@openacp/cli 2026.331.1 → 2026.331.3

package/dist/chunk-R2YLDQLI.js

@@ -1,1115 +0,0 @@
-import {
-  createChildLogger
-} from "./chunk-R6KZYF7D.js";
-import {
-  getAgentCapabilities
-} from "./chunk-ZSLHHQPQ.js";
-
-// src/plugins/api-server/api-server.ts
-import * as http from "http";
-import * as fs2 from "fs";
-import * as path2 from "path";
-import * as os from "os";
-import * as crypto from "crypto";
-import { fileURLToPath as fileURLToPath2 } from "url";
-
-// src/plugins/api-server/sse-manager.ts
-var SSEManager = class {
-  constructor(eventBus, getSessionStats, startedAt) {
-    this.eventBus = eventBus;
-    this.getSessionStats = getSessionStats;
-    this.startedAt = startedAt;
-  }
-  sseConnections = /* @__PURE__ */ new Set();
-  sseCleanupHandlers = /* @__PURE__ */ new Map();
-  healthInterval;
-  boundHandlers = [];
-  setup() {
-    if (!this.eventBus) return;
-    const events = [
-      "session:created",
-      "session:updated",
-      "session:deleted",
-      "agent:event",
-      "permission:request"
-    ];
-    for (const eventName of events) {
-      const handler = (data) => {
-        this.broadcast(eventName, data);
-      };
-      this.eventBus.on(eventName, handler);
-      this.boundHandlers.push({ event: eventName, handler });
-    }
-    this.healthInterval = setInterval(() => {
-      const mem = process.memoryUsage();
-      const stats = this.getSessionStats();
-      this.broadcast("health", {
-        uptime: Date.now() - this.startedAt,
-        memory: {
-          rss: mem.rss,
-          heapUsed: mem.heapUsed,
-          heapTotal: mem.heapTotal
-        },
-        sessions: stats
-      });
-    }, 3e4);
-  }
-  handleRequest(req, res) {
-    const parsedUrl = new URL(req.url || "", "http://localhost");
-    const sessionFilter = parsedUrl.searchParams.get("sessionId");
-    res.writeHead(200, {
-      "Content-Type": "text/event-stream",
-      "Cache-Control": "no-cache",
-      Connection: "keep-alive"
-    });
-    res.flushHeaders();
-    res.sessionFilter = sessionFilter ?? void 0;
-    this.sseConnections.add(res);
-    const cleanup = () => {
-      this.sseConnections.delete(res);
-      this.sseCleanupHandlers.delete(res);
-    };
-    this.sseCleanupHandlers.set(res, cleanup);
-    req.on("close", cleanup);
-  }
-  broadcast(event, data) {
-    const payload = `event: ${event}
-data: ${JSON.stringify(data)}
-
-`;
-    const sessionEvents = [
-      "agent:event",
-      "permission:request",
-      "session:updated"
-    ];
-    for (const res of this.sseConnections) {
-      const filter = res.sessionFilter;
-      if (filter && sessionEvents.includes(event)) {
-        const eventData = data;
-        if (eventData.sessionId !== filter) continue;
-      }
-      try {
-        if (res.writable) res.write(payload);
-      } catch {
-      }
-    }
-  }
-  stop() {
-    if (this.healthInterval) clearInterval(this.healthInterval);
-    if (this.eventBus) {
-      for (const { event, handler } of this.boundHandlers) {
-        this.eventBus.off(event, handler);
-      }
-    }
-    this.boundHandlers = [];
-    const entries = [...this.sseCleanupHandlers];
-    for (const [res, cleanup] of entries) {
-      res.end();
-      cleanup();
-    }
-  }
-};
-
-// src/plugins/api-server/static-server.ts
-import * as fs from "fs";
-import * as path from "path";
-import { fileURLToPath } from "url";
-var MIME_TYPES = {
-  ".html": "text/html; charset=utf-8",
-  ".js": "application/javascript; charset=utf-8",
-  ".css": "text/css; charset=utf-8",
-  ".json": "application/json; charset=utf-8",
-  ".png": "image/png",
-  ".jpg": "image/jpeg",
-  ".svg": "image/svg+xml",
-  ".ico": "image/x-icon",
-  ".woff": "font/woff",
-  ".woff2": "font/woff2"
-};
-var StaticServer = class {
-  uiDir;
-  constructor(uiDir) {
-    this.uiDir = uiDir;
-    if (!this.uiDir) {
-      const __filename = fileURLToPath(import.meta.url);
-      const candidate = path.resolve(path.dirname(__filename), "../../ui/dist");
-      if (fs.existsSync(path.join(candidate, "index.html"))) {
-        this.uiDir = candidate;
-      }
-      if (!this.uiDir) {
-        const publishCandidate = path.resolve(
-          path.dirname(__filename),
-          "../ui"
-        );
-        if (fs.existsSync(path.join(publishCandidate, "index.html"))) {
-          this.uiDir = publishCandidate;
-        }
-      }
-    }
-  }
-  isAvailable() {
-    return this.uiDir !== void 0;
-  }
-  serve(req, res) {
