@skaile/workspaces 0.22.0-beta.1 → 0.22.0

package/dist/{chunk-XIHFJVOD.js.map → chunk-WH2EB2SF.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../cli/src/store-client.ts"],"names":[],"mappings":";;;;;AAuBO,SAAS,cAAA,GAA8B;AAC5C,EAAA,MAAM,eAAe,kBAAA,EAAmB;AACxC,EAAA,IAAI,WAAgC,EAAC;AACrC,EAAA,IAAI,UAAA,CAAW,YAAY,CAAA,EAAG;AAC5B,IAAA,IAAI;AACF,MAAA,QAAA,GAAW,gBAAgB,IAAA,CAAK,KAAA,CAAM,aAAa,YAAA,EAAc,OAAO,CAAC,CAAC,CAAA;AAAA,IAC5E,CAAA,CAAA,MAAQ;AACN,MAAA,QAAA,GAAW,EAAC;AAAA,IACd;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA,CAAS,QAAA,IAAY,OAAA,CAAQ,IAAI,gBAAA,IAAoB,yBAAA;AAAA,IAC1D,GAAA,EAAK,SAAS,QAAA,IAAY,IAAA;AAAA,IAC1B,YAAA,EAAc,SAAS,iBAAA,IAAqB;AAAA,GAC9C;AACF;AAGA,SAAS,gBAAA,GAA2B;AAClC,EAAA,OAAO,IAAA,CAAK,OAAA,EAAQ,EAAG,SAAA,EAAW,eAAe,CAAA;AACnD;AASO,SAAS,eAAA,CAAgB,KAAa,YAAA,EAA4B;AACvE,EAAA,MAAM,eAAe,gBAAA,EAAiB;AACtC,EAAA,MAAM,GAAA,GAAM,IAAA,CAAK,YAAA,EAAc,IAAI,CAAA;AACnC,EAAA,SAAA,CAAU,GAAA,EAAK,EAAE,SAAA,EAAW,IAAA,EAAM,CAAA;AAElC,EAAA,IAAI,UAA+B,EAAC;AACpC,EAAA,IAAI,UAAA,CAAW,YAAY,CAAA,EAAG;AAC5B,IAAA,IAAI;AACF,MAAA,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,YAAA,CAAa,YAAA,EAAc,OAAO,CAAC,CAAA;AAAA,IAC1D,CAAA,CAAA,MAAQ;AACN,MAAA,OAAA,GAAU,EAAC;AAAA,IACb;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,QAAA,GAAW,GAAA;AACnB,EAAA,OAAA,CAAQ,iBAAA,GAAoB,YAAA;AAC5B,EAAA,aAAA,CAAc,cAAc,IAAA,CAAK,SAAA,CAAU,SAAS,IAAA,EAAM,CAAC,GAAG,OAAO,CAAA;AACvE;AAOO,SAAS,gBAAA,GAAyB;AACvC,EAAA,MAAM,eAAe,gBAAA,EAAiB;AACtC,EAAA,IAAI,CAAC,UAAA,CAAW,YAAY,CAAA,EAAG;AAE/B,EAAA,IAAI;AACF,IAAA,MAAM,UAAU,IAAA,CAAK,KAAA,CAAM,YAAA,CAAa,YAAA,EAAc,OAAO,CAAC,CAAA;AAC9D,IAAA,OAAO,OAAA,CAAQ,QAAA;AACf,IAAA,OAAO,OAAA,CAAQ,iBAAA;AACf,IAAA,aAAA,CAAc,cAAc,IAAA,CAAK,SAAA,CAAU,SAAS,IAAA,EAAM,CAAC,GAAG,OAAO,CAAA;AAAA,EACvE,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAWA,eAAsB,UAAA,CACpB,MAAA,EACA,IAAA,EACA,IAAA,EAMY;AACZ,EAAA,IAAI,GAAA,GAAM,CAAA,EAAG,MAAA,CAAO,GAAG,GAAG,IAAI,CAAA,CAAA;AAC9B,EAAA,IAAI,MAAM,MAAA,EAAQ;AAChB,IAAA,MAAM,EAAA,GAAK,IAAI,eAAA,CAAgB,IAAA,CAAK,MAAM,CAAA;AAC1C,IAAA,GAAA,IAAO,IAAI,EAAE,CAAA,CAAA;AAAA,EACf;AAEA,EAAA,MAAM,OAAA,GAAkC;AAAA,IACtC,cAAA,EAAgB,kBAAA;AAAA,IAChB,MAAA,EAAQ,kBAAA;AAAA,IACR,GAAI,IAAA,EAAM,OAAA,IAAW;AAAC,GACxB;AACA,EAAA,IAAI,OAAO,GAAA,EAAK;AACd,IAAA,OAAA,CAAQ,aAAA,GAAgB,CAAA,OAAA,EAAU,MAAA,CAAO,GAAG,CAAA,CAAA;AAAA,EAC9C;AAEA,EAAA,MAAM,SAAA,GAAyB;AAAA,IAC7B,MAAA,EAAQ,MAAM,MAAA,IAAU,KAAA;AAAA,IACxB;AAAA,GACF;AACA,EAAA,IAAI,MAAM,IAAA,EAAM;AACd,IAAA,SAAA,CAAU,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,IAAI,CAAA;AAAA,EAC3C;AAEA,EAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,EAAA,MAAM,UAAU,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,IAAK,CAAA;AAC1D,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAA,EAAK,EAAE,GAAG,SAAA,EAAW,MAAA,EAAQ,UAAA,CAAW,MAAA,EAAQ,CAAA;AACxE,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK,CAAE,KAAA,CAAM,OAAO,EAAE,KAAA,EAAO,CAAA,KAAA,EAAQ,GAAA,CAAI,MAAM,IAAG,CAAE,CAAA;AAC3E,MAAA,MAAM,IAAI,KAAA,CAAO,IAAA,CAAa,SAAS,CAAA,iBAAA,EAAoB,GAAA,CAAI,MAAM,CAAA,CAAE,CAAA;AAAA,IACzE;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EAClB,CAAA,SAAE;AACA,IAAA,YAAA,CAAa,OAAO,CAAA;AAAA,EACtB;AACF;AAQO,SAAS,qBAAqB,MAAA,EAA+B;AAClE,EAAA,MAAM,CAAA,GAAI,UAAU,cAAA,EAAe;AACnC,EAAA,OAAO,CAAC,CAAC,CAAA,CAAE,GAAA;AACb","file":"chunk-XIHFJVOD.js","sourcesContent":["import { existsSync, mkdirSync, readFileSync, writeFileSync } from \"node:fs\";\nimport { homedir } from \"node:os\";\nimport { join } from \"node:path\";\nimport { globalSettingsPath, mapLegacyFields } from \"@skaile/workspaces/core\";\n\n/**\n * Connection configuration for the AI Asset Store API.\n *\n * @docLink cli/dev-guide#store-client\n */\nexport interface StoreConfig {\n  url: string;\n  jwt: string | null;\n  refreshToken: string | null;\n}\n\n/**\n * Read store connection config from global user settings, falling back to\n * `SKAILE_STORE_URL` env var and the default store URL.\n *\n * @returns Populated {@link StoreConfig} with `url`, `jwt`, and `refreshToken`.