@pixelzx/genesis 2026.5.3-2 → 2026.5.3-3

package/dist/http-utils-Dwz38Ezf.js

@@ -0,0 +1,924 @@
+import { a as normalizeLowercaseStringOrEmpty, c as normalizeOptionalString, f as readStringValue } from "./string-coerce-C1IzJjqi.js";
+import { n as emitDiagnosticEvent } from "./diagnostic-events-CD7YG9TK.js";
+import { s as resolveConfigPathCandidate } from "./paths-DmR9mjUX.js";
+import { r as authorizeHttpGatewayConnect } from "./auth-I7fIjFrM.js";
+import { a as loadConfig, i as getRuntimeConfig } from "./io-CRPT2IUI.js";
+import { o as parseAgentSessionKey } from "./session-key-utils-BT0y7mVK.js";
+import { c as normalizeAgentId, r as buildAgentMainSessionKey } from "./session-key-EpIbK3Oz.js";
+import { r as listChannelPlugins } from "./registry-DXDC8Wqv.js";
+import { g as listAgentIds, x as resolveDefaultAgentId } from "./agent-scope-CDjZLqNk.js";
+import "./config-DcheqK7J.js";
+import { u as normalizeMessageChannel } from "./message-channel-D2Y7UhTM.js";
+import { n as normalizeMessageChannel$1 } from "./message-channel-core-CtbksRwN.js";
+import { n as authorizeOperatorScopesForMethod, o as ADMIN_SCOPE, t as CLI_DEFAULT_OPERATOR_SCOPES } from "./method-scopes-Dut0EB9J.js";
+import "./plugins-CV-ZD2kz.js";
+import { x as parseModelRef, y as modelKey } from "./model-selection-shared-CyTG48aO.js";
+import { o as resolveDefaultModelForAgent, t as buildAllowedModelSet } from "./model-selection-CKrtE2-6.js";
+import { r as loadModelCatalog, s as resetModelCatalogCacheForTest } from "./model-catalog-B7Gss5Xr.js";
+import { c as requestBodyErrorToText, o as readJsonBodyWithLimit } from "./http-body-DmMOHMx8.js";
+import { n as resolveFunctionModuleExport, t as importFileModule } from "./module-loader-B2u3ajxy.js";
+import { t as resolveAllowedAgentIds } from "./hooks-policy-D0pHpNLz.js";
+import fs from "node:fs";
+import path from "node:path";
+import { randomUUID } from "node:crypto";
+//#region src/logging/diagnostic-payload.ts
+function logLargePayload(params) {
+	emitDiagnosticEvent({
+		type: "payload.large",
+		...params
+	});
+}
+function logRejectedLargePayload(params) {
+	logLargePayload({
+		action: "rejected",
+		...params
+	});
+}
+function parseContentLengthHeader(raw) {
+	const value = Array.isArray(raw) ? raw[0] : raw;
+	if (typeof value !== "string") return;
+	const trimmed = value.trim();
+	if (trimmed.length === 0 || !/^\d+$/.test(trimmed)) return;
+	const parsed = Number.parseInt(trimmed, 10);
+	return Number.isSafeInteger(parsed) && parsed >= 0 ? parsed : void 0;
+}
+//#endregion
+//#region src/gateway/hooks-mapping.ts
+const hookPresetMappings = { gmail: [{
+	id: "gmail",
+	match: { path: "gmail" },
+	action: "agent",
+	wakeMode: "now",
+	name: "Gmail",
+	sessionKey: "hook:gmail:{{messages[0].id}}",
+	messageTemplate: "New email from {{messages[0].from}}\nSubject: {{messages[0].subject}}\n{{messages[0].snippet}}\n{{messages[0].body}}"
+}] };
+const transformCache = /* @__PURE__ */ new Map();
+function resolveHookMappings(hooks, opts) {
+	const presets = hooks?.presets ?? [];
+	const gmailAllowUnsafe = hooks?.gmail?.allowUnsafeExternalContent;
+	const mappings = [];
+	if (hooks?.mappings) mappings.push(...hooks.mappings);
+	for (const preset of presets) {
+		const presetMappings = hookPresetMappings[preset];
+		if (!presetMappings) continue;
+		if (preset === "gmail" && typeof gmailAllowUnsafe === "boolean") {
+			mappings.push(...presetMappings.map((mapping) => ({
+				...mapping,
+				allowUnsafeExternalContent: gmailAllowUnsafe
+			})));
+			continue;
+		}
+		mappings.push(...presetMappings);
+	}
+	if (mappings.length === 0) return [];
+	const configDir = path.resolve(opts?.configDir ?? path.dirname(resolveConfigPathCandidate()));
+	const transformsDir = resolveOptionalContainedPath(path.join(configDir, "hooks", "transforms"), hooks?.transformsDir, "Hook transformsDir");
+	return mappings.map((mapping, index) => normalizeHookMapping(mapping, index, transformsDir));
+}
+async function applyHookMappings(mappings, ctx) {
+	if (mappings.length === 0) return null;
+	for (const mapping of mappings) {
+		if (!mappingMatches(mapping, ctx)) continue;
+		const base = buildActionFromMapping(mapping, ctx);
+		if (!base.ok) return base;
+		let override = null;
+		if (mapping.transform) {
+			override = await (await loadTransform(mapping.transform))(ctx);
+			if (override === null) return {
+				ok: true,
+				action: null,
+				skipped: true
+			};
+		}
+		if (!base.action) return {
+			ok: true,
+			action: null,
+			skipped: true
+		};
+		const merged = mergeAction(base.action, override, mapping.action);
+		if (!merged.ok) return merged;
+		return merged;
+	}
+	return null;