-    if (!this.uiDir) return false;
-    const urlPath = (req.url || "/").split("?")[0];
-    const safePath = path.normalize(urlPath);
-    const filePath = path.join(this.uiDir, safePath);
-    if (!filePath.startsWith(this.uiDir + path.sep) && filePath !== this.uiDir)
-      return false;
-    if (fs.existsSync(filePath) && fs.statSync(filePath).isFile()) {
-      const ext = path.extname(filePath);
-      const contentType = MIME_TYPES[ext] ?? "application/octet-stream";
-      const isHashed = /\.[a-zA-Z0-9]{8,}\.(js|css)$/.test(filePath);
-      const cacheControl = isHashed ? "public, max-age=31536000, immutable" : "no-cache";
-      res.writeHead(200, {
-        "Content-Type": contentType,
-        "Cache-Control": cacheControl
-      });
-      fs.createReadStream(filePath).pipe(res);
-      return true;
-    }
-    const indexPath = path.join(this.uiDir, "index.html");
-    if (fs.existsSync(indexPath)) {
-      res.writeHead(200, {
-        "Content-Type": "text/html; charset=utf-8",
-        "Cache-Control": "no-cache"
-      });
-      fs.createReadStream(indexPath).pipe(res);
-      return true;
-    }
-    return false;
-  }
-};
-
-// src/plugins/api-server/router.ts
-var Router = class {
-  routes = [];
-  get(path3, handler) {
-    this.add("GET", path3, handler);
-  }
-  post(path3, handler) {
-    this.add("POST", path3, handler);
-  }
-  put(path3, handler) {
-    this.add("PUT", path3, handler);
-  }
-  patch(path3, handler) {
-    this.add("PATCH", path3, handler);
-  }
-  delete(path3, handler) {
-    this.add("DELETE", path3, handler);
-  }
-  match(method, url) {
-    const pathname = url.split("?")[0];
-    for (const route of this.routes) {
-      if (route.method !== method) continue;
-      const m = pathname.match(route.pattern);
-      if (!m) continue;
-      const params = {};
-      for (let i = 0; i < route.keys.length; i++) {
-        params[route.keys[i]] = m[i + 1];
-      }
-      return { handler: route.handler, params };
-    }
-    return null;
-  }
-  add(method, path3, handler) {
-    const keys = [];
-    const pattern = path3.replace(/:(\w+)/g, (_, key) => {
-      keys.push(key);
-      return "([^/]+)";
-    });
-    this.routes.push({
-      method,
-      pattern: new RegExp(`^${pattern}$`),
-      keys,
-      handler
-    });
-  }
-};
-
-// src/plugins/api-server/routes/health.ts
-function registerHealthRoutes(router, deps) {
-  router.get("/api/health", async (_req, res) => {
-    const activeSessions = deps.core.sessionManager.listSessions();
-    const allRecords = deps.core.sessionManager.listRecords();
-    const mem = process.memoryUsage();
-    const tunnel = deps.core.tunnelService;
-    deps.sendJson(res, 200, {
-      status: "ok",
-      uptime: Date.now() - deps.startedAt,
-      version: deps.getVersion(),
-      memory: {
-        rss: mem.rss,
-        heapUsed: mem.heapUsed,
-        heapTotal: mem.heapTotal
-      },
-      sessions: {
-        active: activeSessions.filter(
-          (s) => s.status === "active" || s.status === "initializing"
-        ).length,
-        total: allRecords.length
-      },
-      adapters: Array.from(deps.core.adapters.keys()),
-      tunnel: tunnel ? { enabled: true, url: tunnel.getPublicUrl() } : { enabled: false }
-    });
-  });
-  router.get("/api/version", async (_req, res) => {
-    deps.sendJson(res, 200, { version: deps.getVersion() });
-  });
-  router.post("/api/restart", async (_req, res) => {
-    if (!deps.core.requestRestart) {
-      deps.sendJson(res, 501, { error: "Restart not available" });
-      return;
-    }
-    deps.sendJson(res, 200, { ok: true, message: "Restarting..." });
-    setImmediate(() => deps.core.requestRestart());
-  });
-  router.get("/api/adapters", async (_req, res) => {
-    const adapters = Array.from(deps.core.adapters.entries()).map(([name]) => ({
-      name,
-      type: "built-in"
-    }));
-    deps.sendJson(res, 200, { adapters });
-  });
-}
-
-// src/plugins/api-server/routes/sessions.ts
-var log = createChildLogger({ module: "api-server" });
-function registerSessionRoutes(router, deps) {
-  router.post("/api/sessions/adopt", async (req, res) => {
-    const body = await deps.readBody(req);
-    if (body === null) {
-      return deps.sendJson(res, 413, { error: "Request body too large" });
-    }
-    if (!body) {
-      return deps.sendJson(res, 400, {
-        error: "bad_request",
-        message: "Empty request body"
-      });
-    }
-    let parsed;
-    try {