\n * @docLink cli/dev-guide#store-client\n */\nexport function getStoreConfig(): StoreConfig {\n  const settingsPath = globalSettingsPath();\n  let settings: Record<string, any> = {};\n  if (existsSync(settingsPath)) {\n    try {\n      settings = mapLegacyFields(JSON.parse(readFileSync(settingsPath, \"utf-8\")));\n    } catch {\n      settings = {};\n    }\n  }\n  return {\n    url: settings.storeUrl ?? process.env.SKAILE_STORE_URL ?? \"https://store.skaile.ai\",\n    jwt: settings.storeJwt ?? null,\n    refreshToken: settings.storeRefreshToken ?? null,\n  };\n}\n\n/** Path to user-level settings */\nfunction userSettingsPath(): string {\n  return join(homedir(), \".skaile\", \"settings.json\");\n}\n\n/**\n * Persist store authentication tokens to `~/.skaile/settings.json`.\n *\n * @param jwt - The JWT access token returned by the store login endpoint.\n * @param refreshToken - The refresh token for obtaining new JWTs.\n * @docLink cli/dev-guide#store-client\n */\nexport function saveStoreTokens(jwt: string, refreshToken: string): void {\n  const settingsPath = userSettingsPath();\n  const dir = join(settingsPath, \"..\");\n  mkdirSync(dir, { recursive: true });\n\n  let current: Record<string, any> = {};\n  if (existsSync(settingsPath)) {\n    try {\n      current = JSON.parse(readFileSync(settingsPath, \"utf-8\"));\n    } catch {\n      current = {};\n    }\n  }\n\n  current.storeJwt = jwt;\n  current.storeRefreshToken = refreshToken;\n  writeFileSync(settingsPath, JSON.stringify(current, null, 2), \"utf-8\");\n}\n\n/**\n * Remove store authentication tokens from `~/.skaile/settings.json`.\n *\n * @docLink cli/dev-guide#store-client\n */\nexport function clearStoreTokens(): void {\n  const settingsPath = userSettingsPath();\n  if (!existsSync(settingsPath)) return;\n\n  try {\n    const current = JSON.parse(readFileSync(settingsPath, \"utf-8\"));\n    delete current.storeJwt;\n    delete current.storeRefreshToken;\n    writeFileSync(settingsPath, JSON.stringify(current, null, 2), \"utf-8\");\n  } catch {\n    // ignore\n  }\n}\n\n/**\n * Make an authenticated HTTP request to the store REST API with a 1.5s timeout.\n *\n * @param config - Store connection config (URL + auth token).\n * @param path - API path (e.g. `/api/assets`).\n * @param opts - Optional method, body, query params, and extra headers.\n * @returns Parsed JSON response body.\n * @docLink cli/dev-guide#store-client\n */\nexport async function storeFetch<T = any>(\n  config: StoreConfig,\n  path: string,\n  opts?: {\n    method?: string;\n    body?: unknown;\n    params?: Record<string, string>;\n    headers?: Record<string, string>;\n  },\n): Promise<T> {\n  let url = `${config.url}${path}`;\n  if (opts?.params) {\n    const sp = new URLSearchParams(opts.params);\n    url += `?${sp}`;\n  }\n\n  const headers: Record<string, string> = {\n    \"Content-Type\": \"application/json\",\n    Accept: \"application/json\",\n    ...(opts?.headers ?? {}),\n  };\n  if (config.jwt) {\n    headers.Authorization = `Bearer ${config.jwt}`;\n  }\n\n  const fetchOpts: RequestInit = {\n    method: opts?.method ?? \"GET\",\n    headers,\n  };\n  if (opts?.body) {\n    fetchOpts.body = JSON.stringify(opts.body);\n  }\n\n  const controller = new AbortController();\n  const timeout = setTimeout(() => controller.abort(), 1_500);\n  try {\n    const res = await fetch(url, { ...fetchOpts, signal: controller.signal });\n    if (!res.ok) {\n      const body = await res.json().catch(() => ({ error: `HTTP ${res.status}` }));\n      throw new Error((body as any).error ?? `Store API error: ${res.status}`);\n    }\n    return res.json() as Promise<T>;\n  } finally {\n    clearTimeout(timeout);\n  }\n}\n\n/**\n * Return `true` if a JWT token is present in the provided (or default) store config.\n *\n * @param config - Optional pre-loaded config; if omitted, calls {@link getStoreConfig}.\n * @docLink cli/dev-guide#store-client\n */\nexport function isStoreAuthenticated(config?: StoreConfig): boolean {\n  const c = config ?? getStoreConfig();\n  return !!c.jwt;\n}\n"]}
