npm - @shykaruu/jarvis-brain - Versions diffs - 0.4.0 - Mend

@shykaruu/jarvis-brain 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (330) hide show

package/LICENSE +153 -0
package/README.md +428 -0
package/bin/jarvis.ts +449 -0
package/package.json +79 -0
package/roles/activity-observer.yaml +60 -0
package/roles/ceo-founder.yaml +144 -0
package/roles/chief-of-staff.yaml +158 -0
package/roles/dev-lead.yaml +182 -0
package/roles/executive-assistant.yaml +77 -0
package/roles/marketing-director.yaml +168 -0
package/roles/personal-assistant.yaml +266 -0
package/roles/research-specialist.yaml +60 -0
package/roles/specialists/content-writer.yaml +53 -0
package/roles/specialists/customer-support.yaml +57 -0
package/roles/specialists/data-analyst.yaml +57 -0
package/roles/specialists/financial-analyst.yaml +56 -0
package/roles/specialists/hr-specialist.yaml +55 -0
package/roles/specialists/legal-advisor.yaml +58 -0
package/roles/specialists/marketing-strategist.yaml +56 -0
package/roles/specialists/project-coordinator.yaml +55 -0
package/roles/specialists/research-analyst.yaml +58 -0
package/roles/specialists/software-engineer.yaml +57 -0
package/roles/specialists/system-administrator.yaml +57 -0
package/roles/system-admin.yaml +76 -0
package/scripts/ensure-bun.cjs +16 -0
package/src/actions/README.md +421 -0
package/src/actions/app-control/desktop-controller.test.ts +26 -0
package/src/actions/app-control/desktop-controller.ts +438 -0
package/src/actions/app-control/interface.ts +64 -0
package/src/actions/app-control/linux.ts +273 -0
package/src/actions/app-control/macos.ts +54 -0
package/src/actions/app-control/sidecar-launcher.test.ts +23 -0
package/src/actions/app-control/sidecar-launcher.ts +286 -0
package/src/actions/app-control/windows.ts +44 -0
package/src/actions/browser/cdp.ts +138 -0
package/src/actions/browser/chrome-launcher.ts +261 -0
package/src/actions/browser/session.ts +506 -0
package/src/actions/browser/stealth.ts +49 -0
package/src/actions/index.ts +20 -0
package/src/actions/terminal/executor.ts +157 -0
package/src/actions/terminal/wsl-bridge.ts +126 -0
package/src/actions/test.ts +93 -0
package/src/actions/tools/agents.ts +363 -0
package/src/actions/tools/builtin.ts +950 -0
package/src/actions/tools/commitments.ts +192 -0
package/src/actions/tools/content.ts +217 -0
package/src/actions/tools/delegate.ts +147 -0
package/src/actions/tools/desktop.test.ts +55 -0
package/src/actions/tools/desktop.ts +305 -0
package/src/actions/tools/documents.ts +169 -0
package/src/actions/tools/goals.ts +376 -0
package/src/actions/tools/local-tools-guard.ts +31 -0
package/src/actions/tools/registry.ts +173 -0
package/src/actions/tools/research.ts +111 -0
package/src/actions/tools/sidecar-list.ts +57 -0
package/src/actions/tools/sidecar-route.ts +105 -0
package/src/actions/tools/workflows.ts +216 -0
package/src/agents/agent.ts +132 -0
package/src/agents/delegation.ts +107 -0
package/src/agents/hierarchy.ts +113 -0
package/src/agents/index.ts +19 -0
package/src/agents/messaging.ts +125 -0
package/src/agents/orchestrator.ts +592 -0
package/src/agents/role-discovery.ts +61 -0
package/src/agents/sub-agent-runner.ts +309 -0
package/src/agents/task-manager.ts +151 -0
package/src/authority/approval-delivery.ts +59 -0
package/src/authority/approval.ts +196 -0
package/src/authority/audit.ts +158 -0
package/src/authority/authority.test.ts +519 -0
package/src/authority/deferred-executor.ts +103 -0
package/src/authority/emergency.ts +66 -0
package/src/authority/engine.ts +301 -0
package/src/authority/index.ts +12 -0
package/src/authority/learning.ts +111 -0
package/src/authority/tool-action-map.ts +74 -0
package/src/awareness/analytics.ts +466 -0
package/src/awareness/awareness.test.ts +332 -0
package/src/awareness/capture-engine.ts +305 -0
package/src/awareness/context-graph.ts +130 -0
package/src/awareness/context-tracker.ts +349 -0
package/src/awareness/index.ts +25 -0
package/src/awareness/intelligence.ts +321 -0
package/src/awareness/ocr-engine.ts +88 -0
package/src/awareness/service.ts +528 -0
package/src/awareness/struggle-detector.ts +342 -0
package/src/awareness/suggestion-engine.ts +476 -0
package/src/awareness/types.ts +201 -0
package/src/cli/autostart.ts +417 -0
package/src/cli/deps.ts +449 -0
package/src/cli/doctor.ts +238 -0
package/src/cli/helpers.ts +401 -0
package/src/cli/onboard.ts +827 -0
package/src/cli/uninstall.test.ts +37 -0
package/src/cli/uninstall.ts +202 -0
package/src/comms/README.md +329 -0
package/src/comms/auth-error.html +48 -0
package/src/comms/channels/discord.ts +228 -0
package/src/comms/channels/signal.ts +56 -0
package/src/comms/channels/telegram.ts +316 -0
package/src/comms/channels/whatsapp.ts +60 -0
package/src/comms/channels.test.ts +173 -0
package/src/comms/dashboard-auth.ts +75 -0