+}
+function normalizeHookMapping(mapping, index, transformsDir) {
+	const id = normalizeOptionalString(mapping.id) || `mapping-${index + 1}`;
+	const matchPath = normalizeMatchPath(mapping.match?.path);
+	const matchSource = mapping.match?.source?.trim();
+	const action = mapping.action ?? "agent";
+	const wakeMode = mapping.wakeMode ?? "now";
+	const transform = mapping.transform ? {
+		modulePath: resolveContainedPath(transformsDir, mapping.transform.module, "Hook transform"),
+		exportName: normalizeOptionalString(mapping.transform.export)
+	} : void 0;
+	return {
+		id,
+		matchPath,
+		matchSource,
+		action,
+		wakeMode,
+		name: mapping.name,
+		agentId: normalizeOptionalString(mapping.agentId),
+		sessionKey: mapping.sessionKey,
+		messageTemplate: mapping.messageTemplate,
+		textTemplate: mapping.textTemplate,
+		deliver: mapping.deliver,
+		allowUnsafeExternalContent: mapping.allowUnsafeExternalContent,
+		channel: mapping.channel,
+		to: mapping.to,
+		model: mapping.model,
+		thinking: mapping.thinking,
+		timeoutSeconds: mapping.timeoutSeconds,
+		transform
+	};
+}
+function mappingMatches(mapping, ctx) {
+	if (mapping.matchPath) {
+		if (mapping.matchPath !== normalizeMatchPath(ctx.path)) return false;
+	}
+	if (mapping.matchSource) {
+		const source = readStringValue(ctx.payload.source);
+		if (!source || source !== mapping.matchSource) return false;
+	}
+	return true;
+}
+function buildActionFromMapping(mapping, ctx) {
+	if (mapping.action === "wake") return {
+		ok: true,
+		action: {
+			kind: "wake",
+			text: renderTemplate(mapping.textTemplate ?? "", ctx),
+			mode: mapping.wakeMode ?? "now"
+		}
+	};
+	return {
+		ok: true,
+		action: {
+			kind: "agent",
+			message: renderTemplate(mapping.messageTemplate ?? "", ctx),
+			name: renderOptional(mapping.name, ctx),
+			agentId: mapping.agentId,
+			wakeMode: mapping.wakeMode ?? "now",
+			sessionKey: renderOptional(mapping.sessionKey, ctx),
+			sessionKeySource: getSessionKeyTemplateSource(mapping.sessionKey),
+			deliver: mapping.deliver,
+			allowUnsafeExternalContent: mapping.allowUnsafeExternalContent,
+			channel: mapping.channel,
+			to: renderOptional(mapping.to, ctx),
+			model: renderOptional(mapping.model, ctx),
+			thinking: renderOptional(mapping.thinking, ctx),
+			timeoutSeconds: mapping.timeoutSeconds
+		}
+	};
+}
+function mergeAction(base, override, defaultAction) {
+	if (!override) return validateAction(base);
+	if ((override.kind ?? base.kind ?? defaultAction) === "wake") {
+		const baseWake = base.kind === "wake" ? base : void 0;
+		return validateAction({
+			kind: "wake",
+			text: typeof override.text === "string" ? override.text : baseWake?.text ?? "",
+			mode: override.mode === "next-heartbeat" ? "next-heartbeat" : baseWake?.mode ?? "now"
+		});
+	}
+	const baseAgent = base.kind === "agent" ? base : void 0;
+	return validateAction({
+		kind: "agent",
+		message: typeof override.message === "string" ? override.message : baseAgent?.message ?? "",
+		wakeMode: override.wakeMode === "next-heartbeat" ? "next-heartbeat" : baseAgent?.wakeMode ?? "now",
+		name: override.name ?? baseAgent?.name,
+		agentId: override.agentId ?? baseAgent?.agentId,
+		sessionKey: override.sessionKey ?? baseAgent?.sessionKey,
+		sessionKeySource: resolveMergedSessionKeySource(baseAgent, override),
+		deliver: typeof override.deliver === "boolean" ? override.deliver : baseAgent?.deliver,
+		allowUnsafeExternalContent: typeof override.allowUnsafeExternalContent === "boolean" ? override.allowUnsafeExternalContent : baseAgent?.allowUnsafeExternalContent,
+		channel: override.channel ?? baseAgent?.channel,
+		to: override.to ?? baseAgent?.to,
+		model: override.model ?? baseAgent?.model,
+		thinking: override.thinking ?? baseAgent?.thinking,
+		timeoutSeconds: override.timeoutSeconds ?? baseAgent?.timeoutSeconds
+	});
+}
+function validateAction(action) {
+	if (action.kind === "wake") {
+		if (!action.text?.trim()) return {
+			ok: false,
+			error: "hook mapping requires text"
+		};
+		return {
+			ok: true,
+			action
+		};
+	}
+	if (!action.message?.trim()) return {
+		ok: false,
+		error: "hook mapping requires message"
+	};
+	return {
+		ok: true,
+		action
+	};
+}
+function getSessionKeyTemplateSource(sessionKeyTemplate) {
+	const normalizedTemplate = normalizeOptionalString(sessionKeyTemplate);
+	if (!normalizedTemplate) return;
+	return hasHookTemplateExpressions(normalizedTemplate) ? "templated" : "static";
+}
+function resolveMergedSessionKeySource(baseAgent, override) {
+	if (typeof override.sessionKey === "string") {
+		if (!normalizeOptionalString(override.sessionKey)) return;
