@schuttdev/gigai 0.1.0-beta.8 → 0.2.2

package/dist/{dist-YHKBLFWY.js → dist-U7NYIMA4.js}

@@ -1,11 +1,4 @@
 #!/usr/bin/env node
-import {
-  AuthStore
-} from "./chunk-OWDYY3IG.js";
-import {
-  generatePairingCode,
-  validateAndPair
-} from "./chunk-FN4LCKUA.js";
 import {
   ErrorCode,
   GigaiConfigSchema,
@@ -13,7 +6,7 @@ import {
   decrypt,
   encrypt,
   generateEncryptionKey
-} from "./chunk-4XUWD3DZ.js";
+} from "./chunk-7C3UYEKE.js";
 
 // ../server/dist/index.mjs
 import { parseArgs } from "util";
@@ -22,7 +15,10 @@ import cors from "@fastify/cors";
 import rateLimit from "@fastify/rate-limit";
 import multipart from "@fastify/multipart";
 import fp from "fastify-plugin";
+import { nanoid } from "nanoid";
 import { randomBytes } from "crypto";
+import { hostname } from "os";
+import { nanoid as nanoid2 } from "nanoid";
 import fp2 from "fastify-plugin";
 import fp3 from "fastify-plugin";
 import { spawn } from "child_process";
@@ -38,18 +34,91 @@ import { spawn as spawn2 } from "child_process";
 import { writeFile, readFile as readFile2, unlink, mkdir } from "fs/promises";
 import { join as join2 } from "path";
 import { tmpdir } from "os";
-import { nanoid } from "nanoid";
+import { nanoid as nanoid3 } from "nanoid";
+import { execFile, spawn as spawn3 } from "child_process";
+import { promisify } from "util";
 import { readFile as readFile3 } from "fs/promises";
 import { resolve as resolve3 } from "path";
+import { spawn as spawn4 } from "child_process";
+import { spawn as spawn5 } from "child_process";
 import { input, select, checkbox, confirm } from "@inquirer/prompts";
-import { writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { resolve as resolve4, join as join3 } from "path";
-import { execFile } from "child_process";
-import { promisify } from "util";
-import { randomBytes as randomBytes2 } from "crypto";
+import { writeFile as writeFile2 } from "fs/promises";
+import { resolve as resolve4 } from "path";
+import { execFile as execFile2, spawn as spawn6 } from "child_process";
+import { promisify as promisify2 } from "util";
 import { input as input2 } from "@inquirer/prompts";
 import { readFile as readFile4, writeFile as writeFile3 } from "fs/promises";
 import { resolve as resolve5 } from "path";
+import { writeFile as writeFile4 } from "fs/promises";
+import { resolve as resolve6, join as join3 } from "path";
+import { homedir, platform } from "os";
+import { execFile as execFile3 } from "child_process";
+import { promisify as promisify3 } from "util";
+var AuthStore = class {
+  pairingCodes = /* @__PURE__ */ new Map();
+  sessions = /* @__PURE__ */ new Map();
+  cleanupInterval;
+  constructor() {
+    this.cleanupInterval = setInterval(() => this.cleanup(), 6e4);
+  }
+  // Pairing codes
+  addPairingCode(code, ttlSeconds) {
+    const entry = {
+      code,
+      expiresAt: Date.now() + ttlSeconds * 1e3,
+      used: false
+    };
+    this.pairingCodes.set(code, entry);
+    return entry;
+  }
+  getPairingCode(code) {
+    return this.pairingCodes.get(code);
+  }
+  markPairingCodeUsed(code) {
+    const entry = this.pairingCodes.get(code);
+    if (entry) {
+      entry.used = true;
+    }
+  }
+  // Sessions
+  createSession(orgUuid, ttlSeconds) {
+    const session = {
+      id: nanoid(32),
+      orgUuid,
+      token: nanoid(48),
+      expiresAt: Date.now() + ttlSeconds * 1e3,
+      lastActivity: Date.now()
+    };
+    this.sessions.set(session.token, session);
+    return session;
+  }
+  getSession(token) {
+    const session = this.sessions.get(token);
+    if (session) {
+      session.lastActivity = Date.now();
+    }
+    return session;
