@openacp/cli 0.6.10 → 2026.326.2

package/dist/chunk-UNJUWWQO.js

@@ -0,0 +1,1108 @@
+import {
+  getAgentCapabilities
+} from "./chunk-ZSLHHQPQ.js";
+import {
+  createChildLogger
+} from "./chunk-XMMAGAT4.js";
+
+// src/plugins/api-server/api-server.ts
+import * as http from "http";
+import * as fs2 from "fs";
+import * as path2 from "path";
+import * as os from "os";
+import * as crypto from "crypto";
+import { fileURLToPath as fileURLToPath2 } from "url";
+
+// src/plugins/api-server/sse-manager.ts
+var SSEManager = class {
+  constructor(eventBus, getSessionStats, startedAt) {
+    this.eventBus = eventBus;
+    this.getSessionStats = getSessionStats;
+    this.startedAt = startedAt;
+  }
+  sseConnections = /* @__PURE__ */ new Set();
+  sseCleanupHandlers = /* @__PURE__ */ new Map();
+  healthInterval;
+  boundHandlers = [];
+  setup() {
+    if (!this.eventBus) return;
+    const events = [
+      "session:created",
+      "session:updated",
+      "session:deleted",
+      "agent:event",
+      "permission:request"
+    ];
+    for (const eventName of events) {
+      const handler = (data) => {
+        this.broadcast(eventName, data);
+      };
+      this.eventBus.on(eventName, handler);
+      this.boundHandlers.push({ event: eventName, handler });
+    }
+    this.healthInterval = setInterval(() => {
+      const mem = process.memoryUsage();
+      const stats = this.getSessionStats();
+      this.broadcast("health", {
+        uptime: Date.now() - this.startedAt,
+        memory: {
+          rss: mem.rss,
+          heapUsed: mem.heapUsed,
+          heapTotal: mem.heapTotal
+        },
+        sessions: stats
+      });
+    }, 3e4);
+  }
+  handleRequest(req, res) {
+    const parsedUrl = new URL(req.url || "", "http://localhost");
+    const sessionFilter = parsedUrl.searchParams.get("sessionId");
+    res.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive"
+    });
+    res.flushHeaders();
+    res.sessionFilter = sessionFilter ?? void 0;
+    this.sseConnections.add(res);
+    const cleanup = () => {
+      this.sseConnections.delete(res);
+      this.sseCleanupHandlers.delete(res);
+    };
+    this.sseCleanupHandlers.set(res, cleanup);
+    req.on("close", cleanup);
+  }
+  broadcast(event, data) {
+    const payload = `event: ${event}
+data: ${JSON.stringify(data)}
+
+`;
+    const sessionEvents = [
+      "agent:event",
+      "permission:request",
+      "session:updated"
+    ];
+    for (const res of this.sseConnections) {
+      const filter = res.sessionFilter;
+      if (filter && sessionEvents.includes(event)) {
+        const eventData = data;
+        if (eventData.sessionId !== filter) continue;
+      }
+      try {
+        if (res.writable) res.write(payload);
+      } catch {
+      }
+    }
+  }
+  stop() {
+    if (this.healthInterval) clearInterval(this.healthInterval);
+    if (this.eventBus) {
+      for (const { event, handler } of this.boundHandlers) {
+        this.eventBus.off(event, handler);
+      }
+    }
+    this.boundHandlers = [];
+    const entries = [...this.sseCleanupHandlers];
+    for (const [res, cleanup] of entries) {
+      res.end();
+      cleanup();
+    }
+  }
+};
+
+// src/plugins/api-server/static-server.ts
+import * as fs from "fs";
+import * as path from "path";
+import { fileURLToPath } from "url";
+var MIME_TYPES = {
+  ".html": "text/html; charset=utf-8",
+  ".js": "application/javascript; charset=utf-8",
+  ".css": "text/css; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".svg": "image/svg+xml",
+  ".ico": "image/x-icon",
+  ".woff": "font/woff",
+  ".woff2": "font/woff2"
+};
+var StaticServer = class {
+  uiDir;
+  constructor(uiDir) {
+    this.uiDir = uiDir;
+    if (!this.uiDir) {
+      const __filename = fileURLToPath(import.meta.url);
+      const candidate = path.resolve(path.dirname(__filename), "../../ui/dist");
+      if (fs.existsSync(path.join(candidate, "index.html"))) {
+        this.uiDir = candidate;
+      }
+      if (!this.uiDir) {
+        const publishCandidate = path.resolve(
+          path.dirname(__filename),
+          "../ui"
+        );
+        if (fs.existsSync(path.join(publishCandidate, "index.html"))) {
+          this.uiDir = publishCandidate;
+        }
+      }
+    }
+  }
+  isAvailable() {
+    return this.uiDir !== void 0;
+  }
+  serve(req, res) {
+    if (!this.uiDir) return false;
+    const urlPath = (req.url || "/").split("?")[0];
