npm - @pixelbyte-software/pixcode - Versions diffs - 1.35.2 → 1.35.4 - Mend

@pixelbyte-software/pixcode 1.35.2 → 1.35.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (228) hide show

package/LICENSE +718 -718
package/README.de.md +248 -248
package/README.ja.md +240 -240
package/README.ko.md +240 -240
package/README.md +303 -303
package/README.ru.md +248 -248
package/README.tr.md +250 -250
package/README.zh-CN.md +240 -240
package/dist/api-docs.html +548 -548
package/dist/assets/index-BwmhA_le.css +32 -0
package/dist/assets/{index-D1-AIL_5.js → index-CyxRiNt0.js} +182 -182
package/dist/clear-cache.html +85 -85
package/dist/convert-icons.md +52 -52
package/dist/favicon.svg +8 -8
package/dist/generate-icons.js +48 -48
package/dist/icons/codex-white.svg +3 -3
package/dist/icons/codex.svg +3 -3
package/dist/icons/cursor-white.svg +11 -11
package/dist/icons/icon-128x128.svg +9 -9
package/dist/icons/icon-144x144.svg +9 -9
package/dist/icons/icon-152x152.svg +9 -9
package/dist/icons/icon-192x192.svg +9 -9
package/dist/icons/icon-384x384.svg +9 -9
package/dist/icons/icon-512x512.svg +9 -9
package/dist/icons/icon-72x72.svg +9 -9
package/dist/icons/icon-96x96.svg +9 -9
package/dist/icons/icon-template.svg +9 -9
package/dist/icons/qwen-logo.svg +14 -14
package/dist/index.html +59 -59
package/dist/logo.svg +12 -12
package/dist/manifest.json +60 -60
package/dist/openapi.yaml +1693 -1693
package/dist/sw.js +124 -124
package/dist-server/server/cli.js +96 -96
package/dist-server/server/cli.js.map +1 -1
package/dist-server/server/cursor-cli.js.map +1 -1
package/dist-server/server/daemon/manager.js +33 -33
package/dist-server/server/daemon-manager.js +64 -64
package/dist-server/server/gemini-cli.js +4 -4
package/dist-server/server/gemini-cli.js.map +1 -1
package/dist-server/server/index.js +11 -11
package/dist-server/server/index.js.map +1 -1
package/dist-server/server/load-env.js.map +1 -1
package/dist-server/server/middleware/auth.js.map +1 -1
package/dist-server/server/modules/orchestration/tasks/orchestration-task.routes.js.map +1 -1
package/dist-server/server/modules/providers/list/claude/claude-auth.provider.js +1 -1
package/dist-server/server/modules/providers/list/claude/claude-auth.provider.js.map +1 -1
package/dist-server/server/modules/providers/list/codex/codex-auth.provider.js +1 -1
package/dist-server/server/modules/providers/list/codex/codex-auth.provider.js.map +1 -1
package/dist-server/server/modules/providers/list/gemini/gemini-auth.provider.js +1 -1
package/dist-server/server/modules/providers/list/gemini/gemini-auth.provider.js.map +1 -1
package/dist-server/server/modules/providers/list/opencode/opencode-auth.provider.js +1 -1
package/dist-server/server/modules/providers/list/opencode/opencode-auth.provider.js.map +1 -1
package/dist-server/server/modules/providers/list/qwen/qwen-auth.provider.js +1 -1
package/dist-server/server/modules/providers/list/qwen/qwen-auth.provider.js.map +1 -1
package/dist-server/server/modules/providers/provider.routes.js +3 -6
package/dist-server/server/modules/providers/provider.routes.js.map +1 -1
package/dist-server/server/opencode-cli.js +1 -1
package/dist-server/server/opencode-cli.js.map +1 -1
package/dist-server/server/projects.js +2 -3
package/dist-server/server/projects.js.map +1 -1
package/dist-server/server/qwen-code-cli.js +1 -1
package/dist-server/server/qwen-code-cli.js.map +1 -1
package/dist-server/server/routes/agent.js +3 -3
package/dist-server/server/routes/agent.js.map +1 -1
package/dist-server/server/routes/auth.js.map +1 -1
package/dist-server/server/routes/codex.js.map +1 -1
package/dist-server/server/routes/commands.js +26 -26