+		return override.sessionKeySource === "static" ? "static" : "templated";
+	}
+	return baseAgent?.sessionKeySource;
+}
+function hasHookTemplateExpressions(template) {
+	return /\{\{\s*[^}]+\s*\}\}/.test(template);
+}
+async function loadTransform(transform) {
+	const cacheKey = `${transform.modulePath}::${transform.exportName ?? "default"}`;
+	const cached = transformCache.get(cacheKey);
+	if (cached) return cached;
+	const fn = resolveTransformFn(await importFileModule({ modulePath: transform.modulePath }), transform.exportName);
+	transformCache.set(cacheKey, fn);
+	return fn;
+}
+function resolveTransformFn(mod, exportName) {
+	const candidate = resolveFunctionModuleExport({
+		mod,
+		exportName,
+		fallbackExportNames: ["default", "transform"]
+	});
+	if (!candidate) throw new Error("hook transform module must export a function");
+	return candidate;
+}
+function resolvePath(baseDir, target) {
+	if (!target) return path.resolve(baseDir);
+	return path.isAbsolute(target) ? path.resolve(target) : path.resolve(baseDir, target);
+}
+function escapesBase(baseDir, candidate) {
+	const relative = path.relative(baseDir, candidate);
+	return relative === ".." || relative.startsWith(`..${path.sep}`) || path.isAbsolute(relative);
+}
+function safeRealpathSync(candidate) {
+	try {
+		const nativeRealpath = fs.realpathSync.native;
+		return nativeRealpath ? nativeRealpath(candidate) : fs.realpathSync(candidate);
+	} catch {
+		return null;
+	}
+}
+function resolveExistingAncestor(candidate) {
+	let current = path.resolve(candidate);
+	while (true) {
+		if (fs.existsSync(current)) return current;
+		const parent = path.dirname(current);
+		if (parent === current) return null;
+		current = parent;
+	}
+}
+function resolveContainedPath(baseDir, target, label) {
+	const base = path.resolve(baseDir);
+	const trimmed = target?.trim();
+	if (!trimmed) throw new Error(`${label} module path is required`);
+	const resolved = resolvePath(base, trimmed);
+	if (escapesBase(base, resolved)) throw new Error(`${label} module path must be within ${base}: ${target}`);
+	const baseRealpath = safeRealpathSync(base);
+	const existingAncestor = resolveExistingAncestor(resolved);
+	const existingAncestorRealpath = existingAncestor ? safeRealpathSync(existingAncestor) : null;
+	if (baseRealpath && existingAncestorRealpath && escapesBase(baseRealpath, existingAncestorRealpath)) throw new Error(`${label} module path must be within ${base}: ${target}`);
+	return resolved;
+}
+function resolveOptionalContainedPath(baseDir, target, label) {
+	const trimmed = target?.trim();
+	if (!trimmed) return path.resolve(baseDir);
+	return resolveContainedPath(baseDir, trimmed, label);
+}
+function normalizeMatchPath(raw) {
+	if (!raw) return;
+	const trimmed = raw.trim();
+	if (!trimmed) return;
+	return trimmed.replace(/^\/+/, "").replace(/\/+$/, "");
+}
+function renderOptional(value, ctx) {
+	if (!value) return;
+	const rendered = renderTemplate(value, ctx).trim();
+	return rendered ? rendered : void 0;
+}
+function renderTemplate(template, ctx) {
+	if (!template) return "";
+	return template.replace(/\{\{\s*([^}]+)\s*\}\}/g, (_, expr) => {
+		const value = resolveTemplateExpr(expr.trim(), ctx);
+		if (value === void 0 || value === null) return "";
+		if (typeof value === "string") return value;
+		if (typeof value === "number" || typeof value === "boolean") return String(value);
+		return JSON.stringify(value);
+	});
+}
+function resolveTemplateExpr(expr, ctx) {
+	if (expr === "path") return ctx.path;
+	if (expr === "now") return (/* @__PURE__ */ new Date()).toISOString();
+	if (expr.startsWith("headers.")) return getByPath(ctx.headers, expr.slice(8));
+	if (expr.startsWith("query.")) return getByPath(Object.fromEntries(ctx.url.searchParams.entries()), expr.slice(6));
+	if (expr.startsWith("payload.")) return getByPath(ctx.payload, expr.slice(8));
+	return getByPath(ctx.payload, expr);
+}
+const BLOCKED_PATH_KEYS = new Set([
+	"__proto__",
+	"prototype",
+	"constructor"
+]);
+function getByPath(input, pathExpr) {
+	if (!pathExpr) return;
+	const parts = [];
+	const re = /([^.[\]]+)|(\[(\d+)\])/g;
+	let match = re.exec(pathExpr);
+	while (match) {
+		if (match[1]) parts.push(match[1]);
+		else if (match[3]) parts.push(Number(match[3]));
+		match = re.exec(pathExpr);
+	}
+	let current = input;
+	for (const part of parts) {
+		if (current === null || current === void 0) return;
+		if (typeof part === "number") {
+			if (!Array.isArray(current)) return;
+			current = current[part];
+			continue;
+		}
+		if (BLOCKED_PATH_KEYS.has(part)) return;
+		if (typeof current !== "object") return;
+		current = current[part];
+	}
+	return current;
+}
+//#endregion