+    const safePath = path.normalize(urlPath);
+    const filePath = path.join(this.uiDir, safePath);
+    if (!filePath.startsWith(this.uiDir + path.sep) && filePath !== this.uiDir)
+      return false;
+    if (fs.existsSync(filePath) && fs.statSync(filePath).isFile()) {
+      const ext = path.extname(filePath);
+      const contentType = MIME_TYPES[ext] ?? "application/octet-stream";
+      const isHashed = /\.[a-zA-Z0-9]{8,}\.(js|css)$/.test(filePath);
+      const cacheControl = isHashed ? "public, max-age=31536000, immutable" : "no-cache";
+      res.writeHead(200, {
+        "Content-Type": contentType,
+        "Cache-Control": cacheControl
+      });
+      fs.createReadStream(filePath).pipe(res);
+      return true;
+    }
+    const indexPath = path.join(this.uiDir, "index.html");
+    if (fs.existsSync(indexPath)) {
+      res.writeHead(200, {
+        "Content-Type": "text/html; charset=utf-8",
+        "Cache-Control": "no-cache"
+      });
+      fs.createReadStream(indexPath).pipe(res);
+      return true;
+    }
+    return false;
+  }
+};
+
+// src/plugins/api-server/router.ts
+var Router = class {
+  routes = [];
+  get(path3, handler) {
+    this.add("GET", path3, handler);
+  }
+  post(path3, handler) {
+    this.add("POST", path3, handler);
+  }
+  put(path3, handler) {
+    this.add("PUT", path3, handler);
+  }
+  patch(path3, handler) {
+    this.add("PATCH", path3, handler);
+  }
+  delete(path3, handler) {
+    this.add("DELETE", path3, handler);
+  }
+  match(method, url) {
+    const pathname = url.split("?")[0];
+    for (const route of this.routes) {
+      if (route.method !== method) continue;
+      const m = pathname.match(route.pattern);
+      if (!m) continue;
+      const params = {};
+      for (let i = 0; i < route.keys.length; i++) {
+        params[route.keys[i]] = m[i + 1];
+      }
+      return { handler: route.handler, params };
+    }
+    return null;
+  }
+  add(method, path3, handler) {
+    const keys = [];
+    const pattern = path3.replace(/:(\w+)/g, (_, key) => {
+      keys.push(key);
+      return "([^/]+)";
+    });
+    this.routes.push({
+      method,
+      pattern: new RegExp(`^${pattern}$`),
+      keys,
+      handler
+    });
+  }
+};
+
+// src/plugins/api-server/routes/health.ts
+function registerHealthRoutes(router, deps) {
+  router.get("/api/health", async (_req, res) => {
+    const activeSessions = deps.core.sessionManager.listSessions();
+    const allRecords = deps.core.sessionManager.listRecords();
+    const mem = process.memoryUsage();
+    const tunnel = deps.core.tunnelService;
+    deps.sendJson(res, 200, {
+      status: "ok",
+      uptime: Date.now() - deps.startedAt,
+      version: deps.getVersion(),
+      memory: {
+        rss: mem.rss,
+        heapUsed: mem.heapUsed,
+        heapTotal: mem.heapTotal
+      },
+      sessions: {
+        active: activeSessions.filter(
+          (s) => s.status === "active" || s.status === "initializing"
+        ).length,
+        total: allRecords.length
+      },
+      adapters: Array.from(deps.core.adapters.keys()),
+      tunnel: tunnel ? { enabled: true, url: tunnel.getPublicUrl() } : { enabled: false }
+    });
+  });
+  router.get("/api/version", async (_req, res) => {
+    deps.sendJson(res, 200, { version: deps.getVersion() });
+  });
+  router.post("/api/restart", async (_req, res) => {
+    if (!deps.core.requestRestart) {
+      deps.sendJson(res, 501, { error: "Restart not available" });
+      return;
+    }
+    deps.sendJson(res, 200, { ok: true, message: "Restarting..." });
+    setImmediate(() => deps.core.requestRestart());
+  });
+  router.get("/api/adapters", async (_req, res) => {
+    const adapters = Array.from(deps.core.adapters.entries()).map(([name]) => ({
+      name,
+      type: "built-in"
+    }));
+    deps.sendJson(res, 200, { adapters });
+  });
+}
+
+// src/plugins/api-server/routes/sessions.ts
+var log = createChildLogger({ module: "api-server" });
+function registerSessionRoutes(router, deps) {
+  router.post("/api/sessions/adopt", async (req, res) => {
+    const body = await deps.readBody(req);
+    if (body === null) {
+      return deps.sendJson(res, 413, { error: "Request body too large" });
+    }
+    if (!body) {
+      return deps.sendJson(res, 400, {
+        error: "bad_request",
+        message: "Empty request body"
+      });
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(body);
+    } catch {
