@smart-tinker/kayla 0.1.3 → 0.1.4

package/dist/bot/bot.js

@@ -6,7 +6,7 @@ const handlers_1 = require("./handlers");
 const kayla_1 = require("../core/kayla");
 function buildBot(deps) {
     const bot = new grammy_1.Bot(deps.config.telegram.token);
-    const service = new kayla_1.KaylaService({ cfg: deps.config, logger: deps.logger, storage: deps.storage, api: bot.api });
+    const service = new kayla_1.KaylaService({ cfg: deps.config, logger: deps.logger, storage: deps.storage, api: bot.api, semaphore: deps.semaphore });
     (0, handlers_1.registerHandlers)(bot, { ...deps, service });
     return bot;
 }

package/dist/core/config.js

@@ -22,6 +22,12 @@ function defaultDataDir(env) {
     return ".kayla-data";
 }
 const DEFAULT_CONFIG = {
+    web: {
+        enabled: false,
+        bind: "0.0.0.0",
+        port: 17800,
+        admin_password: ""
+    },
     telegram: {
         token: "",
         mode: "polling",
@@ -109,6 +115,19 @@ function readYamlIfExists(p) {
 }
 function applyEnv(cfg, env) {
     const get = (k) => env[k];
+    // Web
+    const webEnabled = get("KAYLA_WEB_ENABLED");
+    if (webEnabled && webEnabled.trim().length)
+        cfg.web.enabled = parseBool(webEnabled);
+    const webBind = get("KAYLA_WEB_BIND");
+    if (webBind && webBind.trim().length)
+        cfg.web.bind = webBind.trim();
+    const webPort = get("KAYLA_WEB_PORT");
+    if (webPort && webPort.trim().length)
+        cfg.web.port = parseNumber(webPort);
+    const webPass = get("KAYLA_WEB_ADMIN_PASSWORD");
+    if (webPass && webPass.trim().length)
+        cfg.web.admin_password = webPass.trim();
     // Telegram
     const t = get("KAYLA_TELEGRAM_TOKEN");
     if (t && t.trim().length)
@@ -201,6 +220,18 @@ function applyEnv(cfg, env) {
 function applyYaml(cfg, doc) {
     if (!isRecord(doc))
         return;
+    const w = isRecord(doc.web) ? doc.web : undefined;
+    if (w) {
+        if (typeof w.enabled === "boolean")
+            cfg.web.enabled = w.enabled;
+        const bind = optionalString(w.bind);
+        if (bind)
+            cfg.web.bind = bind;
+        if (typeof w.port === "number")
+            cfg.web.port = w.port;
+        if (typeof w.admin_password === "string")
+            cfg.web.admin_password = String(w.admin_password);
+    }
     const t = isRecord(doc.telegram) ? doc.telegram : undefined;
     if (t) {
         const token = optionalString(t.token);
@@ -287,6 +318,11 @@ function validate(cfg) {
         throw new Error("Invalid config: jobs.global_concurrency must be >= 1");
     // Derive output_format from streaming by default (kept for compatibility).
     cfg.claude.output_format = cfg.claude.streaming ? "stream-json" : "json";
+    if (cfg.web.enabled) {
+        if (!cfg.web.admin_password || cfg.web.admin_password.trim().length === 0) {
+            throw new Error("Missing web admin password: set web.admin_password in config.yaml or KAYLA_WEB_ADMIN_PASSWORD in env");
+        }
+    }
     if (!cfg.telegram.token || cfg.telegram.token.trim().length === 0) {
         throw new Error("Missing telegram token: set telegram.token in config.yaml or KAYLA_TELEGRAM_TOKEN in env");
     }

package/dist/core/kayla.js

@@ -4,34 +4,12 @@ exports.KaylaService = void 0;
 const sessions_1 = require("./sessions");
 const runner_1 = require("./runner");
 const telegram_1 = require("./telegram");
-class Semaphore {
-    constructor(size) {
-        this.waiters = [];
-        this.available = size;
-    }
-    async acquire() {
-        if (this.available > 0) {
-            this.available -= 1;
-            return () => this.release();
-        }
-        return new Promise((resolve) => {
-            this.waiters.push(resolve);
-        });
-    }
-    release() {
-        this.available += 1;
-        const next = this.waiters.shift();
-        if (next && this.available > 0) {
-            this.available -= 1;
-            next(() => this.release());
-        }
-    }
-}
+const limiter_1 = require("./limiter");
 class KaylaService {
     constructor(deps) {
         this.deps = deps;
         this.chats = new Map();
-        this.semaphore = new Semaphore(this.deps.cfg.jobs.global_concurrency);
+        this.semaphore = this.deps.semaphore ?? new limiter_1.Semaphore(this.deps.cfg.jobs.global_concurrency);
         this.runClaudeImpl = this.deps.runClaudeImpl ?? runner_1.runClaude;
     }
     isAllowedTelegramUser(userId) {

package/dist/core/limiter.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Semaphore = void 0;
+class Semaphore {
+    constructor(size) {
+        this.waiters = [];
+        this.available = size;
+    }
+    async acquire() {
+        if (this.available > 0) {
+            this.available -= 1;
+            return () => this.release();
+        }
+        return new Promise((resolve) => {
+            this.waiters.push(resolve);
+        });
+    }
+    release() {
+        this.available += 1;
+        const next = this.waiters.shift();
+        if (next && this.available > 0) {
+            this.available -= 1;
+            next(() => this.release());
+        }
+    }
+}
+exports.Semaphore = Semaphore;