+//#region src/gateway/hooks.ts
+const DEFAULT_HOOKS_PATH = "/hooks";
+const DEFAULT_HOOKS_MAX_BODY_BYTES = 256 * 1024;
+const MAX_HOOK_IDEMPOTENCY_KEY_LENGTH = 256;
+function resolveHooksConfig(cfg) {
+	if (cfg.hooks?.enabled !== true) return null;
+	const token = normalizeOptionalString(cfg.hooks?.token);
+	if (!token) throw new Error("hooks.enabled requires hooks.token");
+	const rawPath = normalizeOptionalString(cfg.hooks?.path) || DEFAULT_HOOKS_PATH;
+	const withSlash = rawPath.startsWith("/") ? rawPath : `/${rawPath}`;
+	const trimmed = withSlash.length > 1 ? withSlash.replace(/\/+$/, "") : withSlash;
+	if (trimmed === "/") throw new Error("hooks.path may not be '/'");
+	const maxBodyBytes = cfg.hooks?.maxBodyBytes && cfg.hooks.maxBodyBytes > 0 ? cfg.hooks.maxBodyBytes : DEFAULT_HOOKS_MAX_BODY_BYTES;
+	const mappings = resolveHookMappings(cfg.hooks);
+	const defaultAgentId = resolveDefaultAgentId(cfg);
+	const knownAgentIds = resolveKnownAgentIds(cfg, defaultAgentId);
+	const allowedAgentIds = resolveAllowedAgentIds(cfg.hooks?.allowedAgentIds);
+	const defaultSessionKey = resolveSessionKey$1(cfg.hooks?.defaultSessionKey);
+	const allowedSessionKeyPrefixes = resolveAllowedSessionKeyPrefixes(cfg.hooks?.allowedSessionKeyPrefixes);
+	if (defaultSessionKey && allowedSessionKeyPrefixes && !isSessionKeyAllowedByPrefix(defaultSessionKey, allowedSessionKeyPrefixes)) throw new Error("hooks.defaultSessionKey must match hooks.allowedSessionKeyPrefixes");
+	if (!defaultSessionKey && allowedSessionKeyPrefixes && !isSessionKeyAllowedByPrefix("hook:example", allowedSessionKeyPrefixes)) throw new Error("hooks.allowedSessionKeyPrefixes must include 'hook:' when hooks.defaultSessionKey is unset");
+	if (hasEffectiveTemplatedHookSessionKeyMapping(mappings) && !allowedSessionKeyPrefixes) throw new Error("hooks.allowedSessionKeyPrefixes is required when a hook mapping sessionKey uses templates, even if hooks.allowRequestSessionKey=true");
+	return {
+		basePath: trimmed,
+		token,
+		maxBodyBytes,
+		mappings,
+		agentPolicy: {
+			defaultAgentId,
+			knownAgentIds,
+			allowedAgentIds
+		},
+		sessionPolicy: {
+			defaultSessionKey,
+			allowRequestSessionKey: cfg.hooks?.allowRequestSessionKey === true,
+			allowedSessionKeyPrefixes
+		}
+	};
+}
+function resolveKnownAgentIds(cfg, defaultAgentId) {
+	const known = new Set(listAgentIds(cfg));
+	known.add(defaultAgentId);
+	return known;
+}
+function resolveSessionKey$1(raw) {
+	return normalizeOptionalString(raw);
+}
+function normalizeSessionKeyPrefix(raw) {
+	const value = normalizeLowercaseStringOrEmpty(raw);
+	return value ? value : void 0;
+}
+function resolveAllowedSessionKeyPrefixes(raw) {
+	if (!Array.isArray(raw)) return;
+	const set = /* @__PURE__ */ new Set();
+	for (const prefix of raw) {
+		const normalized = normalizeSessionKeyPrefix(prefix);
+		if (!normalized) continue;
+		set.add(normalized);
+	}
+	return set.size > 0 ? Array.from(set) : void 0;
+}
+function isSessionKeyAllowedByPrefix(sessionKey, prefixes) {
+	const normalized = normalizeLowercaseStringOrEmpty(sessionKey);
+	if (!normalized) return false;
+	return prefixes.some((prefix) => normalized.startsWith(prefix));
+}
+function extractHookToken(req) {
+	const auth = normalizeOptionalString(req.headers.authorization) ?? "";
+	if (normalizeLowercaseStringOrEmpty(auth).startsWith("bearer ")) {
+		const token = auth.slice(7).trim();
+		if (token) return token;
+	}
+	const headerToken = normalizeOptionalString(req.headers["x-genesis-token"]) ?? "";
+	if (headerToken) return headerToken;
+}
+async function readJsonBody(req, maxBytes) {
+	const result = await readJsonBodyWithLimit(req, {
+		maxBytes,
+		emptyObjectOnEmpty: true
+	});
+	if (result.ok) return result;
+	if (result.code === "PAYLOAD_TOO_LARGE") return {
+		ok: false,
+		error: "payload too large"
+	};
+	if (result.code === "REQUEST_BODY_TIMEOUT") return {
+		ok: false,
+		error: "request body timeout"
+	};
+	if (result.code === "CONNECTION_CLOSED") return {
+		ok: false,
+		error: requestBodyErrorToText("CONNECTION_CLOSED")
+	};
+	return {
+		ok: false,
+		error: result.error
+	};
+}
+function normalizeHookHeaders(req) {
+	const headers = {};
+	for (const [key, value] of Object.entries(req.headers)) {
+		const normalizedKey = normalizeLowercaseStringOrEmpty(key);
+		if (typeof value === "string") headers[normalizedKey] = value;
+		else if (Array.isArray(value) && value.length > 0) headers[normalizedKey] = value.join(", ");
+	}
+	return headers;
+}
+function normalizeWakePayload(payload) {
+	const normalizedText = normalizeOptionalString(payload.text) ?? "";
+	if (!normalizedText) return {
+		ok: false,
