@pacaf/wizard-ux 2.0.0

package/dist/index.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="color-scheme" content="light dark" />
+    <title>Foundations — Power Apps Code App Setup</title>
+    <style>
+      html, body, #root { height: 100%; margin: 0; padding: 0; }
+      body {
+        font-family: 'Segoe UI Variable', 'Segoe UI', system-ui, -apple-system, sans-serif;
+        background: #0E1620;
+        color: #e8e8ec;
+        overflow: hidden;
+      }
+      /* Loader shown until React mounts — mirrors the landing page tri-color hero gradient */
+      #boot {
+        position: fixed; inset: 0;
+        display: flex; align-items: center; justify-content: center;
+        background: radial-gradient(ellipse at center, #003E70 0%, #0E1620 70%);
+      }
+      #boot .ring {
+        width: 48px; height: 48px;
+        border: 3px solid #0078D4;
+        border-top-color: transparent;
+        border-radius: 50%;
+        animation: spin 0.8s linear infinite;
+      }
+      @keyframes spin { to { transform: rotate(360deg); } }
+    </style>
+    <script type="module" crossorigin src="./assets/index-BVelUveV.js"></script>
+  </head>
+  <body>
+    <div id="root"><div id="boot"><div class="ring"></div></div></div>
+  </body>
+</html>

package/index.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="color-scheme" content="light dark" />
+    <title>Foundations — Power Apps Code App Setup</title>
+    <style>
+      html, body, #root { height: 100%; margin: 0; padding: 0; }
+      body {
+        font-family: 'Segoe UI Variable', 'Segoe UI', system-ui, -apple-system, sans-serif;
+        background: #0E1620;
+        color: #e8e8ec;
+        overflow: hidden;
+      }
+      /* Loader shown until React mounts — mirrors the landing page tri-color hero gradient */
+      #boot {
+        position: fixed; inset: 0;
+        display: flex; align-items: center; justify-content: center;
+        background: radial-gradient(ellipse at center, #003E70 0%, #0E1620 70%);
+      }
+      #boot .ring {
+        width: 48px; height: 48px;
+        border: 3px solid #0078D4;
+        border-top-color: transparent;
+        border-radius: 50%;
+        animation: spin 0.8s linear infinite;
+      }
+      @keyframes spin { to { transform: rotate(360deg); } }
+    </style>
+  </head>
+  <body>
+    <div id="root"><div id="boot"><div class="ring"></div></div></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>

package/package.json

@@ -0,0 +1,67 @@
+{
+  "name": "@pacaf/wizard-ux",
+  "version": "2.0.0",
+  "private": false,
+  "type": "module",
+  "description": "Browser-based setup wizard for Power Apps Code Apps (parallel to @pacaf/wizard CLI).",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/martycarreras-psnl/PAppsCAFoundations.git",
+    "directory": "packages/wizard-ux"
+  },
+  "homepage": "https://martycarreras-psnl.github.io/PAppsCAFoundations",
+  "bin": {
+    "pacaf-wizard-ux": "./bin/pacaf-wizard-ux.mjs"
+  },
+  "files": [
+    "bin/",
+    "dist/",
+    "server/",
+    "scripts/",
+    "index.html",
+    "README.md"
+  ],
+  "scripts": {
+    "dev": "node server/index.mjs",
+    "build": "vite build",
+    "preview": "vite preview --port 5174",
+    "postinstall": "node scripts/fix-pty-perms.mjs"
+  },
+  "dependencies": {
+    "@fastify/cors": "^9.0.1",
+    "@fastify/static": "^7.0.4",
+    "@fastify/websocket": "^10.0.1",
+    "@fluentui/react-components": "^9.56.0",
+    "@fluentui/react-icons": "^2.0.260",
+    "@tanstack/react-query": "^5.62.0",
+    "@xterm/addon-fit": "^0.10.0",
+    "@xterm/addon-web-links": "^0.11.0",
+    "@xterm/xterm": "^5.5.0",
+    "fastify": "^4.28.1",
+    "node-pty": "^1.1.0",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "react-resizable-panels": "^2.1.7",
+    "react-router-dom": "^7.1.0"
+  },
+  "devDependencies": {
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "@vitejs/plugin-react": "^4.3.0",
+    "typescript": "^5.7.0",
+    "vite": "^6.0.0"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "keywords": [
+    "power-apps",
+    "code-apps",
+    "power-platform",
+    "wizard",
+    "scaffold",
+    "browser",
+    "pacaf"
+  ]
+}