package/src/comms/desktop-notify.ts +114 -0
package/src/comms/example.ts +129 -0
package/src/comms/index.ts +129 -0
package/src/comms/streaming.ts +149 -0
package/src/comms/voice.test.ts +504 -0
package/src/comms/voice.ts +341 -0
package/src/comms/websocket.test.ts +409 -0
package/src/comms/websocket.ts +669 -0
package/src/config/README.md +389 -0
package/src/config/index.ts +6 -0
package/src/config/loader.test.ts +183 -0
package/src/config/loader.ts +148 -0
package/src/config/types.ts +293 -0
package/src/daemon/README.md +232 -0
package/src/daemon/agent-service-interface.ts +9 -0
package/src/daemon/agent-service.ts +667 -0
package/src/daemon/api-routes.ts +3067 -0
package/src/daemon/background-agent-service.ts +396 -0
package/src/daemon/background-agent.test.ts +78 -0
package/src/daemon/channel-service.ts +201 -0
package/src/daemon/commitment-executor.ts +297 -0
package/src/daemon/dashboard-auth.test.ts +170 -0
package/src/daemon/event-classifier.ts +239 -0
package/src/daemon/event-coalescer.ts +123 -0
package/src/daemon/event-reactor.ts +214 -0
package/src/daemon/flock.c +7 -0
package/src/daemon/health.ts +220 -0
package/src/daemon/index.ts +1070 -0
package/src/daemon/llm-settings.test.ts +78 -0
package/src/daemon/llm-settings.ts +450 -0
package/src/daemon/observer-service.ts +150 -0
package/src/daemon/pid.test.ts +283 -0
package/src/daemon/pid.ts +224 -0
package/src/daemon/research-queue.ts +155 -0
package/src/daemon/services.ts +175 -0
package/src/daemon/ws-service.ts +926 -0
package/src/global.d.ts +4 -0
package/src/goals/accountability.ts +240 -0
package/src/goals/awareness-bridge.ts +185 -0
package/src/goals/estimator.ts +185 -0
package/src/goals/events.ts +28 -0
package/src/goals/goals.test.ts +400 -0
package/src/goals/integration.test.ts +329 -0
package/src/goals/nl-builder.test.ts +220 -0
package/src/goals/nl-builder.ts +256 -0
package/src/goals/rhythm.test.ts +177 -0
package/src/goals/rhythm.ts +275 -0
package/src/goals/service.test.ts +135 -0
package/src/goals/service.ts +407 -0
package/src/goals/types.ts +106 -0
package/src/goals/workflow-bridge.ts +96 -0
package/src/integrations/google-api.ts +134 -0
package/src/integrations/google-auth.ts +175 -0
package/src/llm/README.md +291 -0
package/src/llm/anthropic.ts +400 -0
package/src/llm/gemini.ts +380 -0
package/src/llm/groq.ts +406 -0
package/src/llm/history.ts +147 -0
package/src/llm/index.ts +21 -0
package/src/llm/manager.ts +226 -0
package/src/llm/ollama.ts +316 -0
package/src/llm/openai.ts +411 -0
package/src/llm/openrouter.ts +390 -0
package/src/llm/provider.test.ts +487 -0
package/src/llm/provider.ts +61 -0
package/src/llm/test.ts +88 -0
package/src/observers/README.md +278 -0
package/src/observers/calendar.ts +113 -0
package/src/observers/clipboard.ts +136 -0
package/src/observers/email.ts +109 -0
package/src/observers/example.ts +58 -0
package/src/observers/file-watcher.ts +124 -0
package/src/observers/index.ts +159 -0
package/src/observers/notifications.ts +197 -0
package/src/observers/observers.test.ts +203 -0
package/src/observers/processes.ts +225 -0
package/src/personality/README.md +61 -0
package/src/personality/adapter.ts +196 -0
package/src/personality/index.ts +20 -0
package/src/personality/learner.ts +209 -0
package/src/personality/model.ts +132 -0
package/src/personality/personality.test.ts +236 -0
package/src/roles/README.md +252 -0
package/src/roles/authority.ts +120 -0
package/src/roles/example-usage.ts +198 -0
package/src/roles/index.ts +42 -0
package/src/roles/loader.ts +143 -0
package/src/roles/prompt-builder.ts +218 -0
package/src/roles/test-multi.ts +102 -0
package/src/roles/test-role.yaml +77 -0
package/src/roles/test-utils.ts +93 -0
package/src/roles/test.ts +106 -0
package/src/roles/tool-guide.ts +195 -0
package/src/roles/types.ts +36 -0
package/src/roles/utils.ts +200 -0
package/src/scripts/google-setup.ts +168 -0
package/src/sidecar/connection.ts +179 -0
package/src/sidecar/index.ts +6 -0
package/src/sidecar/manager.ts +542 -0
package/src/sidecar/protocol.ts +85 -0
package/src/sidecar/rpc.ts +161 -0
package/src/sidecar/scheduler.ts +136 -0
package/src/sidecar/types.ts +112 -0
package/src/sidecar/validator.ts +144 -0
package/src/sites/builder-tools.ts +215 -0
package/src/sites/dev-server-manager.ts +286 -0
package/src/sites/fixtures/security-test-site/.jarvis-project.json +6 -0
package/src/sites/fixtures/security-test-site/Makefile +15 -0
package/src/sites/fixtures/security-test-site/README.md +18 -0
package/src/sites/fixtures/security-test-site/index.html +12 -0
package/src/sites/fixtures/security-test-site/index.ts +16 -0
package/src/sites/fixtures/security-test-site/package.json +13 -0
package/src/sites/fixtures/security-test-site/src/app.tsx +780 -0
package/src/sites/fixtures/security-test-site/tsconfig.json +10 -0