package/dist/core/sessions.js

@@ -3,6 +3,9 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.getOrCreateSessionByIds = getOrCreateSessionByIds;
+exports.createNewSessionByIds = createNewSessionByIds;
+exports.resetSessionByIds = resetSessionByIds;
 exports.getOrCreateSession = getOrCreateSession;
 exports.createNewSession = createNewSession;
 exports.resetSession = resetSession;
@@ -21,9 +24,7 @@ function defaultWorkspacePath(cfg, chatId) {
 function newWorkspacePath(cfg, chatId) {
     return node_path_1.default.join(cfg.runtime.workspaces_dir, `${safeWorkspaceName(chatId)}-${Date.now()}`);
 }
-function getOrCreateSession(storage, cfg, chatIdRaw, userIdRaw) {
-    const chatId = String(chatIdRaw);
-    const userId = String(userIdRaw);
+function getOrCreateSessionByIds(storage, cfg, chatId, userId) {
     const existing = storage.getChat(chatId);
     if (existing) {
         ensureDir(existing.workspace_path);
@@ -34,12 +35,11 @@ function getOrCreateSession(storage, cfg, chatIdRaw, userIdRaw) {
     const inserted = storage.upsertChat({ chatId, userId, workspacePath, settings: {} });
     return { chatId, userId: inserted.user_id, workspacePath: inserted.workspace_path };
 }
-function createNewSession(storage, cfg, chatIdRaw, userIdRaw) {
-    const chatId = String(chatIdRaw);
+function createNewSessionByIds(storage, cfg, chatId, userId) {
     const existing = storage.getChat(chatId);
     if (!existing) {
         // If no chat yet, "new" is equivalent to create.
-        return getOrCreateSession(storage, cfg, chatIdRaw, userIdRaw);
+        return getOrCreateSessionByIds(storage, cfg, chatId, userId);
     }
     let workspacePath = newWorkspacePath(cfg, chatId);
     // Extremely unlikely, but avoid collisions in fast loops.
@@ -50,10 +50,19 @@ function createNewSession(storage, cfg, chatIdRaw, userIdRaw) {
     const updated = storage.updateChatWorkspace(chatId, workspacePath);
     return { chatId, userId: updated.user_id, workspacePath: updated.workspace_path };
 }
-function resetSession(storage, cfg, chatIdRaw, userIdRaw) {
-    const session = getOrCreateSession(storage, cfg, chatIdRaw, userIdRaw);
+function resetSessionByIds(storage, cfg, chatId, userId) {
+    const session = getOrCreateSessionByIds(storage, cfg, chatId, userId);
     node_fs_1.default.rmSync(session.workspacePath, { recursive: true, force: true });
     ensureDir(session.workspacePath);
     // Workspace path remains the same; just return current mapping.
-    return getOrCreateSession(storage, cfg, chatIdRaw, userIdRaw);
+    return getOrCreateSessionByIds(storage, cfg, chatId, userId);
+}
+function getOrCreateSession(storage, cfg, chatIdRaw, userIdRaw) {
+    return getOrCreateSessionByIds(storage, cfg, String(chatIdRaw), String(userIdRaw));
+}
+function createNewSession(storage, cfg, chatIdRaw, userIdRaw) {
+    return createNewSessionByIds(storage, cfg, String(chatIdRaw), String(userIdRaw));
+}
+function resetSession(storage, cfg, chatIdRaw, userIdRaw) {
+    return resetSessionByIds(storage, cfg, String(chatIdRaw), String(userIdRaw));
 }

package/dist/core/setup.js

@@ -68,7 +68,14 @@ function buildConfigFromBootstrapInputs(paths, inputs) {
     if (adminIds.length === 0)
         throw new Error("Missing telegram admin user ids");
     const allowIds = inputs.telegramAllowlistUserIds;
+    const webPass = inputs.webAdminPassword.trim();
     return {
+        web: {
+            enabled: webPass.length > 0,
+            bind: "0.0.0.0",
+            port: 17800,
+            admin_password: webPass
+        },
         telegram: {
             token,
             mode: "polling",
@@ -115,7 +122,16 @@ function parseBootstrapInputsFromEnv(env) {
         throw new Error("Invalid KAYLA_TELEGRAM_ADMIN_USER_IDS: empty list");
     const allowCsv = (env.KAYLA_TELEGRAM_ALLOWLIST_USER_IDS ?? "").trim();
     const allowIds = allowCsv ? parseCsvNumbersStrict(allowCsv) : [];
-    return { telegramToken: token, telegramAdminUserIds: adminIds, telegramAllowlistUserIds: allowIds };
+    const webEnabledRaw = (env.KAYLA_WEB_ENABLED ?? "").trim();
+    const webEnabled = webEnabledRaw ? ["1", "true", "yes", "on"].includes(webEnabledRaw.toLowerCase()) : undefined;
+    const webDisabled = webEnabledRaw ? ["0", "false", "no", "off"].includes(webEnabledRaw.toLowerCase()) : undefined;
+    if (webEnabledRaw && webEnabled === undefined && webDisabled === undefined)
+        throw new Error(`Invalid KAYLA_WEB_ENABLED: ${webEnabledRaw}`);
+    const webPass = (env.KAYLA_WEB_ADMIN_PASSWORD ?? "").trim();
+    if (webEnabled && !webPass)
+        throw new Error("Missing KAYLA_WEB_ADMIN_PASSWORD (required when KAYLA_WEB_ENABLED=true)");
+    const webAdminPassword = webDisabled ? "" : webPass;
+    return { telegramToken: token, telegramAdminUserIds: adminIds, telegramAllowlistUserIds: allowIds, webAdminPassword };
 }
 function buildConfigFromEnv(paths, env) {
     const inputs = parseBootstrapInputsFromEnv(env);
@@ -152,7 +168,8 @@ async function promptBootstrapInputs(prompt) {
             }
         }
     })();
-    return { telegramToken: token, telegramAdminUserIds: adminIds, telegramAllowlistUserIds: allowIds };
+    const webAdminPassword = (await prompt({ kind: "secret", message: "Web admin password (blank = disable web UI): " })).trim();
+    return { telegramToken: token, telegramAdminUserIds: adminIds, telegramAllowlistUserIds: allowIds, webAdminPassword };
 }
 function nonInteractiveSetupError(configPath) {
     return [

