@qearlyao/familiar 0.1.0

package/dist/settings.js

@@ -0,0 +1,116 @@
+import { mkdir, readFile, rename, writeFile } from "node:fs/promises";
+import { dirname, resolve } from "node:path";
+function isThinkingLevel(value) {
+    return (value === "off" ||
+        value === "minimal" ||
+        value === "low" ||
+        value === "medium" ||
+        value === "high" ||
+        value === "xhigh");
+}
+function isChannelTrigger(value) {
+    return value === "mention" || value === "always";
+}
+function normalizeChannelSettings(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value))
+        return {};
+    const input = value;
+    return {
+        model: typeof input.model === "string" && input.model.trim() ? input.model.trim() : undefined,
+        thinkingLevel: isThinkingLevel(input.thinkingLevel) ? input.thinkingLevel : undefined,
+        channelTrigger: isChannelTrigger(input.channelTrigger) ? input.channelTrigger : undefined,
+    };
+}
+function normalizeSettingsFile(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value))
+        return { version: 1, channels: {} };
+    const input = value;
+    const channelsInput = input.channels && typeof input.channels === "object" && !Array.isArray(input.channels)
+        ? input.channels
+        : {};
+    const channels = {};
+    for (const [channelKey, settings] of Object.entries(channelsInput)) {
+        const normalized = normalizeChannelSettings(settings);
+        if (normalized.model || normalized.thinkingLevel || normalized.channelTrigger)
+            channels[channelKey] = normalized;
+    }
+    return { version: 1, channels };
+}
+async function readSettingsFile(path) {
+    try {
+        const raw = await readFile(path, "utf8");
+        return normalizeSettingsFile(JSON.parse(raw));
+    }
+    catch (error) {
+        if (error && typeof error === "object" && "code" in error && error.code === "ENOENT") {
+            return { version: 1, channels: {} };
+        }
+        throw error;
+    }
+}
+function pruneChannel(settings) {
+    const pruned = {};
+    if (settings.model)
+        pruned.model = settings.model;
+    if (settings.thinkingLevel)
+        pruned.thinkingLevel = settings.thinkingLevel;
+    if (settings.channelTrigger)
+        pruned.channelTrigger = settings.channelTrigger;
+    return pruned.model || pruned.thinkingLevel || pruned.channelTrigger ? pruned : undefined;
+}
+export async function loadSettingsStore(config) {
+    const path = resolve(config.workspace.dataDir, "settings", "channel-overrides.json");
+    let file = await readSettingsFile(path);
+    let writeQueue = Promise.resolve();
+    const persist = async () => {
+        await mkdir(dirname(path), { recursive: true });
+        const tmpPath = `${path}.${process.pid}.${Date.now()}.tmp`;
+        await writeFile(tmpPath, `${JSON.stringify(file, null, 2)}\n`, "utf8");
+        await rename(tmpPath, path);
+    };
+    const enqueuePersist = () => {
+        const run = writeQueue.then(persist, () => persist());
+        writeQueue = run.then(() => undefined, () => undefined);
+        return run;
+    };
+    const updateChannel = async (channelKey, patch) => {
+        const next = pruneChannel({ ...file.channels[channelKey], ...patch });
+        const channels = { ...file.channels };
+        if (next)
+            channels[channelKey] = next;
+        else
+            delete channels[channelKey];
+        file = {
+            version: 1,
+            channels,
+        };
+        await enqueuePersist();
+    };
+    return {
+        path,
+        getChannelSettings(channelKey) {
+            return { ...file.channels[channelKey] };
+        },
+        getChannelModel(channelKey) {
+            const model = file.channels[channelKey]?.model;
+            return model ? { value: model, source: "override" } : { value: undefined, source: "config" };
+        },
+        getChannelThinkingLevel(channelKey, fallback) {
+            const thinkingLevel = file.channels[channelKey]?.thinkingLevel;
+            return thinkingLevel ? { value: thinkingLevel, source: "override" } : { value: fallback, source: "config" };
+        },
+        getChannelTrigger(channelKey, fallback) {
+            const channelTrigger = file.channels[channelKey]?.channelTrigger;
+            return channelTrigger ? { value: channelTrigger, source: "override" } : { value: fallback, source: "config" };
+        },
+        async setChannelModel(channelKey, model) {
+            await updateChannel(channelKey, { model });
+        },
+        async setChannelThinkingLevel(channelKey, thinkingLevel) {
+            await updateChannel(channelKey, { thinkingLevel });
+        },
+        async setChannelTrigger(channelKey, channelTrigger) {
+            await updateChannel(channelKey, { channelTrigger });
+        },
+    };
+}

