `marketplace request failed (${response.status})`
+      };
+    }
+    return {
+      ok: false,
+      status: 502,
+      message: "invalid marketplace response"
+    };
   }
-  const expiresAtMs = normalizeExpiresAt(
-    spec.auth.cliCredential.expiresAtField ? payload[spec.auth.cliCredential.expiresAtField] : void 0
-  );
-  if (typeof expiresAtMs === "number" && expiresAtMs <= Date.now()) {
-    throw new Error("CLI credential has expired, please login again");
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      message: readErrorMessage(payload, `marketplace request failed (${response.status})`)
+    };
+  }
+  if (!payload || typeof payload !== "object" || !("ok" in payload)) {
+    return {
+      ok: false,
+      status: 502,
+      message: "invalid marketplace response"
+    };
+  }
+  const typed = payload;
+  if (!typed.ok) {
+    return {
+      ok: false,
+      status: 502,
+      message: readErrorMessage(payload, "marketplace response returned error")
+    };
   }
-  setProviderApiKey({
-    configPath,
-    provider: providerName,
-    accessToken,
-    defaultApiBase: spec.defaultApiBase
-  });
   return {
-    provider: providerName,
-    status: "imported",
-    source: "cli",
-    expiresAt: expiresAtMs ? new Date(expiresAtMs).toISOString() : void 0
+    ok: true,
+    data: typed.data
   };
 }
-
-// src/ui/router.ts
-function buildAppMetaView(options) {
-  const productVersion = options.productVersion?.trim();
-  return {
-    name: "NextClaw",
-    productVersion: productVersion && productVersion.length > 0 ? productVersion : "0.0.0"
+function sanitizeMarketplaceItem(item) {
+  const next = { ...item };
+  delete next.sourceType;
+  return next;
+}
+function readLocalizedMap(value) {
+  const localized = {};
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return localized;
+  }
+  for (const [key, entry] of Object.entries(value)) {
+    if (typeof entry !== "string" || entry.trim().length === 0) {
+      continue;
+    }
+    localized[key] = entry.trim();
+  }
+  return localized;
+}
+function normalizeLocaleTag(value) {
+  return value.trim().toLowerCase().replace(/_/g, "-");
+}
+function pickLocaleFamilyValue(localized, localeFamily) {
+  const normalizedFamily = normalizeLocaleTag(localeFamily).split("-")[0];
+  if (!normalizedFamily) {
+    return void 0;
+  }
+  let familyMatch;
+  for (const [locale, text] of Object.entries(localized)) {
+    const normalizedLocale = normalizeLocaleTag(locale);
+    if (!normalizedLocale) {
+      continue;
+    }
+    if (normalizedLocale === normalizedFamily) {
+      return text;
+    }
+    if (!familyMatch && normalizedLocale.startsWith(`${normalizedFamily}-`)) {
+      familyMatch = text;
+    }
+  }
+  return familyMatch;
+}
+function normalizeLocalizedTextMap(primaryText, localized, zhFallback) {
+  const next = readLocalizedMap(localized);
+  if (!next.en) {
+    next.en = pickLocaleFamilyValue(next, "en") ?? primaryText;
+  }
+  if (!next.zh) {
+    next.zh = pickLocaleFamilyValue(next, "zh") ?? (zhFallback && zhFallback.trim().length > 0 ? zhFallback.trim() : next.en);
+  }
+  return next;
+}
+function normalizeMarketplaceItemForUi(item) {
+  const zhCopy = MARKETPLACE_ZH_COPY_BY_SLUG[item.slug];
+  const next = {
+    ...item,
+    summaryI18n: normalizeLocalizedTextMap(item.summary, item.summaryI18n, zhCopy?.summary)
   };
+  if ("description" in item && typeof item.description === "string" && item.description.trim().length > 0) {
+    next.descriptionI18n = normalizeLocalizedTextMap(
+      item.description,
+      item.descriptionI18n,
+      zhCopy?.description
+    );
+  }
+  return next;
 }
-var DEFAULT_MARKETPLACE_API_BASE = "https://marketplace-api.nextclaw.io";
-var NEXTCLAW_PLUGIN_NPM_PREFIX = "@nextclaw/channel-plugin-";
-var CLAWBAY_CHANNEL_PLUGIN_NPM_SPEC = "@clawbay/clawbay-channel";
-var BUILTIN_CHANNEL_PLUGIN_ID_PREFIX = "builtin-channel-";
-var MARKETPLACE_REMOTE_PAGE_SIZE = 100;
-var MARKETPLACE_REMOTE_MAX_PAGES = 20;
-var getWorkspacePathFromConfig3 = NextclawCore.getWorkspacePathFromConfig;
-function createSkillsLoader(workspace) {
-  const ctor = NextclawCore.SkillsLoader;
-  if (!ctor) {
-    return null;
+function toPositiveInt(raw, fallback) {
+  if (!raw) {
+    return fallback;
   }
-  return new ctor(workspace);
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return fallback;
+  }
+  return parsed;
+}
+async function fetchAllMarketplaceItems(params) {
+  const items = [];
+  let sort = "relevance";
+  let query;
+  for (let page = 1; page <= MARKETPLACE_REMOTE_MAX_PAGES; page += 1) {
+    const result = await fetchMarketplaceData({
+      baseUrl: params.baseUrl,
+      path: params.path,
+      query: {
+        ...params.query,
+        page: String(page),
+        pageSize: String(MARKETPLACE_REMOTE_PAGE_SIZE)
+      }
+    });
+    if (!result.ok) {
+      return result;
+    }
+    const pageItems = Array.isArray(result.data.items) ? result.data.items : [];
+    if (pageItems.length === 0) {
+      break;
+    }
+    sort = result.data.sort;
+    query = result.data.query;
+    items.push(...pageItems);
+    const pageSize = typeof result.data.pageSize === "number" && Number.isFinite(result.data.pageSize) && result.data.pageSize > 0 ? result.data.pageSize : MARKETPLACE_REMOTE_PAGE_SIZE;
+    if (pageItems.length < pageSize) {
+      break;
+    }
+  }
+  return {
+    ok: true,
+    data: {
+      sort,
+      ...typeof query === "string" ? { query } : {},
+      items
+    }
+  };
+}
+async function fetchAllPluginMarketplaceItems(params) {
+  return fetchAllMarketplaceItems({
+    baseUrl: params.baseUrl,
+    path: "/api/v1/plugins/items",
+    query: params.query
+  });
 }
+async function fetchAllSkillMarketplaceItems(params) {
+  return fetchAllMarketplaceItems({
+    baseUrl: params.baseUrl,
+    path: "/api/v1/skills/items",
+    query: params.query
+  });
+}
+function sanitizeMarketplaceListItems(items) {
+  return items.map((item) => sanitizeMarketplaceItem(item));
+}
+function sanitizeMarketplaceItemView(item) {
+  return sanitizeMarketplaceItem(item);
+}
+
+// src/ui/router/marketplace/installed.ts
+import * as NextclawCore3 from "@nextclaw/core";
+import { buildPluginStatusReport } from "@nextclaw/openclaw-compat";
+
+// src/ui/router/marketplace/spec.ts
 function normalizePluginNpmSpec(rawSpec) {
   const spec = rawSpec.trim();
   if (!spec.startsWith("@")) {
@@ -1940,308 +3204,68 @@ function readPluginOriginPriority(origin) {
   if (origin === "bundled") {
     return 80;
   }
-  if (origin === "workspace") {
-    return 70;
-  }
-  if (origin === "global") {
-    return 60;
-  }
-  if (origin === "config") {
-    return 50;
-  }
-  return 10;
-}
-function readInstalledPluginRecordPriority(record) {
-  const installScore = record.installPath ? 20 : 0;
-  const timestampScore = record.installedAt ? 10 : 0;
-  return readPluginRuntimeStatusPriority(record.runtimeStatus) + readPluginOriginPriority(record.origin) + installScore + timestampScore;
-}
-function mergeInstalledPluginRecords(primary, secondary) {
-  return {
-    ...primary,
-    id: primary.id ?? secondary.id,
-    label: primary.label ?? secondary.label,
-    source: primary.source ?? secondary.source,
-    installedAt: primary.installedAt ?? secondary.installedAt,
-    enabled: primary.enabled ?? secondary.enabled,
-    runtimeStatus: primary.runtimeStatus ?? secondary.runtimeStatus,
-    origin: primary.origin ?? secondary.origin,
-    installPath: primary.installPath ?? secondary.installPath
-  };
-}
-function dedupeInstalledPluginRecordsByCanonicalSpec(records) {
-  const deduped = /* @__PURE__ */ new Map();
-  for (const record of records) {
-    const canonicalSpec = normalizePluginNpmSpec(record.spec).trim();
-    if (!canonicalSpec) {
-      continue;
-    }
-    const key = canonicalSpec.toLowerCase();
-    const normalizedRecord = { ...record, spec: canonicalSpec };
-    const existing = deduped.get(key);
-    if (!existing) {
-      deduped.set(key, normalizedRecord);
-      continue;
-    }
-    const normalizedScore = readInstalledPluginRecordPriority(normalizedRecord);
-    const existingScore = readInstalledPluginRecordPriority(existing);
-    if (normalizedScore > existingScore) {
-      deduped.set(key, mergeInstalledPluginRecords(normalizedRecord, existing));
-      continue;
-    }
-    deduped.set(key, mergeInstalledPluginRecords(existing, normalizedRecord));
-  }
-  return Array.from(deduped.values());
-}
-function ok(data) {
-  return { ok: true, data };
-}
-function err(code, message, details) {
-  return { ok: false, error: { code, message, details } };
-}
-function toIsoTime(value) {
-  if (typeof value !== "number" || !Number.isFinite(value)) {
-    return null;
-  }
-  const date = new Date(value);
-  if (Number.isNaN(date.getTime())) {
-    return null;
-  }
-  return date.toISOString();
-}
-function buildCronJobView(job) {
-  return {
-    id: job.id,
-    name: job.name,
-    enabled: job.enabled,
-    schedule: job.schedule,
-    payload: job.payload,
-    state: {
-      nextRunAt: toIsoTime(job.state.nextRunAtMs),
-      lastRunAt: toIsoTime(job.state.lastRunAtMs),
-      lastStatus: job.state.lastStatus ?? null,
-      lastError: job.state.lastError ?? null
-    },
-    createdAt: new Date(job.createdAtMs).toISOString(),
-    updatedAt: new Date(job.updatedAtMs).toISOString(),
-    deleteAfterRun: job.deleteAfterRun
-  };
-}
-function findCronJob(service, id) {
-  const jobs = service.listJobs(true);
-  return jobs.find((job) => job.id === id) ?? null;
-}
-async function readJson(req) {
-  try {
-    const data = await req.json();
-    return { ok: true, data };
-  } catch {
-    return { ok: false };
-  }
-}
-function isRecord(value) {
-  return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-function readErrorMessage(value, fallback) {
-  if (!isRecord(value)) {
-    return fallback;
-  }
-  const maybeError = value.error;
-  if (!isRecord(maybeError)) {
-    return fallback;
-  }
-  return typeof maybeError.message === "string" && maybeError.message.trim().length > 0 ? maybeError.message : fallback;
-}
-function readNonEmptyString(value) {
-  if (typeof value !== "string") {
-    return void 0;
-  }
-  const trimmed = value.trim();
-  return trimmed || void 0;
-}
-function formatUserFacingError(error, maxChars = 320) {
-  const raw = error instanceof Error ? error.message || error.name || "Unknown error" : String(error ?? "Unknown error");
-  const normalized = raw.replace(/\s+/g, " ").trim();
-  if (!normalized) {
-    return "Unknown error";
-  }
-  if (normalized.length <= maxChars) {
-    return normalized;
-  }
-  return `${normalized.slice(0, Math.max(0, maxChars - 3)).trimEnd()}...`;
-}
-function normalizeSessionType2(value) {
-  return readNonEmptyString(value)?.toLowerCase();
-}
-function resolveSessionTypeLabel(sessionType) {
-  if (sessionType === "native") {
-    return "Native";
-  }
-  if (sessionType === "codex-sdk") {
-    return "Codex";
-  }
-  if (sessionType === "claude-agent-sdk") {
-    return "Claude Code";
-  }
-  return sessionType;
-}
-async function buildChatSessionTypesView(chatRuntime) {
-  if (!chatRuntime?.listSessionTypes) {
-    return {
-      defaultType: DEFAULT_SESSION_TYPE,
-      options: [{ value: DEFAULT_SESSION_TYPE, label: resolveSessionTypeLabel(DEFAULT_SESSION_TYPE) }]
-    };
-  }
-  const payload = await chatRuntime.listSessionTypes();
-  const deduped = /* @__PURE__ */ new Map();
-  for (const rawOption of payload.options ?? []) {
-    const normalized = normalizeSessionType2(rawOption.value);
-    if (!normalized) {
-      continue;
-    }
-    deduped.set(normalized, {
-      value: normalized,
-      label: readNonEmptyString(rawOption.label) ?? resolveSessionTypeLabel(normalized)
-    });
-  }
-  if (!deduped.has(DEFAULT_SESSION_TYPE)) {
-    deduped.set(DEFAULT_SESSION_TYPE, {
-      value: DEFAULT_SESSION_TYPE,
-      label: resolveSessionTypeLabel(DEFAULT_SESSION_TYPE)
-    });
-  }
-  const defaultType = normalizeSessionType2(payload.defaultType) ?? DEFAULT_SESSION_TYPE;
-  if (!deduped.has(defaultType)) {
-    deduped.set(defaultType, {
-      value: defaultType,
-      label: resolveSessionTypeLabel(defaultType)
-    });
