npm - @qwen-code/qwen-code - Versions diffs - 0.15.12-preview.3 → 0.16.0-preview.0 - Mend

@qwen-code/qwen-code 0.15.12-preview.3 → 0.16.0-preview.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (64) hide show

package/chunks/{serve-VJEEEXA6.js → serve-GAD2PEST.js} RENAMED Viewed

@@ -6,6 +6,17 @@ import {
   require_mime_db,
   require_type
 } from "./chunk-7RYW5LQV.js";
+import {
+  DEFAULT_RING_SIZE,
+  EVENT_SCHEMA_VERSION,
+  EventBus,
+  SERVE_STATUS_EXT_METHODS,
+  STATUS_SCHEMA_VERSION,
+  SubscriberLimitExceededError,
+  createIdleWorkspaceMcpStatus,
+  createIdleWorkspaceProvidersStatus,
+  createIdleWorkspaceSkillsStatus
+} from "./chunk-3MBY4GKN.js";
 import {
   writeStderrLine,
   writeStdoutLine
@@ -13076,6 +13087,20 @@ function bearerAuth(token) {
   };
 }
 __name(bearerAuth, "bearerAuth");
+function createMutationGate(deps) {
+  const passthrough = /* @__PURE__ */ __name((_req, _res, next) => next(), "passthrough");
+  if (deps.requireAuth || deps.tokenConfigured) {
+    return () => passthrough;
+  }
+  const strictDenier = /* @__PURE__ */ __name((_req, res) => {
+    res.status(401).json({
+      error: "This route requires the daemon to be configured with a bearer token. Set QWEN_SERVER_TOKEN or pass --token to enable bearer auth.",
+      code: "token_required"
+    });
+  }, "strictDenier");
+  return (opts = {}) => opts.strict ? strictDenier : passthrough;
+}
+__name(createMutationGate, "createMutationGate");
 // packages/cli/src/serve/httpAcpBridge.ts
 init_esbuild_shims();
@@ -13084,267 +13109,6 @@ import { randomUUID } from "node:crypto";
 import { promises as fs, realpathSync } from "node:fs";
 import * as path from "node:path";
 import { Readable, Writable } from "node:stream";
-// packages/cli/src/serve/eventBus.ts
-init_esbuild_shims();
-var EVENT_SCHEMA_VERSION = 1;
-var DEFAULT_MAX_QUEUED = 256;
-var DEFAULT_RING_SIZE = 4e3;
-var DEFAULT_MAX_SUBSCRIBERS = 64;
-var SubscriberLimitExceededError = class extends Error {
-  static {
-    __name(this, "SubscriberLimitExceededError");
-  }
-  limit;
-  constructor(limit) {
-    super(`EventBus subscriber limit reached (${limit})`);
-    this.name = "SubscriberLimitExceededError";
-    this.limit = limit;
-  }
-};
-var EventBus = class {
-  constructor(ringSize = DEFAULT_RING_SIZE, maxSubscribers = DEFAULT_MAX_SUBSCRIBERS) {
-    this.ringSize = ringSize;
-    this.maxSubscribers = maxSubscribers;
-  }
-  static {
-    __name(this, "EventBus");
-  }
-  nextId = 1;
-  ring = [];
-  subs = /* @__PURE__ */ new Set();
-  closed = false;
-  /** Most recent id ever assigned by `publish`. 0 if no events published. */
-  get lastEventId() {
-    return this.nextId - 1;
-  }
-  /** Snapshot of the live subscriber count. */
-  get subscriberCount() {
-    return this.subs.size;
-  }
-  /**
-   * Publish an event to the bus. Returns the constructed `BridgeEvent`
-   * (with `id` + `v` assigned) on success, or `undefined` when the
-   * bus is closed.
-   *
-   * **Never throws** (BX9_p contract). Closing the bus mid-publish
-   * is the only abnormal path and is handled as a return-undefined
-   * no-op; subscriber-enqueue failures are caught internally and
-   * translated to per-subscriber eviction. Call sites can rely on
-   * this — the historical `try { publish(...) } catch {}` blocks in
-   * `httpAcpBridge.ts` are defense-in-depth, not load-bearing, and
-   * may be removed in a future cleanup pass without changing
-   * behavior. Don't add new try/catch wrappers around `publish()`.
-   */
-  publish(input) {
-    if (this.closed) return void 0;
-    const event = {
-      id: this.nextId++,
-      v: EVENT_SCHEMA_VERSION,
-      ...input
-    };
-    this.ring.push(event);
-    if (this.ring.length > this.ringSize) this.ring.shift();
-    for (const sub of Array.from(this.subs)) {
-      if (sub.evicted) continue;
-      if (!sub.queue.push(event)) {
-        sub.evicted = true;
-        const evictionFrame = {
-          v: EVENT_SCHEMA_VERSION,
-          type: "client_evicted",
-          data: { reason: "queue_overflow", droppedAfter: event.id }
-        };
-        sub.queue.forcePush(evictionFrame);
-        sub.queue.close();
-        sub.dispose();
-      }
-    }
-    return event;
-  }
-  /**
-   * Note: registration is synchronous — by the time `subscribe()` returns,
-   * the subscriber is already attached and will receive any subsequent
-   * `publish()` even if the consumer hasn't started iterating yet. (A
-   * generator-style implementation would defer registration to the first
-   * `next()` call, which races with publishes that happen before the
-   * consumer's first await.)
-   *
-   * The returned iterator is NOT safe to drive from concurrent callers —
-   * two simultaneous `.next()` calls would race for the same event from
-   * the underlying queue. Daemon usage is sequential (`for await ... of`
-   * inside the SSE route), so this is safe in production. Callers that
-   * fan an iterator out to multiple consumers must serialize themselves.