package/dist/skills.js

@@ -0,0 +1,38 @@
+import { resolve } from "node:path";
+import { loadSkills } from "@earendil-works/pi-coding-agent";
+function escapeXml(value) {
+    return value
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&apos;");
+}
+export function loadFamiliarSkills(config) {
+    return loadSkills({
+        cwd: config.workspacePath,
+        agentDir: config.workspacePath,
+        skillPaths: [resolve(config.workspacePath, "skills")],
+        includeDefaults: false,
+    });
+}
+export function formatFamiliarSkillsForPrompt(skills) {
+    const visibleSkills = skills.filter((skill) => !skill.disableModelInvocation);
+    if (visibleSkills.length === 0)
+        return "";
+    const lines = ["<available_skills>"];
+    for (const skill of visibleSkills) {
+        lines.push("  <skill>");
+        lines.push(`    <name>${escapeXml(skill.name)}</name>`);
+        lines.push(`    <description>${escapeXml(skill.description)}</description>`);
+        lines.push(`    <location>${escapeXml(skill.filePath)}</location>`);
+        lines.push("  </skill>");
+    }
+    lines.push("</available_skills>");
+    return lines.join("\n");
+}
+export function logSkillDiagnostics(result) {
+    for (const diagnostic of result.diagnostics) {
+        console.warn(`skill ${diagnostic.type}: ${diagnostic.path}: ${diagnostic.message}`);
+    }
+}