package/dist/service.js

@@ -3,8 +3,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.runService = runService;
 const bot_1 = require("./bot/bot");
 const config_1 = require("./core/config");
+const doctor_1 = require("./core/doctor");
+const limiter_1 = require("./core/limiter");
 const logging_1 = require("./core/logging");
 const storage_1 = require("./core/storage");
+const server_1 = require("./web/server");
 async function runService() {
     const config = (0, config_1.loadConfig)();
     const logger = (0, logging_1.createLogger)(config.logging);
@@ -12,7 +15,12 @@ async function runService() {
     const storage = (0, storage_1.openStorage)(config.runtime.data_dir);
     // Bootstrap allowlist into DB (required for first admin).
     storage.bootstrapAllowedUsers("telegram", [...config.telegram.admin_user_ids, ...config.telegram.allowlist.user_ids]);
-    const bot = (0, bot_1.buildBot)({ config, logger, storage });
+    const semaphore = new limiter_1.Semaphore(config.jobs.global_concurrency);
+    const bot = (0, bot_1.buildBot)({ config, logger, storage, semaphore });
+    if (config.web.enabled) {
+        const configPath = (0, doctor_1.resolveConfigPath)(process.env);
+        await (0, server_1.startWebServer)({ config, configPath, logger, storage, semaphore });
+    }
     // MVP: polling only.
     if (config.telegram.mode !== "polling") {
         throw new Error(`telegram.mode=${config.telegram.mode} is not supported yet (MVP supports polling only)`);