+{"version":3,"sources":["../cli/src/store-client.ts"],"names":[],"mappings":";;;;;AAuBO,SAAS,cAAA,GAA8B;AAC5C,EAAA,MAAM,eAAe,kBAAA,EAAmB;AACxC,EAAA,IAAI,WAAgC,EAAC;AACrC,EAAA,IAAI,UAAA,CAAW,YAAY,CAAA,EAAG;AAC5B,IAAA,IAAI;AACF,MAAA,QAAA,GAAW,gBAAgB,IAAA,CAAK,KAAA,CAAM,aAAa,YAAA,EAAc,OAAO,CAAC,CAAC,CAAA;AAAA,IAC5E,CAAA,CAAA,MAAQ;AACN,MAAA,QAAA,GAAW,EAAC;AAAA,IACd;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA,CAAS,QAAA,IAAY,OAAA,CAAQ,IAAI,gBAAA,IAAoB,yBAAA;AAAA,IAC1D,GAAA,EAAK,SAAS,QAAA,IAAY,IAAA;AAAA,IAC1B,YAAA,EAAc,SAAS,iBAAA,IAAqB;AAAA,GAC9C;AACF;AAGA,SAAS,gBAAA,GAA2B;AAClC,EAAA,OAAO,IAAA,CAAK,OAAA,EAAQ,EAAG,SAAA,EAAW,eAAe,CAAA;AACnD;AASO,SAAS,eAAA,CAAgB,KAAa,YAAA,EAA4B;AACvE,EAAA,MAAM,eAAe,gBAAA,EAAiB;AACtC,EAAA,MAAM,GAAA,GAAM,IAAA,CAAK,YAAA,EAAc,IAAI,CAAA;AACnC,EAAA,SAAA,CAAU,GAAA,EAAK,EAAE,SAAA,EAAW,IAAA,EAAM,CAAA;AAElC,EAAA,IAAI,UAA+B,EAAC;AACpC,EAAA,IAAI,UAAA,CAAW,YAAY,CAAA,EAAG;AAC5B,IAAA,IAAI;AACF,MAAA,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,YAAA,CAAa,YAAA,EAAc,OAAO,CAAC,CAAA;AAAA,IAC1D,CAAA,CAAA,MAAQ;AACN,MAAA,OAAA,GAAU,EAAC;AAAA,IACb;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,QAAA,GAAW,GAAA;AACnB,EAAA,OAAA,CAAQ,iBAAA,GAAoB,YAAA;AAC5B,EAAA,aAAA,CAAc,cAAc,IAAA,CAAK,SAAA,CAAU,SAAS,IAAA,EAAM,CAAC,GAAG,OAAO,CAAA;AACvE;AAOO,SAAS,gBAAA,GAAyB;AACvC,EAAA,MAAM,eAAe,gBAAA,EAAiB;AACtC,EAAA,IAAI,CAAC,UAAA,CAAW,YAAY,CAAA,EAAG;AAE/B,EAAA,IAAI;AACF,IAAA,MAAM,UAAU,IAAA,CAAK,KAAA,CAAM,YAAA,CAAa,YAAA,EAAc,OAAO,CAAC,CAAA;AAC9D,IAAA,OAAO,OAAA,CAAQ,QAAA;AACf,IAAA,OAAO,OAAA,CAAQ,iBAAA;AACf,IAAA,aAAA,CAAc,cAAc,IAAA,CAAK,SAAA,CAAU,SAAS,IAAA,EAAM,CAAC,GAAG,OAAO,CAAA;AAAA,EACvE,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAWA,eAAsB,UAAA,CACpB,MAAA,EACA,IAAA,EACA,IAAA,EAMY;AACZ,EAAA,IAAI,GAAA,GAAM,CAAA,EAAG,MAAA,CAAO,GAAG,GAAG,IAAI,CAAA,CAAA;AAC9B,EAAA,IAAI,MAAM,MAAA,EAAQ;AAChB,IAAA,MAAM,EAAA,GAAK,IAAI,eAAA,CAAgB,IAAA,CAAK,MAAM,CAAA;AAC1C,IAAA,GAAA,IAAO,IAAI,EAAE,CAAA,CAAA;AAAA,EACf;AAEA,EAAA,MAAM,OAAA,GAAkC;AAAA,IACtC,cAAA,EAAgB,kBAAA;AAAA,IAChB,MAAA,EAAQ,kBAAA;AAAA,IACR,GAAI,IAAA,EAAM,OAAA,IAAW;AAAC,GACxB;AACA,EAAA,IAAI,OAAO,GAAA,EAAK;AACd,IAAA,OAAA,CAAQ,aAAA,GAAgB,CAAA,OAAA,EAAU,MAAA,CAAO,GAAG,CAAA,CAAA;AAAA,EAC9C;AAEA,EAAA,MAAM,SAAA,GAAyB;AAAA,IAC7B,MAAA,EAAQ,MAAM,MAAA,IAAU,KAAA;AAAA,IACxB;AAAA,GACF;AACA,EAAA,IAAI,MAAM,IAAA,EAAM;AACd,IAAA,SAAA,CAAU,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,IAAI,CAAA;AAAA,EAC3C;AAEA,EAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,EAAA,MAAM,UAAU,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,IAAK,CAAA;AAC1D,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAA,EAAK,EAAE,GAAG,SAAA,EAAW,MAAA,EAAQ,UAAA,CAAW,MAAA,EAAQ,CAAA;AACxE,IAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,MAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK,CAAE,KAAA,CAAM,OAAO,EAAE,KAAA,EAAO,CAAA,KAAA,EAAQ,GAAA,CAAI,MAAM,IAAG,CAAE,CAAA;AAC3E,MAAA,MAAM,IAAI,KAAA,CAAO,IAAA,CAAa,SAAS,CAAA,iBAAA,EAAoB,GAAA,CAAI,MAAM,CAAA,CAAE,CAAA;AAAA,IACzE;AACA,IAAA,OAAO,IAAI,IAAA,EAAK;AAAA,EAClB,CAAA,SAAE;AACA,IAAA,YAAA,CAAa,OAAO,CAAA;AAAA,EACtB;AACF;AAQO,SAAS,qBAAqB,MAAA,EAA+B;AAClE,EAAA,MAAM,CAAA,GAAI,UAAU,cAAA,EAAe;AACnC,EAAA,OAAO,CAAC,CAAC,CAAA,CAAE,GAAA;AACb","file":"chunk-WH2EB2SF.js","sourcesContent":["import { existsSync, mkdirSync, readFileSync, writeFileSync } from \"node:fs\";\nimport { homedir } from \"node:os\";\nimport { join } from \"node:path\";\nimport { globalSettingsPath, mapLegacyFields } from \"@skaile/workspaces/core\";\n\n/**\n * Connection configuration for the AI Asset Store API.\n *\n * @docLink cli/dev-guide#store-client\n */\nexport interface StoreConfig {\n  url: string;\n  jwt: string | null;\n  refreshToken: string | null;\n}\n\n/**\n * Read store connection config from global user settings, falling back to\n * `SKAILE_STORE_URL` env var and the default store URL.\n *\n * @returns Populated {@link StoreConfig} with `url`, `jwt`, and `refreshToken`.\n * @docLink cli/dev-guide#store-client\n */\nexport function getStoreConfig(): StoreConfig {\n  const settingsPath = globalSettingsPath();\n  let settings: Record<string, any> = {};\n  if (existsSync(settingsPath)) {\n    try {\n      settings = mapLegacyFields(JSON.parse(readFileSync(settingsPath, \"utf-8\")));\n    } catch {\n      settings = {};\n    }\n  }\n  return {\n    url: settings.storeUrl ?? process.env.SKAILE_STORE_URL ?? \"https://store.skaile.ai\",\n    jwt: settings.storeJwt ?? null,\n    refreshToken: settings.storeRefreshToken ?? null,\n  };\n}\n\n/** Path to user-level settings */\nfunction userSettingsPath(): string {\n  return join(homedir(), \".skaile\", \"settings.json\");\n}\n\n/**\n * Persist store authentication tokens to `~/.skaile/settings.json`.\n *\n * @param jwt - The JWT access token returned by the store login endpoint.\n * @param refreshToken - The refresh token for obtaining new JWTs.\n * @docLink cli/dev-guide#store-client\n */\nexport function saveStoreTokens(jwt: string, refreshToken: string): void {\n  const settingsPath = userSettingsPath();\n  const dir = join(settingsPath, \"..