package/scripts/fix-pty-perms.mjs

@@ -0,0 +1,34 @@
+// Ensures node-pty's prebuilt `spawn-helper` binary is executable after npm install.
+// Some npm/tarball extraction paths drop the +x bit on Linux/macOS, which causes
+// `posix_spawnp failed` at runtime. Idempotent and silent on Windows.
+import { chmodSync, statSync, existsSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+if (process.platform === 'win32') process.exit(0);
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const ptyDir = resolve(__dirname, '..', 'node_modules', 'node-pty', 'prebuilds');
+if (!existsSync(ptyDir)) process.exit(0);
+
+const arch = process.arch;
+const platform = process.platform === 'darwin' ? 'darwin' : 'linux';
+const candidates = [
+  `${platform}-${arch}`,
+  `${platform}-x64`,
+  `${platform}-arm64`,
+];
+
+for (const folder of candidates) {
+  const helper = resolve(ptyDir, folder, 'spawn-helper');
+  if (!existsSync(helper)) continue;
+  try {
+    const mode = statSync(helper).mode;
+    if ((mode & 0o111) === 0) {
+      chmodSync(helper, mode | 0o755);
+      console.log(`[wizard-ux] chmod +x ${helper.replace(process.cwd(), '.')}`);
+    }
+  } catch (err) {
+    console.warn(`[wizard-ux] could not chmod ${helper}: ${err.message}`);
+  }
+}

