npm - @pixelbyte-software/pixcode - Versions diffs - 1.30.2 → 1.31.0 - Mend

@pixelbyte-software/pixcode 1.30.2 → 1.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (202) hide show

package/LICENSE +718 -718
package/README.de.md +248 -248
package/README.ja.md +240 -240
package/README.ko.md +240 -240
package/README.md +295 -285
package/README.ru.md +248 -248
package/README.tr.md +250 -250
package/README.zh-CN.md +240 -240
package/dist/api-docs.html +879 -879
package/dist/assets/index-BRRJ47XQ.css +32 -0
package/dist/assets/index-EQohwyiC.js +837 -0
package/dist/clear-cache.html +85 -85
package/dist/convert-icons.md +52 -52
package/dist/favicon.png +0 -0
package/dist/favicon.svg +7 -8
package/dist/generate-icons.js +48 -48
package/dist/icons/codex-white.svg +3 -3
package/dist/icons/codex.svg +3 -3
package/dist/icons/cursor-white.svg +11 -11
package/dist/icons/icon-128x128.png +0 -0
package/dist/icons/icon-128x128.svg +9 -12
package/dist/icons/icon-144x144.png +0 -0
package/dist/icons/icon-144x144.svg +9 -12
package/dist/icons/icon-152x152.png +0 -0
package/dist/icons/icon-152x152.svg +9 -12
package/dist/icons/icon-192x192.png +0 -0
package/dist/icons/icon-192x192.svg +9 -12
package/dist/icons/icon-384x384.png +0 -0
package/dist/icons/icon-384x384.svg +9 -12
package/dist/icons/icon-512x512.png +0 -0
package/dist/icons/icon-512x512.svg +9 -12
package/dist/icons/icon-72x72.png +0 -0
package/dist/icons/icon-72x72.svg +9 -12
package/dist/icons/icon-96x96.png +0 -0
package/dist/icons/icon-96x96.svg +9 -12
package/dist/icons/icon-template.svg +9 -12
package/dist/icons/qwen-ai-icon.png +0 -0
package/dist/index.html +59 -49
package/dist/logo.png +0 -0
package/dist/logo.svg +11 -16
package/dist/manifest.json +60 -60
package/dist/sw.js +124 -124
package/dist-server/server/cli.js +100 -97
package/dist-server/server/cli.js.map +1 -1
package/dist-server/server/daemon/manager.js +33 -33
package/dist-server/server/daemon-manager.js +62 -62
package/dist-server/server/database/db.js +114 -22
package/dist-server/server/database/db.js.map +1 -1
package/dist-server/server/database/schema.js +122 -89
package/dist-server/server/database/schema.js.map +1 -1
package/dist-server/server/gemini-cli.js +6 -1
package/dist-server/server/gemini-cli.js.map +1 -1
package/dist-server/server/index.js +234 -64
package/dist-server/server/index.js.map +1 -1
package/dist-server/server/modules/providers/list/claude/claude-auth.provider.js +29 -2
package/dist-server/server/modules/providers/list/claude/claude-auth.provider.js.map +1 -1
package/dist-server/server/modules/providers/list/codex/codex-auth.provider.js +22 -2
package/dist-server/server/modules/providers/list/codex/codex-auth.provider.js.map +1 -1
package/dist-server/server/modules/providers/list/cursor/cursor-auth.provider.js +2 -2
package/dist-server/server/modules/providers/list/cursor/cursor-auth.provider.js.map +1 -1
package/dist-server/server/modules/providers/list/gemini/gemini-auth.provider.js +14 -2
package/dist-server/server/modules/providers/list/gemini/gemini-auth.provider.js.map +1 -1
package/dist-server/server/modules/providers/list/qwen/qwen-auth.provider.js +132 -0
package/dist-server/server/modules/providers/list/qwen/qwen-auth.provider.js.map +1 -0
package/dist-server/server/modules/providers/list/qwen/qwen-mcp.provider.js +87 -0
package/dist-server/server/modules/providers/list/qwen/qwen-mcp.provider.js.map +1 -0
package/dist-server/server/modules/providers/list/qwen/qwen-sessions.provider.js +201 -0
package/dist-server/server/modules/providers/list/qwen/qwen-sessions.provider.js.map +1 -0
package/dist-server/server/modules/providers/list/qwen/qwen.provider.js +19 -0
package/dist-server/server/modules/providers/list/qwen/qwen.provider.js.map +1 -0
package/dist-server/server/modules/providers/provider.registry.js +2 -0
package/dist-server/server/modules/providers/provider.registry.js.map +1 -1
package/dist-server/server/modules/providers/provider.routes.js +310 -1
package/dist-server/server/modules/providers/provider.routes.js.map +1 -1