-   */
-  subscribe(opts = {}) {
-    if (this.closed) {
-      return emptyAsyncIterable();
-    }
-    if (this.subs.size >= this.maxSubscribers) {
-      throw new SubscriberLimitExceededError(this.maxSubscribers);
-    }
-    const queue = new BoundedAsyncQueue(
-      opts.maxQueued ?? DEFAULT_MAX_QUEUED
-    );
-    const sub = { queue, evicted: false, dispose: /* @__PURE__ */ __name(() => {
-    }, "dispose") };
-    this.subs.add(sub);
-    if (opts.lastEventId !== void 0) {
-      for (const e of this.ring) {
-        if (e.id !== void 0 && e.id > opts.lastEventId) {
-          queue.forcePush(e);
-        }
-      }
-    }
-    let disposed = false;
-    const dispose = /* @__PURE__ */ __name(() => {
-      if (disposed) return;
-      disposed = true;
-      this.subs.delete(sub);
-      opts.signal?.removeEventListener("abort", onAbort);
-    }, "dispose");
-    sub.dispose = dispose;
-    const onAbort = /* @__PURE__ */ __name(() => {
-      queue.close({ drain: false });
-      dispose();
-    }, "onAbort");
-    if (opts.signal) {
-      if (opts.signal.aborted) {
-        onAbort();
-      } else {
-        opts.signal.addEventListener("abort", onAbort, { once: true });
-      }
-    }
-    return {
-      [Symbol.asyncIterator]: () => ({
-        async next() {
-          const r = await queue.next();
-          if (r.done) dispose();
-          return r;
-        },
-        async return() {
-          queue.close();
-          dispose();
-          return { value: void 0, done: true };
-        }
-      })
-    };
-  }
-  /** Close all live subscribers and prevent further `publish`/`subscribe`. */
-  close() {
-    if (this.closed) return;
-    this.closed = true;
-    for (const sub of this.subs) sub.queue.close();
-    this.subs.clear();
-  }
-};
-function emptyAsyncIterable() {
-  return {
-    [Symbol.asyncIterator]: () => ({
-      async next() {
-        return { value: void 0, done: true };
-      }
-    })
-  };
-}
-__name(emptyAsyncIterable, "emptyAsyncIterable");
-var BoundedAsyncQueue = class {
-  constructor(maxSize) {
-    this.maxSize = maxSize;
-  }
-  static {
-    __name(this, "BoundedAsyncQueue");
-  }
-  buf = [];
-  resolvers = [];
-  closed = false;
-  /**
-   * Number of force-pushed items still in `buf`. The cap check in
-   * `push()` only applies to LIVE items; this counter tells us how
-   * many slots in `buf` are replay-injected and shouldn't count.
-   *
-   * Position invariant: under the bus's two callers,
-   *   1. subscribe-time replay (`Last-Event-ID` resume) — forcePush
-   *      fires BEFORE any live `push()`, so replay items are at the
-   *      front of `buf`;
-   *   2. eviction terminal frame — forcePush fires AFTER `push()`
-   *      rejection, then `close()` is called immediately, so the
-   *      eviction frame is at the BACK of `buf`.
-   *
-   * `next()` decrements `forcedInBuf` whenever the counter is > 0 on
-   * shift, which is correct for case (1). For case (2) it slightly
-   * misaccounts (decrements on the first live shift), but that's
-   * harmless: the queue is closed so no `push()` runs the cap check
-   * again. The counter only matters for live cap enforcement.
-   */
-  forcedInBuf = 0;
-  /** Returns true if accepted, false if dropped due to overflow. */
-  push(value) {
-    if (this.closed) return false;
-    const r = this.resolvers.shift();
-    if (r) {
-      r({ value, done: false });
-      return true;
-    }
-    if (this.buf.length - this.forcedInBuf >= this.maxSize) return false;
-    this.buf.push(value);
-    return true;
-  }
-  /** Bypasses the size cap. Used for replay frames and terminal eviction. */
-  forcePush(value) {
-    if (this.closed) return;
-    const r = this.resolvers.shift();
-    if (r) {
-      r({ value, done: false });
-      return;
-    }
-    this.buf.push(value);
-    this.forcedInBuf += 1;
-  }
-  /**
-   * Mark the queue closed. By default `next()` continues to drain
-   * any items already in `buf` before returning `done: true` —
-   * that's what the eviction path relies on (the synthetic
-   * `client_evicted` frame is force-pushed THEN close is called,
-   * and we want the consumer to see the terminal frame before the
-   * iterator unwinds).
-   *
-   * Pass `{ drain: false }` to drop buffered items immediately
-   * (the AbortSignal-driven unsubscribe path uses this — the
-   * subscribe docstring says abort should close the iterator
-   * promptly, but draining hundreds of queued events first
-   * contradicts that and adds post-abort work to the SSE route).