-  }
-  const options = Array.from(deduped.values()).sort((left, right) => {
-    if (left.value === DEFAULT_SESSION_TYPE) {
-      return -1;
-    }
-    if (right.value === DEFAULT_SESSION_TYPE) {
-      return 1;
-    }
-    return left.value.localeCompare(right.value);
-  });
-  return {
-    defaultType,
-    options
-  };
-}
-function resolveAgentIdFromSessionKey(sessionKey) {
-  const parsed = NextclawCore.parseAgentScopedSessionKey(sessionKey);
-  const agentId = readNonEmptyString(parsed?.agentId);
-  return agentId;
-}
-function createChatRunId() {
-  const now = Date.now().toString(36);
-  const rand = Math.random().toString(36).slice(2, 10);
-  return `run-${now}-${rand}`;
-}
-function isChatRunState(value) {
-  return value === "queued" || value === "running" || value === "completed" || value === "failed" || value === "aborted";
-}
-function readChatRunStates(value) {
-  if (typeof value !== "string") {
-    return void 0;
-  }
-  const values = value.split(",").map((item) => item.trim().toLowerCase()).filter((item) => Boolean(item) && isChatRunState(item));
-  if (values.length === 0) {
-    return void 0;
-  }
-  return Array.from(new Set(values));
-}
-function buildChatTurnView(params) {
-  const completedAt = /* @__PURE__ */ new Date();
-  return {
-    reply: String(params.result.reply ?? ""),
-    sessionKey: readNonEmptyString(params.result.sessionKey) ?? params.fallbackSessionKey,
-    ...readNonEmptyString(params.result.agentId) || params.requestedAgentId ? { agentId: readNonEmptyString(params.result.agentId) ?? params.requestedAgentId } : {},
-    ...readNonEmptyString(params.result.model) || params.requestedModel ? { model: readNonEmptyString(params.result.model) ?? params.requestedModel } : {},
-    requestedAt: params.requestedAt.toISOString(),
-    completedAt: completedAt.toISOString(),
-    durationMs: Math.max(0, completedAt.getTime() - params.startedAtMs)
-  };
-}
-function buildChatTurnViewFromRun(params) {
-  const requestedAt = readNonEmptyString(params.run.requestedAt) ?? (/* @__PURE__ */ new Date()).toISOString();
-  const completedAt = readNonEmptyString(params.run.completedAt) ?? (/* @__PURE__ */ new Date()).toISOString();
-  const requestedAtMs = Date.parse(requestedAt);
-  const completedAtMs = Date.parse(completedAt);
-  return {
-    reply: readNonEmptyString(params.run.reply) ?? params.fallbackReply ?? "",
-    sessionKey: readNonEmptyString(params.run.sessionKey) ?? params.fallbackSessionKey,
-    ...readNonEmptyString(params.run.agentId) || params.fallbackAgentId ? { agentId: readNonEmptyString(params.run.agentId) ?? params.fallbackAgentId } : {},
-    ...readNonEmptyString(params.run.model) || params.fallbackModel ? { model: readNonEmptyString(params.run.model) ?? params.fallbackModel } : {},
-    requestedAt,
-    completedAt,
-    durationMs: Number.isFinite(requestedAtMs) && Number.isFinite(completedAtMs) ? Math.max(0, completedAtMs - requestedAtMs) : 0
-  };
-}
-function toSseFrame(event, data) {
-  return `event: ${event}
-data: ${JSON.stringify(data)}
-
-`;
+  if (origin === "workspace") {
+    return 70;
+  }
+  if (origin === "global") {
+    return 60;
+  }
+  if (origin === "config") {
+    return 50;
+  }
+  return 10;
 }
-function normalizeMarketplaceBaseUrl(options) {
-  const fromOptions = options.marketplace?.apiBaseUrl?.trim();
-  const fromEnv = process.env.NEXTCLAW_MARKETPLACE_API_BASE?.trim();
-  const value = fromOptions || fromEnv || DEFAULT_MARKETPLACE_API_BASE;
-  return value.endsWith("/") ? value.slice(0, -1) : value;
+function readInstalledPluginRecordPriority(record) {
+  const installScore = record.installPath ? 20 : 0;
+  const timestampScore = record.installedAt ? 10 : 0;
+  return readPluginRuntimeStatusPriority(record.runtimeStatus) + readPluginOriginPriority(record.origin) + installScore + timestampScore;
 }
-function toMarketplaceUrl(baseUrl, path, query = {}) {
-  const url = new URL(path, `${baseUrl}/`);
-  for (const [key, value] of Object.entries(query)) {
-    if (typeof value === "string" && value.trim().length > 0) {
-      url.searchParams.set(key, value);
-    }
-  }
-  return url.toString();
+function mergeInstalledPluginRecords(primary, secondary) {
+  return {
+    ...primary,
+    id: primary.id ?? secondary.id,
+    label: primary.label ?? secondary.label,
+    source: primary.source ?? secondary.source,
+    installedAt: primary.installedAt ?? secondary.installedAt,
+    enabled: primary.enabled ?? secondary.enabled,
+    runtimeStatus: primary.runtimeStatus ?? secondary.runtimeStatus,
+    origin: primary.origin ?? secondary.origin,
+    installPath: primary.installPath ?? secondary.installPath
+  };
 }
-async function fetchMarketplaceData(params) {
-  const url = toMarketplaceUrl(params.baseUrl, params.path, params.query ?? {});
-  try {
-    const response = await fetch(url, {
-      method: "GET",
-      headers: {
-        Accept: "application/json"
-      }
-    });
-    let payload = null;
-    try {
-      payload = await response.json();
-    } catch {
-      payload = null;
+function dedupeInstalledPluginRecordsByCanonicalSpec(records) {
+  const deduped = /* @__PURE__ */ new Map();
+  for (const record of records) {
+    const canonicalSpec = normalizePluginNpmSpec(record.spec).trim();
+    if (!canonicalSpec) {
+      continue;
     }
-    if (!response.ok) {
-      return {
-        ok: false,
-        status: response.status,
-        message: readErrorMessage(payload, `marketplace request failed: ${response.status}`)
-      };
+    const key = canonicalSpec.toLowerCase();
+    const normalizedRecord = { ...record, spec: canonicalSpec };
+    const existing = deduped.get(key);
+    if (!existing) {
+      deduped.set(key, normalizedRecord);
+      continue;
     }
-    if (!isRecord(payload) || payload.ok !== true || !Object.prototype.hasOwnProperty.call(payload, "data")) {
-      return {
-        ok: false,
-        status: 502,
-        message: "invalid marketplace response"
-      };
+    const normalizedScore = readInstalledPluginRecordPriority(normalizedRecord);
+    const existingScore = readInstalledPluginRecordPriority(existing);
+    if (normalizedScore > existingScore) {
+      deduped.set(key, mergeInstalledPluginRecords(normalizedRecord, existing));
+      continue;
     }
-    return {
-      ok: true,
-      data: payload.data
-    };
-  } catch (error) {
-    return {
-      ok: false,
-      status: 502,
-      message: `marketplace fetch failed: ${String(error)}`
-    };
+    deduped.set(key, mergeInstalledPluginRecords(existing, normalizedRecord));
+  }
+  return Array.from(deduped.values());
+}
+
+// src/ui/router/marketplace/installed.ts
+var getWorkspacePathFromConfig3 = NextclawCore3.getWorkspacePathFromConfig;
+function createSkillsLoader(workspace) {
+  const ctor = NextclawCore3.SkillsLoader;
+  if (!ctor) {
+    return null;
   }
+  return new ctor(workspace);
 }
 function collectInstalledPluginRecords(options) {
   const config = loadConfigOrDefault(options.configPath);
@@ -2393,191 +3417,41 @@ function collectSkillMarketplaceInstalledView(options) {
     type: "skill",
     total: installed.records.length,
     specs: installed.specs,
-    records: installed.records
-  };
-}
-function resolvePluginManageTargetId(options, rawTargetId, rawSpec) {
-  const targetId = rawTargetId.trim();
-  if (!targetId && !rawSpec) {
-    return rawTargetId;
-  }
-  const normalizedTarget = targetId ? normalizePluginNpmSpec(targetId).toLowerCase() : "";
-  const normalizedSpec = rawSpec ? normalizePluginNpmSpec(rawSpec).toLowerCase() : "";
-  const pluginRecords = collectInstalledPluginRecords(options).records;
-  const lowerTargetId = targetId.toLowerCase();
-  for (const record of pluginRecords) {
-    const recordId = record.id?.trim();
-    if (recordId && recordId.toLowerCase() === lowerTargetId) {
-      return recordId;
-    }
-  }
-  if (normalizedTarget) {
-    for (const record of pluginRecords) {
-      const normalizedRecordSpec = normalizePluginNpmSpec(record.spec).toLowerCase();
-      if (normalizedRecordSpec === normalizedTarget && record.id && record.id.trim().length > 0) {
-        return record.id;
-      }
-    }
-  }
-  if (normalizedSpec && normalizedSpec !== normalizedTarget) {
-    for (const record of pluginRecords) {
-      const normalizedRecordSpec = normalizePluginNpmSpec(record.spec).toLowerCase();
-      if (normalizedRecordSpec === normalizedSpec && record.id && record.id.trim().length > 0) {
-        return record.id;
-      }
-    }
-  }
-  return targetId || rawSpec || rawTargetId;
-}
-function sanitizeMarketplaceItem(item) {
-  const next = { ...item };
-  delete next.metrics;
-  return next;
-}
-var MARKETPLACE_ZH_COPY_BY_SLUG = {
-  weather: {
-    summary: "NextClaw \u5185\u7F6E\u6280\u80FD\uFF0C\u7528\u4E8E\u5929\u6C14\u67E5\u8BE2\u5DE5\u4F5C\u6D41\u3002",
-    description: "\u5728 NextClaw \u4E2D\u63D0\u4F9B\u5FEB\u901F\u5929\u6C14\u67E5\u8BE2\u5DE5\u4F5C\u6D41\u3002"
-  },
-  summarize: {
-    summary: "NextClaw \u5185\u7F6E\u6280\u80FD\uFF0C\u7528\u4E8E\u7ED3\u6784\u5316\u6458\u8981\u3002",
-    description: "\u5728 NextClaw \u4E2D\u63D0\u4F9B\u6587\u4EF6\u4E0E\u957F\u6587\u672C\u7684\u6458\u8981\u5DE5\u4F5C\u6D41\u3002"
-  },
-  github: {
-    summary: "NextClaw \u5185\u7F6E\u6280\u80FD\uFF0C\u7528\u4E8E GitHub \u5DE5\u4F5C\u6D41\u3002",
-    description: "\u5728 NextClaw \u4E2D\u63D0\u4F9B Issue\u3001PR \u4E0E\u4ED3\u5E93\u76F8\u5173\u5DE5\u4F5C\u6D41\u6307\u5F15\u3002"
-  },
-  tmux: {
-    summary: "NextClaw \u5185\u7F6E\u6280\u80FD\uFF0C\u7528\u4E8E\u7EC8\u7AEF/Tmux \u534F\u4F5C\u5DE5\u4F5C\u6D41\u3002",
-    description: "\u5728 NextClaw \u4E2D\u63D0\u4F9B\u57FA\u4E8E Tmux \u7684\u4EFB\u52A1\u6267\u884C\u5DE5\u4F5C\u6D41\u6307\u5F15\u3002"
-  },
-  gog: {
-    summary: "NextClaw \u5185\u7F6E\u6280\u80FD\uFF0C\u7528\u4E8E\u56FE\u8C31\u5BFC\u5411\u751F\u6210\u5DE5\u4F5C\u6D41\u3002",
-    description: "\u5728 NextClaw \u4E2D\u63D0\u4F9B\u56FE\u8C31\u4E0E\u89C4\u5212\u5BFC\u5411\u5DE5\u4F5C\u6D41\u6307\u5F15\u3002"
-  },
-  pdf: {
-    summary: "Anthropic \u6280\u80FD\uFF0C\u7528\u4E8E PDF \u8BFB\u53D6/\u5408\u5E76/\u62C6\u5206/OCR \u5DE5\u4F5C\u6D41\u3002",
-    description: "\u4F7F\u7528\u8BE5\u6280\u80FD\u53EF\u8BFB\u53D6\u3001\u63D0\u53D6\u3001\u5408\u5E76\u3001\u62C6\u5206\u3001\u65CB\u8F6C\u5E76\u5BF9 PDF \u6267\u884C OCR \u5904\u7406\u3002"
-  },
-  docx: {
-    summary: "Anthropic \u6280\u80FD\uFF0C\u7528\u4E8E\u521B\u5EFA\u548C\u7F16\u8F91 Word \u6587\u6863\u3002",
-    description: "\u4F7F\u7528\u8BE5\u6280\u80FD\u53EF\u521B\u5EFA\u3001\u8BFB\u53D6\u3001\u7F16\u8F91\u5E76\u91CD\u6784 .docx \u6587\u6863\u3002"
-  },
-  pptx: {
-    summary: "Anthropic \u6280\u80FD\uFF0C\u7528\u4E8E\u6F14\u793A\u6587\u7A3F\u64CD\u4F5C\u3002",
-    description: "\u4F7F\u7528\u8BE5\u6280\u80FD\u53EF\u521B\u5EFA\u3001\u89E3\u6790\u3001\u7F16\u8F91\u5E76\u91CD\u7EC4 .pptx \u6F14\u793A\u6587\u7A3F\u3002"
-  },
-  xlsx: {
-    summary: "Anthropic \u6280\u80FD\uFF0C\u7528\u4E8E\u8868\u683C\u6587\u6863\u5DE5\u4F5C\u6D41\u3002",
-    description: "\u4F7F\u7528\u8BE5\u6280\u80FD\u53EF\u6253\u5F00\u3001\u7F16\u8F91\u3001\u6E05\u6D17\u5E76\u8F6C\u6362 .xlsx \u4E0E .csv \u7B49\u8868\u683C\u6587\u4EF6\u3002"
-  },
-  bird: {
-    summary: "OpenClaw \u793E\u533A\u6280\u80FD\uFF0C\u7528\u4E8E X/Twitter \u8BFB\u53D6/\u641C\u7D22/\u53D1\u5E03\u5DE5\u4F5C\u6D41\u3002",
-    description: "\u4F7F\u7528 bird CLI \u5728\u4EE3\u7406\u5DE5\u4F5C\u6D41\u4E2D\u8BFB\u53D6\u7EBF\u7A0B\u3001\u641C\u7D22\u5E16\u5B50\u5E76\u8D77\u8349\u63A8\u6587/\u56DE\u590D\u3002"
-  },
-  "cloudflare-deploy": {
-    summary: "OpenAI \u7CBE\u9009\u6280\u80FD\uFF0C\u7528\u4E8E\u5728 Cloudflare \u4E0A\u90E8\u7F72\u5E94\u7528\u4E0E\u57FA\u7840\u8BBE\u65BD\u3002",
-    description: "\u4F7F\u7528\u8BE5\u6280\u80FD\u53EF\u9009\u62E9 Cloudflare \u4EA7\u54C1\u5E76\u90E8\u7F72 Workers\u3001Pages \u53CA\u76F8\u5173\u670D\u52A1\u3002"
-  },
-  "channel-plugin-discord": {
-    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E Discord \u6E20\u9053\u96C6\u6210\u3002",
-    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B Discord \u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
-  },
-  "channel-plugin-telegram": {