package/dist-server/server/projects.js +197 -6
package/dist-server/server/projects.js.map +1 -1
package/dist-server/server/qwen-code-cli.js +350 -0
package/dist-server/server/qwen-code-cli.js.map +1 -0
package/dist-server/server/qwen-response-handler.js +70 -0
package/dist-server/server/qwen-response-handler.js.map +1 -0
package/dist-server/server/routes/commands.js +25 -25
package/dist-server/server/routes/git.js +17 -17
package/dist-server/server/routes/network.js +116 -0
package/dist-server/server/routes/network.js.map +1 -0
package/dist-server/server/routes/projects.js +43 -0
package/dist-server/server/routes/projects.js.map +1 -1
package/dist-server/server/routes/qwen.js +23 -0
package/dist-server/server/routes/qwen.js.map +1 -0
package/dist-server/server/routes/taskmaster.js +419 -419
package/dist-server/server/routes/telegram.js +119 -0
package/dist-server/server/routes/telegram.js.map +1 -0
package/dist-server/server/services/external-access.js +228 -0
package/dist-server/server/services/external-access.js.map +1 -0
package/dist-server/server/services/install-jobs.js +394 -0
package/dist-server/server/services/install-jobs.js.map +1 -0
package/dist-server/server/services/notification-orchestrator.js +19 -5
package/dist-server/server/services/notification-orchestrator.js.map +1 -1
package/dist-server/server/services/provider-credentials.js +154 -0
package/dist-server/server/services/provider-credentials.js.map +1 -0
package/dist-server/server/services/provider-models.js +218 -0
package/dist-server/server/services/provider-models.js.map +1 -0
package/dist-server/server/services/telegram/bot.js +259 -0
package/dist-server/server/services/telegram/bot.js.map +1 -0
package/dist-server/server/services/telegram/translations.js +160 -0
package/dist-server/server/services/telegram/translations.js.map +1 -0
package/dist-server/server/utils/port-access.js +196 -0
package/dist-server/server/utils/port-access.js.map +1 -0
package/dist-server/shared/modelConstants.js +18 -0
package/dist-server/shared/modelConstants.js.map +1 -1
package/package.json +177 -168
package/scripts/fix-node-pty.js +67 -67
package/server/claude-sdk.js +834 -834
package/server/cli.js +940 -937
package/server/constants/config.js +4 -4
package/server/cursor-cli.js +342 -342
package/server/daemon/manager.js +564 -564
package/server/daemon-manager.js +920 -920
package/server/database/db.js +696 -593
package/server/database/schema.js +138 -102
package/server/gemini-cli.js +475 -469
package/server/gemini-response-handler.js +79 -79
package/server/index.js +2730 -2556
package/server/load-env.js +34 -34
package/server/middleware/auth.js +132 -132
package/server/modules/providers/list/claude/claude-auth.provider.ts +145 -123
package/server/modules/providers/list/claude/claude-mcp.provider.ts +135 -135
package/server/modules/providers/list/claude/claude-sessions.provider.ts +306 -306
package/server/modules/providers/list/claude/claude.provider.ts +15 -15
package/server/modules/providers/list/codex/codex-auth.provider.ts +115 -100
package/server/modules/providers/list/codex/codex-mcp.provider.ts +135 -135
package/server/modules/providers/list/codex/codex-sessions.provider.ts +319 -319
package/server/modules/providers/list/codex/codex.provider.ts +15 -15
package/server/modules/providers/list/cursor/cursor-auth.provider.ts +143 -143
package/server/modules/providers/list/cursor/cursor-mcp.provider.ts +108 -108
package/server/modules/providers/list/cursor/cursor-sessions.provider.ts +421 -421
package/server/modules/providers/list/cursor/cursor.provider.ts +15 -15
package/server/modules/providers/list/gemini/gemini-auth.provider.ts +163 -151
package/server/modules/providers/list/gemini/gemini-mcp.provider.ts +110 -110
package/server/modules/providers/list/gemini/gemini-sessions.provider.ts +227 -227
package/server/modules/providers/list/gemini/gemini.provider.ts +15 -15
package/server/modules/providers/list/qwen/qwen-auth.provider.ts +145 -0
package/server/modules/providers/list/qwen/qwen-mcp.provider.ts +114 -0
