@nordbyte/nordrelay 0.8.0 → 0.8.2

package/dist/{web-dashboard-access-routes.js → web/web-dashboard-access-routes.js}

@@ -1,5 +1,5 @@
-import { ALL_PERMISSIONS } from "./access-control.js";
-import { publicUser, publicUserSnapshot, } from "./user-management.js";
+import { ALL_PERMISSIONS } from "../access/access-control.js";
+import { publicUser, publicUserSnapshot, } from "../access/user-management.js";
 import { arrayNumberField, arrayStringField, numberField, numberParam, optionalBooleanField, optionalNumberField, optionalStringField, readJsonBody, sendJson, stringField, } from "./web-dashboard-http.js";
 export async function handleDashboardAccessRoute(req, res, url, options) {
     const { users, runtime, authUser } = options;

package/dist/{web-dashboard-assets.js → web/web-dashboard-assets.js}

@@ -6,6 +6,7 @@ const clientSources = [
     "client/core/api-routes.generated.js",
     "client/core/api-client.js",
     "client/core/runtime.js",
+    "client/core/components.js",
     "client/overview.js",
     "client/events.js",
     "client/workflows.js",
@@ -26,13 +27,34 @@ export function dashboardJs() {
 export function dashboardCss() {
     return readDashboardAsset("dashboard.css", styleSources);
 }
+const staticAssetTypes = {
+    "favicon.ico": "image/x-icon",
+    "favicon.png": "image/png",
+    "logo.png": "image/png",
+};
+export function dashboardStaticAsset(assetName) {
+    const contentType = staticAssetTypes[assetName];
+    if (!contentType) {
+        return null;
+    }
+    const filePath = dashboardStaticAssetPath(assetName);
+    return filePath ? { filePath, contentType } : null;
+}
 function readDashboardAsset(assetName, sourceFiles) {
-    const builtAsset = path.join(moduleDir, "webui-assets", assetName);
+    const builtAsset = path.resolve(moduleDir, "..", "webui-assets", assetName);
     if (existsSync(builtAsset)) {
         return readFileSync(builtAsset, "utf8");
     }
-    const sourceDir = path.join(moduleDir, "webui");
+    const sourceDir = path.join(moduleDir, "ui");
     return sourceFiles
         .map((file) => readFileSync(path.join(sourceDir, file), "utf8"))
         .join("\n");
 }
+function dashboardStaticAssetPath(assetName) {
+    const builtAsset = path.resolve(moduleDir, "..", "webui-assets", assetName);
+    if (existsSync(builtAsset)) {
+        return builtAsset;
+    }
+    const sourceAsset = path.join(moduleDir, "ui", "assets", assetName);
+    return existsSync(sourceAsset) ? sourceAsset : null;
+}

