@qearlyao/familiar 0.3.0 → 0.4.1

package/dist/web/agent-routes.js

@@ -0,0 +1,104 @@
+import { getProviders } from "@earendil-works/pi-ai";
+import { addModel, loadAddedModels, removeModel } from "../models/added-models.js";
+import { PROVIDER_DEFAULTS, parseModelRef } from "../models/index.js";
+import { isRecord } from "../util/guards.js";
+import { errorMessage } from "./errors.js";
+import { HttpError, readJsonBody, sendJson } from "./http.js";
+import { agentSettingsPayload } from "./payloads.js";
+import { getChannelKeyFromRequest } from "./route-helpers.js";
+function agentModelsPayload(config) {
+    const models = [];
+    const added = [];
+    const seen = new Set();
+    for (const model of config.models.allow) {
+        if (seen.has(model))
+            continue;
+        seen.add(model);
+        models.push(model);
+    }
+    for (const model of loadAddedModels()) {
+        if (seen.has(model))
+            continue;
+        seen.add(model);
+        models.push(model);
+        added.push(model);
+    }
+    return { models, added };
+}
+function parseRequestedModel(value) {
+    if (typeof value !== "string")
+        throw new HttpError(400, "format must be provider/model-id");
+    const ref = parseModelRef(value);
+    if (!ref)
+        throw new HttpError(400, "format must be provider/model-id");
+    return { model: ref.key, ref };
+}
+export function registerWebAgentRoutes(options) {
+    const { route, config, familiarAgent, getRuntime, personaName, publish } = options;
+    route("GET", "/api/web/agent/settings", async (_request, response, url) => {
+        const runtime = await getRuntime(getChannelKeyFromRequest(url));
+        sendJson(response, 200, agentSettingsPayload(familiarAgent, runtime.channelKey, personaName));
+    });
+    route("GET", "/api/web/agent/models", async (_request, response) => {
+        sendJson(response, 200, agentModelsPayload(config));
+    });
+    route("POST", "/api/web/agent/models", async (request, response) => {
+        const body = await readJsonBody(request);
+        if (!isRecord(body)) {
+            throw new HttpError(400, "body is required");
+        }
+        const parsed = parseRequestedModel(body.model);
+        if (!Object.hasOwn(PROVIDER_DEFAULTS, parsed.ref.provider) &&
+            !getProviders().includes(parsed.ref.provider)) {
+            throw new HttpError(400, `unsupported provider: ${parsed.ref.provider}`);
+        }
+        if (config.models.allow.includes(parsed.model) || loadAddedModels().includes(parsed.model)) {
+            sendJson(response, 200, agentModelsPayload(config));
+            return;
+        }
+        await addModel(parsed.model);
+        sendJson(response, 200, agentModelsPayload(config));
+    });
+    route("DELETE", "/api/web/agent/models", async (request, response) => {
+        const body = await readJsonBody(request);
+        if (!isRecord(body)) {
+            throw new HttpError(400, "body is required");
+        }
+        const parsed = parseRequestedModel(body.model);
+        if (!loadAddedModels().includes(parsed.model)) {
+            throw new HttpError(400, "model is not user-added");
+        }
+        await removeModel(parsed.model);
+        sendJson(response, 200, agentModelsPayload(config));
+    });
+    route("POST", "/api/web/agent/settings", async (request, response, url) => {
+        const body = await readJsonBody(request);
+        const runtime = await getRuntime(getChannelKeyFromRequest(url, body));
+        if (!isRecord(body)) {
+            throw new HttpError(400, "body is required");
+        }
+        try {
+            if (typeof body.model === "string")
+                await familiarAgent.setModel(runtime.channelKey, body.model);
+            if (typeof body.thinking === "string")
+                await familiarAgent.setThinkingLevel(runtime.channelKey, body.thinking);
+        }
+        catch (error) {
+            throw new HttpError(400, errorMessage(error));
+        }
+        sendJson(response, 200, agentSettingsPayload(familiarAgent, runtime.channelKey, personaName));
+    });
+    route("POST", "/api/web/agent/new", async (request, response, url) => {
+        const body = await readJsonBody(request);
+        const runtime = await getRuntime(getChannelKeyFromRequest(url, body));
+        await familiarAgent.reset(runtime.channelKey);
+        await runtime.resetConversation("new conversation requested from web");
+        publish({
+            type: "status",
+            channelKey: runtime.channelKey,
+            kind: "idle",
+            detail: "started fresh from web",
+        });
+        sendJson(response, 200, { ok: true });
+    });
+}

