@qwen-code/qwen-code 0.18.0 → 0.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (111) hide show
  1. package/bundled/loop/SKILL.md +2 -1
  2. package/bundled/qc-helper/docs/configuration/auth.md +1 -1
  3. package/bundled/qc-helper/docs/configuration/model-providers.md +12 -5
  4. package/bundled/qc-helper/docs/configuration/settings.md +30 -27
  5. package/bundled/qc-helper/docs/features/dual-output.md +37 -3
  6. package/bundled/qc-helper/docs/features/skills.md +29 -3
  7. package/bundled/qc-helper/docs/features/sub-agents.md +2 -1
  8. package/bundled/qc-helper/docs/qwen-serve.md +26 -18
  9. package/chunks/{agent-LOTJK6AH.js → agent-XT7NHZ5H.js} +21 -20
  10. package/chunks/{agent-headless-TU3EPMYU.js → agent-headless-LNRE63ZL.js} +21 -20
  11. package/chunks/{anthropicContentGenerator-2HBRNQ3B.js → anthropicContentGenerator-DCI26OQF.js} +4 -4
  12. package/chunks/{askUserQuestion-OGCMIBQM.js → askUserQuestion-ITYUTWLR.js} +2 -2
  13. package/chunks/{ca-BARBRL6N.js → ca-RK4QPLIX.js} +18 -1
  14. package/chunks/{chunk-ZTZ4DDQE.js → chunk-3NRO6NHX.js} +2 -2
  15. package/chunks/{chunk-IWAYOW5Q.js → chunk-6T7Y7USE.js} +6566 -4195
  16. package/chunks/{chunk-MFBBBTNY.js → chunk-7KPZFE5A.js} +1 -1
  17. package/chunks/{chunk-XV4HCEVI.js → chunk-A2ZIEEGJ.js} +9 -22
  18. package/chunks/{chunk-A7B4ISQP.js → chunk-B4ZF2KSI.js} +1 -1
  19. package/chunks/chunk-BJ5HQ23U.js +178 -0
  20. package/chunks/{chunk-LBP46COL.js → chunk-BXYRCW2C.js} +83 -15
  21. package/chunks/{chunk-OHEGWO4L.js → chunk-CPVI5J2L.js} +1 -1
  22. package/chunks/{chunk-R7ODSGTK.js → chunk-DHZREJTG.js} +2 -2
  23. package/chunks/{chunk-SEGYWKIH.js → chunk-FIQECJTQ.js} +1 -1
  24. package/chunks/{chunk-HR7SV7AY.js → chunk-HA2UEYZP.js} +6 -2
  25. package/chunks/{chunk-JTQAQBTV.js → chunk-HED55F43.js} +5 -1
  26. package/chunks/{chunk-HLPLOD42.js → chunk-HQUWWSSP.js} +1 -1
  27. package/chunks/{chunk-2Y5SYSD3.js → chunk-IDYDPBBN.js} +3 -3
  28. package/chunks/{chunk-3HTIVKZE.js → chunk-IQHSD7K5.js} +1 -1
  29. package/chunks/{chunk-LEJ42GNY.js → chunk-IS7UA4W3.js} +6 -6
  30. package/chunks/{chunk-B7HXHOHU.js → chunk-LXYWINWF.js} +1 -1
  31. package/chunks/{chunk-IDX6COTE.js → chunk-LYRSMKLS.js} +2 -2
  32. package/chunks/{chunk-M6VTDSVR.js → chunk-LYSND7KR.js} +9 -4
  33. package/chunks/{chunk-EYENRK4D.js → chunk-NNIYWQIS.js} +1 -1
  34. package/chunks/chunk-OMX7CUOE.js +356 -0
  35. package/chunks/{chunk-BIVG75CP.js → chunk-QILTEBWS.js} +1 -1
  36. package/chunks/{chunk-6YIUGZTC.js → chunk-RON7LFNH.js} +281 -132
  37. package/chunks/{chunk-3DHXZ6EV.js → chunk-SFRV6BGY.js} +6 -4
  38. package/chunks/{chunk-7BCMOPIM.js → chunk-WJ3SND6W.js} +31 -12
  39. package/chunks/{chunk-J5MDQKJL.js → chunk-WPTCDQN6.js} +2 -347
  40. package/chunks/{chunk-PL3MVCWD.js → chunk-XZTNBSMW.js} +11 -11
  41. package/chunks/{chunk-72LDN5PP.js → chunk-Y7KMDUEP.js} +1 -1
  42. package/chunks/{chunk-SNGELLWX.js → chunk-ZMIBJS45.js} +1 -1
  43. package/chunks/{chunk-XBY7E2FX.js → chunk-ZOFNJQNJ.js} +6 -4
  44. package/chunks/computer-use-4YX3JGBV.js +2052 -0
  45. package/chunks/{contextCommand-K347QT6O.js → contextCommand-KS2H7MW5.js} +23 -22
  46. package/chunks/cron-create-CAPUKK7I.js +184 -0
  47. package/chunks/{cron-delete-WKWSJZQA.js → cron-delete-G3KAR26Q.js} +27 -4
  48. package/chunks/{cron-list-B52XEXAZ.js → cron-list-ZA4ZIUS5.js} +39 -6
  49. package/chunks/{de-YGKK2BC4.js → de-FGPM4KW5.js} +18 -1
  50. package/chunks/{dist-KAZ3SEBX.js → dist-7YWFWOCJ.js} +1 -1
  51. package/chunks/{dist-4LXD6L6X.js → dist-VEGFONCF.js} +2 -2
  52. package/chunks/{dist-H6ONXVLG.js → dist-X4EXN7W6.js} +1 -1
  53. package/chunks/{dist-PK7DFCAW.js → dist-YLS6NI7H.js} +1 -1
  54. package/chunks/{edit-KU4PJGEX.js → edit-2ARPEO4B.js} +22 -21
  55. package/chunks/{en-DHGYHIHX.js → en-VP6XPGEC.js} +5 -2
  56. package/chunks/{enter-worktree-PPYIDCWI.js → enter-worktree-IXNXNAW5.js} +21 -20
  57. package/chunks/{enterPlanMode-5CZDMCB4.js → enterPlanMode-TAKAGAYP.js} +21 -20
  58. package/chunks/{exit-worktree-UY3CGHKC.js → exit-worktree-LHTRV7ML.js} +21 -20
  59. package/chunks/{exitPlanMode-3DN4QNSG.js → exitPlanMode-MK5UAITL.js} +71 -31
  60. package/chunks/{fr-JXBKPJKQ.js → fr-ATYBVCLT.js} +18 -1
  61. package/chunks/{geminiContentGenerator-7A6I2RWB.js → geminiContentGenerator-HFJIGO77.js} +4 -4
  62. package/chunks/{glob-OFNQSS52.js → glob-I2USLUSC.js} +21 -20
  63. package/chunks/{grep-6J2MSUM5.js → grep-WBIF7THR.js} +30 -26
  64. package/chunks/{ja-TGPZSP2B.js → ja-W2QEA2OI.js} +18 -1
  65. package/chunks/{keychain-token-storage-6IU6ORQN.js → keychain-token-storage-QSTRHKKL.js} +2 -2
  66. package/chunks/{ls-V3O6A5PT.js → ls-2R5RHLX5.js} +3 -3
  67. package/chunks/{lsp-G2OCIFUA.js → lsp-XKH6ZIAN.js} +2 -2
  68. package/chunks/{monitor-FKLHV423.js → monitor-WU7UFATU.js} +21 -20
  69. package/chunks/{notebook-edit-KTBYFKWG.js → notebook-edit-KUHYPXEM.js} +22 -21
  70. package/chunks/{openaiContentGenerator-L5KSWQY7.js → openaiContentGenerator-5PLHYJQL.js} +11 -11
  71. package/chunks/{pt-TIBG6BIO.js → pt-ZKEWJFBW.js} +18 -1
  72. package/chunks/{qwenContentGenerator-PYOXLMBW.js → qwenContentGenerator-TSKW73KY.js} +23 -22
  73. package/chunks/{qwenOAuth2-2KCKWDCF.js → qwenOAuth2-KK433U33.js} +4 -4
  74. package/chunks/{read-file-JQVRK4NU.js → read-file-VIPF2PS6.js} +8 -8
  75. package/chunks/{ripGrep-2L4LPNAJ.js → ripGrep-XLIZTYE7.js} +21 -20
  76. package/chunks/{ru-JBCHCK4L.js → ru-VEKTPJ74.js} +18 -1
  77. package/chunks/{scheduler-FGNXY4JQ.js → scheduler-O66SLJGU.js} +21 -20
  78. package/chunks/{send-message-SZFWNOCL.js → send-message-CTME7DXD.js} +2 -2
  79. package/chunks/{serve-N2IBLA3G.js → serve-BWOLYT62.js} +998 -278
  80. package/chunks/{shell-PTEG6UX4.js → shell-XE7UYKOO.js} +21 -20
  81. package/chunks/{skill-X4NTK4NH.js → skill-RZWM6XMC.js} +10 -10
  82. package/chunks/{src-GLLQ3R5W.js → src-L5P7K4MH.js} +42 -26
  83. package/chunks/{syntheticOutput-IKAY5F6X.js → syntheticOutput-ZJGSU7OQ.js} +3 -3
  84. package/chunks/{task-create-MQICOJFV.js → task-create-EE6JEM7G.js} +7 -6
  85. package/chunks/{task-list-RIHJCH32.js → task-list-EESYAC65.js} +6 -5
  86. package/chunks/{task-stop-FWZRFANS.js → task-stop-XZVCFFYY.js} +2 -2
  87. package/chunks/{task-update-2LHPXOYM.js → task-update-EIO4HNE3.js} +7 -6
  88. package/chunks/{team-create-2E4PF4KN.js → team-create-R2H7Y3SG.js} +21 -20
  89. package/chunks/{team-delete-DAUDQS4J.js → team-delete-A7LXPGV7.js} +6 -5
  90. package/chunks/{todoWrite-HTUACZES.js → todoWrite-VRKSGAWM.js} +4 -4
  91. package/chunks/{tool-search-KTVULRES.js → tool-search-USSQMTMS.js} +8 -8
  92. package/chunks/{web-fetch-CZ7LLKPE.js → web-fetch-GHAZUA54.js} +4 -4
  93. package/chunks/{workflow-L2ZUUDT2.js → workflow-5LNNLNUR.js} +503 -49
  94. package/chunks/{write-file-ZEB2JDYH.js → write-file-2I7HP24C.js} +22 -21
  95. package/chunks/{zh-7H5OQC4I.js → zh-OIXDDQHB.js} +5 -2
  96. package/chunks/{zh-TW-P4IDHD3M.js → zh-TW-6YFNCKTA.js} +5 -2
  97. package/cli-entry.js +19 -0
  98. package/cli.js +6547 -4938
  99. package/locales/ca.js +20 -2
  100. package/locales/de.js +21 -2
  101. package/locales/en.js +7 -4
  102. package/locales/fr.js +22 -2
  103. package/locales/ja.js +22 -2
  104. package/locales/pt.js +21 -2
  105. package/locales/ru.js +20 -2
  106. package/locales/zh-TW.js +6 -4
  107. package/locales/zh.js +6 -4
  108. package/package.json +4 -3
  109. package/chunks/chunk-SKBPNJEW.js +0 -45
  110. package/chunks/computer-use-3RH2DOM6.js +0 -825
  111. package/chunks/cron-create-YJL3KFWI.js +0 -140
package/chunks/{serve-N2IBLA3G.js → serve-BWOLYT62.js} RENAMED
@@ -27,6 +27,7 @@ import {
27
27
  MissingCliEntryError,
28
28
  PermissionForbiddenError,
29
29
  PermissionPolicyNotImplementedError,
30
+ PromptQueueFullError,
30
31
  RestoreInProgressError,
31
32
  SERVE_CONTROL_EXT_METHODS,
32
33
  SERVE_ERROR_KINDS,
@@ -35,6 +36,8 @@ import {
35
36
  SessionBusyError,
36
37
  SessionLimitExceededError,
37
38
  SessionNotFoundError,
39
+ SessionShellClientRequiredError,
40
+ SessionShellDisabledError,
38
41
  SubscriberLimitExceededError,
39
42
  WorkspaceInitConflictError,
40
43
  WorkspaceInitPathEscapeError,
@@ -62,7 +65,7 @@ import {
62
65
  loadSettings,
63
66
  mapDomainErrorToErrorKind,
64
67
  reloadEnvironment
65
- } from "./chunk-LBP46COL.js";
68
+ } from "./chunk-BXYRCW2C.js";
66
69
  import {
67
70
  ClientSideConnection,
68
71
  PROTOCOL_VERSION,
@@ -73,15 +76,18 @@ import {
73
76
  SUPPORTED_LANGUAGES,
74
77
  writeStderrLine,
75
78
  writeStdoutLine
76
- } from "./chunk-PL3MVCWD.js";
79
+ } from "./chunk-XZTNBSMW.js";
77
80
  import {
78
81
  ALL_PROVIDERS,
79
82
  APPROVAL_MODES,
80
83
  BTW_MAX_INPUT_LENGTH,
81
84
  BuiltinAgentRegistry,
85
+ Client,
82
86
  SessionService,
83
87
  ShellExecutionService,
84
88
  StandardFileSystemService,
89
+ StdioClientTransport,
90
+ StreamableHTTPClientTransport,
85
91
  SubagentError,
86
92
  SubagentErrorCode,
87
93
  SubagentManager,
@@ -101,26 +107,28 @@ import {
101
107
  resolveBaseUrl,
102
108
  shouldShowStep,
103
109
  writeWorkspaceContextFile
104
- } from "./chunk-IWAYOW5Q.js";
110
+ } from "./chunk-6T7Y7USE.js";
105
111
  import "./chunk-K5PGHDBN.js";
106
- import "./chunk-SKBPNJEW.js";
107
- import "./chunk-HLPLOD42.js";
112
+ import "./chunk-HQUWWSSP.js";
108
113
  import "./chunk-O4PICXES.js";
109
114
  import "./chunk-TW522KN6.js";
110
- import "./chunk-3DHXZ6EV.js";
111
- import "./chunk-XBY7E2FX.js";
112
- import "./chunk-J5MDQKJL.js";
115
+ import "./chunk-BJ5HQ23U.js";
116
+ import "./chunk-SFRV6BGY.js";
117
+ import "./chunk-ZOFNJQNJ.js";
118
+ import "./chunk-WPTCDQN6.js";
119
+ import "./chunk-OMX7CUOE.js";
113
120
  import "./chunk-MLZQVCF3.js";
114
121
  import "./chunk-LD2XBG6Z.js";
115
- import "./chunk-OHEGWO4L.js";
116
- import "./chunk-SNGELLWX.js";
122
+ import "./chunk-CPVI5J2L.js";
123
+ import "./chunk-ZMIBJS45.js";
117
124
  import "./chunk-77WXWU44.js";
118
- import "./chunk-A7B4ISQP.js";
125
+ import "./chunk-B4ZF2KSI.js";
119
126
  import {
120
127
  DAEMON_TRACEPARENT_META_KEY,
121
128
  DAEMON_TRACESTATE_META_KEY,
122
129
  DEFAULT_OTLP_ENDPOINT,
123
130
  DEFAULT_TELEMETRY_TARGET,
131
+ addDaemonRequestAttribute,
124
132
  createDaemonBridgeTelemetry,
125
133
  decodeBufferWithEncodingInfo,
126
134
  emitDaemonLog,
@@ -145,14 +153,14 @@ import {
145
153
  resolveTelemetrySettings,
146
154
  shutdownTelemetry,
147
155
  withDaemonRequestSpan
148
- } from "./chunk-6YIUGZTC.js";
156
+ } from "./chunk-RON7LFNH.js";
149
157
  import "./chunk-3PJXIDKI.js";
150
158
  import "./chunk-UWCTAVOD.js";
151
159
  import "./chunk-OFEVLU4C.js";
152
- import "./chunk-3HTIVKZE.js";
153
- import "./chunk-IDX6COTE.js";
154
- import "./chunk-BIVG75CP.js";
155
- import "./chunk-XV4HCEVI.js";
160
+ import "./chunk-IQHSD7K5.js";
161
+ import "./chunk-LYRSMKLS.js";
162
+ import "./chunk-QILTEBWS.js";
163
+ import "./chunk-A2ZIEEGJ.js";
156
164
  import {
157
165
  QwenOAuth2Client,
158
166
  QwenOAuthPollError,
@@ -161,15 +169,15 @@ import {
161
169
  isDeviceAuthorizationSuccess,
162
170
  isDeviceTokenPending,
163
171
  isDeviceTokenSuccess
164
- } from "./chunk-2Y5SYSD3.js";
165
- import "./chunk-SEGYWKIH.js";
172
+ } from "./chunk-IDYDPBBN.js";
173
+ import "./chunk-FIQECJTQ.js";
166
174
  import "./chunk-64WXLC72.js";
167
- import "./chunk-B7HXHOHU.js";
175
+ import "./chunk-LXYWINWF.js";
168
176
  import {
169
177
  detectRuntime,
170
178
  redactProxyCredentials
171
- } from "./chunk-EYENRK4D.js";
172
- import "./chunk-M6VTDSVR.js";
179
+ } from "./chunk-NNIYWQIS.js";
180
+ import "./chunk-LYSND7KR.js";
173
181
  import "./chunk-55ZMG67I.js";
174
182
  import {
175
183
  import_websocket_server
@@ -178,7 +186,7 @@ import "./chunk-5IFG2VC4.js";
178
186
  import {
179
187
  Storage,
180
188
  updateSymlink
181
- } from "./chunk-HR7SV7AY.js";
189
+ } from "./chunk-HA2UEYZP.js";
182
190
  import "./chunk-ZERZSAZL.js";
183
191
  import {
184
192
  require_src
@@ -9230,11 +9238,11 @@ var require_mime_types = __commonJS({
9230
9238
  return exts[0];
9231
9239
  }
9232
9240
  __name(extension, "extension");
9233
- function lookup(path13) {
9234
- if (!path13 || typeof path13 !== "string") {
9241
+ function lookup(path14) {
9242
+ if (!path14 || typeof path14 !== "string") {
9235
9243
  return false;
9236
9244
  }
9237
- var extension2 = extname("x." + path13).toLowerCase().slice(1);
9245
+ var extension2 = extname("x." + path14).toLowerCase().slice(1);
9238
9246
  if (!extension2) {
9239
9247
  return false;
9240
9248
  }
@@ -10365,13 +10373,13 @@ var require_view = __commonJS({
10365
10373
  "use strict";
10366
10374
  init_esbuild_shims();
10367
10375
  var debug = require_src()("express:view");
10368
- var path13 = __require("node:path");
10376
+ var path14 = __require("node:path");
10369
10377
  var fs7 = __require("node:fs");
10370
- var dirname5 = path13.dirname;
10371
- var basename3 = path13.basename;
10372
- var extname = path13.extname;
10373
- var join5 = path13.join;
10374
- var resolve6 = path13.resolve;
10378
+ var dirname5 = path14.dirname;
10379
+ var basename3 = path14.basename;
10380
+ var extname = path14.extname;
10381
+ var join6 = path14.join;
10382
+ var resolve6 = path14.resolve;
10375
10383
  module.exports = View;
10376
10384
  function View(name, options) {
10377
10385
  var opts = options || {};
@@ -10401,17 +10409,17 @@ var require_view = __commonJS({
10401
10409
  }
10402
10410
  __name(View, "View");
10403
10411
  View.prototype.lookup = /* @__PURE__ */ __name(function lookup(name) {
10404
- var path14;
10412
+ var path15;
10405
10413
  var roots = [].concat(this.root);
10406
10414
  debug('lookup "%s"', name);
10407
- for (var i = 0; i < roots.length && !path14; i++) {
10415
+ for (var i = 0; i < roots.length && !path15; i++) {
10408
10416
  var root = roots[i];
10409
10417
  var loc = resolve6(root, name);
10410
10418
  var dir = dirname5(loc);
10411
10419
  var file = basename3(loc);
10412
- path14 = this.resolve(dir, file);
10420
+ path15 = this.resolve(dir, file);
10413
10421
  }
10414
- return path14;
10422
+ return path15;
10415
10423
  }, "lookup");
10416
10424
  View.prototype.render = /* @__PURE__ */ __name(function render(options, callback) {
10417
10425
  var sync = true;
@@ -10433,21 +10441,21 @@ var require_view = __commonJS({
10433
10441
  }, "render");
10434
10442