-   */
-  close(opts = {}) {
-    if (this.closed) return;
-    this.closed = true;
-    if (opts.drain === false) {
-      this.buf.length = 0;
-      this.forcedInBuf = 0;
-    }
-    while (this.resolvers.length > 0) {
-      this.resolvers.shift()({
-        value: void 0,
-        done: true
-      });
-    }
-  }
-  next() {
-    if (this.buf.length > 0) {
-      const value = this.buf.shift();
-      if (this.forcedInBuf > 0) this.forcedInBuf -= 1;
-      return Promise.resolve({ value, done: false });
-    }
-    if (this.closed) {
-      return Promise.resolve({
-        value: void 0,
-        done: true
-      });
-    }
-    return new Promise((resolve2) => this.resolvers.push(resolve2));
-  }
-};
-// packages/cli/src/serve/httpAcpBridge.ts
 var SessionNotFoundError = class extends Error {
   static {
     __name(this, "SessionNotFoundError");
@@ -13454,6 +13218,28 @@ var InvalidPermissionOptionError = class extends Error {
     this.optionId = optionId;
   }
 };
+var MAX_DISPLAY_NAME_LENGTH = 256;
+function hasControlCharacter(value) {
+  for (let i = 0; i < value.length; i += 1) {
+    const code = value.charCodeAt(i);
+    if (code <= 31 || code === 127) {
+      return true;
+    }
+  }
+  return false;
+}
+__name(hasControlCharacter, "hasControlCharacter");
+var InvalidSessionMetadataError = class extends Error {
+  static {
+    __name(this, "InvalidSessionMetadataError");
+  }
+  field;
+  constructor(field, reason) {
+    super(`Invalid session metadata: ${field} ${reason}`);
+    this.name = "InvalidSessionMetadataError";
+    this.field = field;
+  }
+};
 var BridgeClient = class {
   constructor(resolveEntry, resolvePendingRestoreEvents, registerPending, rollbackPending, permissionTimeoutMs, maxPendingPerSession) {
     this.resolveEntry = resolveEntry;
@@ -13620,6 +13406,7 @@ var BridgeClient = class {
 };
 var DEFAULT_INIT_TIMEOUT_MS = 1e4;
 var DEFAULT_MAX_SESSIONS = 20;
+var MAX_EVENT_RING_SIZE = 1e6;
 var DEFAULT_PERMISSION_TIMEOUT_MS = 5 * 60 * 1e3;
 var DEFAULT_MAX_PENDING_PER_SESSION = 64;
 function createHttpAcpBridge(opts) {
@@ -13645,6 +13432,12 @@ function createHttpAcpBridge(opts) {
       `Invalid sessionScope: ${JSON.stringify(defaultSessionScope)}. Expected 'single' or 'thread'.`
     );
   }
+  const eventRingSize = opts.eventRingSize ?? DEFAULT_RING_SIZE;
+  if (!Number.isInteger(eventRingSize) || eventRingSize < 1 || eventRingSize > MAX_EVENT_RING_SIZE) {
+    throw new TypeError(
+      `Invalid eventRingSize: ${opts.eventRingSize}. Must be a positive integer in [1, ${MAX_EVENT_RING_SIZE}].`
+    );
+  }
   const channelFactory = opts.channelFactory ?? defaultSpawnChannelFactory;
   const initTimeoutMs = opts.initializeTimeoutMs ?? DEFAULT_INIT_TIMEOUT_MS;
   if (initTimeoutMs <= 0) {
@@ -13693,6 +13486,7 @@ function createHttpAcpBridge(opts) {
     if (count === void 0) return;
     if (count <= 1) {
       entry.clientIds.delete(clientId);
+      entry.clientLastSeenAt.delete(clientId);
     } else {
       entry.clientIds.set(clientId, count - 1);
     }
@@ -13935,7 +13729,8 @@ function createHttpAcpBridge(opts) {
       sessionId: entry.sessionId,
       workspaceCwd: entry.workspaceCwd,
       attached: false,
-      clientId
+      clientId,
+      createdAt: entry.createdAt
     };
   }
   __name(doSpawn, "doSpawn");
@@ -14010,10 +13805,58 @@ function createHttpAcpBridge(opts) {
     }
     return workspaceKey;
   }, "resolveWorkspaceKey");
-  const createSessionEntry = /* @__PURE__ */ __name((ci, sessionId, workspaceCwd, events = new EventBus()) => {
+  const liveChannelInfo = /* @__PURE__ */ __name(() => {
+    if (!channelInfo || channelInfo.isDying) return void 0;
+    return channelInfo;
+  }, "liveChannelInfo");
+  const channelInfoForEntry = /* @__PURE__ */ __name((entry) => {
+    if (channelInfo?.channel === entry.channel) return channelInfo;
+    for (const info of aliveChannels) {
+      if (info.channel === entry.channel) return info;
+    }
+    return void 0;
+  }, "channelInfoForEntry");
+  const getChannelClosedReject = /* @__PURE__ */ __name((info) => {
+    if (!info.statusClosedReject) {
+      info.statusClosedReject = info.channel.exited.then(() => {
+        throw new Error("agent channel closed mid-request (workspace status)");
+      });
+    }
+    return info.statusClosedReject;
+  }, "getChannelClosedReject");
+  const requestWorkspaceStatus = /* @__PURE__ */ __name(async (method, idle) => {
+    const info = liveChannelInfo();
+    if (!info) return idle();
+    const response = await withTimeout(
+      Promise.race([
+        info.connection.extMethod(method, { cwd: boundWorkspace }),
+        getChannelClosedReject(info)
+      ]),
+      initTimeoutMs,
+      method
+    );
+    return response;
+  }, "requestWorkspaceStatus");
+  const requestSessionStatus = /* @__PURE__ */ __name(async (sessionId, method) => {
+    const entry = byId.get(sessionId);
+    if (!entry) throw new SessionNotFoundError(sessionId);
+    const info = channelInfoForEntry(entry);
+    if (!info || info.isDying) throw new SessionNotFoundError(sessionId);
+    const response = await Promise.race([
+      withTimeout(
+        entry.connection.extMethod(method, { sessionId }),
+        initTimeoutMs,
+        method
+      ),
+      getTransportClosedReject(entry)
+    ]);
+    return response;
+  }, "requestSessionStatus");
+  const createSessionEntry = /* @__PURE__ */ __name((ci, sessionId, workspaceCwd, events = new EventBus(eventRingSize)) => {
     const entry = {
       sessionId,
       workspaceCwd,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
       channel: ci.channel,
       connection: ci.connection,
       events,
@@ -14021,6 +13864,7 @@ function createHttpAcpBridge(opts) {
       modelChangeQueue: Promise.resolve(),
       pendingPermissionIds: /* @__PURE__ */ new Set(),
       clientIds: /* @__PURE__ */ new Map(),
+      clientLastSeenAt: /* @__PURE__ */ new Map(),
       attachCount: 0,
       spawnOwnerWantedKill: false
     };
@@ -14052,6 +13896,7 @@ function createHttpAcpBridge(opts) {
         workspaceCwd: existing.workspaceCwd,
         attached: true,
         clientId,
+        createdAt: existing.createdAt,
         // Late attachers get the same ACP state the original restore
         // caller saw; spawn-only sessions don't carry a state payload.