package/dist/web/auth-routes.js

@@ -0,0 +1,39 @@
+import { isRecord } from "../util/guards.js";
+import { clearSessionCookie, requestAuthContext } from "./auth.js";
+import { HttpError, readJsonBody, sendJson } from "./http.js";
+export function registerWebAuthRoutes(route, auth, options) {
+    route("GET", "/api/web/auth/mode", async (_request, response) => {
+        sendJson(response, 200, { mode: options.authMode, personaName: options.personaName });
+    });
+    route("POST", "/api/web/auth/login", async (request, response) => {
+        const body = await readJsonBody(request);
+        const result = await auth.login(request, body);
+        sendJson(response, result.status, result.body, result.cookie ? { "set-cookie": result.cookie } : {});
+    });
+    route("GET", "/api/web/auth/session", async (request, response) => {
+        const device = await auth.currentDevice(request);
+        if (!device) {
+            throw new HttpError(401, "unauthorized");
+        }
+        sendJson(response, 200, { device });
+    });
+    route("GET", "/api/web/auth/devices", async (request, response) => {
+        sendJson(response, 200, { devices: auth.listDevices(request) });
+    });
+    route("DELETE", "/api/web/auth/devices", async (request, response) => {
+        const body = await readJsonBody(request);
+        if (!isRecord(body) || typeof body.id !== "string" || !body.id.trim()) {
+            throw new HttpError(400, "device id is required");
+        }
+        await auth.revokeDevice(body.id);
+        sendJson(response, 200, { ok: true });
+    });
+    route("POST", "/api/web/auth/devices/revoke-others", async (request, response) => {
+        const revoked = await auth.revokeOthers(request);
+        sendJson(response, 200, { ok: true, revoked });
+    });
+    route("POST", "/api/web/auth/logout", async (request, response) => {
+        await auth.logout(request);
+        sendJson(response, 200, { ok: true }, { "set-cookie": clearSessionCookie(requestAuthContext(request).secure) });
+    });
+}