  View.prototype.resolve = /* @__PURE__ */ __name(function resolve7(dir, file) {
10435
10443
  var ext = this.ext;
10436
- var path14 = join5(dir, file);
10437
- var stat = tryStat(path14);
10444
+ var path15 = join6(dir, file);
10445
+ var stat = tryStat(path15);
10438
10446
  if (stat && stat.isFile()) {
10439
- return path14;
10447
+ return path15;
10440
10448
  }
10441
- path14 = join5(dir, basename3(file, ext), "index" + ext);
10442
- stat = tryStat(path14);
10449
+ path15 = join6(dir, basename3(file, ext), "index" + ext);
10450
+ stat = tryStat(path15);
10443
10451
  if (stat && stat.isFile()) {
10444
- return path14;
10452
+ return path15;
10445
10453
  }
10446
10454
  }, "resolve");
10447
- function tryStat(path14) {
10448
- debug('stat "%s"', path14);
10455
+ function tryStat(path15) {
10456
+ debug('stat "%s"', path15);
10449
10457
  try {
10450
- return fs7.statSync(path14);
10458
+ return fs7.statSync(path15);
10451
10459
  } catch (e) {
10452
10460
  return void 0;
10453
10461
  }
@@ -11637,9 +11645,9 @@ var require_dist2 = __commonJS({
11637
11645
  function consume(endType) {
11638
11646
  const tokens2 = [];
11639
11647
  while (true) {
11640
- const path13 = it.text();
11641
- if (path13)
11642
- tokens2.push({ type: "text", value: encodePath(path13) });
11648
+ const path14 = it.text();
11649
+ if (path14)
11650
+ tokens2.push({ type: "text", value: encodePath(path14) });
11643
11651
  const param = it.tryConsume("PARAM");
11644
11652
  if (param) {
11645
11653
  tokens2.push({
@@ -11673,16 +11681,16 @@ var require_dist2 = __commonJS({
11673
11681
  return new TokenData(tokens);
11674
11682
  }
11675
11683
  __name(parse, "parse");
11676
- function compile(path13, options = {}) {
11684
+ function compile(path14, options = {}) {
11677
11685
  const { encode = encodeURIComponent, delimiter = DEFAULT_DELIMITER } = options;
11678
- const data = path13 instanceof TokenData ? path13 : parse(path13, options);
11686
+ const data = path14 instanceof TokenData ? path14 : parse(path14, options);
11679
11687
  const fn = tokensToFunction(data.tokens, delimiter, encode);
11680
- return /* @__PURE__ */ __name(function path14(data2 = {}) {
11681
- const [path15, ...missing] = fn(data2);
11688
+ return /* @__PURE__ */ __name(function path15(data2 = {}) {
11689
+ const [path16, ...missing] = fn(data2);
11682
11690
  if (missing.length) {
11683
11691
  throw new TypeError(`Missing parameters: ${missing.join(", ")}`);
11684
11692
  }
11685
- return path15;
11693
+ return path16;
11686
11694
  }, "path");
11687
11695
  }
11688
11696
  __name(compile, "compile");
@@ -11741,9 +11749,9 @@ var require_dist2 = __commonJS({
11741
11749
  };
11742
11750
  }
11743
11751
  __name(tokenToFunction, "tokenToFunction");
11744
- function match(path13, options = {}) {
11752
+ function match(path14, options = {}) {
11745
11753
  const { decode = decodeURIComponent, delimiter = DEFAULT_DELIMITER } = options;
11746
- const { regexp, keys } = pathToRegexp(path13, options);
11754
+ const { regexp, keys } = pathToRegexp(path14, options);
11747
11755
  const decoders = keys.map((key) => {
11748
11756
  if (decode === false)
11749
11757
  return NOOP_VALUE;
@@ -11755,7 +11763,7 @@ var require_dist2 = __commonJS({
11755
11763
  const m = regexp.exec(input);
11756
11764
  if (!m)
11757
11765
  return false;
11758
- const path14 = m[0];
11766
+ const path15 = m[0];
11759
11767
  const params = /* @__PURE__ */ Object.create(null);
11760
11768
  for (let i = 1; i < m.length; i++) {
11761
11769
  if (m[i] === void 0)
@@ -11764,17 +11772,17 @@ var require_dist2 = __commonJS({
11764
11772
  const decoder = decoders[i - 1];
11765
11773
  params[key.name] = decoder(m[i]);
11766
11774
  }
11767
- return { path: path14, params };
11775
+ return { path: path15, params };
11768
11776
  }, "match");
11769
11777
  }
11770
11778
  __name(match, "match");
11771
- function pathToRegexp(path13, options = {}) {
11779
+ function pathToRegexp(path14, options = {}) {
11772
11780
  const { delimiter = DEFAULT_DELIMITER, end = true, sensitive = false, trailing = true } = options;
11773
11781
  const keys = [];
11774
11782
  const sources = [];
11775
11783
  const flags = sensitive ? "" : "i";
11776
- const paths = Array.isArray(path13) ? path13 : [path13];
11777
- const items = paths.map((path14) => path14 instanceof TokenData ? path14 : parse(path14, options));
11784
+ const paths = Array.isArray(path14) ? path14 : [path14];
11785
+ const items = paths.map((path15) => path15 instanceof TokenData ? path15 : parse(path15, options));
11778
11786
  for (const { tokens } of items) {
11779
11787
  for (const seq of flatten(tokens, 0, [])) {
11780
11788
  const regexp2 = sequenceToRegExp(seq, delimiter, keys);
@@ -11892,18 +11900,18 @@ var require_layer = __commonJS({
11892
11900
  var TRAILING_SLASH_REGEXP = /\/+$/;
11893
11901
  var MATCHING_GROUP_REGEXP = /\((?:\?<(.*?)>)?(?!\?)/g;
11894
11902
  module.exports = Layer;
11895
- function Layer(path13, options, fn) {
11903
+ function Layer(path14, options, fn) {
11896
11904
  if (!(this instanceof Layer)) {
11897
- return new Layer(path13, options, fn);
11905
+ return new Layer(path14, options, fn);
11898
11906
  }
11899
- debug("new %o", path13);
11907
+ debug("new %o", path14);
11900
11908
  const opts = options || {};
11901
11909
  this.handle = fn;
11902
11910
  this.keys = [];
11903
11911
  this.name = fn.name || "<anonymous>";
11904
11912
  this.params = void 0;
11905
11913
  this.path = void 0;
11906
- this.slash = path13 === "/" && opts.end === false;
11914
+ this.slash = path14 === "/" && opts.end === false;
11907
11915
  function matcher(_path) {
11908
11916
  if (_path instanceof RegExp) {
11909
11917
  const keys = [];
@@ -11943,7 +11951,7 @@ var require_layer = __commonJS({
11943
11951
  });
11944
11952
  }
11945
11953
  __name(matcher, "matcher");
11946
- this.matchers = Array.isArray(path13) ? path13.map(matcher) : [matcher(path13)];
11954
+ this.matchers = Array.isArray(path14) ? path14.map(matcher) : [matcher(path14)];
11947
11955
  }
11948
11956
  __name(Layer, "Layer");
11949
11957
  Layer.prototype.handleError = /* @__PURE__ */ __name(function handleError(error2, req, res, next) {
@@ -11984,9 +11992,9 @@ var require_layer = __commonJS({
11984
11992
  next(err);
11985
11993
  }
11986
11994
  }, "handleRequest");
11987
- Layer.prototype.match = /* @__PURE__ */ __name(function match(path13) {
11995
+ Layer.prototype.match = /* @__PURE__ */ __name(function match(path14) {
11988
11996
  let match2;
11989
- if (path13 != null) {
11997
+ if (path14 != null) {
11990
11998
  if (this.slash) {
11991
11999
  this.params = {};
11992
12000
  this.path = "";
@@ -11994,7 +12002,7 @@ var require_layer = __commonJS({
11994
12002
  }
11995
12003
  let i = 0;
11996
12004
  while (!match2 && i < this.matchers.length) {
11997
- match2 = this.matchers[i](path13);
12005
+ match2 = this.matchers[i](path14);
11998
12006
  i++;
11999
12007
  }
12000
12008
  }
@@ -12023,13 +12031,13 @@ var require_layer = __commonJS({
12023
12031
  }
12024
12032
  }
12025
12033
  __name(decodeParam, "decodeParam");
12026
- function loosen(path13) {
12027
- if (path13 instanceof RegExp || path13 === "/") {
12028
- return path13;
12034
+ function loosen(path14) {
12035
+ if (path14 instanceof RegExp || path14 === "/") {
12036
+ return path14;
12029
12037
  }
12030
- return Array.isArray(path13) ? path13.map(function(p) {
12038
+ return Array.isArray(path14) ? path14.map(function(p) {
12031
12039
  return loosen(p);
12032
- }) : String(path13).replace(TRAILING_SLASH_REGEXP, "");
12040
+ }) : String(path14).replace(TRAILING_SLASH_REGEXP, "");
12033
12041
  }
12034
12042
  __name(loosen, "loosen");
12035
12043
  }
@@ -12047,9 +12055,9 @@ var require_route = __commonJS({
12047
12055
  var flatten = Array.prototype.flat;
12048
12056
  var methods = METHODS.map((method) => method.toLowerCase());
12049
12057
  module.exports = Route;
12050
- function Route(path13) {
12051
- debug("new %o", path13);
12052
- this.path = path13;
12058
+ function Route(path14) {
12059
+ debug("new %o", path14);
12060
+ this.path = path14;
12053
12061
  this.stack = [];
12054
12062
  this.methods = /* @__PURE__ */ Object.create(null);
12055
12063
  }
@@ -12262,8 +12270,8 @@ var require_router = __commonJS({
12262
12270
  if (++sync > 100) {
12263
12271
  return setImmediate(next, err);
12264
12272
  }
12265
- const path13 = getPathname(req);
12266
- if (path13 == null) {
12273
+ const path14 = getPathname(req);
12274
+ if (path14 == null) {
12267
12275
  return done(layerError);
12268
12276
  }
12269
12277
  let layer;
@@ -12271,7 +12279,7 @@ var require_router = __commonJS({
12271
12279
  let route;
12272
12280
  while (match !== true && idx < stack.length) {
12273
12281
  layer = stack[idx++];
12274
- match = matchLayer(layer, path13);
12282
+ match = matchLayer(layer, path14);
12275
12283
  route = layer.route;
12276
12284
  if (typeof match !== "boolean") {
12277
12285
  layerError = layerError || match;
@@ -12309,19 +12317,19 @@ var require_router = __commonJS({
12309
12317
  } else if (route) {
12310
12318
  layer.handleRequest(req, res, next);
12311
12319
  } else {
12312
- trimPrefix(layer, layerError, layerPath, path13);
12320
+ trimPrefix(layer, layerError, layerPath, path14);
12313
12321
  }
12314
12322
  sync = 0;
12315
12323
  });
12316
12324
  }
12317
12325
  __name(next, "next");
12318
- function trimPrefix(layer, layerError, layerPath, path13) {
12326
+ function trimPrefix(layer, layerError, layerPath, path14) {
12319
12327
  if (layerPath.length !== 0) {
12320
- if (layerPath !== path13.substring(0, layerPath.length)) {
12328
+ if (layerPath !== path14.substring(0, layerPath.length)) {
12321
12329
  next(layerError);
12322
12330
  return;
12323
12331
  }
12324
- const c = path13[layerPath.length];
12332
+ const c = path14[layerPath.length];
12325
12333
  if (c && c !== "/") {
12326
12334
  next(layerError);
12327
12335
  return;
@@ -12346,7 +12354,7 @@ var require_router = __commonJS({
12346
12354
  }, "handle");
12347
12355
  Router.prototype.use = /* @__PURE__ */ __name(function use(handler) {
12348
12356
  let offset = 0;
12349
- let path13 = "/";
12357
+ let path14 = "/";
12350
12358
  if (typeof handler !== "function") {
12351
12359
  let arg = handler;
12352
12360
  while (Array.isArray(arg) && arg.length !== 0) {
@@ -12354,7 +12362,7 @@ var require_router = __commonJS({
12354
12362
  }
12355
12363
  if (typeof arg !== "function") {
12356
12364
  offset = 1;
12357
- path13 = handler;
12365
+ path14 = handler;
12358
12366
  }
12359
12367
  }
12360
12368
  const callbacks = flatten.call(slice.call(arguments, offset), Infinity);
@@ -12366,8 +12374,8 @@ var require_router = __commonJS({
12366
12374
  if (typeof fn !== "function") {
12367
12375
  throw new TypeError("argument handler must be a function");
12368
12376
  }
12369
- debug("use %o %s", path13, fn.name || "<anonymous>");
12370
- const layer = new Layer(path13, {
12377
+ debug("use %o %s", path14, fn.name || "<anonymous>");
12378
+ const layer = new Layer(path14, {
12371
12379
  sensitive: this.caseSensitive,
12372
12380
  strict: false,
12373
12381
  end: false
@@ -12377,9 +12385,9 @@ var require_router = __commonJS({
12377
12385
  }
12378
12386
  return this;
12379
12387
  }, "use");
12380
- Router.prototype.route = /* @__PURE__ */ __name(function route(path13) {
12381
- const route2 = new Route(path13);
12382
- const layer = new Layer(path13, {
12388
+ Router.prototype.route = /* @__PURE__ */ __name(function route(path14) {
12389
+ const route2 = new Route(path14);
12390
+ const layer = new Layer(path14, {
12383
12391
  sensitive: this.caseSensitive,
12384
12392
  strict: this.strict,
12385
12393
  end: true
@@ -12393,8 +12401,8 @@ var require_router = __commonJS({
12393
12401
  return route2;
12394
12402
  }, "route");
12395
12403
  methods.concat("all").forEach(function(method) {
12396
- Router.prototype[method] = function(path13) {
12397
- const route = this.route(path13);
12404
+ Router.prototype[method] = function(path14) {
12405
+ const route = this.route(path14);
12398
12406
  route[method].apply(route, slice.call(arguments, 1));
12399
12407
  return this;
12400
12408
  };
@@ -12426,9 +12434,9 @@ var require_router = __commonJS({
12426
12434
  return fqdnIndex !== -1 ? url.substring(0, url.indexOf("/", 3 + fqdnIndex)) : void 0;
12427
12435
  }
12428
12436
  __name(getProtohost, "getProtohost");
12429
- function matchLayer(layer, path13) {
12437
+ function matchLayer(layer, path14) {
12430
12438
  try {
12431
- return layer.match(path13);
12439
+ return layer.match(path14);
12432
12440
  } catch (err) {
12433
12441
  return err;
12434
12442
  }
@@ -12666,7 +12674,7 @@ var require_application = __commonJS({
12666
12674
  }, "handle");
12667
12675
  app.use = /* @__PURE__ */ __name(function use(fn) {
12668
12676
  var offset = 0;
12669
- var path13 = "/";
12677
+ var path14 = "/";
12670
12678
  if (typeof fn !== "function") {
12671
12679
  var arg = fn;
12672
12680
  while (Array.isArray(arg) && arg.length !== 0) {
@@ -12674,7 +12682,7 @@ var require_application = __commonJS({
12674
12682
  }
12675
12683
  if (typeof arg !== "function") {
12676
12684
  offset = 1;
12677
- path13 = fn;
12685
+ path14 = fn;
12678
12686
  }
12679
12687
  }
12680
12688
  var fns = flatten.call(slice.call(arguments, offset), Infinity);
@@ -12684,12 +12692,12 @@ var require_application = __commonJS({
12684
12692
  var router = this.router;
12685
12693
  fns.forEach(function(fn2) {
12686
12694
  if (!fn2 || !fn2.handle || !fn2.set) {
12687
- return router.use(path13, fn2);
12695
+ return router.use(path14, fn2);
12688
12696
  }
12689
- debug(".use app under %s", path13);
12690
- fn2.mountpath = path13;
12697
+ debug(".use app under %s", path14);
12698
+ fn2.mountpath = path14;
12691
12699
  fn2.parent = this;
12692
- router.use(path13, /* @__PURE__ */ __name(function mounted_app(req, res, next) {
12700
+ router.use(path14, /* @__PURE__ */ __name(function mounted_app(req, res, next) {
12693
12701
  var orig = req.app;
12694
12702
  fn2.handle(req, res, function(err) {
12695
12703
  Object.setPrototypeOf(req, orig.request);
@@ -12701,8 +12709,8 @@ var require_application = __commonJS({
12701
12709
  }, this);
12702
12710
  return this;
12703
12711
  }, "use");
12704