         state: existing.restoreState ?? {}
@@ -14085,13 +13930,14 @@ function createHttpAcpBridge(opts) {
       return {
         ...restored,
         attached: true,
-        clientId: registerClient(entry, req.clientId)
+        clientId: registerClient(entry, req.clientId),
+        createdAt: entry.createdAt
       };
     }
     if (byId.size + inFlightSpawns.size + inFlightRestores.size >= maxSessions) {
       throw new SessionLimitExceededError(maxSessions);
     }
-    const restoreEvents = new EventBus();
+    const restoreEvents = new EventBus(eventRingSize);
     let registeredEntry;
     let ci;
     const coalesceState = { count: 0 };
@@ -14170,6 +14016,7 @@ function createHttpAcpBridge(opts) {
           workspaceCwd: racedEntry.workspaceCwd,
           attached: true,
           clientId: clientId2,
+          createdAt: racedEntry.createdAt,
           state: racedEntry.restoreState ?? {}
         };
       }
@@ -14188,6 +14035,7 @@ function createHttpAcpBridge(opts) {
         workspaceCwd: entry.workspaceCwd,
         attached: false,
         clientId,
+        createdAt: entry.createdAt,
         state
       };
     })().finally(() => {
@@ -14245,7 +14093,8 @@ function createHttpAcpBridge(opts) {
             sessionId: existing.sessionId,
             workspaceCwd: existing.workspaceCwd,
             attached: true,
-            clientId
+            clientId,
+            createdAt: existing.createdAt
           };
         }
         const inFlight = inFlightSpawns.get(workspaceKey);
@@ -14410,6 +14259,86 @@ function createHttpAcpBridge(opts) {
       }
       return resolvePending(requestId, response, originatorClientId);
     },
+    async closeSession(sessionId, context) {
+      const entry = byId.get(sessionId);
+      if (!entry) throw new SessionNotFoundError(sessionId);
+      let originatorClientId;
+      if (context?.clientId !== void 0) {
+        originatorClientId = resolveTrustedClientId(entry, context.clientId);
+      }
+      writeStderrLine(
+        `qwen serve: closing session ${JSON.stringify(sessionId)}` + (originatorClientId ? ` by client ${JSON.stringify(originatorClientId)}` : "")
+      );
+      if (defaultEntry === entry) defaultEntry = void 0;
+      const ci = channelInfo;
+      if (ci && ci.channel === entry.channel) {
+        ci.sessionIds.delete(sessionId);
+      }
+      for (const id of Array.from(entry.pendingPermissionIds)) {
+        resolvePending(id, { outcome: { outcome: "cancelled" } });
+      }
+      byId.delete(sessionId);
+      try {
+        entry.events.publish({
+          type: "session_closed",
+          data: {
+            sessionId,
+            reason: "client_close",
+            ...originatorClientId ? { closedBy: originatorClientId } : {}
+          }
+        });
+      } catch {
+      }
+      entry.events.close();
+      try {
+        await entry.connection.cancel({ sessionId });
+      } catch {
+      }
+      if (ci && ci.sessionIds.size === 0 && ci.pendingRestoreIds.size === 0) {
+        ci.isDying = true;
+        await ci.channel.kill().catch((err) => {
+          writeStderrLine(
+            `qwen serve: closeSession channel kill failed for session ${JSON.stringify(sessionId)}: ${String(err)}`
+          );
+        });
+      }
+    },
+    updateSessionMetadata(sessionId, metadata, context) {
+      const entry = byId.get(sessionId);
+      if (!entry) throw new SessionNotFoundError(sessionId);
+      if (context?.clientId !== void 0) {
+        resolveTrustedClientId(entry, context.clientId);
+      }
+      if (metadata.displayName !== void 0) {
+        if (typeof metadata.displayName !== "string" || metadata.displayName.length > MAX_DISPLAY_NAME_LENGTH) {
+          throw new InvalidSessionMetadataError(
+            "displayName",
+            `must be a string of at most ${MAX_DISPLAY_NAME_LENGTH} characters`
+          );
+        }
+        if (hasControlCharacter(metadata.displayName)) {
+          throw new InvalidSessionMetadataError(
+            "displayName",
+            "must not contain control characters"
+          );
+        }
+        const nextDisplayName = metadata.displayName || void 0;
+        if (entry.displayName !== nextDisplayName) {
+          entry.displayName = nextDisplayName;
+          writeStderrLine(
+            `qwen serve: updated session metadata ${JSON.stringify(sessionId)} displayName=${entry.displayName === void 0 ? "cleared" : "set"}` + (context?.clientId ? ` by client ${JSON.stringify(context.clientId)}` : "")
+          );
+          try {
+            entry.events.publish({
+              type: "session_metadata_updated",