+  }
+  // Cleanup
+  cleanup() {
+    const now = Date.now();
+    for (const [key, code] of this.pairingCodes) {
+      if (code.expiresAt < now) {
+        this.pairingCodes.delete(key);
+      }
+    }
+    for (const [key, session] of this.sessions) {
+      if (session.expiresAt < now) {
+        this.sessions.delete(key);
+      }
+    }
+  }
+  destroy() {
+    clearInterval(this.cleanupInterval);
+    this.pairingCodes.clear();
+    this.sessions.clear();
+  }
+};
 function connectWithToken(store, encryptedToken, orgUuid, encryptionKey, sessionTtlSeconds) {
   let payload;
   try {
@@ -63,7 +132,7 @@ function connectWithToken(store, encryptedToken, orgUuid, encryptionKey, session
   } catch {
     throw new GigaiError(ErrorCode.TOKEN_DECRYPT_FAILED, "Failed to decrypt token");
   }
-  if (decrypted.orgUuid !== "*" && decrypted.orgUuid !== orgUuid) {
+  if (decrypted.orgUuid !== orgUuid) {
     throw new GigaiError(ErrorCode.ORG_MISMATCH, "Organization UUID mismatch");
   }
   return store.createSession(orgUuid, sessionTtlSeconds);
@@ -89,8 +158,37 @@ function createAuthMiddleware(store) {
     request.session = session;
   };
 }
+var PAIRING_CODE_LENGTH = 8;
+var PAIRING_CODE_CHARS = "0123456789ABCDEFGHJKLMNPQRSTUVWXYZ";
+function generatePairingCode(store, ttlSeconds) {
+  let code = "";
+  const bytes = nanoid2(PAIRING_CODE_LENGTH);
+  for (let i = 0; i < PAIRING_CODE_LENGTH; i++) {
+    code += PAIRING_CODE_CHARS[bytes.charCodeAt(i) % PAIRING_CODE_CHARS.length];
+  }
+  store.addPairingCode(code, ttlSeconds);
+  return code;
+}
+function validateAndPair(store, code, orgUuid, encryptionKey, serverFingerprint) {
+  const entry = store.getPairingCode(code.toUpperCase());
+  if (!entry) {
+    throw new GigaiError(ErrorCode.PAIRING_INVALID, "Invalid pairing code");
+  }
+  if (entry.used) {
+    throw new GigaiError(ErrorCode.PAIRING_USED, "Pairing code already used");
+  }
+  if (entry.expiresAt < Date.now()) {
+    throw new GigaiError(ErrorCode.PAIRING_EXPIRED, "Pairing code expired");
+  }
+  store.markPairingCodeUsed(code.toUpperCase());
+  return encrypt(
+    { orgUuid, serverFingerprint, createdAt: Date.now() },
+    encryptionKey
+  );
+}
 function registerAuthRoutes(server, store, config) {
   const serverFingerprint = randomBytes(16).toString("hex");
+  const serverName = config.serverName ?? hostname();
   server.post("/auth/pair", {
     config: {
       rateLimit: { max: 5, timeWindow: "1 hour" }
@@ -114,7 +212,7 @@ function registerAuthRoutes(server, store, config) {
       config.auth.encryptionKey,
       serverFingerprint
     );
-    return { encryptedToken: JSON.stringify(encryptedToken) };
+    return { encryptedToken: JSON.stringify(encryptedToken), serverName };
   });
   server.post("/auth/connect", {
     config: {
@@ -267,7 +365,7 @@ function executeTool(entry, args, timeout) {
         `Cannot execute tool of type: ${entry.type}`
       );
   }
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve7, reject) => {
     const start = Date.now();
     const stdoutChunks = [];
     const stderrChunks = [];
@@ -315,7 +413,7 @@ function executeTool(entry, args, timeout) {
         reject(new GigaiError(ErrorCode.EXEC_TIMEOUT, `Tool execution timed out after ${effectiveTimeout}ms`));
         return;
       }
-      resolve6({
+      resolve7({
         stdout: Buffer.concat(stdoutChunks).toString("utf8"),
         stderr: Buffer.concat(stderrChunks).toString("utf8"),
         exitCode: exitCode ?? 1,
@@ -607,7 +705,7 @@ async function execCommandSafe(command, args, config) {
       throw new GigaiError(ErrorCode.VALIDATION_ERROR, "Null byte in argument");
     }