- app.route = /* @__PURE__ */ __name(function route(path13) {
12705
- return this.router.route(path13);
12712
+ app.route = /* @__PURE__ */ __name(function route(path14) {
12713
+ return this.router.route(path14);
12706
12714
  }, "route");
12707
12715
  app.engine = /* @__PURE__ */ __name(function engine(ext, fn) {
12708
12716
  if (typeof fn !== "function") {
@@ -12745,7 +12753,7 @@ var require_application = __commonJS({
12745
12753
  }
12746
12754
  return this;
12747
12755
  }, "set");
12748
- app.path = /* @__PURE__ */ __name(function path13() {
12756
+ app.path = /* @__PURE__ */ __name(function path14() {
12749
12757
  return this.parent ? this.parent.path() + this.mountpath : "";
12750
12758
  }, "path");
12751
12759
  app.enabled = /* @__PURE__ */ __name(function enabled(setting) {
@@ -12761,17 +12769,17 @@ var require_application = __commonJS({
12761
12769
  return this.set(setting, false);
12762
12770
  }, "disable");
12763
12771
  methods.forEach(function(method) {
12764
- app[method] = function(path13) {
12772
+ app[method] = function(path14) {
12765
12773
  if (method === "get" && arguments.length === 1) {
12766
- return this.set(path13);
12774
+ return this.set(path14);
12767
12775
  }
12768
- var route = this.route(path13);
12776
+ var route = this.route(path14);
12769
12777
  route[method].apply(route, slice.call(arguments, 1));
12770
12778
  return this;
12771
12779
  };
12772
12780
  });
12773
- app.all = /* @__PURE__ */ __name(function all(path13) {
12774
- var route = this.route(path13);
12781
+ app.all = /* @__PURE__ */ __name(function all(path14) {
12782
+ var route = this.route(path14);
12775
12783
  var args = slice.call(arguments, 1);
12776
12784
  for (var i = 0; i < methods.length; i++) {
12777
12785
  route[methods[i]].apply(route, args);
@@ -13741,7 +13749,7 @@ var require_request = __commonJS({
13741
13749
  var subdomains2 = !isIP2(hostname) ? hostname.split(".").reverse() : [hostname];
13742
13750
  return subdomains2.slice(offset);
13743
13751
  }, "subdomains"));
13744
- defineGetter(req, "path", /* @__PURE__ */ __name(function path13() {
13752
+ defineGetter(req, "path", /* @__PURE__ */ __name(function path14() {
13745
13753
  return parse(this).pathname;
13746
13754
  }, "path"));
13747
13755
  defineGetter(req, "host", /* @__PURE__ */ __name(function host() {
@@ -13964,8 +13972,8 @@ var require_content_disposition = __commonJS({
13964
13972
  this.parameters = parameters;
13965
13973
  }
13966
13974
  __name(ContentDisposition, "ContentDisposition");
13967
- function basename3(path13) {
13968
- const normalized = path13.replaceAll("\\", "/");
13975
+ function basename3(path14) {
13976
+ const normalized = path14.replaceAll("\\", "/");
13969
13977
  let end = normalized.length;
13970
13978
  while (end > 0 && normalized[end - 1] === "/") {
13971
13979
  end--;
@@ -14225,28 +14233,28 @@ var require_send = __commonJS({
14225
14233
  var ms = require_ms();
14226
14234
  var onFinished = require_on_finished();
14227
14235
  var parseRange = require_range_parser();
14228
- var path13 = __require("path");
14236
+ var path14 = __require("path");
14229
14237
  var statuses = require_statuses();
14230
14238
  var Stream = __require("stream");
14231
14239
  var util = __require("util");
14232
- var extname = path13.extname;
14233
- var join5 = path13.join;
14234
- var normalize = path13.normalize;
14235
- var resolve6 = path13.resolve;
14236
- var sep4 = path13.sep;
14240
+ var extname = path14.extname;
14241
+ var join6 = path14.join;
14242
+ var normalize = path14.normalize;
14243
+ var resolve6 = path14.resolve;
14244
+ var sep4 = path14.sep;
14237
14245
  var BYTES_RANGE_REGEXP = /^ *bytes=/;
14238
14246
  var MAX_MAXAGE = 60 * 60 * 24 * 365 * 1e3;
14239
14247
  var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
14240
14248
  module.exports = send;
14241
- function send(req, path14, options) {
14242
- return new SendStream(req, path14, options);
14249
+ function send(req, path15, options) {
14250
+ return new SendStream(req, path15, options);
14243
14251
  }
14244
14252
  __name(send, "send");
14245
- function SendStream(req, path14, options) {
14253
+ function SendStream(req, path15, options) {
14246
14254
  Stream.call(this);
14247
14255
  var opts = options || {};
14248
14256
  this.options = opts;
14249
- this.path = path14;
14257
+ this.path = path15;
14250
14258
  this.req = req;
14251
14259
  this._acceptRanges = opts.acceptRanges !== void 0 ? Boolean(opts.acceptRanges) : true;
14252
14260
  this._cacheControl = opts.cacheControl !== void 0 ? Boolean(opts.cacheControl) : true;
@@ -14361,10 +14369,10 @@ var require_send = __commonJS({
14361
14369
  var lastModified = this.res.getHeader("Last-Modified");
14362
14370
  return parseHttpDate(lastModified) <= parseHttpDate(ifRange);
14363
14371
  }, "isRangeFresh");
14364
- SendStream.prototype.redirect = /* @__PURE__ */ __name(function redirect(path14) {
14372
+ SendStream.prototype.redirect = /* @__PURE__ */ __name(function redirect(path15) {
14365
14373
  var res = this.res;
14366
14374
  if (hasListeners(this, "directory")) {
14367
- this.emit("directory", res, path14);
14375
+ this.emit("directory", res, path15);
14368
14376
  return;
14369
14377
  }
14370
14378
  if (this.hasTrailingSlash()) {
@@ -14384,38 +14392,38 @@ var require_send = __commonJS({
14384
14392
  SendStream.prototype.pipe = /* @__PURE__ */ __name(function pipe(res) {
14385
14393
  var root = this._root;
14386
14394
  this.res = res;
14387
- var path14 = decode(this.path);
14388
- if (path14 === -1) {
14395
+ var path15 = decode(this.path);
14396
+ if (path15 === -1) {
14389
14397
  this.error(400);
14390
14398
  return res;
14391
14399
  }
14392
- if (~path14.indexOf("\0")) {
14400
+ if (~path15.indexOf("\0")) {
14393
14401
  this.error(400);
14394
14402
  return res;
14395
14403
  }
14396
14404
  var parts;
14397
14405
  if (root !== null) {
14398
- if (path14) {
14399
- path14 = normalize("." + sep4 + path14);
14406
+ if (path15) {
14407
+ path15 = normalize("." + sep4 + path15);
14400
14408
  }
14401
- if (UP_PATH_REGEXP.test(path14)) {
14402
- debug('malicious path "%s"', path14);
14409
+ if (UP_PATH_REGEXP.test(path15)) {
14410
+ debug('malicious path "%s"', path15);
14403
14411
  this.error(403);
14404
14412
  return res;
14405
14413
  }
14406
- parts = path14.split(sep4);
14407
- path14 = normalize(join5(root, path14));
14414
+ parts = path15.split(sep4);
14415
+ path15 = normalize(join6(root, path15));
14408
14416
  } else {
14409
- if (UP_PATH_REGEXP.test(path14)) {
14410
- debug('malicious path "%s"', path14);
14417
+ if (UP_PATH_REGEXP.test(path15)) {
14418
+ debug('malicious path "%s"', path15);
14411
14419
  this.error(403);
14412
14420
  return res;
14413
14421
  }
14414
- parts = normalize(path14).split(sep4);
14415
- path14 = resolve6(path14);
14422
+ parts = normalize(path15).split(sep4);
14423
+ path15 = resolve6(path15);
14416
14424
  }
14417
14425
  if (containsDotFile(parts)) {
14418
- debug('%s dotfile "%s"', this._dotfiles, path14);
14426
+ debug('%s dotfile "%s"', this._dotfiles, path15);
14419
14427
  switch (this._dotfiles) {
14420
14428
  case "allow":
14421
14429
  break;
@@ -14429,13 +14437,13 @@ var require_send = __commonJS({
14429
14437
  }
14430
14438
  }
14431
14439
  if (this._index.length && this.hasTrailingSlash()) {
14432
- this.sendIndex(path14);
14440
+ this.sendIndex(path15);
14433
14441
  return res;
14434
14442
  }
14435
- this.sendFile(path14);
14443
+ this.sendFile(path15);
14436
14444
  return res;
14437
14445
  }, "pipe");
14438
- SendStream.prototype.send = /* @__PURE__ */ __name(function send2(path14, stat) {
14446
+ SendStream.prototype.send = /* @__PURE__ */ __name(function send2(path15, stat) {
14439
14447
  var len = stat.size;
14440
14448
  var options = this.options;
14441
14449
  var opts = {};
@@ -14447,9 +14455,9 @@ var require_send = __commonJS({
14447
14455
  this.headersAlreadySent();
14448
14456
  return;
14449
14457
  }
14450
- debug('pipe "%s"', path14);
14451
- this.setHeader(path14, stat);
14452
- this.type(path14);
14458
+ debug('pipe "%s"', path15);
14459
+ this.setHeader(path15, stat);
14460
+ this.type(path15);
14453
14461
  if (this.isConditionalGET()) {
14454
14462
  if (this.isPreconditionFailure()) {
14455
14463
  this.error(412);
@@ -14498,28 +14506,28 @@ var require_send = __commonJS({
14498
14506
  res.end();
14499
14507
  return;
14500
14508
  }
14501
- this.stream(path14, opts);
14509
+ this.stream(path15, opts);
14502
14510
  }, "send");
14503
- SendStream.prototype.sendFile = /* @__PURE__ */ __name(function sendFile(path14) {
14511
+ SendStream.prototype.sendFile = /* @__PURE__ */ __name(function sendFile(path15) {
14504
14512
  var i = 0;
14505
14513
  var self = this;
14506
- debug('stat "%s"', path14);
14507
- fs7.stat(path14, /* @__PURE__ */ __name(function onstat(err, stat) {
14508
- var pathEndsWithSep = path14[path14.length - 1] === sep4;
14509
- if (err && err.code === "ENOENT" && !extname(path14) && !pathEndsWithSep) {
14514
+ debug('stat "%s"', path15);
14515
+ fs7.stat(path15, /* @__PURE__ */ __name(function onstat(err, stat) {
14516
+ var pathEndsWithSep = path15[path15.length - 1] === sep4;
14517
+ if (err && err.code === "ENOENT" && !extname(path15) && !pathEndsWithSep) {
14510
14518
  return next(err);
14511
14519
  }
14512
14520
  if (err) return self.onStatError(err);
14513
- if (stat.isDirectory()) return self.redirect(path14);
14521
+ if (stat.isDirectory()) return self.redirect(path15);
14514
14522
  if (pathEndsWithSep) return self.error(404);
14515
- self.emit("file", path14, stat);
14516
- self.send(path14, stat);
14523
+ self.emit("file", path15, stat);
14524
+ self.send(path15, stat);
14517
14525
  }, "onstat"));
14518
14526
  function next(err) {
14519
14527
  if (self._extensions.length <= i) {
14520
14528
  return err ? self.onStatError(err) : self.error(404);
14521
14529
  }
14522
- var p = path14 + "." + self._extensions[i++];
14530
+ var p = path15 + "." + self._extensions[i++];
14523
14531
  debug('stat "%s"', p);
14524
14532
  fs7.stat(p, function(err2, stat) {
14525
14533
  if (err2) return next(err2);
@@ -14530,7 +14538,7 @@ var require_send = __commonJS({
14530
14538
  }
14531
14539
  __name(next, "next");
14532
14540
  }, "sendFile");
14533
- SendStream.prototype.sendIndex = /* @__PURE__ */ __name(function sendIndex(path14) {
14541
+ SendStream.prototype.sendIndex = /* @__PURE__ */ __name(function sendIndex(path15) {
14534
14542
  var i = -1;
14535
14543
  var self = this;
14536
14544
  function next(err) {
@@ -14538,7 +14546,7 @@ var require_send = __commonJS({
14538
14546
  if (err) return self.onStatError(err);
14539
14547
  return self.error(404);
14540
14548
  }
14541
- var p = join5(path14, self._index[i]);
14549
+ var p = join6(path15, self._index[i]);
14542
14550
  debug('stat "%s"', p);
14543
14551
  fs7.stat(p, function(err2, stat) {
14544
14552
  if (err2) return next(err2);
@@ -14550,10 +14558,10 @@ var require_send = __commonJS({
14550
14558
  __name(next, "next");
14551
14559
  next();
14552
14560
  }, "sendIndex");
14553
- SendStream.prototype.stream = /* @__PURE__ */ __name(function stream(path14, options) {
14561
+ SendStream.prototype.stream = /* @__PURE__ */ __name(function stream(path15, options) {
14554
14562
  var self = this;
14555
14563
  var res = this.res;
14556
- var stream2 = fs7.createReadStream(path14, options);
14564
+ var stream2 = fs7.createReadStream(path15, options);
14557
14565
  this.emit("stream", stream2);
14558
14566
  stream2.pipe(res);
14559
14567
  function cleanup() {
@@ -14569,17 +14577,17 @@ var require_send = __commonJS({
14569
14577
  self.emit("end");
14570
14578
  }, "onend"));
14571
14579
  }, "stream");
14572
- SendStream.prototype.type = /* @__PURE__ */ __name(function type(path14) {
14580
+ SendStream.prototype.type = /* @__PURE__ */ __name(function type(path15) {
14573
14581
  var res = this.res;
14574
14582
  if (res.getHeader("Content-Type")) return;
14575
- var ext = extname(path14);
14583
+ var ext = extname(path15);
14576
14584
  var type2 = mime.contentType(ext) || "application/octet-stream";
14577
14585
  debug("content-type %s", type2);
14578
14586
  res.setHeader("Content-Type", type2);
14579
14587
  }, "type");
14580
- SendStream.prototype.setHeader = /* @__PURE__ */ __name(function setHeader(path14, stat) {
14588
+ SendStream.prototype.setHeader = /* @__PURE__ */ __name(function setHeader(path15, stat) {
14581
14589
  var res = this.res;
14582
- this.emit("headers", res, path14, stat);
14590
+ this.emit("headers", res, path15, stat);
14583
14591
  if (this._acceptRanges && !res.getHeader("Accept-Ranges")) {
14584
14592
  debug("accept ranges");
14585
14593
  res.setHeader("Accept-Ranges", "bytes");
@@ -14643,9 +14651,9 @@ var require_send = __commonJS({
14643
14651
  return err instanceof Error ? createError(status, err, { expose: false }) : createError(status, err);
14644
14652
  }
14645
14653
  __name(createHttpError, "createHttpError");
14646
- function decode(path14) {
14654
+ function decode(path15) {
14647
14655
  try {
14648
- return decodeURIComponent(path14);
14656
+ return decodeURIComponent(path15);
14649
14657
  } catch (err) {
14650
14658
  return -1;
14651
14659
  }
@@ -14800,7 +14808,7 @@ var require_response = __commonJS({
14800
14808
  var http = __require("node:http");
14801
14809
  var onFinished = require_on_finished();
14802
14810
  var mime = require_mime_types();
14803
- var path13 = __require("node:path");
14811
+ var path14 = __require("node:path");
14804
14812
  var pathIsAbsolute = __require("node:path").isAbsolute;
14805
14813
  var statuses = require_statuses();
14806
14814
  var sign = require_cookie_signature().sign;
@@ -14809,8 +14817,8 @@ var require_response = __commonJS({
14809
14817
  var setCharset = require_utils2().setCharset;
14810
14818
  var cookie = require_cookie();
14811
14819
  var send = require_send();
14812
- var extname = path13.extname;
14813
- var resolve6 = path13.resolve;
14820
+ var extname = path14.extname;
14821
+ var resolve6 = path14.resolve;
14814
14822
  var vary = require_vary();
14815
14823
  var { Buffer: Buffer2 } = __require("node:buffer");
14816
14824
  var res = Object.create(http.ServerResponse.prototype);
@@ -14956,26 +14964,26 @@ var require_response = __commonJS({