package/server/modules/providers/list/qwen/qwen-sessions.provider.ts +218 -0
package/server/modules/providers/list/qwen/qwen.provider.ts +21 -0
package/server/modules/providers/provider.registry.ts +38 -36
package/server/modules/providers/provider.routes.ts +583 -217
package/server/modules/providers/services/mcp.service.ts +94 -94
package/server/modules/providers/services/provider-auth.service.ts +26 -26
package/server/modules/providers/services/sessions.service.ts +45 -45
package/server/modules/providers/shared/base/abstract.provider.ts +20 -20
package/server/modules/providers/shared/mcp/mcp.provider.ts +151 -151
package/server/modules/providers/tests/mcp.test.ts +293 -293
package/server/openai-codex.js +426 -426
package/server/projects.js +2993 -2792
package/server/qwen-code-cli.js +392 -0
package/server/qwen-response-handler.js +73 -0
package/server/routes/agent.js +1245 -1245
package/server/routes/auth.js +134 -134
package/server/routes/codex.js +19 -19
package/server/routes/commands.js +554 -554
package/server/routes/cursor.js +52 -52
package/server/routes/gemini.js +24 -24
package/server/routes/git.js +1488 -1488
package/server/routes/mcp-utils.js +31 -31
package/server/routes/messages.js +61 -61
package/server/routes/network.js +128 -0
package/server/routes/plugins.js +307 -307
package/server/routes/projects.js +675 -627
package/server/routes/qwen.js +27 -0
package/server/routes/settings.js +286 -286
package/server/routes/taskmaster.js +1471 -1471
package/server/routes/telegram.js +125 -0
package/server/routes/user.js +123 -123
package/server/services/external-access.js +240 -0
package/server/services/install-jobs.js +410 -0
package/server/services/notification-orchestrator.js +242 -227
package/server/services/provider-credentials.js +151 -0
package/server/services/provider-models.js +225 -0
package/server/services/telegram/bot.js +280 -0
package/server/services/telegram/translations.js +170 -0
package/server/services/vapid-keys.js +35 -35
package/server/sessionManager.js +225 -225
package/server/shared/interfaces.ts +54 -54
package/server/shared/types.ts +172 -172
package/server/shared/utils.ts +193 -193
package/server/tsconfig.json +36 -36
package/server/utils/colors.js +21 -21
package/server/utils/commandParser.js +303 -303
package/server/utils/frontmatter.js +18 -18
package/server/utils/gitConfig.js +34 -34
package/server/utils/mcp-detector.js +147 -147
package/server/utils/plugin-loader.js +457 -457
package/server/utils/plugin-process-manager.js +184 -184
package/server/utils/port-access.js +209 -0
package/server/utils/runtime-paths.js +37 -37
package/server/utils/taskmaster-websocket.js +128 -128
package/server/utils/url-detection.js +71 -71
package/server/vite-daemon.js +78 -78
package/shared/modelConstants.js +117 -97
package/shared/networkHosts.js +22 -22
package/dist/assets/index-C2c9QNwK.css +0 -32
package/dist/assets/index-DyXDZED-.js +0 -1277

package/server/routes/telegram.js ADDED Viewed

@@ -0,0 +1,125 @@
+import express from 'express';
+import { telegramLinksDb } from '../database/db.js';
+import {
+  createPairingCode,
+  getBotState,
+  getPublicConfig,
+  removeBotConfig,
+  startBot,
+  stopBot,
+} from '../services/telegram/bot.js';
+import { SUPPORTED_LANGUAGES } from '../services/telegram/translations.js';
+const router = express.Router();
+const sanitizeLanguage = (raw) => {
+  if (typeof raw !== 'string') return 'en';
+  return SUPPORTED_LANGUAGES.includes(raw) ? raw : 'en';
+};
+// GET /api/telegram/status — combined bot + personal link state
+router.get('/status', (req, res) => {
+  try {
+    const bot = getBotState();
+    const config = getPublicConfig();
+    const link = telegramLinksDb.getByUserId(req.user.id);
+    res.json({
+      bot: { ...bot, ...config },
+      link: link
+        ? {
+            paired: Boolean(link.chat_id && link.verified_at),
+            telegramUsername: link.telegram_username,
+            language: link.language,
+            notificationsEnabled: Boolean(link.notifications_enabled),