package/dist/web/server.js

@@ -0,0 +1,834 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startWebServer = startWebServer;
+const node_http_1 = __importDefault(require("node:http"));
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const yaml_1 = __importDefault(require("yaml"));
+const doctor_1 = require("../core/doctor");
+const runner_1 = require("../core/runner");
+const sessions_1 = require("../core/sessions");
+function unauthorized(res) {
+    res.statusCode = 401;
+    res.setHeader("WWW-Authenticate", 'Basic realm="Kayla"');
+    res.end("Unauthorized");
+}
+function parseBasicAuthHeader(v) {
+    if (typeof v !== "string")
+        return null;
+    const [kind, token] = v.split(" ");
+    if (kind !== "Basic" || !token)
+        return null;
+    let raw = "";
+    try {
+        raw = Buffer.from(token, "base64").toString("utf8");
+    }
+    catch {
+        return null;
+    }
+    const idx = raw.indexOf(":");
+    if (idx < 0)
+        return null;
+    const username = raw.slice(0, idx);
+    const password = raw.slice(idx + 1);
+    return { username, password };
+}
+function isAuthorized(req, adminPassword) {
+    const auth = parseBasicAuthHeader(req.headers.authorization);
+    if (!auth)
+        return false;
+    // Username is ignored for now (single-admin mode).
+    return auth.password === adminPassword;
+}
+function sendJson(res, status, body) {
+    res.statusCode = status;
+    res.setHeader("Content-Type", "application/json; charset=utf-8");
+    res.end(JSON.stringify(body));
+}
+function sendHtml(res, status, html) {
+    res.statusCode = status;
+    res.setHeader("Content-Type", "text/html; charset=utf-8");
+    res.end(html);
+}
+function readBody(req, maxBytes) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let size = 0;
+        req.on("data", (c) => {
+            size += c.length;
+            if (size > maxBytes) {
+                reject(new Error("Request body too large"));
+                req.destroy();
+                return;
+            }
+            chunks.push(c);
+        });
+        req.on("end", () => resolve(Buffer.concat(chunks)));
+        req.on("error", reject);
+    });
+}
+async function readJsonBody(req, maxBytes) {
+    const buf = await readBody(req, maxBytes);
+    if (buf.length === 0)
+        return {};
+    try {
+        return JSON.parse(buf.toString("utf8"));
+    }
+    catch {
+        throw new Error("Invalid JSON");
+    }
+}
+function parseCsvNumbersBestEffort(v) {
+    if (typeof v !== "string")
+        return [];
+    const items = v
+        .split(",")
+        .map((x) => x.trim())
+        .filter((x) => x.length > 0);
+    const out = [];
+    for (const it of items) {
+        const n = Number(it);
+        if (!Number.isFinite(n))
+            continue;
+        out.push(n);
+    }
+    return out;
+}
+function maskSecret(v) {
+    if (!v.trim())
+        return "";
+    // Fixed-length mask to avoid leaking secret length in UI.
+    return "********";
+}
+function renderIndexHtml() {
+    // Keep it dependency-free; minimal JS to fetch/save settings.
+    return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Kayla Admin</title>
+    <style>
+      :root { --bg:#0e1116; --panel:#151a22; --text:#e7eefc; --muted:#9bb0d1; --accent:#f6c945; --danger:#ff6673; --ok:#7bf1a8; }
+      body { margin:0; font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Arial; background: radial-gradient(1200px 600px at 15% 0%, #1a2440, var(--bg)); color: var(--text); }
+      .wrap { max-width: 900px; margin: 0 auto; padding: 28px 16px 48px; }
+      h1 { margin: 0 0 6px; font-size: 28px; letter-spacing: 0.2px; }
+      .sub { margin: 0 0 22px; color: var(--muted); }
+      .panel { background: linear-gradient(180deg, rgba(255,255,255,0.06), rgba(255,255,255,0.03)); border: 1px solid rgba(255,255,255,0.08); border-radius: 14px; padding: 18px; backdrop-filter: blur(8px); }
+      .grid { display: grid; grid-template-columns: 1fr 1fr; gap: 14px; }
+      @media (max-width: 760px) { .grid { grid-template-columns: 1fr; } }
+      label { display:block; font-size: 12px; letter-spacing: 0.08em; text-transform: uppercase; color: var(--muted); margin: 12px 0 6px; }
+      input, select { width: 100%; padding: 10px 12px; border-radius: 10px; border: 1px solid rgba(255,255,255,0.10); background: rgba(10,12,16,0.6); color: var(--text); outline: none; }
+      input:focus, select:focus { border-color: rgba(246,201,69,0.65); box-shadow: 0 0 0 3px rgba(246,201,69,0.18); }
+      .row { display:flex; gap: 10px; align-items: center; }
+      .row > * { flex: 1; }
+      .btn { cursor:pointer; display:inline-flex; align-items:center; justify-content:center; gap:8px; padding: 10px 12px; border-radius: 10px; border: 1px solid rgba(255,255,255,0.12); background: rgba(246,201,69,0.12); color: var(--text); font-weight: 600; }
+      .btn:hover { border-color: rgba(246,201,69,0.45); background: rgba(246,201,69,0.18); }
+      .btn.secondary { background: rgba(255,255,255,0.06); }
+      .btn.danger { background: rgba(255,102,115,0.12); }
+      .btn.danger:hover { border-color: rgba(255,102,115,0.45); background: rgba(255,102,115,0.18); }
+      .hint { margin-top: 6px; color: var(--muted); font-size: 13px; line-height: 1.35; }
+      .status { margin-top: 14px; font-size: 14px; color: var(--muted); }
+      .status.ok { color: var(--ok); }
+      .status.err { color: var(--danger); }
+      .hr { height: 1px; background: rgba(255,255,255,0.08); margin: 16px 0; }
+      code { font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, \"Liberation Mono\", \"Courier New\", monospace; }
+    </style>
+  </head>
+  <body>
+    <div class="wrap">
+      <h1>Kayla Admin</h1>
+      <p class="sub">LAN-only HTTP UI. Changes are written to <code>~/.config/kayla/config.yaml</code>.</p>
+      <div class="panel">
+        <div class="grid">
+          <div>
+            <label for="telegramToken">Telegram bot token</label>