   }
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve7, reject) => {
     const child = spawn2(command, args, {
       shell: false,
       stdio: ["ignore", "pipe", "pipe"]
@@ -629,7 +727,7 @@ async function execCommandSafe(command, args, config) {
       reject(new GigaiError(ErrorCode.EXEC_FAILED, `Failed to spawn ${command}: ${err.message}`));
     });
     child.on("close", (exitCode) => {
-      resolve6({
+      resolve7({
         stdout: Buffer.concat(stdoutChunks).toString("utf8"),
         stderr: Buffer.concat(stderrChunks).toString("utf8"),
         exitCode: exitCode ?? 1
@@ -747,7 +845,7 @@ async function transferRoutes(server) {
     if (!data) {
       throw new GigaiError(ErrorCode.VALIDATION_ERROR, "No file uploaded");
     }
-    const id = nanoid(16);
+    const id = nanoid3(16);
     const buffer = await data.toBuffer();
     const filePath = join2(TRANSFER_DIR, id);
     await writeFile(filePath, buffer);
@@ -778,6 +876,48 @@ async function transferRoutes(server) {
     reply.type(entry.mimeType).send(content);
   });
 }
+var execFileAsync = promisify(execFile);
+async function adminRoutes(server) {
+  server.post("/admin/update", async (_request, reply) => {
+    try {
+      const { stdout, stderr } = await execFileAsync(
+        "npm",
+        ["install", "-g", "@schuttdev/gigai@latest"],
+        { timeout: 12e4 }
+      );
+      server.log.info(`Update output: ${stdout}`);
+      if (stderr) server.log.warn(`Update stderr: ${stderr}`);
+    } catch (e) {
+      server.log.error(`Update failed: ${e.message}`);
+      reply.status(500);
+      return { updated: false, error: e.message };
+    }
+    setTimeout(async () => {
+      server.log.info("Restarting server after update...");
+      const args = ["server", "start"];
+      const configIdx = process.argv.indexOf("--config");
+      if (configIdx !== -1 && process.argv[configIdx + 1]) {
+        args.push("--config", process.argv[configIdx + 1]);
+      }
+      const shortIdx = process.argv.indexOf("-c");
+      if (shortIdx !== -1 && process.argv[shortIdx + 1]) {
+        args.push("--config", process.argv[shortIdx + 1]);
+      }
+      if (process.argv.includes("--dev")) {
+        args.push("--dev");
+      }
+      await server.close();
+      const child = spawn3("gigai", args, {
+        detached: true,
+        stdio: "ignore",
+        cwd: process.cwd()
+      });
+      child.unref();
+      process.exit(0);
+    }, 500);
+    return { updated: true, restarting: true };
+  });
+}
 async function createServer(opts) {
   const { config, dev = false } = opts;
   const server = Fastify({
@@ -787,7 +927,9 @@ async function createServer(opts) {
     trustProxy: !dev
     // Only trust proxy headers in production (behind HTTPS reverse proxy)
   });
-  if (!dev) {
+  const httpsProvider = config.server.https?.provider;
+  const behindTunnel = httpsProvider === "tailscale" || httpsProvider === "cloudflare";
+  if (!dev && !behindTunnel) {
     server.addHook("onRequest", async (request, _reply) => {
       if (request.protocol !== "https") {
         throw new GigaiError(ErrorCode.HTTPS_REQUIRED, "HTTPS is required");
@@ -805,6 +947,7 @@ async function createServer(opts) {
   await server.register(toolRoutes);
   await server.register(execRoutes);
   await server.register(transferRoutes);
+  await server.register(adminRoutes);
   server.setErrorHandler((error, _request, reply) => {
     if (error instanceof GigaiError) {
       reply.status(error.statusCode).send(error.toJSON());
@@ -830,10 +973,67 @@ async function loadConfig(path) {
   const json = JSON.parse(raw);
   return GigaiConfigSchema.parse(json);