package/dist/web/auth.js

@@ -1,5 +1,10 @@
-import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
-const SESSION_TTL_MS = 12 * 60 * 60 * 1000;
+import { createHash, createHmac, timingSafeEqual } from "node:crypto";
+import { isRecord } from "../util/guards.js";
+import { requestAuthContext } from "./request-context.js";
+import { SESSION_TTL_MS } from "./session-store.js";
+const LOGIN_WINDOW_MS = 10 * 60 * 1000;
+const LOGIN_LOCKOUT_MS = 30 * 60 * 1000;
+const LOGIN_MAX_FAILURES = 5;
 function safeEqual(a, b) {
     const left = Buffer.from(a);
     const right = Buffer.from(b);
@@ -67,45 +72,134 @@ function readBearerToken(request) {
     const match = header.match(/^Bearer (.+)$/i);
     return match?.[1];
 }
-export function createAuth(config) {
-    const sessions = new Map();
-    const pruneSessions = () => {
-        const now = Date.now();
-        for (const [id, session] of sessions) {
-            if (session.expiresAt <= now)
-                sessions.delete(id);
-        }
-    };
+function readSessionToken(request) {
+    return parseCookies(request.headers.cookie).familiar_session;
+}
+function sha256(value) {
+    return createHash("sha256").update(value).digest("hex");
+}
+function normalizeString(value) {
+    return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+function tokenFingerprint(token) {
+    return sha256(token).slice(0, 24);
+}
+export function sessionCookie(sessionToken, secure, maxAgeMs = SESSION_TTL_MS) {
+    return [
+        `familiar_session=${encodeURIComponent(sessionToken)}`,
+        "HttpOnly",
+        "SameSite=Lax",
+        `Max-Age=${Math.floor(maxAgeMs / 1000)}`,
+        "Path=/api/web",
+        ...(secure ? ["Secure"] : []),
+    ].join("; ");
+}
+export function clearSessionCookie(secure) {
+    return [
+        "familiar_session=",
+        "HttpOnly",
+        "SameSite=Lax",
+        "Max-Age=0",
+        "Path=/api/web",
+        ...(secure ? ["Secure"] : []),
+    ].join("; ");
+}
+export function createAuth(config, sessions) {
+    const ipBuckets = new Map();
+    const tokenBuckets = new Map();
     const hasBearer = (request) => {
         if (!config.web.bearerToken)
             return false;
         const token = readBearerToken(request);
         return token !== undefined && safeEqual(token, config.web.bearerToken);
     };
-    const hasSession = (request) => {
-        pruneSessions();
-        const sessionId = parseCookies(request.headers.cookie).familiar_session;
-        if (!sessionId)
+    const checkBucket = (bucket, now) => {
+        if (!bucket)
             return false;
-        return sessions.has(sessionId);
+        if (bucket.lockedUntil && bucket.lockedUntil > now)
+            return true;
+        if (now - bucket.windowStartedAt > LOGIN_WINDOW_MS) {
+            bucket.count = 0;
+            bucket.windowStartedAt = now;
+            bucket.lockedUntil = undefined;
+        }
+        return false;
     };
-    const authorize = (request, pathname) => {
-        if (pathname === "/api/web/auth/mode")
+    const recordFailure = (map, key, now) => {
+        const current = map.get(key);
+        const bucket = current && now - current.windowStartedAt <= LOGIN_WINDOW_MS ? current : { count: 0, windowStartedAt: now };
+        bucket.count += 1;
+        if (bucket.count >= LOGIN_MAX_FAILURES)
+            bucket.lockedUntil = now + LOGIN_LOCKOUT_MS;
+        map.set(key, bucket);
+    };
+    const clearFailures = (clientIp, token) => {
+        ipBuckets.delete(clientIp);
+        tokenBuckets.delete(tokenFingerprint(token));
+    };
+    const publicPath = (method, pathname) => {
+        if (method === "GET" && pathname === "/api/web/auth/mode")
+            return true;
+        if (method === "POST" && pathname === "/api/web/auth/login")
+            return config.web.authMode === "bearer";
+        return false;
+    };
+    const authorize = async (request, pathname) => {
+        if (publicPath(request.method, pathname))
             return true;
         if (config.web.authMode === "tailscale-only")
             return true;
-        if (config.web.authMode === "bearer")
-            return hasBearer(request);
-        return hasSession(request) || hasBearer(request);
+        if (hasBearer(request))
+            return true;
+        const token = readSessionToken(request);
+        return !!(await sessions.authenticateSession(token, requestAuthContext(request)));
     };
-    const createSession = () => {
-        pruneSessions();
-        const id = randomBytes(32).toString("base64url");
-        sessions.set(id, { expiresAt: Date.now() + SESSION_TTL_MS });
-        return id;
+    const currentDevice = (request) => sessions.authenticateSession(readSessionToken(request), requestAuthContext(request));
+    const login = async (request, body) => {
+        const context = requestAuthContext(request);
+        const token = isRecord(body) && typeof body.token === "string" ? body.token : "";
+        const fingerprint = tokenFingerprint(token);
+        if (checkBucket(ipBuckets.get(context.clientIp), context.now) ||
+            checkBucket(tokenBuckets.get(fingerprint), context.now)) {
+            return { status: 429, body: { error: "too many login attempts" } };
+        }
+        if (!config.web.bearerToken || !safeEqual(token, config.web.bearerToken)) {
+            recordFailure(ipBuckets, context.clientIp, context.now);
+            recordFailure(tokenBuckets, fingerprint, context.now);
+            return { status: 401, body: { error: "unauthorized" } };
+        }
+        clearFailures(context.clientIp, token);
+        const { token: sessionToken, device } = await sessions.createSession({
+            deviceName: isRecord(body) ? normalizeString(body.deviceName) : undefined,
+            context,
+        });
+        return {
+            status: 200,
+            body: { device },
+            cookie: sessionCookie(sessionToken, context.secure),
+        };
+    };
+    const createSession = (request, deviceName) => sessions.createSession({ deviceName, context: requestAuthContext(request) });
+    return {
+        authorize,
+        currentDevice,
+        createSession,
+        hasBearer,
+        login,
+        listDevices(request) {
+            return sessions.listDevices(readSessionToken(request));
+        },
+        revokeDevice(id) {
+            return sessions.revokeDevice(id);
+        },
+        revokeOthers(request) {
+            return sessions.revokeOthers(readSessionToken(request));
+        },
+        logout(request) {
+            return sessions.revokeCurrent(readSessionToken(request));
+        },
+        clearFailures,
     };
-    return { authorize, createSession };
-}
-export function sessionCookie(sessionId) {
-    return `familiar_session=${encodeURIComponent(sessionId)}; HttpOnly; SameSite=Lax; Max-Age=${Math.floor(SESSION_TTL_MS / 1000)}; Path=/api/web`;
 }
+export { requestAuthContext } from "./request-context.js";
+export { loadWebSessionStore } from "./session-store.js";