+            <div class="row">
+              <input id="telegramToken" type="password" placeholder="(empty)" autocomplete="off" />
+              <button class="btn secondary" id="btnShowToken" type="button">Show</button>
+              <button class="btn secondary" id="btnToggleMask" type="button">Mask</button>
+            </div>
+            <div class="hint">Token is masked by default. Use Show to fetch the secret explicitly.</div>
+          </div>
+          <div>
+            <label for="claudeBinary">Claude command/binary</label>
+            <input id="claudeBinary" type="text" placeholder="claude" />
+            <div class="hint">This is the command Kayla runs (must be in PATH for the service user).</div>
+          </div>
+        </div>
+
+        <div class="grid">
+          <div>
+            <label for="adminIds">Telegram admin user ids (CSV)</label>
+            <input id="adminIds" type="text" placeholder="123456789" />
+          </div>
+          <div>
+            <label for="allowIds">Allowlist user ids (CSV, optional)</label>
+            <input id="allowIds" type="text" placeholder="(blank = none)" />
+          </div>
+        </div>
+
+        <div class="grid">
+          <div>
+            <label for="loggingLevel">Logging level</label>
+            <select id="loggingLevel">
+              <option value="fatal">fatal</option>
+              <option value="error">error</option>
+              <option value="warn">warn</option>
+              <option value="info">info</option>
+              <option value="debug">debug</option>
+              <option value="trace">trace</option>
+            </select>
+          </div>
+          <div>
+            <label for="loggingJson">Logging JSON</label>
+            <select id="loggingJson">
+              <option value="true">true</option>
+              <option value="false">false</option>
+            </select>
+          </div>
+        </div>
+
+        <div class="hr"></div>
+        <div class="row">
+          <button class="btn secondary" id="btnDoctor" type="button">Doctor</button>
+          <button class="btn secondary" id="btnCheckToken" type="button">Check Telegram token</button>
+          <button class="btn danger" id="btnRestart" type="button">Restart service</button>
+        </div>
+        <div class="hint">Restart exits the process; systemd should bring it back (Restart=always).</div>
+        <pre id="actionsOut" style="margin-top:12px; padding:12px; border-radius:12px; border:1px solid rgba(255,255,255,0.08); background: rgba(10,12,16,0.55); overflow:auto; white-space:pre-wrap;"></pre>
+        <div class="hr"></div>
+        <div class="row">
+          <button class="btn" id="btnSave" type="button">Save settings</button>
+        </div>
+        <div class="status" id="status"></div>
+      </div>
+    </div>
+    <script>
+      const $ = (id) => document.getElementById(id);
+      const status = (kind, msg) => {
+        const el = $("status");
+        el.className = "status " + (kind || "");
+        el.textContent = msg || "";
+      };
+
+      async function loadSettings() {
+        status("", "Loading...");
+        const res = await fetch("/api/settings", { credentials: "same-origin" });
+        if (!res.ok) throw new Error("Failed to load settings (" + res.status + ")");
+        const s = await res.json();
+        $("telegramToken").value = s.telegramTokenMasked || "";
+        $("adminIds").value = s.telegramAdminUserIdsCsv || "";
+        $("allowIds").value = s.telegramAllowlistUserIdsCsv || "";
+        $("claudeBinary").value = s.claudeBinary || "claude";
+        $("loggingLevel").value = s.loggingLevel || "info";
+        $("loggingJson").value = String(Boolean(s.loggingJson));
+        status("ok", "Loaded.");
+      }
+
+      async function showToken() {
+        status("", "Fetching token...");
+        const res = await fetch("/api/secrets/telegram-token", { credentials: "same-origin" });
+        if (!res.ok) throw new Error("Failed to fetch token (" + res.status + ")");
+        const out = await res.json();
+        $("telegramToken").value = out.token || "";
+        $("telegramToken").type = "text";
+        status("ok", "Token loaded (visible).");
+      }
+
+      function toggleMask() {
+        const el = $("telegramToken");
+        el.type = (el.type === "password") ? "text" : "password";
+      }
+
+      async function saveSettings() {
+        status("", "Saving...");
+        const payload = {
+          telegramToken: $("telegramToken").value || "",
+          telegramAdminUserIdsCsv: $("adminIds").value || "",
+          telegramAllowlistUserIdsCsv: $("allowIds").value || "",
+          claudeBinary: $("claudeBinary").value || "",
+          loggingLevel: $("loggingLevel").value || "info",
+          loggingJson: $("loggingJson").value === "true"
+        };
+        const res = await fetch("/api/settings", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify(payload),
+          credentials: "same-origin"
+        });
+        const out = await res.json().catch(() => ({}));
+        if (!res.ok) throw new Error(out.error || ("Save failed (" + res.status + ")"));
+        status("ok", out.message || "Saved. Restart the service to apply changes.");
+      }
+
+      async function runDoctor() {
+        status("", "Running doctor...");
+        const res = await fetch("/api/doctor", { method: "POST", credentials: "same-origin" });
+        const out = await res.json().catch(() => ({}));
+        if (!res.ok) throw new Error(out.error || ("Doctor failed (" + res.status + ")"));
+        $("actionsOut").textContent = JSON.stringify(out, null, 2);
+        status(out.ok ? "ok" : "err", out.ok ? "Doctor: OK" : "Doctor: FAIL");
+      }
+
+      async function checkToken() {
+        status("", "Checking Telegram token...");
+        const res = await fetch("/api/telegram/check-token", { method: "POST", credentials: "same-origin" });
+        const out = await res.json().catch(() => ({}));
