@schuttdev/gigai 0.1.0-beta.2 → 0.1.0-beta.6

package/dist/dist-DX6G464T.js

@@ -0,0 +1,1164 @@
+#!/usr/bin/env node
+import {
+  AuthStore
+} from "./chunk-OWDYY3IG.js";
+import {
+  generatePairingCode,
+  validateAndPair
+} from "./chunk-FN4LCKUA.js";
+import {
+  ErrorCode,
+  GigaiConfigSchema,
+  GigaiError,
+  decrypt,
+  generateEncryptionKey
+} from "./chunk-4XUWD3DZ.js";
+
+// ../server/dist/index.mjs
+import { parseArgs } from "util";
+import Fastify from "fastify";
+import cors from "@fastify/cors";
+import rateLimit from "@fastify/rate-limit";
+import multipart from "@fastify/multipart";
+import fp from "fastify-plugin";
+import { randomBytes } from "crypto";
+import fp2 from "fastify-plugin";
+import fp3 from "fastify-plugin";
+import { spawn } from "child_process";
+import fp4 from "fastify-plugin";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import { readFile } from "fs/promises";
+import { resolve } from "path";
+import { readFile as fsReadFile, readdir } from "fs/promises";
+import { resolve as resolve2, relative, join } from "path";
+import { realpath } from "fs/promises";
+import { spawn as spawn2 } from "child_process";
+import { writeFile, readFile as readFile2, unlink, mkdir } from "fs/promises";
+import { join as join2 } from "path";
+import { tmpdir } from "os";
+import { nanoid } from "nanoid";
+import { readFile as readFile3 } from "fs/promises";
+import { resolve as resolve3 } from "path";
+import { input, select, checkbox, confirm } from "@inquirer/prompts";
+import { writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { resolve as resolve4, join as join3 } from "path";
+import { input as input2 } from "@inquirer/prompts";
+import { readFile as readFile4, writeFile as writeFile3 } from "fs/promises";
+import { resolve as resolve5 } from "path";
+function connectWithToken(store, encryptedToken, orgUuid, encryptionKey, sessionTtlSeconds) {
+  let payload;
+  try {
+    payload = JSON.parse(encryptedToken);
+  } catch {
+    throw new GigaiError(ErrorCode.TOKEN_INVALID, "Invalid token format");
+  }
+  let decrypted;
+  try {
+    decrypted = decrypt(payload, encryptionKey);
+  } catch {
+    throw new GigaiError(ErrorCode.TOKEN_DECRYPT_FAILED, "Failed to decrypt token");
+  }
+  if (decrypted.orgUuid !== orgUuid) {
+    throw new GigaiError(ErrorCode.ORG_MISMATCH, "Organization UUID mismatch");
+  }
+  return store.createSession(orgUuid, sessionTtlSeconds);
+}
+function validateSession(store, token) {
+  const session = store.getSession(token);
+  if (!session) {
+    throw new GigaiError(ErrorCode.SESSION_INVALID, "Invalid session token");
+  }
+  if (session.expiresAt < Date.now()) {
+    throw new GigaiError(ErrorCode.SESSION_EXPIRED, "Session expired");
+  }
+  return session;
+}
+function createAuthMiddleware(store) {
+  return async function authMiddleware(request, _reply) {
+    const authHeader = request.headers.authorization;
+    if (!authHeader?.startsWith("Bearer ")) {
+      throw new GigaiError(ErrorCode.AUTH_REQUIRED, "Authorization header required");
+    }
+    const token = authHeader.slice(7);
+    const session = validateSession(store, token);
+    request.session = session;
+  };
+}
+function registerAuthRoutes(server, store, config) {
+  const serverFingerprint = randomBytes(16).toString("hex");
+  server.post("/auth/pair", {
+    config: {
+      rateLimit: { max: 5, timeWindow: "1 hour" }
+    },
+    schema: {
+      body: {
+        type: "object",
+        required: ["pairingCode", "orgUuid"],
+        properties: {
+          pairingCode: { type: "string" },
+          orgUuid: { type: "string" }
+        }
+      }
+    }
+  }, async (request) => {
+    const { pairingCode, orgUuid } = request.body;
+    const encryptedToken = validateAndPair(
+      store,
+      pairingCode,
+      orgUuid,
+      config.auth.encryptionKey,
+      serverFingerprint
+    );
+    return { encryptedToken: JSON.stringify(encryptedToken) };
+  });
+  server.post("/auth/connect", {
+    config: {
+      rateLimit: { max: 10, timeWindow: "1 minute" }
+    },
+    schema: {
+      body: {
+        type: "object",
+        required: ["encryptedToken", "orgUuid"],
+        properties: {
+          encryptedToken: { type: "string" },
+          orgUuid: { type: "string" }
+        }
+      }
+    }
+  }, async (request) => {
+    const { encryptedToken, orgUuid } = request.body;
+    const session = connectWithToken(
+      store,
+      encryptedToken,
+      orgUuid,
+      config.auth.encryptionKey,
+      config.auth.sessionTtlSeconds
+    );
+    return {
+      sessionToken: session.token,
+      expiresAt: session.expiresAt