package/dist/web/config-routes.js

@@ -0,0 +1,55 @@
+import { loadConfigOverrides } from "../config/overrides.js";
+import { CONFIG_KEYS, CONFIG_REGISTRY, clearConfigChange, commitConfigChange, isConfigKey, } from "../config/registry.js";
+import { isRecord } from "../util/guards.js";
+import { errorMessage } from "./errors.js";
+import { HttpError, readJsonBody, sendJson } from "./http.js";
+function configPayload(config) {
+    const overrides = loadConfigOverrides();
+    const values = {};
+    for (const key of CONFIG_KEYS) {
+        const entry = CONFIG_REGISTRY[key];
+        values[key] = {
+            value: entry.read(config),
+            source: key in overrides ? "override" : "config",
+        };
+    }
+    return { values };
+}
+function configChangeFromBody(body) {
+    if (!isRecord(body) || typeof body.key !== "string") {
+        throw new HttpError(400, "key is required");
+    }
+    if (!isConfigKey(body.key)) {
+        throw new HttpError(400, `unknown config key: ${body.key}`);
+    }
+    return { key: body.key, value: body.value };
+}
+export function registerWebConfigRoutes(route, config, agentCore) {
+    route("GET", "/api/web/config", async (_request, response) => {
+        sendJson(response, 200, configPayload(config));
+    });
+    route("POST", "/api/web/config", async (request, response) => {
+        const body = await readJsonBody(request);
+        const { key, value } = configChangeFromBody(body);
+        const entry = CONFIG_REGISTRY[key];
+        try {
+            const validated = entry.validate(value, config);
+            await commitConfigChange(key, validated, { config, scheduler: agentCore });
+        }
+        catch (error) {
+            throw new HttpError(400, errorMessage(error));
+        }
+        sendJson(response, 200, configPayload(config));
+    });
+    route("DELETE", "/api/web/config", async (request, response) => {
+        const body = await readJsonBody(request);
+        const { key } = configChangeFromBody(body);
+        try {
+            await clearConfigChange(key, { config, scheduler: agentCore });
+        }
+        catch (error) {
+            throw new HttpError(400, errorMessage(error));
+        }
+        sendJson(response, 200, configPayload(config));
+    });
+}