14956
14964
  this.type("txt");
14957
14965
  return this.send(body);
14958
14966
  }, "sendStatus");
14959
- res.sendFile = /* @__PURE__ */ __name(function sendFile(path14, options, callback) {
14967
+ res.sendFile = /* @__PURE__ */ __name(function sendFile(path15, options, callback) {
14960
14968
  var done = callback;
14961
14969
  var req = this.req;
14962
14970
  var res2 = this;
14963
14971
  var next = req.next;
14964
14972
  var opts = options || {};
14965
- if (!path14) {
14973
+ if (!path15) {
14966
14974
  throw new TypeError("path argument is required to res.sendFile");
14967
14975
  }
14968
- if (typeof path14 !== "string") {
14976
+ if (typeof path15 !== "string") {
14969
14977
  throw new TypeError("path must be a string to res.sendFile");
14970
14978
  }
14971
14979
  if (typeof options === "function") {
14972
14980
  done = options;
14973
14981
  opts = {};
14974
14982
  }
14975
- if (!opts.root && !pathIsAbsolute(path14)) {
14983
+ if (!opts.root && !pathIsAbsolute(path15)) {
14976
14984
  throw new TypeError("path must be absolute or specify root to res.sendFile");
14977
14985
  }
14978
- var pathname = encodeURI(path14);
14986
+ var pathname = encodeURI(path15);
14979
14987
  opts.etag = this.app.enabled("etag");
14980
14988
  var file = send(req, pathname, opts);
14981
14989
  sendfile(res2, file, opts, function(err) {
@@ -14986,7 +14994,7 @@ var require_response = __commonJS({
14986
14994
  }
14987
14995
  });
14988
14996
  }, "sendFile");
14989
- res.download = /* @__PURE__ */ __name(function download(path14, filename, options, callback) {
14997
+ res.download = /* @__PURE__ */ __name(function download(path15, filename, options, callback) {
14990
14998
  var done = callback;
14991
14999
  var name = filename;
14992
15000
  var opts = options || null;
@@ -15003,7 +15011,7 @@ var require_response = __commonJS({
15003
15011
  opts = filename;
15004
15012
  }
15005
15013
  var headers = {
15006
- "Content-Disposition": contentDisposition(name || path14)
15014
+ "Content-Disposition": contentDisposition(name || path15)
15007
15015
  };
15008
15016
  if (opts && opts.headers) {
15009
15017
  var keys = Object.keys(opts.headers);
@@ -15016,7 +15024,7 @@ var require_response = __commonJS({
15016
15024
  }
15017
15025
  opts = Object.create(opts);
15018
15026
  opts.headers = headers;
15019
- var fullPath = !opts.root ? resolve6(path14) : path14;
15027
+ var fullPath = !opts.root ? resolve6(path15) : path15;
15020
15028
  return this.sendFile(fullPath, opts, done);
15021
15029
  }, "download");
15022
15030
  res.contentType = res.type = /* @__PURE__ */ __name(function contentType(type) {
@@ -15309,11 +15317,11 @@ var require_serve_static = __commonJS({
15309
15317
  }
15310
15318
  var forwardError = !fallthrough;
15311
15319
  var originalUrl = parseUrl.original(req);
15312
- var path13 = parseUrl(req).pathname;
15313
- if (path13 === "/" && originalUrl.pathname.substr(-1) !== "/") {
15314
- path13 = "";
15320
+ var path14 = parseUrl(req).pathname;
15321
+ if (path14 === "/" && originalUrl.pathname.substr(-1) !== "/") {
15322
+ path14 = "";
15315
15323
  }
15316
- var stream = send(req, path13, opts);
15324
+ var stream = send(req, path14, opts);
15317
15325
  stream.on("directory", onDirectory);
15318
15326
  if (setHeaders) {
15319
15327
  stream.on("headers", setHeaders);
@@ -15436,7 +15444,7 @@ init_esbuild_shims();
15436
15444
  var import_express = __toESM(require_express2(), 1);
15437
15445
  import * as crypto from "node:crypto";
15438
15446
  import * as net from "node:net";
15439
- import * as path11 from "node:path";
15447
+ import * as path12 from "node:path";
15440
15448
 
15441
15449
  // packages/cli/src/serve/auth.ts
15442
15450
  init_esbuild_shims();
@@ -17144,7 +17152,10 @@ function getAcpMemoryArgs() {
17144
17152
  const currentLimitMB = Math.floor(
17145
17153
  getHeapStatistics().heap_size_limit / (1024 * 1024)
17146
17154
  );
17147
- cachedMemoryArgs = targetMB > currentLimitMB ? [`--max-old-space-size=${targetMB}`] : [];
17155
+ cachedMemoryArgs = [
17156
+ ...targetMB > currentLimitMB ? [`--max-old-space-size=${targetMB}`] : [],
17157
+ "--expose-gc"
17158
+ ];
17148
17159
  return cachedMemoryArgs;
17149
17160
  }
17150
17161
  __name(getAcpMemoryArgs, "getAcpMemoryArgs");
@@ -17193,11 +17204,18 @@ function createSpawnChannelFactory(options = {}) {
17193
17204
  );
17194
17205
  childEnv["QWEN_CODE_NO_RELAUNCH"] = "true";
17195
17206
  const memoryArgs = getAcpMemoryArgs();
17196
- const child = spawn(process.execPath, [...memoryArgs, cliEntry, "--acp"], {
17197
- cwd: workspaceCwd,
17198
- stdio: ["pipe", "pipe", "pipe"],
17199
- env: childEnv
17200
- });
17207
+ const execArgs = process.execArgv.filter(
17208
+ (a) => !/^--inspect(-brk)?($|=)/.test(a)
17209
+ );
17210
+ const child = spawn(
17211
+ process.execPath,
17212
+ [...execArgs, ...memoryArgs, cliEntry, "--acp"],
17213
+ {
17214
+ cwd: workspaceCwd,
17215
+ stdio: ["pipe", "pipe", "pipe"],
17216
+ env: childEnv
17217
+ }
17218
+ );
17201
17219
  if (child.stderr) {
17202
17220
  const prefix = `[serve pid=${child.pid} cwd=${workspaceCwd}] `;
17203
17221
  const forwarder = createStderrForwarder({
@@ -17457,10 +17475,37 @@ var BridgeClient = class {
17457
17475
  const entry = this.resolveEntry(params.sessionId);
17458
17476
  const events = entry?.events ?? this.resolvePendingRestoreEvents(params.sessionId);
17459
17477
  if (!events) return;
17478
+ const originator = entry?.activePromptOriginatorClientId ? { originatorClientId: entry.activePromptOriginatorClientId } : {};
17479
+ const a2ui = extractA2uiToolUpdate(params);
17480
+ if (a2ui) {
17481
+ for (const surface of a2ui.surfaces) {
17482
+ events.publish({
17483
+ type: "session_update",
17484
+ data: {
17485
+ sessionId: params.sessionId,
17486
+ update: {
17487
+ sessionUpdate: "a2ui",
17488
+ a2ui: {
17489
+ surfaceId: surface.surfaceId,
17490
+ callId: a2ui.callId,
17491
+ commands: surface.commands
17492
+ },
17493
+ _meta: { serverTimestamp: Date.now(), source: "a2ui-bridge" }
17494
+ }
17495
+ },
17496
+ ...originator
17497
+ });
17498
+ }
17499
+ params = a2ui.sanitizedParams;
17500
+ }
17501
+ const updateMeta = params.update._meta;
17502
+ const originalTs = updateMeta?.["serverTimestamp"] ?? updateMeta?.["timestamp"];
17503
+ const serverTimestamp = typeof originalTs === "number" && Number.isFinite(originalTs) ? originalTs : void 0;
17460
17504
  events.publish({
17461
17505
  type: "session_update",
17462
17506
  data: params,
17463
- ...entry?.activePromptOriginatorClientId ? { originatorClientId: entry.activePromptOriginatorClientId } : {}
17507
+ ...originator,
17508
+ ...serverTimestamp !== void 0 ? { _meta: { serverTimestamp } } : {}
17464
17509
  });
17465
17510
  }
17466
17511
  /**
@@ -17912,6 +17957,123 @@ var BridgeClient = class {
17912
17957
  return { content };
17913
17958
  }
17914
17959
  };
17960
+ var A2UI_TOOL_RE = /(^|__)(present_ui|present_choices|a2ui_action)$/;
17961
+ function isA2uiToolMeta(meta) {
17962
+ if (!meta) return false;
17963
+ if (typeof meta.serverId === "string" && meta.serverId.toLowerCase().includes("a2ui"))
17964
+ return true;
17965
+ return typeof meta.toolName === "string" && A2UI_TOOL_RE.test(meta.toolName);
17966
+ }
17967
+ __name(isA2uiToolMeta, "isA2uiToolMeta");
17968
+ function splitA2uiText(raw) {
17969
+ const s = raw.replace(/^\s+/, "");
17970
+ if (s[0] !== "[") return null;
17971
+ let depth = 0;
17972
+ let inStr = false;
17973
+ let esc = false;
17974
+ let end = -1;
17975
+ for (let i = 0; i < s.length; i++) {
17976
+ const c = s[i];
17977
+ if (inStr) {
17978
+ if (esc) esc = false;
17979
+ else if (c === "\\") esc = true;
17980
+ else if (c === '"') inStr = false;
17981
+ continue;
17982
+ }
17983
+ if (c === '"') inStr = true;
17984
+ else if (c === "[") depth++;
17985
+ else if (c === "]") {
17986
+ depth--;
17987
+ if (depth === 0) {
17988
+ end = i + 1;
17989
+ break;
17990
+ }
17991
+ }
17992
+ }
17993
+ if (end < 0) return null;
17994
+ try {
17995
+ const arr = JSON.parse(s.slice(0, end));
17996
+ if (!Array.isArray(arr) || arr.length === 0) return null;
17997
+ return [arr, s.slice(end).trim()];
17998
+ } catch {
17999
+ return null;
18000
+ }
18001
+ }
18002
+ __name(splitA2uiText, "splitA2uiText");
18003
+ function surfaceIdOf(c) {
18004
+ const cmd = c;
18005
+ return cmd?.createSurface?.surfaceId ?? cmd?.updateComponents?.surfaceId ?? cmd?.updateDataModel?.surfaceId ?? cmd?.deleteSurface?.surfaceId;
18006
+ }
18007
+ __name(surfaceIdOf, "surfaceIdOf");
18008
+ function extractA2uiToolUpdate(params) {
18009
+ const update = params.update;
18010
+ if (!update || update["sessionUpdate"] !== "tool_call_update") return null;
18011
+ const meta = update["_meta"];
18012
+ if (!isA2uiToolMeta(meta)) return null;
18013
+ const content = update["content"];
18014
+ if (!Array.isArray(content)) return null;
18015
+ let split = null;
18016
+ let hitIndex = -1;
18017
+ for (let i = 0; i < content.length; i++) {
18018
+ const inner = content[i]?.content;
18019
+ if (typeof inner?.text === "string") {
18020
+ split = splitA2uiText(inner.text);
18021
+ if (split) {
18022
+ hitIndex = i;
18023
+ break;
18024
+ }
18025
+ }
18026
+ }
18027
+ if (!split) return null;
18028
+ const [commands, fallback] = split;
18029
+ const order = [];
18030
+ const grouped = /* @__PURE__ */ new Map();
18031
+ for (const c of commands) {
18032
+ const sid = surfaceIdOf(c);
18033
+ if (!sid) {
18034
+ const shape = c && typeof c === "object" ? Object.keys(c).join(",") || "empty object" : typeof c;
18035
+ writeStderrLine2(
18036
+ `a2ui: dropping command with unrecognized shape (${shape})`
18037
+ );
18038
+ continue;
18039
+ }
18040
+ if (!grouped.has(sid)) {
18041
+ grouped.set(sid, []);
18042
+ order.push(sid);
18043
+ }
18044
+ grouped.get(sid).push(c);
18045
+ }
18046
+ const surfaces = order.map((sid) => ({
18047
+ surfaceId: sid,
18048
+ commands: grouped.get(sid)
18049
+ }));
18050
+ const sanitizedText = fallback || "[A2UI surface rendered]";
18051
+ const sanitizedContent = content.map(
18052
+ (block, i) => i === hitIndex ? {
18053
+ ...block,
18054
+ content: {
18055
+ ...block.content ?? {},
18056
+ text: sanitizedText
18057
+ }
18058
+ } : block
18059
+ );
18060
+ const sanitizedUpdate = {
18061
+ ...update,
18062
+ content: sanitizedContent
18063
+ };
18064
+ if (typeof update["rawOutput"] === "string") {
18065
+ sanitizedUpdate["rawOutput"] = sanitizedText;
18066
+ }
18067
+ return {
18068
+ surfaces,
18069
+ callId: typeof update["toolCallId"] === "string" ? update["toolCallId"] : void 0,
18070
+ sanitizedParams: {
18071
+ ...params,
18072
+ update: sanitizedUpdate
18073
+ }
18074
+ };
18075
+ }
18076
+ __name(extractA2uiToolUpdate, "extractA2uiToolUpdate");
17915
18077
 
17916
18078
  // packages/acp-bridge/src/bridge.ts
17917
18079
  init_esbuild_shims();
@@ -18346,6 +18508,7 @@ __name(extractErrorCode, "extractErrorCode");
18346
18508
  function broadcastTurnError(entry, sessionId, err, promptId, originatorClientId) {
18347
18509
  const message = extractErrorMessage(err);
18348
18510
  const code = extractErrorCode(err);
18511
+ entry.retryAllowed = true;
18349
18512
  entry.events.publish({
18350
18513
  type: "turn_error",
18351
18514
  data: {
@@ -18372,11 +18535,13 @@ var DEFAULT_INIT_TIMEOUT_MS = 1e4;
18372
18535
  var PERSIST_TIMEOUT_MS = 5e3;
18373
18536
  var MCP_RESTART_TIMEOUT_MS = 3e5;
18374
18537
  var MCP_OAUTH_TIMEOUT_MS = 6e5;
18538
+ var DAEMON_RETRY_META_KEY = "qwen.daemon.retry";
18375
18539
  var SESSION_RECAP_TIMEOUT_MS = 6e4;
18376
18540
  var SESSION_BTW_TIMEOUT_MS = 6e4;
18377
18541
  var SHELL_COMMAND_TIMEOUT_MS = 12e4;
18378
18542
  var MAX_SHELL_OUTPUT_FOR_HISTORY = 1e4;
18379
18543
  var DEFAULT_MAX_SESSIONS = 20;
18544
+ var DEFAULT_MAX_PENDING_PROMPTS_PER_SESSION = 5;
18380
18545
  var MAX_EVENT_RING_SIZE = 1e6;
18381
18546
  var DEFAULT_PERMISSION_TIMEOUT_MS = 5 * 60 * 1e3;
18382
18547
  var DEFAULT_MAX_PENDING_PER_SESSION = 64;
@@ -18423,6 +18588,17 @@ function createAcpSessionBridge(opts) {
18423
18588
  const permissionTimeoutMs = permissionTimeoutRaw > 0 && Number.isFinite(permissionTimeoutRaw) ? permissionTimeoutRaw : 0;
18424
18589
  const maxPendingRaw = opts.maxPendingPermissionsPerSession ?? DEFAULT_MAX_PENDING_PER_SESSION;
18425
18590
  const maxPendingPerSession = maxPendingRaw > 0 && Number.isFinite(maxPendingRaw) ? maxPendingRaw : Infinity;
18591
+ const maxPendingPromptsRaw = opts.maxPendingPromptsPerSession ?? DEFAULT_MAX_PENDING_PROMPTS_PER_SESSION;
18592
+ let maxPendingPromptsPerSession;
18593
+ if (maxPendingPromptsRaw === 0 || maxPendingPromptsRaw === Number.POSITIVE_INFINITY) {
18594
+ maxPendingPromptsPerSession = Infinity;
18595
+ } else if (!Number.isInteger(maxPendingPromptsRaw) || maxPendingPromptsRaw < 0) {
18596
+ throw new TypeError(
18597
+ `Invalid maxPendingPromptsPerSession: ${maxPendingPromptsRaw}. Must be a non-negative integer (0 / Infinity = unlimited).`
18598
+ );
18599
+ } else {
18600
+ maxPendingPromptsPerSession = maxPendingPromptsRaw;
18601
+ }
18426
18602
  if (!path2.isAbsolute(opts.boundWorkspace)) {
18427
18603
  throw new TypeError(
18428
18604
  `Invalid boundWorkspace: "${opts.boundWorkspace}". Must be an absolute path.`
@@ -19086,6 +19262,7 @@ function createAcpSessionBridge(opts) {
19086
19262
  connection: ci.connection,
19087
19263
  events,
19088
19264
  promptQueue: Promise.resolve(),
19265
+ pendingPromptCount: 0,
19089
19266
  modelChangeQueue: Promise.resolve(),
19090
19267
  approvalModeQueue: Promise.resolve(),
19091
19268
  modelPublishGeneration: 0,
@@ -19095,7 +19272,8 @@ function createAcpSessionBridge(opts) {
19095
19272
  clientLastSeenAt: /* @__PURE__ */ new Map(),
19096
19273
  attachCount: 0,
19097
19274
  spawnOwnerWantedKill: false,
19098
- promptActive: false
19275
+ promptActive: false,
19276
+ retryAllowed: false
19099
19277
  };
19100
19278
  ci.sessionIds.add(entry.sessionId);
19101
19279
  byId.set(entry.sessionId, entry);
@@ -19473,7 +19651,9 @@ function createAcpSessionBridge(opts) {
19473
19651
  inFlightSpawns.delete(tracker);
19474
19652
  }
19475
19653
  },
19476
- async sendPrompt(sessionId, req, signal, context) {
19654
+ // Keep this method non-async: admission failures must throw before
19655
+ // HTTP routes return 202.