package/server/index.mjs

@@ -0,0 +1,144 @@
+// wizard-ux/server/index.mjs — Fastify server bridging WizardUX UI to wizard internals.
+// Binds to 127.0.0.1 only. Single CSRF token issued at startup; required on mutating routes.
+import Fastify from 'fastify';
+import cors from '@fastify/cors';
+import { existsSync, readFileSync } from 'node:fs';
+import { resolve, dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { randomBytes } from 'node:crypto';
+import { spawn } from 'node:child_process';
+import { createServer as createViteServer } from 'vite';
+
+import stateRoutes from './routes/state.mjs';
+import systemRoutes from './routes/system.mjs';
+import stepsRoutes from './routes/steps.mjs';
+import streamRoutes from './routes/stream.mjs';
+import ptyRoutes from './routes/pty.mjs';
+import onepasswordRoutes from './routes/onepassword.mjs';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const UX_DIR = resolve(__dirname, '..');
+const ROOT_DIR = resolve(UX_DIR, '..');
+
+const HOST = '127.0.0.1';
+const PORT = Number(process.env.WIZARD_UX_PORT || 5174);
+const IS_PROD = process.env.NODE_ENV === 'production';
+
+const CSRF_TOKEN = randomBytes(24).toString('hex');
+
+const app = Fastify({
+  logger: { level: process.env.LOG_LEVEL || 'info' },
+});
+
+await app.register(cors, {
+  origin: (origin, cb) => {
+    // Same-origin requests have no Origin header; accept those.
+    // Otherwise only accept the well-known localhost origins.
+    if (!origin) return cb(null, true);
+    if (origin === `http://${HOST}:${PORT}` || origin === `http://localhost:${PORT}`) return cb(null, true);
+    if (!IS_PROD && (origin === `http://${HOST}:5175` || origin === 'http://localhost:5175')) return cb(null, true);
+    cb(new Error('Origin not allowed'), false);
+  },
+  credentials: true,
+});
+
+// Expose the CSRF token to the UI on a single endpoint. UI stores it in memory and
+// echoes it on mutating calls. Token rotates per server start.
+app.get('/api/handshake', async () => ({
+  csrfToken: CSRF_TOKEN,
+  rootDir: ROOT_DIR,
+  startedAt: new Date().toISOString(),
+}));
+
+// Guard mutating routes
+app.addHook('onRequest', async (req, reply) => {
+  if (!req.url.startsWith('/api/')) return;
+  if (req.method === 'GET' || req.method === 'HEAD' || req.method === 'OPTIONS') return;
+  if (req.url === '/api/handshake') return;
+  const token = req.headers['x-wizard-token'];
+  if (token !== CSRF_TOKEN) {
+    reply.code(403).send({ error: 'Invalid or missing CSRF token' });
+  }
+});
+
+// Activity tracker for auto-shutdown (10 min idle)
+let lastActivity = Date.now();
+app.addHook('onRequest', async (req) => {
+  if (req.url.startsWith('/api/')) lastActivity = Date.now();
+});
+
+// Routes
+await app.register(stateRoutes, { prefix: '/api/state', rootDir: ROOT_DIR });
+await app.register(systemRoutes, { prefix: '/api/system', rootDir: ROOT_DIR });
+await app.register(stepsRoutes, { prefix: '/api/steps', rootDir: ROOT_DIR });
+await app.register(streamRoutes, { prefix: '/api/steps', rootDir: ROOT_DIR });
+await app.register(ptyRoutes, { rootDir: ROOT_DIR, csrfToken: CSRF_TOKEN });
+await app.register(onepasswordRoutes, { prefix: '/api/1password' });
+
+// Serve the UI — Vite middleware in dev, static dist/ in prod
+if (IS_PROD) {
+  const distDir = join(UX_DIR, 'dist');
+  if (existsSync(distDir)) {
+    const fastifyStatic = (await import('@fastify/static')).default;
+    await app.register(fastifyStatic, { root: distDir, prefix: '/' });
+    app.setNotFoundHandler((req, reply) => {
+      if (req.url.startsWith('/api/')) return reply.code(404).send({ error: 'Not found' });
+      // SPA fallback
+      reply.sendFile('index.html');
+    });
+  } else {
+    app.log.warn('Production build not found in dist/. Run `npm run build` inside wizard-ux.');
+  }
+} else {
+  const vite = await createViteServer({
+    root: UX_DIR,
+    server: { middlewareMode: true, hmr: { port: 5176 } },
+    appType: 'custom',
+  });
+  // Mount Vite's connect-style middleware
+  app.addHook('onRequest', async (req, reply) => {
+    if (req.url.startsWith('/api/') || req.url.startsWith('/ws/')) return;
+    return new Promise((resolveP) => {
+      vite.middlewares(req.raw, reply.raw, () => resolveP());
+      reply.raw.on('finish', () => resolveP());
+    });
+  });
+  app.setNotFoundHandler(async (req, reply) => {
+    if (req.url.startsWith('/api/') || req.url.startsWith('/ws/')) return reply.code(404).send({ error: 'Not found' });
+    try {
+      const indexHtml = readFileSync(join(UX_DIR, 'index.html'), 'utf-8');
+      const html = await vite.transformIndexHtml(req.url, indexHtml);
+      reply.type('text/html').send(html);
+    } catch (e) {
+      reply.code(500).send(String(e));
+    }
+  });
+}
+
+await app.listen({ host: HOST, port: PORT });
+
+const url = `http://${HOST}:${PORT}`;
+console.log('');
+console.log('  ╭─────────────────────────────────────────────╮');
+console.log('  │  WizardUX is running                        │');
+console.log(`  │  ${url.padEnd(43)}│`);
+console.log('  ╰─────────────────────────────────────────────╯');
+console.log('');
+
+if (process.env.WIZARD_UX_OPEN !== '0') {
+  // Best-effort browser open
+  const opener = process.platform === 'win32'
+    ? spawn('cmd', ['/c', 'start', '', url], { detached: true, stdio: 'ignore' })
+    : spawn(process.platform === 'darwin' ? 'open' : 'xdg-open', [url], { detached: true, stdio: 'ignore' });
+  opener.on('error', () => { /* best effort */ });
+  opener.unref();
+}
+
+// Idle auto-shutdown
+const IDLE_MS = 10 * 60 * 1000;
+setInterval(() => {
+  if (Date.now() - lastActivity > IDLE_MS) {
+    app.log.info('Idle for 10 minutes — shutting down.');
+    app.close().then(() => process.exit(0));
+  }
+}, 60_000).unref();