package/dist/web/conversation-routes.js

@@ -0,0 +1,122 @@
+import { readFile } from "node:fs/promises";
+import { getContactNickname } from "../conversation/contact-note.js";
+import { messageId } from "../conversation/ids.js";
+import { materializeInboundAttachments } from "../media/inbound-attachments.js";
+import { isRecord } from "../util/guards.js";
+import { requestAuthContext, sessionCookie, verifyTotp } from "./auth.js";
+import { HttpError, readJsonBody, sendJson } from "./http.js";
+import { memeCatalogPath, parseMemeCatalog } from "./memes.js";
+import { webHistoryPayload } from "./messages.js";
+import { isMultipartContentType, isWebUploadAttachment, readMultipartBody, } from "./multipart.js";
+import { commandArgs, sessionDto } from "./payloads.js";
+import { getChannelKeyFromRequest } from "./route-helpers.js";
+import { WEB_USER_NAME } from "./types.js";
+export function registerWebConversationRoutes(options) {
+    const { route, config, auth, authMode, agentCore, getRuntime, personaName, actions } = options;
+    route("GET", "/api/web/sessions", async (_request, response) => {
+        if (!agentCore.hasSessionSource()) {
+            sendJson(response, 200, { sessions: [] });
+            return;
+        }
+        const sessions = await agentCore.getWebSessions();
+        sendJson(response, 200, { sessions: sessions.map(sessionDto) });
+    });
+    route("GET", "/api/web/history", async (_request, response, url) => {
+        const runtime = await getRuntime(getChannelKeyFromRequest(url));
+        const limit = Math.min(Math.max(Number(url.searchParams.get("limit") ?? 50) || 50, 1), 200);
+        const before = url.searchParams.get("before") ?? undefined;
+        sendJson(response, 200, webHistoryPayload(config, runtime.getRecords(), personaName, runtime.channelKey, { limit, before }));
+    });
+    route("GET", "/api/web/memes", async (_request, response) => {
+        try {
+            const markdown = await readFile(memeCatalogPath(config), "utf8");
+            sendJson(response, 200, { families: parseMemeCatalog(markdown) });
+        }
+        catch {
+            sendJson(response, 500, { error: "memes catalog unavailable" });
+        }
+    });
+    route("POST", "/api/web/send", async (request, response, url) => {
+        const contentType = request.headers["content-type"] ?? "";
+        const isMultipart = isMultipartContentType(contentType);
+        const body = isMultipart ? await readMultipartBody(request, contentType) : await readJsonBody(request);
+        const runtime = await getRuntime(getChannelKeyFromRequest(url, body));
+        if (!isRecord(body) || typeof body.text !== "string") {
+            throw new HttpError(400, "text is required");
+        }
+        if (!isMultipart && isRecord(body) && Array.isArray(body.attachments) && body.attachments.length > 0) {
+            throw new HttpError(400, "attachments require multipart form data");
+        }
+        const rawAttachments = Array.isArray(body.attachments) ? body.attachments : [];
+        const attachments = await materializeInboundAttachments(config, rawAttachments
+            .filter((attachment) => isWebUploadAttachment(attachment))
+            .map((attachment) => ({ ...attachment, source: "web" })));
+        if (!body.text.trim() && attachments.length === 0) {
+            throw new HttpError(400, "text or attachment is required");
+        }
+        const id = messageId("user");
+        const ts = Date.now();
+        const input = {
+            messageId: id,
+            authorId: config.discord.ownerId,
+            authorName: getContactNickname(WEB_USER_NAME),
+            text: body.text,
+            isBot: false,
+            mentionedBot: true,
+            remoteTimestamp: new Date(ts).toISOString(),
+            checkpoint: { messageId: id },
+            attachments,
+        };
+        await runtime.ingestInbound(input, { mode: "queue" });
+        void actions.drainJobs(runtime).catch((error) => console.error("Web job drain failed", error));
+        sendJson(response, 200, { id, ts, channelKey: runtime.channelKey });
+    });
+    route("POST", "/api/web/retry", async (request, response, url) => {
+        const body = await readJsonBody(request);
+        const runtime = await getRuntime(getChannelKeyFromRequest(url, body));
+        void actions.retryLatestAssistant(runtime).catch((error) => console.error("Web retry failed", error));
+        sendJson(response, 200, { ok: true, channelKey: runtime.channelKey });
+    });
+    route("POST", "/api/web/delete", async (request, response, url) => {
+        const body = await readJsonBody(request);
+        const runtime = await getRuntime(getChannelKeyFromRequest(url, body));
+        void actions.deleteLatestAssistant(runtime).catch((error) => console.error("Web delete failed", error));
+        sendJson(response, 200, { ok: true, channelKey: runtime.channelKey });
+    });
+    route("POST", "/api/web/control", async (request, response, url) => {
+        const body = await readJsonBody(request);
+        const runtime = await getRuntime(getChannelKeyFromRequest(url, body));
+        if (!isRecord(body) || typeof body.command !== "string") {
+            throw new HttpError(400, "command is required");
+        }
+        if (authMode === "public-2fa" && body.command === "login") {
+            const token = isRecord(body.args) && typeof body.args.token === "string" ? body.args.token : "";
+            if (!config.web.totpSecret || !verifyTotp(config.web.totpSecret, token)) {
+                sendJson(response, 401, { ok: false, message: "Invalid TOTP token." });
+                return;
+            }
+            const session = await auth.createSession(request, "2fa login");
+            sendJson(response, 200, { ok: true, message: "Authenticated.", device: session.device }, { "set-cookie": sessionCookie(session.token, requestAuthContext(request).secure) });
+            return;
+        }
+        const args = commandArgs(body.command, body.args);
+        const input = {
+            messageId: messageId("control"),
+            authorId: config.discord.ownerId,
+            authorName: getContactNickname(WEB_USER_NAME),
+            text: `/${body.command}${args ? ` ${args}` : ""}`,
+            isBot: false,
+            mentionedBot: true,
+            remoteTimestamp: new Date().toISOString(),
+        };
+        const control = runtime.parseControlCommand(input);
+        if (!control) {
+            sendJson(response, 400, { ok: false, message: "Unsupported command." });
+            return;
+        }
+        await runtime.noteControlCommand(input, control);
+        const message = await actions.applyControlCommand(runtime, control);
+        await runtime.noteOutbound({ text: message, messageIds: [], control: control.command });
+        sendJson(response, 200, { ok: true, message, channelKey: runtime.channelKey });
+    });
+}