package/dist/tts.js

@@ -0,0 +1,143 @@
+import { randomUUID } from "node:crypto";
+import { writeFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { Type } from "typebox";
+import { ensureGeneratedAttachmentsDir } from "./generated-media.js";
+const ELEVENLABS_TTS_BASE_URL = "https://api.elevenlabs.io/v1/text-to-speech";
+const AUDIO_EXTENSIONS = ["mp3", "opus", "pcm", "ulaw", "alaw"];
+const TTS_NOTICE_PREFIX = "Generated speech audio attachment:";
+const ttsSchema = Type.Object({
+    text: Type.String({ description: "Text to synthesize as speech." }),
+    voiceId: Type.Optional(Type.String({ description: "Optional ElevenLabs voice ID. Overrides the configured voice_id." })),
+}, { additionalProperties: false });
+export function audioExtension(outputFormat) {
+    for (const extension of AUDIO_EXTENSIONS) {
+        if (outputFormat.startsWith(`${extension}_`))
+            return extension;
+    }
+    return "mp3";
+}
+function formatTtsNotice(name) {
+    return `${TTS_NOTICE_PREFIX} ${name}`;
+}
+export function audioMimeType(outputFormat) {
+    if (outputFormat.startsWith("pcm_"))
+        return "audio/L16";
+    if (outputFormat.startsWith("ulaw_"))
+        return "audio/basic";
+    if (outputFormat.startsWith("alaw_"))
+        return "audio/basic";
+    if (outputFormat.startsWith("opus_"))
+        return "audio/ogg";
+    return "audio/mpeg";
+}
+export function isElevenLabsV3Model(modelId) {
+    return modelId === "eleven_v3" || modelId.startsWith("eleven_v3_");
+}
+export function buildElevenLabsVoiceSettings(config) {
+    const settings = config.tts.voiceSettings;
+    if (isElevenLabsV3Model(config.tts.modelId)) {
+        return {
+            stability: settings.stability,
+        };
+    }
+    return {
+        stability: settings.stability,
+        similarity_boost: settings.similarityBoost,
+        style: settings.style,
+        speed: settings.speed,
+        use_speaker_boost: settings.useSpeakerBoost,
+    };
+}
+async function readElevenLabsError(response) {
+    const text = await response.text().catch(() => "");
+    if (!text.trim())
+        return `${response.status} ${response.statusText}`.trim();
+    try {
+        const parsed = JSON.parse(text);
+        if (parsed && typeof parsed === "object" && "detail" in parsed) {
+            const detail = parsed.detail;
+            if (typeof detail === "string")
+                return detail;
+            if (detail && typeof detail === "object" && "message" in detail) {
+                const message = detail.message;
+                if (typeof message === "string")
+                    return message;
+            }
+        }
+    }
+    catch { }
+    return text;
+}
+export function createTtsTool(config, mediaSink) {
+    return {
+        name: "tts",
+        label: "tts",
+        description: "synthesize text into a voice message. bracketed tags steer delivery — voice tags like [laughs] or [whispers], sound effects like [applause] or [gunshot], special tags like [sings] or [strong Manchester accent]. tags go before the text they affect; combine when useful, like [excited][laughs]. keep them short.",
+        parameters: ttsSchema,
+        executionMode: "sequential",
+        async execute(_toolCallId, input, signal) {
+            const text = input.text.trim();
+            if (!text)
+                throw new Error("tts text is required.");
+            if (text.length > config.tts.maxInputChars) {
+                throw new Error(`tts text is too long (${text.length}/${config.tts.maxInputChars} chars).`);
+            }
+            const voiceId = input.voiceId?.trim() || config.tts.voiceId.trim();
+            if (!voiceId)
+                throw new Error("tts.voice_id is not configured and no voiceId was provided.");
+            const apiKey = process.env[config.tts.apiKeyEnv];
+            if (!apiKey)
+                throw new Error(`Missing ElevenLabs API key env: ${config.tts.apiKeyEnv}`);
+            const outputFormat = config.tts.outputFormat;
+            const url = new URL(`${ELEVENLABS_TTS_BASE_URL}/${encodeURIComponent(voiceId)}`);
+            url.searchParams.set("output_format", outputFormat);
+            const response = await fetch(url, {
+                method: "POST",
+                headers: {
+                    "content-type": "application/json",
+                    "xi-api-key": apiKey,
+                },
+                body: JSON.stringify({
+                    text,
+                    model_id: config.tts.modelId,
+                    voice_settings: buildElevenLabsVoiceSettings(config),
+                }),
+                signal,
+            });
+            if (!response.ok) {
+                throw new Error(`ElevenLabs TTS failed: ${await readElevenLabsError(response)}`);
+            }
+            const buffer = Buffer.from(await response.arrayBuffer());
+            const attachmentDir = await ensureGeneratedAttachmentsDir(config);
+            const extension = audioExtension(outputFormat);
+            const id = `tts_${randomUUID()}`;
+            const name = `${id}.${extension}`;
+            const localPath = resolve(attachmentDir, name);
+            await writeFile(localPath, buffer);
+            const mimeType = audioMimeType(outputFormat);
+            const attachment = {
+                id,
+                name,
+                mimeType,
+                size: buffer.length,
+                localPath,
+                provider: "elevenlabs",
+                toolName: "tts",
+            };
+            mediaSink.add(attachment);
+            return {
+                content: [{ type: "text", text: formatTtsNotice(name) }],
+                details: {
+                    provider: "elevenlabs",
+                    voiceId,
+                    modelId: config.tts.modelId,
+                    outputFormat,
+                    localPath,
+                    mimeType,
+                    size: buffer.length,
+                },
+            };
+        },
+    };
+}

