@runeya/apps-cli 0.1.0 → 0.1.2

package/dist/chunk-XZPCEGWS.js

@@ -0,0 +1,2452 @@
+import {
+  decryptValue,
+  decryptVariableSlots,
+  deriveStableSecret,
+  encryptVariableSlots,
+  env,
+  extractEncryptedVariableSlots,
+  getEncryptionKey,
+  isEncryptedValue,
+  stableEncryptValue
+} from "./chunk-ERJIU7R4.js";
+
+// ../server/dist/chunk-G3WSYJ5B.js
+import { EventEmitter as EventEmitter2 } from "events";
+import WebSocket2 from "ws";
+import { z as z20 } from "zod";
+import { randomUUID, randomBytes, createCipheriv, createDecipheriv } from "crypto";
+import { readFile, writeFile, rename, mkdir, chmod } from "fs/promises";
+import { join } from "path";
+import { randomUUID as randomUUID3 } from "crypto";
+import { readFile as readFile3, writeFile as writeFile3, rename as rename3, mkdir as mkdir3, chmod as chmod3 } from "fs/promises";
+import { join as join3 } from "path";
+import { randomUUID as randomUUID2 } from "crypto";
+import { readFile as readFile2, writeFile as writeFile2, rename as rename2, mkdir as mkdir2, chmod as chmod2 } from "fs/promises";
+import { join as join2 } from "path";
+import { z } from "zod";
+import { z as z2 } from "zod";
+import { z as z3 } from "zod";
+import { z as z7 } from "zod";
+import { z as z5 } from "zod";
+import { z as z4 } from "zod";
+import { z as z6 } from "zod";
+import { z as z8 } from "zod";
+import { z as z9 } from "zod";
+import { z as z10 } from "zod";
+import { z as z11 } from "zod";
+import { z as z12 } from "zod";
+import { z as z13 } from "zod";
+import { z as z14 } from "zod";
+import { z as z15 } from "zod";
+import { z as z16 } from "zod";
+import { z as z17 } from "zod";
+import { z as z18 } from "zod";
+import { z as z19 } from "zod";
+import { createCipheriv as createCipheriv2, createDecipheriv as createDecipheriv2, randomBytes as randomBytes2, pbkdf2Sync } from "crypto";
+import vm from "vm";
+import { spawn } from "child_process";
+import { createInterface } from "readline";
+import { watch } from "fs";
+import { join as join4 } from "path";
+import { EventEmitter } from "events";
+import WebSocket from "ws";
+var FILENAME = "agents.json";
+var ALGORITHM = "aes-256-gcm";
+function encrypt(plaintext) {
+  const maybeKey = getEncryptionKey();
+  if (!maybeKey) {
+    throw new Error("Encryption key not loaded \u2014 please provide the key via setup UI");
+  }
+  const key = maybeKey;
+  const iv = randomBytes(16);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  let enc = cipher.update(plaintext, "utf-8", "hex");
+  enc += cipher.final("hex");
+  const authTag = cipher.getAuthTag().toString("hex");
+  return { encrypted: enc, iv: iv.toString("hex"), authTag };
+}
+function decrypt(encrypted, ivHex, authTagHex) {
+  if (!/^[0-9a-f]+$/i.test(encrypted) || !/^[0-9a-f]+$/i.test(ivHex) || !/^[0-9a-f]+$/i.test(authTagHex)) {
+    throw new Error("Invalid hex string in encrypted agent data");
+  }
+  const maybeKey = getEncryptionKey();
+  if (!maybeKey) {
+    throw new Error("Encryption key not loaded \u2014 please provide the key via setup UI");
+  }
+  const key = maybeKey;
+  const iv = Buffer.from(ivHex, "hex");
+  const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: 16 });
+  decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
+  let dec = decipher.update(encrypted, "hex", "utf-8");
+  dec += decipher.final("utf-8");
+  return dec;
+}
+var AgentStore = class {
+  agents = /* @__PURE__ */ new Map();
+  passthroughEnv = {};
+  traefikConfigs = {};
+  loaded = false;
+  getFilePath() {
+    return join(env.DATA_DIR, FILENAME);
+  }
+  async ensureDir() {
+    await mkdir(env.DATA_DIR, { recursive: true });
+  }
+  async load() {
+    if (this.loaded) return;
+    try {
+      const raw = await readFile(this.getFilePath(), "utf-8");
+      const data = JSON.parse(raw);
+      if (Array.isArray(data)) {
+        for (const a of data) this.agents.set(a.id, a);
+        this.passthroughEnv = {};
+      } else {
+        const fileData = data;
+        for (const a of fileData.agents) this.agents.set(a.id, a);
+        this.passthroughEnv = fileData.passthroughEnv ?? {};
+        this.traefikConfigs = fileData.traefikConfigs ?? {};
+      }
+    } catch {
+    }
+    this.loaded = true;
+  }
+  async save() {
+    await this.ensureDir();
+    const filePath = this.getFilePath();
+    const tmpPath = filePath + ".tmp";
+    const fileData = {
+      agents: Array.from(this.agents.values()),
+      passthroughEnv: this.passthroughEnv,
+      traefikConfigs: this.traefikConfigs
+    };
+    await writeFile(tmpPath, JSON.stringify(fileData, null, 2), "utf-8");
+    await rename(tmpPath, filePath);
+    await chmod(filePath, 384);
+  }
+  toAgentConfig(stored) {
+    return {
+      id: stored.id,
+      name: stored.name,
+      url: stored.url,
+      passphrase: decrypt(stored.encrypted, stored.iv, stored.authTag),
+      passthroughEnv: this.passthroughEnv[stored.id] ?? []
+    };
+  }
+  async list() {
+    await this.load();
+    if (!getEncryptionKey()) {
+      return [];
+    }
+    return Array.from(this.agents.values()).map((a) => this.toAgentConfig(a));
+  }
+  async get(id) {
+    await this.load();
+    if (!getEncryptionKey()) {
+      return null;
+    }
+    const stored = this.agents.get(id);
+    if (!stored) return null;
+    return this.toAgentConfig(stored);
+  }
+  async register(name, url, passphrase) {
+    await this.load();
+    const existing = Array.from(this.agents.values()).find((a) => a.url === url);
+    const { encrypted, iv, authTag } = encrypt(passphrase);
+    if (existing) {
+      existing.name = name;
+      existing.encrypted = encrypted;
+      existing.iv = iv;
+      existing.authTag = authTag;
+      await this.save();
+      return { id: existing.id, name, url, passphrase, passthroughEnv: this.passthroughEnv[existing.id] ?? [] };
+    }
+    const id = randomUUID();
+    const stored = { id, name, url, encrypted, iv, authTag };
+    this.agents.set(id, stored);
+    await this.save();
+    return { id, name, url, passphrase, passthroughEnv: [] };
+  }
+  async remove(id) {
+    await this.load();
+    if (!this.agents.has(id)) return false;
+    this.agents.delete(id);
+    delete this.passthroughEnv[id];
+    delete this.traefikConfigs[id];
+    await this.save();
+    return true;
+  }
+  getPassthroughEnv(agentId) {
+    return this.passthroughEnv[agentId] ?? [];
+  }
+  async savePassthroughEnv(agentId, names) {
+    await this.load();
+    this.passthroughEnv[agentId] = names;
+    await this.save();
+  }
+  getTraefikConfig(agentId) {
+    return this.traefikConfigs[agentId] ?? null;
+  }
+  async saveTraefikConfig(agentId, config) {
+    await this.load();
+    this.traefikConfigs[agentId] = config;
+    await this.save();
+  }
+  async update(id, fields) {
+    await this.load();
+    const stored = this.agents.get(id);
+    if (!stored) return null;
+    if (fields.name !== void 0) stored.name = fields.name;
+    if (fields.url !== void 0) stored.url = fields.url;
+    if (fields.passphrase !== void 0) {
+      const { encrypted, iv, authTag } = encrypt(fields.passphrase);
+      stored.encrypted = encrypted;
+      stored.iv = iv;
+      stored.authTag = authTag;
+    }
+    await this.save();
+    return this.toAgentConfig(stored);
+  }
+  async updateUrl(id, url) {
+    await this.load();
+    const stored = this.agents.get(id);
+    if (!stored) return null;
+    stored.url = url;
+    this.agents.set(id, stored);
+    await this.save();
+    return this.toAgentConfig(stored);
+  }
+};
+var agentStore = new AgentStore();
+var UserSchema = z.object({
+  id: z.string().max(128),
+  email: z.string().email().max(320),
+  name: z.string().min(1).max(500),
+  avatar: z.string().url().max(2048).nullable().optional()
+});
+var OrgSchema = z2.object({
+  id: z2.string().max(128),
+  name: z2.string().min(1).max(100),
+  slug: z2.string().min(1).max(100).regex(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/),
+  ownerId: z2.string().max(128)
+});
+var OrgMemberSchema = z2.object({
+  id: z2.string().max(128),
+  orgId: z2.string().max(128),
+  userId: z2.string().max(128),
+  globalRole: z2.enum(["owner", "admin", "member"]),
+  invitedAt: z2.coerce.date(),
+  joinedAt: z2.coerce.date().nullable().optional()
+});
+var ProjectSchema = z3.object({
+  id: z3.string().max(128),
+  orgId: z3.string().max(128).nullable().optional(),
+  name: z3.string().min(1).max(200),
+  description: z3.string().max(1e4).optional().default(""),
+  serviceIds: z3.array(z3.string().max(128)).max(1e4).default([]),
+  // Environment support
+  // NOTE: activeEnvironmentId is runtime-only (not persisted to JSON)
+  // It's initialized to 'local' by default at load time
+  activeEnvironmentId: z3.string().max(128).optional(),
+  environmentIds: z3.array(z3.string().max(128)).max(100).default([])
+});
+var CreateProjectSchema = ProjectSchema.omit({ id: true }).partial().required({ name: true });
+var UpdateProjectSchema = ProjectSchema.partial().required({ id: true });
+var PositionSchema = z4.object({
+  x: z4.number(),
+  y: z4.number()
+});
+var ScenarioGroupSchema = z4.object({
+  id: z4.string().min(1).max(128),
+  name: z4.string().min(1).max(200),
+  description: z4.string().max(1e3).optional(),
+  color: z4.string().max(32).optional(),
+  position: PositionSchema.default({ x: 0, y: 0 }),
+  width: z4.number().default(300),
+  height: z4.number().default(200)
+});
+var ScenarioPresetRoleSchema = z4.object({
+  id: z4.string().min(1).max(64),
+  name: z4.string().min(1).max(200),
+  systemPrompt: z4.string().max(1e4).default(""),
+  prompt: z4.string().max(1e4).default("")
+});
+var ScenarioPresetInitialDataSchema = z4.object({
+  leaderId: z4.string().min(1).max(128),
+  groups: z4.array(z4.object({
+    id: z4.string().min(1).max(128),
+    name: z4.string().min(1).max(200),
+    description: z4.string().max(1e3).optional(),
+    color: z4.string().max(32).optional(),
+    position: z4.object({ x: z4.number(), y: z4.number() }).default({ x: 0, y: 0 }),
+    width: z4.number().default(300),
+    height: z4.number().default(200)
+  })).max(100).default([]),
+  nodes: z4.array(z4.object({
+    id: z4.string().min(1).max(128),
+    type: z4.enum(["ai", "ask"]).default("ai"),
+    parentIds: z4.array(z4.string().max(128)).default([]),
+    groupId: z4.string().max(128).nullable().default(null),
+    label: z4.string().max(240).default(""),
+    role: z4.string().max(64).default("other"),
+    prompt: z4.string().max(5e4).default(""),
+    question: z4.string().max(2e3).default(""),
+    autoGenerated: z4.boolean().default(true),
+    canAddNode: z4.boolean().default(false),
+    aiCli: z4.enum(["claude-code", "codex"]).default("claude-code"),
+    model: z4.string().max(128).default("sonnet"),
+    position: z4.object({ x: z4.number(), y: z4.number() }).default({ x: 0, y: 0 })
+  })).min(1).max(500)
+});
+var LocalizedStringSchema = z4.record(z4.string(), z4.string().max(100));
+var ScenarioPresetLabelsSchema = z4.object({
+  group: LocalizedStringSchema.optional(),
+  node: LocalizedStringSchema.optional(),
+  role: LocalizedStringSchema.optional(),
+  leader: LocalizedStringSchema.optional()
+});
+var ScenarioPresetSchema = z4.object({
+  id: z4.string().min(1).max(128),
+  name: z4.string().min(1).max(200),
+  icon: z4.string().max(64).optional(),
+  defaultTraversalMode: z4.enum(["hierarchical", "topological"]).optional(),
+  canChangeTraversalMode: z4.boolean().default(true),
+  roles: z4.array(ScenarioPresetRoleSchema).min(1).max(100),
+  initialData: ScenarioPresetInitialDataSchema.optional(),
+  labels: ScenarioPresetLabelsSchema.optional()
+});
+var ScenarioNodeSchema = z4.object({
+  id: z4.string().min(1).max(128),
+  type: z4.enum(["ai", "ask"]).default("ai"),
+  parentIds: z4.array(z4.string().max(128)).default([]),
+  groupId: z4.string().max(128).nullable().default(null),
+  label: z4.string().max(240).default(""),
+  role: z4.string().max(64).default("other"),
+  prompt: z4.string().max(5e4).default(""),