+              data: { sessionId, displayName: entry.displayName }
+            });
+          } catch {
+          }
+        }
+      }
+      return { displayName: entry.displayName };
+    },
     listWorkspaceSessions(workspaceCwd) {
       if (!path.isAbsolute(workspaceCwd)) return [];
       const key = workspaceCwd === boundWorkspace ? boundWorkspace : canonicalizeWorkspace(workspaceCwd);
@@ -14419,12 +14348,69 @@ function createHttpAcpBridge(opts) {
         if (entry.workspaceCwd === key) {
           out.push({
             sessionId: entry.sessionId,
-            workspaceCwd: entry.workspaceCwd
+            workspaceCwd: entry.workspaceCwd,
+            createdAt: entry.createdAt,
+            displayName: entry.displayName,
+            clientCount: entry.clientIds.size,
+            hasActivePrompt: entry.activePromptOriginatorClientId !== void 0
           });
         }
       }
       return out;
     },
+    recordHeartbeat(sessionId, context) {
+      const entry = byId.get(sessionId);
+      if (!entry) throw new SessionNotFoundError(sessionId);
+      const clientId = resolveTrustedClientId(entry, context?.clientId);
+      const lastSeenAt = Date.now();
+      entry.sessionLastSeenAt = lastSeenAt;
+      if (clientId !== void 0) {
+        entry.clientLastSeenAt.set(clientId, lastSeenAt);
+      }
+      return {
+        sessionId: entry.sessionId,
+        ...clientId !== void 0 ? { clientId } : {},
+        lastSeenAt
+      };
+    },
+    getHeartbeatState(sessionId) {
+      const entry = byId.get(sessionId);
+      if (!entry) return void 0;
+      return {
+        ...entry.sessionLastSeenAt !== void 0 ? { sessionLastSeenAt: entry.sessionLastSeenAt } : {},
+        clientLastSeenAt: new Map(entry.clientLastSeenAt)
+      };
+    },
+    async getWorkspaceMcpStatus() {
+      return requestWorkspaceStatus(
+        SERVE_STATUS_EXT_METHODS.workspaceMcp,
+        () => createIdleWorkspaceMcpStatus(boundWorkspace)
+      );
+    },
+    async getWorkspaceSkillsStatus() {
+      return requestWorkspaceStatus(
+        SERVE_STATUS_EXT_METHODS.workspaceSkills,
+        () => createIdleWorkspaceSkillsStatus(boundWorkspace)
+      );
+    },
+    async getWorkspaceProvidersStatus() {
+      return requestWorkspaceStatus(
+        SERVE_STATUS_EXT_METHODS.workspaceProviders,
+        () => createIdleWorkspaceProvidersStatus(boundWorkspace)
+      );
+    },
+    async getSessionContextStatus(sessionId) {
+      return requestSessionStatus(
+        sessionId,
+        SERVE_STATUS_EXT_METHODS.sessionContext
+      );
+    },
+    async getSessionSupportedCommandsStatus(sessionId) {
+      return requestSessionStatus(
+        sessionId,
+        SERVE_STATUS_EXT_METHODS.sessionSupportedCommands
+      );
+    },
     async setSessionModel(sessionId, req, context) {
       const entry = byId.get(sessionId);
       if (!entry) throw new SessionNotFoundError(sessionId);
@@ -14779,11 +14765,41 @@ var SERVE_CAPABILITY_REGISTRY = {
   session_prompt: { since: "v1" },
   session_cancel: { since: "v1" },
   session_events: { since: "v1" },
+  // Daemon emits `slow_client_warning` synthetic frames at 75% queue
+  // fill and honors `?maxQueued=N` (range [16, 2048]) on
+  // `GET /session/:id/events`. Old daemons silently lack both — SDK
+  // clients pre-flight this tag before opting in.
+  slow_client_warning: { since: "v1" },
+  // SDK consumers can detect `KnownDaemonEvent` schema support without
+  // pinning against this SDK release — `narrowDaemonEvent` falls back
+  // to `kind: 'unknown'` for daemons that don't advertise the tag,
+  // so the tag is purely informational.
+  typed_event_schema: { since: "v1" },
   session_set_model: { since: "v1" },
   client_identity: { since: "v1" },
+  client_heartbeat: { since: "v1" },
   session_permission_vote: { since: "v1" },
-  permission_vote: { since: "v1" }
+  permission_vote: { since: "v1" },
+  workspace_mcp: { since: "v1" },
+  workspace_skills: { since: "v1" },
+  workspace_providers: { since: "v1" },
+  session_context: { since: "v1" },
+  session_supported_commands: { since: "v1" },
+  session_close: { since: "v1" },
+  session_metadata: { since: "v1" },
+  // Issue #4175 PR 15. Daemon was booted with `--require-auth` (or
+  // `requireAuth: true`), so even loopback callers must carry a bearer
+  // token. Advertised CONDITIONALLY — only when the flag is on — so
+  // SDK clients can branch on its presence to surface a clear "this
+  // deployment requires auth" hint instead of speculatively trying
+  // requests and parsing the resulting 401 body. Loopback developer
+  // defaults (no flag) omit the tag, preserving the bit-for-bit shape
+  // older clients expect.