+            bridgeEnabled: Boolean(link.bridge_enabled),
+            pairingCode: link.pairing_code,
+            pairingExpiresAt: link.pairing_code_expires_at,
+            verifiedAt: link.verified_at,
+          }
+        : null,
+    });
+  } catch (error) {
+    console.error('telegram/status failed:', error);
+    res.status(500).json({ error: 'Failed to read Telegram status' });
+  }
+});
+// POST /api/telegram/bot — save token and start the bot
+router.post('/bot', async (req, res) => {
+  const { token } = req.body || {};
+  if (typeof token !== 'string' || token.length < 10) {
+    return res.status(400).json({ error: 'A valid bot token is required' });
+  }
+  try {
+    const info = await startBot({ token });
+    res.json({ success: true, bot: { ...getBotState(), configured: true, username: info.username } });
+  } catch (error) {
+    console.error('telegram/bot start failed:', error);
+    const status = error?.code === 'INVALID_TOKEN' ? 400 : 502;
+    res.status(status).json({ error: error?.message || 'Failed to start bot' });
+  }
+});
+// DELETE /api/telegram/bot — stop and remove the configured bot
+router.delete('/bot', async (req, res) => {
+  try {
+    await removeBotConfig();
+    res.json({ success: true, bot: getBotState() });
+  } catch (error) {
+    console.error('telegram/bot remove failed:', error);
+    res.status(502).json({ error: 'Failed to remove bot' });
+  }
+});
+// POST /api/telegram/bot/stop — stop polling but keep the token
+router.post('/bot/stop', async (req, res) => {
+  try {
+    await stopBot();
+    res.json({ success: true, bot: getBotState() });
+  } catch (error) {
+    console.error('telegram/bot/stop failed:', error);
+    res.status(502).json({ error: 'Failed to stop bot' });
+  }
+});
+// POST /api/telegram/pairing-code — (re)generate a 6-digit code for this user
+router.post('/pairing-code', (req, res) => {
+  try {
+    const language = sanitizeLanguage(req.body?.language);
+    const { code, expiresAt } = createPairingCode(req.user.id, language);
+    res.json({ success: true, code, expiresAt, language });
+  } catch (error) {
+    console.error('telegram/pairing-code failed:', error);
+    res.status(500).json({ error: 'Failed to generate pairing code' });
+  }
+});
+// PATCH /api/telegram/link — update language / toggles on the user's link
+router.patch('/link', (req, res) => {
+  try {
+    const { language, notificationsEnabled, bridgeEnabled } = req.body || {};
+    const payload = {};
+    if (language !== undefined) payload.language = sanitizeLanguage(language);
+    if (notificationsEnabled !== undefined) payload.notificationsEnabled = Boolean(notificationsEnabled);
+    if (bridgeEnabled !== undefined) payload.bridgeEnabled = Boolean(bridgeEnabled);
+    telegramLinksDb.updatePreferences(req.user.id, payload);
+    res.json({ success: true, link: telegramLinksDb.getByUserId(req.user.id) });
+  } catch (error) {
+    console.error('telegram/link patch failed:', error);
+    res.status(500).json({ error: 'Failed to update link' });
+  }
+});
+// DELETE /api/telegram/link — unpair
+router.delete('/link', (req, res) => {
+  try {
+    telegramLinksDb.unlink(req.user.id);
+    res.json({ success: true });
+  } catch (error) {
+    console.error('telegram/link delete failed:', error);
+    res.status(500).json({ error: 'Failed to unpair' });
+  }
+});
+export default router;

package/server/routes/user.js CHANGED Viewed

@@ -1,123 +1,123 @@
-import express from 'express';
-import { userDb } from '../database/db.js';
-import { authenticateToken } from '../middleware/auth.js';
-import { getSystemGitConfig } from '../utils/gitConfig.js';
-import { spawn } from 'child_process';
-const router = express.Router();
-function spawnAsync(command, args, options = {}) {
-  return new Promise((resolve, reject) => {
-    const child = spawn(command, args, { ...options, shell: false });
-    let stdout = '';
-    let stderr = '';
-    child.stdout.on('data', (data) => { stdout += data.toString(); });