package/server/lib/dataverse-bridge.mjs

@@ -0,0 +1,51 @@
+// wizard-ux/server/lib/dataverse-bridge.mjs
+// Refreshes wizard/lib/state.mjs from disk before each Dataverse call so the
+// existing dvGet/dvPost helpers see the latest state written by WizardUX.
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const WIZARD_LIB = resolve(__dirname, '..', '..', '..', 'wizard', 'lib');
+
+const stateMod = await import(pathToFileURL(resolve(WIZARD_LIB, 'state.mjs')).href);
+const dvMod = await import(pathToFileURL(resolve(WIZARD_LIB, 'dataverse.mjs')).href);
+const secretsMod = await import(pathToFileURL(resolve(WIZARD_LIB, 'secrets.mjs')).href);
+
+function refresh() {
+  // Reload disk state into the wizard's in-memory singleton
+  stateMod.loadState();
+}
+
+export async function dvGet(path) {
+  refresh();
+  dvMod.clearTokenCache();
+  return dvMod.dvGet(path);
+}
+
+export async function dvPost(path, body, opts) {
+  refresh();
+  dvMod.clearTokenCache();
+  return dvMod.dvPost(path, body, opts);
+}
+
+export function setSecret(value) {
+  secretsMod.setSecret(value);
+}
+
+export function getSecret() {
+  return secretsMod.getSecret();
+}
+
+export function recoverSecret() {
+  refresh();
+  return secretsMod.recoverSecret();
+}
+
+export function clearSecret() {
+  secretsMod.clearSecret();
+}
+
+export function hasUsableSecret() {
+  if (secretsMod.getSecret()) return true;
+  return Boolean(secretsMod.recoverSecret());
+}

package/server/lib/process-runner.mjs

@@ -0,0 +1,117 @@
+// wizard-ux/server/lib/process-runner.mjs
+// Wraps child_process.spawn and emits stdout/stderr lines on an EventEmitter so SSE
+// routes can subscribe. Holds at most the last 1000 lines per run for late joiners.
+import { spawn } from 'node:child_process';
+import { EventEmitter } from 'node:events';
+import { randomBytes } from 'node:crypto';
+
+const runs = new Map(); // runId -> Run
+
+class Run extends EventEmitter {
+  constructor(id) {
+    super();
+    this.id = id;
+    this.lines = []; // { stream: 'stdout'|'stderr', text, ts }
+    this.status = 'pending'; // pending | running | done | error
+    this.exitCode = null;
+    this.error = null;
+    this.startedAt = null;
+    this.endedAt = null;
+    this.child = null;
+  }
+
+  push(stream, text) {
+    const evt = { stream, text, ts: Date.now() };
+    this.lines.push(evt);
+    if (this.lines.length > 1000) this.lines.shift();
+    this.emit('line', evt);
+    // Detect device code prompts from pac auth create
+    const codeMatch = text.match(/enter the code\s+([A-Z0-9]{6,12})/i);
+    const urlMatch = text.match(/(https:\/\/microsoft\.com\/devicelogin)/i);
+    if (codeMatch) {
+      this.deviceCode = { code: codeMatch[1], url: 'https://microsoft.com/devicelogin', ts: Date.now() };
+      this.emit('deviceCode', this.deviceCode);
+    } else if (urlMatch && !this.deviceCode) {
+      this.deviceCode = { code: null, url: urlMatch[1], ts: Date.now() };
+      this.emit('deviceCode', this.deviceCode);
+    }
+  }
+
+  cancel() {
+    if (this.child && !this.child.killed) {
+      try { this.child.kill('SIGINT'); } catch { /* best-effort */ }
+    }
+  }
+}
+
+export function newRun() {
+  const id = randomBytes(8).toString('hex');
+  const run = new Run(id);
+  runs.set(id, run);
+  // GC: clean up runs older than 30 minutes
+  setTimeout(() => runs.delete(id), 30 * 60 * 1000).unref?.();
+  return run;
+}
+
+export function getRun(id) {
+  return runs.get(id);
+}
+
+export function spawnInRun(run, file, args, opts = {}) {
+  return new Promise((resolveP) => {
+    run.status = 'running';
+    run.startedAt = Date.now();
+    run.push('stdout', `$ ${file} ${args.join(' ')}\n`);
+    const child = spawn(file, args, { ...opts, stdio: ['ignore', 'pipe', 'pipe'] });
+    run.child = child;
+    child.stdout.setEncoding('utf-8');
+    child.stderr.setEncoding('utf-8');
+    child.stdout.on('data', (chunk) => run.push('stdout', chunk));
+    child.stderr.on('data', (chunk) => run.push('stderr', chunk));
+    child.on('error', (err) => {
+      run.status = 'error';
+      run.error = err.message;
+      run.endedAt = Date.now();
+      run.emit('end');
+      resolveP({ ok: false, code: -1, error: err.message });
+    });
+    child.on('close', (code) => {
+      run.exitCode = code;
+      run.status = code === 0 ? 'done' : 'error';
+      run.endedAt = Date.now();
+      run.emit('end');
+      resolveP({ ok: code === 0, code });
+    });
+  });
+}
+
+/**
+ * Run an async function with a "logger" that pushes lines into the run.
+ * Use for steps that don't shell out — e.g. Dataverse API calls, file writes.
+ */
+export async function runInline(run, fn) {
+  run.status = 'running';
+  run.startedAt = Date.now();
+  const log = {
+    info: (msg) => run.push('stdout', `${msg}\n`),
+    ok: (msg) => run.push('stdout', `✓ ${msg}\n`),
+    warn: (msg) => run.push('stderr', `⚠ ${msg}\n`),
+    fail: (msg) => run.push('stderr', `✗ ${msg}\n`),
+  };
+  try {
+    const result = await fn(log);
+    run.status = 'done';
+    run.exitCode = 0;
+    run.endedAt = Date.now();
+    run.emit('end');
+    return { ok: true, result };
+  } catch (err) {
+    run.status = 'error';
+    run.error = err.message;
+    run.exitCode = -1;
+    run.endedAt = Date.now();
+    log.fail(err.message);
+    run.emit('end');
+    return { ok: false, error: err.message };
+  }
+}