+    };
+  });
+  server.get("/auth/pair/generate", {
+    config: { skipAuth: true }
+  }, async (request) => {
+    const remoteAddr = request.ip;
+    if (remoteAddr !== "127.0.0.1" && remoteAddr !== "::1" && remoteAddr !== "::ffff:127.0.0.1") {
+      throw new GigaiError(ErrorCode.AUTH_REQUIRED, "Pairing code generation is only available from localhost");
+    }
+    const code = generatePairingCode(store, config.auth.pairingTtlSeconds);
+    return { code, expiresIn: config.auth.pairingTtlSeconds };
+  });
+}
+var authPlugin = fp(async (server, opts) => {
+  const store = new AuthStore();
+  const authMiddleware = createAuthMiddleware(store);
+  server.decorate("authStore", store);
+  server.addHook("onRequest", async (request, reply) => {
+    const routeConfig = request.routeOptions?.config ?? {};
+    if (routeConfig.skipAuth) return;
+    if (request.url === "/health") return;
+    if (request.url.startsWith("/auth/")) return;
+    await authMiddleware(request, reply);
+  });
+  registerAuthRoutes(server, store, opts.config);
+  server.addHook("onClose", async () => {
+    store.destroy();
+  });
+}, { name: "auth" });
+var ToolRegistry = class {
+  tools = /* @__PURE__ */ new Map();
+  loadFromConfig(tools) {
+    for (const tool of tools) {
+      this.register(tool);
+    }
+  }
+  register(config) {
+    const entry = { type: config.type, config };
+    this.tools.set(config.name, entry);
+  }
+  get(name) {
+    const entry = this.tools.get(name);
+    if (!entry) {
+      throw new GigaiError(ErrorCode.TOOL_NOT_FOUND, `Tool not found: ${name}`);
+    }
+    return entry;
+  }
+  has(name) {
+    return this.tools.has(name);
+  }
+  list() {
+    return Array.from(this.tools.values()).map((entry) => ({
+      name: entry.config.name,
+      type: entry.config.type,
+      description: entry.config.description
+    }));
+  }
+  getDetail(name) {
+    const entry = this.get(name);
+    const detail = {
+      name: entry.config.name,
+      type: entry.config.type,
+      description: entry.config.description
+    };
+    if (entry.type === "cli") {
+      detail.usage = `${entry.config.command} ${(entry.config.args ?? []).join(" ")} [args...]`;
+    } else if (entry.type === "script") {
+      detail.usage = `${entry.config.path} [args...]`;
+    }
+    return detail;
+  }
+};
+var registryPlugin = fp2(async (server, opts) => {
+  const registry = new ToolRegistry();
+  registry.loadFromConfig(opts.config.tools);
+  server.decorate("registry", registry);
+  server.log.info(`Loaded ${registry.list().length} tools`);
+}, { name: "registry" });
+var MAX_ARG_LENGTH = 64 * 1024;
+function sanitizeArgs(args) {
+  return args.map((arg, i) => {
+    if (arg.includes("\0")) {
+      throw new GigaiError(
+        ErrorCode.VALIDATION_ERROR,
+        `Argument ${i} contains null byte`
+      );
+    }
+    if (arg.length > MAX_ARG_LENGTH) {
+      throw new GigaiError(
+        ErrorCode.VALIDATION_ERROR,
+        `Argument ${i} exceeds maximum length of ${MAX_ARG_LENGTH}`
+      );
+    }
+    return arg;
+  });
+}
+var DEFAULT_TIMEOUT = 3e4;
+var KILL_GRACE_PERIOD = 5e3;
+var MAX_OUTPUT_SIZE = 10 * 1024 * 1024;
+function executeTool(entry, args, timeout) {
+  const sanitized = sanitizeArgs(args);
+  const effectiveTimeout = timeout ?? DEFAULT_TIMEOUT;
+  let command;
+  let spawnArgs;
+  let cwd;
+  let env;
+  switch (entry.type) {
+    case "cli":
+      command = entry.config.command;
+      spawnArgs = [...entry.config.args ?? [], ...sanitized];
+      cwd = entry.config.cwd;
+      env = entry.config.env;
+      break;
+    case "script": {
+      const interpreter = entry.config.interpreter ?? "node";
+      command = interpreter;
+      spawnArgs = [entry.config.path, ...sanitized];
+      break;
+    }
+    default:
+      throw new GigaiError(
+        ErrorCode.EXEC_FAILED,
+        `Cannot execute tool of type: ${entry.type}`
+      );
+  }
+  return new Promise((resolve6, reject) => {
+    const start = Date.now();
+    const stdoutChunks = [];
+    const stderrChunks = [];
+    const child = spawn(command, spawnArgs, {
+      shell: false,
+      cwd,
+      env: env ? { ...process.env, ...env } : process.env,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let killed = false;
+    const timer = setTimeout(() => {
+      killed = true;
+      child.kill("SIGTERM");
+      setTimeout(() => {
+        if (!child.killed) {
+          child.kill("SIGKILL");
+        }
+      }, KILL_GRACE_PERIOD);
+    }, effectiveTimeout);
+    let totalSize = 0;
+    child.stdout.on("data", (chunk) => {
+      totalSize += chunk.length;