package/dist-server/server/routes/commands.js.map +1 -1
package/dist-server/server/routes/cursor.js +1 -1
package/dist-server/server/routes/cursor.js.map +1 -1
package/dist-server/server/routes/gemini.js.map +1 -1
package/dist-server/server/routes/git.js +18 -18
package/dist-server/server/routes/git.js.map +1 -1
package/dist-server/server/routes/mcp-utils.js.map +1 -1
package/dist-server/server/routes/messages.js.map +1 -1
package/dist-server/server/routes/network.js +1 -1
package/dist-server/server/routes/network.js.map +1 -1
package/dist-server/server/routes/plugins.js +2 -2
package/dist-server/server/routes/plugins.js.map +1 -1
package/dist-server/server/routes/projects.js +1 -1
package/dist-server/server/routes/projects.js.map +1 -1
package/dist-server/server/routes/settings.js.map +1 -1
package/dist-server/server/routes/taskmaster.js +423 -424
package/dist-server/server/routes/taskmaster.js.map +1 -1
package/dist-server/server/routes/user.js +1 -1
package/dist-server/server/routes/user.js.map +1 -1
package/dist-server/server/services/external-access.js +0 -1
package/dist-server/server/services/external-access.js.map +1 -1
package/dist-server/server/services/notification-orchestrator.js.map +1 -1
package/dist-server/server/utils/commandParser.js.map +1 -1
package/dist-server/server/utils/plugin-process-manager.js.map +1 -1
package/dist-server/server/vite-daemon.js.map +1 -1
package/package.json +180 -180
package/scripts/fix-node-pty.js +67 -67
package/scripts/smoke/a2a-roundtrip.mjs +167 -167
package/scripts/smoke/orchestration-api.mjs +172 -172
package/scripts/smoke/orchestration-live-run.mjs +176 -176
package/server/claude-sdk.js +898 -898
package/server/cli.js +936 -935
package/server/constants/config.js +4 -4
package/server/cursor-cli.js +344 -342
package/server/daemon/manager.js +564 -564
package/server/daemon-manager.js +959 -959
package/server/database/db.js +794 -794
package/server/database/json-store.js +197 -197
package/server/gemini-cli.js +536 -535
package/server/gemini-response-handler.js +79 -79
package/server/index.js +3138 -3135
package/server/load-env.js +35 -34
package/server/middleware/auth.js +174 -173
package/server/modules/orchestration/a2a/adapter-registry.ts +108 -108
package/server/modules/orchestration/a2a/adapters/abstract-a2a.adapter.ts +55 -55
package/server/modules/orchestration/a2a/adapters/claude-code.adapter.ts +284 -284
package/server/modules/orchestration/a2a/adapters/codex.adapter.ts +244 -244
package/server/modules/orchestration/a2a/adapters/cursor.adapter.ts +249 -249
package/server/modules/orchestration/a2a/adapters/gemini.adapter.ts +248 -248
package/server/modules/orchestration/a2a/adapters/opencode.adapter.ts +248 -248
package/server/modules/orchestration/a2a/adapters/qwen.adapter.ts +248 -248
package/server/modules/orchestration/a2a/routes.ts +577 -577
package/server/modules/orchestration/a2a/task-store.ts +178 -178
package/server/modules/orchestration/a2a/types.ts +125 -125
package/server/modules/orchestration/a2a/validator.ts +113 -113
package/server/modules/orchestration/index.ts +66 -66
package/server/modules/orchestration/preview/port-watcher.ts +112 -112
package/server/modules/orchestration/preview/preview-proxy.ts +60 -60
package/server/modules/orchestration/preview/types.ts +19 -19
package/server/modules/orchestration/tasks/orchestration-task-store.ts +45 -45
package/server/modules/orchestration/tasks/orchestration-task.routes.ts +74 -73
package/server/modules/orchestration/tasks/orchestration-task.service.ts +145 -145
package/server/modules/orchestration/tasks/orchestration-task.types.ts +29 -29