-      parsed = JSON.parse(body);
-    } catch {
-      return deps.sendJson(res, 400, {
-        error: "bad_request",
-        message: "Invalid JSON"
-      });
-    }
-    const { agent, agentSessionId, cwd, channel } = parsed;
-    if (!agent || !agentSessionId) {
-      return deps.sendJson(res, 400, {
-        error: "bad_request",
-        message: "Missing required fields: agent, agentSessionId"
-      });
-    }
-    const result = await deps.core.adoptSession(
-      agent,
-      agentSessionId,
-      cwd ?? process.cwd(),
-      channel
-    );
-    if (result.ok) {
-      return deps.sendJson(res, 200, result);
-    } else {
-      const status = result.error === "session_limit" ? 429 : result.error === "agent_not_supported" ? 400 : 500;
-      return deps.sendJson(res, status, result);
-    }
-  });
-  router.post("/api/sessions", async (req, res) => {
-    const body = await deps.readBody(req);
-    let agent;
-    let workspace;
-    let channel;
-    if (body) {
-      try {
-        const parsed = JSON.parse(body);
-        agent = parsed.agent;
-        workspace = parsed.workspace;
-        channel = parsed.channel;
-      } catch {
-        deps.sendJson(res, 400, { error: "Invalid JSON body" });
-        return;
-      }
-    }
-    const config = deps.core.configManager.get();
-    const activeSessions = deps.core.sessionManager.listSessions().filter((s) => s.status === "active" || s.status === "initializing");
-    if (activeSessions.length >= config.security.maxConcurrentSessions) {
-      deps.sendJson(res, 429, {
-        error: `Max concurrent sessions (${config.security.maxConcurrentSessions}) reached. Cancel a session first.`
-      });
-      return;
-    }
-    let adapterId = null;
-    let adapter = null;
-    if (channel) {
-      if (!deps.core.adapters.has(channel)) {
-        const available = Array.from(deps.core.adapters.keys()).join(", ") || "none";
-        deps.sendJson(res, 400, {
-          error: `Adapter '${channel}' is not connected. Available: ${available}`
-        });
-        return;
-      }
-      adapterId = channel;
-      adapter = deps.core.adapters.get(channel) ?? null;
-    } else {
-      const firstEntry = deps.core.adapters.entries().next().value;
-      if (firstEntry) {
-        [adapterId, adapter] = firstEntry;
-      }
-    }
-    const channelId = adapterId ?? "api";
-    const resolvedAgent = agent || config.defaultAgent;
-    const agentDef = deps.core.agentCatalog.resolve(resolvedAgent);
-    const resolvedWorkspace = deps.core.configManager.resolveWorkspace(
-      workspace || agentDef?.workingDirectory
-    );
-    const session = await deps.core.createSession({
-      channelId,
-      agentName: resolvedAgent,
-      workingDirectory: resolvedWorkspace,
-      createThread: !!adapter,
-      initialName: `\u{1F504} ${resolvedAgent} \u2014 New Session`
-    });
-    if (!adapter) {
-      session.agentInstance.onPermissionRequest = async (request) => {
-        const allowOption = request.options.find((o) => o.isAllow);
-        log.debug(
-          {
-            sessionId: session.id,
-            permissionId: request.id,
-            option: allowOption?.id
-          },
-          "Auto-approving permission for API session"
-        );
-        return allowOption?.id ?? request.options[0]?.id ?? "";
-      };
-    }
-    session.warmup().catch(
-      (err) => log.warn({ err, sessionId: session.id }, "API session warmup failed")
-    );
-    deps.sendJson(res, 200, {
-      sessionId: session.id,
-      agent: session.agentName,
-      status: session.status,
-      workspace: session.workingDirectory
-    });
-  });
-  router.post("/api/sessions/:sessionId/prompt", async (req, res, params) => {
-    const sessionId = decodeURIComponent(params.sessionId);
-    const session = deps.core.sessionManager.getSession(sessionId);
-    if (!session) {
-      deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
-      return;
-    }
-    if (session.status === "cancelled" || session.status === "finished" || session.status === "error") {
-      deps.sendJson(res, 400, { error: `Session is ${session.status}` });
-      return;
-    }
-    const body = await deps.readBody(req);
-    let prompt;
-    if (body) {
-      try {
-        const parsed = JSON.parse(body);
-        prompt = parsed.prompt;
-      } catch {
-        deps.sendJson(res, 400, { error: "Invalid JSON body" });
-        return;
-      }
-    }
-    if (!prompt) {