-    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E Telegram \u6E20\u9053\u96C6\u6210\u3002",
-    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B Telegram \u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
-  },
-  "channel-plugin-slack": {
-    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E Slack \u6E20\u9053\u96C6\u6210\u3002",
-    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B Slack \u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
-  },
-  "channel-plugin-wecom": {
-    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E\u4F01\u4E1A\u5FAE\u4FE1\u6E20\u9053\u96C6\u6210\u3002",
-    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B\u4F01\u4E1A\u5FAE\u4FE1\u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
-  },
-  "channel-plugin-email": {
-    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E Email \u6E20\u9053\u96C6\u6210\u3002",
-    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B Email \u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
-  },
-  "channel-plugin-whatsapp": {
-    summary: "NextClaw \u5B98\u65B9\u63D2\u4EF6\uFF0C\u7528\u4E8E WhatsApp \u6E20\u9053\u96C6\u6210\u3002",
-    description: "\u901A\u8FC7 NextClaw \u63D2\u4EF6\u8FD0\u884C\u65F6\u63D0\u4F9B WhatsApp \u6E20\u9053\u7684\u5165\u7AD9/\u51FA\u7AD9\u652F\u6301\u3002"
-  },
-  "channel-plugin-clawbay": {
-    summary: "Clawbay \u5B98\u65B9\u6E20\u9053\u63D2\u4EF6\uFF0C\u7528\u4E8E NextClaw \u96C6\u6210\u3002",
-    description: "\u901A\u8FC7\u63D2\u4EF6\u8FD0\u884C\u65F6\u4E3A NextClaw \u63D0\u4F9B Clawbay \u6E20\u9053\u80FD\u529B\u3002"
-  }
-};
-function readLocalizedMap(value) {
-  const localized = {};
-  if (!isRecord(value)) {
-    return localized;
-  }
-  for (const [key, entry] of Object.entries(value)) {
-    if (typeof entry !== "string" || entry.trim().length === 0) {
-      continue;
-    }
-    localized[key] = entry.trim();
-  }
-  return localized;
-}
-function normalizeLocaleTag(value) {
-  return value.trim().toLowerCase().replace(/_/g, "-");
-}
-function pickLocaleFamilyValue(localized, localeFamily) {
-  const normalizedFamily = normalizeLocaleTag(localeFamily).split("-")[0];
-  if (!normalizedFamily) {
-    return void 0;
-  }
-  let familyMatch;
-  for (const [locale, text] of Object.entries(localized)) {
-    const normalizedLocale = normalizeLocaleTag(locale);
-    if (!normalizedLocale) {
-      continue;
-    }
-    if (normalizedLocale === normalizedFamily) {
-      return text;
-    }
-    if (!familyMatch && normalizedLocale.startsWith(`${normalizedFamily}-`)) {
-      familyMatch = text;
-    }
-  }
-  return familyMatch;
-}
-function normalizeLocalizedTextMap(primaryText, localized, zhFallback) {
-  const next = readLocalizedMap(localized);
-  if (!next.en) {
-    next.en = pickLocaleFamilyValue(next, "en") ?? primaryText;
-  }
-  if (!next.zh) {
-    next.zh = pickLocaleFamilyValue(next, "zh") ?? (zhFallback && zhFallback.trim().length > 0 ? zhFallback.trim() : next.en);
-  }
-  return next;
-}
-function normalizeMarketplaceItemForUi(item) {
-  const zhCopy = MARKETPLACE_ZH_COPY_BY_SLUG[item.slug];
-  const next = {
-    ...item,
-    summaryI18n: normalizeLocalizedTextMap(item.summary, item.summaryI18n, zhCopy?.summary)
-  };
-  if ("description" in item && typeof item.description === "string" && item.description.trim().length > 0) {
-    next.descriptionI18n = normalizeLocalizedTextMap(
-      item.description,
-      item.descriptionI18n,
-      zhCopy?.description
-    );
-  }
-  return next;
+    records: installed.records
+  };
 }
-function toPositiveInt(raw, fallback) {
-  if (!raw) {
-    return fallback;
+function resolvePluginManageTargetId(options, rawTargetId, rawSpec) {
+  const targetId = rawTargetId.trim();
+  if (!targetId && !rawSpec) {
+    return rawTargetId;
   }
-  const parsed = Number.parseInt(raw, 10);
-  if (!Number.isFinite(parsed) || parsed <= 0) {
-    return fallback;
+  const normalizedTarget = targetId ? normalizePluginNpmSpec(targetId).toLowerCase() : "";
+  const normalizedSpec = rawSpec ? normalizePluginNpmSpec(rawSpec).toLowerCase() : "";
+  const pluginRecords = collectInstalledPluginRecords(options).records;
+  const lowerTargetId = targetId.toLowerCase();
+  for (const record of pluginRecords) {
+    const recordId = record.id?.trim();
+    if (recordId && recordId.toLowerCase() === lowerTargetId) {
+      return recordId;
+    }
   }
-  return parsed;
+  if (normalizedTarget) {
+    for (const record of pluginRecords) {
+      const normalizedRecordSpec = normalizePluginNpmSpec(record.spec).toLowerCase();
+      if (normalizedRecordSpec === normalizedTarget && record.id && record.id.trim().length > 0) {
+        return record.id;
+      }
+    }
+  }
+  if (normalizedSpec && normalizedSpec !== normalizedTarget) {
+    for (const record of pluginRecords) {
+      const normalizedRecordSpec = normalizePluginNpmSpec(record.spec).toLowerCase();
+      if (normalizedRecordSpec === normalizedSpec && record.id && record.id.trim().length > 0) {
+        return record.id;
+      }
+    }
+  }
+  return targetId || rawSpec || rawTargetId;
 }
 function collectKnownSkillNames(options) {
   const config = loadConfigOrDefault(options.configPath);
@@ -2608,6 +3482,8 @@ function findUnsupportedSkillInstallKind(items) {
   }
   return null;
 }
+
+// src/ui/router/marketplace/plugin.controller.ts
 async function loadPluginReadmeFromNpm(spec) {
   const encodedSpec = encodeURIComponent(spec);
   const registryUrl = `https://registry.npmjs.org/${encodedSpec}`;
@@ -2673,54 +3549,6 @@ async function buildPluginContentView(item) {
     }, null, 2)
   };
 }
-async function fetchAllMarketplaceItems(params) {
-  const allItems = [];
-  let remotePage = 1;
-  let remoteTotalPages = 1;
-  let sort = "relevance";
-  let query;
-  while (remotePage <= remoteTotalPages && remotePage <= MARKETPLACE_REMOTE_MAX_PAGES) {
-    const result = await fetchMarketplaceData({
-      baseUrl: params.baseUrl,
-      path: `/api/v1/${params.segment}/items`,
-      query: {
-        ...params.query,
-        page: String(remotePage),
-        pageSize: String(MARKETPLACE_REMOTE_PAGE_SIZE)
-      }
-    });
-    if (!result.ok) {
-      return result;
-    }
-    allItems.push(...result.data.items);
-    remoteTotalPages = result.data.totalPages;
-    sort = result.data.sort;
-    query = result.data.query;
-    remotePage += 1;
-  }
-  return {
-    ok: true,
-    data: {
-      sort,
-      query,
-      items: allItems
-    }
-  };
-}
-async function fetchAllPluginMarketplaceItems(params) {
-  return await fetchAllMarketplaceItems({
-    baseUrl: params.baseUrl,
-    segment: "plugins",
-    query: params.query
-  });
-}
-async function fetchAllSkillMarketplaceItems(params) {
-  return await fetchAllMarketplaceItems({
-    baseUrl: params.baseUrl,
-    segment: "skills",
-    query: params.query
-  });
-}
 async function installMarketplacePlugin(params) {
   const spec = typeof params.body.spec === "string" ? params.body.spec.trim() : "";
   if (!spec) {
@@ -2742,33 +3570,6 @@ async function installMarketplacePlugin(params) {
     output: result.output
   };
 }
-async function installMarketplaceSkill(params) {
-  const spec = typeof params.body.spec === "string" ? params.body.spec.trim() : "";
-  if (!spec) {
-    throw new Error("INVALID_BODY:non-empty spec is required");
-  }
-  const installer = params.options.marketplace?.installer;
-  if (!installer) {
-    throw new Error("NOT_AVAILABLE:marketplace installer is not configured");
-  }
-  if (!installer.installSkill) {
-    throw new Error("NOT_AVAILABLE:skill installer is not configured");
-  }
-  const result = await installer.installSkill({
-    slug: spec,
-    kind: params.body.kind,
-    skill: params.body.skill,
-    installPath: params.body.installPath,
-    force: params.body.force
-  });
-  params.options.publish({ type: "config.updated", payload: { path: "skills" } });
-  return {
-    type: "skill",
-    spec,
-    message: result.message,
-    output: result.output
-  };
-}
 async function manageMarketplacePlugin(params) {
   const action = params.body.action;
   const requestedTargetId = typeof params.body.id === "string" && params.body.id.trim().length > 0 ? params.body.id.trim() : typeof params.body.spec === "string" && params.body.spec.trim().length > 0 ? params.body.spec.trim() : "";
@@ -2783,197 +3584,42 @@ async function manageMarketplacePlugin(params) {
   }
   let result;
   if (action === "enable") {
-    if (!installer.enablePlugin) {
-      throw new Error("NOT_AVAILABLE:plugin enable is not configured");
-    }
-    result = await installer.enablePlugin(targetId);
-  } else if (action === "disable") {
-    if (!installer.disablePlugin) {
-      throw new Error("NOT_AVAILABLE:plugin disable is not configured");
-    }
-    result = await installer.disablePlugin(targetId);
-  } else {
-    if (!installer.uninstallPlugin) {
-      throw new Error("NOT_AVAILABLE:plugin uninstall is not configured");
-    }
-    result = await installer.uninstallPlugin(targetId);
-  }
-  params.options.publish({ type: "config.updated", payload: { path: "plugins" } });
-  return {
-    type: "plugin",
-    action,
-    id: targetId,
-    message: result.message,
-    output: result.output
-  };
-}
-async function manageMarketplaceSkill(params) {
-  const action = params.body.action;
-  const targetId = typeof params.body.id === "string" && params.body.id.trim().length > 0 ? params.body.id.trim() : typeof params.body.spec === "string" && params.body.spec.trim().length > 0 ? params.body.spec.trim() : "";
-  if (action !== "uninstall" || !targetId) {
-    throw new Error("INVALID_BODY:skill manage requires uninstall action and non-empty id/spec");
-  }
-  const installer = params.options.marketplace?.installer;
-  if (!installer) {
-    throw new Error("NOT_AVAILABLE:marketplace installer is not configured");
-  }
-  if (!installer.uninstallSkill) {
-    throw new Error("NOT_AVAILABLE:skill uninstall is not configured");
-  }
-  const result = await installer.uninstallSkill(targetId);
-  params.options.publish({ type: "config.updated", payload: { path: "skills" } });
-  return {
-    type: "skill",
-    action,
-    id: targetId,
-    message: result.message,
-    output: result.output
-  };
-}
-function registerPluginMarketplaceRoutes(app, options, marketplaceBaseUrl) {
-  app.get("/api/marketplace/plugins/installed", (c) => {
-    return c.json(ok(collectPluginMarketplaceInstalledView(options)));
-  });
-  app.get("/api/marketplace/plugins/items", async (c) => {
-    const query = c.req.query();
-    const result = await fetchAllPluginMarketplaceItems({
-      baseUrl: marketplaceBaseUrl,
-      query: {
-        q: query.q,
-        tag: query.tag,
-        sort: query.sort,
-        page: query.page,
-        pageSize: query.pageSize
-      }
-    });
-    if (!result.ok) {
-      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
-    }
-    const filteredItems = result.data.items.map((item) => normalizeMarketplaceItemForUi(sanitizeMarketplaceItem(item))).filter((item) => isSupportedMarketplacePluginItem(item));
-    const pageSize = Math.min(100, toPositiveInt(query.pageSize, 20));
-    const requestedPage = toPositiveInt(query.page, 1);
-    const totalPages = filteredItems.length === 0 ? 0 : Math.ceil(filteredItems.length / pageSize);
-    const currentPage = totalPages === 0 ? 1 : Math.min(requestedPage, totalPages);
-    return c.json(ok({
-      total: filteredItems.length,
-      page: currentPage,
-      pageSize,
-      totalPages,
-      sort: result.data.sort,
-      query: result.data.query,
-      items: filteredItems.slice((currentPage - 1) * pageSize, currentPage * pageSize)
-    }));
-  });
-  app.get("/api/marketplace/plugins/items/:slug", async (c) => {
-    const slug = encodeURIComponent(c.req.param("slug"));
-    const result = await fetchMarketplaceData({
-      baseUrl: marketplaceBaseUrl,
-      path: `/api/v1/plugins/items/${slug}`
-    });
-    if (!result.ok) {
-      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
-    }
-    const sanitized = normalizeMarketplaceItemForUi(sanitizeMarketplaceItem(result.data));