package/dist/web-auth.js

@@ -0,0 +1,105 @@
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+const SESSION_TTL_MS = 12 * 60 * 60 * 1000;
+function safeEqual(a, b) {
+    const left = Buffer.from(a);
+    const right = Buffer.from(b);
+    return left.length === right.length && timingSafeEqual(left, right);
+}
+function parseCookies(header) {
+    const cookies = {};
+    for (const part of (header ?? "").split(";")) {
+        const [name, ...valueParts] = part.trim().split("=");
+        if (!name)
+            continue;
+        cookies[name] = decodeURIComponent(valueParts.join("="));
+    }
+    return cookies;
+}
+function decodeTotpSecret(secret) {
+    const normalized = secret.replace(/\s+/g, "").replace(/=+$/g, "").toUpperCase();
+    if (!/^[A-Z2-7]+$/.test(normalized))
+        return Buffer.from(secret, "utf8");
+    const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+    let bits = "";
+    for (const char of normalized) {
+        const value = alphabet.indexOf(char);
+        if (value < 0)
+            return Buffer.from(secret, "utf8");
+        bits += value.toString(2).padStart(5, "0");
+    }
+    const bytes = [];
+    for (let offset = 0; offset + 8 <= bits.length; offset += 8) {
+        bytes.push(Number.parseInt(bits.slice(offset, offset + 8), 2));
+    }
+    return Buffer.from(bytes);
+}
+export function verifyTotp(secret, token, now = Date.now()) {
+    const normalized = token.replace(/\s+/g, "");
+    if (!/^\d{6}$/.test(normalized))
+        return false;
+    const secretBuffer = decodeTotpSecret(secret);
+    const counter = Math.floor(now / 30000);
+    for (let offset = -1; offset <= 1; offset++) {
+        const counterBuffer = Buffer.alloc(8);
+        counterBuffer.writeBigUInt64BE(BigInt(counter + offset));
+        const hmac = createHmac("sha1", secretBuffer).update(counterBuffer).digest();
+        const digestOffset = hmac[hmac.length - 1] & 0x0f;
+        const code = (((hmac[digestOffset] & 0x7f) << 24) |
+            ((hmac[digestOffset + 1] & 0xff) << 16) |
+            ((hmac[digestOffset + 2] & 0xff) << 8) |
+            (hmac[digestOffset + 3] & 0xff)) %
+            1000000;
+        if (safeEqual(code.toString().padStart(6, "0"), normalized))
+            return true;
+    }
+    return false;
+}
+function readBearerToken(request) {
+    const header = request.headers.authorization;
+    if (!header)
+        return undefined;
+    const match = header.match(/^Bearer\s+(.+)$/i);
+    return match?.[1];
+}
+export function createAuth(config) {
+    const sessions = new Map();
+    const pruneSessions = () => {
+        const now = Date.now();
+        for (const [id, session] of sessions) {
+            if (session.expiresAt <= now)
+                sessions.delete(id);
+        }
+    };
+    const hasBearer = (request) => {
+        if (!config.web.bearerToken)
+            return false;
+        const token = readBearerToken(request);
+        return token !== undefined && safeEqual(token, config.web.bearerToken);
+    };
+    const hasSession = (request) => {
+        pruneSessions();
+        const sessionId = parseCookies(request.headers.cookie).familiar_session;
+        if (!sessionId)
+            return false;
+        return sessions.has(sessionId);
+    };
+    const authorize = (request, pathname) => {
+        if (pathname === "/api/web/auth/mode")
+            return true;
+        if (config.web.authMode === "tailscale-only")
+            return true;
+        if (config.web.authMode === "bearer")
+            return hasBearer(request);
+        return hasSession(request) || hasBearer(request);
+    };
+    const createSession = () => {
+        pruneSessions();
+        const id = randomBytes(32).toString("base64url");
+        sessions.set(id, { expiresAt: Date.now() + SESSION_TTL_MS });
+        return id;
+    };
+    return { authorize, createSession };
+}
+export function sessionCookie(sessionId) {
+    return `familiar_session=${encodeURIComponent(sessionId)}; HttpOnly; SameSite=Lax; Max-Age=${Math.floor(SESSION_TTL_MS / 1000)}; Path=/api/web`;
+}