-      deps.sendJson(res, 400, { error: "Missing prompt" });
-      return;
-    }
-    session.enqueuePrompt(prompt).catch(() => {
-    });
-    deps.sendJson(res, 200, {
-      ok: true,
-      sessionId,
-      queueDepth: session.queueDepth
-    });
-  });
-  router.post(
-    "/api/sessions/:sessionId/permission",
-    async (req, res, params) => {
-      const sessionId = decodeURIComponent(params.sessionId);
-      const session = deps.core.sessionManager.getSession(sessionId);
-      if (!session) {
-        deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
-        return;
-      }
-      const body = await deps.readBody(req);
-      let permissionId;
-      let optionId;
-      if (body) {
-        try {
-          const parsed = JSON.parse(body);
-          permissionId = parsed.permissionId;
-          optionId = parsed.optionId;
-        } catch {
-          deps.sendJson(res, 400, { error: "Invalid JSON body" });
-          return;
-        }
-      }
-      if (!permissionId || !optionId) {
-        deps.sendJson(res, 400, {
-          error: "Missing permissionId or optionId"
-        });
-        return;
-      }
-      if (!session.permissionGate.isPending || session.permissionGate.requestId !== permissionId) {
-        deps.sendJson(res, 400, {
-          error: "No matching pending permission request"
-        });
-        return;
-      }
-      session.permissionGate.resolve(optionId);
-      deps.sendJson(res, 200, { ok: true });
-    }
-  );
-  router.patch(
-    "/api/sessions/:sessionId/dangerous",
-    async (req, res, params) => {
-      const sessionId = decodeURIComponent(params.sessionId);
-      const session = deps.core.sessionManager.getSession(sessionId);
-      if (!session) {
-        deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
-        return;
-      }
-      const body = await deps.readBody(req);
-      let enabled;
-      if (body) {
-        try {
-          const parsed = JSON.parse(body);
-          enabled = parsed.enabled;
-        } catch {
-          deps.sendJson(res, 400, { error: "Invalid JSON body" });
-          return;
-        }
-      }
-      if (typeof enabled !== "boolean") {
-        deps.sendJson(res, 400, { error: "Missing enabled boolean" });
-        return;
-      }
-      session.dangerousMode = enabled;
-      await deps.core.sessionManager.patchRecord(sessionId, {
-        dangerousMode: enabled
-      });
-      deps.sendJson(res, 200, { ok: true, dangerousMode: enabled });
-    }
-  );
-  router.get("/api/sessions/:sessionId", async (_req, res, params) => {
-    const sessionId = decodeURIComponent(params.sessionId);
-    const session = deps.core.sessionManager.getSession(sessionId);
-    if (!session) {
-      deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
-      return;
-    }
-    deps.sendJson(res, 200, {
-      session: {
-        id: session.id,
-        agent: session.agentName,
-        status: session.status,
-        name: session.name ?? null,
-        workspace: session.workingDirectory,
-        createdAt: session.createdAt.toISOString(),
-        dangerousMode: session.dangerousMode,
-        queueDepth: session.queueDepth,
-        promptRunning: session.promptRunning,
-        threadId: session.threadId,
-        channelId: session.channelId,
-        agentSessionId: session.agentSessionId
-      }
-    });
-  });
-  router.post("/api/sessions/:sessionId/archive", async (_req, res, params) => {
-    const sessionId = decodeURIComponent(params.sessionId);
-    const result = await deps.core.archiveSession(sessionId);
-    if (result.ok) {
-      deps.sendJson(res, 200, result);
-    } else {
-      deps.sendJson(res, 400, result);
-    }
-  });
-  router.delete("/api/sessions/:sessionId", async (_req, res, params) => {
-    const sessionId = decodeURIComponent(params.sessionId);
-    const session = deps.core.sessionManager.getSession(sessionId);
-    if (!session) {
-      deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
-      return;
-    }
-    await deps.core.sessionManager.cancelSession(sessionId);
-    deps.sendJson(res, 200, { ok: true });
-  });
-  router.get("/api/sessions", async (_req, res) => {
-    const sessions = deps.core.sessionManager.listSessions();
-    deps.sendJson(res, 200, {
-      sessions: sessions.map((s) => ({
-        id: s.id,
-        agent: s.agentName,
-        status: s.status,
-        name: s.name ?? null,
-        workspace: s.workingDirectory,
-        createdAt: s.createdAt.toISOString(),