-    child.stderr.on('data', (data) => { stderr += data.toString(); });
-    child.on('error', (error) => { reject(error); });
-    child.on('close', (code) => {
-      if (code === 0) { resolve({ stdout, stderr }); return; }
-      const error = new Error(`Command failed: ${command} ${args.join(' ')}`);
-      error.code = code;
-      error.stdout = stdout;
-      error.stderr = stderr;
-      reject(error);
-    });
-  });
-}
-router.get('/git-config', authenticateToken, async (req, res) => {
-  try {
-    const userId = req.user.id;
-    let gitConfig = userDb.getGitConfig(userId);
-    // If database is empty, try to get from system git config
-    if (!gitConfig || (!gitConfig.git_name && !gitConfig.git_email)) {
-      const systemConfig = await getSystemGitConfig();
-      // If system has values, save them to database for this user
-      if (systemConfig.git_name || systemConfig.git_email) {
-        userDb.updateGitConfig(userId, systemConfig.git_name, systemConfig.git_email);
-        gitConfig = systemConfig;
-        console.log(`Auto-populated git config from system for user ${userId}: ${systemConfig.git_name} <${systemConfig.git_email}>`);
-      }
-    }
-    res.json({
-      success: true,
-      gitName: gitConfig?.git_name || null,
-      gitEmail: gitConfig?.git_email || null
-    });
-  } catch (error) {
-    console.error('Error getting git config:', error);
-    res.status(500).json({ error: 'Failed to get git configuration' });
-  }
-});
-// Apply git config globally via git config --global
-router.post('/git-config', authenticateToken, async (req, res) => {
-  try {
-    const userId = req.user.id;
-    const { gitName, gitEmail } = req.body;
-    if (!gitName || !gitEmail) {
-      return res.status(400).json({ error: 'Git name and email are required' });
-    }
-    // Validate email format
-    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-    if (!emailRegex.test(gitEmail)) {
-      return res.status(400).json({ error: 'Invalid email format' });
-    }
-    userDb.updateGitConfig(userId, gitName, gitEmail);
-    try {
-      await spawnAsync('git', ['config', '--global', 'user.name', gitName]);
-      await spawnAsync('git', ['config', '--global', 'user.email', gitEmail]);
-      console.log(`Applied git config globally: ${gitName} <${gitEmail}>`);
-    } catch (gitError) {
-      console.error('Error applying git config:', gitError);
-    }
-    res.json({
-      success: true,
-      gitName,
-      gitEmail
-    });
-  } catch (error) {
-    console.error('Error updating git config:', error);
-    res.status(500).json({ error: 'Failed to update git configuration' });
-  }
-});
-router.post('/complete-onboarding', authenticateToken, async (req, res) => {
-  try {
-    const userId = req.user.id;
-    userDb.completeOnboarding(userId);
-    res.json({
-      success: true,
-      message: 'Onboarding completed successfully'
-    });
-  } catch (error) {
-    console.error('Error completing onboarding:', error);
-    res.status(500).json({ error: 'Failed to complete onboarding' });
-  }
-});
-router.get('/onboarding-status', authenticateToken, async (req, res) => {
-  try {
-    const userId = req.user.id;
-    const hasCompleted = userDb.hasCompletedOnboarding(userId);
-    res.json({
-      success: true,
-      hasCompletedOnboarding: hasCompleted
-    });
-  } catch (error) {
-    console.error('Error checking onboarding status:', error);
-    res.status(500).json({ error: 'Failed to check onboarding status' });
-  }
-});
-export default router;
+import express from 'express';
+import { userDb } from '../database/db.js';
+import { authenticateToken } from '../middleware/auth.js';
+import { getSystemGitConfig } from '../utils/gitConfig.js';
+import { spawn } from 'child_process';
+const router = express.Router();
+function spawnAsync(command, args, options = {}) {
+  return new Promise((resolve, reject) => {
+    const child = spawn(command, args, { ...options, shell: false });
+    let stdout = '';
+    let stderr = '';