+  question: z4.string().max(2e3).default(""),
+  autoGenerated: z4.boolean().default(true),
+  canAddNode: z4.boolean().default(false),
+  aiCli: z4.enum(["claude-code", "codex"]).default("claude-code"),
+  model: z4.string().max(128).default("sonnet"),
+  position: PositionSchema.default({ x: 0, y: 0 }),
+  injectParentOutputs: z4.boolean().default(false),
+  injectedAncestorIds: z4.array(z4.string().max(128)).default([])
+});
+var ScenarioSchema = z4.object({
+  id: z4.string().min(1).max(128),
+  name: z4.string().min(1).max(200),
+  icon: z4.string().max(64).optional(),
+  description: z4.string().max(2e3).optional(),
+  leaderId: z4.string().min(1).max(128),
+  groups: z4.array(ScenarioGroupSchema).max(100).default([]),
+  nodes: z4.array(ScenarioNodeSchema).min(1).max(500),
+  traversalMode: z4.enum(["hierarchical", "topological"]).default("hierarchical"),
+  presetId: z4.string().max(128).optional(),
+  isPublished: z4.boolean().default(false),
+  createdAt: z4.number(),
+  updatedAt: z4.number()
+});
+var AI_PROVIDERS = ["anthropic", "openai", "mistral", "groq", "ollama"];
+var AIProviderSchema = z5.object({
+  id: z5.string().min(1).max(128),
+  name: z5.string().min(1).max(200),
+  provider: z5.enum(AI_PROVIDERS),
+  encryptedApiKey: z5.string().max(2e3).default(""),
+  model: z5.string().max(200).optional(),
+  active: z5.boolean().default(false),
+  createdAt: z5.coerce.date(),
+  updatedAt: z5.coerce.date()
+});
+var JSLogParserSchema = z5.object({
+  id: z5.string().min(1).max(128),
+  name: z5.string().min(1).max(200),
+  description: z5.string().max(2e3).optional(),
+  code: z5.string().min(1).max(5e4).refine(
+    (s) => !s.includes("require(") && !s.includes("import ") && !s.includes("eval("),
+    { message: "Code must not contain require, import, or eval patterns" }
+  ),
+  enabled: z5.boolean().default(true),
+  version: z5.literal(2).default(2).optional(),
+  builtin: z5.boolean().optional(),
+  createdAt: z5.coerce.date(),
+  updatedAt: z5.coerce.date()
+});
+var NotificationPreferencesSchema = z5.object({
+  scenario_waiting_input: z5.boolean().default(true),
+  ai_conversation_complete: z5.boolean().default(true),
+  ai_conversation_error: z5.boolean().default(true),
+  service_error_log: z5.boolean().default(true),
+  service_status_changed: z5.boolean().default(true),
+  service_health_changed: z5.boolean().default(true)
+});
+var SettingsSchema = z5.object({
+  mode: z5.enum(["local-simple", "cloud"]),
+  cloudUrl: z5.string().url().max(2048).nullable().optional(),
+  logParsers: z5.array(JSLogParserSchema).max(100).default([]),
+  scenarios: z5.array(ScenarioSchema).max(100).default([])
+});
+var TraefikConfigSchema = z5.object({
+  enabled: z5.boolean().default(false),
+  acmeEmail: z5.string().email().max(256).optional(),
+  wildcardDomain: z5.string().max(253).optional(),
+  httpPort: z5.number().int().min(1).max(65535).default(80),
+  httpsPort: z5.number().int().min(1).max(65535).default(443),
+  dnsProvider: z5.string().max(64).optional(),
+  dnsCredentials: z5.record(z5.string().max(64), z5.string().max(2048)).default({}),
+  acmeStaging: z5.boolean().default(false),
+  encryptedCert: z5.string().max(65536).optional(),
+  encryptedCertKey: z5.string().max(65536).optional()
+});
+var SettingsPrivateSchema = z5.object({
+  aiProviders: z5.array(AIProviderSchema).max(50).default([]),
+  scenarios: z5.array(ScenarioSchema).max(100).default([]),
+  notifications: NotificationPreferencesSchema.default(() => ({
+    scenario_waiting_input: true,
+    ai_conversation_complete: true,
+    ai_conversation_error: true,
+    service_error_log: true,
+    service_status_changed: true,
+    service_health_changed: true
+  })),
+  traefikConfig: TraefikConfigSchema.optional()
+});
+var SchemaVersionSchema = z5.object({
+  version: z5.number().int().positive(),
+  migratedAt: z5.coerce.date()
+});
+var safePath = z6.string().min(1).max(4096).refine(
+  (p) => !p.includes("\0"),
+  { message: "path must not contain null bytes" }
+).refine(
+  (p) => !/(^|[/\\])\.\.([/\\]|$)/.test(p),
+  { message: "path must not contain path-traversal sequences (..)" }
+);
+var ConsoleLogSourceSchema = z6.object({
+  type: z6.literal("console")
+});
+var FileLogSourceSchema = z6.object({
+  type: z6.literal("file"),
+  path: safePath,
+  encoding: z6.string().max(32).default("utf-8"),
+  startFromEnd: z6.boolean().default(true)
+});
+var MongoLogSourceSchema = z6.object({
+  type: z6.literal("mongo"),
+  /** @sensitive — stored encrypted (AES-256-GCM) on disk */
+  connectionString: z6.string().min(1).max(2048),
+  database: z6.string().min(1).max(256),
+  collection: z6.string().min(1).max(256),
+  filter: z6.record(z6.string(), z6.unknown()).optional(),
+  timestampField: z6.string().max(128).default("timestamp"),
+  messageField: z6.string().max(128).default("message"),
+  levelField: z6.string().max(128).optional()
+});
+var MySQLLogSourceSchema = z6.object({
+  type: z6.literal("mysql"),
+  host: z6.string().min(1).max(253),
+  port: z6.number().int().min(1).max(65535).default(3306),
+  user: z6.string().min(1).max(256),
+  /** @sensitive — stored encrypted (AES-256-GCM) on disk */
+  password: z6.string().max(2048),
+  database: z6.string().min(1).max(256),
+  table: z6.string().min(1).max(256),
+  query: z6.string().max(8192).optional(),
+  timestampColumn: z6.string().max(128).default("created_at"),
+  messageColumn: z6.string().max(128).default("message"),
+  levelColumn: z6.string().max(128).optional(),
+  pollIntervalMs: z6.number().int().min(500).max(6e4).default(2e3)
+});
+var LogSourceConfigSchema = z6.discriminatedUnion("type", [
+  ConsoleLogSourceSchema,
+  FileLogSourceSchema,
+  MongoLogSourceSchema,
+  MySQLLogSourceSchema
+]);
+var HealthCheckSchema = z7.object({
+  type: z7.enum(["http", "command"]).default("http"),
+  // HTTP-specific (required when type=http)
+  path: z7.string().min(1).max(500).startsWith("/").optional(),
+  method: z7.enum(["GET", "HEAD", "POST", "PUT"]).optional().default("GET"),
+  expectedStatus: z7.number().int().min(100).max(599).optional().default(200),
+  // Command-specific (required when type=command)
+  command: z7.string().min(1).max(4096).optional(),
+  // Shared
+  interval: z7.number().int().positive().default(1e3),
+  timeout: z7.number().int().positive().default(1e3),
+  retries: z7.number().int().nonnegative().default(3),
+  initialDelay: z7.number().int().nonnegative().optional().default(0)
+}).refine(
+  (data) => data.type === "http" ? !!data.path : !!data.command,
+  { message: "HTTP type requires path; command type requires command" }
+);
+var BootstrapCommandSchema = z7.object({
+  id: z7.string().min(1).max(64),
+  label: z7.string().max(200).default(""),
+  entrypoint: z7.string().max(4096).optional(),
+  command: z7.string().max(4096).default(""),
+  user: z7.string().max(256).optional()
+});
+var DockerConfigSchema = z7.object({
+  // Image mode (pull from registry) — mutually exclusive with build mode in UI
+  image: z7.string().min(1).max(1024).optional(),
+  // Build mode — Dockerfile stored inline in services.json
+  dockerfile: z7.string().max(65536).optional(),
+  buildContext: z7.string().max(4096).optional(),
+  buildArgs: z7.record(z7.string().max(256), z7.string().max(4096)).default({}).refine(
+    (obj) => Object.keys(obj).length <= 50,
+    { message: "Max 50 build args" }
+  ),
+  targetStage: z7.string().max(256).optional(),
+  // Runtime config
+  networkMode: z7.enum(["host", "bridge"]).default("host"),
+  ports: z7.array(z7.string().max(64)).max(100).default([]),
+  volumes: z7.array(z7.string().max(1024)).max(100).default([]),
+  mountRootpath: z7.boolean().default(false),
+  entrypoint: z7.string().max(4096).optional(),
+  command: z7.string().max(4096).optional(),
+  user: z7.string().max(256).optional(),
+  useNativeCommand: z7.boolean().default(false),
+  nativeCommandMode: z7.enum(["shared", "isolated"]).default("isolated"),
+  nativeShell: z7.string().max(256).default("sh"),
+  bootstrapCommands: z7.array(BootstrapCommandSchema).max(20).default([])
+});
+var RestartStrategySchema = z7.enum(["none", "on-failure", "always", "unless-stopped"]).default("none");
+var ServiceShortcutSchema = z7.object({
+  id: z7.string().min(1).max(64),
+  label: z7.string().max(200).default(""),
+  command: z7.string().max(4096).default(""),
+  cwd: z7.string().max(4096).optional()
+});
+var ServiceCommandSchema = z7.object({
+  id: z7.string().min(1).max(64),
+  label: z7.string().max(200).default(""),
+  command: z7.string().max(4096).default(""),
+  cwd: z7.string().max(4096).optional(),
+  shell: z7.boolean().optional().default(true)
+});
+var VariableSlotSchema = z7.object({
+  value: z7.string().max(8192).default(""),
+  pre: z7.string().max(8192).default(""),
+  post: z7.string().max(8192).default(""),
+  isSecret: z7.boolean().default(false)
+});
+var VariableSchema = z7.object({
+  key: z7.string().min(1).max(256),
+  value: VariableSlotSchema
+});
+var VariablesRecordSchema = z7.record(
+  z7.string().max(128),
+  VariableSchema
+).refine(
+  (obj) => Object.keys(obj).length <= 200,
+  { message: "Max 200 variables" }
+);
+var VariableSlotsRecordSchema = z7.record(
+  z7.string().max(256),
+  VariableSlotSchema
+).refine(
+  (obj) => Object.keys(obj).length <= 200,
+  { message: "Max 200 variable slots" }
+);
+var ServiceConfigSchema = z7.object({
+  id: z7.string().max(128),
+  orgId: z7.string().max(128).nullable().optional(),
+  agentId: z7.string().max(128).optional(),
+  // Optional: if absent, inherited from active environment's agentId
+  name: z7.string().min(1).max(200),
+  commands: z7.array(ServiceCommandSchema).max(50).optional().default([]),
+  cwd: z7.string().max(4096).optional(),
+  ports: z7.array(z7.number().int().positive().max(65535)).max(20).optional().default([]),
+  // Metadata fields (migration from old Runeya)
+  groups: z7.array(z7.string().max(200)).max(20).optional().default([]),
+  description: z7.string().max(2e3).optional(),
+  url: z7.string().max(2048).optional(),
+  localUrls: z7.array(z7.object({
+    url: z7.string().max(253).regex(/^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/),
+    port: z7.number().int().min(1).max(65535)
+  })).max(20).optional().default([]),
+  openapiUrl: z7.string().max(2048).optional(),
+  git: z7.object({
+    remote: z7.string().max(2048).optional(),
+    home: z7.string().max(2048).optional()
+  }).optional(),
+  meta: z7.record(z7.string().max(256), z7.string().max(2e3)).optional().refine((obj) => !obj || Object.keys(obj).length <= 100, { message: "Too many meta keys (max 100)" }),
+  // Transient env dict (resolved by server before deployment, used directly by agent runner — NOT persisted)
+  env: z7.record(z7.string().max(256), z7.string().max(8192)).default({}).refine(
+    (obj) => Object.keys(obj).length <= 200,
+    { message: "Too many env vars (max 200)" }
+  ),
+  envSecrets: z7.array(z7.string().max(256)).max(200).default([]),
+  // Transient: resolved JS log parsers (from parserIds, resolved by server before deployment — NOT persisted)
+  resolvedLogParsers: z7.array(JSLogParserSchema).default([]).optional(),
+  // Transient: resolved working directory (cwd with env vars expanded — NOT persisted)
+  resolvedCwd: z7.string().optional(),
+  runner: z7.enum(["native", "docker"]).optional().default("native"),
+  dockerConfig: DockerConfigSchema.optional(),
+  healthCheck: HealthCheckSchema.optional(),
+  parserIds: z7.array(z7.string().max(128)).max(50).default([]),
+  shortcuts: z7.array(ServiceShortcutSchema).max(50).optional().default([]),
+  autoRestart: z7.boolean().optional().default(false),
+  clearLogsOnStart: z7.boolean().optional().default(false),
+  restartStrategy: RestartStrategySchema.optional(),
+  maxRestarts: z7.number().int().nonnegative().optional(),
+  restartBackoffMs: z7.number().int().positive().optional().default(1e3),
+  // Log sources additionnelles (au-delà du stdout/stderr console par défaut)