+      return deps.sendJson(res, 400, {
+        error: "bad_request",
+        message: "Invalid JSON"
+      });
+    }
+    const { agent, agentSessionId, cwd, channel } = parsed;
+    if (!agent || !agentSessionId) {
+      return deps.sendJson(res, 400, {
+        error: "bad_request",
+        message: "Missing required fields: agent, agentSessionId"
+      });
+    }
+    const result = await deps.core.adoptSession(
+      agent,
+      agentSessionId,
+      cwd ?? process.cwd(),
+      channel
+    );
+    if (result.ok) {
+      return deps.sendJson(res, 200, result);
+    } else {
+      const status = result.error === "session_limit" ? 429 : result.error === "agent_not_supported" ? 400 : 500;
+      return deps.sendJson(res, status, result);
+    }
+  });
+  router.post("/api/sessions", async (req, res) => {
+    const body = await deps.readBody(req);
+    let agent;
+    let workspace;
+    if (body) {
+      try {
+        const parsed = JSON.parse(body);
+        agent = parsed.agent;
+        workspace = parsed.workspace;
+      } catch {
+        deps.sendJson(res, 400, { error: "Invalid JSON body" });
+        return;
+      }
+    }
+    const config = deps.core.configManager.get();
+    const activeSessions = deps.core.sessionManager.listSessions().filter((s) => s.status === "active" || s.status === "initializing");
+    if (activeSessions.length >= config.security.maxConcurrentSessions) {
+      deps.sendJson(res, 429, {
+        error: `Max concurrent sessions (${config.security.maxConcurrentSessions}) reached. Cancel a session first.`
+      });
+      return;
+    }
+    const [adapterId, adapter] = deps.core.adapters.entries().next().value ?? [
+      null,
+      null
+    ];
+    const channelId = adapterId ?? "api";
+    const resolvedAgent = agent || config.defaultAgent;
+    const resolvedWorkspace = deps.core.configManager.resolveWorkspace(
+      workspace || config.agents[resolvedAgent]?.workingDirectory
+    );
+    const session = await deps.core.createSession({
+      channelId,
+      agentName: resolvedAgent,
+      workingDirectory: resolvedWorkspace,
+      createThread: !!adapter,
+      initialName: `\u{1F504} ${resolvedAgent} \u2014 New Session`
+    });
+    if (!adapter) {
+      session.agentInstance.onPermissionRequest = async (request) => {
+        const allowOption = request.options.find((o) => o.isAllow);
+        log.debug(
+          {
+            sessionId: session.id,
+            permissionId: request.id,
+            option: allowOption?.id
+          },
+          "Auto-approving permission for API session"
+        );
+        return allowOption?.id ?? request.options[0]?.id ?? "";
+      };
+    }
+    session.warmup().catch(
+      (err) => log.warn({ err, sessionId: session.id }, "API session warmup failed")
+    );
+    deps.sendJson(res, 200, {
+      sessionId: session.id,
+      agent: session.agentName,
+      status: session.status,
+      workspace: session.workingDirectory
+    });
+  });
+  router.post("/api/sessions/:sessionId/prompt", async (req, res, params) => {
+    const sessionId = decodeURIComponent(params.sessionId);
+    const session = deps.core.sessionManager.getSession(sessionId);
+    if (!session) {
+      deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
+      return;
+    }
+    if (session.status === "cancelled" || session.status === "finished" || session.status === "error") {
+      deps.sendJson(res, 400, { error: `Session is ${session.status}` });
+      return;
+    }
+    const body = await deps.readBody(req);
+    let prompt;
+    if (body) {
+      try {
+        const parsed = JSON.parse(body);
+        prompt = parsed.prompt;
+      } catch {
+        deps.sendJson(res, 400, { error: "Invalid JSON body" });
+        return;
+      }
+    }
+    if (!prompt) {
+      deps.sendJson(res, 400, { error: "Missing prompt" });
+      return;
+    }
+    session.enqueuePrompt(prompt).catch(() => {
+    });
+    deps.sendJson(res, 200, {
+      ok: true,
+      sessionId,
+      queueDepth: session.queueDepth
+    });
+  });
+  router.post(
+    "/api/sessions/:sessionId/permission",
+    async (req, res, params) => {
+      const sessionId = decodeURIComponent(params.sessionId);
+      const session = deps.core.sessionManager.getSession(sessionId);
+      if (!session) {
+        deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
+        return;
+      }