+      if (totalSize <= MAX_OUTPUT_SIZE) stdoutChunks.push(chunk);
+      else if (!killed) {
+        killed = true;
+        child.kill("SIGTERM");
+      }
+    });
+    child.stderr.on("data", (chunk) => {
+      totalSize += chunk.length;
+      if (totalSize <= MAX_OUTPUT_SIZE) stderrChunks.push(chunk);
+      else if (!killed) {
+        killed = true;
+        child.kill("SIGTERM");
+      }
+    });
+    child.on("error", (err) => {
+      clearTimeout(timer);
+      reject(new GigaiError(ErrorCode.EXEC_FAILED, `Failed to spawn: ${err.message}`));
+    });
+    child.on("close", (exitCode) => {
+      clearTimeout(timer);
+      const durationMs = Date.now() - start;
+      if (killed) {
+        reject(new GigaiError(ErrorCode.EXEC_TIMEOUT, `Tool execution timed out after ${effectiveTimeout}ms`));
+        return;
+      }
+      resolve6({
+        stdout: Buffer.concat(stdoutChunks).toString("utf8"),
+        stderr: Buffer.concat(stderrChunks).toString("utf8"),
+        exitCode: exitCode ?? 1,
+        durationMs
+      });
+    });
+  });
+}
+var executorPlugin = fp3(async (server) => {
+  server.decorate("executor", {
+    execute: executeTool
+  });
+}, { name: "executor" });
+var McpClientWrapper = class {
+  constructor(config) {
+    this.config = config;
+  }
+  client = null;
+  transport = null;
+  toolsCache = null;
+  connected = false;
+  async ensureConnected() {
+    if (this.connected && this.client) return;
+    this.transport = new StdioClientTransport({
+      command: this.config.command,
+      args: this.config.args,
+      env: this.config.env ? { ...process.env, ...this.config.env } : process.env
+    });
+    this.client = new Client({
+      name: `gigai-${this.config.name}`,
+      version: "0.1.0"
+    });
+    await this.client.connect(this.transport);
+    this.connected = true;
+  }
+  async listTools() {
+    if (this.toolsCache) return this.toolsCache;
+    await this.ensureConnected();
+    const result = await this.client.listTools();
+    this.toolsCache = result.tools.map((t) => ({
+      name: t.name,
+      description: t.description ?? "",
+      inputSchema: t.inputSchema
+    }));
+    return this.toolsCache;
+  }
+  async callTool(toolName, args) {
+    await this.ensureConnected();
+    try {
+      const result = await this.client.callTool({ name: toolName, arguments: args });
+      return {
+        content: result.content ?? [],
+        isError: result.isError ?? false
+      };
+    } catch (err) {
+      throw new GigaiError(
+        ErrorCode.MCP_ERROR,
+        `MCP tool call failed: ${err.message}`
+      );
+    }
+  }
+  async disconnect() {
+    if (this.client && this.connected) {
+      try {
+        await this.client.close();
+      } catch {
+      }
+      this.client = null;
+      this.transport = null;
+      this.connected = false;
+      this.toolsCache = null;
+    }
+  }
+  get isConnected() {
+    return this.connected;
+  }
+  get name() {
+    return this.config.name;
+  }
+};
+var McpPool = class {
+  clients = /* @__PURE__ */ new Map();
+  loadFromConfig(tools) {
+    for (const tool of tools) {
+      this.clients.set(tool.name, new McpClientWrapper(tool));
+    }
+  }
+  getClient(name) {
+    const client = this.clients.get(name);
+    if (!client) {
+      throw new GigaiError(ErrorCode.TOOL_NOT_FOUND, `MCP tool not found: ${name}`);
+    }
+    return client;
+  }
+  has(name) {
+    return this.clients.has(name);
+  }
+  async listToolsFor(name) {
+    const client = this.getClient(name);
+    return client.listTools();
+  }
+  list() {
+    return Array.from(this.clients.keys());
+  }
+  async shutdownAll() {
+    const disconnects = Array.from(this.clients.values()).map((c) => c.disconnect());
+    await Promise.allSettled(disconnects);
+    this.clients.clear();
+  }
+};
+var McpLifecycleManager = class {
+  constructor(pool) {
+    this.pool = pool;
+  }
+  healthCheckInterval = null;
+  startHealthChecks(intervalMs = 3e4) {
+    this.healthCheckInterval = setInterval(async () => {
+      for (const name of this.pool.list()) {
+        try {
+          const client = this.pool.getClient(name);
+          if (client.isConnected) {
+            await client.listTools();
+          }
+        } catch {
+        }
+      }
+    }, intervalMs);
+  }
+  async shutdown() {
+    if (this.healthCheckInterval) {
+      clearInterval(this.healthCheckInterval);
+      this.healthCheckInterval = null;
+    }
+    await this.pool.shutdownAll();
+  }
+};
+var mcpPlugin = fp4(async (server, opts) => {
+  const pool = new McpPool();
+  const mcpTools = opts.config.tools.filter(