+  logSources: z7.array(LogSourceConfigSchema).max(20).optional().default([])
+});
+var CreateServiceSchema = ServiceConfigSchema.omit({ id: true }).partial().required({ name: true });
+var UpdateServiceSchema = ServiceConfigSchema.partial().required({ id: true }).extend({
+  agentId: z7.string().max(128).nullable().optional(),
+  // null = clear (inherit from env), undefined = no change
+  cwd: z7.string().max(4096).nullable().optional(),
+  git: z7.object({ remote: z7.string().max(2048).optional(), home: z7.string().max(2048).optional() }).nullable().optional(),
+  meta: z7.record(z7.string().max(256), z7.string().max(2e3)).nullable().optional().refine((obj) => !obj || Object.keys(obj).length <= 100, { message: "Too many meta keys (max 100)" }),
+  healthCheck: HealthCheckSchema.nullable().optional()
+});
+var ProcessStateSchema = z8.enum(["starting", "running", "stopped", "errored"]);
+var HealthStatusSchema = z8.enum(["healthy", "unhealthy", "unknown"]);
+var ProcessStatusSchema = z8.object({
+  id: z8.string().max(128),
+  serviceId: z8.string().max(128),
+  agentId: z8.string().max(128),
+  state: ProcessStateSchema,
+  pid: z8.number().int().nullable().optional(),
+  pids: z8.array(z8.number().int()).optional().default([]),
+  exitCode: z8.number().int().nullable().optional(),
+  startedAt: z8.coerce.date().nullable().optional(),
+  restartCount: z8.number().int().nonnegative().default(0),
+  uptime: z8.number().nonnegative().default(0),
+  healthStatus: HealthStatusSchema.default("unknown")
+});
+var LogLevelSchema = z9.enum(["debug", "info", "warn", "error", "fatal"]);
+var LogLineSchema = z9.object({
+  /** Raw log line as received from the process (immutable context) */
+  raw: z9.string(),
+  /** Source stream (immutable context) */
+  stream: z9.enum(["stdout", "stderr"]),
+  /** Severity level */
+  level: LogLevelSchema,
+  /** Parsed/enriched message to display */
+  message: z9.string(),
+  /** When true, the line is hidden from the log view */
+  hidden: z9.boolean(),
+  /** Arbitrary key/value pairs shown in the detail panel */
+  metadata: z9.record(z9.string().max(256), z9.unknown()).refine(
+    (obj) => Object.keys(obj).length <= 100,
+    { message: "Too many metadata keys (max 100)" }
+  ),
+  /** Full parsed JSON object when the line is JSON */
+  json: z9.record(z9.string(), z9.unknown()).optional(),
+  /** Custom header for the JSON log card (supports HTML, sanitized before display) */
+  jsonHeader: z9.string().max(256).optional()
+});
+var LogCardDirectiveSchema = z9.object({
+  id: z9.string().max(128),
+  type: z9.string().max(64),
+  header: z9.string().max(256),
+  collapsable: z9.boolean().optional(),
+  collapsed: z9.boolean().optional(),
+  state: z9.enum(["open", "append", "close", "self"])
+});
+var ParsedLogSchema = z9.object({
+  id: z9.string().max(128),
+  processId: z9.string().max(128),
+  pid: z9.number().int().nullable().optional(),
+  timestamp: z9.coerce.date(),
+  level: LogLevelSchema.default("info"),
+  message: z9.string().max(16384),
+  raw: z9.string().max(16384),
+  stream: z9.enum(["stdout", "stderr"]).default("stdout"),
+  hidden: z9.boolean().optional().default(false),
+  metadata: z9.record(z9.string().max(256), z9.unknown()).optional().refine(
+    (obj) => !obj || Object.keys(obj).length <= 100,
+    { message: "Too many metadata keys (max 100)" }
+  ),
+  json: z9.record(z9.string(), z9.unknown()).optional(),
+  logCard: LogCardDirectiveSchema.optional(),
+  sourceType: z9.enum(["console", "file", "mongo", "mysql"]).optional(),
+  sourcePath: z9.string().max(4096).optional()
+});
+var ENV_VAR_NAME_REGEX = /^[A-Za-z_][A-Za-z0-9_]*$/;
+var AgentConfigSchema = z10.object({
+  id: z10.string().max(128),
+  name: z10.string().min(1).max(100),
+  url: z10.string().url().max(2048),
+  passphrase: z10.string().min(1).max(1024),
+  passthroughEnv: z10.array(
+    z10.string().regex(ENV_VAR_NAME_REGEX).max(256)
+  ).max(100).default([])
+});
+var AgentStatusSchema = z10.object({
+  connected: z10.boolean(),
+  lastSeen: z10.string().nullable().optional(),
+  uptime: z10.number().nonnegative().default(0),
+  runnersAvailable: z10.array(z10.enum(["native", "docker"])).default(["native"]),
+  lanIp: z10.string().optional()
+});
+var GlobalRoleSchema = z11.enum(["owner", "admin", "member"]);
+var ProjectRoleSchema = z11.enum(["admin", "editor", "viewer"]);
+var ProjectMemberRoleSchema = z11.object({
+  id: z11.string().max(128),
+  projectId: z11.string().max(128),
+  userId: z11.string().max(128),
+  role: ProjectRoleSchema
+});
+var ConfigVersionSchema = z12.object({
+  id: z12.string().max(128),
+  entityType: z12.enum(["project", "service"]),
+  entityId: z12.string().max(128),
+  version: z12.string().max(128),
+  parentVersion: z12.string().max(128),
+  data: z12.record(z12.string(), z12.unknown()).refine(
+    (obj) => Object.keys(obj).length <= 1e3,
+    "Too many data keys (max 1000)"
+  ),
+  patch: z12.array(z12.record(z12.string(), z12.unknown())).max(1e3),
+  userId: z12.string().max(128),
+  timestamp: z12.coerce.date(),
+  resolved: z12.boolean().default(false)
+});
+var ConfigChangeSchema = z12.object({
+  entityType: z12.enum(["project", "service"]),
+  entityId: z12.string().max(128),
+  version: z12.string().max(128),
+  parentVersion: z12.string().max(128),
+  data: z12.record(z12.string(), z12.unknown()).refine(
+    (obj) => Object.keys(obj).length <= 1e3,
+    "Too many data keys (max 1000)"
+  ),
+  patch: z12.array(z12.record(z12.string(), z12.unknown())).max(1e3)
+});
+var SyncStatusSchema = z12.object({
+  connected: z12.boolean(),
+  lastSync: z12.coerce.date().nullable().optional(),
+  pendingChanges: z12.number().int().nonnegative().default(0),
+  conflicts: z12.number().int().nonnegative().default(0)
+});
+var AuditActionSchema = z13.enum([
+  "create",
+  "update",
+  "delete",
+  "invite",
+  "remove",
+  "deploy",
+  "start",
+  "stop",
+  "roleChange"
+]);
+var AuditEntityTypeSchema = z13.enum([
+  "org",
+  "project",
+  "service",
+  "member",
+  "permission"
+]);
+var AuditLogSchema = z13.object({
+  id: z13.string().max(128),
+  orgId: z13.string().max(128),
+  userId: z13.string().max(128),
+  action: AuditActionSchema,
+  entityType: AuditEntityTypeSchema,
+  entityId: z13.string().max(128),
+  metadata: z13.record(z13.string().max(256), z13.unknown()).default({}).refine(
+    (obj) => Object.keys(obj).length <= 100,
+    { message: "Too many metadata keys (max 100)" }
+  ),
+  timestamp: z13.coerce.date()
+});
+var ProcessMetricsSchema = z14.object({
+  processId: z14.string().max(128),
+  cpu: z14.number().nonnegative(),
+  memory: z14.number().int().nonnegative(),
+  timestamp: z14.string()
+});
+var EnvironmentVariablesSchema = z15.record(
+  z15.string().max(256),
+  VariableSchema
+).refine(
+  (obj) => Object.keys(obj).length <= 200,
+  { message: "Max 200 variables" }
+);
+var EnvironmentSchema = z15.object({
+  id: z15.string().max(128),
+  projectId: z15.string().max(128),
+  name: z15.string().min(1).max(200),
+  description: z15.string().max(2e3).optional().default(""),
+  parentIds: z15.array(z15.string().max(128)).max(10).default([]),
+  variables: EnvironmentVariablesSchema.default({}),
+  // Scope: 'global' = project-level env, 'service' = per-service env
+  scope: z15.enum(["global", "service"]).default("global"),
+  // When scope='service': the serviceId this env belongs to
+  reference: z15.string().max(128).optional(),
+  // When scope='service': the globalEnvId this env activates on
+  activateOn: z15.string().max(128).optional(),
+  immutable: z15.boolean().default(false),
+  default: z15.boolean().optional().default(false),
+  color: z15.string().max(20).optional(),
+  bgColor: z15.string().max(20).optional(),
+  // When scope='global': the default agent used by services that don't have an explicit agentId
+  agentId: z15.string().max(128).optional()
+});
+var ResolvedEnvironmentSchema = z15.object({
+  variables: z15.record(z15.string().max(256), VariableSchema).refine((obj) => Object.keys(obj).length <= 500, { message: "Max 500 resolved variables" }),
+  env: z15.record(z15.string().max(256), z15.string().max(8192)).refine((obj) => Object.keys(obj).length <= 500, { message: "Max 500 resolved env vars" }),
+  envSecrets: z15.array(z15.string().max(256)).max(500),
+  sources: z15.record(z15.string().max(256), z15.object({
+    environmentId: z15.string().max(128),
+    environmentName: z15.string().max(200),
+    overridden: z15.boolean(),
+    resolvedFrom: z15.object({
+      environmentId: z15.string().max(128),
+      environmentName: z15.string().max(200)
+    }).optional()
+  })).refine((obj) => Object.keys(obj).length <= 500, { message: "Max 500 source entries" })
+});
+var CreateEnvironmentSchema = EnvironmentSchema.omit({ id: true }).extend({
+  description: z15.string().max(2e3).optional().default(""),
+  parentIds: z15.array(z15.string().max(128)).max(10).optional().default([]),
+  variables: EnvironmentVariablesSchema.optional().default({}),
+  scope: z15.enum(["global", "service"]).optional().default("global"),
+  reference: z15.string().max(128).optional(),
+  activateOn: z15.string().max(128).optional(),
+  immutable: z15.boolean().optional().default(false)
+});
+var UpdateEnvironmentSchema = EnvironmentSchema.partial().required({ id: true }).extend({
+  description: z15.string().max(2e3).optional(),
+  parentIds: z15.array(z15.string().max(128)).max(10).optional(),
+  variables: EnvironmentVariablesSchema.optional(),
+  scope: z15.enum(["global", "service"]).optional(),
+  immutable: z15.boolean().optional(),
+  default: z15.boolean().optional(),
+  agentId: z15.string().max(128).nullable().optional()
+  // null = clear (no default agent)
+});
+var EnvironmentOverridesSchema = z16.record(
+  z16.string().max(128),
+  VariableSchema
+).refine(
+  (obj) => Object.keys(obj).length <= 5e3,
+  { message: "Max 5000 overrides" }
+);
+var ApiServiceActionSchema = z17.enum([
+  "service:read",
+  "service:start",
+  "service:stop",
+  "service:restart",
+  "service:healthcheck",
+  "service:status",
+  "logs:read"
+]);
+var ApiEnvActionSchema = z17.enum(["env:read", "env:write"]);
+var ApiEnvPermSchema = z17.object({
+  environmentId: z17.string().max(128),
+  actions: z17.array(ApiEnvActionSchema).max(10).default(["env:read"]),
+  includeSecrets: z17.boolean().default(false)
+});
+var ApiServicePermSchema = z17.object({
+  serviceId: z17.string().max(128),
+  actions: z17.array(ApiServiceActionSchema).max(10).default(["service:read"]),
+  environments: z17.array(ApiEnvPermSchema).max(100).default([])
+});
+var ApiKeyScopeSchema = z17.object({
+  services: z17.array(ApiServicePermSchema).max(500).default([])
+});
+var ApiKeySchema = z17.object({
+  id: z17.string().max(128),
+  name: z17.string().min(1).max(200),
+  key: z17.string().regex(/^[0-9a-f]{64}$/i),
+  scopes: ApiKeyScopeSchema,
+  createdAt: z17.string().max(64),
+  isPublic: z17.boolean().default(false)
+});
+var ApiKeysFileSchema = z17.object({
+  keys: z17.array(ApiKeySchema).max(100)
+});
+var ALLOWED_IMAGE_MIME_TYPES = ["image/png", "image/jpeg", "image/webp", "image/gif"];
+var ImagePartSchema = z18.object({
+  type: z18.literal("image"),
+  imageId: z18.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i, "Must be a valid UUID"),
+  url: z18.string().min(1),
+  mimeType: z18.enum(ALLOWED_IMAGE_MIME_TYPES),
+  altText: z18.string().max(500).optional()
+});
+var ImageUploadResponseSchema = z18.object({
+  imageId: z18.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i, "Must be a valid UUID"),
+  url: z18.string().min(1),
+  mimeType: z18.enum(ALLOWED_IMAGE_MIME_TYPES),
+  originalName: z18.string()
+});
+var ImageMetaSchema = z18.object({
+  imageId: z18.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i, "Must be a valid UUID"),
+  filePath: z18.string().min(1),
+  mimeType: z18.enum(ALLOWED_IMAGE_MIME_TYPES),
+  originalName: z18.string().min(1),
+  createdAt: z18.number().positive(),