+    child.stdout.on('data', (data) => { stdout += data.toString(); });
+    child.stderr.on('data', (data) => { stderr += data.toString(); });
+    child.on('error', (error) => { reject(error); });
+    child.on('close', (code) => {
+      if (code === 0) { resolve({ stdout, stderr }); return; }
+      const error = new Error(`Command failed: ${command} ${args.join(' ')}`);
+      error.code = code;
+      error.stdout = stdout;
+      error.stderr = stderr;
+      reject(error);
+    });
+  });
+}
+router.get('/git-config', authenticateToken, async (req, res) => {
+  try {
+    const userId = req.user.id;
+    let gitConfig = userDb.getGitConfig(userId);
+    // If database is empty, try to get from system git config
+    if (!gitConfig || (!gitConfig.git_name && !gitConfig.git_email)) {
+      const systemConfig = await getSystemGitConfig();
+      // If system has values, save them to database for this user
+      if (systemConfig.git_name || systemConfig.git_email) {
+        userDb.updateGitConfig(userId, systemConfig.git_name, systemConfig.git_email);
+        gitConfig = systemConfig;
+        console.log(`Auto-populated git config from system for user ${userId}: ${systemConfig.git_name} <${systemConfig.git_email}>`);
+      }
+    }
+    res.json({
+      success: true,
+      gitName: gitConfig?.git_name || null,
+      gitEmail: gitConfig?.git_email || null
+    });
+  } catch (error) {
+    console.error('Error getting git config:', error);
+    res.status(500).json({ error: 'Failed to get git configuration' });
+  }
+});
+// Apply git config globally via git config --global
+router.post('/git-config', authenticateToken, async (req, res) => {
+  try {
+    const userId = req.user.id;
+    const { gitName, gitEmail } = req.body;
+    if (!gitName || !gitEmail) {
+      return res.status(400).json({ error: 'Git name and email are required' });
+    }
+    // Validate email format
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(gitEmail)) {
+      return res.status(400).json({ error: 'Invalid email format' });
+    }
+    userDb.updateGitConfig(userId, gitName, gitEmail);
+    try {
+      await spawnAsync('git', ['config', '--global', 'user.name', gitName]);
+      await spawnAsync('git', ['config', '--global', 'user.email', gitEmail]);
+      console.log(`Applied git config globally: ${gitName} <${gitEmail}>`);
+    } catch (gitError) {
+      console.error('Error applying git config:', gitError);
+    }
+    res.json({
+      success: true,
+      gitName,
+      gitEmail
+    });
+  } catch (error) {
+    console.error('Error updating git config:', error);
+    res.status(500).json({ error: 'Failed to update git configuration' });
+  }
+});
+router.post('/complete-onboarding', authenticateToken, async (req, res) => {
+  try {
+    const userId = req.user.id;
+    userDb.completeOnboarding(userId);
+    res.json({
+      success: true,
+      message: 'Onboarding completed successfully'
+    });
+  } catch (error) {
+    console.error('Error completing onboarding:', error);
+    res.status(500).json({ error: 'Failed to complete onboarding' });
+  }
+});
+router.get('/onboarding-status', authenticateToken, async (req, res) => {
+  try {
+    const userId = req.user.id;
+    const hasCompleted = userDb.hasCompletedOnboarding(userId);
+    res.json({
+      success: true,
+      hasCompletedOnboarding: hasCompleted
+    });
+  } catch (error) {
+    console.error('Error checking onboarding status:', error);
+    res.status(500).json({ error: 'Failed to check onboarding status' });
+  }
+});
+export default router;

package/server/services/external-access.js ADDED Viewed

@@ -0,0 +1,240 @@
+import { spawn } from 'node:child_process';
+import { createRequire } from 'node:module';
+const requireCjs = createRequire(import.meta.url);
+// nat-upnp is CommonJS and callback-based. We wrap it in promises and keep
+// one shared client per process. The client is lazily created so importing
+// this module does not try to bind SSDP sockets at boot.