-        dangerousMode: s.dangerousMode,
-        queueDepth: s.queueDepth,
-        promptRunning: s.promptRunning,
-        lastActiveAt: deps.core.sessionManager.getSessionRecord(s.id)?.lastActiveAt ?? null
-      }))
-    });
-  });
-}
-
-// src/plugins/api-server/routes/config.ts
-var SENSITIVE_KEYS = [
-  "botToken",
-  "token",
-  "apiKey",
-  "secret",
-  "password",
-  "webhookSecret"
-];
-function redactConfig(config) {
-  const redacted = structuredClone(config);
-  redactDeep(redacted);
-  return redacted;
-}
-function redactDeep(obj) {
-  for (const [key, value] of Object.entries(obj)) {
-    if (SENSITIVE_KEYS.includes(key) && typeof value === "string") {
-      obj[key] = "***";
-    } else if (Array.isArray(value)) {
-      for (const item of value) {
-        if (item && typeof item === "object")
-          redactDeep(item);
-      }
-    } else if (value && typeof value === "object") {
-      redactDeep(value);
-    }
-  }
-}
-function registerConfigRoutes(router, deps) {
-  router.get("/api/config/editable", async (_req, res) => {
-    const { getSafeFields, resolveOptions, getConfigValue } = await import("./config-registry-M3FFWEVM.js");
-    const config = deps.core.configManager.get();
-    const safeFields = getSafeFields();
-    const fields = safeFields.map((def) => ({
-      path: def.path,
-      displayName: def.displayName,
-      group: def.group,
-      type: def.type,
-      options: resolveOptions(def, config),
-      value: getConfigValue(config, def.path),
-      hotReload: def.hotReload
-    }));
-    deps.sendJson(res, 200, { fields });
-  });
-  router.get("/api/config", async (_req, res) => {
-    const config = deps.core.configManager.get();
-    deps.sendJson(res, 200, { config: redactConfig(config) });
-  });
-  router.patch("/api/config", async (req, res) => {
-    const body = await deps.readBody(req);
-    let configPath;
-    let value;
-    if (body) {
-      try {
-        const parsed = JSON.parse(body);
-        configPath = parsed.path;
-        value = parsed.value;
-      } catch {
-        deps.sendJson(res, 400, { error: "Invalid JSON body" });
-        return;
-      }
-    }
-    if (!configPath) {
-      deps.sendJson(res, 400, { error: "Missing path" });
-      return;
-    }
-    const BLOCKED_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
-    const parts = configPath.split(".");
-    if (parts.some((p) => BLOCKED_KEYS.has(p))) {
-      deps.sendJson(res, 400, { error: "Invalid config path" });
-      return;
-    }
-    const { getFieldDef } = await import("./config-registry-M3FFWEVM.js");
-    const fieldDef = getFieldDef(configPath);
-    if (!fieldDef || fieldDef.scope !== "safe") {
-      deps.sendJson(res, 403, {
-        error: "This config field cannot be modified via the API"
-      });
-      return;
-    }
-    const currentConfig = deps.core.configManager.get();
-    const cloned = structuredClone(currentConfig);
-    let target = cloned;
-    for (let i = 0; i < parts.length - 1; i++) {
-      const part = parts[i];
-      if (target[part] && typeof target[part] === "object" && !Array.isArray(target[part])) {
-        target = target[part];
-      } else if (target[part] === void 0 || target[part] === null) {
-        target[part] = {};
-        target = target[part];
-      } else {
-        deps.sendJson(res, 400, { error: "Invalid config path" });
-        return;
-      }
-    }
-    const lastKey = parts[parts.length - 1];
-    target[lastKey] = value;
-    const { ConfigSchema } = await import("./config-X4UP7H6R.js");
-    const result = ConfigSchema.safeParse(cloned);
-    if (!result.success) {
-      deps.sendJson(res, 400, {
-        error: "Validation failed",
-        details: result.error.issues.map((i) => ({
-          path: i.path.join("."),
-          message: i.message
-        }))
-      });
-      return;
-    }
-    const updates = {};
-    let updateTarget = updates;
-    for (let i = 0; i < parts.length - 1; i++) {
-      updateTarget[parts[i]] = {};
-      updateTarget = updateTarget[parts[i]];
-    }
-    updateTarget[lastKey] = value;
-    await deps.core.configManager.save(updates, configPath);
-    const { isHotReloadable } = await import("./config-registry-M3FFWEVM.js");
-    const needsRestart = !isHotReloadable(configPath);
-    deps.sendJson(res, 200, {
-      ok: true,
-      needsRestart,
-      config: redactConfig(deps.core.configManager.get())
-    });
-  });
-}
-
-// src/plugins/api-server/routes/topics.ts