+  size: z18.number().positive().optional()
+});
+var KanbanCardEventSchema = z19.object({
+  type: z19.enum(["created", "edited", "moved", "image_added", "image_removed", "title_changed", "conversation_started", "scenario_started", "comment"]),
+  timestamp: z19.string(),
+  /** Extra context: old/new column name, old/new title, comment text, etc. */
+  detail: z19.string().max(5e3).optional(),
+  /** Who authored this event — 'ai' or 'user'. Only set for comment events. */
+  author: z19.enum(["ai", "user"]).optional(),
+  /** Conversation that produced this event (comments only). Used to navigate back to the conversation. */
+  conversationId: z19.string().optional()
+});
+var KanbanCardSchema = z19.object({
+  id: z19.string(),
+  title: z19.string().min(1).max(500),
+  markdown: z19.string().max(1e5).default(""),
+  /** Base64-encoded image data URIs attached to the card */
+  images: z19.array(z19.string()).default([]),
+  order: z19.number().int(),
+  history: z19.array(KanbanCardEventSchema).default([]),
+  createdAt: z19.string(),
+  updatedAt: z19.string()
+});
+var KanbanColumnSchema = z19.object({
+  id: z19.string(),
+  title: z19.string().min(1).max(200),
+  order: z19.number().int(),
+  cards: z19.array(KanbanCardSchema).default([])
+});
+var KanbanBoardSchema = z19.object({
+  id: z19.string(),
+  name: z19.string().min(1).max(200),
+  description: z19.string().max(1e4).default(""),
+  columns: z19.array(KanbanColumnSchema).default([]),
+  archived: z19.boolean().default(false),
+  createdAt: z19.string(),
+  updatedAt: z19.string()
+});
+var CreateKanbanBoardInput = z19.object({
+  name: z19.string().min(1).max(200),
+  description: z19.string().max(1e4).optional()
+});
+var UpdateKanbanBoardInput = z19.object({
+  id: z19.string(),
+  name: z19.string().min(1).max(200).optional(),
+  description: z19.string().max(1e4).optional(),
+  columns: z19.array(KanbanColumnSchema).optional(),
+  archived: z19.boolean().optional()
+});
+var epoch = /* @__PURE__ */ new Date("2025-01-01T00:00:00Z");
+var nativeParsers = [
+  {
+    id: "native:json",
+    name: "JSON Log Parser",
+    description: "Parses JSON log lines and extracts level, message, timestamp, metadata, and the full parsed object.",
+    code: `(line) => {
+  var trimmed = line.message.trim();
+  if (!trimmed.startsWith('{')) return line;
+  try {
+    var obj = JSON.parse(trimmed);
+    var level = (obj.level || obj.severity || obj.loglevel || '').toString().toLowerCase();
+    var levelMap = { trace: 'debug', debug: 'debug', info: 'info', warn: 'warn', warning: 'warn', error: 'error', fatal: 'fatal', err: 'error' };
+    var mappedLevel = levelMap[level] || line.level;
+    var message = obj.message || obj.msg || obj.text || trimmed;
+    var metadata = {};
+    for (var k in obj) {
+      if (['level','severity','loglevel','message','msg','text','timestamp','time','ts'].indexOf(k) !== -1) continue;
+      metadata[k] = typeof obj[k] === 'string' ? obj[k] : JSON.stringify(obj[k]);
+    }
+    var merged = {};
+    for (var mk in line.metadata) merged[mk] = line.metadata[mk];
+    for (var nk in metadata) merged[nk] = metadata[nk];
+    return { raw: line.raw, stream: line.stream, level: mappedLevel, message: String(message).slice(0, 16384), hidden: line.hidden, metadata: merged, json: obj, jsonHeader: line.jsonHeader };
+  } catch (e) { return line; }
+}`,
+    enabled: true,
+    version: 2,
+    builtin: true,
+    createdAt: epoch,
+    updatedAt: epoch
+  },
+  {
+    id: "native:debug",
+    name: "Runeya Debug Parser",
+    description: 'Detects Runeya internal debug logs emitted as JSON arrays: ["runeya", payload]. Marks them as debug level.',
+    code: `(line) => {
+  var trimmed = line.message.trim();
+  if (!trimmed.startsWith('[')) return line;
+  try {
+    var parsed = JSON.parse(trimmed);
+    if (!Array.isArray(parsed) || parsed[0] !== 'runeya') return line;
+    var debug = parsed.length === 2 ? parsed[1] : parsed.slice(1);
+    var message = typeof debug === 'string' ? debug : JSON.stringify(debug);
+    var merged = {};
+    for (var k in line.metadata) merged[k] = line.metadata[k];
+    merged.runeya_debug = JSON.stringify(debug);
+    return { raw: line.raw, stream: line.stream, level: 'debug', message: message, hidden: line.hidden, metadata: merged, jsonHeader: line.jsonHeader };
+  } catch (e) { return line; }
+}`,
+    enabled: true,
+    version: 2,
+    builtin: true,
+    createdAt: epoch,
+    updatedAt: epoch
+  },
+  {
+    id: "native:links",
+    name: "Link Detector",
+    description: "Detects URLs in plain-text log lines and exposes them in metadata.links for frontend rendering.",
+    code: `(line) => {
+  var urlRegex = /(https?|ftp):\\/\\/[\\w_-]+(?:\\.[\\w_-]+)+([\\w.,@?^=%&:/~+#-]*[\\w@?^=%&/~+#-])?/gi;
+  var urls = line.message.match(urlRegex);
+  if (!urls || urls.length === 0) return line;
+  var merged = {};
+  for (var k in line.metadata) merged[k] = line.metadata[k];
+  merged.links = urls.join(' ');
+  return { raw: line.raw, stream: line.stream, level: line.level, message: line.message, hidden: line.hidden, metadata: merged, jsonHeader: line.jsonHeader };
+}`,
+    enabled: true,
+    version: 2,
+    builtin: true,
+    createdAt: epoch,
+    updatedAt: epoch
+  }
+];
+var VALID_LEVELS = /* @__PURE__ */ new Set(["debug", "info", "warn", "error", "fatal"]);
+var JSLogParser = class {
+  parsers = [];
+  constructor(definitions = []) {
+    this.setParsers(definitions);
+  }
+  setParsers(definitions) {
+    this.parsers = [];
+    for (const def of definitions) {
+      if (!def.enabled) continue;
+      try {
+        const compiled = this.compileParser(def);
+        this.parsers.push({
+          id: def.id,
+          name: def.name,
+          enabled: true,
+          fn: compiled
+        });
+      } catch (err) {
+        console.warn(
+          `[js-log-parser] Failed to compile parser "${def.name}" (${def.id}): ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+  }
+  parse(line) {
+    let current = line;
+    for (const parser of this.parsers) {
+      try {
+        current = parser.fn(current);
+      } catch (err) {
+        console.warn(
+          `[js-log-parser] Parser "${parser.name}" threw error: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+    return this.sanitize(current);
+  }
+  compileParser(def) {
+    const forbidden = ["require(", "import ", "eval("];
+    for (const pat of forbidden) {
+      if (def.code.includes(pat)) {
+        throw new Error("Code contains forbidden patterns (require, import, eval)");
+      }
+    }
+    const sandbox = {
+      RegExp,
+      String,
+      Object,
+      Array,
+      JSON,
+      Math,
+      Date,
+      undefined: void 0,
+      null: null
+    };
+    let script;
+    try {
+      script = new vm.Script(`(${def.code})`, { filename: `parser-${def.id}.js` });
+    } catch (err) {
+      throw new Error(`Compilation failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    let parserFn;
+    try {
+      parserFn = script.runInNewContext(sandbox, { timeout: 100 });
+    } catch (err) {
+      throw new Error(`Execution failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    if (typeof parserFn !== "function") {
+      throw new Error("Parser code must export a function");
+    }
+    return (line) => {
+      const result = parserFn(line);
+      if (result === null || result === void 0 || typeof result !== "object") {
+        return line;
+      }
+      return result;
+    };
+  }
+  /** Sanitize the final LogLine: truncate message, limit metadata, validate level */
+  sanitize(line) {
+    let { message, metadata, level } = line;
+    if (message.length > 16384) {
+      message = message.substring(0, 16384) + "...[truncated]";
+    }
+    const metaKeys = Object.keys(metadata);
+    if (metaKeys.length > 100) {
+      const limited = {};
+      for (let i = 0; i < 100; i++) {
+        limited[metaKeys[i]] = metadata[metaKeys[i]];
+      }
+      metadata = limited;
+    }
+    if (!VALID_LEVELS.has(level)) {
+      level = "info";
+    }
+    if (message !== line.message || metadata !== line.metadata || level !== line.level) {
+      return { ...line, message, metadata, level };
+    }
+    return line;
+  }
+};
+var AGENT_HEALTH_POLL_INTERVAL = 15e3;
+var LOG_BUFFER_SIZE = 5e3;
+var GRACE_PERIOD = 1e4;
+var AGENT_FETCH_TIMEOUT = 1e4;
+var AGENT_LONG_FETCH_TIMEOUT = 6e5;
+var AGENT_STOP_FETCH_TIMEOUT = GRACE_PERIOD + 15e3;
+var PASSPHRASE_TIMEOUT = 3e4;
+var WS_RECONNECT_MIN = 1e3;
+var WS_RECONNECT_MAX = 15e3;
+var SUPPORTED_EDITORS = [
+  { key: "vscode", name: "Visual Studio Code", command: "code" },
+  { key: "cursor", name: "Cursor", command: "cursor" },
+  { key: "windsurf", name: "Windsurf", command: "windsurf" },
+  { key: "sublime", name: "Sublime Text", command: "subl" },
+  { key: "atom", name: "Atom", command: "atom" },
+  { key: "antigravity", name: "Antigravity", command: "antigravity" },
+  { key: "intellij", name: "IntelliJ IDEA", command: "idea" },
+  { key: "android-studio", name: "Android Studio", command: "studio" },
+  { key: "webstorm", name: "WebStorm", command: "webstorm" },
+  { key: "zed", name: "Zed", command: "zed" },
+  { key: "neovim", name: "Neovim", command: "nvim" },
+  { key: "vim", name: "Vim", command: "vim" },
+  { key: "emacs", name: "Emacs", command: "emacs" },
+  { key: "fleet", name: "Fleet", command: "fleet" }
+];
+var EDITOR_BY_KEY = new Map(
+  SUPPORTED_EDITORS.map((e) => [e.key, e])
+);
+var FILENAME2 = "environments.json";
+var EnvironmentStore = class {
+  environments = /* @__PURE__ */ new Map();
+  loaded = false;
+  /** Cache of encrypted secret values as last written to disk */
+  diskEncryptedSlots = /* @__PURE__ */ new Map();
+  getFilePath() {
+    return join2(env.DATA_DIR, FILENAME2);
+  }
+  async ensureDir() {
+    await mkdir2(env.DATA_DIR, { recursive: true });
+  }
+  extractEncryptedCache(environment) {
+    const envSlots = extractEncryptedVariableSlots(
+      environment.variables
+    );
+    return { envSlots };
+  }
+  encryptEnvironment(environment) {
+    const cache = this.diskEncryptedSlots.get(environment.id);
+    let encryptedVars = environment.variables;
+    if (environment.variables && Object.keys(environment.variables).length > 0) {
+      encryptedVars = encryptVariableSlots(
+        environment.variables,
+        cache?.envSlots
+      );
+    }
+    return { ...environment, variables: encryptedVars };
+  }
+  decryptEnvironment(environment) {
+    let decryptedVars = environment.variables;
+    if (environment.variables && Object.keys(environment.variables).length > 0) {
+      decryptedVars = decryptVariableSlots(
+        environment.variables,
+        `environment ${environment.id}`
+      );
+    }
+    return { ...environment, variables: decryptedVars };
+  }
+  async load() {
+    if (this.loaded) return;
+    try {
+      const raw = await readFile2(this.getFilePath(), "utf-8");
+      const data = JSON.parse(raw);
+      if (!getEncryptionKey()) {
+        this.loaded = true;
+        return;
+      }
+      for (const e of data) {
+        this.diskEncryptedSlots.set(e.id, this.extractEncryptedCache(e));
+        const decrypted = this.decryptEnvironment(e);
+        this.environments.set(e.id, decrypted);
+      }
+    } catch {
+    }
+    this.loaded = true;
+  }
+  async save() {
+    await this.ensureDir();
+    const filePath = this.getFilePath();
+    const tmpPath = filePath + ".tmp";
+    const preparedEnvironments = Array.from(this.environments.values()).map((e) => this.encryptEnvironment(e));
+    for (const e of preparedEnvironments) {
+      this.diskEncryptedSlots.set(e.id, this.extractEncryptedCache(e));
+    }
+    const data = JSON.stringify(preparedEnvironments, null, 2);
+    await writeFile2(tmpPath, data, "utf-8");
+    await rename2(tmpPath, filePath);
+    await chmod2(filePath, 384);
+  }
+  async list(projectId) {
+    await this.load();