package/dist/{web-dashboard-http.js → web/web-dashboard-http.js}

@@ -1,5 +1,12 @@
 import { createReadStream } from "node:fs";
-const JSON_HEADERS = { "content-type": "application/json; charset=utf-8", "cache-control": "no-store" };
+const DEFAULT_JSON_BODY_LIMIT = 64 * 1024 * 1024;
+const BASE_SECURITY_HEADERS = {
+    "x-content-type-options": "nosniff",
+    "x-frame-options": "DENY",
+    "referrer-policy": "no-referrer",
+    "permissions-policy": "camera=(), microphone=(), geolocation=()",
+};
+const JSON_HEADERS = { ...webSecurityHeaders(), "content-type": "application/json; charset=utf-8", "cache-control": "no-store" };
 export function parseCookies(cookieHeader) {
     const cookies = {};
     for (const part of cookieHeader.split(";")) {
@@ -9,10 +16,22 @@ export function parseCookies(cookieHeader) {
     }
     return cookies;
 }
-export async function readJsonBody(req) {
+export class RequestBodyTooLargeError extends Error {
+    statusCode = 413;
+}
+export function isRequestBodyTooLargeError(error) {
+    return error instanceof RequestBodyTooLargeError;
+}
+export async function readJsonBody(req, maxBytes = DEFAULT_JSON_BODY_LIMIT) {
     const chunks = [];
+    let size = 0;
     for await (const chunk of req) {
-        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+        const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+        size += buffer.length;
+        if (size > maxBytes) {
+            throw new RequestBodyTooLargeError(`Request body is too large. Max ${Math.round(maxBytes / 1024 / 1024)} MB.`);
+        }
+        chunks.push(buffer);
     }
     const text = Buffer.concat(chunks).toString("utf8").trim();
     if (!text) {
@@ -24,17 +43,26 @@ export function sendJson(res, status, value) {
     res.writeHead(status, JSON_HEADERS);
     res.end(`${JSON.stringify(value)}\n`);
 }
-export function sendText(res, status, text, contentType) {
-    res.writeHead(status, { "content-type": contentType, "cache-control": "no-store" });
+export function sendText(res, status, text, contentType, options = {}) {
+    res.writeHead(status, { ...webSecurityHeaders(options.cspNonce), "content-type": contentType, "cache-control": "no-store" });
     res.end(text);
 }
 export function sendFile(res, filePath, filename) {
     res.writeHead(200, {
+        ...webSecurityHeaders(),
         "content-type": "application/octet-stream",
         "content-disposition": `attachment; filename="${filename.replace(/"/g, "")}"`,
     });
     createReadStream(filePath).pipe(res);
 }
+export function sendStaticFile(res, filePath, contentType) {
+    res.writeHead(200, {
+        ...webSecurityHeaders(),
+        "content-type": contentType,
+        "cache-control": "public, max-age=86400",
+    });
+    createReadStream(filePath).pipe(res);
+}
 export function stringField(value, key) {
     const field = value[key];
     if (typeof field !== "string" || !field.trim()) {
@@ -141,3 +169,11 @@ function stripDataUrlPrefix(value) {
     const comma = value.indexOf(",");
     return value.startsWith("data:") && comma !== -1 ? value.slice(comma + 1) : value;
 }
+export function webSecurityHeaders(cspNonce) {
+    const scriptSrc = cspNonce ? `'self' 'nonce-${cspNonce}'` : "'self'";
+    const styleSrc = cspNonce ? `'self' 'nonce-${cspNonce}'` : "'self'";
+    return {
+        ...BASE_SECURITY_HEADERS,
+        "content-security-policy": `default-src 'self'; script-src ${scriptSrc}; style-src ${styleSrc}; connect-src 'self'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'`,
+    };
+}