+        if (!res.ok) throw new Error(out.error || ("Token check failed (" + res.status + ")"));
+        $("actionsOut").textContent = JSON.stringify(out, null, 2);
+        status(out.ok ? "ok" : "err", out.ok ? "Token: OK" : "Token: FAIL");
+      }
+
+      async function restartService() {
+        status("", "Restarting...");
+        const res = await fetch("/api/restart", { method: "POST", credentials: "same-origin" });
+        const out = await res.json().catch(() => ({}));
+        $("actionsOut").textContent = JSON.stringify(out, null, 2);
+        status("ok", out.message || "Restarting...");
+      }
+
+      $("btnShowToken").addEventListener("click", () => showToken().catch(e => status("err", String(e && e.message ? e.message : e))));
+      $("btnToggleMask").addEventListener("click", () => toggleMask());
+      $("btnSave").addEventListener("click", () => saveSettings().catch(e => status("err", String(e && e.message ? e.message : e))));
+      $("btnDoctor").addEventListener("click", () => runDoctor().catch(e => status("err", String(e && e.message ? e.message : e))));
+      $("btnCheckToken").addEventListener("click", () => checkToken().catch(e => status("err", String(e && e.message ? e.message : e))));
+      $("btnRestart").addEventListener("click", () => restartService().catch(e => status("err", String(e && e.message ? e.message : e))));
+
+      loadSettings().catch(e => status("err", String(e && e.message ? e.message : e)));
+    </script>
+  </body>
+</html>`;
+}
+function writeYamlAtomic(targetPath, rawYaml) {
+    const dir = node_path_1.default.dirname(targetPath);
+    node_fs_1.default.mkdirSync(dir, { recursive: true });
+    // Temp dir must be on the same filesystem as the target so rename is atomic.
+    const tmpDir = node_fs_1.default.mkdtempSync(node_path_1.default.join(dir, ".kayla-web-"));
+    const tmpPath = node_path_1.default.join(tmpDir, "config.yaml");
+    try {
+        // 0600: contains secrets (Telegram token and web password).
+        node_fs_1.default.writeFileSync(tmpPath, rawYaml, { mode: 0o600 });
+        node_fs_1.default.renameSync(tmpPath, targetPath);
+    }
+    finally {
+        try {
+            node_fs_1.default.rmSync(tmpDir, { recursive: true, force: true });
+        }
+        catch {
+            // ignore cleanup errors
+        }
+    }
+}
+function renderChatHtml() {
+    return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Kayla Chat</title>
+    <style>
+      :root { --bg:#0e1116; --panel:#151a22; --text:#e7eefc; --muted:#9bb0d1; --accent:#f6c945; --danger:#ff6673; --ok:#7bf1a8; }
+      body { margin:0; font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Arial; background: radial-gradient(1200px 600px at 15% 0%, #1a2440, var(--bg)); color: var(--text); }
+      .wrap { max-width: 980px; margin: 0 auto; padding: 18px 16px 40px; }
+      h1 { margin: 0 0 10px; font-size: 26px; }
+      .panel { background: linear-gradient(180deg, rgba(255,255,255,0.06), rgba(255,255,255,0.03)); border: 1px solid rgba(255,255,255,0.08); border-radius: 14px; padding: 14px; backdrop-filter: blur(8px); }
+      .row { display:flex; gap: 10px; align-items: center; }
+      .btn { cursor:pointer; display:inline-flex; align-items:center; justify-content:center; gap:8px; padding: 10px 12px; border-radius: 10px; border: 1px solid rgba(255,255,255,0.12); background: rgba(255,255,255,0.06); color: var(--text); font-weight: 600; }
+      .btn:hover { border-color: rgba(246,201,69,0.45); background: rgba(246,201,69,0.10); }
+      .btn.danger { background: rgba(255,102,115,0.12); }
+      .btn.danger:hover { border-color: rgba(255,102,115,0.45); background: rgba(255,102,115,0.18); }
+      .btn.primary { background: rgba(246,201,69,0.14); }
+      .hint { margin: 10px 0 0; color: var(--muted); font-size: 13px; }
+      #log { margin-top: 12px; padding: 12px; border-radius: 12px; border: 1px solid rgba(255,255,255,0.08); background: rgba(10,12,16,0.55); min-height: 320px; overflow:auto; white-space: pre-wrap; }
+      #input { width: 100%; padding: 10px 12px; border-radius: 10px; border: 1px solid rgba(255,255,255,0.10); background: rgba(10,12,16,0.6); color: var(--text); outline: none; }
+      #input:focus { border-color: rgba(246,201,69,0.65); box-shadow: 0 0 0 3px rgba(246,201,69,0.18); }
+      .status { margin-top: 10px; font-size: 14px; color: var(--muted); }
+      .status.ok { color: var(--ok); }
+      .status.err { color: var(--danger); }
+    </style>
+  </head>
+  <body>
+    <div class="wrap">
+      <h1>Kayla Chat</h1>
+      <div class="panel">
+        <div class="row">
+          <button class="btn" id="btnNew" type="button">New session</button>
+          <button class="btn danger" id="btnReset" type="button">Reset session</button>
+          <button class="btn danger" id="btnCancel" type="button">Cancel</button>
+          <button class="btn" id="btnStatus" type="button">Status</button>
+          <a class="btn" href="/" style="text-decoration:none;">Admin</a>
+        </div>
+        <div class="hint">Streaming is via SSE. Reset is destructive and asks for confirmation.</div>
+        <div id="log"></div>
+        <div class="row" style="margin-top: 12px;">
+          <input id="input" type="text" placeholder="Type a message..." autocomplete="off" />
+          <button class="btn primary" id="btnSend" type="button">Send</button>
+        </div>
+        <div class="status" id="status"></div>
+      </div>
+    </div>
+    <script>
+      const $ = (id) => document.getElementById(id);
+      const logEl = $("log");
+      const statusEl = $("status");
+
+      const setStatus = (kind, msg) => {
+        statusEl.className = "status " + (kind || "");
+        statusEl.textContent = msg || "";
+      };
+      const append = (text) => {
+        logEl.textContent += text;
+        logEl.scrollTop = logEl.scrollHeight;
+      };
+
+      let currentJobId = null;
+
+      const es = new EventSource("/api/chat/stream");