+      const body = await deps.readBody(req);
+      let permissionId;
+      let optionId;
+      if (body) {
+        try {
+          const parsed = JSON.parse(body);
+          permissionId = parsed.permissionId;
+          optionId = parsed.optionId;
+        } catch {
+          deps.sendJson(res, 400, { error: "Invalid JSON body" });
+          return;
+        }
+      }
+      if (!permissionId || !optionId) {
+        deps.sendJson(res, 400, {
+          error: "Missing permissionId or optionId"
+        });
+        return;
+      }
+      if (!session.permissionGate.isPending || session.permissionGate.requestId !== permissionId) {
+        deps.sendJson(res, 400, {
+          error: "No matching pending permission request"
+        });
+        return;
+      }
+      session.permissionGate.resolve(optionId);
+      deps.sendJson(res, 200, { ok: true });
+    }
+  );
+  router.patch(
+    "/api/sessions/:sessionId/dangerous",
+    async (req, res, params) => {
+      const sessionId = decodeURIComponent(params.sessionId);
+      const session = deps.core.sessionManager.getSession(sessionId);
+      if (!session) {
+        deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
+        return;
+      }
+      const body = await deps.readBody(req);
+      let enabled;
+      if (body) {
+        try {
+          const parsed = JSON.parse(body);
+          enabled = parsed.enabled;
+        } catch {
+          deps.sendJson(res, 400, { error: "Invalid JSON body" });
+          return;
+        }
+      }
+      if (typeof enabled !== "boolean") {
+        deps.sendJson(res, 400, { error: "Missing enabled boolean" });
+        return;
+      }
+      session.dangerousMode = enabled;
+      await deps.core.sessionManager.patchRecord(sessionId, {
+        dangerousMode: enabled
+      });
+      deps.sendJson(res, 200, { ok: true, dangerousMode: enabled });
+    }
+  );
+  router.get("/api/sessions/:sessionId", async (_req, res, params) => {
+    const sessionId = decodeURIComponent(params.sessionId);
+    const session = deps.core.sessionManager.getSession(sessionId);
+    if (!session) {
+      deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
+      return;
+    }
+    deps.sendJson(res, 200, {
+      session: {
+        id: session.id,
+        agent: session.agentName,
+        status: session.status,
+        name: session.name ?? null,
+        workspace: session.workingDirectory,
+        createdAt: session.createdAt.toISOString(),
+        dangerousMode: session.dangerousMode,
+        queueDepth: session.queueDepth,
+        promptRunning: session.promptRunning,
+        threadId: session.threadId,
+        channelId: session.channelId,
+        agentSessionId: session.agentSessionId
+      }
+    });
+  });
+  router.post("/api/sessions/:sessionId/summary", async (_req, res, params) => {
+    const sessionId = decodeURIComponent(params.sessionId);
+    const result = await deps.core.summarizeSession(sessionId);
+    if (result.ok) {
+      deps.sendJson(res, 200, result);
+    } else {
+      deps.sendJson(res, 400, result);
+    }
+  });
+  router.post("/api/sessions/:sessionId/archive", async (_req, res, params) => {
+    const sessionId = decodeURIComponent(params.sessionId);
+    const result = await deps.core.archiveSession(sessionId);
+    if (result.ok) {
+      deps.sendJson(res, 200, result);
+    } else {
+      deps.sendJson(res, 400, result);
+    }
+  });
+  router.delete("/api/sessions/:sessionId", async (_req, res, params) => {
+    const sessionId = decodeURIComponent(params.sessionId);
+    const session = deps.core.sessionManager.getSession(sessionId);
+    if (!session) {
+      deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
+      return;
+    }
+    await deps.core.sessionManager.cancelSession(sessionId);
+    deps.sendJson(res, 200, { ok: true });
+  });
+  router.get("/api/sessions", async (_req, res) => {
+    const sessions = deps.core.sessionManager.listSessions();
+    deps.sendJson(res, 200, {
+      sessions: sessions.map((s) => ({
+        id: s.id,
+        agent: s.agentName,
+        status: s.status,
+        name: s.name ?? null,
+        workspace: s.workingDirectory,
+        createdAt: s.createdAt.toISOString(),
+        dangerousMode: s.dangerousMode,
+        queueDepth: s.queueDepth,
+        promptRunning: s.promptRunning,
+        lastActiveAt: deps.core.sessionManager.getSessionRecord(s.id)?.lastActiveAt ?? null