-    if (!isSupportedMarketplacePluginItem(sanitized)) {
-      return c.json(err("NOT_FOUND", "marketplace item not supported by nextclaw"), 404);
-    }
-    return c.json(ok(sanitized));
-  });
-  app.get("/api/marketplace/plugins/items/:slug/content", async (c) => {
-    const slug = encodeURIComponent(c.req.param("slug"));
-    const result = await fetchMarketplaceData({
-      baseUrl: marketplaceBaseUrl,
-      path: `/api/v1/plugins/items/${slug}`
-    });
-    if (!result.ok) {
-      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
-    }
-    const sanitized = normalizeMarketplaceItemForUi(sanitizeMarketplaceItem(result.data));
-    if (!isSupportedMarketplacePluginItem(sanitized)) {
-      return c.json(err("NOT_FOUND", "marketplace item not supported by nextclaw"), 404);
-    }
-    const content = await buildPluginContentView(sanitized);
-    return c.json(ok(content));
-  });
-  app.post("/api/marketplace/plugins/install", async (c) => {
-    const body = await readJson(c.req.raw);
-    if (!body.ok || !body.data || typeof body.data !== "object") {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    if (body.data.type && body.data.type !== "plugin") {
-      return c.json(err("INVALID_BODY", "body.type does not match route type"), 400);
-    }
-    try {
-      const payload = await installMarketplacePlugin({
-        options,
-        body: body.data
-      });
-      return c.json(ok(payload));
-    } catch (error) {
-      const message = String(error);
-      if (message.startsWith("INVALID_BODY:")) {
-        return c.json(err("INVALID_BODY", message.slice("INVALID_BODY:".length)), 400);
-      }
-      if (message.startsWith("NOT_AVAILABLE:")) {
-        return c.json(err("NOT_AVAILABLE", message.slice("NOT_AVAILABLE:".length)), 503);
-      }
-      return c.json(err("INSTALL_FAILED", message), 400);
-    }
-  });
-  app.post("/api/marketplace/plugins/manage", async (c) => {
-    const body = await readJson(c.req.raw);
-    if (!body.ok || !body.data || typeof body.data !== "object") {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    if (body.data.type && body.data.type !== "plugin") {
-      return c.json(err("INVALID_BODY", "body.type does not match route type"), 400);
-    }
-    try {
-      const payload = await manageMarketplacePlugin({
-        options,
-        body: body.data
-      });
-      return c.json(ok(payload));
-    } catch (error) {
-      const message = String(error);
-      if (message.startsWith("INVALID_BODY:")) {
-        return c.json(err("INVALID_BODY", message.slice("INVALID_BODY:".length)), 400);
-      }
-      if (message.startsWith("NOT_AVAILABLE:")) {
-        return c.json(err("NOT_AVAILABLE", message.slice("NOT_AVAILABLE:".length)), 503);
-      }
-      return c.json(err("MANAGE_FAILED", message), 400);
-    }
-  });
-  app.get("/api/marketplace/plugins/recommendations", async (c) => {
-    const query = c.req.query();
-    const result = await fetchMarketplaceData({
-      baseUrl: marketplaceBaseUrl,
-      path: "/api/v1/plugins/recommendations",
-      query: {
-        scene: query.scene,
-        limit: query.limit
-      }
-    });
-    if (!result.ok) {
-      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
+    if (!installer.enablePlugin) {
+      throw new Error("NOT_AVAILABLE:plugin enable is not configured");
     }
-    const filteredItems = result.data.items.map((item) => normalizeMarketplaceItemForUi(sanitizeMarketplaceItem(item))).filter((item) => isSupportedMarketplacePluginItem(item));
-    return c.json(ok({
-      ...result.data,
-      total: filteredItems.length,
-      items: filteredItems
-    }));
-  });
+    result = await installer.enablePlugin(targetId);
+  } else if (action === "disable") {
+    if (!installer.disablePlugin) {
+      throw new Error("NOT_AVAILABLE:plugin disable is not configured");
+    }
+    result = await installer.disablePlugin(targetId);
+  } else {
+    if (!installer.uninstallPlugin) {
+      throw new Error("NOT_AVAILABLE:plugin uninstall is not configured");
+    }
+    result = await installer.uninstallPlugin(targetId);
+  }
+  params.options.publish({ type: "config.updated", payload: { path: "plugins" } });
+  return {
+    type: "plugin",
+    action,
+    id: targetId,
+    message: result.message,
+    output: result.output
+  };
 }
-function registerSkillMarketplaceRoutes(app, options, marketplaceBaseUrl) {
-  app.get("/api/marketplace/skills/installed", (c) => {
-    return c.json(ok(collectSkillMarketplaceInstalledView(options)));
-  });
-  app.get("/api/marketplace/skills/items", async (c) => {
+var PluginMarketplaceController = class {
+  constructor(options, marketplaceBaseUrl) {
+    this.options = options;
+    this.marketplaceBaseUrl = marketplaceBaseUrl;
+  }
+  getInstalled = (c) => {
+    return c.json(ok(collectPluginMarketplaceInstalledView(this.options)));
+  };
+  listItems = async (c) => {
     const query = c.req.query();
-    const result = await fetchAllSkillMarketplaceItems({
-      baseUrl: marketplaceBaseUrl,
+    const result = await fetchAllPluginMarketplaceItems({
+      baseUrl: this.marketplaceBaseUrl,
       query: {
         q: query.q,
         tag: query.tag,
@@ -2985,16 +3631,7 @@ function registerSkillMarketplaceRoutes(app, options, marketplaceBaseUrl) {
     if (!result.ok) {
       return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
     }
-    const normalizedItems = result.data.items.map((item) => normalizeMarketplaceItemForUi(sanitizeMarketplaceItem(item)));
-    const unsupportedKind = findUnsupportedSkillInstallKind(normalizedItems);
-    if (unsupportedKind) {
-      return c.json(
-        err("MARKETPLACE_CONTRACT_MISMATCH", `unsupported skill install kind from marketplace api: ${unsupportedKind}`),
-        502
-      );
-    }
-    const knownSkillNames = collectKnownSkillNames(options);
-    const filteredItems = normalizedItems.filter((item) => isSupportedMarketplaceSkillItem(item, knownSkillNames));
+    const filteredItems = sanitizeMarketplaceListItems(result.data.items).map((item) => normalizeMarketplaceItemForUi(item)).filter((item) => isSupportedMarketplacePluginItem(item));
     const pageSize = Math.min(100, toPositiveInt(query.pageSize, 20));
     const requestedPage = toPositiveInt(query.page, 1);
     const totalPages = filteredItems.length === 0 ? 0 : Math.ceil(filteredItems.length / pageSize);
@@ -3008,825 +3645,362 @@ function registerSkillMarketplaceRoutes(app, options, marketplaceBaseUrl) {
       query: result.data.query,
       items: filteredItems.slice((currentPage - 1) * pageSize, currentPage * pageSize)
     }));
-  });
-  app.get("/api/marketplace/skills/items/:slug", async (c) => {
-    const slug = encodeURIComponent(c.req.param("slug"));
-    const result = await fetchMarketplaceData({
-      baseUrl: marketplaceBaseUrl,
-      path: `/api/v1/skills/items/${slug}`
-    });
-    if (!result.ok) {
-      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
-    }
-    const knownSkillNames = collectKnownSkillNames(options);
-    const sanitized = normalizeMarketplaceItemForUi(sanitizeMarketplaceItem(result.data));
-    const unsupportedKind = findUnsupportedSkillInstallKind([sanitized]);
-    if (unsupportedKind) {
-      return c.json(
-        err("MARKETPLACE_CONTRACT_MISMATCH", `unsupported skill install kind from marketplace api: ${unsupportedKind}`),
-        502
-      );
-    }
-    if (!isSupportedMarketplaceSkillItem(sanitized, knownSkillNames)) {
-      return c.json(err("NOT_FOUND", "marketplace item not supported by nextclaw"), 404);
-    }
-    return c.json(ok(sanitized));
-  });
-  app.get("/api/marketplace/skills/items/:slug/content", async (c) => {
+  };
+  getItem = async (c) => {
     const slug = encodeURIComponent(c.req.param("slug"));
     const result = await fetchMarketplaceData({
-      baseUrl: marketplaceBaseUrl,
-      path: `/api/v1/skills/items/${slug}`
-    });
-    if (!result.ok) {
-      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
-    }
-    const knownSkillNames = collectKnownSkillNames(options);
-    const sanitized = normalizeMarketplaceItemForUi(sanitizeMarketplaceItem(result.data));
-    const unsupportedKind = findUnsupportedSkillInstallKind([sanitized]);
-    if (unsupportedKind) {
-      return c.json(
-        err("MARKETPLACE_CONTRACT_MISMATCH", `unsupported skill install kind from marketplace api: ${unsupportedKind}`),
-        502
-      );
-    }
-    if (!isSupportedMarketplaceSkillItem(sanitized, knownSkillNames)) {
-      return c.json(err("NOT_FOUND", "marketplace item not supported by nextclaw"), 404);
-    }
-    const contentResult = await fetchMarketplaceData({
-      baseUrl: marketplaceBaseUrl,
-      path: `/api/v1/skills/items/${slug}/content`
-    });
-    if (!contentResult.ok) {
-      return c.json(err("MARKETPLACE_UNAVAILABLE", contentResult.message), contentResult.status);
-    }
-    return c.json(ok(contentResult.data));
-  });
-  app.post("/api/marketplace/skills/install", async (c) => {
-    const body = await readJson(c.req.raw);
-    if (!body.ok || !body.data || typeof body.data !== "object") {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    if (body.data.type && body.data.type !== "skill") {
-      return c.json(err("INVALID_BODY", "body.type does not match route type"), 400);
-    }
-    try {
-      const payload = await installMarketplaceSkill({
-        options,
-        body: body.data
-      });
-      return c.json(ok(payload));
-    } catch (error) {
-      const message = String(error);
-      if (message.startsWith("INVALID_BODY:")) {
-        return c.json(err("INVALID_BODY", message.slice("INVALID_BODY:".length)), 400);
-      }
-      if (message.startsWith("NOT_AVAILABLE:")) {
-        return c.json(err("NOT_AVAILABLE", message.slice("NOT_AVAILABLE:".length)), 503);
-      }
-      return c.json(err("INSTALL_FAILED", message), 400);
-    }
-  });
-  app.post("/api/marketplace/skills/manage", async (c) => {
-    const body = await readJson(c.req.raw);
-    if (!body.ok || !body.data || typeof body.data !== "object") {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    if (body.data.type && body.data.type !== "skill") {
-      return c.json(err("INVALID_BODY", "body.type does not match route type"), 400);
-    }
-    try {
-      const payload = await manageMarketplaceSkill({
-        options,
-        body: body.data
-      });
-      return c.json(ok(payload));
-    } catch (error) {
-      const message = String(error);
-      if (message.startsWith("INVALID_BODY:")) {
-        return c.json(err("INVALID_BODY", message.slice("INVALID_BODY:".length)), 400);
-      }
-      if (message.startsWith("NOT_AVAILABLE:")) {
-        return c.json(err("NOT_AVAILABLE", message.slice("NOT_AVAILABLE:".length)), 503);
-      }
-      return c.json(err("MANAGE_FAILED", message), 400);
-    }
-  });
-  app.get("/api/marketplace/skills/recommendations", async (c) => {
-    const query = c.req.query();
-    const result = await fetchMarketplaceData({
-      baseUrl: marketplaceBaseUrl,
-      path: "/api/v1/skills/recommendations",
-      query: {
-        scene: query.scene,
-        limit: query.limit
-      }
+      baseUrl: this.marketplaceBaseUrl,
+      path: `/api/v1/plugins/items/${slug}`
     });
     if (!result.ok) {
-      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
-    }
-    const knownSkillNames = collectKnownSkillNames(options);
-    const filteredItems = result.data.items.map((item) => normalizeMarketplaceItemForUi(sanitizeMarketplaceItem(item))).filter((item) => isSupportedMarketplaceSkillItem(item, knownSkillNames));
-    return c.json(ok({
-      ...result.data,
-      total: filteredItems.length,
-      items: filteredItems
-    }));
-  });
-}
-function registerMarketplaceRoutes(app, options, marketplaceBaseUrl) {
-  registerPluginMarketplaceRoutes(app, options, marketplaceBaseUrl);
-  registerSkillMarketplaceRoutes(app, options, marketplaceBaseUrl);
-}
-function createUiRouter(options) {
-  const app = new Hono();
-  const marketplaceBaseUrl = normalizeMarketplaceBaseUrl(options);
-  app.notFound((c) => c.json(err("NOT_FOUND", "endpoint not found"), 404));
-  app.get(
-    "/api/health",