+  require_auth: { since: "v1" }
 };
+var CONDITIONAL_SERVE_FEATURES = /* @__PURE__ */ new Map([
+  ["require_auth", (toggles) => toggles.requireAuth === true]
+]);
 var SERVE_FEATURES = Object.freeze(
   Object.keys(SERVE_CAPABILITY_REGISTRY)
 );
@@ -14799,10 +14815,13 @@ function getRegisteredServeFeatures() {
   return [...SERVE_FEATURES];
 }
 __name(getRegisteredServeFeatures, "getRegisteredServeFeatures");
-function getAdvertisedServeFeatures(protocolVersion = SERVE_PROTOCOL_VERSION) {
-  return SERVE_FEATURES.filter(
-    (feature) => isFeatureAvailableInProtocol(feature, protocolVersion)
-  );
+function getAdvertisedServeFeatures(protocolVersion = SERVE_PROTOCOL_VERSION, toggles = {}) {
+  return SERVE_FEATURES.filter((feature) => {
+    if (!isFeatureAvailableInProtocol(feature, protocolVersion)) return false;
+    const predicate = CONDITIONAL_SERVE_FEATURES.get(feature);
+    if (predicate !== void 0) return predicate(toggles);
+    return true;
+  });
 }
 __name(getAdvertisedServeFeatures, "getAdvertisedServeFeatures");
 function getServeFeatures() {
@@ -14828,6 +14847,11 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
   const boundWorkspace = deps.boundWorkspace ?? canonicalizeWorkspace(opts.workspace ?? process.cwd());
   const bridge = deps.bridge ?? createHttpAcpBridge({
     maxSessions: opts.maxSessions,
+    // Symmetric with `runQwenServe.ts` — direct embeds / tests that
+    // call `createServeApp` without supplying their own bridge and
+    // pass `ServeOptions.eventRingSize` would otherwise silently
+    // get the default 8000 ring instead of their configured value.
+    ...opts.eventRingSize !== void 0 ? { eventRingSize: opts.eventRingSize } : {},
     boundWorkspace
   });
   app.use(denyBrowserOriginCors);
@@ -14853,20 +14877,31 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
     }
   }, "healthHandler");
   const loopback = isLoopbackBind(opts.hostname);
-  if (loopback) {
+  const exposeHealthPreAuth = loopback && !opts.requireAuth;
+  if (exposeHealthPreAuth) {
     app.get("/health", healthHandler);
   }
   app.use(bearerAuth(opts.token));
   app.use(import_express.default.json({ limit: "10mb" }));
-  if (!loopback) {
+  if (!exposeHealthPreAuth) {
     app.get("/health", healthHandler);
   }
+  const mutate = createMutationGate({
+    tokenConfigured: opts.token !== void 0,
+    requireAuth: opts.requireAuth === true
+  });
   app.get("/capabilities", (_req, res) => {
     const envelope = {
       v: CAPABILITIES_SCHEMA_VERSION,
       protocolVersions: getServeProtocolVersions(),
       mode: opts.mode,
-      features: getAdvertisedServeFeatures(),
+      // PR 15. Pass `requireAuth` so the `require_auth` tag appears
+      // ONLY when the operator opted in. Tag presence = behavior is
+      // on; older daemons without this PR omit the tag and SDKs that
+      // post-PR feature-detect on it stay backward compatible.
+      features: getAdvertisedServeFeatures(void 0, {
+        requireAuth: opts.requireAuth === true
+      }),
       modelServices: [],
       // #3803 §02: surface the bound workspace so clients can detect
       // mismatch pre-flight and omit `cwd` on `POST /session`.
@@ -14874,7 +14909,28 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
     };
     res.status(200).json(envelope);
   });
-  app.post("/session", async (req, res) => {
+  app.get("/workspace/mcp", async (_req, res) => {
+    try {
+      res.status(200).json(await bridge.getWorkspaceMcpStatus());
+    } catch (err) {
+      sendBridgeError(res, err, { route: "GET /workspace/mcp" });
+    }
+  });
+  app.get("/workspace/skills", async (_req, res) => {
+    try {
+      res.status(200).json(await bridge.getWorkspaceSkillsStatus());
+    } catch (err) {
+      sendBridgeError(res, err, { route: "GET /workspace/skills" });
+    }
+  });
+  app.get("/workspace/providers", async (_req, res) => {
+    try {
+      res.status(200).json(await bridge.getWorkspaceProvidersStatus());
+    } catch (err) {
+      sendBridgeError(res, err, { route: "GET /workspace/providers" });
+    }
+  });
+  app.post("/session", mutate(), async (req, res) => {
     const body = safeBody(req);
     const hasCwd = "cwd" in body;
     if (hasCwd && typeof body["cwd"] !== "string") {
@@ -14968,9 +15024,39 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
       });
     }
   }, "restoreSessionHandler");
-  app.post("/session/:id/load", restoreSessionHandler("load"));
-  app.post("/session/:id/resume", restoreSessionHandler("resume"));
-  app.post("/session/:id/prompt", async (req, res) => {
+  app.post("/session/:id/load", mutate(), restoreSessionHandler("load"));
+  app.post("/session/:id/resume", mutate(), restoreSessionHandler("resume"));
+  app.get("/session/:id/context", async (req, res) => {
+    const sessionId = req.params["id"];
+    if (!sessionId) {
+      res.status(400).json({ error: "`sessionId` route parameter is required" });
+      return;
+    }
+    try {
+      res.status(200).json(await bridge.getSessionContextStatus(sessionId));
+    } catch (err) {
+      sendBridgeError(res, err, {