package/src/sites/git-manager.ts +240 -0
package/src/sites/github-manager.ts +355 -0
package/src/sites/index.ts +25 -0
package/src/sites/project-manager.ts +389 -0
package/src/sites/proxy.ts +133 -0
package/src/sites/service.ts +136 -0
package/src/sites/templates.ts +169 -0
package/src/sites/types.ts +89 -0
package/src/user/profile-followup.test.ts +84 -0
package/src/user/profile-followup.ts +185 -0
package/src/user/profile.ts +224 -0
package/src/vault/README.md +110 -0
package/src/vault/awareness.ts +341 -0
package/src/vault/commitments.ts +299 -0
package/src/vault/content-pipeline.ts +270 -0
package/src/vault/conversations.ts +173 -0
package/src/vault/dashboard-sessions.ts +44 -0
package/src/vault/documents.ts +130 -0
package/src/vault/entities.ts +185 -0
package/src/vault/extractor.test.ts +356 -0
package/src/vault/extractor.ts +345 -0
package/src/vault/facts.ts +190 -0
package/src/vault/goals.ts +477 -0
package/src/vault/index.ts +87 -0
package/src/vault/keychain.ts +99 -0
package/src/vault/observations.ts +115 -0
package/src/vault/relationships.ts +178 -0
package/src/vault/retrieval.test.ts +139 -0
package/src/vault/retrieval.ts +258 -0
package/src/vault/schema.ts +709 -0
package/src/vault/settings.ts +38 -0
package/src/vault/user-profile.test.ts +113 -0
package/src/vault/user-profile.ts +176 -0
package/src/vault/vectors.ts +92 -0
package/src/vault/webapp-template-seeds.ts +116 -0
package/src/vault/webapp-templates.ts +244 -0
package/src/vault/workflows.ts +403 -0
package/src/workflows/auto-suggest.ts +290 -0
package/src/workflows/engine.ts +366 -0
package/src/workflows/events.ts +24 -0
package/src/workflows/executor.ts +207 -0
package/src/workflows/nl-builder.ts +198 -0
package/src/workflows/nodes/actions/agent-task.ts +73 -0
package/src/workflows/nodes/actions/calendar-action.ts +85 -0
package/src/workflows/nodes/actions/code-execution.ts +73 -0
package/src/workflows/nodes/actions/discord.ts +77 -0
package/src/workflows/nodes/actions/file-write.ts +73 -0
package/src/workflows/nodes/actions/gmail.ts +69 -0
package/src/workflows/nodes/actions/http-request.ts +117 -0
package/src/workflows/nodes/actions/notification.ts +85 -0
package/src/workflows/nodes/actions/run-tool.ts +55 -0
package/src/workflows/nodes/actions/send-message.ts +82 -0
package/src/workflows/nodes/actions/shell-command.ts +76 -0
package/src/workflows/nodes/actions/telegram.ts +60 -0
package/src/workflows/nodes/builtin.ts +119 -0
package/src/workflows/nodes/error/error-handler.ts +37 -0
package/src/workflows/nodes/error/fallback.ts +47 -0
package/src/workflows/nodes/error/retry.ts +82 -0
package/src/workflows/nodes/logic/delay.ts +42 -0
package/src/workflows/nodes/logic/if-else.ts +41 -0
package/src/workflows/nodes/logic/loop.ts +90 -0
package/src/workflows/nodes/logic/merge.ts +38 -0
package/src/workflows/nodes/logic/race.ts +40 -0
package/src/workflows/nodes/logic/switch.ts +59 -0
package/src/workflows/nodes/logic/template-render.ts +53 -0
package/src/workflows/nodes/logic/variable-get.ts +37 -0
package/src/workflows/nodes/logic/variable-set.ts +59 -0
package/src/workflows/nodes/registry.ts +99 -0
package/src/workflows/nodes/transform/aggregate.ts +99 -0
package/src/workflows/nodes/transform/csv-parse.ts +70 -0
package/src/workflows/nodes/transform/json-parse.ts +63 -0
package/src/workflows/nodes/transform/map-filter.ts +84 -0
package/src/workflows/nodes/transform/regex-match.ts +89 -0
package/src/workflows/nodes/triggers/calendar.ts +33 -0
package/src/workflows/nodes/triggers/clipboard.ts +32 -0
package/src/workflows/nodes/triggers/cron.ts +40 -0
package/src/workflows/nodes/triggers/email.ts +40 -0
package/src/workflows/nodes/triggers/file-change.ts +45 -0
package/src/workflows/nodes/triggers/git.ts +46 -0
package/src/workflows/nodes/triggers/manual.ts +23 -0
package/src/workflows/nodes/triggers/poll.ts +81 -0
package/src/workflows/nodes/triggers/process.ts +44 -0
package/src/workflows/nodes/triggers/screen-event.ts +37 -0
package/src/workflows/nodes/triggers/webhook.ts +39 -0
package/src/workflows/safe-eval.ts +139 -0
package/src/workflows/template.ts +118 -0
package/src/workflows/triggers/cron.ts +311 -0
package/src/workflows/triggers/manager.ts +285 -0
package/src/workflows/triggers/observer-bridge.ts +172 -0
package/src/workflows/triggers/poller.ts +201 -0
package/src/workflows/triggers/screen-condition.ts +218 -0
package/src/workflows/triggers/triggers.test.ts +740 -0
package/src/workflows/triggers/webhook.ts +191 -0
package/src/workflows/types.ts +133 -0
package/src/workflows/variables.ts +72 -0
package/src/workflows/workflows.test.ts +383 -0
package/src/workflows/yaml.ts +104 -0
package/ui/dist/index-3gr23jt9.js +112614 -0
package/ui/dist/index-9vmj8127.css +14239 -0
package/ui/dist/index-hy9pc1gm.js +112873 -0
package/ui/dist/index-j2ep5d1w.js +112374 -0