+    (t) => t.type === "mcp"
+  );
+  pool.loadFromConfig(mcpTools);
+  server.decorate("mcpPool", pool);
+  const lifecycle = new McpLifecycleManager(pool);
+  lifecycle.startHealthChecks();
+  server.log.info(`MCP pool initialized with ${mcpTools.length} servers`);
+  server.addHook("onClose", async () => {
+    await lifecycle.shutdown();
+  });
+}, { name: "mcp" });
+var startTime = Date.now();
+async function healthRoutes(server) {
+  server.get("/health", {
+    config: { skipAuth: true }
+  }, async () => {
+    let version = "0.1.0";
+    try {
+      const pkg = JSON.parse(
+        await readFile(resolve(import.meta.dirname ?? ".", "../package.json"), "utf8")
+      );
+      version = pkg.version;
+    } catch {
+    }
+    return {
+      status: "ok",
+      version,
+      uptime: Date.now() - startTime
+    };
+  });
+}
+async function toolRoutes(server) {
+  server.get("/tools", async () => {
+    return { tools: server.registry.list() };
+  });
+  server.get("/tools/:name", async (request) => {
+    const { name } = request.params;
+    const detail = server.registry.getDetail(name);
+    const entry = server.registry.get(name);
+    if (entry.type === "mcp") {
+      try {
+        const mcpTools = await server.mcpPool.listToolsFor(name);
+        detail.mcpTools = mcpTools;
+      } catch {
+      }
+    }
+    return { tool: detail };
+  });
+  server.get("/tools/:name/mcp", async (request) => {
+    const { name } = request.params;
+    const entry = server.registry.get(name);
+    if (entry.type !== "mcp") {
+      return { tools: [] };
+    }
+    const mcpTools = await server.mcpPool.listToolsFor(name);
+    return { tools: mcpTools };
+  });
+}
+async function validatePath(targetPath, allowedPaths) {
+  const resolved = resolve2(targetPath);
+  let real;
+  try {
+    real = await realpath(resolved);
+  } catch {
+    real = resolved;
+  }
+  const isAllowed = allowedPaths.some((allowed) => {
+    const resolvedAllowed = resolve2(allowed);
+    const allowedPrefix = resolvedAllowed.endsWith("/") ? resolvedAllowed : resolvedAllowed + "/";
+    return real === resolvedAllowed || real.startsWith(allowedPrefix) || resolved === resolvedAllowed || resolved.startsWith(allowedPrefix);
+  });
+  if (!isAllowed) {
+    throw new GigaiError(
+      ErrorCode.PATH_NOT_ALLOWED,
+      `Path not within allowed directories: ${targetPath}`
+    );
+  }
+  return resolved;
+}
+async function readFileSafe(path, allowedPaths) {
+  const safePath = await validatePath(path, allowedPaths);
+  return fsReadFile(safePath, "utf8");
+}
+async function listDirSafe(path, allowedPaths) {
+  const safePath = await validatePath(path, allowedPaths);
+  const entries = await readdir(safePath, { withFileTypes: true });
+  return entries.map((e) => ({
+    name: e.name,
+    type: e.isDirectory() ? "directory" : "file"
+  }));
+}
+async function searchFilesSafe(path, pattern, allowedPaths) {
+  const safePath = await validatePath(path, allowedPaths);
+  const results = [];
+  let regex;
+  try {
+    regex = new RegExp(pattern, "i");
+  } catch {
+    throw new GigaiError(ErrorCode.VALIDATION_ERROR, `Invalid search pattern: ${pattern}`);
+  }
+  async function walk(dir) {
+    const entries = await readdir(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = join(dir, entry.name);
+      if (regex.test(entry.name)) {
+        results.push(relative(safePath, fullPath));
+      }
+      if (entry.isDirectory()) {
+        await walk(fullPath);
+      }
+    }
+  }
+  await walk(safePath);
+  return results;
+}
+var SHELL_INTERPRETERS = /* @__PURE__ */ new Set([
+  "sh",
+  "bash",
+  "zsh",
+  "fish",
+  "csh",
+  "tcsh",
+  "dash",
+  "ksh",
+  "env",
+  "xargs",
+  "nohup",
+  "strace",
+  "ltrace"
+]);
+var MAX_OUTPUT_SIZE2 = 10 * 1024 * 1024;
+async function execCommandSafe(command, args, config) {
+  if (!config.allowlist.includes(command)) {
+    throw new GigaiError(
+      ErrorCode.COMMAND_NOT_ALLOWED,
+      `Command not in allowlist: ${command}. Allowed: ${config.allowlist.join(", ")}`
+    );
+  }
+  if (command === "sudo" && !config.allowSudo) {
+    throw new GigaiError(ErrorCode.COMMAND_NOT_ALLOWED, "sudo is not allowed");
+  }
+  if (SHELL_INTERPRETERS.has(command)) {
+    throw new GigaiError(
+      ErrorCode.COMMAND_NOT_ALLOWED,
+      `Shell interpreter not allowed: ${command}`
+    );
+  }
+  for (const arg of args) {
+    if (arg.includes("\0")) {
+      throw new GigaiError(ErrorCode.VALIDATION_ERROR, "Null byte in argument");
+    }
+  }
+  return new Promise((resolve6, reject) => {
+    const child = spawn2(command, args, {