\");\n  mkdirSync(dir, { recursive: true });\n\n  let current: Record<string, any> = {};\n  if (existsSync(settingsPath)) {\n    try {\n      current = JSON.parse(readFileSync(settingsPath, \"utf-8\"));\n    } catch {\n      current = {};\n    }\n  }\n\n  current.storeJwt = jwt;\n  current.storeRefreshToken = refreshToken;\n  writeFileSync(settingsPath, JSON.stringify(current, null, 2), \"utf-8\");\n}\n\n/**\n * Remove store authentication tokens from `~/.skaile/settings.json`.\n *\n * @docLink cli/dev-guide#store-client\n */\nexport function clearStoreTokens(): void {\n  const settingsPath = userSettingsPath();\n  if (!existsSync(settingsPath)) return;\n\n  try {\n    const current = JSON.parse(readFileSync(settingsPath, \"utf-8\"));\n    delete current.storeJwt;\n    delete current.storeRefreshToken;\n    writeFileSync(settingsPath, JSON.stringify(current, null, 2), \"utf-8\");\n  } catch {\n    // ignore\n  }\n}\n\n/**\n * Make an authenticated HTTP request to the store REST API with a 1.5s timeout.\n *\n * @param config - Store connection config (URL + auth token).\n * @param path - API path (e.g. `/api/assets`).\n * @param opts - Optional method, body, query params, and extra headers.\n * @returns Parsed JSON response body.\n * @docLink cli/dev-guide#store-client\n */\nexport async function storeFetch<T = any>(\n  config: StoreConfig,\n  path: string,\n  opts?: {\n    method?: string;\n    body?: unknown;\n    params?: Record<string, string>;\n    headers?: Record<string, string>;\n  },\n): Promise<T> {\n  let url = `${config.url}${path}`;\n  if (opts?.params) {\n    const sp = new URLSearchParams(opts.params);\n    url += `?${sp}`;\n  }\n\n  const headers: Record<string, string> = {\n    \"Content-Type\": \"application/json\",\n    Accept: \"application/json\",\n    ...(opts?.headers ?? {}),\n  };\n  if (config.jwt) {\n    headers.Authorization = `Bearer ${config.jwt}`;\n  }\n\n  const fetchOpts: RequestInit = {\n    method: opts?.method ?? \"GET\",\n    headers,\n  };\n  if (opts?.body) {\n    fetchOpts.body = JSON.stringify(opts.body);\n  }\n\n  const controller = new AbortController();\n  const timeout = setTimeout(() => controller.abort(), 1_500);\n  try {\n    const res = await fetch(url, { ...fetchOpts, signal: controller.signal });\n    if (!res.ok) {\n      const body = await res.json().catch(() => ({ error: `HTTP ${res.status}` }));\n      throw new Error((body as any).error ?? `Store API error: ${res.status}`);\n    }\n    return res.json() as Promise<T>;\n  } finally {\n    clearTimeout(timeout);\n  }\n}\n\n/**\n * Return `true` if a JWT token is present in the provided (or default) store config.\n *\n * @param config - Optional pre-loaded config; if omitted, calls {@link getStoreConfig}.\n * @docLink cli/dev-guide#store-client\n */\nexport function isStoreAuthenticated(config?: StoreConfig): boolean {\n  const c = config ?? getStoreConfig();\n  return !!c.jwt;\n}\n"]}

package/dist/{chunk-PBWMV5GM.js → chunk-WQ7DE5UC.js}

@@ -1,7 +1,7 @@
+import { decodeBearerFromHeader, tokensEqual } from './chunk-32NA4TVC.js';
 import { createServer } from 'http';
 import { WebSocketServer } from 'ws';
 
-// transport/src/ws/server.ts
 function validateSessionInitShape(cmd) {
   if (cmd.type !== "session_init") return "type must be 'session_init'";
   const identity = cmd.identity;
@@ -32,12 +32,14 @@ var WebSocketServerTransport = class {
   activeClient = null;
   port;
   log;
+  authToken;
   commandHandlers = /* @__PURE__ */ new Set();
   connectHandlers = /* @__PURE__ */ new Set();
   disconnectHandlers = /* @__PURE__ */ new Set();
   constructor(options) {
     this.port = options.port;
     this.log = options.onLog ?? console.log;
+    this.authToken = options.authToken;
   }
   /** Start the server and accept connections. */
   async listen() {
@@ -45,7 +47,19 @@ var WebSocketServerTransport = class {
       res.writeHead(200, { "content-type": "text/plain" });
       res.end("skaile agent server");
     });
-    const wss = new WebSocketServer({ server: httpServer });
+    const expected = this.authToken;
+    const wss = new WebSocketServer({
+      server: httpServer,
+      verifyClient: expected ? (info, cb) => {