+      es.addEventListener("hello", () => setStatus("ok", "Connected."));
+      es.addEventListener("status", (e) => {
+        try {
+          const d = JSON.parse(e.data);
+          append("[status] " + JSON.stringify(d) + "\\n");
+        } catch {}
+      });
+      es.addEventListener("start", (e) => {
+        const d = JSON.parse(e.data);
+        currentJobId = d.jobId || null;
+        append("\\nYou: " + (d.prompt || "") + "\\n");
+        append("Kayla: ");
+      });
+      es.addEventListener("delta", (e) => {
+        const d = JSON.parse(e.data);
+        if (!currentJobId || d.jobId !== currentJobId) return;
+        append(d.delta || "");
+      });
+      es.addEventListener("done", (e) => {
+        const d = JSON.parse(e.data);
+        if (d.jobId === currentJobId) currentJobId = null;
+        append("\\n\\n[done] " + d.status + (d.error ? (" " + d.error) : "") + "\\n");
+        setStatus(d.status === "succeeded" ? "ok" : "err", "Done: " + d.status);
+      });
+      es.onerror = () => setStatus("err", "Stream disconnected.");
+
+      async function postJson(url, body) {
+        const res = await fetch(url, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify(body || {}),
+          credentials: "same-origin"
+        });
+        const out = await res.json().catch(() => ({}));
+        if (!res.ok) throw new Error(out.error || ("HTTP " + res.status));
+        return out;
+      }
+
+      async function send() {
+        const input = $("input");
+        const text = (input.value || "").trim();
+        if (!text) return;
+        input.value = "";
+        setStatus("", "Sending...");
+        await postJson("/api/chat/send", { text });
+        setStatus("ok", "Sent.");
+      }
+
+      async function newSession() {
+        setStatus("", "Starting new session...");
+        const out = await postJson("/api/chat/new", {});
+        append("[new] workspace=" + (out.workspacePath || "") + "\\n");
+        setStatus("ok", "New session started.");
+      }
+
+      async function resetSession() {
+        const ok = confirm("Reset session? This deletes the workspace contents.");
+        if (!ok) return;
+        setStatus("", "Resetting...");
+        const out = await postJson("/api/chat/reset", { confirm: true });
+        append("[reset] workspace=" + (out.workspacePath || "") + "\\n");
+        setStatus("ok", "Session reset.");
+      }
+
+      async function cancel() {
+        setStatus("", "Canceling...");
+        const out = await postJson("/api/chat/cancel", {});
+        append("[cancel] " + (out.message || "") + "\\n");
+        setStatus("ok", out.message || "Cancel requested.");
+      }
+
+      async function statusCmd() {
+        setStatus("", "Fetching status...");
+        const out = await fetch("/api/chat/status", { credentials: "same-origin" }).then((r) => r.json());
+        append("[status] " + JSON.stringify(out) + "\\n");
+        setStatus("ok", "OK");
+      }
+
+      $("btnSend").addEventListener("click", () => send().catch((e) => setStatus("err", String(e && e.message ? e.message : e))));
+      $("input").addEventListener("keydown", (e) => {
+        if (e.key === "Enter") send().catch(() => {});
+      });
+      $("btnNew").addEventListener("click", () => newSession().catch((e) => setStatus("err", String(e && e.message ? e.message : e))));
+      $("btnReset").addEventListener("click", () => resetSession().catch((e) => setStatus("err", String(e && e.message ? e.message : e))));
+      $("btnCancel").addEventListener("click", () => cancel().catch((e) => setStatus("err", String(e && e.message ? e.message : e))));
+      $("btnStatus").addEventListener("click", () => statusCmd().catch((e) => setStatus("err", String(e && e.message ? e.message : e))));
+    </script>
+  </body>
+</html>`;
+}
+class WebChat {
+    constructor(deps) {
+        this.deps = deps;
+        this.chatId = "web:default";
+        this.userId = "web:default";
+        this.clients = new Set();
+        this.queue = [];
+        this.processing = false;
+    }
+    broadcast(event, data) {
+        const payload = JSON.stringify(data);
+        for (const res of this.clients) {
+            try {
+                res.write(`event: ${event}\n`);
+                res.write(`data: ${payload}\n\n`);
+            }
+            catch {
+                // ignore broken connections; cleanup happens on close
+            }
+        }
+    }
+    sendStatus() {
+        const running = this.deps.storage.getRunningJob(this.chatId);
+        const queued = this.deps.storage.countQueuedJobs(this.chatId);
+        const chat = this.deps.storage.getChat(this.chatId);
+        this.broadcast("status", {
+            running: running ? running.job_id : null,
+            queued,
+            workspace: chat?.workspace_path ?? null
+        });
+    }
+    handleChatPage(res) {
+        sendHtml(res, 200, renderChatHtml());
+    }
+    handleStream(req, res) {
+        res.statusCode = 200;
+        res.setHeader("Content-Type", "text/event-stream; charset=utf-8");
+        res.setHeader("Cache-Control", "no-cache, no-transform");
+        res.setHeader("Connection", "keep-alive");
+        res.setHeader("X-Accel-Buffering", "no");
+        // Make sure headers are sent immediately for streaming clients.
+        res.flushHeaders?.();
+        res.write("event: hello\n");
+        res.write(`data: ${JSON.stringify({ ok: true })}\n\n`);
+        this.clients.add(res);
+        this.sendStatus();
+        const keep = setInterval(() => {
+            try {
+                res.write(":keep-alive\n\n");
+            }
+            catch {
+                // ignore
+            }
+        }, 15000);
+        req.on("close", () => {
+            clearInterval(keep);
+            this.clients.delete(res);
+        });
+    }
+    async handleSend(req, res) {
+        const body = await readJsonBody(req, 256 * 1024);
+        const b = typeof body === "object" && body !== null ? body : {};