package/server/modules/orchestration/workflows/built-in-workflows.ts +127 -127
package/server/modules/orchestration/workflows/workflow-runner.ts +1206 -1206
package/server/modules/orchestration/workflows/workflow-store.ts +97 -97
package/server/modules/orchestration/workflows/workflow.routes.ts +169 -169
package/server/modules/orchestration/workflows/workflow.types.ts +70 -70
package/server/modules/orchestration/workflows/workspace-target.ts +120 -120
package/server/modules/orchestration/workspace/docker-workspace.ts +135 -135
package/server/modules/orchestration/workspace/path-safety.ts +55 -55
package/server/modules/orchestration/workspace/types.ts +52 -52
package/server/modules/orchestration/workspace/workspace-manager.ts +97 -97
package/server/modules/orchestration/workspace/worktree-workspace.ts +125 -125
package/server/modules/providers/index.ts +2 -2
package/server/modules/providers/list/claude/claude-auth.provider.ts +146 -145
package/server/modules/providers/list/claude/claude-mcp.provider.ts +135 -135
package/server/modules/providers/list/claude/claude-sessions.provider.ts +306 -306
package/server/modules/providers/list/claude/claude.provider.ts +15 -15
package/server/modules/providers/list/codex/codex-auth.provider.ts +116 -115
package/server/modules/providers/list/codex/codex-mcp.provider.ts +135 -135
package/server/modules/providers/list/codex/codex-sessions.provider.ts +319 -319
package/server/modules/providers/list/codex/codex.provider.ts +15 -15
package/server/modules/providers/list/cursor/cursor-auth.provider.ts +143 -143
package/server/modules/providers/list/cursor/cursor-mcp.provider.ts +108 -108
package/server/modules/providers/list/cursor/cursor-sessions.provider.ts +421 -421
package/server/modules/providers/list/cursor/cursor.provider.ts +15 -15
package/server/modules/providers/list/gemini/gemini-auth.provider.ts +164 -163
package/server/modules/providers/list/gemini/gemini-mcp.provider.ts +110 -110
package/server/modules/providers/list/gemini/gemini-sessions.provider.ts +227 -227
package/server/modules/providers/list/gemini/gemini.provider.ts +15 -15
package/server/modules/providers/list/opencode/opencode-auth.provider.ts +131 -130
package/server/modules/providers/list/opencode/opencode-mcp.provider.ts +126 -126
package/server/modules/providers/list/opencode/opencode-sessions.provider.ts +232 -232
package/server/modules/providers/list/opencode/opencode.provider.ts +29 -29
package/server/modules/providers/list/qwen/qwen-auth.provider.ts +146 -145
package/server/modules/providers/list/qwen/qwen-mcp.provider.ts +114 -114
package/server/modules/providers/list/qwen/qwen-sessions.provider.ts +265 -265
package/server/modules/providers/list/qwen/qwen.provider.ts +21 -21
package/server/modules/providers/provider.registry.ts +40 -40
package/server/modules/providers/provider.routes.ts +822 -819
package/server/modules/providers/services/mcp.service.ts +86 -86
package/server/modules/providers/services/provider-auth.service.ts +26 -26
package/server/modules/providers/services/sessions.service.ts +45 -45
package/server/modules/providers/shared/base/abstract.provider.ts +20 -20
package/server/modules/providers/shared/mcp/mcp.provider.ts +151 -151
package/server/modules/providers/shared/provider-configs.ts +142 -142
package/server/modules/providers/tests/mcp.test.ts +293 -293
package/server/openai-codex.js +462 -462
package/server/opencode-cli.js +460 -459
package/server/opencode-response-handler.js +107 -107
package/server/projects.js +3106 -3105
package/server/qwen-code-cli.js +396 -395
package/server/qwen-response-handler.js +73 -73