+        route: "GET /session/:id/context",
+        sessionId
+      });
+    }
+  });
+  app.get("/session/:id/supported-commands", async (req, res) => {
+    const sessionId = req.params["id"];
+    if (!sessionId) {
+      res.status(400).json({ error: "`sessionId` route parameter is required" });
+      return;
+    }
+    try {
+      res.status(200).json(await bridge.getSessionSupportedCommandsStatus(sessionId));
+    } catch (err) {
+      sendBridgeError(res, err, {
+        route: "GET /session/:id/supported-commands",
+        sessionId
+      });
+    }
+  });
+  app.post("/session/:id/prompt", mutate(), async (req, res) => {
     const sessionId = req.params["id"];
     const body = safeBody(req);
     const prompt = body["prompt"];
@@ -15030,7 +15116,28 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
       res.off("close", onResClose);
     }
   });
-  app.post("/session/:id/cancel", async (req, res) => {
+  app.post("/session/:id/heartbeat", mutate(), (req, res) => {
+    const sessionId = req.params["id"];
+    if (!sessionId) {
+      res.status(400).json({ error: "`sessionId` route parameter is required" });
+      return;
+    }
+    const clientId = parseClientIdHeader(req, res);
+    if (clientId === null) return;
+    try {
+      const result = bridge.recordHeartbeat(
+        sessionId,
+        clientId !== void 0 ? { clientId } : void 0
+      );
+      res.status(200).json(result);
+    } catch (err) {
+      sendBridgeError(res, err, {
+        route: "POST /session/:id/heartbeat",
+        sessionId
+      });
+    }
+  });
+  app.post("/session/:id/cancel", mutate(), async (req, res) => {
     const sessionId = req.params["id"];
     const body = safeBody(req);
     const clientId = parseClientIdHeader(req, res);
@@ -15052,6 +15159,51 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
       });
     }
   });
+  app.delete("/session/:id", async (req, res) => {
+    const sessionId = req.params["id"];
+    const clientId = parseClientIdHeader(req, res);
+    if (clientId === null) return;
+    try {
+      await bridge.closeSession(
+        sessionId,
+        clientId !== void 0 ? { clientId } : void 0
+      );
+      res.status(204).end();
+    } catch (err) {
+      sendBridgeError(res, err, {
+        route: "DELETE /session/:id",
+        sessionId
+      });
+    }
+  });
+  app.patch("/session/:id/metadata", (req, res) => {
+    const sessionId = req.params["id"];
+    const body = safeBody(req);
+    const clientId = parseClientIdHeader(req, res);
+    if (clientId === null) return;
+    const displayName = body["displayName"];
+    if (displayName !== void 0 && typeof displayName !== "string") {
+      res.status(400).json({
+        error: "`displayName` must be a string",
+        code: "invalid_metadata",
+        field: "displayName"
+      });
+      return;
+    }
+    try {
+      const effective = bridge.updateSessionMetadata(
+        sessionId,
+        { displayName },
+        clientId !== void 0 ? { clientId } : void 0
+      );
+      res.status(200).json({ sessionId, ...effective });
+    } catch (err) {
+      sendBridgeError(res, err, {
+        route: "PATCH /session/:id/metadata",
+        sessionId
+      });
+    }
+  });
   app.get("/workspace/:id/sessions", (req, res) => {
     const workspaceCwd = req.params["id"] ?? "";
     if (!path2.isAbsolute(workspaceCwd)) {
@@ -15071,7 +15223,7 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
     const sessions = bridge.listWorkspaceSessions(workspaceCwd);
     res.status(200).json({ sessions });
   });
-  app.post("/session/:id/model", async (req, res) => {
+  app.post("/session/:id/model", mutate(), async (req, res) => {
     const sessionId = req.params["id"];
     const body = safeBody(req);
     const modelId = body["modelId"];
@@ -15101,7 +15253,7 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
       });
     }
   });
-  app.post("/session/:id/permission/:requestId", (req, res) => {
+  app.post("/session/:id/permission/:requestId", mutate(), (req, res) => {
     const sessionId = req.params["id"];
     const requestId = req.params["requestId"];
     const response = parsePermissionVoteBody(req, res);
@@ -15133,7 +15285,7 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
     }
     res.status(200).json({});
   });
-  app.post("/permission/:requestId", (req, res) => {
+  app.post("/permission/:requestId", mutate(), (req, res) => {
     const requestId = req.params["requestId"];
     const response = parsePermissionVoteBody(req, res);
     if (response === void 0) return;
@@ -15161,12 +15313,15 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
   app.get("/session/:id/events", (req, res) => {
     const sessionId = req.params["id"];
     const lastEventId = parseLastEventId(req.headers["last-event-id"]);
+    const maxQueued = parseMaxQueuedQuery(req.query["maxQueued"], res);
+    if (maxQueued === null) return;
     let iter;
     const abort = new AbortController();
     try {
       const iterable = bridge.subscribeEvents(sessionId, {
         signal: abort.signal,