+      }))
+    });
+  });
+}
+
+// src/plugins/api-server/routes/config.ts
+var SENSITIVE_KEYS = [
+  "botToken",
+  "token",
+  "apiKey",
+  "secret",
+  "password",
+  "webhookSecret"
+];
+function redactConfig(config) {
+  const redacted = structuredClone(config);
+  redactDeep(redacted);
+  return redacted;
+}
+function redactDeep(obj) {
+  for (const [key, value] of Object.entries(obj)) {
+    if (SENSITIVE_KEYS.includes(key) && typeof value === "string") {
+      obj[key] = "***";
+    } else if (Array.isArray(value)) {
+      for (const item of value) {
+        if (item && typeof item === "object")
+          redactDeep(item);
+      }
+    } else if (value && typeof value === "object") {
+      redactDeep(value);
+    }
+  }
+}
+function registerConfigRoutes(router, deps) {
+  router.get("/api/config/editable", async (_req, res) => {
+    const { getSafeFields, resolveOptions, getConfigValue } = await import("./config-registry-CUMNXFGK.js");
+    const config = deps.core.configManager.get();
+    const safeFields = getSafeFields();
+    const fields = safeFields.map((def) => ({
+      path: def.path,
+      displayName: def.displayName,
+      group: def.group,
+      type: def.type,
+      options: resolveOptions(def, config),
+      value: getConfigValue(config, def.path),
+      hotReload: def.hotReload
+    }));
+    deps.sendJson(res, 200, { fields });
+  });
+  router.get("/api/config", async (_req, res) => {
+    const config = deps.core.configManager.get();
+    deps.sendJson(res, 200, { config: redactConfig(config) });
+  });
+  router.patch("/api/config", async (req, res) => {
+    const body = await deps.readBody(req);
+    let configPath;
+    let value;
+    if (body) {
+      try {
+        const parsed = JSON.parse(body);
+        configPath = parsed.path;
+        value = parsed.value;
+      } catch {
+        deps.sendJson(res, 400, { error: "Invalid JSON body" });
+        return;
+      }
+    }
+    if (!configPath) {
+      deps.sendJson(res, 400, { error: "Missing path" });
+      return;
+    }
+    const BLOCKED_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+    const parts = configPath.split(".");
+    if (parts.some((p) => BLOCKED_KEYS.has(p))) {
+      deps.sendJson(res, 400, { error: "Invalid config path" });
+      return;
+    }
+    const { getFieldDef } = await import("./config-registry-CUMNXFGK.js");
+    const fieldDef = getFieldDef(configPath);
+    if (!fieldDef || fieldDef.scope !== "safe") {
+      deps.sendJson(res, 403, {
+        error: "This config field cannot be modified via the API"
+      });
+      return;
+    }
+    const currentConfig = deps.core.configManager.get();
+    const cloned = structuredClone(currentConfig);
+    let target = cloned;
+    for (let i = 0; i < parts.length - 1; i++) {
+      const part = parts[i];
+      if (target[part] && typeof target[part] === "object" && !Array.isArray(target[part])) {
+        target = target[part];
+      } else if (target[part] === void 0 || target[part] === null) {
+        target[part] = {};
+        target = target[part];
+      } else {
+        deps.sendJson(res, 400, { error: "Invalid config path" });
+        return;
+      }
+    }
+    const lastKey = parts[parts.length - 1];
+    target[lastKey] = value;
+    const { ConfigSchema } = await import("./config-I4FMCJGZ.js");
+    const result = ConfigSchema.safeParse(cloned);
+    if (!result.success) {
+      deps.sendJson(res, 400, {
+        error: "Validation failed",
+        details: result.error.issues.map((i) => ({
+          path: i.path.join("."),
+          message: i.message
+        }))
+      });
+      return;
+    }
+    const updates = {};
+    let updateTarget = updates;
+    for (let i = 0; i < parts.length - 1; i++) {
+      updateTarget[parts[i]] = {};
+      updateTarget = updateTarget[parts[i]];
+    }
+    updateTarget[lastKey] = value;
+    await deps.core.configManager.save(updates, configPath);
+    const { isHotReloadable } = await import("./config-registry-CUMNXFGK.js");
+    const needsRestart = !isHotReloadable(configPath);
+    deps.sendJson(res, 200, {
+      ok: true,
+      needsRestart,
+      config: redactConfig(deps.core.configManager.get())
+    });
+  });
+}
+
+// src/plugins/api-server/routes/topics.ts
+function registerTopicRoutes(router, deps) {
+  router.get("/api/topics", async (req, res) => {
+    if (!deps.topicManager) {