-    (c) => c.json(
-      ok({
-        status: "ok",
-        services: {
-          chatRuntime: options.chatRuntime ? "ready" : "unavailable",
-          cronService: options.cronService ? "ready" : "unavailable"
-        }
-      })
-    )
-  );
-  app.get("/api/app/meta", (c) => c.json(ok(buildAppMetaView(options))));
-  app.get("/api/config", (c) => {
-    const config = loadConfigOrDefault(options.configPath);
-    return c.json(ok(buildConfigView(config)));
-  });
-  app.get("/api/config/meta", (c) => {
-    const config = loadConfigOrDefault(options.configPath);
-    return c.json(ok(buildConfigMeta(config)));
-  });
-  app.get("/api/config/schema", (c) => {
-    const config = loadConfigOrDefault(options.configPath);
-    return c.json(ok(buildConfigSchemaView(config)));
-  });
-  app.put("/api/config/model", async (c) => {
-    const body = await readJson(c.req.raw);
-    if (!body.ok) {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    const hasModel = typeof body.data.model === "string";
-    if (!hasModel) {
-      return c.json(err("INVALID_BODY", "model is required"), 400);
-    }
-    const view = updateModel(options.configPath, {
-      model: body.data.model
-    });
-    if (hasModel) {
-      options.publish({ type: "config.updated", payload: { path: "agents.defaults.model" } });
-    }
-    return c.json(ok({
-      model: view.agents.defaults.model
-    }));
-  });
-  app.put("/api/config/search", async (c) => {
-    const body = await readJson(c.req.raw);
-    if (!body.ok) {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    const result = updateSearch(options.configPath, body.data);
-    options.publish({ type: "config.updated", payload: { path: "search" } });
-    return c.json(ok(result));
-  });
-  app.put("/api/config/providers/:provider", async (c) => {
-    const provider = c.req.param("provider");
-    const body = await readJson(c.req.raw);
-    if (!body.ok) {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    const result = updateProvider(options.configPath, provider, body.data);
-    if (!result) {
-      return c.json(err("NOT_FOUND", `unknown provider: ${provider}`), 404);
-    }
-    options.publish({ type: "config.updated", payload: { path: `providers.${provider}` } });
-    return c.json(ok(result));
-  });
-  app.post("/api/config/providers", async (c) => {
-    const body = await readJson(c.req.raw);
-    if (!body.ok) {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    const result = createCustomProvider(
-      options.configPath,
-      body.data
-    );
-    options.publish({ type: "config.updated", payload: { path: `providers.${result.name}` } });
-    return c.json(ok({
-      name: result.name,
-      provider: result.provider
-    }));
-  });
-  app.delete("/api/config/providers/:provider", async (c) => {
-    const provider = c.req.param("provider");
-    const result = deleteCustomProvider(options.configPath, provider);
-    if (result === null) {
-      return c.json(err("NOT_FOUND", `custom provider not found: ${provider}`), 404);
-    }
-    options.publish({ type: "config.updated", payload: { path: `providers.${provider}` } });
-    return c.json(ok({
-      deleted: true,
-      provider
-    }));
-  });
-  app.post("/api/config/providers/:provider/test", async (c) => {
-    const provider = c.req.param("provider");
-    const body = await readJson(c.req.raw);
-    if (!body.ok) {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    const result = await testProviderConnection(
-      options.configPath,
-      provider,
-      body.data
-    );
-    if (!result) {
-      return c.json(err("NOT_FOUND", `unknown provider: ${provider}`), 404);
-    }
-    return c.json(ok(result));
-  });
-  app.post("/api/config/providers/:provider/auth/start", async (c) => {
-    const provider = c.req.param("provider");
-    let payload = {};
-    const rawBody = await c.req.raw.text();
-    if (rawBody.trim().length > 0) {
-      try {
-        payload = JSON.parse(rawBody);
-      } catch {
-        return c.json(err("INVALID_BODY", "invalid json body"), 400);
-      }
-    }
-    const methodId = typeof payload.methodId === "string" ? payload.methodId.trim() : void 0;
-    try {
-      const result = await startProviderAuth(options.configPath, provider, {
-        methodId
-      });
-      if (!result) {
-        return c.json(err("NOT_SUPPORTED", `provider auth is not supported: ${provider}`), 404);
-      }
-      return c.json(ok(result));
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      return c.json(err("AUTH_START_FAILED", message), 400);
-    }
-  });
-  app.post("/api/config/providers/:provider/auth/poll", async (c) => {
-    const provider = c.req.param("provider");
-    const body = await readJson(c.req.raw);
-    if (!body.ok) {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
     }
-    const sessionId = typeof body.data.sessionId === "string" ? body.data.sessionId.trim() : "";
-    if (!sessionId) {
-      return c.json(err("INVALID_BODY", "sessionId is required"), 400);
+    const sanitized = normalizeMarketplaceItemForUi(sanitizeMarketplaceItemView(result.data));
+    if (!isSupportedMarketplacePluginItem(sanitized)) {
+      return c.json(err("NOT_FOUND", "marketplace item not supported by nextclaw"), 404);
     }
-    const result = await pollProviderAuth({
-      configPath: options.configPath,
-      providerName: provider,
-      sessionId
+    return c.json(ok(sanitized));
+  };
+  getItemContent = async (c) => {
+    const slug = encodeURIComponent(c.req.param("slug"));
+    const result = await fetchMarketplaceData({
+      baseUrl: this.marketplaceBaseUrl,
+      path: `/api/v1/plugins/items/${slug}`
     });
-    if (!result) {
-      return c.json(err("NOT_FOUND", "provider auth session not found"), 404);
-    }
-    if (result.status === "authorized") {
-      options.publish({ type: "config.updated", payload: { path: `providers.${provider}` } });
+    if (!result.ok) {
+      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
     }
-    return c.json(ok(result));
-  });
-  app.post("/api/config/providers/:provider/auth/import-cli", async (c) => {
-    const provider = c.req.param("provider");
-    try {
-      const result = await importProviderAuthFromCli(options.configPath, provider);
-      if (!result) {
-        return c.json(err("NOT_SUPPORTED", `provider cli auth import is not supported: ${provider}`), 404);
-      }
-      options.publish({ type: "config.updated", payload: { path: `providers.${provider}` } });
-      return c.json(ok(result));
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      return c.json(err("AUTH_IMPORT_FAILED", message), 400);
+    const sanitized = normalizeMarketplaceItemForUi(sanitizeMarketplaceItemView(result.data));
+    if (!isSupportedMarketplacePluginItem(sanitized)) {
+      return c.json(err("NOT_FOUND", "marketplace item not supported by nextclaw"), 404);
     }
-  });
-  app.put("/api/config/channels/:channel", async (c) => {
-    const channel = c.req.param("channel");
+    const content = await buildPluginContentView(sanitized);
+    return c.json(ok(content));
+  };
+  install = async (c) => {
     const body = await readJson(c.req.raw);
-    if (!body.ok) {
+    if (!body.ok || !body.data || typeof body.data !== "object") {
       return c.json(err("INVALID_BODY", "invalid json body"), 400);
     }
-    const result = updateChannel(options.configPath, channel, body.data);
-    if (!result) {
-      return c.json(err("NOT_FOUND", `unknown channel: ${channel}`), 404);
+    if (body.data.type && body.data.type !== "plugin") {
+      return c.json(err("INVALID_BODY", "body.type does not match route type"), 400);
     }
-    options.publish({ type: "config.updated", payload: { path: `channels.${channel}` } });
-    return c.json(ok(result));
-  });
-  app.put("/api/config/secrets", async (c) => {
+    try {
+      const payload = await installMarketplacePlugin({
+        options: this.options,
+        body: body.data
+      });
+      return c.json(ok(payload));
+    } catch (error) {
+      const message = String(error);
+      if (message.startsWith("INVALID_BODY:")) {
+        return c.json(err("INVALID_BODY", message.slice("INVALID_BODY:".length)), 400);
+      }
+      if (message.startsWith("NOT_AVAILABLE:")) {
+        return c.json(err("NOT_AVAILABLE", message.slice("NOT_AVAILABLE:".length)), 503);
+      }
+      return c.json(err("INSTALL_FAILED", message), 400);
+    }
+  };
+  manage = async (c) => {
     const body = await readJson(c.req.raw);
-    if (!body.ok) {
+    if (!body.ok || !body.data || typeof body.data !== "object") {
       return c.json(err("INVALID_BODY", "invalid json body"), 400);
     }
-    const result = updateSecrets(options.configPath, body.data);
-    options.publish({ type: "config.updated", payload: { path: "secrets" } });
-    return c.json(ok(result));
-  });
-  app.get("/api/chat/capabilities", async (c) => {
-    const chatRuntime = options.chatRuntime;
-    if (!chatRuntime) {
-      return c.json(err("NOT_AVAILABLE", "chat runtime unavailable"), 503);
-    }
-    const query = c.req.query();
-    const params = {
-      sessionKey: readNonEmptyString(query.sessionKey),
-      agentId: readNonEmptyString(query.agentId)
-    };
-    try {
-      const capabilities = chatRuntime.getCapabilities ? await chatRuntime.getCapabilities(params) : { stopSupported: Boolean(chatRuntime.stopTurn) };
-      return c.json(ok(capabilities));
-    } catch (error) {
-      return c.json(err("CHAT_RUNTIME_FAILED", String(error)), 500);
+    if (body.data.type && body.data.type !== "plugin") {
+      return c.json(err("INVALID_BODY", "body.type does not match route type"), 400);
     }
-  });
-  app.get("/api/chat/session-types", async (c) => {
     try {
-      const payload = await buildChatSessionTypesView(options.chatRuntime);
+      const payload = await manageMarketplacePlugin({
+        options: this.options,
+        body: body.data
+      });
       return c.json(ok(payload));
     } catch (error) {
-      return c.json(err("CHAT_SESSION_TYPES_FAILED", String(error)), 500);
+      const message = String(error);
+      if (message.startsWith("INVALID_BODY:")) {
+        return c.json(err("INVALID_BODY", message.slice("INVALID_BODY:".length)), 400);
+      }
+      if (message.startsWith("NOT_AVAILABLE:")) {
+        return c.json(err("NOT_AVAILABLE", message.slice("NOT_AVAILABLE:".length)), 503);
+      }
+      return c.json(err("MANAGE_FAILED", message), 400);
     }
-  });
-  app.get("/api/chat/commands", async (c) => {
-    try {
-      const config = loadConfigOrDefault(options.configPath);
-      const registry = new NextclawCore.CommandRegistry(config);
-      const commands = registry.listSlashCommands().map((command) => ({
-        name: command.name,
-        description: command.description,
-        ...Array.isArray(command.options) && command.options.length > 0 ? {
-          options: command.options.map((option) => ({
-            name: option.name,
-            description: option.description,
-            type: option.type,
-            ...option.required === true ? { required: true } : {}
-          }))
-        } : {}
-      }));
-      const payload = {
-        commands,
-        total: commands.length
-      };
-      return c.json(ok(payload));
-    } catch (error) {
-      return c.json(err("CHAT_COMMANDS_FAILED", String(error)), 500);
+  };
+  getRecommendations = async (c) => {
+    const query = c.req.query();
+    const result = await fetchMarketplaceData({
+      baseUrl: this.marketplaceBaseUrl,
+      path: "/api/v1/plugins/recommendations",
+      query: {
+        scene: query.scene,
+        limit: query.limit
+      }
+    });
+    if (!result.ok) {
+      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
     }
+    const filteredItems = sanitizeMarketplaceListItems(result.data.items).map((item) => normalizeMarketplaceItemForUi(item)).filter((item) => isSupportedMarketplacePluginItem(item));
+    return c.json(ok({
+      ...result.data,
+      total: filteredItems.length,
+      items: filteredItems
+    }));
+  };
+};
+
+// src/ui/router/marketplace/skill.controller.ts