+    return Array.from(this.environments.values()).filter((e) => e.projectId === projectId);
+  }
+  async get(id) {
+    await this.load();
+    return this.environments.get(id) ?? null;
+  }
+  async create(input) {
+    await this.load();
+    const parsed = CreateEnvironmentSchema.parse(input);
+    const environment = {
+      id: randomUUID2(),
+      projectId: parsed.projectId,
+      name: parsed.name,
+      description: parsed.description,
+      parentIds: parsed.parentIds,
+      variables: parsed.variables,
+      scope: parsed.scope,
+      reference: parsed.reference,
+      activateOn: parsed.activateOn,
+      immutable: parsed.immutable,
+      default: parsed.default,
+      color: parsed.color,
+      bgColor: parsed.bgColor,
+      agentId: parsed.agentId
+    };
+    if (environment.default) {
+      for (const [id, e] of this.environments) {
+        if (e.projectId === environment.projectId && e.default) {
+          this.environments.set(id, { ...e, default: false });
+        }
+      }
+    }
+    this.environments.set(environment.id, environment);
+    await this.save();
+    return environment;
+  }
+  async update(input) {
+    await this.load();
+    const existing = this.environments.get(input.id);
+    if (!existing) return null;
+    const updated = {
+      ...existing,
+      // Immutable environments: allow changing variables, color, description — but not name
+      ...!existing.immutable && input.name !== void 0 && { name: input.name },
+      ...input.description !== void 0 && { description: input.description },
+      ...input.parentIds !== void 0 && { parentIds: input.parentIds },
+      ...input.variables !== void 0 && { variables: input.variables },
+      ...input.scope !== void 0 && { scope: input.scope },
+      ...input.reference !== void 0 && { reference: input.reference },
+      ...input.activateOn !== void 0 && { activateOn: input.activateOn },
+      ...input.color !== void 0 && { color: input.color },
+      ...input.bgColor !== void 0 && { bgColor: input.bgColor },
+      ...input.default !== void 0 && { default: input.default },
+      ...input.agentId !== void 0 && { agentId: input.agentId ?? void 0 }
+    };
+    if (updated.default) {
+      for (const [id, e] of this.environments) {
+        if (id !== input.id && e.projectId === updated.projectId && e.default) {
+          this.environments.set(id, { ...e, default: false });
+        }
+      }
+    }
+    this.environments.set(input.id, updated);
+    await this.save();
+    return updated;
+  }
+  async upsertVariable(environmentId, variableId, variable) {
+    const existing = this.environments.get(environmentId);
+    if (!existing) return null;
+    const variables = { ...existing.variables ?? {}, [variableId]: variable };
+    return this.update({ id: environmentId, variables });
+  }
+  async removeVariable(environmentId, variableId) {
+    const existing = this.environments.get(environmentId);
+    if (!existing) return null;
+    const variables = { ...existing.variables ?? {} };
+    delete variables[variableId];
+    return this.update({ id: environmentId, variables });
+  }
+  async delete(id) {
+    await this.load();
+    const env2 = this.environments.get(id);
+    if (!env2) return false;
+    if (env2.immutable) return false;
+    this.environments.delete(id);
+    await this.save();
+    return true;
+  }
+  async getByProjectId(projectId) {
+    await this.load();
+    return Array.from(this.environments.values()).filter((e) => e.projectId === projectId);
+  }
+  async listAllGlobal() {
+    await this.load();
+    return Array.from(this.environments.values()).filter((e) => e.scope === "global");
+  }
+  // --- Scope-based Query Methods ---
+  async listByScope(projectId, scope) {
+    await this.load();
+    return Array.from(this.environments.values()).filter((e) => e.projectId === projectId && e.scope === scope);
+  }
+  async findServiceEnvironment(serviceId, globalEnvId) {
+    await this.load();
+    for (const e of this.environments.values()) {
+      if (e.scope === "service" && e.reference === serviceId && e.activateOn === globalEnvId) return e;
+    }
+    return null;
+  }
+  async findServiceEnvironments(serviceId) {
+    await this.load();
+    return Array.from(this.environments.values()).filter((e) => e.scope === "service" && e.reference === serviceId);
+  }
+  async deleteByReference(serviceId) {
+    await this.load();
+    let changed = false;
+    for (const [id, e] of this.environments) {
+      if (e.scope === "service" && e.reference === serviceId) {
+        this.environments.delete(id);
+        changed = true;
+      }
+    }
+    if (changed) await this.save();
+  }
+  async deleteByActivateOn(globalEnvId) {
+    await this.load();
+    let changed = false;
+    for (const [id, e] of this.environments) {
+      if (e.scope === "service" && e.activateOn === globalEnvId) {
+        this.environments.delete(id);
+        changed = true;
+      }
+    }
+    if (changed) await this.save();
+  }
+  /**
+   * When a service is renamed, update the name of all its service-scoped environments
+   * to keep the `${serviceName} (${globalEnvName})` pattern in sync.
+   */
+  async renameByReference(serviceId, newServiceName) {
+    await this.load();
+    let changed = false;
+    for (const [id, e] of this.environments) {
+      if (e.scope === "service" && e.reference === serviceId && e.activateOn) {
+        const globalEnv = this.environments.get(e.activateOn);
+        if (!globalEnv) continue;
+        this.environments.set(id, { ...e, name: `${newServiceName} (${globalEnv.name})` });
+        changed = true;
+      }
+    }
+    if (changed) await this.save();
+  }
+  /**
+   * When a global environment is renamed, update the name of all service-scoped
+   * environments that activateOn it to keep the naming pattern in sync.
+   * Caller provides a serviceId→name map since environmentStore can't access serviceStore.
+   */
+  async renameByActivateOn(globalEnvId, newGlobalName, serviceNames) {
+    await this.load();
+    let changed = false;
+    for (const [id, e] of this.environments) {
+      if (e.scope === "service" && e.activateOn === globalEnvId && e.reference) {
+        const serviceName = serviceNames.get(e.reference);
+        if (!serviceName) continue;
+        this.environments.set(id, { ...e, name: `${serviceName} (${newGlobalName})` });
+        changed = true;
+      }
+    }
+    if (changed) await this.save();
+  }
+};
+var environmentStore = new EnvironmentStore();
+var FILENAME3 = "services.json";
+function encryptLogSources(logSources) {
+  return logSources.map((src) => {
+    if (src.type === "mongo") {
+      return { ...src, connectionString: stableEncryptValue(src.connectionString) };
+    }
+    if (src.type === "mysql" && src.password) {
+      return { ...src, password: stableEncryptValue(src.password) };
+    }
+    return src;
+  });
+}
+function decryptLogSources(logSources) {
+  return logSources.map((src) => {
+    if (src.type === "mongo" && isEncryptedValue(src.connectionString)) {
+      try {
+        return { ...src, connectionString: decryptValue(src.connectionString) };
+      } catch {
+        console.error("[service-store] Failed to decrypt mongo connectionString");
+        return src;
+      }
+    }
+    if (src.type === "mysql" && src.password && isEncryptedValue(src.password)) {
+      try {
+        return { ...src, password: decryptValue(src.password) };
+      } catch {
+        console.error("[service-store] Failed to decrypt mysql password");
+        return src;
+      }
+    }
+    return src;
+  });
+}
+function prepareForDisk(service) {
+  return {
+    ...service,
+    env: {},
+    envSecrets: [],
+    resolvedLogParsers: void 0,
+    resolvedCwd: void 0,
+    logSources: encryptLogSources(service.logSources ?? [])
+  };
+}
+var ServiceStore = class {
+  services = /* @__PURE__ */ new Map();
+  loaded = false;
+  listeners = /* @__PURE__ */ new Set();
+  onChange(fn) {
+    this.listeners.add(fn);
+    return () => this.listeners.delete(fn);
+  }
+  notify() {
+    for (const fn of this.listeners) fn();
+  }
+  getFilePath() {
+    return join3(env.DATA_DIR, FILENAME3);
+  }
+  async ensureDir() {
+    await mkdir3(env.DATA_DIR, { recursive: true });
+  }
+  async load() {
+    if (this.loaded) return;
+    try {
+      const raw = await readFile3(this.getFilePath(), "utf-8");
+      const data = JSON.parse(raw);
+      if (!getEncryptionKey()) {
+        this.loaded = true;
+        return;
+      }
+      for (const s of data) {
+        if (s.commands) {
+          for (const cmd of s.commands) {
+            if (cmd.shell === void 0) cmd.shell = true;
+          }
+        }
+        this.services.set(s.id, {
+          ...s,
+          logSources: decryptLogSources(s.logSources ?? [])
+        });
+      }
+    } catch {
+    }
+    this.loaded = true;
+  }
+  async save() {
+    await this.ensureDir();
+    const filePath = this.getFilePath();
+    const tmpPath = filePath + ".tmp";
+    const preparedServices = Array.from(this.services.values()).map((s) => prepareForDisk(s));
+    const data = JSON.stringify(preparedServices, null, 2);
+    await writeFile3(tmpPath, data, "utf-8");
+    await rename3(tmpPath, filePath);
+    await chmod3(filePath, 384);
+  }
+  async list() {
+    await this.load();
+    return Array.from(this.services.values());
+  }
+  async get(id) {
+    await this.load();
+    return this.services.get(id) ?? null;
+  }
+  async create(input) {
+    await this.load();
+    const service = {
+      id: randomUUID3(),
+      orgId: input.orgId ?? null,
+      agentId: input.agentId,
+      name: input.name,
+      commands: input.commands ?? [],
+      cwd: input.cwd,
+      ports: input.ports ?? [],
+      groups: input.groups ?? [],
+      description: input.description,
+      url: input.url,
+      localUrls: input.localUrls ?? [],
+      openapiUrl: input.openapiUrl,
+      git: input.git,
+      meta: input.meta,
+      env: {},
+      envSecrets: [],
+      runner: input.runner ?? "native",
+      dockerConfig: input.dockerConfig,
+      healthCheck: input.healthCheck,
+      parserIds: input.parserIds ?? [],
+      shortcuts: input.shortcuts ?? [],
+      logSources: input.logSources ?? [],
+      autoRestart: input.autoRestart ?? false,
+      restartBackoffMs: input.restartBackoffMs ?? 1e3,
+      clearLogsOnStart: input.clearLogsOnStart ?? false
+    };
+    this.services.set(service.id, service);
+    await this.save();
+    this.notify();
+    return service;
+  }
+  async update(input) {
+    await this.load();
+    const existing = this.services.get(input.id);
+    if (!existing) return null;
+    const updated = {
+      ...existing,
+      ...input.agentId !== void 0 && { agentId: input.agentId ?? void 0 },
+      ...input.name !== void 0 && { name: input.name },
+      ...input.commands !== void 0 && { commands: input.commands },
+      ...input.cwd !== void 0 && { cwd: input.cwd ?? void 0 },
+      ...input.ports !== void 0 && { ports: input.ports },
+      ...input.groups !== void 0 && { groups: input.groups },
+      ...input.description !== void 0 && { description: input.description },
+      ...input.url !== void 0 && { url: input.url },
+      ...input.localUrls !== void 0 && { localUrls: input.localUrls },
+      ...input.openapiUrl !== void 0 && { openapiUrl: input.openapiUrl },
+      ...input.git !== void 0 && { git: input.git ?? void 0 },
+      ...input.meta !== void 0 && { meta: input.meta ?? void 0 },
+      ...input.runner !== void 0 && { runner: input.runner },
+      ...input.dockerConfig !== void 0 && { dockerConfig: input.dockerConfig },
+      ...input.healthCheck !== void 0 && { healthCheck: input.healthCheck ?? void 0 },
+      ...input.autoRestart !== void 0 && { autoRestart: input.autoRestart },
+      ...input.clearLogsOnStart !== void 0 && { clearLogsOnStart: input.clearLogsOnStart },
+      ...input.restartBackoffMs !== void 0 && { restartBackoffMs: input.restartBackoffMs },