+      deps.sendJson(res, 501, { error: "Topic management not available" });
+      return;
+    }
+    const url = req.url || "";
+    const params = new URL(url, "http://localhost").searchParams;
+    const statusParam = params.get("status");
+    const filter = statusParam ? { statuses: statusParam.split(",") } : void 0;
+    const topics = deps.topicManager.listTopics(filter);
+    deps.sendJson(res, 200, { topics });
+  });
+  router.post("/api/topics/cleanup", async (req, res) => {
+    if (!deps.topicManager) {
+      deps.sendJson(res, 501, { error: "Topic management not available" });
+      return;
+    }
+    const body = await deps.readBody(req);
+    let statuses;
+    if (body) {
+      try {
+        statuses = JSON.parse(body).statuses;
+      } catch {
+      }
+    }
+    const result = await deps.topicManager.cleanup(statuses);
+    deps.sendJson(res, 200, result);
+  });
+  router.delete("/api/topics/:sessionId", async (req, res, params) => {
+    if (!deps.topicManager) {
+      deps.sendJson(res, 501, { error: "Topic management not available" });
+      return;
+    }
+    const sessionId = decodeURIComponent(params.sessionId);
+    const url = req.url || "";
+    const urlParams = new URL(url, "http://localhost").searchParams;
+    const force = urlParams.get("force") === "true";
+    const result = await deps.topicManager.deleteTopic(
+      sessionId,
+      force ? { confirmed: true } : void 0
+    );
+    if (result.ok) {
+      deps.sendJson(res, 200, result);
+    } else if (result.needsConfirmation) {
+      deps.sendJson(res, 409, {
+        error: "Session is active",
+        needsConfirmation: true,
+        session: result.session
+      });
+    } else if (result.error === "Cannot delete system topic") {
+      deps.sendJson(res, 403, { error: result.error });
+    } else {
+      deps.sendJson(res, 404, { error: result.error ?? "Not found" });
+    }
+  });
+}
+
+// src/plugins/api-server/routes/tunnel.ts
+function registerTunnelRoutes(router, deps) {
+  router.get("/api/tunnel", async (_req, res) => {
+    const tunnel = deps.core.tunnelService;
+    if (tunnel) {
+      deps.sendJson(res, 200, {
+        enabled: true,
+        url: tunnel.getPublicUrl(),
+        provider: deps.core.configManager.get().tunnel.provider
+      });
+    } else {
+      deps.sendJson(res, 200, { enabled: false });
+    }
+  });
+  router.get("/api/tunnel/list", async (_req, res) => {
+    const tunnel = deps.core.tunnelService;
+    if (!tunnel) {
+      deps.sendJson(res, 200, []);
+      return;
+    }
+    deps.sendJson(res, 200, tunnel.listTunnels());
+  });
+  router.post("/api/tunnel", async (req, res) => {
+    const tunnel = deps.core.tunnelService;
+    if (!tunnel) {
+      deps.sendJson(res, 400, { error: "Tunnel service is not enabled" });
+      return;
+    }
+    const body = await deps.readBody(req);
+    if (body === null) {
+      deps.sendJson(res, 413, { error: "Request body too large" });
+      return;
+    }
+    if (!body) {
+      deps.sendJson(res, 400, { error: "Missing request body" });
+      return;
+    }
+    try {
+      const { port, label, sessionId } = JSON.parse(body);
+      if (!port || typeof port !== "number") {
+        deps.sendJson(res, 400, {
+          error: "port is required and must be a number"
+        });
+        return;
+      }
+      const entry = await tunnel.addTunnel(port, { label, sessionId });
+      deps.sendJson(res, 200, entry);
+    } catch (err) {
+      deps.sendJson(res, 400, { error: err.message });
+    }
+  });
+  router.delete("/api/tunnel/:port", async (_req, res, params) => {
+    const tunnel = deps.core.tunnelService;
+    if (!tunnel) {
+      deps.sendJson(res, 400, { error: "Tunnel service is not enabled" });
+      return;
+    }
+    const port = parseInt(params.port, 10);
+    try {
+      await tunnel.stopTunnel(port);
+      deps.sendJson(res, 200, { ok: true });
+    } catch (err) {
+      deps.sendJson(res, 400, { error: err.message });
+    }
+  });
+  router.delete("/api/tunnel", async (_req, res) => {
+    const tunnel = deps.core.tunnelService;
+    if (!tunnel) {
+      deps.sendJson(res, 400, { error: "Tunnel service is not enabled" });
+      return;
+    }
+    const count = tunnel.listTunnels().length;
+    await tunnel.stopAllUser();
+    deps.sendJson(res, 200, { ok: true, stopped: count });
+  });
+}
+
+// src/plugins/api-server/routes/agents.ts