package/dist/{web-dashboard-pages.js → web/web-dashboard-pages.js}

@@ -1,12 +1,18 @@
 import { renderDashboardNav } from "./web-dashboard-ui.js";
+const faviconLinks = `
+  <link rel="icon" href="/favicon.ico" sizes="any">
+  <link rel="icon" type="image/png" href="/assets/favicon.png">
+  <link rel="apple-touch-icon" href="/assets/logo.png">`;
 export function renderLoginPage(options) {
+    const nonce = nonceAttr(options.cspNonce);
     return `<!doctype html>
 <html lang="en">
 <head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <title>NordRelay Login</title>
-  <style>
+${faviconLinks}
+  <style${nonce}>
     body{margin:0;min-height:100vh;display:grid;place-items:center;background:#f4f5f2;color:#181c19;font-family:Inter,system-ui,-apple-system,Segoe UI,sans-serif}
     form{width:min(420px,calc(100vw - 32px));background:white;border:1px solid #dfe3dc;border-radius:8px;padding:24px;box-shadow:0 20px 60px rgba(20,30,24,.08)}
     h1{font-size:24px;margin:0 0 8px}
@@ -26,7 +32,7 @@ export function renderLoginPage(options) {
     <button ${options.adminConfigured ? "" : "disabled"}>Sign in</button>
     <div class="error" id="error"></div>
   </form>
-  <script>
+  <script${nonce}>
     document.getElementById('login').addEventListener('submit', async (event) => {
       event.preventDefault();
       const payload = {
@@ -45,13 +51,15 @@ export function renderLoginPage(options) {
 </html>`;
 }
 export function renderFirstRunSetupPage(options) {
+    const nonce = nonceAttr(options.cspNonce);
     return `<!doctype html>
 <html lang="en">
 <head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <title>NordRelay First Run</title>
-  <style>
+${faviconLinks}
+  <style${nonce}>
     body{margin:0;min-height:100vh;display:grid;place-items:center;background:#f4f5f2;color:#181c19;font-family:Inter,system-ui,-apple-system,Segoe UI,sans-serif}
     form{width:min(460px,calc(100vw - 32px));background:white;border:1px solid #dfe3dc;border-radius:8px;padding:24px;box-shadow:0 20px 60px rgba(20,30,24,.08)}
     h1{font-size:24px;margin:0 0 8px}
@@ -75,7 +83,7 @@ export function renderFirstRunSetupPage(options) {
     <button>Create admin</button>
     <div class="error" id="error"></div>
   </form>
-  <script>
+  <script${nonce}>
     document.getElementById('setup').addEventListener('submit', async (event) => {
       event.preventDefault();
       const payload = {
@@ -96,20 +104,23 @@ export function renderFirstRunSetupPage(options) {
 </body>
 </html>`;
 }
-export function renderDashboardApp() {
+export function renderDashboardApp(options = {}) {
+    const nonce = nonceAttr(options.cspNonce);
     return `<!doctype html>
 <html lang="en">
 <head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <title>NordRelay Dashboard</title>
-  <script>document.documentElement.dataset.theme = localStorage.getItem('nordrelayTheme') || 'light';</script>
+${faviconLinks}
+  <script${nonce}>document.documentElement.dataset.theme = localStorage.getItem('nordrelayTheme') || 'light';</script>
   <link rel="stylesheet" href="/assets/dashboard.css">
 </head>
 <body>
   <div class="app">
     <aside class="sidebar" id="sidebar">
-      <div class="brand"><span class="mark">NR</span><div><strong>NordRelay</strong><small>Remote control</small></div></div>
+      <div class="brand"><img class="brand-mark" src="/assets/logo.png" alt="" width="44" height="44" aria-hidden="true"><div><strong>NordRelay</strong><small>Remote control</small></div></div>
+      <div class="brand-separator" aria-hidden="true"></div>
       <nav>
         ${renderDashboardNav()}
       </nav>
@@ -143,7 +154,7 @@ export function renderDashboardApp() {
       </section>
 
       <section class="page" id="page-chat">
-        <div class="chat-layout">
+        <div class="chat-layout tools-hidden" id="chatLayout">
           <div class="panel chat-panel">
             <div class="chat-toolbar">
               <button id="newSessionBtn">New session</button>
@@ -151,9 +162,19 @@ export function renderDashboardApp() {
               <button id="editLastBtn" class="secondary">Edit last</button>
               <button id="syncBtn" class="secondary">Sync</button>
               <button id="notifyBtn" class="secondary">Notify</button>
+              <label class="mirror-control" title="Mirror local CLI activity into this WebUI chat">
+                Mirror
+                <select id="mirrorModeSelect">
+                  <option value="off">Off</option>
+                  <option value="status">Status</option>
+                  <option value="final">Final</option>
+                  <option value="full">Full</option>
+                </select>
+              </label>
               <button id="clearChatBtn" class="secondary">Clear history</button>
               <button id="abortBtn">Abort</button>
               <button id="handbackBtn">Handback</button>
+              <button id="toggleToolsBtn" class="secondary" type="button" aria-controls="toolPanel" aria-expanded="false">Show Tools</button>
             </div>
             <div class="control-grid" id="sessionControls"></div>
             <div id="messages" class="messages"></div>
@@ -171,7 +192,7 @@ export function renderDashboardApp() {
               <button>Send</button>
             </form>
           </div>
-          <div class="panel side-panel"><h2>Tools / Plan</h2><div id="toolStream" class="tool-stream"></div></div>
+          <div class="panel side-panel" id="toolPanel" hidden><h2>Tools / Plan</h2><div id="toolStream" class="tool-stream"></div></div>
         </div>
       </section>
 