 }
-var execFileAsync = promisify(execFile);
+function runCommand(command, args) {
+  return new Promise((resolve7, reject) => {
+    const child = spawn4(command, args, { shell: false, stdio: ["ignore", "pipe", "pipe"] });
+    const chunks = [];
+    child.stdout.on("data", (chunk) => chunks.push(chunk));
+    child.on("error", reject);
+    child.on("close", (exitCode) => {
+      resolve7({ stdout: Buffer.concat(chunks).toString("utf8").trim(), exitCode: exitCode ?? 1 });
+    });
+  });
+}
+async function getTailscaleStatus() {
+  try {
+    const { stdout, exitCode } = await runCommand("tailscale", ["status", "--json"]);
+    if (exitCode !== 0) return { online: false };
+    const status = JSON.parse(stdout);
+    return {
+      online: status.BackendState === "Running",
+      hostname: status.Self?.DNSName?.replace(/\.$/, "")
+    };
+  } catch {
+    return { online: false };
+  }
+}
+async function enableFunnel(port) {
+  const status = await getTailscaleStatus();
+  if (!status.online || !status.hostname) {
+    throw new Error("Tailscale is not running or not connected");
+  }
+  const { exitCode, stdout } = await runCommand("tailscale", [
+    "funnel",
+    "--bg",
+    `${port}`
+  ]);
+  if (exitCode !== 0) {
+    throw new Error(`Failed to enable Tailscale Funnel: ${stdout}`);
+  }
+  return `https://${status.hostname}`;
+}
+async function disableFunnel(port) {
+  await runCommand("tailscale", ["funnel", "--bg", "off", `${port}`]);
+}
+function runTunnel(tunnelName, localPort) {
+  const child = spawn5("cloudflared", [
+    "tunnel",
+    "--url",
+    `http://localhost:${localPort}`,
+    "run",
+    tunnelName
+  ], {
+    shell: false,
+    stdio: "ignore",
+    detached: true
+  });
+  child.unref();
+  return child;
+}
+var execFileAsync2 = promisify2(execFile2);
 async function getTailscaleDnsName() {
   try {
-    const { stdout } = await execFileAsync("tailscale", ["status", "--json"]);
+    const { stdout } = await execFileAsync2("tailscale", ["status", "--json"]);
     const data = JSON.parse(stdout);
     const dnsName = data?.Self?.DNSName;
     if (dnsName) return dnsName.replace(/\.$/, "");
@@ -842,6 +1042,41 @@ async function getTailscaleDnsName() {
     return null;
   }
 }
+async function ensureTailscaleFunnel(port) {
+  const dnsName = await getTailscaleDnsName();
+  if (!dnsName) {
+    throw new Error("Tailscale is not running or not connected. Install/start Tailscale first.");
+  }
+  console.log("  Enabling Tailscale Funnel...");
+  try {
+    const { stdout, stderr } = await execFileAsync2("tailscale", ["funnel", "--bg", `${port}`]);
+    const output = stdout + stderr;
+    if (output.includes("Funnel is not enabled")) {
+      const urlMatch = output.match(/(https:\/\/login\.tailscale\.com\/\S+)/);
+      const enableUrl = urlMatch?.[1] ?? "https://login.tailscale.com/admin/machines";
+      console.log(`
+  Funnel is not enabled on your tailnet.`);
+      console.log(`  Enable it here: ${enableUrl}
+`);
+      await confirm({ message: "I've enabled Funnel in my Tailscale admin. Continue?", default: true });
+      const retry = await execFileAsync2("tailscale", ["funnel", "--bg", `${port}`]);
+      if ((retry.stdout + retry.stderr).includes("Funnel is not enabled")) {
+        throw new Error("Funnel is still not enabled. Please enable it in your Tailscale admin and try again.");
+      }
+    }
+  } catch (e) {
+    if (e.message.includes("Funnel is still not enabled")) throw e;
+  }
+  try {
+    const { stdout } = await execFileAsync2("tailscale", ["funnel", "status"]);
+    if (stdout.includes("No serve config")) {