+      shell: false,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    const stdoutChunks = [];
+    const stderrChunks = [];
+    let totalSize = 0;
+    child.stdout.on("data", (chunk) => {
+      totalSize += chunk.length;
+      if (totalSize <= MAX_OUTPUT_SIZE2) stdoutChunks.push(chunk);
+      else child.kill("SIGTERM");
+    });
+    child.stderr.on("data", (chunk) => {
+      totalSize += chunk.length;
+      if (totalSize <= MAX_OUTPUT_SIZE2) stderrChunks.push(chunk);
+      else child.kill("SIGTERM");
+    });
+    child.on("error", (err) => {
+      reject(new GigaiError(ErrorCode.EXEC_FAILED, `Failed to spawn ${command}: ${err.message}`));
+    });
+    child.on("close", (exitCode) => {
+      resolve6({
+        stdout: Buffer.concat(stdoutChunks).toString("utf8"),
+        stderr: Buffer.concat(stderrChunks).toString("utf8"),
+        exitCode: exitCode ?? 1
+      });
+    });
+  });
+}
+async function execRoutes(server) {
+  server.post("/exec", {
+    config: {
+      rateLimit: { max: 60, timeWindow: "1 minute" }
+    },
+    schema: {
+      body: {
+        type: "object",
+        required: ["tool", "args"],
+        properties: {
+          tool: { type: "string" },
+          args: { type: "array", items: { type: "string" } },
+          timeout: { type: "number" }
+        }
+      }
+    }
+  }, async (request) => {
+    const { tool, args, timeout } = request.body;
+    const entry = server.registry.get(tool);
+    if (entry.type === "builtin") {
+      return handleBuiltin(entry.config, args);
+    }
+    const result = await server.executor.execute(entry, args, timeout);
+    return result;
+  });
+  server.post("/exec/mcp", {
+    config: {
+      rateLimit: { max: 60, timeWindow: "1 minute" }
+    },
+    schema: {
+      body: {
+        type: "object",
+        required: ["tool", "mcpTool", "args"],
+        properties: {
+          tool: { type: "string" },
+          mcpTool: { type: "string" },
+          args: { type: "object" }
+        }
+      }
+    }
+  }, async (request) => {
+    const { tool, mcpTool, args } = request.body;
+    const entry = server.registry.get(tool);
+    if (entry.type !== "mcp") {
+      throw new GigaiError(ErrorCode.VALIDATION_ERROR, `Tool ${tool} is not an MCP tool`);
+    }
+    const start = Date.now();
+    const client = server.mcpPool.getClient(tool);
+    const result = await client.callTool(mcpTool, args);
+    return {
+      content: result.content,
+      isError: result.isError,
+      durationMs: Date.now() - start
+    };
+  });
+}
+async function handleBuiltin(config, args) {
+  const builtinConfig = config.config ?? {};
+  switch (config.builtin) {
+    case "filesystem": {
+      const allowedPaths = builtinConfig.allowedPaths ?? ["."];
+      const subcommand = args[0];
+      const target = args[1] ?? ".";
+      switch (subcommand) {
+        case "read":
+          return { stdout: await readFileSafe(target, allowedPaths), stderr: "", exitCode: 0, durationMs: 0 };
+        case "list":
+          return { stdout: JSON.stringify(await listDirSafe(target, allowedPaths), null, 2), stderr: "", exitCode: 0, durationMs: 0 };
+        case "search":
+          return { stdout: JSON.stringify(await searchFilesSafe(target, args[2] ?? ".*", allowedPaths), null, 2), stderr: "", exitCode: 0, durationMs: 0 };
+        default:
+          throw new GigaiError(ErrorCode.VALIDATION_ERROR, `Unknown filesystem subcommand: ${subcommand}. Use: read, list, search`);
+      }
+    }
+    case "shell": {
+      const allowlist = builtinConfig.allowlist ?? [];
+      const allowSudo = builtinConfig.allowSudo ?? false;
+      const command = args[0];
+      if (!command) {
+        throw new GigaiError(ErrorCode.VALIDATION_ERROR, "No command specified");
+      }
+      const result = await execCommandSafe(command, args.slice(1), { allowlist, allowSudo });
+      return { ...result, durationMs: 0 };
+    }
+    default:
+      throw new GigaiError(ErrorCode.VALIDATION_ERROR, `Unknown builtin: ${config.builtin}`);
+  }
+}
+var transfers = /* @__PURE__ */ new Map();
+var TRANSFER_DIR = join2(tmpdir(), "gigai-transfers");
+var TRANSFER_TTL = 60 * 60 * 1e3;
+setInterval(async () => {
+  const now = Date.now();
+  for (const [id, entry] of transfers) {
+    if (entry.expiresAt < now) {
+      transfers.delete(id);
+      try {
+        await unlink(entry.path);
+      } catch {
+      }
+    }
+  }
+}, 6e4);
+async function transferRoutes(server) {
+  await mkdir(TRANSFER_DIR, { recursive: true });
+  server.post("/transfer/upload", async (request) => {
+    const data = await request.file();
+    if (!data) {