+let upnpClient = null;
+const getUpnpClient = () => {
+  if (!upnpClient) {
+    const nat = requireCjs('nat-upnp');
+    upnpClient = nat.createClient();
+  }
+  return upnpClient;
+};
+let upnpState = {
+  mapped: false,
+  port: null,
+  externalIp: null,
+  externalUrl: null,
+  error: null,
+};
+// A UPnP mapping request can hang forever if the router never answers SSDP.
+// Cap every call so the HTTP endpoint doesn't dangle — we surface a clean
+// failure and the user can try tunnel mode instead.
+const withTimeout = (promise, ms, label) =>
+  Promise.race([
+    promise,
+    new Promise((_, reject) => setTimeout(() => reject(new Error(`${label} timed out after ${ms}ms`)), ms)),
+  ]);
+const promisifyUpnp = (method, arg) =>
+  new Promise((resolve, reject) => {
+    const client = getUpnpClient();
+    const cb = (err, result) => (err ? reject(err) : resolve(result));
+    if (arg === undefined) {
+      client[method](cb);
+    } else {
+      client[method](arg, cb);
+    }
+  });
+export const enableUpnp = async ({ port }) => {
+  upnpState = { ...upnpState, error: null };
+  try {
+    await withTimeout(
+      promisifyUpnp('portMapping', {
+        public: port,
+        private: port,
+        // ttl:0 is documented as "never expire" — routers honor it differently,
+        // but it's the least surprising default. We leave renewal to the user
+        // clicking "enable" again if the router drops the lease.
+        ttl: 0,
+        description: 'Pixcode',
+        protocol: 'tcp',
+      }),
+      8000,
+      'UPnP portMapping',
+    );
+    const externalIp = await withTimeout(promisifyUpnp('externalIp'), 5000, 'UPnP externalIp');
+    upnpState = {
+      mapped: true,
+      port,
+      externalIp,
+      externalUrl: externalIp ? `http://${externalIp}:${port}` : null,
+      error: null,
+    };
+    return upnpState;
+  } catch (err) {
+    upnpState = {
+      mapped: false,
+      port,
+      externalIp: null,
+      externalUrl: null,
+      error: err?.message || String(err),
+    };
+    throw err;
+  }
+};
+export const disableUpnp = async ({ port }) => {
+  try {
+    await withTimeout(promisifyUpnp('portUnmapping', { public: port, protocol: 'tcp' }), 5000, 'UPnP portUnmapping');
+  } catch (err) {
+    upnpState = { ...upnpState, error: err?.message || String(err) };
+    throw err;
+  }
+  upnpState = { mapped: false, port: null, externalIp: null, externalUrl: null, error: null };
+  return upnpState;
+};
+export const getUpnpState = () => upnpState;
+// ============================================================================
+// Tunnel: detect cloudflared / ngrok and spawn; extract the public URL from
+// stdout. We keep a single live tunnel per process — starting a new one
+// stops the previous one to avoid dangling child processes.
+// ============================================================================
+let tunnelProc = null;
+let tunnelState = {
+  running: false,
+  binary: null, // 'cloudflared' | 'ngrok'
+  url: null,
+  error: null,
+  log: [],
+};
+const appendLog = (line) => {
+  // Tunnels can be noisy. Cap the tail we retain so a long-running tunnel
+  // doesn't grow the log into an OOM risk.
+  tunnelState.log.push(line);
+  if (tunnelState.log.length > 200) tunnelState.log.shift();
+};
+const detectBinary = async () => {
+  const candidates = ['cloudflared', 'ngrok'];
+  for (const name of candidates) {
+    try {
+      // `which` isn't guaranteed on Windows; we probe with `--version` instead
+      // so the same code path works on Unix and Windows Command Prompt.