package/ui/dist/index-jt00vjqs.js +112858 -0
package/ui/dist/index-k9ymx5qb.js +112374 -0
package/ui/dist/index.html +16 -0
package/ui/public/audio/pcm-capture-processor.js +11 -0
package/ui/public/openwakeword/models/embedding_model.onnx +0 -0
package/ui/public/openwakeword/models/hey_jarvis_v0.1.onnx +0 -0
package/ui/public/openwakeword/models/melspectrogram.onnx +0 -0
package/ui/public/openwakeword/models/silero_vad.onnx +0 -0
package/ui/public/ort/ort-wasm-simd-threaded.jsep.mjs +106 -0
package/ui/public/ort/ort-wasm-simd-threaded.jsep.wasm +0 -0
package/ui/public/ort/ort-wasm-simd-threaded.mjs +59 -0
package/ui/public/ort/ort-wasm-simd-threaded.wasm +0 -0

package/src/comms/websocket.ts ADDED Viewed

@@ -0,0 +1,669 @@
+import type { Server, ServerWebSocket } from 'bun';
+import path from 'node:path';
+import type { SidecarManager } from '../sidecar/manager.ts';
+import {
+  getCookie,
+  getDashboardSessionFromRequest,
+  safeCompare,
+} from './dashboard-auth.ts';
+export type WSMessage = {
+  type: 'chat' | 'command' | 'status' | 'stream' | 'error' | 'notification'
+      | 'tts_start' | 'tts_end' | 'voice_start' | 'voice_end'
+      | 'workflow_event'
+      | 'goal_event'
+      | 'site_event';
+  payload: unknown;
+  id?: string;
+  priority?: 'urgent' | 'normal' | 'low';
+  timestamp: number;
+};
+export type WSClientHandler = {
+  onMessage: (msg: WSMessage, ws: ServerWebSocket<unknown>) => Promise<WSMessage | void>;
+  onBinaryMessage?: (data: Buffer, ws: ServerWebSocket<unknown>) => Promise<void>;
+  onConnect: (ws: ServerWebSocket<unknown>) => void;
+  onDisconnect: (ws: ServerWebSocket<unknown>) => void;
+};
+type RouteHandler = (req: Request) => Response | Promise<Response>;
+type MethodRoutes = { [method: string]: RouteHandler };
+/** 401 HTML page loaded from auth-error.html */
+const AUTH_ERROR_HTML = await Bun.file(path.join(import.meta.dir, 'auth-error.html')).text();
+/** Inline script injected into authed HTML pages — strips ?token= from the hash. */
+const TOKEN_STRIP_SCRIPT = `<script>(function(){var h=location.hash,i=h.indexOf('?');if(i===-1)return;var p=new URLSearchParams(h.slice(i));if(!p.has('token'))return;p.delete('token');var c=h.slice(0,i),r=p.toString();if(r)c+='?'+r;location.replace(location.pathname+location.search+c)})()</script>`;
+function isPublicRoute(pathname: string, method: string): boolean {
+  return (
+    pathname === '/health' ||
+    pathname === '/sidecar/connect' ||
+    pathname === '/api/sidecars/.well-known/jwks.json' ||
+    pathname === '/api/auth/login' ||
+    pathname === '/api/auth/logout' ||
+    pathname === '/api/auth/session' ||
+    pathname === '/api/auth/google/callback' ||
+    pathname.startsWith('/api/webhooks/') ||
+    method === 'OPTIONS'
+  );
+}
+/** Simple sliding-window rate limiter for proxy requests */
+class ProxyRateLimiter {
+  private windowMs: number;
+  private maxRequests: number;
+  private requests: number[] = [];
+  constructor(windowMs = 10_000, maxRequests = 200) {
+    this.windowMs = windowMs;
+    this.maxRequests = maxRequests;
+  }
+  allow(): boolean {
+    const now = Date.now();
+    // Evict stale entries
+    while (this.requests.length > 0 && this.requests[0]! < now - this.windowMs) {
+      this.requests.shift();
+    }
+    if (this.requests.length >= this.maxRequests) return false;
+    this.requests.push(now);
+    return true;
+  }
+}
+export class WebSocketServer {
+  private server: Server<any> | null = null;
+  private clients: Set<ServerWebSocket<unknown>> = new Set();
+  private handler: WSClientHandler | null = null;
+  private port: number;
+  private startTime: number = 0;
+  private apiRoutes: Map<string, MethodRoutes> = new Map();
+  private staticDir: string | null = null;
+  private publicDir: string | null = null;
+  private sidecarManager: SidecarManager | null = null;
+  private authToken: string | null = null;
+  private dashboardPasswordHash: string | null = null;
+  private corsOrigin: string | null = null;
+  private proxyLimiter = new ProxyRateLimiter();
+  constructor(port: number = 3142) {
+    this.port = port;
+    this.corsOrigin = `http://localhost:${port}`;
+  }
+  setAuthToken(token: string): void {
+    this.authToken = token;
+  }
+  setDashboardPasswordHash(passwordHash?: string | null): void {
+    this.dashboardPasswordHash = passwordHash?.trim() || null;
+  }
+  setHandler(handler: WSClientHandler): void {
+    this.handler = handler;
+  }
+  setSidecarManager(manager: SidecarManager): void {
+    this.sidecarManager = manager;
+  }
+  private siteProxy: import('../sites/proxy.ts').SiteProxy | null = null;
+  setSiteProxy(proxy: import('../sites/proxy.ts').SiteProxy): void {
+    this.siteProxy = proxy;
+  }
+  /**
+   * Register API route handlers (method-based).