+		error: "text required"
+	};
+	return {
+		ok: true,
+		value: {
+			text: normalizedText,
+			mode: payload.mode === "next-heartbeat" ? "next-heartbeat" : "now"
+		}
+	};
+}
+const listHookChannelValues = () => ["last", ...listChannelPlugins().map((plugin) => plugin.id)];
+const getHookChannelSet = () => new Set(listHookChannelValues());
+const getHookChannelError = () => `channel must be ${listHookChannelValues().join("|")}`;
+function resolveHookChannel(raw) {
+	if (raw === void 0) return "last";
+	if (typeof raw !== "string") return null;
+	const normalized = normalizeMessageChannel$1(raw);
+	if (!normalized || !getHookChannelSet().has(normalized)) return null;
+	return normalized;
+}
+function resolveHookDeliver(raw) {
+	return raw !== false;
+}
+function resolveOptionalHookIdempotencyKey(raw) {
+	if (typeof raw !== "string") return;
+	const trimmed = raw.trim();
+	if (!trimmed || trimmed.length > MAX_HOOK_IDEMPOTENCY_KEY_LENGTH) return;
+	return trimmed;
+}
+function resolveHookIdempotencyKey(params) {
+	return resolveOptionalHookIdempotencyKey(params.headers?.["idempotency-key"]) || resolveOptionalHookIdempotencyKey(params.headers?.["x-genesis-idempotency-key"]) || resolveOptionalHookIdempotencyKey(params.payload.idempotencyKey);
+}
+function resolveHookTargetAgentId(hooksConfig, agentId) {
+	const raw = normalizeOptionalString(agentId);
+	if (!raw) return;
+	const normalized = normalizeAgentId(raw);
+	if (hooksConfig.agentPolicy.knownAgentIds.has(normalized)) return normalized;
+	return hooksConfig.agentPolicy.defaultAgentId;
+}
+function isHookAgentAllowed(hooksConfig, agentId) {
+	const raw = normalizeOptionalString(agentId);
+	if (!raw) return true;
+	const allowed = hooksConfig.agentPolicy.allowedAgentIds;
+	if (allowed === void 0) return true;
+	const resolved = resolveHookTargetAgentId(hooksConfig, raw);
+	return resolved ? allowed.has(resolved) : false;
+}
+const getHookAgentPolicyError = () => "agentId is not allowed by hooks.allowedAgentIds";
+const getHookSessionKeyRequestPolicyError = () => "sessionKey is disabled for externally supplied hook payload values; set hooks.allowRequestSessionKey=true to enable";
+const getHookSessionKeyPrefixError = (prefixes) => `sessionKey must start with one of: ${prefixes.join(", ")}`;
+function resolveHookSessionKey(params) {
+	const requested = resolveSessionKey$1(params.sessionKey);
+	if (requested) {
+		if ((params.source === "request" || params.source === "mapping-templated") && !params.hooksConfig.sessionPolicy.allowRequestSessionKey) return {
+			ok: false,
+			error: getHookSessionKeyRequestPolicyError()
+		};
+		const allowedPrefixes = params.hooksConfig.sessionPolicy.allowedSessionKeyPrefixes;
+		if (allowedPrefixes && !isSessionKeyAllowedByPrefix(requested, allowedPrefixes)) return {
+			ok: false,
+			error: getHookSessionKeyPrefixError(allowedPrefixes)
+		};
+		return {
+			ok: true,
+			value: requested
+		};
+	}
+	const defaultSessionKey = params.hooksConfig.sessionPolicy.defaultSessionKey;
+	if (defaultSessionKey) return {
+		ok: true,
+		value: defaultSessionKey
+	};
+	const generated = `hook:${(params.idFactory ?? randomUUID)()}`;
+	const allowedPrefixes = params.hooksConfig.sessionPolicy.allowedSessionKeyPrefixes;
+	if (allowedPrefixes && !isSessionKeyAllowedByPrefix(generated, allowedPrefixes)) return {
+		ok: false,
+		error: getHookSessionKeyPrefixError(allowedPrefixes)
+	};
+	return {
+		ok: true,
+		value: generated
+	};
+}
+function hasTemplatedHookSessionKey(sessionKey) {
+	return typeof sessionKey === "string" && hasHookTemplateExpressions(sessionKey);
+}
+function hasEffectiveTemplatedHookSessionKeyMapping(mappings) {
+	const effectiveMappings = [];
+	for (const mapping of mappings) {
+		if (isHookMappingShadowed(mapping, effectiveMappings)) continue;
+		effectiveMappings.push(mapping);
+		if (mapping.action === "agent" && hasTemplatedHookSessionKey(mapping.sessionKey)) return true;
+	}
+	return false;
+}
+function isHookMappingShadowed(mapping, earlierMappings) {
+	return earlierMappings.some((earlier) => {
+		if (earlier.matchPath && earlier.matchPath !== mapping.matchPath) return false;
+		return !earlier.matchSource || earlier.matchSource === mapping.matchSource;
+	});
+}
+function normalizeHookDispatchSessionKey(params) {
+	const trimmed = normalizeOptionalString(params.sessionKey) ?? "";
+	if (!trimmed || !params.targetAgentId) return trimmed;
+	const parsed = parseAgentSessionKey(trimmed);
+	if (!parsed) return trimmed;
+	return `agent:${normalizeAgentId(params.targetAgentId)}:${parsed.rest}`;
+}
+function normalizeAgentPayload(payload) {
+	const message = normalizeOptionalString(payload.message) ?? "";