-        lastEventId
+        lastEventId,
+        ...maxQueued !== void 0 ? { maxQueued } : {}
       });
       iter = iterable[Symbol.asyncIterator]();
     } catch (err) {
@@ -15376,11 +15531,43 @@ function isValidOutcome(raw) {
   return obj["outcome"] === "selected" && typeof obj["optionId"] === "string" && obj["optionId"].length > 0;
 }
 __name(isValidOutcome, "isValidOutcome");
+var MIN_QUERY_MAX_QUEUED = 16;
+var MAX_QUERY_MAX_QUEUED = 2048;
+function parseMaxQueuedQuery(raw, res) {
+  if (raw === void 0) return void 0;
+  if (typeof raw !== "string" || !/^\d+$/.test(raw)) {
+    writeStderrLine(
+      `qwen serve: rejected ?maxQueued ${safeLogValue(raw)} (not a decimal integer)`
+    );
+    res.status(400).json({
+      error: "`maxQueued` must be a decimal integer",
+      code: "invalid_max_queued"
+    });
+    return null;
+  }
+  const n = Number.parseInt(raw, 10);
+  if (!Number.isFinite(n) || n < MIN_QUERY_MAX_QUEUED || n > MAX_QUERY_MAX_QUEUED) {
+    writeStderrLine(
+      `qwen serve: rejected ?maxQueued ${safeLogValue(raw)} (outside [${MIN_QUERY_MAX_QUEUED}, ${MAX_QUERY_MAX_QUEUED}])`
+    );
+    res.status(400).json({
+      error: `\`maxQueued\` must be in [${MIN_QUERY_MAX_QUEUED}, ${MAX_QUERY_MAX_QUEUED}]`,
+      code: "invalid_max_queued"
+    });
+    return null;
+  }
+  return n;
+}
+__name(parseMaxQueuedQuery, "parseMaxQueuedQuery");
+function safeLogValue(raw) {
+  return JSON.stringify(String(raw)).slice(0, 82);
+}
+__name(safeLogValue, "safeLogValue");
 function parseLastEventId(raw) {
   if (typeof raw !== "string" || !/^\d+$/.test(raw)) {
     if (typeof raw === "string" && raw.length > 0) {
       writeStderrLine(
-        `qwen serve: rejected Last-Event-ID "${raw.slice(0, 80)}" (not a decimal integer)`
+        `qwen serve: rejected Last-Event-ID ${safeLogValue(raw)} (not a decimal integer)`
       );
     }
     return void 0;
@@ -15388,7 +15575,7 @@ function parseLastEventId(raw) {
   const n = Number.parseInt(raw, 10);
   if (!Number.isFinite(n) || n > Number.MAX_SAFE_INTEGER) {
     writeStderrLine(
-      `qwen serve: rejected Last-Event-ID "${raw.slice(0, 80)}" (exceeds Number.MAX_SAFE_INTEGER)`
+      `qwen serve: rejected Last-Event-ID ${safeLogValue(raw)} (exceeds Number.MAX_SAFE_INTEGER)`
     );
     return void 0;
   }
@@ -15451,6 +15638,14 @@ function sendBridgeError(res, err, ctx) {
     });
     return;
   }
+  if (err instanceof InvalidSessionMetadataError) {
+    res.status(400).json({
+      error: err.message,
+      code: "invalid_metadata",
+      field: err.field
+    });
+    return;
+  }
   if (err instanceof SessionLimitExceededError) {
     res.set("Retry-After", "5");
     res.status(503).json({
@@ -15538,6 +15733,11 @@ async function runQwenServe(optsIn, deps = {}) {
       `Refusing to bind ${opts.hostname}:${opts.port} without a bearer token. Set ${QWEN_SERVER_TOKEN_ENV} or pass --token, or rebind to loopback (127.0.0.1, localhost, ::1, or [::1]).`
     );
   }
+  if (opts.requireAuth && !token) {
+    throw new Error(
+      `Refusing to start with --require-auth set but no bearer token configured. Set ${QWEN_SERVER_TOKEN_ENV} or pass --token, or omit --require-auth to keep the loopback developer default.`
+    );
+  }
   const rawWorkspace = opts.workspace ?? process.cwd();
   if (!path3.isAbsolute(rawWorkspace)) {
     throw new Error(
@@ -15570,6 +15770,7 @@ async function runQwenServe(optsIn, deps = {}) {
   const boundWorkspace = canonicalizeWorkspace(rawWorkspace);
   const bridge = deps.bridge ?? createHttpAcpBridge({
     maxSessions: opts.maxSessions,
+    ...opts.eventRingSize !== void 0 ? { eventRingSize: opts.eventRingSize } : {},
     boundWorkspace
   });
   let actualPort = opts.port;
@@ -15618,6 +15819,10 @@ async function runQwenServe(optsIn, deps = {}) {
         writeStderrLine(
           `qwen serve: bearer auth disabled (loopback default). Set ${QWEN_SERVER_TOKEN_ENV} to enable.`
         );
+      } else if (opts.requireAuth) {
+        writeStderrLine(
+          "qwen serve: --require-auth enabled (bearer token mandatory on every route, including loopback /health)."
+        );
       }
       let shuttingDown = false;
       let closePromise;
@@ -15732,22 +15937,32 @@ function createInMemoryChannel() {
 __name(createInMemoryChannel, "createInMemoryChannel");
 export {
   CAPABILITIES_SCHEMA_VERSION,
+  CONDITIONAL_SERVE_FEATURES,
   EVENT_SCHEMA_VERSION,
   EventBus,
   SERVE_CAPABILITY_REGISTRY,
   SERVE_FEATURES,
   SERVE_PROTOCOL_VERSION,
+  SERVE_STATUS_EXT_METHODS,
   STAGE1_FEATURES,
+  STATUS_SCHEMA_VERSION,
   SUPPORTED_SERVE_PROTOCOL_VERSIONS,
   SessionNotFoundError,
+  bearerAuth,
   createHttpAcpBridge,
+  createIdleWorkspaceMcpStatus,
+  createIdleWorkspaceProvidersStatus,
+  createIdleWorkspaceSkillsStatus,
   createInMemoryChannel,
+  createMutationGate,
   createServeApp,
   defaultSpawnChannelFactory,
+  denyBrowserOriginCors,
   getAdvertisedServeFeatures,
   getRegisteredServeFeatures,
   getServeFeatures,
   getServeProtocolVersions,
+  hostAllowlist,
   runQwenServe
 };
 /**