+   * Example: setApiRoutes({ '/api/health': { GET: handler } })
+   */
+  setApiRoutes(routes: Record<string, MethodRoutes>): void {
+    for (const [path, methods] of Object.entries(routes)) {
+      this.apiRoutes.set(path, methods);
+    }
+  }
+  /**
+   * Set directory for serving static files (pre-built dashboard).
+   */
+  setStaticDir(dir: string): void {
+    this.staticDir = dir;
+  }
+  /**
+   * Set directory for serving public assets (models, WASM, etc.).
+   * Falls through to this if file not found in staticDir.
+   */
+  setPublicDir(dir: string): void {
+    this.publicDir = dir;
+  }
+  start(): void {
+    if (this.server) {
+      console.warn('[WebSocketServer] Server already running');
+      return;
+    }
+    this.startTime = Date.now();
+    const self = this;
+    this.server = Bun.serve<{ sidecar_id?: string; proxy_target?: string; _proxyUpstream?: WebSocket }>({
+      port: this.port,
+      idleTimeout: 30, // seconds — prevent timeout during heavy processing (OCR, PowerShell)
+      async fetch(req, server) {
+        const url = new URL(req.url);
+        const pathname = url.pathname;
+        // 0. Sidecar WebSocket upgrade (has its own JWT auth)
+        if (pathname === '/sidecar/connect' && self.sidecarManager) {
+          const authHeader = req.headers.get('Authorization');
+          const token = authHeader?.startsWith('Bearer ')
+            ? authHeader.slice(7)
+            : null;
+          if (!token) {
+            return new Response('Missing token', { status: 401 });
+          }
+          const claims = await self.sidecarManager.validateToken(token);
+          if (!claims) {
+            return new Response('Invalid or revoked token', { status: 403 });
+          }
+          const success = server.upgrade(req, { data: { sidecar_id: claims.sid } });
+          if (success) return undefined;
+          return new Response('WebSocket upgrade failed', { status: 500 });
+        }
+        // 1. Auth check (if configured)
+        const tokenAuthEnabled = Boolean(self.authToken);
+        const passwordAuthEnabled = Boolean(self.dashboardPasswordHash);
+        const dashboardAuthEnabled = tokenAuthEnabled || passwordAuthEnabled;
+        const cookieToken = tokenAuthEnabled ? getCookie(req, 'token') : null;
+        const hasValidToken = Boolean(
+          tokenAuthEnabled &&
+          self.authToken &&
+          cookieToken &&
+          safeCompare(cookieToken, self.authToken),
+        );
+        const queryToken = tokenAuthEnabled ? url.searchParams.get('token') : null;
+        const hasValidQueryToken = Boolean(
+          tokenAuthEnabled &&
+          self.authToken &&
+          queryToken &&
+          safeCompare(queryToken, self.authToken),
+        );
+        const session = passwordAuthEnabled ? getDashboardSessionFromRequest(req) : null;
+        const isAuthenticated = hasValidToken || Boolean(session);
+        const wantsJsonUnauthorized = pathname.startsWith('/api/') || pathname === '/ws';
+        if (dashboardAuthEnabled && !isPublicRoute(pathname, req.method) && hasValidQueryToken) {
+          const cleanParams = new URLSearchParams(url.searchParams);
+          cleanParams.delete('token');
+          const qs = cleanParams.toString();
+          const redirectTo = pathname + (qs ? '?' + qs : '');
+          return new Response(null, {
+            status: 302,
+            headers: {
+              'Location': redirectTo || '/',
+              'Set-Cookie': `token=${queryToken}; Path=/; SameSite=Lax; HttpOnly`,
+            },
+          });
+        }
+        if (dashboardAuthEnabled && !isPublicRoute(pathname, req.method)) {
+          if (wantsJsonUnauthorized && !isAuthenticated) {
+            return Response.json({ error: 'Unauthorized' }, { status: 401 });
+          }
+          if (!passwordAuthEnabled && !isAuthenticated) {
+            return new Response(AUTH_ERROR_HTML, {
+              status: 401,
+              headers: { 'Content-Type': 'text/html' },
+            });
+          }
+        }
+            // Check ?token= query param — set cookie via Set-Cookie and redirect
+        /*
+            const queryToken = url.searchParams.get('token');
+            if (queryToken && safeCompare(queryToken, self.authToken)) {
+              const cleanParams = new URLSearchParams(url.searchParams);
+              cleanParams.delete('token');
+              const qs = cleanParams.toString();
+              const redirectTo = pathname + (qs ? '?' + qs : '');
+              return new Response(null, {
+                status: 302,
+                headers: {
+                  'Location': redirectTo || '/',
+                  'Set-Cookie': `token=${queryToken}; Path=/; SameSite=Lax; HttpOnly`,
+                },
+              });
+            }
+            // No valid auth — API & WebSocket get JSON 401; browsers get the auth error page
+            if (pathname.startsWith('/api/') || pathname === '/ws') {
+              return Response.json({ error: 'Unauthorized' }, { status: 401 });
+            }
+            return new Response(AUTH_ERROR_HTML, {
+              status: 401,
+              headers: { 'Content-Type': 'text/html' },
+            });
+          }
+        */
+        // 2. WebSocket upgrade — validate Origin to block cross-origin connections
+        //    (e.g., dev server iframes on different ports attempting ws://localhost:3142/ws)
+        if (pathname === '/ws') {
+          const origin = req.headers.get('origin');
+          const expectedOrigin = self.corsOrigin || `http://localhost:${self.port}`;