package/server/lib/state-bridge.mjs

@@ -0,0 +1,40 @@
+// wizard-ux/server/lib/state-bridge.mjs
+// Reads/writes the shared .wizard-state.json file. Mirrors wizard/lib/state.mjs but
+// keeps zero global state — every call reads from disk to stay correct across multiple
+// browser windows and concurrent CLI runs.
+import { existsSync, readFileSync, writeFileSync, unlinkSync, chmodSync } from 'node:fs';
+import { platform } from 'node:os';
+import { resolve } from 'node:path';
+
+export function stateFilePath(rootDir) {
+  return resolve(rootDir, '.wizard-state.json');
+}
+
+export function readState(rootDir) {
+  const path = stateFilePath(rootDir);
+  if (!existsSync(path)) return {};
+  try { return JSON.parse(readFileSync(path, 'utf-8')); } catch { return {}; }
+}
+
+export function writeState(rootDir, partial) {
+  const merged = { ...readState(rootDir), ...partial };
+  const path = stateFilePath(rootDir);
+  writeFileSync(path, JSON.stringify(merged, null, 2) + '\n', 'utf-8');
+  if (platform() !== 'win32') {
+    try { chmodSync(path, 0o600); } catch { /* best-effort */ }
+  }
+  return merged;
+}
+
+export function resetStateFile(rootDir) {
+  const path = stateFilePath(rootDir);
+  if (existsSync(path)) unlinkSync(path);
+}
+
+export function getCompletedStep(state) {
+  return parseInt(state.COMPLETED_STEP ?? '0', 10);
+}
+
+export function setCompletedStep(rootDir, step) {
+  return writeState(rootDir, { COMPLETED_STEP: step });
+}

package/server/routes/onepassword.mjs

@@ -0,0 +1,16 @@
+// Routes for /api/1password — dynamic vault/item discovery
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const STEP3_PATH = resolve(__dirname, '..', 'steps', '03-app-registration.mjs');
+const step3 = await import(pathToFileURL(STEP3_PATH).href);
+
+export default async function onepasswordRoutes(fastify, opts) {
+  fastify.get('/items', async (req) => {
+    const vault = String(req.query.vault || '').trim();
+    if (!vault) return { items: [] };
+    const items = step3.listOpItems(vault);
+    return { items };
+  });
+}