19656
+ sendPrompt(sessionId, req, signal, context) {
19477
19657
  opts.onDiagnosticLine?.(
19478
19658
  `qwen serve: bridge sendPrompt for session=${sessionId}`,
19479
19659
  "info"
@@ -19481,14 +19661,30 @@ function createAcpSessionBridge(opts) {
19481
19661
  const capturedContext = telemetry.captureContext();
19482
19662
  const queuedAt = Date.now();
19483
19663
  const entry = byId.get(sessionId);
19484
- if (!entry) throw new SessionNotFoundError(sessionId);
19485
- const originatorClientId = resolveTrustedClientId(
19486
- entry,
19487
- context?.clientId
19488
- );
19664
+ if (!entry) return Promise.reject(new SessionNotFoundError(sessionId));
19665
+ let originatorClientId;
19666
+ try {
19667
+ originatorClientId = resolveTrustedClientId(entry, context?.clientId);
19668
+ } catch (err) {
19669
+ return Promise.reject(err);
19670
+ }
19489
19671
  if (signal?.aborted) {
19490
19672
  throw new DOMException("Prompt aborted", "AbortError");
19491
19673
  }
19674
+ if (entry.pendingPromptCount >= maxPendingPromptsPerSession) {
19675
+ throw new PromptQueueFullError(
19676
+ maxPendingPromptsPerSession,
19677
+ entry.pendingPromptCount,
19678
+ sessionId
19679
+ );
19680
+ }
19681
+ entry.pendingPromptCount += 1;
19682
+ let promptSlotReleased = false;
19683
+ const releasePromptSlot = /* @__PURE__ */ __name(() => {
19684
+ if (promptSlotReleased) return;
19685
+ promptSlotReleased = true;
19686
+ entry.pendingPromptCount = Math.max(0, entry.pendingPromptCount - 1);
19687
+ }, "releasePromptSlot");
19492
19688
  const result = entry.promptQueue.then(
19493
19689
  () => telemetry.runWithContext(capturedContext, async () => {
19494
19690
  const queueWaitMs = Date.now() - queuedAt;
@@ -19513,6 +19709,26 @@ function createAcpSessionBridge(opts) {
19513
19709
  if (signal?.aborted) {
19514
19710
  throw new DOMException("Prompt aborted", "AbortError");
19515
19711
  }
19712
+ const requestedRetry = req.retry === true;
19713
+ const isRetry = requestedRetry && entry.retryAllowed;
19714
+ entry.retryAllowed = false;
19715
+ const promptRequest = (() => {
19716
+ const copy = {
19717
+ ...normalized
19718
+ };
19719
+ delete copy.retry;
19720
+ const meta = copy._meta && typeof copy._meta === "object" ? { ...copy._meta } : {};
19721
+ delete meta[DAEMON_RETRY_META_KEY];
19722
+ if (isRetry) {
19723
+ meta[DAEMON_RETRY_META_KEY] = true;
19724
+ }
19725
+ if (Object.keys(meta).length > 0) {
19726
+ copy._meta = meta;
19727
+ } else {
19728
+ delete copy._meta;
19729
+ }
19730
+ return copy;
19731
+ })();
19516
19732
  entry.promptActive = true;
19517
19733
  entry.sessionLastSeenAt = Date.now();
19518
19734
  if (originatorClientId === void 0) {
@@ -19522,13 +19738,19 @@ function createAcpSessionBridge(opts) {
19522
19738
  }
19523
19739
  try {
19524
19740
  entry.cancelBroadcast = false;
19525
- echoPromptToSessionBus(entry, normalized, originatorClientId);
19741
+ if (!isRetry) {
19742
+ echoPromptToSessionBus(
19743
+ entry,
19744
+ promptRequest,
19745
+ originatorClientId
19746
+ );
19747
+ }
19526
19748
  } catch (echoErr) {
19527
19749
  entry.promptActive = false;
19528
19750
  delete entry.activePromptOriginatorClientId;
19529
19751
  throw echoErr;
19530
19752
  }
19531
- const promptPromise = entry.connection.prompt(normalized).finally(() => {
19753
+ const promptPromise = entry.connection.prompt(promptRequest).finally(() => {
19532
19754
  entry.promptActive = false;
19533
19755
  entry.sessionLastSeenAt = Date.now();
19534
19756
  delete entry.activePromptOriginatorClientId;
@@ -19618,6 +19840,8 @@ function createAcpSessionBridge(opts) {
19618
19840
  () => void 0,
19619
19841
  () => void 0
19620
19842
  );
19843
+ result.finally(releasePromptSlot).catch(() => {
19844
+ });
19621
19845
  return result;
19622
19846
  },
19623
19847
  async cancelSession(sessionId, req, context) {
@@ -20364,11 +20588,17 @@ function createAcpSessionBridge(opts) {
20364
20588
  `qwen serve: bridge executeShellCommand for session=${sessionId}`,
20365
20589
  "info"
20366
20590
  );
20591
+ if (opts.sessionShellCommandEnabled !== true) {
20592
+ throw new SessionShellDisabledError();
20593
+ }
20594
+ if (context?.clientId === void 0) {
20595
+ throw new SessionShellClientRequiredError();
20596
+ }
20367
20597
  const entry = byId.get(sessionId);
20368
20598
  if (!entry) throw new SessionNotFoundError(sessionId);
20369
20599
  const originatorClientId = resolveTrustedClientId(
20370
20600
  entry,
20371
- context?.clientId
20601
+ context.clientId
20372
20602
  );
20373
20603
  if (signal?.aborted) {
20374
20604
  return { exitCode: null, output: "", aborted: true };
@@ -22790,8 +23020,12 @@ function isResponse(m) {
22790
23020
  "result" in m !== "error" in m;
22791
23021
  }
22792
23022
  __name(isResponse, "isResponse");
23023
+ var LOG_SAFE_RE = new RegExp(
23024
+ String.raw`[\x00-\x1f\x7f-\x9f\u200b-\u200f\u2028-\u202e\u2066-\u2069\ufeff]`,
23025
+ "g"
23026
+ );
22793
23027
  function logSafe(s) {
22794
- return s.replace(/[\u0000-\u001f\u007f\u0080-\u009f]/g, " ");
23028
+ return s.replace(LOG_SAFE_RE, " ");
22795
23029
  }
22796
23030
  __name(logSafe, "logSafe");
22797
23031
  function success(id, result) {
@@ -22836,7 +23070,8 @@ function errMsg(err) {
22836
23070
  return err instanceof Error ? err.message : String(err);
22837
23071
  }
22838
23072
  __name(errMsg, "errMsg");
22839
- var QWEN_VENDOR_METHODS = [
23073
+ var SESSION_SHELL_METHOD = `${QWEN_METHOD_NS}session/shell`;
23074
+ var ALL_QWEN_VENDOR_METHODS = [
22840
23075
  `${QWEN_METHOD_NS}session/heartbeat`,
22841
23076
  `${QWEN_METHOD_NS}session/context`,
22842
23077
  `${QWEN_METHOD_NS}session/supported_commands`,
@@ -22852,7 +23087,7 @@ var QWEN_VENDOR_METHODS = [
22852
23087
  // Wave 1: session extensions
22853
23088
  `${QWEN_METHOD_NS}session/recap`,
22854
23089
  `${QWEN_METHOD_NS}session/btw`,
22855
- `${QWEN_METHOD_NS}session/shell`,
23090
+ SESSION_SHELL_METHOD,
22856
23091
  `${QWEN_METHOD_NS}session/detach`,
22857
23092
  `${QWEN_METHOD_NS}session/context_usage`,
22858
23093
  `${QWEN_METHOD_NS}session/tasks`,
@@ -22885,6 +23120,12 @@ var QWEN_VENDOR_METHODS = [
22885
23120
  `${QWEN_METHOD_NS}workspace/agents/update`,
22886
23121
  `${QWEN_METHOD_NS}workspace/agents/delete`
22887
23122
  ];
23123
+ function advertisedQwenVendorMethods(sessionShellCommandEnabled) {
23124
+ return ALL_QWEN_VENDOR_METHODS.filter(
23125
+ (method) => sessionShellCommandEnabled || method !== SESSION_SHELL_METHOD
23126
+ );
23127
+ }
23128
+ __name(advertisedQwenVendorMethods, "advertisedQwenVendorMethods");
22888
23129
  var CONN_ROUTED_METHODS = /* @__PURE__ */ new Set([
22889
23130
  "authenticate",
22890
23131
  "session/new",
@@ -22892,7 +23133,8 @@ var CONN_ROUTED_METHODS = /* @__PURE__ */ new Set([
22892
23133
  "session/resume",
22893
23134
  "session/list",
22894
23135
  "session/close",
22895
- ...QWEN_VENDOR_METHODS
23136
+ "session/fork",
23137
+ ...ALL_QWEN_VENDOR_METHODS
22896
23138
  ]);
22897
23139
  var MAX_NAME_LENGTH = 256;
22898
23140
  var AcpParamError = class extends Error {
@@ -22982,6 +23224,20 @@ function toRpcError(err) {
22982
23224
  data: { errorKind: "upstream_error" }
22983
23225
  };
22984
23226
  }
23227
+ if (err instanceof SessionShellDisabledError) {
23228
+ return {
23229
+ code: RPC.INVALID_PARAMS,
23230
+ message: errMsg(err),
23231
+ data: { errorKind: "session_shell_disabled" }
23232
+ };
23233
+ }
23234
+ if (err instanceof SessionShellClientRequiredError) {
23235
+ return {
23236
+ code: RPC.INVALID_PARAMS,
23237
+ message: errMsg(err),
23238
+ data: { errorKind: "client_id_required" }
23239
+ };
23240
+ }
22985
23241
  const name = err instanceof Error ? err.name : "";
22986
23242
  switch (name) {
22987
23243
  case "SessionNotFoundError":
@@ -22991,6 +23247,19 @@ function toRpcError(err) {
22991
23247
  return { code: RPC.INVALID_PARAMS, message: errMsg(err) };
22992
23248
  case "SessionLimitExceededError":
22993
23249
  return { code: RPC.INTERNAL_ERROR, message: errMsg(err) };
23250
+ case "PromptQueueFullError": {
23251
+ const promptErr = err;
23252
+ return {
23253
+ code: RPC.INTERNAL_ERROR,
23254
+ message: errMsg(err),
23255
+ data: {
23256
+ errorKind: "prompt_queue_full",
23257
+ sessionId: promptErr.sessionId,
23258
+ limit: promptErr.limit,
23259
+ pendingCount: promptErr.pendingCount
23260
+ }
23261
+ };
23262
+ }
22994
23263
  default:
22995
23264
  return {
22996
23265
  code: RPC.INTERNAL_ERROR,
@@ -23000,14 +23269,20 @@ function toRpcError(err) {
23000
23269
  }
23001
23270
  }
23002
23271
  __name(toRpcError, "toRpcError");
23272
+ function rpcErrorFrame(id, err) {
23273
+ const { code, message, data } = toRpcError(err);
23274
+ return error(id, code, message, data);
23275
+ }
23276
+ __name(rpcErrorFrame, "rpcErrorFrame");
23003
23277
  var ACP_PROTOCOL_VERSION = 1;
23004
23278
  var AcpDispatcher = class {
23005
- constructor(bridge, boundWorkspace, workspace, fsFactory, deviceFlowRegistry) {
23279
+ constructor(bridge, boundWorkspace, workspace, fsFactory, deviceFlowRegistry, sessionShellCommandEnabled = false) {
23006
23280
  this.bridge = bridge;
23007
23281
  this.boundWorkspace = boundWorkspace;
23008
23282
  this.workspace = workspace;
23009
23283
  this.fsFactory = fsFactory;
23010
23284
  this.deviceFlowRegistry = deviceFlowRegistry;
23285
+ this.sessionShellCommandEnabled = sessionShellCommandEnabled;
23011
23286
  this.agentManager = createDaemonSubagentManager(boundWorkspace);
23012
23287
  }
23013
23288
  static {
@@ -23072,6 +23347,48 @@ var AcpDispatcher = class {
23072
23347
  return void 0;
23073
23348
  }
23074
23349
  }
23350
+ /**
23351
+ * Extract ACP-standard `SessionModelState` from configOptions.
23352
+ * ConfigOptions carry model info as `{ category: 'model', type: 'select',
23353
+ * currentValue, options }`. Maps to `{ currentModelId, availableModels }`.
23354
+ */
23355
+ extractModelState(configOptions) {
23356
+ if (!configOptions) return void 0;
23357
+ const modelOpt = configOptions.find(
23358
+ (o) => typeof o === "object" && o !== null && o["category"] === "model"
23359
+ );
23360
+ if (!modelOpt) return void 0;
23361
+ const currentModelId = String(modelOpt["currentValue"] ?? "");
23362
+ const options = Array.isArray(modelOpt["options"]) ? modelOpt["options"] : [];
23363
+ return {
23364
+ currentModelId,
23365
+ availableModels: options.map((opt) => {
23366
+ const o = opt;
23367
+ return { id: String(o["value"] ?? o["id"] ?? "") };
23368
+ })
23369
+ };
23370
+ }
23371
+ /**
23372
+ * Extract ACP-standard `SessionModeState` from configOptions.
23373
+ * ConfigOptions carry mode info as `{ category: 'mode', type: 'select',
23374
+ * currentValue, options }`. Maps to `{ currentModeId, availableModes }`.