+      throw new Error("Funnel setup failed. Run 'tailscale funnel --bg " + port + "' manually to debug.");
+    }
+  } catch {
+  }
+  console.log(`  Tailscale Funnel active: https://${dnsName}`);
+  return `https://${dnsName}`;
+}
 async function runInit() {
   console.log("\n  gigai server setup\n");
   const httpsProvider = await select({
@@ -849,7 +1084,6 @@ async function runInit() {
     choices: [
       { name: "Tailscale Funnel (recommended)", value: "tailscale" },
       { name: "Cloudflare Tunnel", value: "cloudflare" },
-      { name: "Let's Encrypt", value: "letsencrypt" },
       { name: "Manual (provide certs)", value: "manual" },
       { name: "None (dev mode only)", value: "none" }
     ]
@@ -861,7 +1095,6 @@ async function runInit() {
         provider: "tailscale",
         funnelPort: 7443
       };
-      console.log("  Will use Tailscale Funnel for HTTPS.");
       break;
     case "cloudflare": {
       const tunnelName = await input({
@@ -878,22 +1111,6 @@ async function runInit() {
       };
       break;
     }
-    case "letsencrypt": {
-      const domain = await input({
-        message: "Domain name:",
-        required: true
-      });
-      const email = await input({
-        message: "Email for Let's Encrypt:",
-        required: true
-      });
-      httpsConfig = {
-        provider: "letsencrypt",
-        domain,
-        email
-      };
-      break;
-    }
     case "manual": {
       const certPath = await input({
         message: "Path to TLS certificate:",
@@ -961,8 +1178,25 @@ async function runInit() {
       config: { allowlist, allowSudo }
     });
   }
+  let serverName;
+  if (httpsProvider === "tailscale") {
+    const dnsName = await getTailscaleDnsName();
+    if (dnsName) {
+      serverName = dnsName.split(".")[0];
+    }
+  } else if (httpsProvider === "cloudflare") {
+    serverName = await input({
+      message: "Server name (identifies this machine):",
+      required: true
+    });
+  }
+  if (!serverName) {
+    const { hostname: osHostname } = await import("os");
+    serverName = osHostname();
+  }
   const encryptionKey = generateEncryptionKey();
   const config = {
+    serverName,
     server: {
       port,
       host: "0.0.0.0",
@@ -979,86 +1213,78 @@ async function runInit() {
   await writeFile2(configPath, JSON.stringify(config, null, 2) + "\n", { mode: 384 });
   console.log(`
   Config written to: ${configPath}`);
-  const skillDir = resolve4("gigai-skill");
-  await mkdir2(skillDir, { recursive: true });
-  let serverUrl = "<YOUR_SERVER_URL>";
+  let serverUrl;
   if (httpsProvider === "tailscale") {
-    const dnsName = await getTailscaleDnsName();
-    if (dnsName) {
-      serverUrl = `https://${dnsName}:${port}`;
-      console.log(`  Detected Tailscale URL: ${serverUrl}`);
+    try {
+      serverUrl = await ensureTailscaleFunnel(port);
+    } catch (e) {
+      console.error(`  ${e.message}`);
+      console.log("  You can enable Funnel later and run 'gigai server start' manually.\n");
     }
+  } else if (httpsProvider === "cloudflare" && httpsConfig && "domain" in httpsConfig && httpsConfig.domain) {
+    serverUrl = `https://${httpsConfig.domain}`;
+    console.log(`  Cloudflare URL: ${serverUrl}`);
+  }
+  if (!serverUrl) {
+    serverUrl = await input({
+      message: "Server URL (how clients will reach this server):",
+      required: true
+    });
+  }
+  console.log("\n  Starting server...");
+  const serverArgs = ["server", "start", "--config", configPath];
+  if (!httpsConfig) serverArgs.push("--dev");
+  const child = spawn6("gigai", serverArgs, {
+    detached: true,
+    stdio: "ignore",
+    cwd: resolve4(".")