+async function installMarketplaceSkill(params) {
+  const spec = typeof params.body.spec === "string" ? params.body.spec.trim() : "";
+  if (!spec) {
+    throw new Error("INVALID_BODY:non-empty spec is required");
+  }
+  const installer = params.options.marketplace?.installer;
+  if (!installer) {
+    throw new Error("NOT_AVAILABLE:marketplace installer is not configured");
+  }
+  if (!installer.installSkill) {
+    throw new Error("NOT_AVAILABLE:skill installer is not configured");
+  }
+  const result = await installer.installSkill({
+    slug: spec,
+    kind: params.body.kind,
+    skill: params.body.skill,
+    installPath: params.body.installPath,
+    force: params.body.force
   });
-  app.post("/api/chat/turn", async (c) => {
-    if (!options.chatRuntime) {
-      return c.json(err("NOT_AVAILABLE", "chat runtime unavailable"), 503);
-    }
-    const body = await readJson(c.req.raw);
-    if (!body.ok) {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+  params.options.publish({ type: "config.updated", payload: { path: "skills" } });
+  return {
+    type: "skill",
+    spec,
+    message: result.message,
+    output: result.output
+  };
+}
+async function manageMarketplaceSkill(params) {
+  const action = params.body.action;
+  const targetId = typeof params.body.id === "string" && params.body.id.trim().length > 0 ? params.body.id.trim() : typeof params.body.spec === "string" && params.body.spec.trim().length > 0 ? params.body.spec.trim() : "";
+  if (action !== "uninstall" || !targetId) {
+    throw new Error("INVALID_BODY:skill manage requires uninstall action and non-empty id/spec");
+  }
+  const installer = params.options.marketplace?.installer;
+  if (!installer) {
+    throw new Error("NOT_AVAILABLE:marketplace installer is not configured");
+  }
+  if (!installer.uninstallSkill) {
+    throw new Error("NOT_AVAILABLE:skill uninstall is not configured");
+  }
+  const result = await installer.uninstallSkill(targetId);
+  params.options.publish({ type: "config.updated", payload: { path: "skills" } });
+  return {
+    type: "skill",
+    action,
+    id: targetId,
+    message: result.message,
+    output: result.output
+  };
+}
+var SkillMarketplaceController = class {
+  constructor(options, marketplaceBaseUrl) {
+    this.options = options;
+    this.marketplaceBaseUrl = marketplaceBaseUrl;
+  }
+  getInstalled = (c) => {
+    return c.json(ok(collectSkillMarketplaceInstalledView(this.options)));
+  };
+  listItems = async (c) => {
+    const query = c.req.query();
+    const result = await fetchAllSkillMarketplaceItems({
+      baseUrl: this.marketplaceBaseUrl,
+      query: {
+        q: query.q,
+        tag: query.tag,
+        sort: query.sort,
+        page: query.page,
+        pageSize: query.pageSize
+      }
+    });
+    if (!result.ok) {
+      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
     }
-    const message = readNonEmptyString(body.data.message);
-    if (!message) {
-      return c.json(err("INVALID_BODY", "message is required"), 400);
+    const normalizedItems = sanitizeMarketplaceListItems(result.data.items).map((item) => normalizeMarketplaceItemForUi(item));
+    const unsupportedKind = findUnsupportedSkillInstallKind(normalizedItems);
+    if (unsupportedKind) {
+      return c.json(
+        err("MARKETPLACE_CONTRACT_MISMATCH", `unsupported skill install kind from marketplace api: ${unsupportedKind}`),
+        502
+      );
     }
-    const sessionKey = readNonEmptyString(body.data.sessionKey) ?? `ui:${Date.now().toString(36)}:${Math.random().toString(36).slice(2, 8)}`;
-    const requestedAt = /* @__PURE__ */ new Date();
-    const startedAtMs = requestedAt.getTime();
-    const metadata = isRecord(body.data.metadata) ? body.data.metadata : void 0;
-    const requestedAgentId = readNonEmptyString(body.data.agentId) ?? resolveAgentIdFromSessionKey(sessionKey);
-    const requestedModel = readNonEmptyString(body.data.model);
-    const request = {
-      message,
-      sessionKey,
-      channel: readNonEmptyString(body.data.channel) ?? "ui",
-      chatId: readNonEmptyString(body.data.chatId) ?? "web-ui",
-      ...requestedAgentId ? { agentId: requestedAgentId } : {},
-      ...requestedModel ? { model: requestedModel } : {},
-      ...metadata ? { metadata } : {}
-    };
-    try {
-      const result = await options.chatRuntime.processTurn(request);
-      const response = buildChatTurnView({
-        result,
-        fallbackSessionKey: sessionKey,
-        requestedAgentId,
-        requestedModel,
-        requestedAt,
-        startedAtMs
-      });
-      options.publish({ type: "config.updated", payload: { path: "session" } });
-      return c.json(ok(response));
-    } catch (error) {
-      return c.json(err("CHAT_TURN_FAILED", formatUserFacingError(error)), 500);
+    const knownSkillNames = collectKnownSkillNames(this.options);
+    const filteredItems = normalizedItems.filter((item) => isSupportedMarketplaceSkillItem(item, knownSkillNames));
+    const pageSize = Math.min(100, toPositiveInt(query.pageSize, 20));
+    const requestedPage = toPositiveInt(query.page, 1);
+    const totalPages = filteredItems.length === 0 ? 0 : Math.ceil(filteredItems.length / pageSize);
+    const currentPage = totalPages === 0 ? 1 : Math.min(requestedPage, totalPages);
+    return c.json(ok({
+      total: filteredItems.length,
+      page: currentPage,
+      pageSize,
+      totalPages,
+      sort: result.data.sort,
+      query: result.data.query,
+      items: filteredItems.slice((currentPage - 1) * pageSize, currentPage * pageSize)
+    }));
+  };
+  getItem = async (c) => {
+    const slug = encodeURIComponent(c.req.param("slug"));
+    const result = await fetchMarketplaceData({
+      baseUrl: this.marketplaceBaseUrl,
+      path: `/api/v1/skills/items/${slug}`
+    });
+    if (!result.ok) {
+      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
     }
-  });
-  app.post("/api/chat/turn/stop", async (c) => {
-    const chatRuntime = options.chatRuntime;
-    if (!chatRuntime?.stopTurn) {
-      return c.json(err("NOT_AVAILABLE", "chat turn stop is not supported by runtime"), 503);
+    const knownSkillNames = collectKnownSkillNames(this.options);
+    const sanitized = normalizeMarketplaceItemForUi(sanitizeMarketplaceItemView(result.data));
+    const unsupportedKind = findUnsupportedSkillInstallKind([sanitized]);
+    if (unsupportedKind) {
+      return c.json(
+        err("MARKETPLACE_CONTRACT_MISMATCH", `unsupported skill install kind from marketplace api: ${unsupportedKind}`),
+        502
+      );
     }
-    const body = await readJson(c.req.raw);
-    if (!body.ok || !body.data || typeof body.data !== "object") {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
+    if (!isSupportedMarketplaceSkillItem(sanitized, knownSkillNames)) {
+      return c.json(err("NOT_FOUND", "marketplace item not supported by nextclaw"), 404);
     }
-    const runId = readNonEmptyString(body.data.runId);
-    if (!runId) {
-      return c.json(err("INVALID_BODY", "runId is required"), 400);
+    return c.json(ok(sanitized));
+  };
+  getItemContent = async (c) => {
+    const slug = encodeURIComponent(c.req.param("slug"));
+    const result = await fetchMarketplaceData({
+      baseUrl: this.marketplaceBaseUrl,
+      path: `/api/v1/skills/items/${slug}`
+    });
+    if (!result.ok) {
+      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
     }
-    const request = {
-      runId,
-      ...readNonEmptyString(body.data.sessionKey) ? { sessionKey: readNonEmptyString(body.data.sessionKey) } : {},
-      ...readNonEmptyString(body.data.agentId) ? { agentId: readNonEmptyString(body.data.agentId) } : {}
-    };
-    try {
-      const result = await chatRuntime.stopTurn(request);
-      return c.json(ok(result));
-    } catch (error) {
-      return c.json(err("CHAT_TURN_STOP_FAILED", String(error)), 500);
+    const knownSkillNames = collectKnownSkillNames(this.options);
+    const sanitized = normalizeMarketplaceItemForUi(sanitizeMarketplaceItemView(result.data));
+    const unsupportedKind = findUnsupportedSkillInstallKind([sanitized]);
+    if (unsupportedKind) {
+      return c.json(
+        err("MARKETPLACE_CONTRACT_MISMATCH", `unsupported skill install kind from marketplace api: ${unsupportedKind}`),
+        502
+      );
     }
-  });
-  app.post("/api/chat/turn/stream", async (c) => {
-    const chatRuntime = options.chatRuntime;
-    if (!chatRuntime) {
-      return c.json(err("NOT_AVAILABLE", "chat runtime unavailable"), 503);
+    if (!isSupportedMarketplaceSkillItem(sanitized, knownSkillNames)) {
+      return c.json(err("NOT_FOUND", "marketplace item not supported by nextclaw"), 404);
+    }
+    const contentResult = await fetchMarketplaceData({
+      baseUrl: this.marketplaceBaseUrl,
+      path: `/api/v1/skills/items/${slug}/content`
+    });
+    if (!contentResult.ok) {
+      return c.json(err("MARKETPLACE_UNAVAILABLE", contentResult.message), contentResult.status);
     }
+    return c.json(ok(contentResult.data));
+  };
+  install = async (c) => {
     const body = await readJson(c.req.raw);
-    if (!body.ok) {
+    if (!body.ok || !body.data || typeof body.data !== "object") {
       return c.json(err("INVALID_BODY", "invalid json body"), 400);
     }
-    const message = readNonEmptyString(body.data.message);
-    if (!message) {
-      return c.json(err("INVALID_BODY", "message is required"), 400);
-    }
-    const sessionKey = readNonEmptyString(body.data.sessionKey) ?? `ui:${Date.now().toString(36)}:${Math.random().toString(36).slice(2, 8)}`;
-    const requestedAt = /* @__PURE__ */ new Date();
-    const startedAtMs = requestedAt.getTime();
-    const metadata = isRecord(body.data.metadata) ? body.data.metadata : void 0;
-    const requestedAgentId = readNonEmptyString(body.data.agentId) ?? resolveAgentIdFromSessionKey(sessionKey);
-    const requestedModel = readNonEmptyString(body.data.model);
-    let runId = createChatRunId();
-    const supportsManagedRuns = Boolean(chatRuntime.startTurnRun && chatRuntime.streamRun);
-    let stopCapabilities = { stopSupported: Boolean(chatRuntime.stopTurn) };
-    if (chatRuntime.getCapabilities) {
-      try {
-        stopCapabilities = await chatRuntime.getCapabilities({
-          sessionKey,
-          ...requestedAgentId ? { agentId: requestedAgentId } : {}
-        });
-      } catch {
-        stopCapabilities = {
-          stopSupported: false,
-          stopReason: "failed to resolve runtime stop capability"
-        };
-      }
-    }
-    const request = {
-      message,
-      sessionKey,
-      channel: readNonEmptyString(body.data.channel) ?? "ui",
-      chatId: readNonEmptyString(body.data.chatId) ?? "web-ui",
-      runId,
-      ...requestedAgentId ? { agentId: requestedAgentId } : {},
-      ...requestedModel ? { model: requestedModel } : {},
-      ...metadata ? { metadata } : {}
-    };
-    let managedRun = null;
-    if (supportsManagedRuns && chatRuntime.startTurnRun) {
-      try {
-        managedRun = await chatRuntime.startTurnRun(request);
-      } catch (error) {
-        return c.json(err("CHAT_TURN_FAILED", formatUserFacingError(error)), 500);
-      }
-      if (readNonEmptyString(managedRun.runId)) {
-        runId = readNonEmptyString(managedRun.runId);
-      }
-      stopCapabilities = {
-        stopSupported: managedRun.stopSupported,
-        ...readNonEmptyString(managedRun.stopReason) ? { stopReason: readNonEmptyString(managedRun.stopReason) } : {}
-      };
-    }
-    const encoder = new TextEncoder();
-    const stream = new ReadableStream({
-      start: async (controller) => {
-        const push = (event, data) => {
-          controller.enqueue(encoder.encode(toSseFrame(event, data)));
-        };
-        try {
-          push("ready", {
-            sessionKey: managedRun?.sessionKey ?? sessionKey,
-            requestedAt: managedRun?.requestedAt ?? requestedAt.toISOString(),
-            runId,
-            stopSupported: stopCapabilities.stopSupported,
-            ...readNonEmptyString(stopCapabilities.stopReason) ? { stopReason: readNonEmptyString(stopCapabilities.stopReason) } : {}
-          });
-          if (supportsManagedRuns && chatRuntime.streamRun) {