@@ -233,10 +254,13 @@ export function renderDashboardApp() {
 
       <section class="page" id="page-peers">
         <div class="panel">
-          <div class="row"><button id="loadPeersBtn">Reload peers</button><button id="createPeerInviteBtn">Create invite</button><button id="addPeerBtn" class="secondary">Add peer</button></div>
+          <div class="row"><button id="loadPeersBtn">Reload peers</button><button id="createPeerInviteBtn">Create invite</button><button id="addPeerBtn" class="secondary">Add peer</button><button id="discoverPeersBtn" class="secondary">Discover LAN peers</button><button id="cancelPeerDiscoveryBtn" class="secondary">Cancel discovery</button><button id="exportPeerIdentityBtn" class="secondary">Export identity</button><button id="restorePeerIdentityBtn" class="secondary">Restore identity</button></div>
+          <div class="row"><input id="peerDiscoveryTargets" placeholder="Optional targets: 192.168.178.0/24, 192.168.178.10-50, host.local, https://host:31979"><input id="peerDiscoveryMaxHosts" type="number" min="1" max="65536" value="512" title="Max hosts"><input id="peerDiscoveryConcurrency" type="number" min="1" max="128" value="32" title="Concurrency"></div>
           <div id="peerStatus" class="list"></div>
           <h2>Configured peers</h2>
           <div id="peersList" class="list"></div>
+          <h2>LAN discovery</h2>
+          <div id="peerDiscovery" class="list"></div>
           <h2>Open invitations</h2>
           <div id="peerInvites" class="list"></div>
         </div>
@@ -361,3 +385,6 @@ export function renderDashboardApp() {
 </body>
 </html>`;
 }
+function nonceAttr(cspNonce) {
+    return cspNonce ? ` nonce="${cspNonce.replace(/"/g, "")}"` : "";
+}