+      await new Promise((resolve, reject) => {
+        const child = spawn(name, ['--version'], { stdio: 'ignore' });
+        child.on('error', reject);
+        child.on('exit', (code) => (code === 0 ? resolve() : reject(new Error(`exit ${code}`))));
+      });
+      return name;
+    } catch {
+      // try next
+    }
+  }
+  return null;
+};
+const cloudflareUrlRegex = /https?:\/\/[a-z0-9.-]+trycloudflare\.com/i;
+const ngrokUrlRegex = /https?:\/\/[a-z0-9.-]+\.ngrok(-free)?\.(app|io)/i;
+const buildTunnelArgs = (binary, port) => {
+  if (binary === 'cloudflared') return ['tunnel', '--url', `http://localhost:${port}`];
+  if (binary === 'ngrok') return ['http', String(port), '--log', 'stdout', '--log-format', 'logfmt'];
+  throw new Error(`Unsupported tunnel binary: ${binary}`);
+};
+const extractUrl = (binary, text) => {
+  if (binary === 'cloudflared') return text.match(cloudflareUrlRegex)?.[0] ?? null;
+  if (binary === 'ngrok') return text.match(ngrokUrlRegex)?.[0] ?? null;
+  return null;
+};
+export const startTunnel = async ({ port }) => {
+  if (tunnelProc) {
+    // Already running — tell the caller to stop it first rather than silently
+    // replacing, which would orphan the old child and lie about state.
+    throw new Error('Tunnel already running; stop it first');
+  }
+  const binary = await detectBinary();
+  if (!binary) {
+    tunnelState = { running: false, binary: null, url: null, error: 'No tunnel binary found', log: [] };
+    const err = new Error('No tunnel binary found (tried cloudflared, ngrok)');
+    err.code = 'ENOENT_TUNNEL';
+    throw err;
+  }
+  const args = buildTunnelArgs(binary, port);
+  const child = spawn(binary, args, { stdio: ['ignore', 'pipe', 'pipe'] });
+  tunnelProc = child;
+  tunnelState = { running: true, binary, url: null, error: null, log: [] };
+  const handleChunk = (chunk) => {
+    const text = chunk.toString();
+    text.split(/\r?\n/).filter(Boolean).forEach(appendLog);
+    if (!tunnelState.url) {
+      const url = extractUrl(binary, text);
+      if (url) tunnelState.url = url;
+    }
+  };
+  child.stdout.on('data', handleChunk);
+  child.stderr.on('data', handleChunk);
+  child.on('exit', (code) => {
+    tunnelProc = null;
+    tunnelState = {
+      running: false,
+      binary,
+      url: null,
+      error: code === 0 ? null : `Tunnel exited with code ${code}`,
+      log: tunnelState.log,
+    };
+  });
+  // Wait up to 15s for the public URL to appear in the log. We don't block
+  // indefinitely — if the binary is hanging on login/auth, the UI should see
+  // a clear failure instead of a spinner that never resolves.
+  const start = Date.now();
+  while (Date.now() - start < 15000) {
+    if (tunnelState.url) return tunnelState;
+    if (!tunnelProc) break; // process died early
+    // eslint-disable-next-line no-await-in-loop
+    await new Promise((r) => setTimeout(r, 250));
+  }
+  if (!tunnelState.url) {
+    // If we never captured a URL, kill the child so we don't leak it.
+    try { child.kill(); } catch { /* ignore */ }
+    tunnelProc = null;
+    tunnelState = { ...tunnelState, running: false, error: 'Tunnel did not report a public URL' };
+    throw new Error(tunnelState.error);
+  }
+  return tunnelState;
+};
+export const stopTunnel = async () => {
+  if (!tunnelProc) {
+    tunnelState = { running: false, binary: null, url: null, error: null, log: [] };
+    return tunnelState;
+  }
+  try {
+    tunnelProc.kill();
+  } catch {
+    // already dead
+  }
+  tunnelProc = null;
+  tunnelState = { running: false, binary: null, url: null, error: null, log: [] };
+  return tunnelState;
+};
+export const getTunnelState = () => tunnelState;
+// Explicit cleanup so the server process can shut down without leaking the
+// child tunnel process.
+process.on('exit', () => {
+  if (tunnelProc) {
+    try { tunnelProc.kill(); } catch { /* ignore */ }
+  }
+});