+      ...input.orgId !== void 0 && { orgId: input.orgId },
+      ...input.shortcuts !== void 0 && { shortcuts: input.shortcuts },
+      ...input.parserIds !== void 0 && { parserIds: input.parserIds },
+      ...input.logSources !== void 0 && { logSources: input.logSources }
+    };
+    this.services.set(input.id, updated);
+    await this.save();
+    this.notify();
+    return updated;
+  }
+  async delete(id) {
+    await this.load();
+    if (!this.services.has(id)) return false;
+    this.services.delete(id);
+    await this.save();
+    this.notify();
+    await environmentStore.deleteByReference(id);
+    return true;
+  }
+};
+var serviceStore = new ServiceStore();
+function buildAgentEnv() {
+  const safeKeys = ["PATH", "HOME", "USER", "SHELL", "LANG", "TERM", "NODE_ENV", "TMPDIR", "TZ", "DBUS_SESSION_BUS_ADDRESS", "XDG_RUNTIME_DIR"];
+  const agentEnv = {
+    RUNEYA_AGENT_PORT: String(env.RUNEYA_AGENT_PORT),
+    RUNEYA_AGENT_HOST: env.RUNEYA_AGENT_HOST
+  };
+  if (env.MODE === "local-simple") {
+    const passphrase = deriveStableSecret("local-agent-passphrase");
+    if (!passphrase) {
+      return null;
+    }
+    agentEnv.PASSPHRASE_OVERRIDE = passphrase;
+  }
+  for (const key of safeKeys) {
+    if (process.env[key]) {
+      agentEnv[key] = process.env[key];
+    }
+  }
+  return agentEnv;
+}
+var LOCAL_AGENT_ID = "local-agent";
+var LOCAL_AGENT_NAME = "local";
+var AgentSpawner = class {
+  agentProcess = null;
+  exitHandlerRegistered = false;
+  fileWatcher = null;
+  isRestarting = false;
+  agentDistPath = null;
+  async spawnLocalAgent() {
+    const agentUrl = `http://${env.RUNEYA_AGENT_HOST}:${env.RUNEYA_AGENT_PORT}`;
+    const agentEnv = buildAgentEnv();
+    if (!agentEnv) {
+      console.log("[agent-spawner] \u26A0\uFE0F  Cannot spawn local agent: encryption key not available");
+      console.log("[agent-spawner] Please provide the encryption key via the setup UI");
+      return;
+    }
+    console.log(`[agent-spawner] Spawning local agent on ${agentUrl}...`);
+    const isDev = process.env.NODE_ENV === "development";
+    this.agentDistPath = env.AGENT_BINARY_PATH || join4(process.cwd(), "..", "agent", "dist", "index.js");
+    this.agentProcess = spawn("node", [this.agentDistPath], {
+      env: agentEnv,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    if (isDev) {
+      this.setupFileWatcher();
+    }
+    if (!this.exitHandlerRegistered) {
+      this.exitHandlerRegistered = true;
+      process.on("exit", () => {
+        if (this.agentProcess && !this.agentProcess.killed) {
+          this.agentProcess.kill("SIGKILL");
+        }
+      });
+    }
+    const passphrase = await this.waitForPassphrase();
+    if (!passphrase) {
+      console.error("[agent-spawner] Failed to get passphrase from local agent");
+      return;
+    }
+    console.log("[agent-spawner] Local agent started, passphrase received");
+    await agentManager.registerLocal({ id: LOCAL_AGENT_ID, name: LOCAL_AGENT_NAME, url: agentUrl, passphrase, passthroughEnv: [] });
+    console.log(`[agent-spawner] Local agent registered as ${LOCAL_AGENT_ID}`);
+  }
+  waitForPassphrase() {
+    return new Promise((resolve) => {
+      if (!this.agentProcess?.stdout) {
+        resolve(null);
+        return;
+      }
+      const rl = createInterface({ input: this.agentProcess.stdout });
+      const timeout = setTimeout(() => {
+        resolve(null);
+      }, PASSPHRASE_TIMEOUT);
+      let initialPassphraseFound = false;
+      rl.on("line", (line) => {
+        const match = line.match(/^RUNEYA_PASSPHRASE=([a-f0-9]{64})$/);
+        if (match) {
+          const newPassphrase = match[1];
+          if (!initialPassphraseFound) {
+            initialPassphraseFound = true;
+            clearTimeout(timeout);
+            resolve(newPassphrase);
+          } else {
+            console.log("[agent-spawner] \u{1F504} Agent reloaded, updating passphrase...");
+            this.updateAgentPassphrase(newPassphrase).catch((err) => {
+              console.error("[agent-spawner] Failed to update passphrase after reload:", err);
+            });
+          }
+          return;
+        }
+        console.log(`[agent] ${line}`);
+      });
+      if (this.agentProcess?.stderr) {
+        const stderrRl = createInterface({ input: this.agentProcess.stderr });
+        stderrRl.on("line", (line) => {
+          console.error(`[agent:err] ${line}`);
+        });
+      }
+      this.agentProcess?.on("error", (err) => {
+        console.error("[agent-spawner] Failed to spawn agent:", err);
+        clearTimeout(timeout);
+        if (!initialPassphraseFound) resolve(null);
+      });
+      this.agentProcess?.on("exit", (code) => {
+        if (code !== null && code !== 0) {
+          console.error(`[agent-spawner] Agent exited with code ${code}`);
+        }
+        clearTimeout(timeout);
+        if (!initialPassphraseFound) resolve(null);
+      });
+    });
+  }
+  async shutdown() {
+    if (this.fileWatcher) {
+      this.fileWatcher.close();
+      this.fileWatcher = null;
+    }
+    if (this.agentProcess) {
+      console.log("[agent-spawner] Stopping local agent...");
+      this.agentProcess.kill("SIGKILL");
+      await new Promise((resolve) => {
+        this.agentProcess?.on("exit", () => resolve());
+        setTimeout(resolve, 2e3);
+      });
+      this.agentProcess = null;
+    }
+  }
+  getLocalAgentId() {
+    return LOCAL_AGENT_ID;
+  }
+  async updateAgentPassphrase(newPassphrase) {
+    const agentUrl = `http://${env.RUNEYA_AGENT_HOST}:${env.RUNEYA_AGENT_PORT}`;
+    await agentManager.registerLocal({ id: LOCAL_AGENT_ID, name: LOCAL_AGENT_NAME, url: agentUrl, passphrase: newPassphrase, passthroughEnv: [] });
+    console.log(`[agent-spawner] \u2705 Agent passphrase updated, re-registered as ${LOCAL_AGENT_ID}`);
+  }
+  setupFileWatcher() {
+    if (!this.agentDistPath) return;
+    if (this.fileWatcher) {
+      this.fileWatcher.close();
+    }
+    console.log("[agent-spawner] \u{1F50D} Watching agent dist for changes (hot reload enabled)");
+    const distDir = join4(this.agentDistPath, "..");
+    this.fileWatcher = watch(distDir, { persistent: false }, (eventType, filename) => {
+      if ((eventType === "change" || eventType === "rename") && filename === "index.js" && !this.isRestarting) {
+        this.isRestarting = true;
+        console.log("[agent-spawner] \u{1F504} Agent code changed, restarting...");
+        if (this.agentProcess && !this.agentProcess.killed) {
+          const oldProcess = this.agentProcess;
+          oldProcess.once("exit", () => {
+            setTimeout(() => {
+              this.restartAgent().catch((err) => {
+                console.error("[agent-spawner] Failed to restart agent:", err);
+                this.isRestarting = false;
+              });
+            }, 100);
+          });
+          oldProcess.kill("SIGKILL");
+        }
+      }
+    });
+  }
+  async restartAgent() {
+    if (!this.agentDistPath) return;
+    const agentEnv = buildAgentEnv();
+    if (!agentEnv) {
+      console.log("[agent-spawner] Cannot restart agent: encryption key not available");
+      this.isRestarting = false;
+      return;
+    }
+    const agentUrl = `http://${env.RUNEYA_AGENT_HOST}:${env.RUNEYA_AGENT_PORT}`;
+    const isDev = process.env.NODE_ENV === "development";
+    this.agentProcess = spawn("node", [this.agentDistPath], {
+      env: agentEnv,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    if (this.agentProcess?.stdout) {
+      const rl = createInterface({ input: this.agentProcess.stdout });
+      rl.on("line", (line) => {
+        const match = line.match(/^RUNEYA_PASSPHRASE=([a-f0-9]{64})$/);
+        if (match) {
+          const newPassphrase = match[1];
+          agentManager.registerLocal({ id: LOCAL_AGENT_ID, name: LOCAL_AGENT_NAME, url: agentUrl, passphrase: newPassphrase, passthroughEnv: [] }).then(() => {
+            console.log(`[agent-spawner] \u2705 Agent restarted and re-registered as ${LOCAL_AGENT_ID}`);
+            this.isRestarting = false;
+            if (isDev) {
+              this.setupFileWatcher();
+            }
+          }).catch((err) => {
+            console.error("[agent-spawner] Failed to register agent after restart:", err);
+            this.isRestarting = false;
+          });
+          return;
+        }
+        console.log(`[agent] ${line}`);
+      });
+    }
+    if (this.agentProcess?.stderr) {
+      const stderrRl = createInterface({ input: this.agentProcess.stderr });
+      stderrRl.on("line", (line) => {
+        console.error(`[agent:err] ${line}`);
+      });
+    }
+  }
+};
+var agentSpawner = new AgentSpawner();
+var TraefikManager = class {
+  encryptDnsCredentials(credentials) {
+    const result = {};
+    for (const [key, value] of Object.entries(credentials)) {
+      result[key] = isEncryptedValue(value) ? value : stableEncryptValue(value);
+    }
+    return result;
+  }
+  decryptDnsCredentials(credentials) {
+    const result = {};
+    for (const [key, value] of Object.entries(credentials)) {
+      if (isEncryptedValue(value)) {
+        try {
+          result[key] = decryptValue(value);
+        } catch {
+          console.error(`[traefik-manager] Failed to decrypt credential: ${key}`);
+          result[key] = "";
+        }
+      } else {
+        result[key] = value;
+      }
+    }
+    return result;
+  }
+};
+var traefikManager = new TraefikManager();
+var SUBSCRIPTION_PATHS = [
+  { path: "process.onStatus", eventType: "process:status" },
+  { path: "process.onLog", eventType: "process:log" },
+  { path: "process.onHealth", eventType: "process:health" },
+  { path: "process.onMetrics", eventType: "process:metrics" }
+];
+var PING_INTERVAL_MS = 3e4;
+var PONG_TIMEOUT_MS = 1e4;
+var AgentWSBridge = class extends EventEmitter {
+  constructor(agentId, url, passphrase) {
+    super();
+    this.agentId = agentId;
+    this.url = url;
+    this.passphrase = passphrase;
+  }
+  ws = null;
+  nextId = 1;
+  subscriptions = /* @__PURE__ */ new Map();
+  reconnectTimer = null;
+  currentReconnectDelay = WS_RECONNECT_MIN;
+  closed = false;
+  pingInterval = null;
+  pongTimeout = null;
+  connect() {
+    if (this.closed) return;
+    this.cleanup();
+    const httpUrl = new URL(this.url);
+    const wsProtocol = httpUrl.protocol === "https:" ? "wss:" : "ws:";
+    const wsUrl = `${wsProtocol}//${httpUrl.host}`;
+    try {
+      this.ws = new WebSocket(wsUrl, {
+        headers: { "Authorization": `Bearer ${this.passphrase}` }
+      });
+    } catch {
+      this.scheduleReconnect();
+      return;
+    }
+    this.ws.on("open", () => {
+      console.log(`[agent-ws-bridge] \u2705 Connected to agent ${this.agentId}`);
+      this.currentReconnectDelay = WS_RECONNECT_MIN;
+      this.startHeartbeat();
+      this.subscribeAll();
+      console.log(`[agent-ws-bridge] Created ${SUBSCRIPTION_PATHS.length} subscriptions for agent ${this.agentId}`);
+    });
+    this.ws.on("message", (raw) => {
+      try {
+        const msg = JSON.parse(
+          typeof raw === "string" ? raw : raw.toString()
+        );
+        this.handleMessage(msg);
+      } catch {
+      }
+    });
+    this.ws.on("pong", () => {
+      if (this.pongTimeout) {
+        clearTimeout(this.pongTimeout);
+        this.pongTimeout = null;
+      }
+    });
+    this.ws.on("close", () => {
+      console.log(`[agent-ws-bridge] \u274C Disconnected from agent ${this.agentId}`);
+      this.stopHeartbeat();
+      this.ws = null;
+      this.subscriptions.clear();
+      if (!this.closed) {
+        console.log(`[agent-ws-bridge] Scheduling reconnect for agent ${this.agentId} in ${this.currentReconnectDelay}ms`);
+        this.scheduleReconnect();
+      }
+    });
+    this.ws.on("error", (err) => {
+      console.debug("[agent-ws-bridge] WS error for agent", this.agentId + ":", err.message);
+    });
+  }
+  /**
+   * Subscribe to a dynamic tRPC path with an input payload.