package/dist/web-events.js

@@ -0,0 +1,114 @@
+import { createHash } from "node:crypto";
+export function encodeFrame(text) {
+    const payload = Buffer.from(text, "utf8");
+    let header;
+    if (payload.length < 126) {
+        header = Buffer.from([0x81, payload.length]);
+    }
+    else if (payload.length <= 0xffff) {
+        header = Buffer.alloc(4);
+        header[0] = 0x81;
+        header[1] = 126;
+        header.writeUInt16BE(payload.length, 2);
+    }
+    else {
+        header = Buffer.alloc(10);
+        header[0] = 0x81;
+        header[1] = 127;
+        header.writeBigUInt64BE(BigInt(payload.length), 2);
+    }
+    return Buffer.concat([header, payload]);
+}
+export function decodeFrames(buffer) {
+    const messages = [];
+    let offset = 0;
+    let close = false;
+    while (offset + 2 <= buffer.length) {
+        const first = buffer[offset];
+        const second = buffer[offset + 1];
+        const opcode = first & 0x0f;
+        const masked = (second & 0x80) !== 0;
+        let length = second & 0x7f;
+        let headerLength = 2;
+        if (length === 126) {
+            if (offset + 4 > buffer.length)
+                break;
+            length = buffer.readUInt16BE(offset + 2);
+            headerLength = 4;
+        }
+        else if (length === 127) {
+            if (offset + 10 > buffer.length)
+                break;
+            const bigLength = buffer.readBigUInt64BE(offset + 2);
+            if (bigLength > BigInt(Number.MAX_SAFE_INTEGER))
+                throw new Error("WebSocket frame too large");
+            length = Number(bigLength);
+            headerLength = 10;
+        }
+        const maskLength = masked ? 4 : 0;
+        const frameEnd = offset + headerLength + maskLength + length;
+        if (frameEnd > buffer.length)
+            break;
+        const payloadStart = offset + headerLength + maskLength;
+        const payload = Buffer.from(buffer.subarray(payloadStart, frameEnd));
+        if (masked) {
+            const mask = buffer.subarray(offset + headerLength, offset + headerLength + 4);
+            for (let index = 0; index < payload.length; index++)
+                payload[index] ^= mask[index % 4];
+        }
+        if (opcode === 0x8)
+            close = true;
+        if (opcode === 0x1)
+            messages.push(payload.toString("utf8"));
+        offset = frameEnd;
+    }
+    return { messages, remaining: buffer.subarray(offset), close };
+}
+export function acceptWebSocket(request, socket) {
+    const key = request.headers["sec-websocket-key"];
+    if (typeof key !== "string") {
+        socket.write("HTTP/1.1 400 Bad Request\r\n\r\n");
+        socket.destroy();
+        return false;
+    }
+    const responseKey = createHash("sha1").update(`${key}258EAFA5-E914-47DA-95CA-C5AB0DC85B11`).digest("base64");
+    socket.write([
+        "HTTP/1.1 101 Switching Protocols",
+        "Upgrade: websocket",
+        "Connection: Upgrade",
+        `Sec-WebSocket-Accept: ${responseKey}`,
+        "",
+        "",
+    ].join("\r\n"));
+    return true;
+}
+export function replayEvents(client, events, lastEventId, onReplayWindowLost) {
+    if (!lastEventId) {
+        client.authed = true;
+        for (const event of client.pendingEvents ?? []) {
+            client.socket.write(encodeFrame(JSON.stringify(event)));
+        }
+        client.pendingEvents = undefined;
+        return;
+    }
+    const pending = client.pendingEvents ?? [];
+    const index = events.findIndex((event) => event.eventId === lastEventId);
+    if (index < 0) {
+        client.authed = true;
+        client.socket.write(encodeFrame(JSON.stringify(onReplayWindowLost())));
+        for (const event of pending) {
+            client.socket.write(encodeFrame(JSON.stringify(event)));
+        }
+        client.pendingEvents = undefined;
+        return;
+    }
+    client.authed = true;
+    const eventIds = new Set();
+    for (const event of [...events.slice(index + 1), ...pending]) {
+        if (eventIds.has(event.eventId))
+            continue;
+        eventIds.add(event.eventId);
+        client.socket.write(encodeFrame(JSON.stringify(event)));
+    }
+    client.pendingEvents = undefined;
+}

package/dist/web-http.js

@@ -0,0 +1,29 @@
+export const MAX_BODY_BYTES = 64 * 1024;
+export function sendJson(response, status, body, headers = {}) {
+    response.writeHead(status, {
+        "content-type": "application/json; charset=utf-8",
+        "cache-control": "no-store",
+        ...headers,
+    });
+    response.end(JSON.stringify(body));
+}
+export function sendText(response, status, text) {
+    response.writeHead(status, { "content-type": "text/plain; charset=utf-8", "cache-control": "no-store" });
+    response.end(text);
+}
+export async function readJsonBody(request) {
+    const chunks = [];
+    let total = 0;
+    for await (const chunk of request) {
+        const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+        total += buffer.length;
+        if (total > MAX_BODY_BYTES)
+            throw new Error("Request body too large");
+        chunks.push(buffer);
+    }
+    const raw = Buffer.concat(chunks).toString("utf8").trim();
+    return raw ? JSON.parse(raw) : {};
+}
+export function isObject(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value);
+}