-function registerTopicRoutes(router, deps) {
-  router.get("/api/topics", async (req, res) => {
-    if (!deps.topicManager) {
-      deps.sendJson(res, 501, { error: "Topic management not available" });
-      return;
-    }
-    const url = req.url || "";
-    const params = new URL(url, "http://localhost").searchParams;
-    const statusParam = params.get("status");
-    const filter = statusParam ? { statuses: statusParam.split(",") } : void 0;
-    const topics = deps.topicManager.listTopics(filter);
-    deps.sendJson(res, 200, { topics });
-  });
-  router.post("/api/topics/cleanup", async (req, res) => {
-    if (!deps.topicManager) {
-      deps.sendJson(res, 501, { error: "Topic management not available" });
-      return;
-    }
-    const body = await deps.readBody(req);
-    let statuses;
-    if (body) {
-      try {
-        statuses = JSON.parse(body).statuses;
-      } catch {
-      }
-    }
-    const result = await deps.topicManager.cleanup(statuses);
-    deps.sendJson(res, 200, result);
-  });
-  router.delete("/api/topics/:sessionId", async (req, res, params) => {
-    if (!deps.topicManager) {
-      deps.sendJson(res, 501, { error: "Topic management not available" });
-      return;
-    }
-    const sessionId = decodeURIComponent(params.sessionId);
-    const url = req.url || "";
-    const urlParams = new URL(url, "http://localhost").searchParams;
-    const force = urlParams.get("force") === "true";
-    const result = await deps.topicManager.deleteTopic(
-      sessionId,
-      force ? { confirmed: true } : void 0
-    );
-    if (result.ok) {
-      deps.sendJson(res, 200, result);
-    } else if (result.needsConfirmation) {
-      deps.sendJson(res, 409, {
-        error: "Session is active",
-        needsConfirmation: true,
-        session: result.session
-      });
-    } else if (result.error === "Cannot delete system topic") {
-      deps.sendJson(res, 403, { error: result.error });
-    } else {
-      deps.sendJson(res, 404, { error: result.error ?? "Not found" });
-    }
-  });
-}
-
-// src/plugins/api-server/routes/tunnel.ts
-function registerTunnelRoutes(router, deps) {
-  router.get("/api/tunnel", async (_req, res) => {
-    const tunnel = deps.core.tunnelService;
-    if (tunnel) {
-      deps.sendJson(res, 200, {
-        enabled: true,
-        url: tunnel.getPublicUrl(),
-        provider: deps.core.configManager.get().tunnel.provider
-      });
-    } else {
-      deps.sendJson(res, 200, { enabled: false });
-    }
-  });
-  router.get("/api/tunnel/list", async (_req, res) => {
-    const tunnel = deps.core.tunnelService;
-    if (!tunnel) {
-      deps.sendJson(res, 200, []);
-      return;
-    }
-    deps.sendJson(res, 200, tunnel.listTunnels());
-  });
-  router.post("/api/tunnel", async (req, res) => {
-    const tunnel = deps.core.tunnelService;
-    if (!tunnel) {
-      deps.sendJson(res, 400, { error: "Tunnel service is not enabled" });
-      return;
-    }
-    const body = await deps.readBody(req);
-    if (body === null) {
-      deps.sendJson(res, 413, { error: "Request body too large" });
-      return;
-    }
-    if (!body) {
-      deps.sendJson(res, 400, { error: "Missing request body" });
-      return;
-    }
-    try {
-      const { port, label, sessionId } = JSON.parse(body);
-      if (!port || typeof port !== "number") {
-        deps.sendJson(res, 400, {
-          error: "port is required and must be a number"
-        });
-        return;
-      }
-      const entry = await tunnel.addTunnel(port, { label, sessionId });
-      deps.sendJson(res, 200, entry);
-    } catch (err) {
-      deps.sendJson(res, 400, { error: err.message });
-    }
-  });
-  router.delete("/api/tunnel/:port", async (_req, res, params) => {
-    const tunnel = deps.core.tunnelService;
-    if (!tunnel) {
-      deps.sendJson(res, 400, { error: "Tunnel service is not enabled" });
-      return;
-    }
-    const port = parseInt(params.port, 10);
-    try {
-      await tunnel.stopTunnel(port);
-      deps.sendJson(res, 200, { ok: true });
-    } catch (err) {
-      deps.sendJson(res, 400, { error: err.message });
-    }
-  });
-  router.delete("/api/tunnel", async (_req, res) => {
-    const tunnel = deps.core.tunnelService;
-    if (!tunnel) {
-      deps.sendJson(res, 400, { error: "Tunnel service is not enabled" });
-      return;
-    }
-    const count = tunnel.listTunnels().length;
-    await tunnel.stopAllUser();