package/dist/{web-dashboard-peer-routes.js → web/web-dashboard-peer-routes.js}

@@ -1,10 +1,11 @@
-import { isPermission } from "./access-control.js";
-import { AGENT_IDS, isAgentId } from "./agent.js";
-import { ensurePeerTlsFiles, loadOrCreatePeerIdentity, } from "./peer-identity.js";
-import { checkPeerEndpoint, pairPeer, RemoteRelayClient } from "./peer-client.js";
-import { buildPeerReadiness, peerListenUrl } from "./peer-readiness.js";
-import { PeerStore } from "./peer-store.js";
-import { publicPeer } from "./peer-types.js";
+import { isPermission } from "../access/access-control.js";
+import { AGENT_IDS, isAgentId } from "../agents/shared/agent.js";
+import { exportPeerIdentityBackup, ensurePeerTlsFiles, loadOrCreatePeerIdentity, restorePeerIdentityBackup, } from "../peers/peer-identity.js";
+import { checkPeerEndpoint, checkPeerIdentityEndpoint, pairPeer, RemoteRelayClient } from "../peers/peer-client.js";
+import { buildPeerReadiness, peerListenUrl } from "../peers/peer-readiness.js";
+import { discoverLanPeers } from "../peers/peer-discovery.js";
+import { PeerStore } from "../peers/peer-store.js";
+import { publicPeer } from "../peers/peer-types.js";
 import { arrayStringField, objectRecord, optionalBooleanField, optionalNumberField, optionalStringField, readJsonBody, sendJson, } from "./web-dashboard-http.js";
 export async function handleDashboardPeerRoute(req, res, url, options) {
     const store = new PeerStore(options.home);
@@ -25,6 +26,7 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
         const readiness = await buildPeerReadiness(options.config);
         const created = store.createInvitation({
             name: optionalStringField(body, "name"),
+            group: optionalStringField(body, "group"),
             expiresInMs: (optionalNumberField(body, "expiresMinutes") ?? 10) * 60 * 1000,
             scopes: parseScopes(arrayStringField(body, "scopes")),
             allowedAgents: parseAgents(arrayStringField(body, "allowedAgents")),
@@ -53,11 +55,63 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
         if (peerId) {
             const probe = await new RemoteRelayClient(store).rpc(peerId, "peer.probe", {}, options.activityActor);
             sendJson(res, 200, { type: "remote", peerId, readiness, probe });
+            options.auditPeerAction?.("peer_probe", peerId);
             return true;
         }
         const expectedTlsFingerprint = options.config.peerPublicUrl ? undefined : tls?.fingerprint;
         const probe = await checkPeerEndpoint(readiness.listenUrl, { expectedTlsFingerprint });
         sendJson(res, 200, { type: "local", readiness, probe });
+        options.auditPeerAction?.("peer_probe", readiness.listenUrl);
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/peers/discover") {
+        const result = await discoverLanPeers(options.config, discoveryOptionsFromQuery(url));
+        sendJson(res, 200, result);
+        options.auditPeerAction?.("peer_discovery_started", `sync scan ${result.scanned} targets`);
+        return true;
+    }
+    if (req.method === "GET" && url.pathname === "/api/peers/discovery-jobs") {
+        sendJson(res, 200, { jobs: options.discoveryJobs?.list() ?? [] });
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/peers/discovery-jobs") {
+        const body = await readJsonBody(req);
+        const job = await options.discoveryJobs.start(discoveryOptionsFromBody(body));
+        sendJson(res, 202, { job });
+        options.auditPeerAction?.("peer_discovery_started", job.id);
+        return true;
+    }
+    const discoveryJobMatch = url.pathname.match(/^\/api\/peers\/discovery-jobs\/([^/]+)(?:\/(cancel|log))?$/);
+    if (discoveryJobMatch?.[1]) {
+        const id = decodeURIComponent(discoveryJobMatch[1]);
+        const action = discoveryJobMatch[2];
+        if (req.method === "GET" && action === "log") {
+            sendJson(res, 200, { id, plain: options.discoveryJobs?.log(id) ?? "" });
+            return true;
+        }
+        if (req.method === "POST" && action === "cancel") {
+            const job = options.discoveryJobs?.cancel(id);
+            sendJson(res, 200, { job });
+            options.auditPeerAction?.("peer_discovery_cancelled", id);
+            return true;
+        }
+        if (req.method === "GET" && !action) {
+            sendJson(res, 200, { job: options.discoveryJobs?.get(id) ?? null });
+            return true;
+        }
+    }
+    if (req.method === "GET" && url.pathname === "/api/peers/identity/backup") {
+        const backup = exportPeerIdentityBackup(options.home, options.config.peerName);
+        sendJson(res, 200, { backup });
+        options.auditPeerAction?.("peer_identity_backup_exported", backup.identity.nodeId);
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/peers/identity/restore") {
+        const body = await readJsonBody(req);
+        const backup = objectRecord(body.backup);
+        const restored = restorePeerIdentityBackup(backup, options.home);
+        sendJson(res, 200, { identity: restored.public });
+        options.auditPeerAction?.("peer_identity_restored", restored.public.nodeId);
         return true;
     }
     const invitationMatch = url.pathname.match(/^\/api\/peers\/invitations\/([^/]+)$/);
@@ -86,6 +140,7 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
         const body = await readJsonBody(req);
         const peer = store.updatePeer(decodeURIComponent(peerMatch[1]), {
             name: optionalStringField(body, "name"),
+            group: optionalStringField(body, "group"),
             url: optionalStringField(body, "url"),
             enabled: optionalBooleanField(body, "enabled"),
             scopes: body.scopes === undefined ? undefined : parseScopes(arrayStringField(body, "scopes")),
@@ -97,6 +152,25 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
         options.auditPeerAction?.("peer_updated", `${peer.name} (${peer.id})`);
         return true;
     }
+    const repinMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/repin$/);
+    if (repinMatch?.[1] && req.method === "POST") {
+        const peerId = decodeURIComponent(repinMatch[1]);
+        const peer = store.get(peerId);
+        if (!peer?.url) {
+            throw new Error("Peer URL is required before TLS re-pin.");
+        }
+        const probe = await checkPeerIdentityEndpoint(peer.url, { timeoutMs: options.config.peerDiscoveryTimeoutMs });
+        if (!probe.ok || !probe.identity) {
+            throw new Error(`Peer identity could not be verified: ${probe.detail}`);
+        }
+        if (probe.identity.nodeId !== peer.nodeId || probe.identity.publicKey !== peer.publicKey || probe.identity.fingerprint !== peer.fingerprint) {
+            throw new Error("Peer identity changed. Re-pair this peer instead of re-pinning TLS.");
+        }
+        const updated = store.updatePeerTlsFingerprint(peer.id, probe.tlsFingerprint);
+        sendJson(res, 200, { peer: publicPeer(updated), probe });
+        options.auditPeerAction?.("peer_tls_repinned", `${updated.name} (${updated.id})`);
+        return true;
+    }
     if (req.method === "GET" && url.pathname === "/api/peers/global-sessions") {
         const query = optionalStringField(Object.fromEntries(url.searchParams), "query") ?? "";
         const agent = parseAgent(optionalStringField(Object.fromEntries(url.searchParams), "agent"));
@@ -152,6 +226,7 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
         const peerId = decodeURIComponent(healthMatch[1]);
         const data = await new RemoteRelayClient(store).rpc(peerId, "peer.ping", undefined, options.activityActor);
         sendJson(res, 200, { data, peer: publicPeer(store.get(peerId)) });
+        options.auditPeerAction?.("peer_health_checked", peerId);
         return true;
     }
     const eventsMatch = url.pathname.match(/^\/api\/peers\/([^/]+)\/events$/);
@@ -189,6 +264,26 @@ export async function handleDashboardPeerRoute(req, res, url, options) {
 function parseScopes(values) {
     return values.filter(isPermission);
 }
+function discoveryOptionsFromQuery(url) {
+    return {
+        targets: url.searchParams.getAll("target").concat((url.searchParams.get("targets") ?? "").split(/[\n,]/)).map((value) => value.trim()).filter(Boolean),
+        timeoutMs: optionalPositiveNumber(url.searchParams.get("timeoutMs")),
+        concurrency: optionalPositiveNumber(url.searchParams.get("concurrency")),
+        maxHosts: optionalPositiveNumber(url.searchParams.get("maxHosts")),
+    };
+}
+function discoveryOptionsFromBody(body) {
+    return {
+        targets: arrayStringField(body, "targets"),
+        timeoutMs: optionalNumberField(body, "timeoutMs"),
+        concurrency: optionalNumberField(body, "concurrency"),
+        maxHosts: optionalNumberField(body, "maxHosts"),
+    };
+}
+function optionalPositiveNumber(value) {
+    const parsed = Number(value);
+    return Number.isInteger(parsed) && parsed > 0 ? parsed : undefined;
+}
 function parseAgents(values) {
     const parsed = values.filter(isAgentId);
     return parsed.length > 0 ? parsed : [...AGENT_IDS];