package/dist/web/daemon.js

@@ -0,0 +1,108 @@
+import { createServer } from "node:http";
+import { refreshContactNote, setContactNotePath } from "../conversation/contact-note.js";
+import { setAddedModelsPath } from "../models/added-models.js";
+import { loadPersona, parsePersonaName } from "../prompting/persona.js";
+import { registerWebAgentRoutes } from "./agent-routes.js";
+import { createAuth, loadWebSessionStore } from "./auth.js";
+import { registerWebAuthRoutes } from "./auth-routes.js";
+import { registerWebConfigRoutes } from "./config-routes.js";
+import { registerWebConversationRoutes } from "./conversation-routes.js";
+import { registerWebDiaryRoutes } from "./diary-routes.js";
+import { createWebEventHub } from "./event-hub.js";
+import { HttpError, sendText } from "./http.js";
+import { createWebRouteRegistry } from "./routes.js";
+import { createWebRuntimeActions } from "./runtime-actions.js";
+import { serveStatic } from "./static.js";
+import { attachWebSocketStream } from "./stream.js";
+export async function startWebDaemon(config, familiarAgent, agentCore, options = {}) {
+    setAddedModelsPath(config.workspace.dataDir);
+    setContactNotePath(config.persona.contact);
+    await refreshContactNote();
+    const persona = await loadPersona(config);
+    const personaName = parsePersonaName(persona.soul);
+    const webSessions = await loadWebSessionStore(config);
+    const auth = createAuth(config, webSessions);
+    const eventHub = createWebEventHub(config, personaName);
+    const getRuntime = async (channelKey) => {
+        if (!agentCore.hasSessionSource())
+            throw new HttpError(503, "Owner identity is not established yet.");
+        const runtime = await agentCore.getRuntimeForWebChannel(channelKey);
+        eventHub.subscribeRuntime(runtime);
+        return runtime;
+    };
+    const subscribeKnownRuntimes = async () => {
+        if (!agentCore.hasSessionSource())
+            return;
+        const sessions = await agentCore.getWebSessions();
+        await Promise.all(sessions.map(async (session) => {
+            const runtime = await agentCore.getRuntimeForWebChannel(session.key);
+            eventHub.subscribeRuntime(runtime);
+        }));
+    };
+    const { route, handleApi } = createWebRouteRegistry(config, auth);
+    const actions = createWebRuntimeActions({
+        config,
+        familiarAgent,
+        agentCore,
+        eventHub,
+        personaName,
+        restart: options.restart,
+    });
+    registerWebAuthRoutes(route, auth, { authMode: config.web.authMode, personaName });
+    registerWebConversationRoutes({
+        route,
+        config,
+        auth,
+        authMode: config.web.authMode,
+        agentCore,
+        getRuntime,
+        personaName,
+        actions,
+    });
+    registerWebAgentRoutes({
+        route,
+        config,
+        familiarAgent,
+        getRuntime,
+        personaName,
+        publish: eventHub.publish,
+    });
+    registerWebConfigRoutes(route, config, agentCore);
+    registerWebDiaryRoutes(route, config);
+    await subscribeKnownRuntimes();
+    const server = createServer((request, response) => {
+        const url = new URL(request.url ?? "/", `http://${request.headers.host ?? "localhost"}`);
+        void handleApi(request, response, url).then(async (handled) => {
+            if (handled)
+                return;
+            if (await serveStatic(response, url.pathname))
+                return;
+            sendText(response, 404, "Not found");
+        });
+    });
+    attachWebSocketStream(server, {
+        authorize: (request, pathname) => auth.authorize(request, pathname),
+        eventHub,
+        getRuntime,
+        abort: (runtime) => familiarAgent.abort(runtime.channelKey),
+        retry: actions.retryLatestAssistant,
+        deleteLatest: actions.deleteLatestAssistant,
+    });
+    await new Promise((resolveListen, rejectListen) => {
+        server.once("error", rejectListen);
+        server.listen(config.web.port, config.web.bindAddress, () => {
+            server.off("error", rejectListen);
+            resolveListen();
+        });
+    });
+    console.log(`Web side-door listening on http://${config.web.bindAddress}:${config.web.port}`);
+    return {
+        server,
+        async stop() {
+            eventHub.stop();
+            await new Promise((resolveClose, rejectClose) => {
+                server.close((error) => (error ? rejectClose(error) : resolveClose()));
+            });
+        },
+    };
+}