23375
+ */
23376
+ extractModeState(configOptions) {
23377
+ if (!configOptions) return void 0;
23378
+ const modeOpt = configOptions.find(
23379
+ (o) => typeof o === "object" && o !== null && o["category"] === "mode"
23380
+ );
23381
+ if (!modeOpt) return void 0;
23382
+ const currentModeId = String(modeOpt["currentValue"] ?? "");
23383
+ const options = Array.isArray(modeOpt["options"]) ? modeOpt["options"] : [];
23384
+ return {
23385
+ currentModeId,
23386
+ availableModes: options.map((opt) => {
23387
+ const o = opt;
23388
+ return { id: String(o["value"] ?? o["id"] ?? "") };
23389
+ })
23390
+ };
23391
+ }
23075
23392
  /**
23076
23393
  * Cancel a permission request the client abandoned (closed its stream /
23077
23394
  * connection before voting), so the bridge isn't left blocked. Invoked
@@ -23126,7 +23443,9 @@ var AcpDispatcher = class {
23126
23443
  [QWEN_META_KEY]: {
23127
23444
  connectionId,
23128
23445
  workspaceCwd: this.boundWorkspace,
23129
- methods: [...QWEN_VENDOR_METHODS]
23446
+ methods: advertisedQwenVendorMethods(
23447
+ this.sessionShellCommandEnabled
23448
+ )
23130
23449
  }
23131
23450
  }
23132
23451
  }
@@ -23197,23 +23516,10 @@ var AcpDispatcher = class {
23197
23516
  return;
23198
23517
  case "session/new": {
23199
23518
  const cwd = parseOptionalWorkspaceCwd(params, this.boundWorkspace);
23200
- const rawScope = params["sessionScope"];
23201
- if (rawScope !== void 0 && rawScope !== "single" && rawScope !== "thread") {
23202
- if (id !== void 0) {
23203
- conn.sendConn(
23204
- error(
23205
- id,
23206
- RPC.INVALID_PARAMS,
23207
- '`sessionScope` must be "single" or "thread"'
23208
- )
23209
- );
23210
- }
23211
- return;
23212
- }
23213
23519
  const session = await this.bridge.spawnOrAttach({
23214
23520
  workspaceCwd: cwd,
23215
23521
  clientId: conn.clientId,
23216
- ...rawScope !== void 0 ? { sessionScope: rawScope } : {}
23522
+ sessionScope: "thread"
23217
23523
  });
23218
23524
  if (conn.destroyed) {
23219
23525
  this.killOrphanSession(session.sessionId);
@@ -23226,9 +23532,13 @@ var AcpDispatcher = class {
23226
23532
  this.killOrphanSession(session.sessionId);
23227
23533
  return;
23228
23534
  }
23535
+ const models = this.extractModelState(configOptions);
23536
+ const modes = this.extractModeState(configOptions);
23229
23537
  this.replyConn(conn, id, {
23230
23538
  sessionId: session.sessionId,
23231
- ...configOptions ? { configOptions } : {}
23539
+ ...configOptions ? { configOptions } : {},
23540
+ ...models ? { models } : {},
23541
+ ...modes ? { modes } : {}
23232
23542
  });
23233
23543
  return;
23234
23544
  }
@@ -23288,7 +23598,15 @@ var AcpDispatcher = class {
23288
23598
  }
23289
23599
  conn.getOrCreateSession(sessionId).clientId = restored.clientId;
23290
23600
  conn.ownSession(sessionId);
23291
- this.replyConn(conn, id, restored.state ?? {});
23601
+ const loadConfigOptions = await this.configOptionsFor(sessionId);
23602
+ const loadModels = this.extractModelState(loadConfigOptions);
23603
+ const loadModes = this.extractModeState(loadConfigOptions);
23604
+ this.replyConn(conn, id, {
23605
+ ...restored.state ?? {},
23606
+ ...loadConfigOptions ? { configOptions: loadConfigOptions } : {},
23607
+ ...loadModels ? { models: loadModels } : {},
23608
+ ...loadModes ? { modes: loadModes } : {}
23609
+ });
23292
23610
  return;
23293
23611
  }
23294
23612
  case "session/list": {
@@ -23334,6 +23652,44 @@ var AcpDispatcher = class {
23334
23652
  this.replyConn(conn, id, {});
23335
23653
  return;
23336
23654
  }
23655
+ // ACP standard: session/fork — create a branched copy of an existing
23656
+ // session. Maps to bridge.branchSession().
23657
+ case "session/fork": {
23658
+ const sessionId = String(params["sessionId"] ?? "");
23659
+ if (!sessionId) {
23660
+ if (id !== void 0) {
23661
+ conn.sendConn(
23662
+ error(id, RPC.INVALID_PARAMS, "`sessionId` is required")
23663
+ );
23664
+ }
23665
+ return;
23666
+ }
23667
+ if (!this.requireOwned(conn, sessionId, id)) return;
23668
+ const ctx = this.sessionCtx(conn, sessionId, loopback);
23669
+ const result = await this.bridge.branchSession(
23670
+ sessionId,
23671
+ {
23672
+ name: typeof params["name"] === "string" ? params["name"] : void 0
23673
+ },
23674
+ ctx
23675
+ );
23676
+ if (conn.destroyed) {
23677
+ this.killOrphanSession(result.sessionId);
23678
+ return;
23679
+ }
23680
+ conn.getOrCreateSession(result.sessionId).clientId = result.clientId;
23681
+ conn.ownSession(result.sessionId);
23682
+ const configOptions = await this.configOptionsFor(result.sessionId);
23683
+ const models = this.extractModelState(configOptions);
23684
+ const modes = this.extractModeState(configOptions);
23685
+ this.replyConn(conn, id, {
23686
+ sessionId: result.sessionId,
23687
+ ...configOptions ? { configOptions } : {},
23688
+ ...models ? { models } : {},
23689
+ ...modes ? { modes } : {}
23690
+ });
23691
+ return;
23692
+ }
23337
23693
  case "session/cancel": {
23338
23694
  const sessionId = String(params["sessionId"] ?? "");
23339
23695
  if (!this.requireOwned(conn, sessionId, id)) return;
@@ -23425,6 +23781,80 @@ var AcpDispatcher = class {
23425
23781
  this.replySession(conn, sessionId, id, { configOptions });
23426
23782
  return;
23427
23783
  }
23784
+ // ACP standard: session/set_mode — dedicated method for mode changes.
23785
+ // Maps to the same bridge call as set_config_option with configId='mode'.
23786
+ case "session/set_mode": {
23787
+ const sessionId = String(params["sessionId"] ?? "");
23788
+ if (!sessionId) {
23789
+ if (id !== void 0)
23790
+ conn.sendConn(
23791
+ error(id, RPC.INVALID_PARAMS, "`sessionId` is required")
23792
+ );
23793
+ return;
23794
+ }
23795
+ if (!this.requireOwned(conn, sessionId, id)) return;
23796
+ const modeId = String(params["modeId"] ?? "");
23797
+ if (!modeId || !APPROVAL_MODES.includes(modeId)) {
23798
+ if (id !== void 0) {
23799
+ this.replySession(
23800
+ conn,
23801
+ sessionId,
23802
+ id,
23803
+ void 0,
23804
+ error(
23805
+ id,
23806
+ RPC.INVALID_PARAMS,
23807
+ `invalid modeId "${modeId}" (expected one of: ${APPROVAL_MODES.join(", ")})`
23808
+ )
23809
+ );
23810
+ }
23811
+ return;
23812
+ }
23813
+ const ctx = this.sessionCtx(conn, sessionId, loopback);
23814
+ await this.bridge.setSessionApprovalMode(
23815
+ sessionId,
23816
+ modeId,
23817
+ { persist: false },
23818
+ ctx
23819
+ );
23820
+ this.replySession(conn, sessionId, id, {});
23821
+ return;
23822
+ }
23823
+ // ACP standard (unstable): session/set_model — dedicated method for
23824
+ // model changes. Maps to the same bridge call as set_config_option
23825
+ // with configId='model'.
23826
+ case "session/set_model": {
23827
+ const sessionId = String(params["sessionId"] ?? "");
23828
+ if (!sessionId) {
23829
+ if (id !== void 0)
23830
+ conn.sendConn(
23831
+ error(id, RPC.INVALID_PARAMS, "`sessionId` is required")
23832
+ );
23833
+ return;
23834
+ }
23835
+ if (!this.requireOwned(conn, sessionId, id)) return;
23836
+ const modelId = String(params["modelId"] ?? "");
23837
+ if (!modelId) {
23838
+ if (id !== void 0) {
23839
+ this.replySession(
23840
+ conn,
23841
+ sessionId,
23842
+ id,
23843
+ void 0,
23844
+ error(id, RPC.INVALID_PARAMS, "`modelId` is required")
23845
+ );
23846
+ }
23847
+ return;
23848
+ }
23849
+ const ctx = this.sessionCtx(conn, sessionId, loopback);
23850
+ await this.bridge.setSessionModel(
23851
+ sessionId,
23852
+ { modelId, sessionId },
23853
+ ctx
23854
+ );
23855
+ this.replySession(conn, sessionId, id, {});
23856
+ return;
23857
+ }
23428
23858
  case `${QWEN_METHOD_NS}session/heartbeat`: {
23429
23859
  const sessionId = String(params["sessionId"] ?? "");
23430
23860
  if (!this.requireOwned(conn, sessionId, id)) return;
@@ -23628,7 +24058,23 @@ var AcpDispatcher = class {
23628
24058
  }
23629
24059
  case `${QWEN_METHOD_NS}session/shell`: {
23630
24060
  const sessionId = String(params["sessionId"] ?? "");
24061
+ if (!this.sessionShellCommandEnabled) {
24062
+ if (id !== void 0) {
24063
+ conn.sendConn(rpcErrorFrame(id, new SessionShellDisabledError()));
24064
+ }
24065
+ return;
24066
+ }
23631
24067
  if (!this.requireOwned(conn, sessionId, id)) return;
24068
+ const binding = conn.sessions.get(sessionId);
24069
+ const clientId = binding?.clientId;
24070
+ if (!clientId) {
24071
+ if (id !== void 0) {
24072
+ conn.sendConn(
24073
+ rpcErrorFrame(id, new SessionShellClientRequiredError())
24074
+ );
24075
+ }
24076
+ return;
24077
+ }
23632
24078
  const rawCmd = params["command"];
23633
24079
  if (typeof rawCmd !== "string" || rawCmd.trim().length === 0) {
23634
24080
  if (id !== void 0)
@@ -23650,7 +24096,7 @@ var AcpDispatcher = class {
23650
24096
  const result = await this.bridge.executeShellCommand(
23651
24097
  sessionId,
23652
24098
  rawCmd,
23653
- void 0,
24099
+ binding.abort.signal,
23654
24100
  this.sessionCtx(conn, sessionId, loopback)
23655
24101
  );
23656
24102
  this.replyConn(conn, id, result);
@@ -24209,8 +24655,10 @@ var AcpDispatcher = class {
24209
24655
  if (err instanceof Error && err.name === "SessionNotFoundError") {
24210
24656
  closedIds.push(sid);
24211
24657
  } else {
24658
+ const safeSessionId = logSafe(sid.slice(0, 8));
24659
+ const safeMessage = logSafe(msg2);
24212
24660
  writeStderrLine(
24213
- `qwen serve: /acp sessions/delete closeSession(${sid.slice(0, 8)}) failed: ${msg2}`
24661
+ `qwen serve: /acp sessions/delete closeSession(${safeSessionId}) failed: ${safeMessage}`
24214
24662
  );
24215
24663
  closeErrors.push({ sessionId: sid, error: msg2 });
24216
24664
  }
@@ -24220,8 +24668,10 @@ var AcpDispatcher = class {
24220
24668
  const svc = new SessionService(this.boundWorkspace);
24221
24669
  const removeResult = await svc.removeSessions(closedIds);
24222
24670
  for (const e of removeResult.errors) {
24671
+ const safeSessionId = logSafe(e.sessionId.slice(0, 8));
24672
+ const safeMessage = logSafe(errMsg(e.error));
24223
24673
  writeStderrLine(
24224
- `qwen serve: /acp sessions/delete removeSessions(${e.sessionId.slice(0, 8)}) failed: ${e.error.message}`
24674
+ `qwen serve: /acp sessions/delete removeSessions(${safeSessionId}) failed: ${safeMessage}`
24225
24675
  );
24226
24676
  }
24227
24677
  this.replyConn(conn, id, {
@@ -24231,7 +24681,7 @@ var AcpDispatcher = class {
24231
24681
  ...closeErrors,
24232
24682
  ...removeResult.errors.map((e) => ({
24233
24683
  sessionId: e.sessionId,
24234
- error: e.error.message
24684
+ error: errMsg(e.error)
24235
24685
  }))
24236
24686
  ]
24237
24687
  });
@@ -25209,13 +25659,14 @@ var WS_READ_METHODS = /* @__PURE__ */ new Set([
25209
25659
  function mountAcpHttp(app, bridge, opts) {
25210
25660
  const enabled = opts.enabled ?? process.env["QWEN_SERVE_ACP_HTTP"] !== "0";
25211
25661
  if (!enabled) return void 0;
25212
- const path13 = opts.path ?? "/acp";
25662
+ const path14 = opts.path ?? "/acp";
25213
25663
  const dispatcher = new AcpDispatcher(
25214
25664
  bridge,
25215
25665
  opts.boundWorkspace,
25216
25666
  opts.workspace,
25217
25667
  opts.fsFactory,
25218
- opts.deviceFlowRegistry
25668
+ opts.deviceFlowRegistry,
25669
+ opts.sessionShellCommandEnabled === true
25219
25670
  );
25220
25671
  const registry = new ConnectionRegistry(
25221
25672
  (req, clientId) => dispatcher.cancelAbandonedPermission(req, clientId),
@@ -25230,7 +25681,7 @@ function mountAcpHttp(app, bridge, opts) {
25230
25681
  },
25231
25682
  opts.maxConnections
25232
25683
  );
25233
- app.post(path13, async (req, res) => {
25684
+ app.post(path14, async (req, res) => {
25234
25685
  const ct = req.headers["content-type"];
25235
25686
  if (!ct || !ct.startsWith("application/json")) {
25236
25687
  res.status(415).json({ error: "Content-Type must be application/json" });
@@ -25334,7 +25785,7 @@ function mountAcpHttp(app, bridge, opts) {
25334
25785
  );
25335
25786
  });
25336
25787
  });
25337
- app.get(path13, (req, res) => {
25788
+ app.get(path14, (req, res) => {
25338
25789
  const accept = req.headers["accept"] ?? "";
25339
25790
  if (!accept.includes("text/event-stream")) {
25340
25791
  res.status(406).json({ error: "Accept header must include text/event-stream" });
@@ -25410,7 +25861,7 @@ function mountAcpHttp(app, bridge, opts) {
25410
25861
  }
25411
25862
  );
25412
25863
  });
25413
- app.delete(path13, (req, res) => {
25864
+ app.delete(path14, (req, res) => {
25414
25865
  const connectionId = headerOf(req, ACP_CONNECTION_HEADER);
25415
25866
  if (!connectionId) {
25416
25867
  res.status(400).json({ error: "Missing Acp-Connection-Id" });
@@ -25443,7 +25894,7 @@ function mountAcpHttp(app, bridge, opts) {
25443
25894
  socket.destroy();
25444
25895
  return;
25445
25896
  }
25446
- if (url.pathname !== path13) {
25897
+ if (url.pathname !== path14) {
25447
25898
  socket.destroy();
25448
25899
  return;
25449
25900
  }
@@ -25678,7 +26129,7 @@ function mountAcpHttp(app, bridge, opts) {
25678
26129
  });
25679
26130
  }, "upgradeListener");
25680
26131
  httpServer.on("upgrade", upgradeListener);
25681
- writeStderrLine(`qwen serve: /acp WebSocket transport enabled on ${path13}`);
26132
+ writeStderrLine(`qwen serve: /acp WebSocket transport enabled on ${path14}`);
25682
26133
  }
25683
26134
  __name(setupWebSocket, "setupWebSocket");
25684
26135
  return {
@@ -25856,6 +26307,11 @@ var SERVE_CAPABILITY_REGISTRY = {
25856
26307
  // Side question (/btw) against the session's conversation context.
25857
26308
  // Single-turn, tool-free LLM call via runForkedAgent (cache path).
25858
26309
  session_btw: { since: "v1" },
26310
+ // Direct daemon-side shell execution for an existing session.
26311
+ // Advertised CONDITIONALLY: operators must explicitly enable it and
26312
+ // configure bearer auth. Clients must still send a session-bound
26313
+ // X-Qwen-Client-Id when calling the route.
26314
+ session_shell_command: { since: "v1" },
25859
26315
  // Daemon hosts a workspace-shared MCP transport
25860
26316
  // pool (`QwenAgent.mcpPool`); `GET /workspace/mcp` reflects pool-level
25861
26317
  // accounting (`entryCount`, `entrySummary` on each per-server cell).