-    deps.sendJson(res, 200, { ok: true, stopped: count });
-  });
-}
-
-// src/plugins/api-server/routes/agents.ts
-function registerAgentRoutes(router, deps) {
-  router.get("/api/agents", async (_req, res) => {
-    const agents = deps.core.agentManager.getAvailableAgents();
-    const defaultAgent = deps.core.configManager.get().defaultAgent;
-    const agentsWithCaps = agents.map((a) => ({
-      ...a,
-      capabilities: getAgentCapabilities(a.name)
-    }));
-    deps.sendJson(res, 200, { agents: agentsWithCaps, default: defaultAgent });
-  });
-}
-
-// src/plugins/api-server/routes/notify.ts
-function registerNotifyRoutes(router, deps) {
-  router.post("/api/notify", async (req, res) => {
-    const body = await deps.readBody(req);
-    let message;
-    if (body) {
-      try {
-        const parsed = JSON.parse(body);
-        message = parsed.message;
-      } catch {
-        deps.sendJson(res, 400, { error: "Invalid JSON body" });
-        return;
-      }
-    }
-    if (!message) {
-      deps.sendJson(res, 400, { error: "Missing message" });
-      return;
-    }
-    await deps.core.notificationManager.notifyAll({
-      sessionId: "system",
-      type: "completed",
-      summary: message
-    });
-    deps.sendJson(res, 200, { ok: true });
-  });
-}
-
-// src/plugins/api-server/api-server.ts
-var log2 = createChildLogger({ module: "api-server" });
-var cachedVersion;
-function getVersion() {
-  if (cachedVersion) return cachedVersion;
-  try {
-    const __filename = fileURLToPath2(import.meta.url);
-    const pkgPath = path2.resolve(
-      path2.dirname(__filename),
-      "../../../package.json"
-    );
-    const pkg = JSON.parse(fs2.readFileSync(pkgPath, "utf-8"));
-    cachedVersion = pkg.version ?? "0.0.0-dev";
-  } catch {
-    cachedVersion = "0.0.0-dev";
-  }
-  return cachedVersion;
-}
-var ApiServer = class {
-  constructor(core, config, portFilePath, topicManager, secretFilePath, uiDir) {
-    this.core = core;
-    this.config = config;
-    this.topicManager = topicManager;
-    this.portFilePath = portFilePath ?? path2.join(os.homedir(), ".openacp", "api.port");
-    this.secretFilePath = secretFilePath ?? path2.join(os.homedir(), ".openacp", "api-secret");
-    this.staticServer = new StaticServer(uiDir);
-    this.sseManager = new SSEManager(
-      core.eventBus,
-      () => {
-        const sessions = this.core.sessionManager.listSessions();
-        return {
-          active: sessions.filter(
-            (s) => s.status === "active" || s.status === "initializing"
-          ).length,
-          total: sessions.length
-        };
-      },
-      this.startedAt
-    );
-    this.router = new Router();
-    const deps = {
-      core: this.core,
-      topicManager: this.topicManager,
-      startedAt: this.startedAt,
-      getVersion,
-      sendJson: this.sendJson.bind(this),
-      readBody: this.readBody.bind(this)
-    };
-    registerHealthRoutes(this.router, deps);
-    registerSessionRoutes(this.router, deps);
-    registerConfigRoutes(this.router, deps);
-    registerTopicRoutes(this.router, deps);
-    registerTunnelRoutes(this.router, deps);
-    registerAgentRoutes(this.router, deps);
-    registerNotifyRoutes(this.router, deps);
-  }
-  server = null;
-  actualPort = 0;
-  portFilePath;
-  startedAt = Date.now();
-  secret = "";
-  secretFilePath;
-  sseManager;
-  staticServer;
-  router;
-  async start() {
-    this.loadOrCreateSecret();
-    this.server = http.createServer((req, res) => this.handleRequest(req, res));
-    await new Promise((resolve3, reject) => {
-      this.server.on("error", (err) => {
-        if (err.code === "EADDRINUSE") {
-          log2.warn(
-            { port: this.config.port },
-            "API port in use, continuing without API server"
-          );
-          this.server = null;
-          resolve3();
-        } else {
-          reject(err);
-        }
-      });
-      this.server.listen(this.config.port, this.config.host, () => {
-        const addr = this.server.address();
-        if (addr && typeof addr === "object") {
-          this.actualPort = addr.port;
-        }
-        this.writePortFile();
-        log2.info(
-          { host: this.config.host, port: this.actualPort },
-          "API server listening"
-        );
-        this.sseManager.setup();
-        if (this.config.host !== "127.0.0.1" && this.config.host !== "localhost") {
-          log2.warn(
-            "API server binding to non-localhost. Ensure api-secret file is secured."