+   * Returns an unsubscribe function that cleans up on the agent side.
+   * Used for per-session subscriptions (e.g. terminal.onData).
+   */
+  subscribeWithInput(path, input, onData, onStop) {
+    const id = this.nextId++;
+    this.subscriptions.set(id, { onData, onStop });
+    if (this.ws?.readyState === WebSocket.OPEN) {
+      const msg = { id, method: "subscription", params: { path, input } };
+      this.ws.send(JSON.stringify(msg));
+    }
+    return () => {
+      this.subscriptions.delete(id);
+      if (this.ws?.readyState === WebSocket.OPEN) {
+        this.ws.send(JSON.stringify({ id, method: "subscription.stop" }));
+      }
+    };
+  }
+  disconnect() {
+    this.closed = true;
+    this.cleanup();
+  }
+  startHeartbeat() {
+    this.stopHeartbeat();
+    this.pingInterval = setInterval(() => {
+      if (!this.ws || this.ws.readyState !== WebSocket.OPEN) return;
+      this.pongTimeout = setTimeout(() => {
+        console.log(`[agent-ws-bridge] Pong timeout for agent ${this.agentId}, closing connection`);
+        this.ws?.terminate();
+      }, PONG_TIMEOUT_MS);
+      this.ws.ping();
+    }, PING_INTERVAL_MS);
+  }
+  stopHeartbeat() {
+    if (this.pingInterval) {
+      clearInterval(this.pingInterval);
+      this.pingInterval = null;
+    }
+    if (this.pongTimeout) {
+      clearTimeout(this.pongTimeout);
+      this.pongTimeout = null;
+    }
+  }
+  cleanup() {
+    this.stopHeartbeat();
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    if (this.ws) {
+      this.ws.removeAllListeners();
+      this.ws.on("error", () => {
+      });
+      this.ws.close();
+      this.ws = null;
+    }
+    this.subscriptions.clear();
+  }
+  subscribeAll() {
+    for (const { path, eventType } of SUBSCRIPTION_PATHS) {
+      this.sendSubscription(path, eventType);
+    }
+  }
+  sendSubscription(path, eventType) {
+    if (!this.ws || this.ws.readyState !== WebSocket.OPEN) return;
+    const id = this.nextId++;
+    this.subscriptions.set(id, { eventType });
+    const msg = {
+      id,
+      method: "subscription",
+      params: { path }
+    };
+    this.ws.send(JSON.stringify(msg));
+  }
+  handleMessage(msg) {
+    const sub = this.subscriptions.get(msg.id);
+    if (!sub) return;
+    if (msg.result?.type === "data" && msg.result.data !== void 0) {
+      const data = msg.result.data;
+      if (sub.onData) {
+        sub.onData(data);
+      } else if (sub.eventType) {
+        if (typeof data !== "object" || data === null) return;
+        if (Array.isArray(data)) {
+          this.emit(sub.eventType, { batch: data, agentId: this.agentId });
+        } else {
+          this.emit(sub.eventType, {
+            ...data,
+            agentId: this.agentId
+          });
+        }
+      }
+    } else if (msg.result?.type === "started") {
+      const label = sub.eventType ?? "(dynamic)";
+      console.log(`[agent-ws-bridge] \u2705 Subscription ${label} started for agent ${this.agentId}`);
+    } else if (msg.result?.type === "stopped") {
+      const label = sub.eventType ?? "(dynamic)";
+      console.log(`[agent-ws-bridge] \u23F9\uFE0F  Subscription ${label} stopped for agent ${this.agentId}`);
+      if (sub.onStop) sub.onStop();
+      this.subscriptions.delete(msg.id);
+    } else if (msg.error) {
+      const label = sub.eventType ?? "(dynamic)";
+      console.debug("[agent-ws-bridge] Subscription error for", label, "on agent", this.agentId + ":", msg.error);
+      if (sub.onStop) sub.onStop();
+      this.subscriptions.delete(msg.id);
+    }
+  }
+  scheduleReconnect() {
+    if (this.closed || this.reconnectTimer) return;
+    this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
+      if (!this.closed) {
+        this.connect();
+      }
+    }, this.currentReconnectDelay);
+    this.currentReconnectDelay = Math.min(this.currentReconnectDelay * 2, WS_RECONNECT_MAX);
+  }
+};
+var HealthMessageSchema = z20.object({
+  status: z20.string(),
+  uptime: z20.number(),
+  runnersAvailable: z20.array(z20.enum(["native", "docker"])),
+  processCount: z20.number(),
+  runningCount: z20.number(),
+  lanIp: z20.string().optional()
+});
+var MIN_RECONNECT_DELAY = WS_RECONNECT_MIN;
+var MAX_RECONNECT_DELAY = WS_RECONNECT_MAX;
+var ALIVE_TIMEOUT = AGENT_HEALTH_POLL_INTERVAL;
+function resolvePassthroughValues(names) {
+  const values = {};
+  for (const name of names) {
+    if (process.env[name] !== void 0) {
+      values[name] = process.env[name];
+    }
+  }
+  return values;
+}
+var AgentManager = class extends EventEmitter2 {
+  connections = /* @__PURE__ */ new Map();
+  constructor() {
+    super();
+    this.setMaxListeners(50);
+  }
+  // Make an authenticated fetch call to an agent's tRPC endpoint
+  async agentCall(agent, path, input, method = "GET", timeout = AGENT_FETCH_TIMEOUT) {
+    const url = new URL(`/api/trpc/${path}`, agent.url);
+    const headers = {
+      "Authorization": `Bearer ${agent.passphrase}`,
+      "Content-Type": "application/json"
+    };
+    let response;
+    try {
+      if (method === "GET") {
+        if (input !== void 0) {
+          url.searchParams.set("input", JSON.stringify(input));
+        }
+        response = await fetch(url.toString(), { headers, signal: AbortSignal.timeout(timeout) });
+      } else {
+        response = await fetch(url.toString(), {
+          method: "POST",
+          headers,
+          body: JSON.stringify(input !== void 0 ? input : {}),
+          signal: AbortSignal.timeout(timeout)
+        });
+      }
+    } catch (err) {
+      console.error("[agent-manager] Agent call failed (" + method + " " + path + "):", err instanceof Error ? err.message : String(err));
+      throw err;
+    }
+    if (!response.ok) {
+      let agentMessage = "";
+      try {
+        const errBody = await response.json();
+        agentMessage = errBody?.error?.message ?? errBody?.message ?? "";
+      } catch {
+      }
+      const detail = agentMessage ? `: ${agentMessage}` : "";
+      console.error("[agent-manager] Agent call failed: HTTP", response.status, "for", method, path, detail);
+      throw new Error(`Agent call failed: HTTP ${response.status}${detail}`);
+    }
+    const json = await response.json();
+    if (json.error) {
+      console.error("[agent-manager] Agent error on", path + ":", json.error);
+      throw new Error(`Agent error on ${path}: ${json.error.message ?? "unknown"}`);
+    }
+    return json.result?.data;
+  }
+  // Query wrapper
+  async agentQuery(agentId, path, input) {
+    const agent = this.getAgent(agentId);
+    if (!agent) throw new Error(`Agent ${agentId} not found`);
+    return this.agentCall(agent.config, path, input, "GET");
+  }
+  // Mutation wrapper
+  async agentMutation(agentId, path, input, timeout) {
+    const agent = this.getAgent(agentId);
+    if (!agent) throw new Error(`Agent ${agentId} not found`);
+    return this.agentCall(agent.config, path, input, "POST", timeout);
+  }
+  /**
+   * Open a dynamic tRPC subscription on the agent's WS bridge.
+   * Returns an unsubscribe function.
+   * Used for per-session streaming (e.g. terminal.onData).
+   */
+  agentSubscribe(agentId, path, input, onData, onStop) {
+    const conn = this.connections.get(agentId);
+    if (!conn?.bridge) throw new Error(`Agent ${agentId} not connected via WebSocket`);
+    return conn.bridge.subscribeWithInput(path, input, onData, onStop);
+  }
+  async init() {
+    const agents = await agentStore.list();
+    for (const agent of agents) {
+      this.connectAgent(agent);
+    }
+  }
+  async register(name, url, passphrase) {
+    const config = await agentStore.register(name, url, passphrase);
+    const isReRegistration = this.connections.has(config.id);
+    if (isReRegistration) {
+      console.log(`[agent-manager] Re-registering agent ${config.name} (${config.id})`);
+      this.disconnectAgent(config.id);
+      await new Promise((resolve) => setTimeout(resolve, 200));
+    }
+    this.connectAgent(config);
+    console.log(`[agent-manager] Agent ${config.name} (${config.id}) connection established`);
+    return config;
+  }
+  /**
+   * Register a local agent in-memory only (no persistence to agentStore).
+   * The local agent is always auto-spawned with deterministic config,
+   * so it doesn't need disk persistence.
+   * Also reassigns orphaned services (from old UUID-based agent IDs) to this agent.
+   */
+  async registerLocal(config) {
+    const isReRegistration = this.connections.has(config.id);
+    if (isReRegistration) {
+      console.log(`[agent-manager] Re-registering local agent ${config.name} (${config.id})`);
+      this.disconnectAgent(config.id);
+      await new Promise((resolve) => setTimeout(resolve, 200));
+    }
+    const storedPassthrough = agentStore.getPassthroughEnv(config.id);
+    const configWithPassthrough = { ...config, passthroughEnv: storedPassthrough };
+    await this.reassignOrphanedServices(config.id);
+    this.connectAgent(configWithPassthrough);
+    console.log(`[agent-manager] Local agent ${config.name} (${config.id}) connected (in-memory only)`);
+  }
+  /**
+   * Find services assigned to unknown agent IDs and reassign them to the given agent.
+   * This handles the migration from random UUID-based agent IDs to the stable 'local-agent' ID.