+          if (origin && origin !== expectedOrigin) {
+            return new Response('Forbidden: origin mismatch', { status: 403 });
+          }
+          const success = server.upgrade(req, { data: {} });
+          if (success) return undefined;
+          return new Response('WebSocket upgrade failed', { status: 500 });
+        }
+        // 3. Health check (always public)
+        if (pathname === '/health') {
+          return Response.json({
+            status: 'ok',
+            uptime: Date.now() - self.startTime,
+            clients: self.clients.size,
+            timestamp: Date.now(),
+          });
+        }
+        // 3b. Site builder proxy — intercept before API route matching
+        if (self.siteProxy && pathname.startsWith('/api/sites/') && pathname.includes('/proxy')) {
+          const match = self.siteProxy.matchProxy(pathname);
+          if (match) {
+            // Rate limit proxy requests
+            if (!self.proxyLimiter.allow()) {
+              return new Response(JSON.stringify({ error: 'Too many proxy requests' }), {
+                status: 429,
+                headers: { 'Content-Type': 'application/json', 'Retry-After': '10' },
+              });
+            }
+            // WebSocket upgrade for HMR — bridge to dev server
+            if (req.headers.get('upgrade')?.toLowerCase() === 'websocket') {
+              const targetUrl = self.siteProxy.getWebSocketTarget(match.projectId, match.subPath);
+              if (!targetUrl) {
+                return new Response('Dev server not running', { status: 502 });
+              }
+              const success = server.upgrade(req, {
+                data: { proxy_target: targetUrl },
+              });
+              if (success) return undefined;
+              return new Response('WebSocket upgrade failed', { status: 500 });
+            }
+            // HTTP proxy
+            return self.siteProxy.proxyHttp(req, match.projectId, match.subPath);
+          }
+        }
+        // 4. API routes
+        if (pathname.startsWith('/api/')) {
+          // Handle CORS preflight
+          if (req.method === 'OPTIONS') {
+            const allowedOrigin = self.corsOrigin || `http://localhost:${self.port}`;
+            return new Response(null, {
+              status: 204,
+              headers: {
+                'Access-Control-Allow-Origin': allowedOrigin,
+                'Access-Control-Allow-Methods': 'GET, POST, PATCH, DELETE, OPTIONS',
+                'Access-Control-Allow-Headers': 'Content-Type',
+              },
+            });
+          }
+          // Try exact match first
+          const exactRoute = self.apiRoutes.get(pathname);
+          if (exactRoute) {
+            const handler = exactRoute[req.method];
+            if (handler) return handler(req);
+            return new Response('Method Not Allowed', { status: 405 });
+          }
+          // Try parameterized routes (e.g., /api/vault/entities/:id)
+          for (const [pattern, methods] of self.apiRoutes) {
+            const params = matchRoute(pattern, pathname);
+            if (params) {
+              const handler = methods[req.method];
+              if (handler) {
+                // Attach params to request
+                (req as any).params = params;
+                return handler(req);
+              }
+              return new Response('Method Not Allowed', { status: 405 });
+            }
+          }
+          return Response.json({ error: 'Not found' }, { status: 404 });
+        }
+        // 5a. Overlay widget (served from ui/ source, not dist/)
+        if (pathname === '/overlay' && self.staticDir) {
+          if (dashboardAuthEnabled && !isAuthenticated) {
+            return new Response(AUTH_ERROR_HTML, {
+              status: 401,
+              headers: { 'Content-Type': 'text/html' },
+            });
+          }
+          // overlay.html lives in the ui/ source directory (parent of dist/)
+          const overlayPath = path.join(self.staticDir, '..', 'overlay.html');
+          const overlayFile = Bun.file(overlayPath);
+          if (await overlayFile.exists()) {
+            if (self.authToken) {
+              const html = await overlayFile.text();
+              return new Response(injectTokenStrip(html), { headers: { 'Content-Type': 'text/html' } });
+            }
+            return new Response(overlayFile, { headers: { 'Content-Type': 'text/html' } });
+          }
+        }
+        // 5b. Static files (dashboard)
+        if (self.staticDir) {
+          let filePath: string;
+          if (pathname === '/' || pathname === '/index.html') {
+            filePath = path.join(self.staticDir, 'index.html');
+          } else {
+            // Serve JS/CSS/assets — resolve and validate within staticDir
+            filePath = path.resolve(self.staticDir, '.' + pathname);
+          }
+          // Prevent path traversal outside staticDir
+          if (!filePath.startsWith(path.resolve(self.staticDir) + path.sep) && filePath !== path.resolve(self.staticDir, 'index.html')) {
+            return new Response('Forbidden', { status: 403 });
+          }
+          const file = Bun.file(filePath);
+          if (await file.exists()) {
+            if (self.authToken && filePath.endsWith('.html')) {
+              const html = await file.text();
+              return new Response(injectTokenStrip(html), { headers: { 'Content-Type': 'text/html' } });
+            }
+            return new Response(file);
+          }
+        }
+        // 6. Public assets fallback (models, WASM, etc.)