package/server/routes/agent.js +1367 -1365
package/server/routes/auth.js +139 -138
package/server/routes/codex.js +20 -19
package/server/routes/commands.js +556 -554
package/server/routes/cursor.js +54 -52
package/server/routes/gemini.js +25 -24
package/server/routes/git.js +1490 -1488
package/server/routes/mcp-utils.js +32 -31
package/server/routes/messages.js +62 -61
package/server/routes/network.js +121 -120
package/server/routes/plugins.js +320 -318
package/server/routes/projects.js +917 -915
package/server/routes/qwen.js +27 -27
package/server/routes/settings.js +287 -286
package/server/routes/taskmaster.js +1498 -1496
package/server/routes/telegram.js +125 -125
package/server/routes/user.js +125 -123
package/server/services/external-access.js +171 -171
package/server/services/install-jobs.js +571 -571
package/server/services/notification-orchestrator.js +244 -242
package/server/services/provider-credentials.js +189 -189
package/server/services/provider-models.js +381 -381
package/server/services/telegram/bot.js +279 -279
package/server/services/telegram/telegram-http-client.js +130 -130
package/server/services/telegram/translations.js +170 -170
package/server/services/vapid-keys.js +36 -36
package/server/sessionManager.js +225 -225
package/server/shared/interfaces.ts +54 -54
package/server/shared/types.ts +172 -172
package/server/shared/utils.ts +193 -193
package/server/tsconfig.json +36 -36
package/server/utils/colors.js +21 -21
package/server/utils/commandParser.js +305 -303
package/server/utils/frontmatter.js +18 -18
package/server/utils/gitConfig.js +34 -34
package/server/utils/mcp-detector.js +147 -147
package/server/utils/plugin-loader.js +457 -457
package/server/utils/plugin-process-manager.js +185 -184
package/server/utils/port-access.js +209 -209
package/server/utils/runtime-paths.js +37 -37
package/server/utils/taskmaster-websocket.js +128 -128
package/server/utils/url-detection.js +71 -71
package/server/vite-daemon.js +79 -78
package/shared/modelConstants.js +162 -162
package/shared/networkHosts.js +22 -22
package/dist/assets/index-B8w57E1r.css +0 -32

package/server/services/external-access.js CHANGED Viewed

@@ -1,171 +1,171 @@
-import { spawn } from 'node:child_process';
-/**
- * External-access service.
- *
- * Previously exposed a UPnP auto-port-forward path via `nat-upnp`, but that
- * package pulled in the deprecated `request` / `har-validator` / `uuid@3`
- * chain (noise at every install). Cloudflared and ngrok cover the same
- * "publish my laptop to the internet" use case with a better security
- * posture (no permanent port in the router firewall), so we kept the
- * tunnel flow and dropped UPnP entirely. If UPnP becomes a user-demanded
- * feature again we can bring it back via a maintained package like
- * `@achingbrain/nat-port-mapper`.
- */
-// Keep the UPnP getter + no-op togglers so callers still compile, but they
-// always report "unavailable". This is transitional — the routes layer no
-// longer surfaces them either, so nothing in the live codebase hits these.
-const UPNP_UNAVAILABLE = Object.freeze({
-  mapped: false,
-  port: null,
-  externalIp: null,
-  externalUrl: null,
-  error: 'UPnP auto-port-forward was removed in v1.32. Use cloudflared or ngrok tunnels instead.',
-});
-export const getUpnpState = () => UPNP_UNAVAILABLE;
-// ============================================================================
-// Tunnel: detect cloudflared / ngrok and spawn; extract the public URL from
-// stdout. We keep a single live tunnel per process — starting a new one
-// stops the previous one to avoid dangling child processes.