+   */
+  async reassignOrphanedServices(localAgentId) {
+    const allServices = await serviceStore.list();
+    const persistedAgents = await agentStore.list();
+    const knownIds = /* @__PURE__ */ new Set([localAgentId, ...persistedAgents.map((a) => a.id)]);
+    for (const service of allServices) {
+      if (service.agentId && !knownIds.has(service.agentId)) {
+        console.log(`[agent-manager] Reassigning orphaned service ${service.name} (${service.id}) from ${service.agentId} \u2192 ${localAgentId}`);
+        await serviceStore.update({ id: service.id, agentId: localAgentId });
+      }
+    }
+  }
+  async update(agentId, fields) {
+    const isLocal = agentSpawner.getLocalAgentId() === agentId;
+    if (isLocal) {
+      const hasOtherFields = fields.name !== void 0 || fields.url !== void 0 || fields.passphrase !== void 0;
+      if (hasOtherFields) {
+        throw new Error("Cannot modify the local agent");
+      }
+    }
+    if (fields.passthroughEnv !== void 0) {
+      await agentStore.savePassthroughEnv(agentId, fields.passthroughEnv);
+      const conn2 = this.connections.get(agentId);
+      if (conn2) {
+        conn2.config = { ...conn2.config, passthroughEnv: fields.passthroughEnv };
+        try {
+          await this.agentMutation(agentId, "config.setPassthroughEnv", {
+            names: fields.passthroughEnv,
+            values: resolvePassthroughValues(fields.passthroughEnv)
+          });
+        } catch (err) {
+          console.error("[agent-manager] Failed to push passthroughEnv to agent", agentId + ":", err instanceof Error ? err.message : String(err));
+        }
+      }
+    }
+    if (isLocal) {
+      const conn2 = this.connections.get(agentId);
+      if (!conn2) throw new Error(`Agent ${agentId} not found`);
+      return conn2.config;
+    }
+    const { passthroughEnv: _pt, ...storeFields } = fields;
+    const hasStoreFields = storeFields.name !== void 0 || storeFields.url !== void 0 || storeFields.passphrase !== void 0;
+    if (hasStoreFields) {
+      const updated = await agentStore.update(agentId, storeFields);
+      if (!updated) {
+        throw new Error(`Agent ${agentId} not found`);
+      }
+      const conn2 = this.connections.get(agentId);
+      if (conn2) {
+        conn2.config = updated;
+        if (storeFields.url !== void 0 || storeFields.passphrase !== void 0) {
+          this.disconnectAgent(agentId);
+          this.connectAgent(updated);
+        }
+      }
+      return updated;
+    }
+    const conn = this.connections.get(agentId);
+    if (!conn) throw new Error(`Agent ${agentId} not found`);
+    return conn.config;
+  }
+  async remove(agentId) {
+    if (agentSpawner.getLocalAgentId() === agentId) {
+      throw new Error("Cannot remove the local agent");
+    }
+    this.disconnectAgent(agentId);
+    return agentStore.remove(agentId);
+  }
+  connectAgent(config) {
+    const connection = {
+      config,
+      status: {
+        connected: false,
+        lastSeen: null,
+        uptime: 0,
+        runnersAvailable: []
+      },
+      reconnectDelay: MIN_RECONNECT_DELAY
+    };
+    this.connections.set(config.id, connection);
+    this.openHealthWs(config.id);
+    this.openBridge(config.id);
+  }
+  openBridge(agentId) {
+    const conn = this.connections.get(agentId);
+    if (!conn) return;
+    console.log(`[agent-manager] Opening tRPC bridge for agent ${conn.config.name} (${agentId})`);
+    const bridge = new AgentWSBridge(agentId, conn.config.url, conn.config.passphrase);
+    conn.bridge = bridge;
+    const eventTypes = ["process:status", "process:log", "process:health", "process:metrics"];
+    for (const eventType of eventTypes) {
+      bridge.on(eventType, (data) => {
+        this.emit(eventType, data);
+      });
+    }
+    bridge.connect();
+  }
+  disconnectAgent(agentId) {
+    const conn = this.connections.get(agentId);
+    if (!conn) return;
+    console.log(`[agent-manager] Disconnecting agent ${conn.config.name} (${agentId})`);
+    if (conn.healthWs) {
+      conn.healthWs.removeAllListeners();
+      conn.healthWs.close();
+      conn.healthWs = void 0;
+    }
+    if (conn.bridge) {
+      conn.bridge.disconnect();
+      conn.bridge = void 0;
+    }
+    if (conn.reconnectTimer) {
+      clearTimeout(conn.reconnectTimer);
+      conn.reconnectTimer = void 0;
+    }
+    if (conn.aliveTimer) {
+      clearTimeout(conn.aliveTimer);
+      conn.aliveTimer = void 0;
+    }
+    this.connections.delete(agentId);
+    this.emit("status", { agentId, status: { connected: false, lastSeen: null, uptime: 0, runnersAvailable: [] } });
+  }
+  openHealthWs(agentId) {
+    const conn = this.connections.get(agentId);
+    if (!conn) return;
+    const httpUrl = new URL(conn.config.url);
+    const wsProtocol = httpUrl.protocol === "https:" ? "wss:" : "ws:";
+    const wsUrl = `${wsProtocol}//${httpUrl.host}/ws/health`;
+    const ws = new WebSocket2(wsUrl, {
+      headers: { "Authorization": `Bearer ${conn.config.passphrase}` }
+    });
+    conn.healthWs = ws;
+    const resetAliveTimer = () => {
+      if (conn.aliveTimer) clearTimeout(conn.aliveTimer);
+      conn.aliveTimer = setTimeout(() => {
+        console.debug(`[agent-manager] Agent ${conn.config.name} (${agentId}) alive timeout \u2014 closing WS`);
+        ws.close();
+      }, ALIVE_TIMEOUT);
+    };
+    ws.on("open", () => {
+      console.debug(`[agent-manager] WS open to agent ${conn.config.name} (${agentId})`);
+      resetAliveTimer();
+    });
+    ws.on("message", (raw) => {
+      try {
+        const health = HealthMessageSchema.parse(
+          JSON.parse(typeof raw === "string" ? raw : raw.toString())
+        );
+        resetAliveTimer();
+        const wasConnected = conn.status.connected;
+        conn.status = {
+          connected: true,
+          lastSeen: (/* @__PURE__ */ new Date()).toISOString(),
+          uptime: health.uptime,
+          runnersAvailable: health.runnersAvailable,
+          lanIp: health.lanIp
+        };
+        conn.reconnectDelay = MIN_RECONNECT_DELAY;
+        this.emit("status", { agentId, status: { ...conn.status } });
+        if (!wasConnected) {
+          console.debug(`[agent-manager] Agent ${conn.config.name} (${agentId}) connected`);
+          this.pushPassthroughEnv(agentId);
+          this.reconcileAiSpawns(agentId);
+          const rawTraefikConfig = agentStore.getTraefikConfig(agentId);
+          if (rawTraefikConfig) {
+            const parsed = TraefikConfigSchema.safeParse(rawTraefikConfig);
+            if (parsed.success) {
+              const configToPush = {
+                ...parsed.data,
+                dnsCredentials: traefikManager.decryptDnsCredentials(parsed.data.dnsCredentials ?? {})
+              };
+              this.pushTraefikConfig(agentId, configToPush);
+            } else {
+              console.error("[agent-manager] Invalid Traefik config in store for agent", agentId);
+            }
+          }
+        }
+      } catch (err) {
+        console.debug("[agent-manager] Failed to parse health message for agent", agentId + ":", err);
+      }
+    });
+    ws.on("close", () => {
+      if (conn.aliveTimer) {
+        clearTimeout(conn.aliveTimer);
+        conn.aliveTimer = void 0;
+      }
+      conn.healthWs = void 0;
+      if (conn.status.connected) {
+        console.debug(`[agent-manager] Agent ${conn.config.name} (${agentId}) disconnected`);
+        conn.status.connected = false;
+        this.emit("status", { agentId, status: { ...conn.status } });
+      }
+      if (this.connections.has(agentId)) {
+        this.scheduleReconnect(agentId);
+      }
+    });
+    ws.on("error", (err) => {
+      if (conn.status.connected) {
+        console.debug("[agent-manager] WS error for agent", conn.config.name, "(" + agentId + "):", err.message);
+      }
+    });
+  }
+  scheduleReconnect(agentId) {
+    const conn = this.connections.get(agentId);
+    if (!conn) return;
+    if (conn.reconnectTimer) {
+      clearTimeout(conn.reconnectTimer);
+    }
+    conn.reconnectTimer = setTimeout(() => {
+      conn.reconnectTimer = void 0;
+      if (this.connections.has(agentId)) {
+        this.openHealthWs(agentId);
+      }
+    }, conn.reconnectDelay);
+    conn.reconnectDelay = Math.min(conn.reconnectDelay * 2, MAX_RECONNECT_DELAY);
+  }
+  /**
+   * On agent (re)connect, discover any AI spawns still alive on the agent.
+   * Log them for now — full rehydration of ActiveSessionRegistry is a follow-up.
+   */
+  async reconcileAiSpawns(agentId) {
+    try {
+      const spawns = await this.agentQuery(agentId, "ai.list");
+      if (spawns.length > 0) {
+        const summary = spawns.map((s) => `${s.spawnId} (${s.cli}, ${s.status}, buf:${s.bufferLength})`).join(", ");
+        console.log("[agent-manager] Agent %s has %d AI spawn(s): %s", agentId, spawns.length, summary);
+        for (const spawn2 of spawns) {
+          if (spawn2.status !== "running") {
+            this.agentMutation(agentId, "ai.ack", { spawnId: spawn2.spawnId }).catch(() => {
+            });
+          }
+        }
+      }
+    } catch (err) {
+      console.debug("[agent-manager] Failed to reconcile AI spawns for agent", agentId + ":", err instanceof Error ? err.message : String(err));
+    }
+  }
+  // Push passthrough env variables to agent on (re)connection
+  async pushPassthroughEnv(agentId) {
+    const conn = this.connections.get(agentId);
+    if (conn && conn.config.passthroughEnv && conn.config.passthroughEnv.length > 0) {
+      try {
+        await this.agentMutation(agentId, "config.setPassthroughEnv", {
+          names: conn.config.passthroughEnv,
+          values: resolvePassthroughValues(conn.config.passthroughEnv)
+        });
+        console.log("[agent-manager] Pushed passthroughEnv to agent", agentId + ":", conn.config.passthroughEnv.join(", "));
+      } catch (err) {
+        console.error("[agent-manager] Failed to push passthroughEnv to agent", agentId + ":", err instanceof Error ? err.message : String(err));
+      }
+    }
+  }
+  // Push Traefik config to agent on (re)connection or after update
+  async pushTraefikConfig(agentId, config) {
+    const conn = this.connections.get(agentId);
+    if (!conn) return;
+    try {
+      await this.agentMutation(agentId, "config.setTraefikConfig", config);
+    } catch (err) {
+      console.error("[agent-manager] Failed to push Traefik config to agent", agentId + ":", err instanceof Error ? err.message : String(err));
+    }
+  }
+  /** Returns the local agent ID, or first connected agent, or null. */
+  getDefaultAgentId() {
+    const localId = agentSpawner.getLocalAgentId();
+    if (localId && this.connections.get(localId)?.status.connected) return localId;
+    for (const [id, conn] of this.connections) {
+      if (conn.status.connected) return id;
+    }
+    return null;
+  }
+  getAgent(agentId) {
+    return this.connections.get(agentId);
+  }
+  getAgentConfig(agentId) {
+    return this.connections.get(agentId)?.config;
+  }
+  listAgents() {
+    const localId = agentSpawner.getLocalAgentId();
+    return Array.from(this.connections.values()).map((conn) => ({
+      config: { ...conn.config, passphrase: "***" },
+      // Don't expose passphrase
+      status: conn.status,
+      isLocal: conn.config.id === localId
+    }));
+  }
+  getStatus(agentId) {
+    return this.connections.get(agentId)?.status ?? null;
+  }
+  async shutdown() {
+    const ids = [...this.connections.keys()];
+    for (const id of ids) {
+      this.disconnectAgent(id);
+    }
+  }
+};
+var agentManager = new AgentManager();
+
+export {
+  agentStore,
+  ScenarioGroupSchema,
+  ScenarioNodeSchema,
+  ScenarioSchema,
+  AIProviderSchema,
+  JSLogParserSchema,
+  NotificationPreferencesSchema,
+  SettingsSchema,
+  TraefikConfigSchema,
+  SettingsPrivateSchema,
+  SchemaVersionSchema,
+  LogSourceConfigSchema,
+  HealthCheckSchema,
+  DockerConfigSchema,
+  RestartStrategySchema,
+  ServiceShortcutSchema,
+  ServiceCommandSchema,
+  VariableSchema,
+  CreateEnvironmentSchema,
+  UpdateEnvironmentSchema,
+  ApiKeyScopeSchema,
+  ApiKeysFileSchema,
+  KanbanColumnSchema,
+  nativeParsers,
+  JSLogParser,
+  LOG_BUFFER_SIZE,
+  AGENT_LONG_FETCH_TIMEOUT,
+  AGENT_STOP_FETCH_TIMEOUT,
+  SUPPORTED_EDITORS,
+  EDITOR_BY_KEY,
+  environmentStore,
+  serviceStore,
+  agentSpawner,
+  traefikManager,
+  agentManager
+};
+//# sourceMappingURL=chunk-XZPCEGWS.js.map