+        const presented = decodeBearerFromHeader(info.req.headers["sec-websocket-protocol"]);
+        if (presented !== null && tokensEqual(presented, expected)) {
+          cb(true);
+        } else {
+          this.log("[ws-server] rejecting unauthenticated upgrade");
+          cb(false, 401, "Unauthorized");
+        }
+      } : void 0
+    });
     wss.on("connection", (ws) => this.handleConnection(ws));
     this.httpServer = httpServer;
     this.wss = wss;
@@ -167,5 +181,5 @@ var WebSocketServerTransport = class {
 };
 
 export { WebSocketServerTransport };
-//# sourceMappingURL=chunk-PBWMV5GM.js.map
-//# sourceMappingURL=chunk-PBWMV5GM.js.map
+//# sourceMappingURL=chunk-WQ7DE5UC.js.map
+//# sourceMappingURL=chunk-WQ7DE5UC.js.map

package/dist/chunk-WQ7DE5UC.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../transport/src/ws/server.ts"],"names":[],"mappings":";;;;AA6CA,SAAS,yBAAyB,GAAA,EAA6C;AAC7E,EAAA,IAAI,GAAA,CAAI,IAAA,KAAS,cAAA,EAAgB,OAAO,6BAAA;AAExC,EAAA,MAAM,WAAW,GAAA,CAAI,QAAA;AACrB,EAAA,IAAI,CAAC,YAAY,OAAO,QAAA,KAAa,YAAY,KAAA,CAAM,OAAA,CAAQ,QAAQ,CAAA,EAAG;AACxE,IAAA,OAAO,4BAAA;AAAA,EACT;AACA,EAAA,IAAI,OAAO,QAAA,CAAS,WAAA,KAAgB,QAAA,EAAU,OAAO,uCAAA;AACrD,EAAA,IAAI,OAAO,QAAA,CAAS,SAAA,KAAc,QAAA,EAAU,OAAO,qCAAA;AACnD,EAAA,IAAI,OAAO,QAAA,CAAS,SAAA,KAAc,QAAA,EAAU,OAAO,qCAAA;AAEnD,EAAA,MAAM,kBAAkB,GAAA,CAAI,eAAA;AAC5B,EAAA,IAAI,CAAC,mBAAmB,OAAO,eAAA,KAAoB,YAAY,KAAA,CAAM,OAAA,CAAQ,eAAe,CAAA,EAAG;AAC7F,IAAA,OAAO,mCAAA;AAAA,EACT;AACA,EAAA,IAAI,OAAO,eAAA,CAAgB,KAAA,KAAU,QAAA,EAAU,OAAO,wCAAA;AACtD,EAAA,IAAI,OAAO,eAAA,CAAgB,KAAA,KAAU,QAAA,EAAU,OAAO,wCAAA;AACtD,EAAA,IAAI,OAAO,eAAA,CAAgB,KAAA,KAAU,QAAA,EAAU,OAAO,wCAAA;AAEtD,EAAA,IACE,CAAC,GAAA,CAAI,cAAA,IACL,OAAO,GAAA,CAAI,cAAA,KAAmB,QAAA,IAC9B,KAAA,CAAM,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAChC;AACA,IAAA,OAAO,kCAAA;AAAA,EACT;AAEA,EAAA,IAAI,CAAC,GAAA,CAAI,WAAA,IAAe,OAAO,GAAA,CAAI,WAAA,KAAgB,QAAA,IAAY,KAAA,CAAM,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,EAAG;AAC7F,IAAA,OAAO,+BAAA;AAAA,EACT;AAEA,EAAA,OAAO,IAAA;AACT;AAyBO,IAAM,2BAAN,MAA0D;AAAA,EACvD,UAAA,GAAgC,IAAA;AAAA,EAChC,GAAA,GAA8B,IAAA;AAAA,EAC9B,YAAA,GAAiC,IAAA;AAAA,EACxB,IAAA;AAAA,EACA,GAAA;AAAA,EACA,SAAA;AAAA,EAEA,eAAA,uBAAsB,GAAA,EAAqC;AAAA,EAC3D,eAAA,uBAAsB,GAAA,EAAgB;AAAA,EACtC,kBAAA,uBAAyB,GAAA,EAAgB;AAAA,EAE1D,YAAY,OAAA,EAAiC;AAC3C,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AACpB,IAAA,IAAA,CAAK,GAAA,GAAM,OAAA,CAAQ,KAAA,IAAS,OAAA,CAAQ,GAAA;AACpC,IAAA,IAAA,CAAK,YAAY,OAAA,CAAQ,SAAA;AAAA,EAC3B;AAAA;AAAA,EAGA,MAAM,MAAA,GAAwB;AAC5B,IAAA,MAAM,UAAA,GAAa,YAAA,CAAa,CAAC,IAAA,EAAM,GAAA,KAAQ;AAC7C,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,cAAc,CAAA;AACnD,MAAA,GAAA,CAAI,IAAI,qBAAqB,CAAA;AAAA,IAC/B,CAAC,CAAA;AAKD,IAAA,MAAM,WAAW,IAAA,CAAK,SAAA;AACtB,IAAA,MAAM,GAAA,GAAM,IAAI,eAAA,CAAgB;AAAA,MAC9B,MAAA,EAAQ,UAAA;AAAA,MACR,YAAA,EAAc,QAAA,GACV,CAAC,IAAA,EAAM,EAAA,KAAO;AACZ,QAAA,MAAM,YAAY,sBAAA,CAAuB,IAAA,CAAK,GAAA,CAAI,OAAA,CAAQ,wBAAwB,CAAC,CAAA;AACnF,QAAA,IAAI,SAAA,KAAc,IAAA,IAAQ,WAAA,CAAY,SAAA,EAAW,QAAQ,CAAA,EAAG;AAC1D,UAAA,EAAA,CAAG,IAAI,CAAA;AAAA,QACT,CAAA,MAAO;AACL,UAAA,IAAA,CAAK,IAAI,+CAA+C,CAAA;AACxD,UAAA,EAAA,CAAG,KAAA,EAAO,KAAK,cAAc,CAAA;AAAA,QAC/B;AAAA,MACF,CAAA,GACA;AAAA,KACL,CAAA;AACD,IAAA,GAAA,CAAI,GAAG,YAAA,EAAc,CAAC,OAAO,IAAA,CAAK,gBAAA,CAAiB,EAAE,CAAC,CAAA;AACtD,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,GAAA,GAAM,GAAA;AAEX,IAAA,MAAM,IAAI,OAAA,CAAc,CAAC,OAAA,EAAS,MAAA,KAAW;AAC3C,MAAA,UAAA,CAAW,IAAA,CAAK,SAAS,MAAM,CAAA;AAC/B,MAAA,UAAA,CAAW,MAAA,CAAO,IAAA,CAAK,IAAA,EAAM,MAAM;AACjC,QAAA,UAAA,CAAW,GAAA,CAAI,SAAS,MAAM,CAAA;AAC9B,QAAA,OAAA,EAAQ;AAAA,MACV,CAAC,CAAA;AAAA,IACH,CAAC,CAAA;AAED,IAAA,MAAM,IAAA,GAAO,WAAW,OAAA,EAAQ;AAChC,IAAA,MAAM,YAAY,OAAO,IAAA,KAAS,YAAY,IAAA,GAAO,IAAA,CAAK,OAAO,IAAA,CAAK,IAAA;AACtE,IAAA,IAAA,CAAK,GAAA,CAAI,CAAA,8BAAA,EAAiC,SAAS,CAAA,CAAE,CAAA;AAAA,EACvD;AAAA,EAEQ,iBAAiB,EAAA,EAAqB;AAC5C,IAAA,IAAI,KAAK,YAAA,EAAc;AAIrB,MAAA,IAAA,CAAK,IAAI,2CAA2C,CAAA;AACpD,MAAA,IAAI;AACF,QAAA,IAAA,CAAK,YAAA,CAAa,KAAA,CAAM,IAAA,EAAM,4BAA4B,CAAA;AAAA,MAC5D,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AACA,IAAA,IAAA,CAAK,IAAI,8BAA8B,CAAA;AACvC,IAAA,IAAA,CAAK,YAAA,GAAe,EAAA;AACpB,IAAA,KAAA,MAAW,OAAA,IAAW,KAAK,eAAA,EAAiB;AAC1C,MAAA,OAAA,EAAQ;AAAA,IACV;AAEA,IAAA,EAAA,CAAG,EAAA,CAAG,SAAA,EAAW,CAAC,IAAA,KAAS;AACzB,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,MAAA,CAAO,IAAI,CAAC,CAAA;AAKtC