+	if (!message) return {
+		ok: false,
+		error: "message required"
+	};
+	const nameRaw = payload.name;
+	const name = normalizeOptionalString(nameRaw) ?? "Hook";
+	const agentIdRaw = payload.agentId;
+	const agentId = normalizeOptionalString(agentIdRaw);
+	const idempotencyKey = resolveOptionalHookIdempotencyKey(payload.idempotencyKey);
+	const wakeMode = payload.wakeMode === "next-heartbeat" ? "next-heartbeat" : "now";
+	const sessionKeyRaw = payload.sessionKey;
+	const sessionKey = normalizeOptionalString(sessionKeyRaw);
+	const channel = resolveHookChannel(payload.channel);
+	if (!channel) return {
+		ok: false,
+		error: getHookChannelError()
+	};
+	const toRaw = payload.to;
+	const to = normalizeOptionalString(toRaw);
+	const modelRaw = payload.model;
+	const model = normalizeOptionalString(modelRaw);
+	if (modelRaw !== void 0 && !model) return {
+		ok: false,
+		error: "model required"
+	};
+	const deliver = resolveHookDeliver(payload.deliver);
+	const thinkingRaw = payload.thinking;
+	const thinking = normalizeOptionalString(thinkingRaw);
+	const timeoutRaw = payload.timeoutSeconds;
+	return {
+		ok: true,
+		value: {
+			message,
+			name,
+			agentId,
+			idempotencyKey,
+			wakeMode,
+			sessionKey,
+			deliver,
+			channel,
+			to,
+			model,
+			thinking,
+			timeoutSeconds: typeof timeoutRaw === "number" && Number.isFinite(timeoutRaw) && timeoutRaw > 0 ? Math.floor(timeoutRaw) : void 0
+		}
+	};
+}
+//#endregion
+//#region src/gateway/http-common.ts
+/**
+* Apply baseline security headers that are safe for all response types (API JSON,
+* HTML pages, static assets, SSE streams). Headers that restrict framing or set a
+* Content-Security-Policy are intentionally omitted here because some handlers
+* (canvas host, A2UI) serve content that may be loaded inside frames.
+*/
+function setDefaultSecurityHeaders(res, opts) {
+	res.setHeader("X-Content-Type-Options", "nosniff");
+	res.setHeader("Referrer-Policy", "no-referrer");
+	res.setHeader("Permissions-Policy", "camera=(), microphone=(self), geolocation=()");
+	const strictTransportSecurity = opts?.strictTransportSecurity;
+	if (typeof strictTransportSecurity === "string" && strictTransportSecurity.length > 0) res.setHeader("Strict-Transport-Security", strictTransportSecurity);
+}
+function sendJson(res, status, body) {
+	res.statusCode = status;
+	res.setHeader("Content-Type", "application/json; charset=utf-8");
+	res.end(JSON.stringify(body));
+}
+function sendText(res, status, body) {
+	res.statusCode = status;
+	res.setHeader("Content-Type", "text/plain; charset=utf-8");
+	res.end(body);
+}
+function sendMethodNotAllowed(res, allow = "POST") {
+	res.setHeader("Allow", allow);
+	sendText(res, 405, "Method Not Allowed");
+}
+function sendUnauthorized(res) {
+	sendJson(res, 401, { error: {
+		message: "Unauthorized",
+		type: "unauthorized"
+	} });
+}
+function sendRateLimited(res, retryAfterMs) {
+	if (retryAfterMs && retryAfterMs > 0) res.setHeader("Retry-After", String(Math.ceil(retryAfterMs / 1e3)));
+	sendJson(res, 429, { error: {
+		message: "Too many failed authentication attempts. Please try again later.",
+		type: "rate_limited"
+	} });
+}
+function sendGatewayAuthFailure(res, authResult) {
+	if (authResult.rateLimited) {
+		sendRateLimited(res, authResult.retryAfterMs);
+		return;
+	}
+	sendUnauthorized(res);
+}
+function sendInvalidRequest(res, message) {
+	sendJson(res, 400, { error: {
+		message,
+		type: "invalid_request_error"
+	} });
+}
+async function readJsonBodyOrError(req, res, maxBytes) {
+	const body = await readJsonBody(req, maxBytes);
+	if (!body.ok) {
+		if (body.error === "payload too large") {
+			const contentLength = parseContentLengthHeader(req.headers?.["content-length"]);
+			logRejectedLargePayload({
+				surface: "gateway.http.json",
+				limitBytes: maxBytes,
+				reason: "json_body_limit",
+				...contentLength !== void 0 ? { bytes: contentLength } : {}
+			});
+			sendJson(res, 413, { error: {
+				message: "Payload too large",
+				type: "invalid_request_error"
+			} });
+			return;
+		}
+		if (body.error === "request body timeout") {
+			sendJson(res, 408, { error: {
+				message: "Request body timeout",
+				type: "invalid_request_error"
+			} });
+			return;
+		}
+		sendInvalidRequest(res, body.error);
+		return;
+	}
+	return body.value;
+}
+function writeDone(res) {
+	res.write("data: [DONE]\n\n");
+}
+function setSseHeaders(res) {
+	res.statusCode = 200;
+	res.setHeader("Content-Type", "text/event-stream; charset=utf-8");
+	res.setHeader("Cache-Control", "no-cache");
+	res.setHeader("Connection", "keep-alive");
+	res.flushHeaders?.();
+}
+function watchClientDisconnect(req, res, abortController, onDisconnect) {