+  });
+  child.unref();
+  await new Promise((r) => setTimeout(r, 1500));
+  try {
+    const res = await fetch(`http://localhost:${port}/health`);
+    if (res.ok) {
+      console.log(`  Server running on port ${port} (PID ${child.pid})`);
+    }
+  } catch {
+    console.log(`  Server starting in background (PID ${child.pid})`);
+  }
+  let code;
+  const maxRetries = 5;
+  for (let i = 0; i < maxRetries; i++) {
+    try {
+      const res = await fetch(`http://localhost:${port}/auth/pair/generate`);
+      if (res.ok) {
+        const data = await res.json();
+        code = data.code;
+        break;
+      }
+    } catch {
+      await new Promise((r) => setTimeout(r, 1e3));
+    }
+  }
+  if (!code) {
+    console.log("\n  Server is starting but not ready yet.");
+    console.log("  Run 'gigai server pair' once it's up to get a pairing code.\n");
+    return;
   }
-  const skillMd = `---
-name: gigai
-description: Access tools on the user's machine via the gigai CLI
----
-
-# gigai Skill
-
-This skill gives you access to tools running on the user's machine via the gigai CLI.
-
-## Quick Start
-
-1. Connect to the server:
-   \`\`\`
-   gigai connect
-   \`\`\`
-
-2. List available tools:
-   \`\`\`
-   gigai list
-   \`\`\`
-
-3. Get help on a specific tool:
-   \`\`\`
-   gigai help <tool-name>
-   \`\`\`
-
-4. Use a tool directly:
-   \`\`\`
-   gigai <tool-name> [args...]
-   \`\`\`
-
-## Commands
-
-### Connection
-- \`gigai connect\` \u2014 Establish/renew a session with the server
-- \`gigai status\` \u2014 Check connection status
-- \`gigai pair <code> <server-url>\` \u2014 Pair with a new server
-
-### Tool Usage
-- \`gigai list\` \u2014 List all available tools
-- \`gigai help <name>\` \u2014 Show detailed help for a tool
-- \`gigai <name> [args...]\` \u2014 Execute a tool by name
-
-### File Transfer
-- \`gigai upload <file>\` \u2014 Upload a file to the server
-- \`gigai download <id> <dest>\` \u2014 Download a file from the server
-
-## Notes
-
-- The connection is authenticated and encrypted end-to-end
-- Tools are scoped to what the user has explicitly configured
-- Sessions auto-renew; if you get auth errors, run \`gigai connect\`
-- All tool execution happens on the user's machine, not in this container
-`;
-  await writeFile2(join3(skillDir, "SKILL.md"), skillMd);
-  const tokenPayload = {
-    orgUuid: "*",
-    serverFingerprint: randomBytes2(16).toString("hex"),
-    createdAt: Date.now()
-  };
-  const encryptedToken = encrypt(tokenPayload, encryptionKey);
-  const skillConfig = {
-    server: serverUrl,
-    token: JSON.stringify(encryptedToken)
-  };
-  await writeFile2(join3(skillDir, "config.json"), JSON.stringify(skillConfig, null, 2) + "\n", { mode: 384 });
-  console.log(`  Skill template written to: ${skillDir}/`);
   console.log(`
-  Start the server with: gigai server start${httpsConfig ? "" : " --dev"}`);
-  console.log(`  Then upload gigai-skill/ contents to your Claude Project.`);
+  Paste this into Claude to pair:
+`);
+  console.log(`  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`);
+  console.log(`  Install the gigai CLI and pair with my server:
+`);
+  console.log(`  \`\`\`bash`);
+  console.log(`  npm install -g @schuttdev/gigai`);
+  console.log(`  gigai pair ${code} ${serverUrl}`);
+  console.log(`  \`\`\`
+`);
+  console.log(`  Then show me the skill file output so I can save it.`);
+  console.log(`  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`);
+  console.log(`
+  Pairing code expires in ${config.auth.pairingTtlSeconds / 60} minutes.`);
+  console.log(`  Run 'gigai server pair' to generate a new one.