-// ============================================================================
-let tunnelProc = null;
-let tunnelState = {
-  running: false,
-  binary: null, // 'cloudflared' | 'ngrok'
-  url: null,
-  error: null,
-  log: [],
-};
-const appendLog = (line) => {
-  // Tunnels can be noisy. Cap the tail we retain so a long-running tunnel
-  // doesn't grow the log into an OOM risk.
-  tunnelState.log.push(line);
-  if (tunnelState.log.length > 200) tunnelState.log.shift();
-};
-const detectBinary = async () => {
-  const candidates = ['cloudflared', 'ngrok'];
-  for (const name of candidates) {
-    try {
-      // `which` isn't guaranteed on Windows; we probe with `--version` instead
-      // so the same code path works on Unix and Windows Command Prompt.
-      await new Promise((resolve, reject) => {
-        const child = spawn(name, ['--version'], { stdio: 'ignore' });
-        child.on('error', reject);
-        child.on('exit', (code) => (code === 0 ? resolve() : reject(new Error(`exit ${code}`))));
-      });
-      return name;
-    } catch {
-      // try next
-    }
-  }
-  return null;
-};
-const cloudflareUrlRegex = /https?:\/\/[a-z0-9.-]+trycloudflare\.com/i;
-const ngrokUrlRegex = /https?:\/\/[a-z0-9.-]+\.ngrok(-free)?\.(app|io)/i;
-const buildTunnelArgs = (binary, port) => {
-  if (binary === 'cloudflared') return ['tunnel', '--url', `http://localhost:${port}`];
-  if (binary === 'ngrok') return ['http', String(port), '--log', 'stdout', '--log-format', 'logfmt'];
-  throw new Error(`Unsupported tunnel binary: ${binary}`);
-};
-const extractUrl = (binary, text) => {
-  if (binary === 'cloudflared') return text.match(cloudflareUrlRegex)?.[0] ?? null;
-  if (binary === 'ngrok') return text.match(ngrokUrlRegex)?.[0] ?? null;
-  return null;
-};
-export const startTunnel = async ({ port }) => {
-  if (tunnelProc) {
-    // Already running — tell the caller to stop it first rather than silently
-    // replacing, which would orphan the old child and lie about state.
-    throw new Error('Tunnel already running; stop it first');
-  }
-  const binary = await detectBinary();
-  if (!binary) {
-    tunnelState = { running: false, binary: null, url: null, error: 'No tunnel binary found', log: [] };
-    const err = new Error('No tunnel binary found (tried cloudflared, ngrok)');
-    err.code = 'ENOENT_TUNNEL';
-    throw err;
-  }
-  const args = buildTunnelArgs(binary, port);
-  const child = spawn(binary, args, { stdio: ['ignore', 'pipe', 'pipe'] });
-  tunnelProc = child;
-  tunnelState = { running: true, binary, url: null, error: null, log: [] };
-  const handleChunk = (chunk) => {
-    const text = chunk.toString();
-    text.split(/\r?\n/).filter(Boolean).forEach(appendLog);
-    if (!tunnelState.url) {
-      const url = extractUrl(binary, text);
-      if (url) tunnelState.url = url;
-    }
-  };
-  child.stdout.on('data', handleChunk);
-  child.stderr.on('data', handleChunk);
-  child.on('exit', (code) => {
-    tunnelProc = null;
-    tunnelState = {
-      running: false,
-      binary,
-      url: null,
-      error: code === 0 ? null : `Tunnel exited with code ${code}`,
-      log: tunnelState.log,
-    };
-  });
-  // Wait up to 15s for the public URL to appear in the log. We don't block
-  // indefinitely — if the binary is hanging on login/auth, the UI should see
-  // a clear failure instead of a spinner that never resolves.