+	const sockets = Array.from(new Set([req.socket, res.socket].filter((socket) => socket !== null)));
+	if (sockets.length === 0) return () => {};
+	const handleClose = () => {
+		onDisconnect?.();
+		if (!abortController.signal.aborted) abortController.abort();
+	};
+	for (const socket of sockets) socket.on("close", handleClose);
+	return () => {
+		for (const socket of sockets) socket.off("close", handleClose);
+	};
+}
+//#endregion
+//#region src/gateway/server-model-catalog.ts
+function __resetModelCatalogCacheForTest() {
+	resetModelCatalogCacheForTest();
+}
+async function loadGatewayModelCatalog(params) {
+	return await loadModelCatalog({ config: (params?.getConfig ?? getRuntimeConfig)() });
+}
+//#endregion
+//#region src/gateway/http-utils.ts
+const GENESIS_MODEL_ID = "genesis";
+const GENESIS_DEFAULT_MODEL_ID = "genesis/default";
+function getHeader(req, name) {
+	const raw = req.headers[normalizeLowercaseStringOrEmpty(name)];
+	if (typeof raw === "string") return raw;
+	if (Array.isArray(raw)) return raw[0];
+}
+function getBearerToken(req) {
+	const raw = normalizeOptionalString(getHeader(req, "authorization")) ?? "";
+	if (!normalizeLowercaseStringOrEmpty(raw).startsWith("bearer ")) return;
+	return normalizeOptionalString(raw.slice(7));
+}
+function resolveHttpBrowserOriginPolicy(req, cfg = loadConfig()) {
+	return {
+		requestHost: getHeader(req, "host"),
+		origin: getHeader(req, "origin"),
+		allowedOrigins: cfg.gateway?.controlUi?.allowedOrigins,
+		allowHostHeaderOriginFallback: cfg.gateway?.controlUi?.dangerouslyAllowHostHeaderOriginFallback === true
+	};
+}
+function usesSharedSecretHttpAuth(auth) {
+	return auth?.mode === "token" || auth?.mode === "password";
+}
+function usesSharedSecretGatewayMethod(method) {
+	return method === "token" || method === "password";
+}
+function shouldTrustDeclaredHttpOperatorScopes(req, authOrRequest) {
+	if (authOrRequest && "trustDeclaredOperatorScopes" in authOrRequest) return authOrRequest.trustDeclaredOperatorScopes;
+	return !isGatewayBearerHttpRequest(req, authOrRequest);
+}
+async function authorizeGatewayHttpRequestOrReply(params) {
+	const result = await checkGatewayHttpRequestAuth(params);
+	if (!result.ok) {
+		sendGatewayAuthFailure(params.res, result.authResult);
+		return null;
+	}
+	return result.requestAuth;
+}
+async function checkGatewayHttpRequestAuth(params) {
+	const token = getBearerToken(params.req);
+	const browserOriginPolicy = resolveHttpBrowserOriginPolicy(params.req, params.cfg);
+	const authResult = await authorizeHttpGatewayConnect({
+		auth: params.auth,
+		connectAuth: token ? {
+			token,
+			password: token
+		} : null,
+		req: params.req,
+		trustedProxies: params.trustedProxies,
+		allowRealIpFallback: params.allowRealIpFallback,
+		rateLimiter: params.rateLimiter,
+		browserOriginPolicy
+	});
+	if (!authResult.ok) return {
+		ok: false,
+		authResult
+	};
+	return {
+		ok: true,
+		requestAuth: {
+			authMethod: authResult.method,
+			trustDeclaredOperatorScopes: !usesSharedSecretGatewayMethod(authResult.method)
+		}
+	};
+}
+async function authorizeScopedGatewayHttpRequestOrReply(params) {
+	const cfg = loadConfig();
+	const requestAuth = await authorizeGatewayHttpRequestOrReply({
+		req: params.req,
+		res: params.res,
+		auth: params.auth,
+		trustedProxies: params.trustedProxies ?? cfg.gateway?.trustedProxies,
+		allowRealIpFallback: params.allowRealIpFallback ?? cfg.gateway?.allowRealIpFallback,
+		rateLimiter: params.rateLimiter
+	});
+	if (!requestAuth) return null;
+	const requestedScopes = params.resolveOperatorScopes(params.req, requestAuth);
+	const scopeAuth = authorizeOperatorScopesForMethod(params.operatorMethod, requestedScopes);
+	if (!scopeAuth.allowed) {
+		sendJson(params.res, 403, {
+			ok: false,
+			error: {
+				type: "forbidden",
+				message: `missing scope: ${scopeAuth.missingScope}`
+			}
+		});
+		return null;
+	}
+	return {
+		cfg,
+		requestAuth
+	};
+}
+function isGatewayBearerHttpRequest(req, auth) {
+	return usesSharedSecretHttpAuth(auth) && Boolean(getBearerToken(req));
+}
+function resolveTrustedHttpOperatorScopes(req, authOrRequest) {
+	if (!shouldTrustDeclaredHttpOperatorScopes(req, authOrRequest)) return [];
+	const headerValue = getHeader(req, "x-genesis-scopes");
+	if (headerValue === void 0) return [...CLI_DEFAULT_OPERATOR_SCOPES];
+	const raw = headerValue.trim();
+	if (!raw) return [];
+	return raw.split(",").map((scope) => scope.trim()).filter((scope) => scope.length > 0);
+}
+function resolveOpenAiCompatibleHttpOperatorScopes(req, requestAuth) {
+	if (usesSharedSecretGatewayMethod(requestAuth.authMethod)) return [...CLI_DEFAULT_OPERATOR_SCOPES];