-          );
-        }
-        resolve3();
-      });
-    });
-  }
-  async stop() {
-    this.sseManager.stop();
-    this.removePortFile();
-    if (this.server) {
-      await new Promise((resolve3) => {
-        this.server.close(() => resolve3());
-      });
-      this.server = null;
-    }
-  }
-  getPort() {
-    return this.actualPort;
-  }
-  getSecret() {
-    return this.secret;
-  }
-  writePortFile() {
-    const dir = path2.dirname(this.portFilePath);
-    fs2.mkdirSync(dir, { recursive: true });
-    fs2.writeFileSync(this.portFilePath, String(this.actualPort));
-  }
-  removePortFile() {
-    try {
-      fs2.unlinkSync(this.portFilePath);
-    } catch {
-    }
-  }
-  loadOrCreateSecret() {
-    const dir = path2.dirname(this.secretFilePath);
-    fs2.mkdirSync(dir, { recursive: true });
-    try {
-      this.secret = fs2.readFileSync(this.secretFilePath, "utf-8").trim();
-      if (this.secret) {
-        try {
-          const stat = fs2.statSync(this.secretFilePath);
-          const mode = stat.mode & 511;
-          if (mode & 63) {
-            log2.warn(
-              { path: this.secretFilePath, mode: "0" + mode.toString(8) },
-              "API secret file has insecure permissions (should be 0600). Run: chmod 600 %s",
-              this.secretFilePath
-            );
-          }
-        } catch {
-        }
-        return;
-      }
-    } catch {
-    }
-    this.secret = crypto.randomBytes(32).toString("hex");
-    fs2.writeFileSync(this.secretFilePath, this.secret, { mode: 384 });
-  }
-  authenticate(req, allowQueryParam = false) {
-    const authHeader = req.headers.authorization;
-    if (authHeader?.startsWith("Bearer ")) {
-      const token = authHeader.slice(7);
-      if (token.length === this.secret.length && crypto.timingSafeEqual(
-        Buffer.from(token, "utf-8"),
-        Buffer.from(this.secret, "utf-8")
-      )) {
-        return true;
-      }
-    }
-    if (allowQueryParam) {
-      const parsedUrl = new URL(req.url || "", "http://localhost");
-      const qToken = parsedUrl.searchParams.get("token");
-      if (qToken && qToken.length === this.secret.length && crypto.timingSafeEqual(
-        Buffer.from(qToken, "utf-8"),
-        Buffer.from(this.secret, "utf-8")
-      )) {
-        return true;
-      }
-    }
-    return false;
-  }
-  async handleRequest(req, res) {
-    const method = req.method?.toUpperCase();
-    const url = req.url || "";
-    if (url.startsWith("/api/")) {
-      const isExempt = method === "GET" && (url === "/api/health" || url === "/api/version" || url.startsWith("/api/events"));
-      if (!isExempt && !this.authenticate(req)) {
-        this.sendJson(res, 401, { error: "Unauthorized" });
-        return;
-      }
-    }
-    try {
-      if (method === "GET" && url.startsWith("/api/events")) {
-        if (!this.authenticate(req, true)) {
-          this.sendJson(res, 401, { error: "Unauthorized" });
-          return;
-        }
-        this.sseManager.handleRequest(req, res);
-        return;
-      }
-      if (url.startsWith("/api/")) {
-        const match = this.router.match(method, url);
-        if (match) {
-          await match.handler(req, res, match.params);
-        } else {
-          this.sendJson(res, 404, { error: "Not found" });
-        }
-        return;
-      }
-      if (!this.staticServer.serve(req, res)) {
-        this.sendJson(res, 404, { error: "Not found" });
-      }
-    } catch (err) {
-      log2.error({ err }, "API request error");
-      this.sendJson(res, 500, { error: "Internal server error" });
-    }
-  }
-  sendJson(res, status, data) {
-    res.writeHead(status, { "Content-Type": "application/json" });
-    res.end(JSON.stringify(data));
-  }
-  readBody(req) {
-    const MAX_BODY_SIZE = 1024 * 1024;
-    return new Promise((resolve3) => {
-      let data = "";
-      let size = 0;
-      let destroyed = false;
-      req.on("data", (chunk) => {
-        size += chunk.length;
-        if (size > MAX_BODY_SIZE && !destroyed) {
-          destroyed = true;
-          req.destroy();
-          resolve3(null);
-          return;
-        }
-        if (!destroyed) data += chunk;
-      });
-      req.on("end", () => {
-        if (!destroyed) resolve3(data);
-      });
-      req.on("error", () => {
-        if (!destroyed) resolve3("");
-      });
-    });
-  }
-};
-
-export {
-  SSEManager,
-  StaticServer,
-  ApiServer
-};
-//# sourceMappingURL=chunk-R2YLDQLI.js.map