+function registerAgentRoutes(router, deps) {
+  router.get("/api/agents", async (_req, res) => {
+    const agents = deps.core.agentManager.getAvailableAgents();
+    const defaultAgent = deps.core.configManager.get().defaultAgent;
+    const agentsWithCaps = agents.map((a) => ({
+      ...a,
+      capabilities: getAgentCapabilities(a.name)
+    }));
+    deps.sendJson(res, 200, { agents: agentsWithCaps, default: defaultAgent });
+  });
+}
+
+// src/plugins/api-server/routes/notify.ts
+function registerNotifyRoutes(router, deps) {
+  router.post("/api/notify", async (req, res) => {
+    const body = await deps.readBody(req);
+    let message;
+    if (body) {
+      try {
+        const parsed = JSON.parse(body);
+        message = parsed.message;
+      } catch {
+        deps.sendJson(res, 400, { error: "Invalid JSON body" });
+        return;
+      }
+    }
+    if (!message) {
+      deps.sendJson(res, 400, { error: "Missing message" });
+      return;
+    }
+    await deps.core.notificationManager.notifyAll({
+      sessionId: "system",
+      type: "completed",
+      summary: message
+    });
+    deps.sendJson(res, 200, { ok: true });
+  });
+}
+
+// src/plugins/api-server/api-server.ts
+var log2 = createChildLogger({ module: "api-server" });
+var DEFAULT_PORT_FILE = path2.join(os.homedir(), ".openacp", "api.port");
+var cachedVersion;
+function getVersion() {
+  if (cachedVersion) return cachedVersion;
+  try {
+    const __filename = fileURLToPath2(import.meta.url);
+    const pkgPath = path2.resolve(
+      path2.dirname(__filename),
+      "../../../package.json"
+    );
+    const pkg = JSON.parse(fs2.readFileSync(pkgPath, "utf-8"));
+    cachedVersion = pkg.version ?? "0.0.0-dev";
+  } catch {
+    cachedVersion = "0.0.0-dev";
+  }
+  return cachedVersion;
+}
+var ApiServer = class {
+  constructor(core, config, portFilePath, topicManager, secretFilePath, uiDir) {
+    this.core = core;
+    this.config = config;
+    this.topicManager = topicManager;
+    this.portFilePath = portFilePath ?? DEFAULT_PORT_FILE;
+    this.secretFilePath = secretFilePath ?? path2.join(os.homedir(), ".openacp", "api-secret");
+    this.staticServer = new StaticServer(uiDir);
+    this.sseManager = new SSEManager(
+      core.eventBus,
+      () => {
+        const sessions = this.core.sessionManager.listSessions();
+        return {
+          active: sessions.filter(
+            (s) => s.status === "active" || s.status === "initializing"
+          ).length,
+          total: sessions.length
+        };
+      },
+      this.startedAt
+    );
+    this.router = new Router();
+    const deps = {
+      core: this.core,
+      topicManager: this.topicManager,
+      startedAt: this.startedAt,
+      getVersion,
+      sendJson: this.sendJson.bind(this),
+      readBody: this.readBody.bind(this)
+    };
+    registerHealthRoutes(this.router, deps);
+    registerSessionRoutes(this.router, deps);
+    registerConfigRoutes(this.router, deps);
+    registerTopicRoutes(this.router, deps);
+    registerTunnelRoutes(this.router, deps);
+    registerAgentRoutes(this.router, deps);
+    registerNotifyRoutes(this.router, deps);
+  }
+  server = null;
+  actualPort = 0;
+  portFilePath;
+  startedAt = Date.now();
+  secret = "";
+  secretFilePath;
+  sseManager;
+  staticServer;
+  router;
+  async start() {
+    this.loadOrCreateSecret();
+    this.server = http.createServer((req, res) => this.handleRequest(req, res));
+    await new Promise((resolve3, reject) => {
+      this.server.on("error", (err) => {
+        if (err.code === "EADDRINUSE") {
+          log2.warn(
+            { port: this.config.port },
+            "API port in use, continuing without API server"
+          );
+          this.server = null;
+          resolve3();
+        } else {
+          reject(err);
+        }
+      });
+      this.server.listen(this.config.port, this.config.host, () => {
+        const addr = this.server.address();
+        if (addr && typeof addr === "object") {
+          this.actualPort = addr.port;
+        }
+        this.writePortFile();
+        log2.info(
+          { host: this.config.host, port: this.actualPort },
+          "API server listening"
+        );
+        this.sseManager.setup();
+        if (this.config.host !== "127.0.0.1" && this.config.host !== "localhost") {
+          log2.warn(
+            "API server binding to non-localhost. Ensure api-secret file is secured."