-  const start = Date.now();
-  while (Date.now() - start < 15000) {
-    if (tunnelState.url) return tunnelState;
-    if (!tunnelProc) break; // process died early
-    // eslint-disable-next-line no-await-in-loop
-    await new Promise((r) => setTimeout(r, 250));
-  }
-  if (!tunnelState.url) {
-    // If we never captured a URL, kill the child so we don't leak it.
-    try { child.kill(); } catch { /* ignore */ }
-    tunnelProc = null;
-    tunnelState = { ...tunnelState, running: false, error: 'Tunnel did not report a public URL' };
-    throw new Error(tunnelState.error);
-  }
-  return tunnelState;
-};
-export const stopTunnel = async () => {
-  if (!tunnelProc) {
-    tunnelState = { running: false, binary: null, url: null, error: null, log: [] };
-    return tunnelState;
-  }
-  try {
-    tunnelProc.kill();
-  } catch {
-    // already dead
-  }
-  tunnelProc = null;
-  tunnelState = { running: false, binary: null, url: null, error: null, log: [] };
-  return tunnelState;
-};
-export const getTunnelState = () => tunnelState;
-// Explicit cleanup so the server process can shut down without leaking the
-// child tunnel process.
-process.on('exit', () => {
-  if (tunnelProc) {
-    try { tunnelProc.kill(); } catch { /* ignore */ }
-  }
-});
+import { spawn } from 'node:child_process';
+/**
+ * External-access service.
+ *
+ * Previously exposed a UPnP auto-port-forward path via `nat-upnp`, but that
+ * package pulled in the deprecated `request` / `har-validator` / `uuid@3`
+ * chain (noise at every install). Cloudflared and ngrok cover the same
+ * "publish my laptop to the internet" use case with a better security
+ * posture (no permanent port in the router firewall), so we kept the
+ * tunnel flow and dropped UPnP entirely. If UPnP becomes a user-demanded
+ * feature again we can bring it back via a maintained package like
+ * `@achingbrain/nat-port-mapper`.
+ */
+// Keep the UPnP getter + no-op togglers so callers still compile, but they
+// always report "unavailable". This is transitional — the routes layer no
+// longer surfaces them either, so nothing in the live codebase hits these.
+const UPNP_UNAVAILABLE = Object.freeze({
+  mapped: false,
+  port: null,
+  externalIp: null,
+  externalUrl: null,
+  error: 'UPnP auto-port-forward was removed in v1.32. Use cloudflared or ngrok tunnels instead.',
+});
+export const getUpnpState = () => UPNP_UNAVAILABLE;
+// ============================================================================
+// Tunnel: detect cloudflared / ngrok and spawn; extract the public URL from
+// stdout. We keep a single live tunnel per process — starting a new one
+// stops the previous one to avoid dangling child processes.
+// ============================================================================
+let tunnelProc = null;
+let tunnelState = {
+  running: false,
+  binary: null, // 'cloudflared' | 'ngrok'
+  url: null,
+  error: null,
+  log: [],
+};
+const appendLog = (line) => {
+  // Tunnels can be noisy. Cap the tail we retain so a long-running tunnel
+  // doesn't grow the log into an OOM risk.
+  tunnelState.log.push(line);
+  if (tunnelState.log.length > 200) tunnelState.log.shift();
+};
+const detectBinary = async () => {
+  const candidates = ['cloudflared', 'ngrok'];
+  for (const name of candidates) {
+    try {
+      // `which` isn't guaranteed on Windows; we probe with `--version` instead
+      // so the same code path works on Unix and Windows Command Prompt.