,QAAA,IAAI,UAAU,OAAO,MAAA,KAAW,QAAA,IAAY,MAAA,CAAO,SAAS,cAAA,EAAgB;AAC1E,UAAA,MAAM,MAAA,GAAS,yBAAyB,MAAM,CAAA;AAC9C,UAAA,IAAI,WAAW,IAAA,EAAM;AACnB,YAAA,IAAA,CAAK,GAAA,CAAI,CAAA,4CAAA,EAA+C,MAAM,CAAA,CAAE,CAAA;AAChE,YAAA,IAAA,CAAK,OAAA,CAAQ;AAAA,cACX,IAAA,EAAM,OAAA;AAAA,cACN,OAAA,EAAS,yBAAyB,MAAM,CAAA,CAAA;AAAA,cACxC,KAAA,EAAO;AAAA,aACR,CAAA;AACD,YAAA;AAAA,UACF;AAAA,QACF;AACA,QAAA,MAAM,GAAA,GAAM,MAAA;AACZ,QAAA,KAAA,MAAW,OAAA,IAAW,KAAK,eAAA,EAAiB;AAC1C,UAAA,OAAA,CAAQ,GAAG,CAAA;AAAA,QACb;AAAA,MACF,SAAS,GAAA,EAAK;AACZ,QAAA,IAAA,CAAK,OAAA,CAAQ;AAAA,UACX,IAAA,EAAM,OAAA;AAAA,UACN,OAAA,EAAS,oBAAoB,GAAA,YAAe,KAAA,GAAQ,IAAI,OAAA,GAAU,MAAA,CAAO,GAAG,CAAC,CAAA,CAAA;AAAA,UAC7E,KAAA,EAAO;AAAA,SACR,CAAA;AAAA,MACH;AAAA,IACF,CAAC,CAAA;AAED,IAAA,EAAA,CAAG,EAAA,CAAG,SAAS,MAAM;AACnB,MAAA,IAAA,CAAK,IAAI,iCAAiC,CAAA;AAC1C,MAAA,IAAI,IAAA,CAAK,iBAAiB,EAAA,EAAI;AAC5B,QAAA,IAAA,CAAK,YAAA,GAAe,IAAA;AACpB,QAAA,KAAA,MAAW,OAAA,IAAW,KAAK,kBAAA,EAAoB;AAC7C,UAAA,OAAA,EAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI;AACF,MAAA,IAAA,CAAK,cAAc,SAAA,EAAU;AAAA,IAC/B,CAAA,CAAA,MAAQ;AAAA,IAER;AACA,IAAA,IAAA,CAAK,YAAA,GAAe,IAAA;AACpB,IAAA,IAAA,CAAK,KAAK,KAAA,EAAM;AAChB,IAAA,IAAA,CAAK,GAAA,GAAM,IAAA;AACX,IAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AACxB,IAAA,IAAA,CAAK,UAAA,GAAa,IAAA;AAClB,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,UAAA,CAAW,mBAAA,EAAoB;AAC/B,MAAA,MAAM,IAAI,QAAc,CAAC,OAAA,KAAY,WAAW,KAAA,CAAM,MAAM,OAAA,EAAS,CAAC,CAAA;AAAA,IACxE;AAAA,EACF;AAAA,EAEA,KAAK,KAAA,EAAyB;AAC5B,IAAA,IAAA,CAAK,QAAQ,KAAK,CAAA;AAAA,EACpB;AAAA,EAEA,UAAU,OAAA,EAAsD;AAC9D,IAAA,IAAA,CAAK,eAAA,CAAgB,IAAI,OAAO,CAAA;AAChC,IAAA,OAAO,MAAM;AACX,MAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,OAAO,CAAA;AAAA,IACrC,CAAA;AAAA,EACF;AAAA,EAEA,UAAU,OAAA,EAAiC;AACzC,IAAA,IAAA,CAAK,eAAA,CAAgB,IAAI,OAAO,CAAA;AAChC,IAAA,OAAO,MAAM;AACX,MAAA,IAAA,CAAK,eAAA,CAAgB,OAAO,OAAO,CAAA;AAAA,IACrC,CAAA;AAAA,EACF;AAAA,EAEA,aAAa,OAAA,EAAiC;AAC5C,IAAA,IAAA,CAAK,kBAAA,CAAmB,IAAI,OAAO,CAAA;AACnC,IAAA,OAAO,MAAM;AACX,MAAA,IAAA,CAAK,kBAAA,CAAmB,OAAO,OAAO,CAAA;AAAA,IACxC,CAAA;AAAA,EACF;AAAA,EAEA,IAAI,SAAA,GAAqB;AACvB,IAAA,OAAO,KAAK,YAAA,KAAiB,IAAA;AAAA,EAC/B;AAAA,EAEQ,QAAQ,IAAA,EAAqB;AACnC,IAAA,IAAI;AACF,MAAA,MAAM,SAAS,IAAA,CAAK,YAAA;AACpB,MAAA,IAAI,MAAA,IAAU,MAAA,CAAO,UAAA,KAAe,CAAA,EAAG;AACrC,QAAA,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,IAAI,CAAC,CAAA;AAAA,MAClC;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AACF","file":"chunk-WQ7DE5UC.js","sourcesContent":["/**\n * WebSocketServerTransport — `ws`-based WebSocket server.\n *\n * Accepts one client at a time. Implements ServerTransport from @skaile/workspaces/types.\n * Built on the `ws` package + `node:http`, both of which run under Node and Bun.\n */\n\nimport { createServer, type Server as HttpServer } from \"node:http\";\nimport type { AgentCommand, AgentEvent, ServerTransport } from \"@skaile/workspaces/types\";\nimport { type WebSocket, WebSocketServer } from \"ws\";\nimport { decodeBearerFromHeader, tokensEqual } from \"./auth.js\";\n\n/**\n * Options for {@link WebSocketServerTransport}.\n *\n * @param port - TCP port to bind to.\n * @param onLog - Optional callback for internal log lines (client connect/disconnect events).\n * @param authToken - When set, every upgrade must present this token via the\n *   `skaile-bearer.<base64url>` subprotocol or the handshake is rejected with\n *   HTTP 401. When unset, no auth is enforced (back-compatible default).\n *\n * @docLink packages/transport/dev-guide#websocket-server-transport\n */\nexport interface WebSocketServerOptions {\n  port: number;\n  onLog?: (line: string) => void;\n  authToken?: string;\n}\n\n/**\n * Shape-validate a `session_init` frame at ingress before forwarding to the\n * runner. Protocol v3 requires the deterministic bootstrap envelope to carry\n * an identity tuple, a semver-shaped `protocolVersion`, a resolved config\n * object, and a `credentials` map keyed by `mounts` / `connectors`. Frames\n * that fail the guard are rejected on the wire so the runner never sees a\n * malformed boot envelope.\n *\n * Returns `null` when the frame is well-formed, or a human-readable reason\n * when it should be rejected.\n *\n * Spec: `_devlog/specs/2026-05-10-deterministic-session-bootstrap.md`\n * § \"SessionInitCommand schema\".