+        if (self.publicDir) {
+          const publicPath = path.resolve(self.publicDir, '.' + pathname);
+          // Prevent path traversal outside publicDir
+          if (!publicPath.startsWith(path.resolve(self.publicDir) + path.sep)) {
+            return new Response('Forbidden', { status: 403 });
+          }
+          const publicFile = Bun.file(publicPath);
+          if (await publicFile.exists()) {
+            return new Response(publicFile);
+          }
+        }
+        // 7. Site builder catch-all — proxy unmatched paths to the active
+        //    dev server using the __proj cookie set by the explicit proxy route.
+        //    This handles absolute paths (/src/main.tsx, /node_modules/...) that
+        //    frameworks emit and that don't match any JARVIS route.
+        if (self.siteProxy) {
+          if (dashboardAuthEnabled && !isAuthenticated) {
+            return new Response('Unauthorized', { status: 401 });
+          }
+          // WebSocket upgrade (e.g. Vite HMR)
+          if (req.headers.get('upgrade')?.toLowerCase() === 'websocket') {
+            const targetUrl = self.siteProxy.getWebSocketTargetFromCookie(req, pathname);
+            if (targetUrl) {
+              const success = server.upgrade(req, { data: { proxy_target: targetUrl } });
+              if (success) return undefined;
+            }
+          }
+          // HTTP
+          const proxyResp = await self.siteProxy.proxyCatchAll(req, pathname + url.search);
+          if (proxyResp) return proxyResp;
+        }
+        return new Response('Not Found', { status: 404 });
+      },
+      websocket: {
+        // Limit individual WS messages to 16 MB (defense against abusive HMR payloads)
+        maxPayloadLength: 16 * 1024 * 1024,
+        open(ws) {
+          // HMR proxy WebSocket — bridge to dev server
+          const proxyTarget = (ws.data as any)?.proxy_target as string | undefined;
+          if (proxyTarget) {
+            const upstream = new WebSocket(proxyTarget);
+            (ws.data as any)._proxyUpstream = upstream;
+            upstream.onmessage = (e) => {
+              try {
+                // Enforce size limit on upstream messages too
+                const data = e.data;
+                const size = typeof data === 'string' ? data.length : (data as ArrayBuffer).byteLength ?? 0;
+                if (size > 16 * 1024 * 1024) return; // drop oversized frames
+                ws.send(data);
+              } catch { /* client gone */ }
+            };
+            upstream.onerror = () => { try { ws.close(); } catch { /* ignore */ } };
+            upstream.onclose = () => { try { ws.close(); } catch { /* ignore */ } };
+            return;
+          }
+          const sidecarId = (ws.data as any)?.sidecar_id as string | undefined;
+          if (sidecarId && self.sidecarManager) {
+            self.sidecarManager.handleSidecarConnect(ws, sidecarId);
+            return;
+          }
+          self.clients.add(ws);
+          console.log('[WebSocketServer] Client connected. Total clients:', self.clients.size);
+          self.handler?.onConnect(ws);
+        },
+        async message(ws, message) {
+          // HMR proxy — forward to upstream dev server
+          const proxyUpstream = (ws.data as any)?._proxyUpstream as WebSocket | undefined;
+          if (proxyUpstream) {
+            if (proxyUpstream.readyState === WebSocket.OPEN) {
+              proxyUpstream.send(message);
+            }
+            return;
+          }
+          const sidecarId = (ws.data as any)?.sidecar_id as string | undefined;
+          if (sidecarId && self.sidecarManager) {
+            self.sidecarManager.handleSidecarMessage(ws, message);
+            return;
+          }
+          // Binary frame = audio data (mic audio from client)
+          if (message instanceof Buffer) {
+            if (self.handler?.onBinaryMessage) {
+              try {
+                await self.handler.onBinaryMessage(message, ws);
+              } catch (error) {
+                console.error('[WebSocketServer] Error processing binary message:', error);
+              }
+            }
+            return;
+          }
+          // Text frame = JSON message (existing protocol)
+          try {
+            const msg: WSMessage = JSON.parse(message.toString());
+            console.log('[WebSocketServer] Received:', msg.type, msg.id);
+            if (self.handler) {
+              const response = await self.handler.onMessage(msg, ws);
+              if (response) {
+                ws.send(JSON.stringify(response));
+              }
+            }
+          } catch (error) {
+            console.error('[WebSocketServer] Error processing message:', error);
+            const errorMsg: WSMessage = {
+              type: 'error',