@@ -25935,6 +26391,10 @@ var CONDITIONAL_SERVE_FEATURES = /* @__PURE__ */ new Map([
25935
26391
  (toggles) => typeof toggles.writerIdleTimeoutMs === "number" && toggles.writerIdleTimeoutMs > 0
25936
26392
  ],
25937
26393
  ["workspace_settings", (toggles) => toggles.persistSettingAvailable === true],
26394
+ [
26395
+ "session_shell_command",
26396
+ (toggles) => toggles.sessionShellCommandEnabled === true
26397
+ ],
25938
26398
  ["rate_limit", (toggles) => toggles.rateLimit === true],
25939
26399
  ["workspace_reload", (toggles) => toggles.reloadAvailable === true]
25940
26400
  ]);
@@ -29046,20 +29506,25 @@ var TUI_ONLY_SETTINGS = /* @__PURE__ */ new Set([
29046
29506
  "ide.enabled",
29047
29507
  "ui.showLineNumbers",
29048
29508
  "ui.renderMode",
29049
- "ui.compactMode",
29050
29509
  "ui.useTerminalBuffer",
29051
29510
  "ui.hideBanner",
29052
- "ui.accessibility.enableLoadingPhrases"
29511
+ "ui.accessibility.enableLoadingPhrases",
29512
+ "ui.enableWelcomeBack"
29053
29513
  ]);
29514
+ var WEB_SHELL_SETTINGS = /* @__PURE__ */ new Set(["ui.compactMode"]);
29054
29515
  var VALID_WRITE_SCOPES = /* @__PURE__ */ new Set(["workspace"]);
29055
29516
  var MAX_STRING_VALUE_LENGTH = 1024;
29056
29517
  var SECURITY_SENSITIVE_SETTINGS = /* @__PURE__ */ new Set(["tools.approvalMode"]);
29057
29518
  function getAllowedKeys() {
29058
- return new Set(
29519
+ const keys = new Set(
29059
29520
  getDialogSettingKeys().filter(
29060
29521
  (k) => !TUI_ONLY_SETTINGS.has(k) && !SECURITY_SENSITIVE_SETTINGS.has(k)
29061
29522
  )
29062
29523
  );
29524
+ for (const key of WEB_SHELL_SETTINGS) {
29525
+ keys.add(key);
29526
+ }
29527
+ return keys;
29063
29528
  }
29064
29529
  __name(getAllowedKeys, "getAllowedKeys");
29065
29530
  function buildSettingsResponse(boundWorkspace, keys) {
@@ -29256,13 +29721,150 @@ function registerWorkspaceSettingsRoutes(app, deps) {
29256
29721
  }
29257
29722
  __name(registerWorkspaceSettingsRoutes, "registerWorkspaceSettingsRoutes");
29258
29723
 
29724
+ // packages/cli/src/serve/routes/a2uiAction.ts
29725
+ init_esbuild_shims();
29726
+ import * as fsp3 from "node:fs/promises";
29727
+ import * as path11 from "node:path";
29728
+ var A2UI_MIME = "application/a2ui+json";
29729
+ var ACTION_TOOL = "action";
29730
+ var CALL_TIMEOUT_MS = 15e3;
29731
+ function usableServerConfig(cfg) {
29732
+ return !!cfg && (typeof cfg.command === "string" || typeof cfg.httpUrl === "string");
29733
+ }
29734
+ __name(usableServerConfig, "usableServerConfig");
29735
+ async function findFromSettingsFile(workspaceCwd) {
29736
+ try {
29737
+ const raw = await fsp3.readFile(
29738
+ path11.join(workspaceCwd, ".qwen", "settings.json"),
29739
+ "utf8"
29740
+ );
29741
+ const settings = JSON.parse(raw);
29742
+ for (const [name, cfg] of Object.entries(settings.mcpServers ?? {})) {
29743
+ if (name.toLowerCase().includes("a2ui") && usableServerConfig(cfg)) {
29744
+ return cfg;
29745
+ }
29746
+ }
29747
+ } catch {
29748
+ }
29749
+ return null;
29750
+ }
29751
+ __name(findFromSettingsFile, "findFromSettingsFile");
29752
+ function buildTransport(cfg) {
29753
+ if (typeof cfg.httpUrl === "string") {
29754
+ return new StreamableHTTPClientTransport(new URL(cfg.httpUrl));
29755
+ }
29756
+ return new StdioClientTransport({
29757
+ command: cfg.command,
29758
+ args: cfg.args ?? [],
29759
+ // spawn() treats `env` as a complete replacement, not a merge — a partial
29760
+ // env (e.g. {API_KEY}) would strip PATH/HOME and break the child. Merge
29761
+ // over process.env like packages/core/src/tools/mcp-client.ts does; when
29762
+ // unset, let the SDK apply its safe default environment.
29763
+ ...cfg.env ? { env: { ...process.env, ...cfg.env } } : {},
29764
+ cwd: cfg.cwd
29765
+ });
29766
+ }
29767
+ __name(buildTransport, "buildTransport");
29768
+ function extractA2uiActionResult(result) {
29769
+ if (result.isError) {
29770
+ const errMsg2 = (result.content ?? []).filter(
29771
+ (b) => b.type === "text" && typeof b.text === "string"
29772
+ ).map((b) => b.text).join("");
29773
+ throw new Error(
29774
+ `a2ui action tool returned error: ${errMsg2 || "unknown error"}`
29775
+ );
29776
+ }
29777
+ let commands = null;
29778
+ let fallback = "";
29779
+ for (const block of result.content ?? []) {
29780
+ if (commands === null && block.type === "resource" && block.resource?.mimeType === A2UI_MIME && typeof block.resource.text === "string") {
29781
+ try {
29782
+ const parsed = JSON.parse(block.resource.text);
29783
+ if (Array.isArray(parsed)) commands = parsed;
29784
+ } catch {
29785
+ }
29786
+ } else if (block.type === "text" && typeof block.text === "string") {
29787
+ fallback += block.text;
29788
+ }
29789
+ }
29790
+ return { commands, fallback };
29791
+ }
29792
+ __name(extractA2uiActionResult, "extractA2uiActionResult");
29793
+ async function callA2uiAction(cfg, args) {
29794
+ const transport = buildTransport(cfg);
29795
+ const client = new Client({ name: "qwen-serve-a2ui", version: "0.0.1" });
29796
+ try {
29797
+ await client.connect(transport, { timeout: CALL_TIMEOUT_MS });
29798
+ const result = await client.callTool(
29799
+ { name: ACTION_TOOL, arguments: { ...args } },
29800
+ void 0,
29801
+ { timeout: CALL_TIMEOUT_MS }
29802
+ );
29803
+ return extractA2uiActionResult(result);
29804
+ } finally {
29805
+ await transport.close().catch(() => {
29806
+ });
29807
+ await client.close().catch(() => {
29808
+ });
29809
+ }
29810
+ }
29811
+ __name(callA2uiAction, "callA2uiAction");
29812
+ function registerA2uiActionRoutes(app, opts) {
29813
+ const { boundWorkspace, mutate, safeBody: safeBody2, getMcpServers } = opts;
29814
+ const callAction = opts.callAction ?? callA2uiAction;
29815
+ app.post(
29816
+ "/session/:id/a2ui-action",
29817
+ mutate(),
29818
+ async (req, res) => {
29819
+ const body = safeBody2(req);
29820
+ const name = body["name"];
29821
+ if (typeof name !== "string" || name.trim().length === 0) {
29822
+ res.status(400).json({ error: "`name` is required" });
29823
+ return;
29824
+ }
29825
+ const surfaceId = typeof body["surfaceId"] === "string" ? body["surfaceId"] : void 0;
29826
+ const context = body["context"] && typeof body["context"] === "object" && !Array.isArray(body["context"]) ? body["context"] : void 0;
29827
+ let cfg = null;
29828
+ try {
29829
+ const servers = (await getMcpServers(req)).filter(
29830
+ (s) => s.name.toLowerCase().includes("a2ui") && usableServerConfig(s.config)
29831
+ );
29832
+ const live = servers.find((s) => s.mcpStatus === "connected");
29833
+ cfg = (live ?? servers[0])?.config ?? null;
29834
+ } catch {
29835
+ }
29836
+ if (!cfg) cfg = await findFromSettingsFile(boundWorkspace);
29837
+ if (!cfg) {
29838
+ res.status(503).json({
29839
+ error: "no a2ui MCP server found (neither runtime-registered nor in workspace settings mcpServers)"
29840
+ });
29841
+ return;
29842
+ }
29843
+ try {
29844
+ const { commands, fallback } = await callAction(cfg, {
29845
+ name: name.trim(),
29846
+ surfaceId,
29847
+ context
29848
+ });
29849
+ res.status(200).json({ commands, fallback });
29850
+ } catch (err) {
29851
+ writeStderrLine(
29852
+ `a2ui-action proxy failed: ${err instanceof Error ? err.message : String(err)}`
29853
+ );
29854
+ res.status(502).json({ error: "a2ui action call failed" });
29855
+ }
29856
+ }
29857
+ );
29858
+ }
29859
+ __name(registerA2uiActionRoutes, "registerA2uiActionRoutes");
29860
+
29259
29861
  // packages/cli/src/serve/rateLimit.ts
29260
29862
  init_esbuild_shims();
29261
29863
  var MAX_BUCKETS = 1e4;
29262
29864
  var GC_REQUEST_INTERVAL = 1e3;
29263
29865
  var GC_TIMER_INTERVAL_MS = 5 * 60 * 1e3;
29264
- function resolveTier(method, path13) {
29265
- const p = path13.endsWith("/") && path13.length > 1 ? path13.slice(0, -1) : path13;
29866
+ function resolveTier(method, path14) {
29867
+ const p = path14.endsWith("/") && path14.length > 1 ? path14.slice(0, -1) : path14;
29266
29868
  if (method === "OPTIONS") return null;
29267
29869
  if ((method === "GET" || method === "HEAD") && (p === "/health" || p === "/demo"))
29268
29870
  return null;
@@ -29799,15 +30401,15 @@ function parseAuthProviderInstallRequest(body, options) {
29799
30401
  }
29800
30402
  __name(parseAuthProviderInstallRequest, "parseAuthProviderInstallRequest");
29801
30403
  function resolveDaemonTelemetryRoute(req) {
29802
- const path13 = req.path.replace(/\/$/, "") || "/";
29803
- if (req.method === "POST" && path13 === "/session") {
30404
+ const path14 = req.path.replace(/\/$/, "") || "/";
30405
+ if (req.method === "POST" && path14 === "/session") {
29804
30406
  return { route: "POST /session" };
29805
30407
  }
29806
- if (req.method === "POST" && path13 === "/sessions/delete") {
30408
+ if (req.method === "POST" && path14 === "/sessions/delete") {
29807
30409
  return { route: "POST /sessions/delete" };
29808
30410
  }
29809
- const sessionAction = path13.match(
29810
- /^\/session\/([^/]+)\/(load|resume|prompt|cancel|recap|btw|model|shell|detach|rewind|approval-mode|language)$/
30411
+ const sessionAction = path14.match(
30412
+ /^\/session\/([^/]+)\/(load|resume|prompt|cancel|recap|btw|model|shell|detach|rewind|approval-mode|language|a2ui-action)$/
29811
30413
  );
29812
30414
  const sessionActionId = sessionAction?.[1];
29813
30415
  const sessionActionName = sessionAction?.[2];
@@ -29817,14 +30419,14 @@ function resolveDaemonTelemetryRoute(req) {
29817
30419
  sessionId: sessionActionId
29818
30420
  };
29819
30421
  }
29820
- const sessionMetadata = path13.match(/^\/session\/([^/]+)\/metadata$/);
30422
+ const sessionMetadata = path14.match(/^\/session\/([^/]+)\/metadata$/);
29821
30423
  if (sessionMetadata?.[1] && req.method === "PATCH") {
29822
30424
  return {
29823
30425
  route: "PATCH /session/:id/metadata",
29824
30426
  sessionId: sessionMetadata[1]
29825
30427
  };
29826
30428
  }
29827
- const sessionPermission = path13.match(
30429
+ const sessionPermission = path14.match(
29828
30430
  /^\/session\/([^/]+)\/permission\/([^/]+)$/
29829
30431
  );
29830
30432
  if (sessionPermission?.[1] && sessionPermission?.[2] && req.method === "POST") {
@@ -29835,7 +30437,7 @@ function resolveDaemonTelemetryRoute(req) {
29835
30437
  ...rawRequestId.length <= MAX_CLIENT_ID_LENGTH2 && CLIENT_ID_RE2.test(rawRequestId) ? { permissionRequestId: rawRequestId } : {}
29836
30438
  };
29837
30439
  }
29838
- const globalPermission = path13.match(/^\/permission\/([^/]+)$/);
30440
+ const globalPermission = path14.match(/^\/permission\/([^/]+)$/);
29839
30441
  if (globalPermission?.[1] && req.method === "POST") {
29840
30442
  const rawRequestId = globalPermission[1];
29841
30443
  return {
@@ -29843,45 +30445,45 @@ function resolveDaemonTelemetryRoute(req) {
29843
30445
  ...rawRequestId.length <= MAX_CLIENT_ID_LENGTH2 && CLIENT_ID_RE2.test(rawRequestId) ? { permissionRequestId: rawRequestId } : {}
29844
30446
  };
29845
30447
  }
29846
- const deleteSession = path13.match(/^\/session\/([^/]+)$/);
30448
+ const deleteSession = path14.match(/^\/session\/([^/]+)$/);
29847
30449
  const deleteSessionId = deleteSession?.[1];
29848
30450
  if (deleteSessionId && req.method === "DELETE") {
29849
30451
  return { route: "DELETE /session/:id", sessionId: deleteSessionId };
29850
30452
  }
29851
- if (req.method === "GET" && /^\/workspace\/[^/]+\/sessions$/.test(path13)) {
30453
+ if (req.method === "GET" && /^\/workspace\/[^/]+\/sessions$/.test(path14)) {
29852
30454
  return { route: "GET /workspace/:id/sessions" };
29853
30455
  }
29854
- if (req.method === "POST" && path13 === "/workspace/init") {
30456
+ if (req.method === "POST" && path14 === "/workspace/init") {
29855
30457
  return { route: "POST /workspace/init" };
29856
30458
  }
29857
- if (req.method === "POST" && path13 === "/workspace/reload") {
30459
+ if (req.method === "POST" && path14 === "/workspace/reload") {
29858
30460
  return { route: "POST /workspace/reload" };
29859
30461
  }
29860
- const mcpRestart = path13.match(/^\/workspace\/mcp\/([^/]+)\/restart$/);
30462
+ const mcpRestart = path14.match(/^\/workspace\/mcp\/([^/]+)\/restart$/);
29861
30463
  if (mcpRestart?.[1] && req.method === "POST") {
29862
30464
  return { route: "POST /workspace/mcp/:server/restart" };
29863
30465
  }
29864
- if (req.method === "POST" && path13 === "/workspace/mcp/servers") {
30466
+ if (req.method === "POST" && path14 === "/workspace/mcp/servers") {
29865
30467
  return { route: "POST /workspace/mcp/servers" };
29866
30468
  }
29867
- const mcpDelete = path13.match(/^\/workspace\/mcp\/servers\/([^/]+)$/);
30469
+ const mcpDelete = path14.match(/^\/workspace\/mcp\/servers\/([^/]+)$/);
29868
30470
  if (mcpDelete?.[1] && req.method === "DELETE") {
29869
30471
  return { route: "DELETE /workspace/mcp/servers/:name" };
29870
30472
  }
29871
- if (req.method === "POST" && path13 === "/workspace/auth/device-flow") {
30473
+ if (req.method === "POST" && path14 === "/workspace/auth/device-flow") {
29872
30474
  return { route: "POST /workspace/auth/device-flow" };
29873
30475
  }
29874
- const deviceFlowDelete = path13.match(
30476
+ const deviceFlowDelete = path14.match(
29875
30477
  /^\/workspace\/auth\/device-flow\/([^/]+)$/
29876
30478
  );
29877
30479
  if (deviceFlowDelete?.[1] && req.method === "DELETE") {
29878
30480
  return { route: "DELETE /workspace/auth/device-flow/:id" };
29879
30481
  }
29880
- const toolEnable = path13.match(/^\/workspace\/tools\/([^/]+)\/enable$/);
30482
+ const toolEnable = path14.match(/^\/workspace\/tools\/([^/]+)\/enable$/);
29881
30483
  if (toolEnable?.[1] && req.method === "POST") {
29882
30484
  return { route: "POST /workspace/tools/:name/enable" };
29883
30485
  }
29884
- if (path13 === "/workspace/settings") {
30486
+ if (path14 === "/workspace/settings") {
29885
30487
  if (req.method === "GET") return { route: "GET /workspace/settings" };
29886
30488
  if (req.method === "POST") return { route: "POST /workspace/settings" };
29887
30489
  }
@@ -29955,6 +30557,13 @@ function resolvePromptDeadlineMs(serverMs, requestMs) {
29955
30557
  return Math.min(serverMs, requestMs);
29956
30558
  }
29957
30559
  __name(resolvePromptDeadlineMs, "resolvePromptDeadlineMs");
30560
+ var DEFAULT_MAX_PENDING_PROMPTS_PER_SESSION2 = 5;
30561
+ function advertisedMaxPendingPromptsPerSession(value) {
30562
+ if (value === void 0) return DEFAULT_MAX_PENDING_PROMPTS_PER_SESSION2;
30563
+ if (value === 0 || value === Number.POSITIVE_INFINITY) return null;
30564
+ return value;
30565
+ }
30566
+ __name(advertisedMaxPendingPromptsPerSession, "advertisedMaxPendingPromptsPerSession");
29958
30567
  function createServeApp(opts, getPort = () => opts.port, deps = {}) {
29959
30568
  const app = (0, import_express.default)();
29960
30569
  const boundWorkspace = deps.boundWorkspace ?? canonicalizeWorkspace(opts.workspace ?? process.cwd());
@@ -29969,10 +30578,14 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
29969
30578
  injected: deps.fsFactory,
29970
30579
  trusted: false
29971
30580
  });
30581
+ const tokenConfigured = typeof opts.token === "string" && opts.token.length > 0;
30582
+ const sessionShellCommandEnabled = opts.enableSessionShell === true && tokenConfigured;
29972
30583
  const bridge = deps.bridge ?? createAcpSessionBridge({
29973
30584
  maxSessions: opts.maxSessions,
30585
+ maxPendingPromptsPerSession: opts.maxPendingPromptsPerSession,
29974
30586
  eventRingSize: opts.eventRingSize,
29975
30587
  boundWorkspace,
30588
+ sessionShellCommandEnabled,
29976
30589
  // Wire the production status provider so direct embeds / tests
29977
30590
  // that don't inject `deps.bridge` get daemon env + preflight cells.