\n *\n * @internal\n */\nfunction validateSessionInitShape(cmd: Record<string, unknown>): string | null {\n  if (cmd.type !== \"session_init\") return \"type must be 'session_init'\";\n\n  const identity = cmd.identity as Record<string, unknown> | undefined;\n  if (!identity || typeof identity !== \"object\" || Array.isArray(identity)) {\n    return \"identity must be an object\";\n  }\n  if (typeof identity.containerId !== \"string\") return \"identity.containerId must be a string\";\n  if (typeof identity.sessionId !== \"string\") return \"identity.sessionId must be a string\";\n  if (typeof identity.projectId !== \"string\") return \"identity.projectId must be a string\";\n\n  const protocolVersion = cmd.protocolVersion as Record<string, unknown> | undefined;\n  if (!protocolVersion || typeof protocolVersion !== \"object\" || Array.isArray(protocolVersion)) {\n    return \"protocolVersion must be an object\";\n  }\n  if (typeof protocolVersion.major !== \"number\") return \"protocolVersion.major must be a number\";\n  if (typeof protocolVersion.minor !== \"number\") return \"protocolVersion.minor must be a number\";\n  if (typeof protocolVersion.patch !== \"number\") return \"protocolVersion.patch must be a number\";\n\n  if (\n    !cmd.resolvedConfig ||\n    typeof cmd.resolvedConfig !== \"object\" ||\n    Array.isArray(cmd.resolvedConfig)\n  ) {\n    return \"resolvedConfig must be an object\";\n  }\n\n  if (!cmd.credentials || typeof cmd.credentials !== \"object\" || Array.isArray(cmd.credentials)) {\n    return \"credentials must be an object\";\n  }\n\n  return null;\n}\n\n/**\n * `ServerTransport` implementation backed by the `ws` package on top of a\n * `node:http` server.\n *\n * Enforces a single-client policy: if a new connection arrives while a client is\n * already connected, the stale connection is closed with code 4001 and replaced.\n * Incoming frames are parsed as JSON `AgentCommand` messages and fanned out to\n * registered `onCommand` handlers; outgoing `AgentEvent` objects are JSON-serialised\n * before sending. Call `listen()` to start accepting connections and `close()` to\n * shut down cleanly — `close()` terminates the active socket immediately rather\n * than keeping the event loop alive.\n *\n * @example\n * ```ts\n * const server = new WebSocketServerTransport({ port: 8080 });\n * await server.listen();\n * server.onCommand((cmd) => console.log(cmd));\n * server.send({ type: 'agent_end' });\n * await server.close();\n * ```\n *\n * @docLink packages/transport/dev-guide#websocket-server-transport\n */\nexport class WebSocketServerTransport implements ServerTransport {\n  private httpServer: HttpServer | null = null;\n  private wss: WebSocketServer | null = null;\n  private activeClient: WebSocket | null = null;\n  private readonly port: number;\n  private readonly log: (line: string) => void;\n  private readonly authToken?: string;\n\n  private readonly commandHandlers = new Set<(command: AgentCommand) => void>();\n  private readonly connectHandlers = new Set<() => void>();\n  private readonly disconnectHandlers = new Set<() => void>();\n\n  constructor(options: WebSocketServerOptions) {\n    this.port = options.port;\n    this.log = options.onLog ?? console.log;\n    this.authToken = options.authToken;\n  }\n\n  /** Start the server and accept connections. */\n  async listen(): Promise<void> {\n    const httpServer = createServer((_req, res) => {\n      res.writeHead(200, { \"content-type\": \"text/plain\" });\n      res.end(\"skaile agent server\");\n    });\n    // When an auth token is configured, reject the upgrade at handshake time\n    // (HTTP 401) unless the client presents the matching bearer subprotocol.\n    // Rejecting here — before `connection` — keeps unauthenticated sockets from\n    // ever reaching the command handlers.\n    const expected = this.authToken;\n    const wss = new WebSocketServer({\n      server: httpServer,\n      verifyClient: expected\n        ? (info, cb) => {\n            const presented = decodeBearerFromHeader(info.req.headers[\"sec-websocket-protocol\"]);\n            if (presented !