+      throw new GigaiError(ErrorCode.VALIDATION_ERROR, "No file uploaded");
+    }
+    const id = nanoid(16);
+    const buffer = await data.toBuffer();
+    const filePath = join2(TRANSFER_DIR, id);
+    await writeFile(filePath, buffer);
+    const entry = {
+      id,
+      path: filePath,
+      filename: data.filename,
+      mimeType: data.mimetype,
+      expiresAt: Date.now() + TRANSFER_TTL
+    };
+    transfers.set(id, entry);
+    return {
+      id,
+      expiresAt: entry.expiresAt
+    };
+  });
+  server.get("/transfer/:id", async (request, reply) => {
+    const { id } = request.params;
+    const entry = transfers.get(id);
+    if (!entry) {
+      throw new GigaiError(ErrorCode.TRANSFER_NOT_FOUND, "Transfer not found");
+    }
+    if (entry.expiresAt < Date.now()) {
+      transfers.delete(id);
+      throw new GigaiError(ErrorCode.TRANSFER_EXPIRED, "Transfer expired");
+    }
+    const content = await readFile2(entry.path);
+    reply.type(entry.mimeType).send(content);
+  });
+}
+async function createServer(opts) {
+  const { config, dev = false } = opts;
+  const server = Fastify({
+    logger: {
+      level: dev ? "debug" : "info"
+    },
+    trustProxy: !dev
+    // Only trust proxy headers in production (behind HTTPS reverse proxy)
+  });
+  if (!dev) {
+    server.addHook("onRequest", async (request, _reply) => {
+      if (request.protocol !== "https") {
+        throw new GigaiError(ErrorCode.HTTPS_REQUIRED, "HTTPS is required");
+      }
+    });
+  }
+  await server.register(cors, { origin: false });
+  await server.register(rateLimit, { max: 100, timeWindow: "1 minute" });
+  await server.register(multipart, { limits: { fileSize: 50 * 1024 * 1024 } });
+  await server.register(authPlugin, { config });
+  await server.register(registryPlugin, { config });
+  await server.register(executorPlugin);
+  await server.register(mcpPlugin, { config });
+  await server.register(healthRoutes);
+  await server.register(toolRoutes);
+  await server.register(execRoutes);
+  await server.register(transferRoutes);
+  server.setErrorHandler((error, _request, reply) => {
+    if (error instanceof GigaiError) {
+      reply.status(error.statusCode).send(error.toJSON());
+      return;
+    }
+    if ("statusCode" in error && error.statusCode === 429) {
+      reply.status(429).send({
+        error: { code: ErrorCode.RATE_LIMITED, message: "Too many requests" }
+      });
+      return;
+    }
+    server.log.error(error);
+    reply.status(500).send({
+      error: { code: ErrorCode.INTERNAL_ERROR, message: "Internal server error" }
+    });
+  });
+  return server;
+}
+var DEFAULT_CONFIG_PATH = "gigai.config.json";
+async function loadConfig(path) {
+  const configPath = resolve3(path ?? DEFAULT_CONFIG_PATH);
+  const raw = await readFile3(configPath, "utf8");
+  const json = JSON.parse(raw);
+  return GigaiConfigSchema.parse(json);
+}
+async function runInit() {
+  console.log("\n  gigai server setup\n");
+  const httpsProvider = await select({
+    message: "HTTPS provider:",
+    choices: [
+      { name: "Tailscale Funnel (recommended)", value: "tailscale" },
+      { name: "Cloudflare Tunnel", value: "cloudflare" },
+      { name: "Let's Encrypt", value: "letsencrypt" },
+      { name: "Manual (provide certs)", value: "manual" },
+      { name: "None (dev mode only)", value: "none" }
+    ]
+  });
+  let httpsConfig;
+  switch (httpsProvider) {
+    case "tailscale":
+      httpsConfig = {
+        provider: "tailscale",
+        funnelPort: 7443
+      };
+      console.log("  Will use Tailscale Funnel for HTTPS.");
+      break;
+    case "cloudflare": {
+      const tunnelName = await input({
+        message: "Cloudflare tunnel name:",
+        default: "gigai"
+      });
+      const domain = await input({
+        message: "Domain (optional):"
+      });
+      httpsConfig = {
+        provider: "cloudflare",
+        tunnelName,
+        ...domain && { domain }
+      };
+      break;
+    }
+    case "letsencrypt": {
+      const domain = await input({
+        message: "Domain name:",
+        required: true
+      });
+      const email = await input({
+        message: "Email for Let's Encrypt:",
+        required: true
+      });
+      httpsConfig = {
+        provider: "letsencrypt",
+        domain,
+        email
+      };
+      break;
+    }
+    case "manual": {
+      const certPath = await input({
+        message: "Path to TLS certificate:",
+        required: true
+      });
+      const keyPath = await input({
+        message: "Path to TLS private key:",
+        required: true
+      });
+      httpsConfig = {