+`);
 }
 async function loadConfigFile(path) {
   const configPath = resolve5(path ?? "gigai.config.json");
@@ -1171,17 +1397,165 @@ async function unwrapTool(name) {
 }
 async function generateServerPairingCode(configPath) {
   const { config } = await loadConfigFile(configPath);
-  const { AuthStore: AuthStore2 } = await import("./store-Y4V3TOYJ-GKOB6ANA.js");
-  const { generatePairingCode: generatePairingCode2 } = await import("./pairing-IGMDVOIZ-RA7GNFU7.js");
-  const store = new AuthStore2();
-  const code = generatePairingCode2(store, config.auth.pairingTtlSeconds);
-  console.log(`
-Pairing code: ${code}`);
-  console.log(`Expires in ${config.auth.pairingTtlSeconds / 60} minutes.`);
-  console.log(`
-Note: The server must be running for the client to use this code.`);
-  console.log(`For a live pairing code, use the server's /auth/pair/generate endpoint.`);
-  store.destroy();
+  const port = config.server.port;
+  try {
+    const res = await fetch(`http://localhost:${port}/auth/pair/generate`);
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Server returned ${res.status}: ${body}`);
+    }
+    const data = await res.json();
+    console.log(`
+Pairing code: ${data.code}`);
+    console.log(`Expires in ${data.expiresIn / 60} minutes.`);
+  } catch (e) {
+    if (e.message.includes("fetch failed") || e.message.includes("ECONNREFUSED")) {
+      console.error("Server is not running. Start it with: gigai server start");
+    } else {
+      console.error(`Error: ${e.message}`);
+    }
+    process.exitCode = 1;
+  }
+}
+var execFileAsync3 = promisify3(execFile3);
+function getGigaiBin() {
+  return process.argv[1] ?? "gigai";
+}
+function getLaunchdPlist(configPath) {
+  const bin = getGigaiBin();
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>com.gigai.server</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${bin}</string>
+    <string>server</string>
+    <string>start</string>
+    <string>--config</string>
+    <string>${configPath}</string>
+  </array>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <true/>
+  <key>StandardOutPath</key>
+  <string>${join3(homedir(), ".gigai", "server.log")}</string>
+  <key>StandardErrorPath</key>
+  <string>${join3(homedir(), ".gigai", "server.log")}</string>
+  <key>WorkingDirectory</key>
+  <string>${homedir()}</string>
+</dict>
+</plist>
+`;
+}
+function getSystemdUnit(configPath) {
+  const bin = getGigaiBin();
+  return `[Unit]
+Description=gigai server
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=${bin} server start --config ${configPath}
+Restart=always
+RestartSec=5
+WorkingDirectory=${homedir()}
+
+[Install]
+WantedBy=default.target
+`;
+}
+async function installDaemon(configPath) {
+  const config = resolve6(configPath ?? "gigai.config.json");
+  const os = platform();
+  if (os === "darwin") {
+    const plistPath = join3(homedir(), "Library", "LaunchAgents", "com.gigai.server.plist");
+    await writeFile4(plistPath, getLaunchdPlist(config));
+    console.log(`  Wrote launchd plist: ${plistPath}`);
+    try {
+      await execFileAsync3("launchctl", ["load", plistPath]);
+      console.log("  Service loaded and started.");
+    } catch {
+      console.log(`  Load it with: launchctl load ${plistPath}`);
+    }
+    console.log(`  Logs: ~/.gigai/server.log`);
+    console.log(`  Stop:  launchctl unload ${plistPath}`);
+  } else if (os === "linux") {
+    const unitDir = join3(homedir(), ".config", "systemd", "user");
+    const unitPath = join3(unitDir, "gigai.service");
+    const { mkdir: mkdir2 } = await import("fs/promises");
+    await mkdir2(unitDir, { recursive: true });
+    await writeFile4(unitPath, getSystemdUnit(config));
+    console.log(`  Wrote systemd unit: ${unitPath}`);
+    try {
+      await execFileAsync3("systemctl", ["--user", "daemon-reload"]);