+      await new Promise((resolve, reject) => {
+        const child = spawn(name, ['--version'], { stdio: 'ignore' });
+        child.on('error', reject);
+        child.on('exit', (code) => (code === 0 ? resolve() : reject(new Error(`exit ${code}`))));
+      });
+      return name;
+    } catch {
+      // try next
+    }
+  }
+  return null;
+};
+const cloudflareUrlRegex = /https?:\/\/[a-z0-9.-]+trycloudflare\.com/i;
+const ngrokUrlRegex = /https?:\/\/[a-z0-9.-]+\.ngrok(-free)?\.(app|io)/i;
+const buildTunnelArgs = (binary, port) => {
+  if (binary === 'cloudflared') return ['tunnel', '--url', `http://localhost:${port}`];
+  if (binary === 'ngrok') return ['http', String(port), '--log', 'stdout', '--log-format', 'logfmt'];
+  throw new Error(`Unsupported tunnel binary: ${binary}`);
+};
+const extractUrl = (binary, text) => {
+  if (binary === 'cloudflared') return text.match(cloudflareUrlRegex)?.[0] ?? null;
+  if (binary === 'ngrok') return text.match(ngrokUrlRegex)?.[0] ?? null;
+  return null;
+};
+export const startTunnel = async ({ port }) => {
+  if (tunnelProc) {
+    // Already running — tell the caller to stop it first rather than silently
+    // replacing, which would orphan the old child and lie about state.
+    throw new Error('Tunnel already running; stop it first');
+  }
+  const binary = await detectBinary();
+  if (!binary) {
+    tunnelState = { running: false, binary: null, url: null, error: 'No tunnel binary found', log: [] };
+    const err = new Error('No tunnel binary found (tried cloudflared, ngrok)');
+    err.code = 'ENOENT_TUNNEL';
+    throw err;
+  }
+  const args = buildTunnelArgs(binary, port);
+  const child = spawn(binary, args, { stdio: ['ignore', 'pipe', 'pipe'] });
+  tunnelProc = child;
+  tunnelState = { running: true, binary, url: null, error: null, log: [] };
+  const handleChunk = (chunk) => {
+    const text = chunk.toString();
+    text.split(/\r?\n/).filter(Boolean).forEach(appendLog);
+    if (!tunnelState.url) {
+      const url = extractUrl(binary, text);
+      if (url) tunnelState.url = url;
+    }
+  };
+  child.stdout.on('data', handleChunk);
+  child.stderr.on('data', handleChunk);
+  child.on('exit', (code) => {
+    tunnelProc = null;
+    tunnelState = {
+      running: false,
+      binary,
+      url: null,
+      error: code === 0 ? null : `Tunnel exited with code ${code}`,
+      log: tunnelState.log,
+    };
+  });
+  // Wait up to 15s for the public URL to appear in the log. We don't block
+  // indefinitely — if the binary is hanging on login/auth, the UI should see
+  // a clear failure instead of a spinner that never resolves.
+  const start = Date.now();
+  while (Date.now() - start < 15000) {
+    if (tunnelState.url) return tunnelState;
+    if (!tunnelProc) break; // process died early
+    await new Promise((r) => setTimeout(r, 250));
+  }
+  if (!tunnelState.url) {
+    // If we never captured a URL, kill the child so we don't leak it.
+    try { child.kill(); } catch { /* ignore */ }
+    tunnelProc = null;
+    tunnelState = { ...tunnelState, running: false, error: 'Tunnel did not report a public URL' };
+    throw new Error(tunnelState.error);
+  }
+  return tunnelState;
+};
+export const stopTunnel = async () => {
+  if (!tunnelProc) {
+    tunnelState = { running: false, binary: null, url: null, error: null, log: [] };
+    return tunnelState;
+  }
+  try {
+    tunnelProc.kill();
+  } catch {
+    // already dead
+  }
+  tunnelProc = null;
+  tunnelState = { running: false, binary: null, url: null, error: null, log: [] };
+  return tunnelState;
+};
+export const getTunnelState = () => tunnelState;
+// Explicit cleanup so the server process can shut down without leaking the
+// child tunnel process.
+process.on('exit', () => {
+  if (tunnelProc) {
+    try { tunnelProc.kill(); } catch { /* ignore */ }
+  }
+});