package/dist/web/web-dashboard-security.js

@@ -0,0 +1,14 @@
+import { randomBytes } from "node:crypto";
+export function createCspNonce() {
+    return randomBytes(16).toString("base64url");
+}
+export function requiresWebCsrf(method, pathname) {
+    const verb = (method ?? "GET").toUpperCase();
+    if (verb === "GET" || verb === "HEAD" || verb === "OPTIONS") {
+        return false;
+    }
+    return pathname.startsWith("/api/");
+}
+export function isMutatingWebApiRequest(method, pathname) {
+    return requiresWebCsrf(method, pathname);
+}

package/dist/{web-dashboard-session-routes.js → web/web-dashboard-session-routes.js}

@@ -1,4 +1,4 @@
-import { isAgentId } from "./agent.js";
+import { isAgentId } from "../agents/shared/agent.js";
 import { numberParam, optionalBooleanField, optionalStringField, parseUploadFiles, readJsonBody, requiredSearch, sendJson, stringField, } from "./web-dashboard-http.js";
 export async function handleDashboardSessionRoute(req, res, url, options) {
     const { runtime, authUser } = options;
@@ -190,6 +190,17 @@ export async function handleDashboardSessionRoute(req, res, url, options) {
         sendJson(res, 200, { messages: await runtime.chatHistory(numberParam(url, "limit", 200)) });
         return true;
     }
+    if (req.method === "GET" && url.pathname === "/api/chat/mirror") {
+        await options.assertCurrentSessionScope(authUser);
+        sendJson(res, 200, await runtime.webMirrorPreference(""));
+        return true;
+    }
+    if (req.method === "POST" && url.pathname === "/api/chat/mirror") {
+        const body = await readJsonBody(req);
+        await options.assertCurrentSessionScope(authUser);
+        sendJson(res, 200, await runtime.webMirrorPreference(optionalStringField(body, "argument") ?? optionalStringField(body, "mode") ?? "", options.activityActor));
+        return true;
+    }
     if (req.method === "DELETE" && url.pathname === "/api/chat/history") {
         await options.assertCurrentSessionScope(authUser);
         sendJson(res, 200, await runtime.clearChatHistory(options.activityActor));