package/dist/web-static.js

@@ -0,0 +1,106 @@
+import { createReadStream, existsSync } from "node:fs";
+import { lstat, realpath, stat } from "node:fs/promises";
+import { extname, join, relative, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { attachmentsDir, browserScreenshotsDir, generatedAttachmentsDir } from "./generated-media.js";
+import { sendText } from "./web-http.js";
+function getProjectRoot() {
+    return resolve(fileURLToPath(import.meta.url), "../..");
+}
+function mimeType(path) {
+    const extension = extname(path).toLowerCase();
+    if (extension === ".html")
+        return "text/html; charset=utf-8";
+    if (extension === ".js")
+        return "text/javascript; charset=utf-8";
+    if (extension === ".css")
+        return "text/css; charset=utf-8";
+    if (extension === ".svg")
+        return "image/svg+xml";
+    if (extension === ".png")
+        return "image/png";
+    if (extension === ".jpg" || extension === ".jpeg")
+        return "image/jpeg";
+    if (extension === ".gif")
+        return "image/gif";
+    if (extension === ".webp")
+        return "image/webp";
+    if (extension === ".ico")
+        return "image/x-icon";
+    if (extension === ".mp3")
+        return "audio/mpeg";
+    if (extension === ".opus" || extension === ".ogg")
+        return "audio/ogg";
+    if (extension === ".wav")
+        return "audio/wav";
+    return "application/octet-stream";
+}
+export async function serveStatic(response, requestPath) {
+    const distDir = resolve(getProjectRoot(), "web/dist");
+    if (!existsSync(distDir))
+        return false;
+    const pathname = decodeURIComponent(requestPath.split("?")[0] || "/");
+    const candidate = resolve(distDir, pathname === "/" ? "index.html" : pathname.slice(1));
+    if (!candidate.startsWith(distDir)) {
+        sendText(response, 403, "Forbidden");
+        return true;
+    }
+    let filePath = candidate;
+    const fileStat = await stat(filePath).catch(() => undefined);
+    if (!fileStat?.isFile())
+        filePath = join(distDir, "index.html");
+    const stream = createReadStream(filePath);
+    response.writeHead(200, { "content-type": mimeType(filePath) });
+    stream.pipe(response);
+    return true;
+}
+export async function serveAttachment(config, response, requestPath) {
+    const relativePath = decodeURIComponent(requestPath.replace(/^\/api\/web\/attachments\/?/, ""));
+    if (!relativePath) {
+        sendText(response, 404, "Not found");
+        return true;
+    }
+    const candidates = [
+        { root: generatedAttachmentsDir(config), relativePath },
+        { root: attachmentsDir(config), relativePath },
+        { root: browserScreenshotsDir(config), relativePath: relativePath.replace(/^screenshot[\\/]/, "") },
+    ];
+    for (const { root, relativePath: candidateRelativePath } of candidates) {
+        const rootRealPath = await realpath(root).catch(() => undefined);
+        if (!rootRealPath)
+            continue;
+        const filePath = resolve(root, candidateRelativePath);
+        const rel = relative(root, filePath);
+        if (rel.startsWith("..") || rel.startsWith("/") || rel.startsWith("\\") || rel === "") {
+            sendText(response, 403, "Forbidden");
+            return true;
+        }
+        const linkStat = await lstat(filePath).catch(() => undefined);
+        if (!linkStat)
+            continue;
+        if (linkStat.isSymbolicLink()) {
+            sendText(response, 403, "Forbidden");
+            return true;
+        }
+        const fileRealPath = await realpath(filePath).catch(() => undefined);
+        if (!fileRealPath)
+            continue;
+        const realRel = relative(rootRealPath, fileRealPath);
+        if (realRel.startsWith("..") || realRel.startsWith("/") || realRel.startsWith("\\") || realRel === "") {
+            sendText(response, 403, "Forbidden");
+            return true;
+        }
+        const fileStat = await stat(fileRealPath).catch(() => undefined);
+        if (!fileStat?.isFile())
+            continue;
+        response.writeHead(200, {
+            "content-type": mimeType(filePath),
+            "content-length": String(fileStat.size),
+            "cache-control": "private, max-age=31536000, immutable",
+        });
+        createReadStream(fileRealPath).pipe(response);
+        return true;
+    }
+    sendText(response, 404, "Not found");
+    return true;
+}