29978
30591
  statusProvider: createDaemonStatusProvider(),
@@ -30168,10 +30781,10 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
30168
30781
  { tier, key: key.slice(0, 64) }
30169
30782
  );
30170
30783
  } : void 0,
30171
- onError: daemonLog ? (err, path13) => {
30784
+ onError: daemonLog ? (err, path14) => {
30172
30785
  daemonLog.warn(
30173
30786
  `rate limiter error (fail-open): ${err instanceof Error ? err.message : String(err)}`,
30174
- { path: path13 }
30787
+ { path: path14 }
30175
30788
  );
30176
30789
  } : void 0
30177
30790
  });
@@ -30189,7 +30802,7 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
30189
30802
  app.get("/demo", demoHandler);
30190
30803
  }
30191
30804
  const mutate = createMutationGate({
30192
- tokenConfigured: opts.token !== void 0,
30805
+ tokenConfigured,
30193
30806
  requireAuth: opts.requireAuth === true
30194
30807
  });
30195
30808
  app.use(daemonTelemetryMiddleware(boundWorkspace));
@@ -30215,6 +30828,7 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
30215
30828
  ...opts.promptDeadlineMs !== void 0 ? { promptDeadlineMs: opts.promptDeadlineMs } : {},
30216
30829
  ...opts.writerIdleTimeoutMs !== void 0 ? { writerIdleTimeoutMs: opts.writerIdleTimeoutMs } : {},
30217
30830
  persistSettingAvailable: deps.persistSetting !== void 0,
30831
+ sessionShellCommandEnabled,
30218
30832
  rateLimit: opts.rateLimit === true,
30219
30833
  reloadAvailable: deps.workspace !== void 0
30220
30834
  }),
@@ -30222,8 +30836,19 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
30222
30836
  // Surface the bound workspace so clients can detect mismatch
30223
30837
  // pre-flight and omit `cwd` on `POST /session`.
30224
30838
  workspaceCwd: boundWorkspace,
30839
+ // Advertise supported transport families so SDK clients can
30840
+ // auto-negotiate the best available transport via
30841
+ // `negotiateTransport()`. REST is always available; future PRs
30842
+ // will add 'acp-http' / 'acp-ws' entries when the corresponding
30843
+ // routes are wired.
30844
+ transports: ["rest"],
30225
30845
  // Active mediation policy under the `policy` namespace.
30226
30846
  policy: { permission: bridge.permissionPolicy },
30847
+ limits: {
30848
+ maxPendingPromptsPerSession: advertisedMaxPendingPromptsPerSession(
30849
+ opts.maxPendingPromptsPerSession
30850
+ )
30851
+ },
30227
30852
  supportedLanguages: LANGUAGE_CODES
30228
30853
  };
30229
30854
  res.status(200).json(envelope);
@@ -30353,6 +30978,18 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
30353
30978
  parseAndValidateClientId: /* @__PURE__ */ __name((req, res) => parseAndValidateWorkspaceClientId(req, res, bridge), "parseAndValidateClientId")
30354
30979
  });
30355
30980
  }
30981
+ registerA2uiActionRoutes(app, {
30982
+ boundWorkspace,
30983
+ mutate,
30984
+ safeBody,
30985
+ // UI-server discovery uses the daemon's workspace MCP status, which
30986
+ // includes servers registered at runtime.
30987
+ getMcpServers: /* @__PURE__ */ __name(async (req) => {
30988
+ const ctx = buildWorkspaceCtx(req, "POST /session/:id/a2ui-action");
30989
+ const status = await workspace.getWorkspaceMcpStatus(ctx);
30990
+ return status.servers ?? [];
30991
+ }, "getMcpServers")
30992
+ });
30356
30993
  app.post(
30357
30994
  "/workspace/auth/device-flow",
30358
30995
  mutate({ strict: true }),
@@ -30541,7 +31178,7 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
30541
31178
  return;
30542
31179
  }
30543
31180
  const cwd = hasCwd ? body["cwd"] : boundWorkspace;
30544
- if (!path11.isAbsolute(cwd)) {
31181
+ if (!path12.isAbsolute(cwd)) {
30545
31182
  res.status(400).json({ error: "`cwd` must be an absolute path when provided" });
30546
31183
  return;
30547
31184
  }
@@ -30843,6 +31480,7 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
30843
31480
  });
30844
31481
  return;
30845
31482
  }
31483
+ addDaemonRequestAttribute("qwen-code.prompt_id", promptId);
30846
31484
  const abort = new AbortController();
30847
31485
  const effectiveDeadlineMs = resolvePromptDeadlineMs(
30848
31486
  opts.promptDeadlineMs,
@@ -30857,19 +31495,39 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
30857
31495
  }, effectiveDeadlineMs);
30858
31496
  deadlineTimer.unref();
30859
31497
  }
30860
- bridge.sendPrompt(
30861
- sessionId,
30862
- {
30863
- ...forwardedBody,
31498
+ let promptPromise;
31499
+ try {
31500
+ promptPromise = bridge.sendPrompt(
30864
31501
  sessionId,
30865
- prompt
30866
- },
30867
- abort.signal,
30868
- {
30869
- ...clientId !== void 0 ? { clientId } : {},
30870
- promptId
31502
+ {
31503
+ ...forwardedBody,
31504
+ sessionId,
31505
+ prompt
31506
+ },
31507
+ abort.signal,
31508
+ {
31509
+ ...clientId !== void 0 ? { clientId } : {},
31510
+ promptId
31511
+ }
31512
+ );
31513
+ } catch (err) {
31514
+ if (deadlineTimer !== void 0) clearTimeout(deadlineTimer);
31515
+ if (daemonLog && err instanceof PromptQueueFullError) {
31516
+ daemonLog.warn("prompt admission rejected: queue full", {
31517
+ sessionId,
31518
+ promptId,
31519
+ ...clientId !== void 0 ? { clientId } : {},
31520
+ limit: err.limit,
31521
+ pendingCount: err.pendingCount
31522
+ });
30871
31523
  }
30872
- ).then(
31524
+ sendBridgeError(res, err, {
31525
+ route: "POST /session/:id/prompt",
31526
+ sessionId
31527
+ });
31528
+ return;
31529
+ }
31530
+ promptPromise.then(
30873
31531
  () => {
30874
31532
  if (daemonLog) {
30875
31533
  daemonLog.info("prompt turn completed", {
@@ -31083,7 +31741,7 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
31083
31741
  });
31084
31742
  app.get("/workspace/:id/sessions", async (req, res) => {
31085
31743
  const workspaceCwd = req.params["id"] ?? "";
31086
- if (!path11.isAbsolute(workspaceCwd)) {
31744
+ if (!path12.isAbsolute(workspaceCwd)) {
31087
31745
  res.status(400).json({ error: "`:id` must decode to an absolute workspace path" });
31088
31746
  return;
31089
31747
  }
@@ -31224,8 +31882,26 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
31224
31882
  res.off("close", onResClose);
31225
31883
  }
31226
31884
  });
31227
- app.post("/session/:id/shell", mutate(), async (req, res) => {
31885
+ app.post("/session/:id/shell", mutate({ strict: true }), async (req, res) => {
31228
31886
  const sessionId = req.params["id"];
31887
+ if (!sessionShellCommandEnabled) {
31888
+ sendBridgeError(res, new SessionShellDisabledError(), {
31889
+ route: "POST /session/:id/shell",
31890
+ sessionId
31891
+ });
31892
+ return;
31893
+ }
31894
+ const clientId = parseClientIdHeader(req, res);
31895
+ if (clientId === null) {
31896
+ return;
31897
+ }
31898
+ if (clientId === void 0) {
31899
+ sendBridgeError(res, new SessionShellClientRequiredError(), {
31900
+ route: "POST /session/:id/shell",
31901
+ sessionId
31902
+ });
31903
+ return;
31904
+ }
31229
31905
  const body = safeBody(req);
31230
31906
  const command = body["command"];
31231
31907
  if (typeof command !== "string" || command.trim().length === 0) {
@@ -31239,17 +31915,12 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
31239
31915
  if (!res.writableEnded) abort.abort();
31240
31916
  }, "onResClose");
31241
31917
  res.once("close", onResClose);
31242
- const clientId = parseClientIdHeader(req, res);
31243
- if (clientId === null) {
31244
- res.off("close", onResClose);
31245
- return;
31246
- }
31247
31918
  try {
31248
31919
  const result = await bridge.executeShellCommand(
31249
31920
  sessionId,
31250
31921
  command.trim(),
31251
31922
  abort.signal,
31252
- clientId !== void 0 ? { clientId } : void 0
31923
+ { clientId }
31253
31924
  );
31254
31925
  if (daemonLog) {
31255
31926
  daemonLog.info("shell command completed", {
@@ -31929,6 +32600,7 @@ function createServeApp(opts, getPort = () => opts.port, deps = {}) {
31929
32600
  fsFactory,
31930
32601
  deviceFlowRegistry,
31931
32602
  token: opts.token,
32603
+ sessionShellCommandEnabled,
31932
32604
  checkRate: rateLimiter?.checkRate
31933
32605
  });
31934
32606
  if (acpHandle) {
@@ -32000,7 +32672,7 @@ function parseOptionalWorkspaceCwd2(body, boundWorkspace, res) {
32000
32672
  return void 0;
32001
32673
  }
32002
32674
  const cwd = hasCwd ? body["cwd"] : boundWorkspace;
32003
- if (!path11.isAbsolute(cwd)) {
32675
+ if (!path12.isAbsolute(cwd)) {
32004
32676
  res.status(400).json({ error: "`cwd` must be an absolute path when provided" });
32005
32677
  return void 0;
32006
32678
  }
@@ -32358,6 +33030,22 @@ function sendBridgeErrorImpl(res, err, ctx, daemonLog) {
32358
33030
  });
32359
33031
  return;
32360
33032
  }
33033
+ if (err instanceof SessionShellDisabledError) {
33034
+ res.status(403).json({
33035
+ error: err.message,
33036
+ code: "session_shell_disabled",
33037
+ errorKind: "session_shell_disabled"
33038
+ });
33039
+ return;
33040
+ }
33041
+ if (err instanceof SessionShellClientRequiredError) {
33042
+ res.status(403).json({
33043
+ error: err.message,
33044
+ code: "client_id_required",
33045
+ errorKind: "client_id_required"
33046
+ });
33047
+ return;
33048
+ }
32361
33049
  if (err instanceof WorkspaceMismatchError) {
32362
33050
  writeStderrLine(
32363
33051
  `qwen serve: workspace_mismatch (POST /session): daemon bound to ${JSON.stringify(err.bound)}, rejected ${JSON.stringify(err.requested)}`
@@ -32394,6 +33082,17 @@ function sendBridgeErrorImpl(res, err, ctx, daemonLog) {
32394
33082
  });
32395
33083
  return;
32396
33084
  }
33085
+ if (err instanceof PromptQueueFullError) {
33086
+ res.set("Retry-After", "5");
33087
+ res.status(503).json({
33088
+ error: err.message,
33089
+ code: "prompt_queue_full",
33090
+ sessionId: err.sessionId,
33091
+ limit: err.limit,
33092
+ pendingCount: err.pendingCount
33093
+ });
33094
+ return;
33095
+ }
32397
33096
  if (err instanceof RestoreInProgressError) {
32398
33097
  res.set("Retry-After", "5");
32399
33098
  res.status(409).json({
@@ -32535,7 +33234,7 @@ __name(errorPayload, "errorPayload");
32535
33234
  // packages/cli/src/serve/runQwenServe.ts
32536
33235
  init_esbuild_shims();
32537
33236
  import * as fs6 from "node:fs";
32538
- import * as path12 from "node:path";
33237
+ import * as path13 from "node:path";
32539
33238
 
32540
33239
  // packages/cli/src/serve/permissionAudit.ts
32541
33240
  init_esbuild_shims();
@@ -32803,6 +33502,10 @@ function isPositiveIntegerMs(value) {
32803
33502
  return Number.isFinite(value) && Number.isInteger(value) && value > 0;
32804
33503
  }
32805
33504
  __name(isPositiveIntegerMs, "isPositiveIntegerMs");
33505
+ function isNonNegativeIntegerOrInfinity(value) {
33506
+ return value === Number.POSITIVE_INFINITY || Number.isFinite(value) && Number.isInteger(value) && value >= 0;
33507
+ }
33508
+ __name(isNonNegativeIntegerOrInfinity, "isNonNegativeIntegerOrInfinity");
32806
33509
  var MAX_TIMEOUT_MS = 2147483647;
32807
33510
  function assertTimerDelayInRange(name, value) {
32808
33511
  if (value > MAX_TIMEOUT_MS) {
@@ -32943,6 +33646,12 @@ __name(shouldPreheatBridge, "shouldPreheatBridge");
32943
33646
  async function runQwenServe(optsIn, deps = {}) {
32944
33647
  const rawToken = optsIn.token ?? process.env[QWEN_SERVER_TOKEN_ENV];
32945
33648
  const token = typeof rawToken === "string" && rawToken.trim().length > 0 ? rawToken.trim() : void 0;
33649
+ const sessionShellCommandEnabled = optsIn.enableSessionShell === true && token !== void 0;
33650
+ if (optsIn.enableSessionShell === true && token === void 0) {
33651
+ writeStderrLine(
33652
+ `qwen serve: --enable-session-shell ignored because no bearer token is configured. Set ${QWEN_SERVER_TOKEN_ENV} or pass --token to enable direct session shell.`
33653
+ );
33654
+ }
32946
33655
  const promptDeadlineMs = optsIn.promptDeadlineMs ?? parseDeadlineEnv(
32947
33656
  QWEN_SERVE_PROMPT_DEADLINE_MS_ENV,
32948
33657
  process.env[QWEN_SERVE_PROMPT_DEADLINE_MS_ENV]
@@ -32990,7 +33699,7 @@ async function runQwenServe(optsIn, deps = {}) {
32990
33699
  );
32991
33700
  }
32992
33701
  const rawWorkspace = opts.workspace ?? process.cwd();
32993
- if (!path12.isAbsolute(rawWorkspace)) {
33702
+ if (!path13.isAbsolute(rawWorkspace)) {
32994
33703
  throw new Error(
32995
33704
  `Invalid --workspace "${rawWorkspace}": must be an absolute path.`
32996
33705
  );
@@ -33043,6 +33752,13 @@ async function runQwenServe(optsIn, deps = {}) {
33043
33752
  }
33044
33753
  assertTimerDelayInRange("promptDeadlineMs", opts.promptDeadlineMs);
33045
33754
  }
33755
+ if (opts.maxPendingPromptsPerSession !== void 0) {
33756
+ if (!isNonNegativeIntegerOrInfinity(opts.maxPendingPromptsPerSession)) {
33757
+ throw new TypeError(
33758
+ `Invalid maxPendingPromptsPerSession: ${opts.maxPendingPromptsPerSession}. Must be a non-negative integer (0 / Infinity = unlimited).`
33759
+ );
33760
+ }
33761
+ }
33046
33762
  if (opts.writerIdleTimeoutMs !== void 0) {
33047
33763
  if (!isPositiveIntegerMs(opts.writerIdleTimeoutMs)) {
33048
33764
  throw new TypeError(
@@ -33163,11 +33879,13 @@ async function runQwenServe(optsIn, deps = {}) {
33163
33879
  const statusProvider = createDaemonStatusProvider();
33164
33880
  const bridge = deps.bridge ?? createAcpSessionBridge({
33165
33881
  maxSessions: opts.maxSessions,
33882
+ ...opts.maxPendingPromptsPerSession !== void 0 ? { maxPendingPromptsPerSession: opts.maxPendingPromptsPerSession } : {},
33166
33883
  ...opts.eventRingSize !== void 0 ? { eventRingSize: opts.eventRingSize } : {},
33167
33884
  ...opts.channelIdleTimeoutMs !== void 0 ? { channelIdleTimeoutMs: opts.channelIdleTimeoutMs } : {},
33168
33885
  ...opts.sessionReapIntervalMs !== void 0 ? { sessionReapIntervalMs: opts.sessionReapIntervalMs } : {},
33169
33886
  ...opts.sessionIdleTimeoutMs !== void 0 ? { sessionIdleTimeoutMs: opts.sessionIdleTimeoutMs } : {},
33170
33887
  boundWorkspace,
33888
+ sessionShellCommandEnabled,
33171
33889
  childEnvOverrides,
33172
33890
  channelFactory,
33173
33891
  onDiagnosticLine: diagnosticSink,
@@ -33482,6 +34200,8 @@ export {
33482
34200
  STATUS_SCHEMA_VERSION,
33483
34201
  SUPPORTED_SERVE_PROTOCOL_VERSIONS,
33484
34202
  SessionNotFoundError,
34203
+ SessionShellClientRequiredError,
34204
+ SessionShellDisabledError,
33485
34205
  WorkspaceInitConflictError,
33486
34206
  WorkspaceInitPathEscapeError,
33487
34207
  WorkspaceInitRaceError,