+      await execFileAsync3("systemctl", ["--user", "enable", "--now", "gigai"]);
+      console.log("  Service enabled and started.");
+    } catch {
+      console.log("  Enable it with: systemctl --user enable --now gigai");
+    }
+    console.log(`  Logs:   journalctl --user -u gigai -f`);
+    console.log(`  Stop:   systemctl --user stop gigai`);
+    console.log(`  Remove: systemctl --user disable gigai`);
+  } else {
+    console.log("  Persistent daemon not supported on this platform.");
+    console.log("  Run 'gigai server start' manually.");
+  }
+}
+async function uninstallDaemon() {
+  const os = platform();
+  if (os === "darwin") {
+    const plistPath = join3(homedir(), "Library", "LaunchAgents", "com.gigai.server.plist");
+    try {
+      await execFileAsync3("launchctl", ["unload", plistPath]);
+    } catch {
+    }
+    const { unlink: unlink2 } = await import("fs/promises");
+    try {
+      await unlink2(plistPath);
+      console.log("  Service removed.");
+    } catch {
+      console.log("  No service found.");
+    }
+  } else if (os === "linux") {
+    try {
+      await execFileAsync3("systemctl", ["--user", "disable", "--now", "gigai"]);
+    } catch {
+    }
+    const unitPath = join3(homedir(), ".config", "systemd", "user", "gigai.service");
+    const { unlink: unlink2 } = await import("fs/promises");
+    try {
+      await unlink2(unitPath);
+      await execFileAsync3("systemctl", ["--user", "daemon-reload"]);
+      console.log("  Service removed.");
+    } catch {
+      console.log("  No service found.");
+    }
+  }
+}
+async function stopServer() {
+  const { execFileSync } = await import("child_process");
+  let pids = [];
+  try {
+    const out = execFileSync("pgrep", ["-f", "gigai server start"], { encoding: "utf8" });
+    pids = out.trim().split("\n").map(Number).filter((pid) => pid && pid !== process.pid);
+  } catch {
+  }
+  if (pids.length === 0) {
+    console.log("No running gigai server found.");
+    return;
+  }
+  for (const pid of pids) {
+    try {
+      process.kill(pid, "SIGTERM");
+      console.log(`Stopped gigai server (PID ${pid})`);
+    } catch (e) {
+      console.error(`Failed to stop PID ${pid}: ${e.message}`);
+    }
+  }
 }
 async function startServer() {
   const { values } = parseArgs({
@@ -1197,8 +1571,38 @@ async function startServer() {
   const host = config.server.host;
   await server.listen({ port, host });
   server.log.info(`gigai server listening on ${host}:${port}`);
+  let cfTunnel;
+  const httpsProvider = config.server.https?.provider;
+  if (httpsProvider === "tailscale") {
+    try {
+      const funnelUrl = await enableFunnel(port);
+      server.log.info(`Tailscale Funnel enabled: ${funnelUrl}`);
+    } catch (e) {
+      server.log.error(`Failed to enable Tailscale Funnel: ${e.message}`);
+    }
+  } else if (httpsProvider === "cloudflare") {
+    try {
+      const tunnelName = config.server.https.tunnelName;
+      cfTunnel = runTunnel(tunnelName, port);
+      server.log.info(`Cloudflare Tunnel started: ${tunnelName}`);
+    } catch (e) {
+      server.log.error(`Failed to start Cloudflare Tunnel: ${e.message}`);
+    }
+  }
   const shutdown = async () => {
     server.log.info("Shutting down...");
+    if (httpsProvider === "tailscale") {
+      try {
+        await disableFunnel(port);
+      } catch {
+      }
+    }
+    if (cfTunnel) {
+      try {
+        cfTunnel.kill();
+      } catch {
+      }
+    }
     await server.close();
     process.exit(0);
   };
@@ -1208,9 +1612,12 @@ async function startServer() {
 export {
   createServer,
   generateServerPairingCode,
+  installDaemon,
   loadConfig,
   runInit,
   startServer,
+  stopServer,
+  uninstallDaemon,
   unwrapTool,
   wrapCli,
   wrapImport,