-            let hasFinal2 = false;
-            for await (const event of chatRuntime.streamRun({ runId })) {
-              const typed = event;
-              if (typed.type === "delta") {
-                if (typed.delta) {
-                  push("delta", { delta: typed.delta });
-                }
-                continue;
-              }
-              if (typed.type === "session_event") {
-                push("session_event", typed.event);
-                continue;
-              }
-              if (typed.type === "final") {
-                const latestRun = chatRuntime.getRun ? await chatRuntime.getRun({ runId }) : null;
-                const response = latestRun ? buildChatTurnViewFromRun({
-                  run: latestRun,
-                  fallbackSessionKey: sessionKey,
-                  fallbackAgentId: requestedAgentId,
-                  fallbackModel: requestedModel,
-                  fallbackReply: typed.result.reply
-                }) : buildChatTurnView({
-                  result: typed.result,
-                  fallbackSessionKey: sessionKey,
-                  requestedAgentId,
-                  requestedModel,
-                  requestedAt,
-                  startedAtMs
-                });
-                hasFinal2 = true;
-                push("final", response);
-                options.publish({ type: "config.updated", payload: { path: "session" } });
-                continue;
-              }
-              if (typed.type === "error") {
-                push("error", {
-                  code: "CHAT_TURN_FAILED",
-                  message: formatUserFacingError(typed.error)
-                });
-                return;
-              }
-            }
-            if (!hasFinal2) {
-              push("error", {
-                code: "CHAT_TURN_FAILED",
-                message: "stream ended without a final result"
-              });
-              return;
-            }
-            push("done", { ok: true });
-            return;
-          }
-          const streamTurn = chatRuntime.processTurnStream;
-          if (!streamTurn) {
-            const result = await chatRuntime.processTurn(request);
-            const response = buildChatTurnView({
-              result,
-              fallbackSessionKey: sessionKey,
-              requestedAgentId,
-              requestedModel,
-              requestedAt,
-              startedAtMs
-            });
-            push("final", response);
-            options.publish({ type: "config.updated", payload: { path: "session" } });
-            push("done", { ok: true });
-            return;
-          }
-          let hasFinal = false;
-          for await (const event of streamTurn(request)) {
-            const typed = event;
-            if (typed.type === "delta") {
-              if (typed.delta) {
-                push("delta", { delta: typed.delta });
-              }
-              continue;
-            }
-            if (typed.type === "session_event") {
-              push("session_event", typed.event);
-              continue;
-            }
-            if (typed.type === "final") {
-              const response = buildChatTurnView({
-                result: typed.result,
-                fallbackSessionKey: sessionKey,
-                requestedAgentId,
-                requestedModel,
-                requestedAt,
-                startedAtMs
-              });
-              hasFinal = true;
-              push("final", response);
-              options.publish({ type: "config.updated", payload: { path: "session" } });
-              continue;
-            }
-            if (typed.type === "error") {
-              push("error", {
-                code: "CHAT_TURN_FAILED",
-                message: formatUserFacingError(typed.error)
-              });
-              return;
-            }
-          }
-          if (!hasFinal) {
-            push("error", {
-              code: "CHAT_TURN_FAILED",
-              message: "stream ended without a final result"
-            });
-            return;
-          }
-          push("done", { ok: true });
-        } catch (error) {
-          push("error", {
-            code: "CHAT_TURN_FAILED",
-            message: formatUserFacingError(error)
-          });
-        } finally {
-          controller.close();
-        }
-      }
-    });
-    return new Response(stream, {
-      status: 200,
-      headers: {
-        "Content-Type": "text/event-stream; charset=utf-8",
-        "Cache-Control": "no-cache, no-transform",
-        "Connection": "keep-alive",
-        "X-Accel-Buffering": "no"
-      }
-    });
-  });
-  app.get("/api/chat/runs", async (c) => {
-    const chatRuntime = options.chatRuntime;
-    if (!chatRuntime?.listRuns) {
-      return c.json(err("NOT_AVAILABLE", "chat run management unavailable"), 503);
+    if (body.data.type && body.data.type !== "skill") {
+      return c.json(err("INVALID_BODY", "body.type does not match route type"), 400);
     }
-    const query = c.req.query();
-    const sessionKey = readNonEmptyString(query.sessionKey);
-    const states = readChatRunStates(query.states);
-    const limit = typeof query.limit === "string" ? Number.parseInt(query.limit, 10) : void 0;
     try {
-      const data = await chatRuntime.listRuns({
-        ...sessionKey ? { sessionKey } : {},
-        ...states ? { states } : {},
-        ...Number.isFinite(limit) ? { limit } : {}
+      const payload = await installMarketplaceSkill({
+        options: this.options,
+        body: body.data
       });
-      return c.json(ok(data));
+      return c.json(ok(payload));
     } catch (error) {
-      return c.json(err("CHAT_RUN_QUERY_FAILED", String(error)), 500);
+      const message = String(error);
+      if (message.startsWith("INVALID_BODY:")) {
+        return c.json(err("INVALID_BODY", message.slice("INVALID_BODY:".length)), 400);
+      }
+      if (message.startsWith("NOT_AVAILABLE:")) {
+        return c.json(err("NOT_AVAILABLE", message.slice("NOT_AVAILABLE:".length)), 503);
+      }
+      return c.json(err("INSTALL_FAILED", message), 400);
     }
-  });
-  app.get("/api/chat/runs/:runId", async (c) => {
-    const chatRuntime = options.chatRuntime;
-    if (!chatRuntime?.getRun) {
-      return c.json(err("NOT_AVAILABLE", "chat run management unavailable"), 503);
+  };
+  manage = async (c) => {
+    const body = await readJson(c.req.raw);
+    if (!body.ok || !body.data || typeof body.data !== "object") {
+      return c.json(err("INVALID_BODY", "invalid json body"), 400);
     }
-    const runId = readNonEmptyString(c.req.param("runId"));
-    if (!runId) {
-      return c.json(err("INVALID_PATH", "runId is required"), 400);
+    if (body.data.type && body.data.type !== "skill") {
+      return c.json(err("INVALID_BODY", "body.type does not match route type"), 400);
     }
     try {
-      const run = await chatRuntime.getRun({ runId });
-      if (!run) {
-        return c.json(err("NOT_FOUND", `chat run not found: ${runId}`), 404);
-      }
-      return c.json(ok(run));
+      const payload = await manageMarketplaceSkill({
+        options: this.options,
+        body: body.data
+      });
+      return c.json(ok(payload));
     } catch (error) {
-      return c.json(err("CHAT_RUN_QUERY_FAILED", String(error)), 500);
-    }
-  });
-  app.get("/api/chat/runs/:runId/stream", async (c) => {
-    const chatRuntime = options.chatRuntime;
-    const streamRun = chatRuntime?.streamRun;
-    const getRun = chatRuntime?.getRun;
-    if (!streamRun || !getRun) {
-      return c.json(err("NOT_AVAILABLE", "chat run stream unavailable"), 503);
-    }
-    const runId = readNonEmptyString(c.req.param("runId"));
-    if (!runId) {
-      return c.json(err("INVALID_PATH", "runId is required"), 400);
+      const message = String(error);
+      if (message.startsWith("INVALID_BODY:")) {
+        return c.json(err("INVALID_BODY", message.slice("INVALID_BODY:".length)), 400);
+      }
+      if (message.startsWith("NOT_AVAILABLE:")) {
+        return c.json(err("NOT_AVAILABLE", message.slice("NOT_AVAILABLE:".length)), 503);
+      }
+      return c.json(err("MANAGE_FAILED", message), 400);
     }
+  };
+  getRecommendations = async (c) => {
     const query = c.req.query();
-    const fromEventIndex = typeof query.fromEventIndex === "string" ? Number.parseInt(query.fromEventIndex, 10) : void 0;
-    const run = await getRun({ runId });
-    if (!run) {
-      return c.json(err("NOT_FOUND", `chat run not found: ${runId}`), 404);
-    }
-    const encoder = new TextEncoder();
-    const stream = new ReadableStream({
-      start: async (controller) => {
-        const push = (event, data) => {
-          controller.enqueue(encoder.encode(toSseFrame(event, data)));
-        };
-        try {
-          push("ready", {
-            sessionKey: run.sessionKey,
-            requestedAt: run.requestedAt,
-            runId: run.runId,
-            stopSupported: run.stopSupported,
-            ...readNonEmptyString(run.stopReason) ? { stopReason: readNonEmptyString(run.stopReason) } : {}
-          });
-          let hasFinal = false;
-          for await (const event of streamRun({
-            runId: run.runId,
-            ...Number.isFinite(fromEventIndex) ? { fromEventIndex } : {}
-          })) {
-            const typed = event;
-            if (typed.type === "delta") {
-              if (typed.delta) {
-                push("delta", { delta: typed.delta });
-              }
-              continue;
-            }
-            if (typed.type === "session_event") {
-              push("session_event", typed.event);
-              continue;
-            }
-            if (typed.type === "final") {
-              const latestRun = await getRun({ runId: run.runId });
-              const response = latestRun ? buildChatTurnViewFromRun({
-                run: latestRun,
-                fallbackSessionKey: run.sessionKey,
-                fallbackAgentId: run.agentId,
-                fallbackModel: run.model,
-                fallbackReply: typed.result.reply
-              }) : buildChatTurnView({
-                result: typed.result,
-                fallbackSessionKey: run.sessionKey,
-                requestedAgentId: run.agentId,
-                requestedModel: run.model,
-                requestedAt: new Date(run.requestedAt),
-                startedAtMs: Date.parse(run.requestedAt)
-              });
-              hasFinal = true;
-              push("final", response);
-              continue;
-            }
-            if (typed.type === "error") {
-              push("error", {
-                code: "CHAT_TURN_FAILED",
-                message: formatUserFacingError(typed.error)
-              });
-              return;
-            }
-          }
-          if (!hasFinal) {
-            const latestRun = await getRun({ runId: run.runId });
-            if (latestRun?.state === "failed") {
-              push("error", {
-                code: "CHAT_TURN_FAILED",
-                message: formatUserFacingError(latestRun.error ?? "chat run failed")
-              });
-              return;
-            }
-          }
-          push("done", { ok: true });
-        } catch (error) {
-          push("error", {
-            code: "CHAT_TURN_FAILED",
-            message: formatUserFacingError(error)
-          });
-        } finally {
-          controller.close();
-        }
-      }
-    });
-    return new Response(stream, {
-      status: 200,
-      headers: {
-        "Content-Type": "text/event-stream; charset=utf-8",
-        "Cache-Control": "no-cache, no-transform",
-        "Connection": "keep-alive",
-        "X-Accel-Buffering": "no"
+    const result = await fetchMarketplaceData({
+      baseUrl: this.marketplaceBaseUrl,
+      path: "/api/v1/skills/recommendations",
+      query: {
+        scene: query.scene,
+        limit: query.limit
       }
     });
-  });
-  app.get("/api/sessions", (c) => {
+    if (!result.ok) {
+      return c.json(err("MARKETPLACE_UNAVAILABLE", result.message), result.status);
+    }
+    const knownSkillNames = collectKnownSkillNames(this.options);