+        provider: "manual",
+        certPath,
+        keyPath
+      };
+      break;
+    }
+    case "none":
+    default:
+      httpsConfig = void 0;
+      console.log("  No HTTPS \u2014 dev mode only.");
+      break;
+  }
+  const portStr = await input({
+    message: "Server port:",
+    default: "7443"
+  });
+  const port = parseInt(portStr, 10);
+  const selectedBuiltins = await checkbox({
+    message: "Built-in tools to enable:",
+    choices: [
+      { name: "Filesystem (read/list/search files)", value: "filesystem", checked: true },
+      { name: "Shell (execute allowed commands)", value: "shell", checked: true }
+    ]
+  });
+  const tools = [];
+  if (selectedBuiltins.includes("filesystem")) {
+    const pathsStr = await input({
+      message: "Allowed filesystem paths (comma-separated):",
+      default: process.env.HOME ?? "~"
+    });
+    const allowedPaths = pathsStr.split(",").map((p) => p.trim());
+    tools.push({
+      type: "builtin",
+      name: "fs",
+      builtin: "filesystem",
+      description: "Read, list, and search files",
+      config: { allowedPaths }
+    });
+  }
+  if (selectedBuiltins.includes("shell")) {
+    const allowlistStr = await input({
+      message: "Allowed shell commands (comma-separated):",
+      default: "ls,cat,head,tail,grep,find,wc,echo,date,whoami,pwd,git,npm,node"
+    });
+    const allowlist = allowlistStr.split(",").map((c) => c.trim());
+    const allowSudo = await confirm({
+      message: "Allow sudo?",
+      default: false
+    });
+    tools.push({
+      type: "builtin",
+      name: "shell",
+      builtin: "shell",
+      description: "Execute allowed shell commands",
+      config: { allowlist, allowSudo }
+    });
+  }
+  const encryptionKey = generateEncryptionKey();
+  const config = {
+    server: {
+      port,
+      host: "0.0.0.0",
+      ...httpsConfig && { https: httpsConfig }
+    },
+    auth: {
+      encryptionKey,
+      pairingTtlSeconds: 300,
+      sessionTtlSeconds: 14400
+    },
+    tools
+  };
+  const configPath = resolve4("gigai.config.json");
+  await writeFile2(configPath, JSON.stringify(config, null, 2) + "\n", { mode: 384 });
+  console.log(`
+  Config written to: ${configPath}`);
+  const skillDir = resolve4("gigai-skill");
+  await mkdir2(skillDir, { recursive: true });
+  const skillMd = `# gigai Skill
+
+This skill gives you access to tools running on the user's machine via the gigai CLI.
+
+## Setup
+
+The gigai CLI is pre-installed. To use it:
+
+1. Connect to the server: \`gigai connect\`
+2. List available tools: \`gigai list\`
+3. Get help on a tool: \`gigai help <tool-name>\`
+4. Use a tool: \`gigai <tool-name> [args...]\`
+
+## File Transfer
+
+- Upload: \`gigai upload <file>\`
+- Download: \`gigai download <id> <dest>\`
+
+## Notes
+
+- The connection is authenticated and encrypted
+- Tools are scoped to what the user has configured
+- If a command fails, check \`gigai status\` for connection info
+`;
+  await writeFile2(join3(skillDir, "SKILL.md"), skillMd);
+  const skillConfig = {
+    server: "<YOUR_SERVER_URL>",
+    token: "<PASTE_ENCRYPTED_TOKEN_HERE>"
+  };
+  await writeFile2(join3(skillDir, "config.json"), JSON.stringify(skillConfig, null, 2) + "\n");
+  console.log(`  Skill template written to: ${skillDir}/`);
+  const store = new AuthStore();
+  const code = generatePairingCode(store, config.auth.pairingTtlSeconds);
+  console.log(`
+  Pairing code: ${code}`);
+  console.log(`  Expires in ${config.auth.pairingTtlSeconds / 60} minutes.`);
+  console.log(`
+  Start the server with: gigai server start${httpsConfig ? "" : " --dev"}`);
+  store.destroy();
+}
+async function loadConfigFile(path) {
+  const configPath = resolve5(path ?? "gigai.config.json");
+  const raw = await readFile4(configPath, "utf8");
+  const config = GigaiConfigSchema.parse(JSON.parse(raw));
+  return { config, path: configPath };
+}
+async function saveConfig(config, path) {
+  await writeFile3(path, JSON.stringify(config, null, 2) + "\n");
+}
+async function wrapCli() {
+  const { config, path } = await loadConfigFile();
+  const name = await input2({ message: "Tool name:", required: true });
+  const command = await input2({ message: "Command:", required: true });
+  const description = await input2({ message: "Description:", required: true });
+  const argsStr = await input2({ message: "Default args (space-separated, optional):" });
+  const timeoutStr = await input2({ message: "Timeout in ms (optional):", default: "30000" });
+  const tool = {
+    type: "cli",
+    name,
+    command,
+    description,
+    ...argsStr && { args: argsStr.split(" ").filter(Boolean) },