== null && tokensEqual(presented, expected)) {\n              cb(true);\n            } else {\n              this.log(\"[ws-server] rejecting unauthenticated upgrade\");\n              cb(false, 401, \"Unauthorized\");\n            }\n          }\n        : undefined,\n    });\n    wss.on(\"connection\", (ws) => this.handleConnection(ws));\n    this.httpServer = httpServer;\n    this.wss = wss;\n\n    await new Promise<void>((resolve, reject) => {\n      httpServer.once(\"error\", reject);\n      httpServer.listen(this.port, () => {\n        httpServer.off(\"error\", reject);\n        resolve();\n      });\n    });\n\n    const addr = httpServer.address();\n    const boundPort = typeof addr === \"object\" && addr ? addr.port : this.port;\n    this.log(`[ws-server] listening on port ${boundPort}`);\n  }\n\n  private handleConnection(ws: WebSocket): void {\n    if (this.activeClient) {\n      // Close the stale connection instead of rejecting the new one.\n      // This handles the race where waitForWsReady's probe hasn't\n      // fully disconnected before the real gateway client connects.\n      this.log(\"[ws-server] replacing previous connection\");\n      try {\n        this.activeClient.close(4001, \"Replaced by new connection\");\n      } catch {\n        // already closed\n      }\n    }\n    this.log(\"[ws-server] client connected\");\n    this.activeClient = ws;\n    for (const handler of this.connectHandlers) {\n      handler();\n    }\n\n    ws.on(\"message\", (data) => {\n      try {\n        const parsed = JSON.parse(String(data)) as Record<string, unknown>;\n        // Protocol v3: shape-validate `session_init` at ingress so the\n        // runner never receives a malformed boot envelope. Other command\n        // shapes pass through unchanged — invalid `AgentCommand`s surface\n        // through the existing per-command handlers in serve.ts.\n        if (parsed && typeof parsed === \"object\" && parsed.type === \"session_init\") {\n          const reason = validateSessionInitShape(parsed);\n          if (reason !== null) {\n            this.log(`[ws-server] rejecting invalid session_init: ${reason}`);\n            this.sendRaw({\n              type: \"error\",\n              message: `Invalid session_init: ${reason}`,\n              fatal: false,\n            });\n            return;\n          }\n        }\n        const cmd = parsed as unknown as AgentCommand;\n        for (const handler of this.commandHandlers) {\n          handler(cmd);\n        }\n      } catch (err) {\n        this.sendRaw({\n          type: \"error\",\n          message: `Invalid message: ${err instanceof Error ? err.message : String(err)}`,\n          fatal: false,\n        });\n      }\n    });\n\n    ws.on(\"close\", () => {\n      this.log(\"[ws-server] client disconnected\");\n      if (this.activeClient === ws) {\n        this.activeClient = null;\n        for (const handler of this.disconnectHandlers) {\n          handler();\n        }\n      }\n    });\n  }\n\n  /**\n   * Stop the server.\n   *\n   * Terminates the active socket immediately — otherwise a still-connected\n   * client would keep the event loop alive and block process shutdown.\n   */\n  async close(): Promise<void> {\n    try {\n      this.activeClient?.terminate();\n    } catch {\n      // already closed\n    }\n    this.activeClient = null;\n    this.wss?.close();\n    this.wss = null;\n    const httpServer = this.httpServer;\n    this.httpServer = null;\n    if (httpServer) {\n      httpServer.closeAllConnections();\n      await new Promise<void>((resolve) => httpServer.close(() => resolve()));\n    }\n  }\n\n  send(event: AgentEvent): void {\n    this.sendRaw(event);\n  }\n\n  onCommand(handler: (command: AgentCommand) => void): () => void {\n    this.commandHandlers.add(handler);\n    return () => {\n      this.commandHandlers.delete(handler);\n    };\n  }\n\n  onConnect(handler: () => void): () => void {\n    this.connectHandlers.add(handler);\n    return () => {\n      this.connectHandlers.delete(handler);\n    };\n  }\n\n  onDisconnect(handler: () => void): () => void {\n    this.disconnectHandlers.add(handler);\n    return () => {\n      this.disconnectHandlers.delete(handler);\n    };\n  }\n\n  get connected(): boolean {\n    return this.activeClient !== null;\n  }\n\n  private sendRaw(data: unknown): void {\n    try {\n      const client = this.activeClient;\n      if (client && client.readyState === 1) {\n        client.send(JSON.stringify(data));\n      }\n    } catch {\n      // Silently ignore send failures\n    }\n  }\n}\n"]}