+    const filteredItems = sanitizeMarketplaceListItems(result.data.items).map((item) => normalizeMarketplaceItemForUi(item)).filter((item) => isSupportedMarketplaceSkillItem(item, knownSkillNames));
+    return c.json(ok({
+      ...result.data,
+      total: filteredItems.length,
+      items: filteredItems
+    }));
+  };
+};
+
+// src/ui/router/session.controller.ts
+var SessionRoutesController = class {
+  constructor(options) {
+    this.options = options;
+  }
+  listSessions = (c) => {
     const query = c.req.query();
     const q = typeof query.q === "string" ? query.q : void 0;
     const limit = typeof query.limit === "string" ? Number.parseInt(query.limit, 10) : void 0;
     const activeMinutes = typeof query.activeMinutes === "string" ? Number.parseInt(query.activeMinutes, 10) : void 0;
-    const data = listSessions(options.configPath, {
+    const data = listSessions(this.options.configPath, {
       q,
       limit: Number.isFinite(limit) ? limit : void 0,
       activeMinutes: Number.isFinite(activeMinutes) ? activeMinutes : void 0
     });
     return c.json(ok(data));
-  });
-  app.get("/api/sessions/:key/history", (c) => {
+  };
+  getSessionHistory = (c) => {
     const key = decodeURIComponent(c.req.param("key"));
     const query = c.req.query();
     const limit = typeof query.limit === "string" ? Number.parseInt(query.limit, 10) : void 0;
-    const data = getSessionHistory(options.configPath, key, Number.isFinite(limit) ? limit : void 0);
+    const data = getSessionHistory(this.options.configPath, key, Number.isFinite(limit) ? limit : void 0);
     if (!data) {
       return c.json(err("NOT_FOUND", `session not found: ${key}`), 404);
     }
     return c.json(ok(data));
-  });
-  app.put("/api/sessions/:key", async (c) => {
+  };
+  patchSession = async (c) => {
     const key = decodeURIComponent(c.req.param("key"));
     const body = await readJson(c.req.raw);
     if (!body.ok || !body.data || typeof body.data !== "object") {
@@ -3834,12 +4008,12 @@ function createUiRouter(options) {
     }
     let availableSessionTypes;
     if (Object.prototype.hasOwnProperty.call(body.data, "sessionType")) {
-      const sessionTypes = await buildChatSessionTypesView(options.chatRuntime);
+      const sessionTypes = await buildChatSessionTypesView(this.options.chatRuntime);
       availableSessionTypes = sessionTypes.options.map((item) => item.value);
     }
     let data;
     try {
-      data = patchSession(options.configPath, key, body.data, {
+      data = patchSession(this.options.configPath, key, body.data, {
         ...availableSessionTypes ? { availableSessionTypes } : {}
       });
     } catch (error) {
@@ -3854,111 +4028,81 @@ function createUiRouter(options) {
     if (!data) {
       return c.json(err("NOT_FOUND", `session not found: ${key}`), 404);
     }
-    options.publish({ type: "config.updated", payload: { path: "session" } });
+    this.options.publish({ type: "config.updated", payload: { path: "session" } });
     return c.json(ok(data));
-  });
-  app.delete("/api/sessions/:key", (c) => {
+  };
+  deleteSession = (c) => {
     const key = decodeURIComponent(c.req.param("key"));
-    const deleted = deleteSession(options.configPath, key);
+    const deleted = deleteSession(this.options.configPath, key);
     if (!deleted) {
       return c.json(err("NOT_FOUND", `session not found: ${key}`), 404);
     }
-    options.publish({ type: "config.updated", payload: { path: "session" } });
-    return c.json(ok({ deleted: true }));
-  });
-  app.get("/api/cron", (c) => {
-    if (!options.cronService) {
-      return c.json(err("NOT_AVAILABLE", "cron service unavailable"), 503);
-    }
-    const query = c.req.query();
-    const includeDisabled = query.all === "1" || query.all === "true" || query.all === "yes";
-    const jobs = options.cronService.listJobs(includeDisabled).map((job) => buildCronJobView(job));
-    return c.json(ok({ jobs, total: jobs.length }));
-  });
-  app.delete("/api/cron/:id", (c) => {
-    if (!options.cronService) {
-      return c.json(err("NOT_AVAILABLE", "cron service unavailable"), 503);
-    }
-    const id = decodeURIComponent(c.req.param("id"));
-    const deleted = options.cronService.removeJob(id);
-    if (!deleted) {
-      return c.json(err("NOT_FOUND", `cron job not found: ${id}`), 404);
-    }
+    this.options.publish({ type: "config.updated", payload: { path: "session" } });
     return c.json(ok({ deleted: true }));
-  });
-  app.put("/api/cron/:id/enable", async (c) => {
-    if (!options.cronService) {
-      return c.json(err("NOT_AVAILABLE", "cron service unavailable"), 503);
-    }
-    const id = decodeURIComponent(c.req.param("id"));
-    const body = await readJson(c.req.raw);
-    if (!body.ok) {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    if (typeof body.data.enabled !== "boolean") {
-      return c.json(err("INVALID_BODY", "enabled must be boolean"), 400);
-    }
-    const job = options.cronService.enableJob(id, body.data.enabled);
-    if (!job) {
-      return c.json(err("NOT_FOUND", `cron job not found: ${id}`), 404);
-    }
-    const data = { job: buildCronJobView(job) };
-    return c.json(ok(data));
-  });
-  app.post("/api/cron/:id/run", async (c) => {
-    if (!options.cronService) {
-      return c.json(err("NOT_AVAILABLE", "cron service unavailable"), 503);
-    }
-    const id = decodeURIComponent(c.req.param("id"));
-    const body = await readJson(c.req.raw);
-    if (!body.ok) {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    const existing = findCronJob(options.cronService, id);
-    if (!existing) {
-      return c.json(err("NOT_FOUND", `cron job not found: ${id}`), 404);
-    }
-    const executed = await options.cronService.runJob(id, Boolean(body.data.force));
-    const after = findCronJob(options.cronService, id);
-    const data = {
-      job: after ? buildCronJobView(after) : null,
-      executed
-    };
-    return c.json(ok(data));
-  });
-  app.put("/api/config/runtime", async (c) => {
-    const body = await readJson(c.req.raw);
-    if (!body.ok || !body.data || typeof body.data !== "object") {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    const result = updateRuntime(options.configPath, body.data);
-    if (body.data.agents?.defaults && Object.prototype.hasOwnProperty.call(body.data.agents.defaults, "contextTokens")) {
-      options.publish({ type: "config.updated", payload: { path: "agents.defaults.contextTokens" } });
-    }
-    if (body.data.agents?.defaults && Object.prototype.hasOwnProperty.call(body.data.agents.defaults, "engine")) {
-      options.publish({ type: "config.updated", payload: { path: "agents.defaults.engine" } });
-    }
-    if (body.data.agents?.defaults && Object.prototype.hasOwnProperty.call(body.data.agents.defaults, "engineConfig")) {
-      options.publish({ type: "config.updated", payload: { path: "agents.defaults.engineConfig" } });
-    }
-    options.publish({ type: "config.updated", payload: { path: "agents.list" } });
-    options.publish({ type: "config.updated", payload: { path: "bindings" } });
-    options.publish({ type: "config.updated", payload: { path: "session" } });
-    return c.json(ok(result));
-  });
-  app.post("/api/config/actions/:actionId/execute", async (c) => {
-    const actionId = c.req.param("actionId");
-    const body = await readJson(c.req.raw);
-    if (!body.ok) {
-      return c.json(err("INVALID_BODY", "invalid json body"), 400);
-    }
-    const result = await executeConfigAction(options.configPath, actionId, body.data ?? {});
-    if (!result.ok) {
-      return c.json(err(result.code, result.message, result.details), 400);
-    }
-    return c.json(ok(result.data));
-  });
-  registerMarketplaceRoutes(app, options, marketplaceBaseUrl);
+  };
+};
+
+// src/ui/router.ts
+function createUiRouter(options) {
+  const app = new Hono();
+  const marketplaceBaseUrl = normalizeMarketplaceBaseUrl(options);
+  const appController = new AppRoutesController(options);
+  const configController = new ConfigRoutesController(options);
+  const chatController = new ChatRoutesController(options);
+  const sessionController = new SessionRoutesController(options);
+  const cronController = new CronRoutesController(options);
+  const pluginMarketplaceController = new PluginMarketplaceController(options, marketplaceBaseUrl);
+  const skillMarketplaceController = new SkillMarketplaceController(options, marketplaceBaseUrl);
+  app.notFound((c) => c.json(err("NOT_FOUND", "endpoint not found"), 404));
+  app.get("/api/health", appController.health);
+  app.get("/api/app/meta", appController.appMeta);
+  app.get("/api/config", configController.getConfig);
+  app.get("/api/config/meta", configController.getConfigMeta);
+  app.get("/api/config/schema", configController.getConfigSchema);
+  app.put("/api/config/model", configController.updateConfigModel);
+  app.put("/api/config/search", configController.updateConfigSearch);
+  app.put("/api/config/providers/:provider", configController.updateProvider);
+  app.post("/api/config/providers", configController.createProvider);
+  app.delete("/api/config/providers/:provider", configController.deleteProvider);
+  app.post("/api/config/providers/:provider/test", configController.testProviderConnection);
+  app.post("/api/config/providers/:provider/auth/start", configController.startProviderAuth);
+  app.post("/api/config/providers/:provider/auth/poll", configController.pollProviderAuth);
+  app.post("/api/config/providers/:provider/auth/import-cli", configController.importProviderAuthFromCli);
+  app.put("/api/config/channels/:channel", configController.updateChannel);
+  app.put("/api/config/secrets", configController.updateSecrets);
+  app.put("/api/config/runtime", configController.updateRuntime);
+  app.post("/api/config/actions/:actionId/execute", configController.executeAction);
+  app.get("/api/chat/capabilities", chatController.getCapabilities);
+  app.get("/api/chat/session-types", chatController.getSessionTypes);
+  app.get("/api/chat/commands", chatController.getCommands);
+  app.post("/api/chat/turn", chatController.processTurn);
+  app.post("/api/chat/turn/stop", chatController.stopTurn);
+  app.post("/api/chat/turn/stream", chatController.streamTurn);
+  app.get("/api/chat/runs", chatController.listRuns);
+  app.get("/api/chat/runs/:runId", chatController.getRun);
+  app.get("/api/chat/runs/:runId/stream", chatController.streamRun);
+  app.get("/api/sessions", sessionController.listSessions);
+  app.get("/api/sessions/:key/history", sessionController.getSessionHistory);
+  app.put("/api/sessions/:key", sessionController.patchSession);
+  app.delete("/api/sessions/:key", sessionController.deleteSession);
+  app.get("/api/cron", cronController.listJobs);
+  app.delete("/api/cron/:id", cronController.deleteJob);
+  app.put("/api/cron/:id/enable", cronController.enableJob);
+  app.post("/api/cron/:id/run", cronController.runJob);
+  app.get("/api/marketplace/plugins/installed", pluginMarketplaceController.getInstalled);
+  app.get("/api/marketplace/plugins/items", pluginMarketplaceController.listItems);
+  app.get("/api/marketplace/plugins/items/:slug", pluginMarketplaceController.getItem);
+  app.get("/api/marketplace/plugins/items/:slug/content", pluginMarketplaceController.getItemContent);
+  app.post("/api/marketplace/plugins/install", pluginMarketplaceController.install);
+  app.post("/api/marketplace/plugins/manage", pluginMarketplaceController.manage);
+  app.get("/api/marketplace/plugins/recommendations", pluginMarketplaceController.getRecommendations);
+  app.get("/api/marketplace/skills/installed", skillMarketplaceController.getInstalled);
+  app.get("/api/marketplace/skills/items", skillMarketplaceController.listItems);
+  app.get("/api/marketplace/skills/items/:slug", skillMarketplaceController.getItem);
+  app.get("/api/marketplace/skills/items/:slug/content", skillMarketplaceController.getItemContent);
+  app.post("/api/marketplace/skills/install", skillMarketplaceController.install);
+  app.post("/api/marketplace/skills/manage", skillMarketplaceController.manage);
+  app.get("/api/marketplace/skills/recommendations", skillMarketplaceController.getRecommendations);
   return app;
 }