+    timeout: parseInt(timeoutStr, 10)
+  };
+  config.tools.push(tool);
+  await saveConfig(config, path);
+  console.log(`Added CLI tool: ${name}`);
+}
+async function wrapMcp() {
+  const { config, path } = await loadConfigFile();
+  const name = await input2({ message: "Tool name:", required: true });
+  const command = await input2({ message: "MCP server command:", required: true });
+  const description = await input2({ message: "Description:", required: true });
+  const argsStr = await input2({ message: "Command args (space-separated, optional):" });
+  const envStr = await input2({
+    message: "Environment variables (KEY=VALUE, comma-separated, optional):"
+  });
+  const env = {};
+  if (envStr) {
+    for (const pair of envStr.split(",")) {
+      const [k, ...v] = pair.trim().split("=");
+      if (k && v.length > 0) {
+        env[k.trim()] = v.join("=").trim();
+      }
+    }
+  }
+  const tool = {
+    type: "mcp",
+    name,
+    command,
+    description,
+    ...argsStr && { args: argsStr.split(" ").filter(Boolean) },
+    ...Object.keys(env).length > 0 && { env }
+  };
+  config.tools.push(tool);
+  await saveConfig(config, path);
+  console.log(`Added MCP tool: ${name}`);
+}
+async function wrapScript() {
+  const { config, path } = await loadConfigFile();
+  const name = await input2({ message: "Tool name:", required: true });
+  const scriptPath = await input2({ message: "Script path:", required: true });
+  const description = await input2({ message: "Description:", required: true });
+  const interpreter = await input2({ message: "Interpreter:", default: "node" });
+  const tool = {
+    type: "script",
+    name,
+    path: scriptPath,
+    description,
+    interpreter
+  };
+  config.tools.push(tool);
+  await saveConfig(config, path);
+  console.log(`Added script tool: ${name}`);
+}
+async function wrapImport(configFilePath) {
+  const { config, path } = await loadConfigFile();
+  const raw = await readFile4(resolve5(configFilePath), "utf8");
+  const desktopConfig = JSON.parse(raw);
+  const mcpServers = desktopConfig.mcpServers ?? {};
+  for (const [serverName, serverConfig] of Object.entries(mcpServers)) {
+    const sc = serverConfig;
+    const tool = {
+      type: "mcp",
+      name: serverName,
+      command: sc.command,
+      description: `Imported MCP server: ${serverName}`,
+      ...sc.args && { args: sc.args },
+      ...sc.env && { env: sc.env }
+    };
+    config.tools.push(tool);
+    console.log(`  Imported: ${serverName}`);
+  }
+  await saveConfig(config, path);
+  console.log(`
+Imported ${Object.keys(mcpServers).length} MCP servers.`);
+}
+async function unwrapTool(name) {
+  const { config, path } = await loadConfigFile();
+  const idx = config.tools.findIndex((t) => t.name === name);
+  if (idx === -1) {
+    console.error(`Tool not found: ${name}`);
+    process.exitCode = 1;
+    return;
+  }
+  config.tools.splice(idx, 1);
+  await saveConfig(config, path);
+  console.log(`Removed tool: ${name}`);
+}
+async function generateServerPairingCode(configPath) {
+  const { config } = await loadConfigFile(configPath);
+  const { AuthStore: AuthStore2 } = await import("./store-Y4V3TOYJ-GKOB6ANA.js");
+  const { generatePairingCode: generatePairingCode2 } = await import("./pairing-IGMDVOIZ-RA7GNFU7.js");
+  const store = new AuthStore2();
+  const code = generatePairingCode2(store, config.auth.pairingTtlSeconds);
+  console.log(`
+Pairing code: ${code}`);
+  console.log(`Expires in ${config.auth.pairingTtlSeconds / 60} minutes.`);
+  console.log(`
+Note: The server must be running for the client to use this code.`);
+  console.log(`For a live pairing code, use the server's /auth/pair/generate endpoint.`);
+  store.destroy();
+}
+async function startServer() {
+  const { values } = parseArgs({
+    options: {
+      config: { type: "string", short: "c" },
+      dev: { type: "boolean", default: false }
+    },
+    strict: false
+  });
+  const config = await loadConfig(values.config);
+  const server = await createServer({ config, dev: values.dev });
+  const port = config.server.port;
+  const host = config.server.host;
+  await server.listen({ port, host });
+  server.log.info(`gigai server listening on ${host}:${port}`);
+  const shutdown = async () => {
+    server.log.info("Shutting down...");
+    await server.close();
+    process.exit(0);
+  };
+  process.on("SIGTERM", shutdown);
+  process.on("SIGINT", shutdown);
+}
+export {
+  createServer,
+  generateServerPairingCode,
+  loadConfig,
+  runInit,
+  startServer,
+  unwrapTool,
+  wrapCli,
+  wrapImport,
+  wrapMcp,
+  wrapScript
+};