package/server/routes/pty.mjs

@@ -0,0 +1,124 @@
+// wizard-ux/server/routes/pty.mjs
+// WebSocket-backed PTY bridge. Spawns a real shell in the repo root so wizard
+// commands like `pac auth create`, `op signin`, and `pac code push` get the
+// device-code prompts, biometric prompts, and progress bars they need.
+//
+// Protocol:
+//   - Binary frames (Buffer) from client = stdin bytes
+//   - Binary frames (Buffer) from server = stdout/stderr bytes
+//   - JSON text frames are control messages:
+//       client -> server: { type: 'resize', cols, rows }
+//                         { type: 'init',   cols, rows, cmd? }   // optional cmd auto-typed once shell is ready
+//       server -> client: { type: 'exit', code, signal }
+//
+// Security:
+//   - Connection upgrade requires `?token=<csrf>` query parameter that matches
+//     the CSRF token issued by /api/handshake.
+//   - Server is bound to 127.0.0.1; CORS already restricts origins.
+
+import websocketPlugin from '@fastify/websocket';
+import * as pty from 'node-pty';
+
+export default async function ptyRoutes(app, opts) {
+  const { rootDir, csrfToken } = opts;
+  if (!csrfToken) throw new Error('ptyRoutes requires csrfToken');
+
+  await app.register(websocketPlugin, {
+    options: { maxPayload: 1024 * 1024 },
+  });
+
+  app.get('/ws/pty', { websocket: true }, (socket, req) => {
+    const url = new URL(req.url, 'http://localhost');
+    const token = url.searchParams.get('token');
+    if (token !== csrfToken) {
+      app.log.warn({ ip: req.ip }, 'pty: rejected — bad token');
+      try { socket.close(4401, 'unauthorized'); } catch { /* ignore */ }
+      return;
+    }
+
+    const isWin = process.platform === 'win32';
+    const shell = isWin
+      ? (process.env.COMSPEC || 'powershell.exe')
+      : (process.env.SHELL || '/bin/zsh');
+    const shellArgs = isWin ? [] : ['-l'];
+
+    let term;
+    try {
+      term = pty.spawn(shell, shellArgs, {
+        name: 'xterm-256color',
+        cols: 80,
+        rows: 24,
+        cwd: rootDir,
+        env: { ...process.env, TERM: 'xterm-256color', WIZARD_UX: '1' },
+      });
+    } catch (err) {
+      app.log.error({ err }, 'pty: spawn failed');
+      try {
+        socket.send(JSON.stringify({ type: 'error', message: `Failed to spawn shell: ${err.message}` }));
+        socket.close(1011, 'spawn-failed');
+      } catch { /* ignore */ }
+      return;
+    }
+
+    app.log.info({ pid: term.pid, shell, cwd: rootDir }, 'pty: spawned');
+
+    term.onData((data) => {
+      try { socket.send(data); } catch { /* socket likely closed */ }
+    });
+
+    term.onExit(({ exitCode, signal }) => {
+      try {
+        socket.send(JSON.stringify({ type: 'exit', code: exitCode, signal }));
+        socket.close(1000, 'exit');
+      } catch { /* ignore */ }
+    });
+
+    socket.on('message', (raw, isBinary) => {
+      if (isBinary) {
+        try { term.write(raw); } catch { /* ignore */ }
+        return;
+      }
+      const text = raw.toString('utf8');
+      let msg;
+      try { msg = JSON.parse(text); } catch {
+        try { term.write(text); } catch { /* ignore */ }
+        return;
+      }
+      if (!msg || typeof msg !== 'object') return;
+
+      switch (msg.type) {
+        case 'init': {
+          const cols = Number.isFinite(msg.cols) ? Math.max(1, msg.cols | 0) : 80;
+          const rows = Number.isFinite(msg.rows) ? Math.max(1, msg.rows | 0) : 24;
+          try { term.resize(cols, rows); } catch { /* ignore */ }
+          if (typeof msg.cmd === 'string' && msg.cmd.trim()) {
+            const cmd = msg.cmd;
+            setTimeout(() => {
+              try { term.write(`${cmd}\r`); } catch { /* ignore */ }
+            }, 350);
+          }
+          break;
+        }
+        case 'resize': {
+          const cols = Math.max(1, (msg.cols | 0) || 80);
+          const rows = Math.max(1, (msg.rows | 0) || 24);
+          try { term.resize(cols, rows); } catch { /* ignore */ }
+          break;
+        }
+        case 'data': {
+          if (typeof msg.data === 'string') {
+            try { term.write(msg.data); } catch { /* ignore */ }
+          }
+          break;
+        }
+        default:
+          break;
+      }
+    });
+
+    socket.on('close', () => {
+      app.log.info({ pid: term.pid }, 'pty: socket closed; killing shell');
+      try { term.kill(); } catch { /* ignore */ }
+    });
+  });
+}