+              payload: {
+                message: error instanceof Error ? error.message : 'Unknown error',
+              },
+              timestamp: Date.now(),
+            };
+            ws.send(JSON.stringify(errorMsg));
+          }
+        },
+        pong(ws) {
+          const sidecarId = (ws.data as any)?.sidecar_id as string | undefined;
+          if (sidecarId && self.sidecarManager) {
+            self.sidecarManager.handleSidecarPong(sidecarId);
+          }
+        },
+        close(ws) {
+          // HMR proxy cleanup
+          const proxyUpstream = (ws.data as any)?._proxyUpstream as WebSocket | undefined;
+          if (proxyUpstream) {
+            try { proxyUpstream.close(); } catch { /* ignore */ }
+            return;
+          }
+          const sidecarId = (ws.data as any)?.sidecar_id as string | undefined;
+          if (sidecarId && self.sidecarManager) {
+            self.sidecarManager.handleSidecarDisconnect(sidecarId);
+            return;
+          }
+          self.clients.delete(ws);
+          console.log('[WebSocketServer] Client disconnected. Total clients:', self.clients.size);
+          self.handler?.onDisconnect(ws);
+        },
+      },
+    });
+    console.log(`[WebSocketServer] Started on ws://localhost:${this.port}/ws`);
+    console.log(`[WebSocketServer] Health endpoint: http://localhost:${this.port}/health`);
+    if (this.staticDir) {
+      console.log(`[WebSocketServer] Dashboard: http://localhost:${this.port}/`);
+    }
+  }
+  stop(): void {
+    if (this.server) {
+      this.server.stop();
+      this.server = null;
+      this.clients.clear();
+      console.log('[WebSocketServer] Stopped');
+    }
+  }
+  broadcast(message: WSMessage): void {
+    const payload = JSON.stringify(message);
+    let sent = 0;
+    for (const client of this.clients) {
+      try {
+        client.send(payload);
+        sent++;
+      } catch (error) {
+        console.error('[WebSocketServer] Error broadcasting to client:', error);
+      }
+    }
+    // Only log errors or when no clients received the message
+    if (sent === 0 && this.clients.size > 0) {
+      console.warn(`[WebSocketServer] Broadcast failed: 0/${this.clients.size} clients received message`);
+    }
+  }
+  send(client: ServerWebSocket<unknown>, message: WSMessage): void {
+    try {
+      client.send(JSON.stringify(message));
+    } catch (error) {
+      console.error('[WebSocketServer] Error sending to client:', error);
+    }
+  }
+  /**
+   * Unicast a JSON message to a specific client (e.g. tts_start/tts_end signals).
+   */
+  sendToClient(ws: ServerWebSocket<unknown>, message: WSMessage): void {
+    try {
+      ws.send(JSON.stringify(message));
+    } catch (error) {
+      console.error('[WebSocketServer] Error unicasting to client:', error);
+    }
+  }
+  /**
+   * Unicast binary data to a specific client (e.g. TTS audio chunks).
+   */
+  sendBinary(ws: ServerWebSocket<unknown>, data: Buffer): void {
+    try {
+      ws.sendBinary(data);
+    } catch (error) {
+      console.error('[WebSocketServer] Error sending binary to client:', error);
+    }
+  }
+  isRunning(): boolean {
+    return this.server !== null;
+  }
+  getPort(): number {
+    return this.port;
+  }
+  getClientCount(): number {
+    return this.clients.size;
+  }
+  getClients(): Set<ServerWebSocket<unknown>> {
+    return this.clients;
+  }
+}
+/**
+ * Inject the token-stripping script into an HTML page (right after <head>).
+ */
+function injectTokenStrip(html: string): string {
+  const headIdx = html.indexOf('<head>');
+  if (headIdx !== -1) {
+    return html.slice(0, headIdx + 6) + TOKEN_STRIP_SCRIPT + html.slice(headIdx + 6);
+  }
+  const htmlIdx = html.indexOf('<html');
+  if (htmlIdx !== -1) {
+    const closeTag = html.indexOf('>', htmlIdx);
+    if (closeTag !== -1) {
+      return html.slice(0, closeTag + 1) + TOKEN_STRIP_SCRIPT + html.slice(closeTag + 1);
+    }
+  }
+  return TOKEN_STRIP_SCRIPT + html;
+}
+/**
+ * Match a route pattern like '/api/vault/entities/:id/facts' against a pathname.
+ * Returns params object if matched, null otherwise.
+ */
+function matchRoute(pattern: string, pathname: string): Record<string, string> | null {
+  // Skip wildcard patterns
+  if (pattern.includes('*')) return null;
+  const patternParts = pattern.split('/');
+  const pathParts = pathname.split('/');
+  if (patternParts.length !== pathParts.length) return null;
+  const params: Record<string, string> = {};
+  for (let i = 0; i < patternParts.length; i++) {
+    if (patternParts[i]!.startsWith(':')) {
+      params[patternParts[i]!.slice(1)] = pathParts[i]!;
+    } else if (patternParts[i] !== pathParts[i]) {
+      return null;
+    }
+  }
+  return Object.keys(params).length > 0 ? params : null;
+}