+          );
+        }
+        resolve3();
+      });
+    });
+  }
+  async stop() {
+    this.sseManager.stop();
+    this.removePortFile();
+    if (this.server) {
+      await new Promise((resolve3) => {
+        this.server.close(() => resolve3());
+      });
+      this.server = null;
+    }
+  }
+  getPort() {
+    return this.actualPort;
+  }
+  getSecret() {
+    return this.secret;
+  }
+  writePortFile() {
+    const dir = path2.dirname(this.portFilePath);
+    fs2.mkdirSync(dir, { recursive: true });
+    fs2.writeFileSync(this.portFilePath, String(this.actualPort));
+  }
+  removePortFile() {
+    try {
+      fs2.unlinkSync(this.portFilePath);
+    } catch {
+    }
+  }
+  loadOrCreateSecret() {
+    const dir = path2.dirname(this.secretFilePath);
+    fs2.mkdirSync(dir, { recursive: true });
+    try {
+      this.secret = fs2.readFileSync(this.secretFilePath, "utf-8").trim();
+      if (this.secret) {
+        try {
+          const stat = fs2.statSync(this.secretFilePath);
+          const mode = stat.mode & 511;
+          if (mode & 63) {
+            log2.warn(
+              { path: this.secretFilePath, mode: "0" + mode.toString(8) },
+              "API secret file has insecure permissions (should be 0600). Run: chmod 600 %s",
+              this.secretFilePath
+            );
+          }
+        } catch {
+        }
+        return;
+      }
+    } catch {
+    }
+    this.secret = crypto.randomBytes(32).toString("hex");
+    fs2.writeFileSync(this.secretFilePath, this.secret, { mode: 384 });
+  }
+  authenticate(req, allowQueryParam = false) {
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith("Bearer ")) {
+      const token = authHeader.slice(7);
+      if (token.length === this.secret.length && crypto.timingSafeEqual(
+        Buffer.from(token, "utf-8"),
+        Buffer.from(this.secret, "utf-8")
+      )) {
+        return true;
+      }
+    }
+    if (allowQueryParam) {
+      const parsedUrl = new URL(req.url || "", "http://localhost");
+      const qToken = parsedUrl.searchParams.get("token");
+      if (qToken && qToken.length === this.secret.length && crypto.timingSafeEqual(
+        Buffer.from(qToken, "utf-8"),
+        Buffer.from(this.secret, "utf-8")
+      )) {
+        return true;
+      }
+    }
+    return false;
+  }
+  async handleRequest(req, res) {
+    const method = req.method?.toUpperCase();
+    const url = req.url || "";
+    if (url.startsWith("/api/")) {
+      const isExempt = method === "GET" && (url === "/api/health" || url === "/api/version" || url.startsWith("/api/events"));
+      if (!isExempt && !this.authenticate(req)) {
+        this.sendJson(res, 401, { error: "Unauthorized" });
+        return;
+      }
+    }
+    try {
+      if (method === "GET" && url.startsWith("/api/events")) {
+        if (!this.authenticate(req, true)) {
+          this.sendJson(res, 401, { error: "Unauthorized" });
+          return;
+        }
+        this.sseManager.handleRequest(req, res);
+        return;
+      }
+      if (url.startsWith("/api/")) {
+        const match = this.router.match(method, url);
+        if (match) {
+          await match.handler(req, res, match.params);
+        } else {
+          this.sendJson(res, 404, { error: "Not found" });
+        }
+        return;
+      }
+      if (!this.staticServer.serve(req, res)) {
+        this.sendJson(res, 404, { error: "Not found" });
+      }
+    } catch (err) {
+      log2.error({ err }, "API request error");
+      this.sendJson(res, 500, { error: "Internal server error" });
+    }
+  }
+  sendJson(res, status, data) {
+    res.writeHead(status, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(data));
+  }
+  readBody(req) {
+    const MAX_BODY_SIZE = 1024 * 1024;
+    return new Promise((resolve3) => {
+      let data = "";
+      let size = 0;
+      let destroyed = false;
+      req.on("data", (chunk) => {
+        size += chunk.length;
+        if (size > MAX_BODY_SIZE && !destroyed) {
+          destroyed = true;
+          req.destroy();
+          resolve3(null);
+          return;
+        }
+        if (!destroyed) data += chunk;
+      });
+      req.on("end", () => {
+        if (!destroyed) resolve3(data);
+      });
+      req.on("error", () => {
+        if (!destroyed) resolve3("");
+      });
+    });
+  }
+};
+
+export {
+  SSEManager,
+  StaticServer,
+  ApiServer
+};
+//# sourceMappingURL=chunk-UNJUWWQO.js.map