+	return resolveTrustedHttpOperatorScopes(req, requestAuth);
+}
+function resolveHttpSenderIsOwner(req, authOrRequest) {
+	return resolveTrustedHttpOperatorScopes(req, authOrRequest).includes(ADMIN_SCOPE);
+}
+function resolveOpenAiCompatibleHttpSenderIsOwner(req, requestAuth) {
+	if (usesSharedSecretGatewayMethod(requestAuth.authMethod)) return true;
+	return resolveHttpSenderIsOwner(req, requestAuth);
+}
+function resolveAgentIdFromHeader(req) {
+	const raw = normalizeOptionalString(getHeader(req, "x-genesis-agent-id")) || normalizeOptionalString(getHeader(req, "x-genesis-agent")) || "";
+	if (!raw) return;
+	return normalizeAgentId(raw);
+}
+function resolveAgentIdFromModel(model, cfg = loadConfig()) {
+	const raw = model?.trim();
+	if (!raw) return;
+	const lowered = normalizeLowercaseStringOrEmpty(raw);
+	if (lowered === "genesis" || lowered === "genesis/default") return resolveDefaultAgentId(cfg);
+	const agentId = (raw.match(/^genesis[:/](?<agentId>[a-z0-9][a-z0-9_-]{0,63})$/i) ?? raw.match(/^agent:(?<agentId>[a-z0-9][a-z0-9_-]{0,63})$/i))?.groups?.agentId;
+	if (!agentId) return;
+	return normalizeAgentId(agentId);
+}
+async function resolveOpenAiCompatModelOverride(params) {
+	const requestModel = params.model?.trim();
+	if (requestModel && !resolveAgentIdFromModel(requestModel)) return { errorMessage: "Invalid `model`. Use `genesis` or `genesis/<agentId>`." };
+	const raw = getHeader(params.req, "x-genesis-model")?.trim();
+	if (!raw) return {};
+	const cfg = loadConfig();
+	const defaultProvider = resolveDefaultModelForAgent({
+		cfg,
+		agentId: params.agentId
+	}).provider;
+	const parsed = parseModelRef(raw, defaultProvider);
+	if (!parsed) return { errorMessage: "Invalid `x-genesis-model`." };
+	const allowed = buildAllowedModelSet({
+		cfg,
+		catalog: await loadGatewayModelCatalog(),
+		defaultProvider,
+		agentId: params.agentId
+	});
+	const normalized = modelKey(parsed.provider, parsed.model);
+	if (!allowed.allowAny && !allowed.allowedKeys.has(normalized)) return { errorMessage: `Model '${normalized}' is not allowed for agent '${params.agentId}'.` };
+	return { modelOverride: raw };
+}
+function resolveAgentIdForRequest(params) {
+	const cfg = loadConfig();
+	const fromHeader = resolveAgentIdFromHeader(params.req);
+	if (fromHeader) return fromHeader;
+	return resolveAgentIdFromModel(params.model, cfg) ?? resolveDefaultAgentId(cfg);
+}
+function resolveSessionKey(params) {
+	const explicit = getHeader(params.req, "x-genesis-session-key")?.trim();
+	if (explicit) return explicit;
+	const user = params.user?.trim();
+	const mainKey = user ? `${params.prefix}-user:${user}` : `${params.prefix}:${randomUUID()}`;
+	return buildAgentMainSessionKey({
+		agentId: params.agentId,
+		mainKey
+	});
+}
+function resolveGatewayRequestContext(params) {
+	const agentId = resolveAgentIdForRequest({
+		req: params.req,
+		model: params.model
+	});
+	return {
+		agentId,
+		sessionKey: resolveSessionKey({
+			req: params.req,
+			agentId,
+			user: params.user,
+			prefix: params.sessionPrefix
+		}),
+		messageChannel: params.useMessageChannelHeader ? normalizeMessageChannel(getHeader(params.req, "x-genesis-message-channel")) ?? params.defaultMessageChannel : params.defaultMessageChannel
+	};
+}
+//#endregion
+export { getHookSessionKeyPrefixError as A, resolveHookIdempotencyKey as B, setDefaultSecurityHeaders as C, extractHookToken as D, writeDone as E, normalizeHookHeaders as F, logLargePayload as G, resolveHookTargetAgentId as H, normalizeWakePayload as I, logRejectedLargePayload as K, readJsonBody as L, isSessionKeyAllowedByPrefix as M, normalizeAgentPayload as N, getHookAgentPolicyError as O, normalizeHookDispatchSessionKey as P, resolveHookChannel as R, sendMethodNotAllowed as S, watchClientDisconnect as T, resolveHooksConfig as U, resolveHookSessionKey as V, applyHookMappings as W, loadGatewayModelCatalog as _, checkGatewayHttpRequestAuth as a, sendInvalidRequest as b, resolveAgentIdForRequest as c, resolveHttpBrowserOriginPolicy as d, resolveOpenAiCompatModelOverride as f, __resetModelCatalogCacheForTest as g, resolveTrustedHttpOperatorScopes as h, authorizeScopedGatewayHttpRequestOrReply as i, isHookAgentAllowed as j, getHookChannelError as k, resolveAgentIdFromModel as l, resolveOpenAiCompatibleHttpSenderIsOwner as m, GENESIS_MODEL_ID as n, getBearerToken as o, resolveOpenAiCompatibleHttpOperatorScopes as p, authorizeGatewayHttpRequestOrReply as r, getHeader as s, GENESIS_DEFAULT_MODEL_ID as t, resolveGatewayRequestContext as u, readJsonBodyOrError as v, setSseHeaders as w, sendJson as x, sendGatewayAuthFailure as y, resolveHookDeliver as z };