+        const text = typeof b.text === "string" ? b.text.trim() : "";
+        if (!text)
+            return sendJson(res, 400, { ok: false, error: "text is required" });
+        const stateCount = this.queue.length + (this.active ? 1 : 0);
+        const cfg = this.deps.getConfig();
+        if (stateCount >= cfg.jobs.queue_size_per_chat)
+            return sendJson(res, 429, { ok: false, error: "Queue is full" });
+        // Ensure chat/workspace exists.
+        (0, sessions_1.getOrCreateSessionByIds)(this.deps.storage, cfg, this.chatId, this.userId);
+        const job = this.deps.storage.insertJob({ chatId: this.chatId, requestText: text });
+        this.queue.push({ jobId: job.job_id, requestText: text });
+        this.broadcast("queued", { jobId: job.job_id });
+        this.kick().catch((err) => this.deps.logger.error({ msg: "web chat kick failed", err }));
+        return sendJson(res, 200, { ok: true, jobId: job.job_id });
+    }
+    async handleStatus(_req, res) {
+        const running = this.deps.storage.getRunningJob(this.chatId);
+        const queued = this.deps.storage.countQueuedJobs(this.chatId);
+        const chat = this.deps.storage.getChat(this.chatId);
+        return sendJson(res, 200, {
+            ok: true,
+            chatId: this.chatId,
+            running: running ? running.job_id : null,
+            queued,
+            workspace: chat?.workspace_path ?? null
+        });
+    }
+    async handleCancel(_req, res) {
+        if (!this.active)
+            return sendJson(res, 200, { ok: true, message: "Nothing to cancel." });
+        this.active.cancel();
+        return sendJson(res, 200, { ok: true, message: `Cancel requested: ${this.active.jobId}` });
+    }
+    isBusy() {
+        return !!this.active || this.queue.length > 0 || this.deps.storage.getRunningJob(this.chatId) !== undefined;
+    }
+    async handleNew(_req, res) {
+        if (this.isBusy())
+            return sendJson(res, 409, { ok: false, error: "Busy: cancel the running job first." });
+        const cfg = this.deps.getConfig();
+        const s = (0, sessions_1.createNewSessionByIds)(this.deps.storage, cfg, this.chatId, this.userId);
+        this.broadcast("info", { msg: "new session", workspace: s.workspacePath });
+        return sendJson(res, 200, { ok: true, workspacePath: s.workspacePath });
+    }
+    async handleReset(req, res) {
+        const body = await readJsonBody(req, 32 * 1024);
+        const b = typeof body === "object" && body !== null ? body : {};
+        const confirm = Boolean(b.confirm);
+        if (!confirm)
+            return sendJson(res, 400, { ok: false, error: "Confirm reset by sending {confirm:true}" });
+        if (this.isBusy())
+            return sendJson(res, 409, { ok: false, error: "Busy: cancel the running job first." });
+        const cfg = this.deps.getConfig();
+        const s = (0, sessions_1.resetSessionByIds)(this.deps.storage, cfg, this.chatId, this.userId);
+        this.broadcast("info", { msg: "session reset", workspace: s.workspacePath });
+        return sendJson(res, 200, { ok: true, workspacePath: s.workspacePath });
+    }
+    async kick() {
+        if (this.processing)
+            return;
+        this.processing = true;
+        try {
+            while (this.queue.length > 0) {
+                const item = this.queue.shift();
+                const release = await this.deps.semaphore.acquire();
+                try {
+                    await this.runOne(item);
+                }
+                finally {
+                    release();
+                }
+            }
+        }
+        finally {
+            this.processing = false;
+        }
+    }
+    async runOne(item) {
+        const cfg = this.deps.getConfig();
+        const session = (0, sessions_1.getOrCreateSessionByIds)(this.deps.storage, cfg, this.chatId, this.userId);
+        const logger = this.deps.logger.child({ channel: "web", jobId: item.jobId });
+        this.deps.storage.setJobRunning(item.jobId);
+        this.broadcast("start", { jobId: item.jobId, prompt: item.requestText });
+        let assistantSoFar = "";
+        const running = this.deps.runClaudeImpl({
+            cfg,
+            cwd: session.workspacePath,
+            prompt: item.requestText,
+            logger,
+            onTextDelta: (delta) => {
+                assistantSoFar += delta;
+                this.broadcast("delta", { jobId: item.jobId, delta });
+            }
+        });
+        this.active = { jobId: item.jobId, cancel: running.cancel };
+        let status = "succeeded";
+        let error = null;
+        let exitCode = null;
+        let stderr = "";
+        try {
+            const res = await running.promise;
+            exitCode = res.exitCode;
+            stderr = res.stderr;
+            if (res.timedOut) {
+                status = "timeout";
+                error = "timeout";
+            }
+            else if (res.canceled) {
+                status = "canceled";
+                error = "canceled";
+            }
+            else if (res.exitCode !== 0) {
+                status = "failed";
+                error = `exit_code=${res.exitCode}`;
+            }
+            if (!assistantSoFar)
+                assistantSoFar = res.assistantText;
+        }
+        catch (err) {
+            status = "failed";
+            error = err instanceof Error ? err.message : "unknown error";
+        }
+        finally {
+            this.active = undefined;
+        }
+        logger.info({ msg: "web chat job finished", status, exitCode });
+        if (stderr)
+            logger.debug({ msg: "claude stderr", stderr });
+        this.deps.storage.setJobFinished({ jobId: item.jobId, status, responseText: assistantSoFar, error, exitCode });
+        this.broadcast("done", { jobId: item.jobId, status, error });
+        this.sendStatus();
+    }
+}
+async function startWebServer(opts) {
+    // Local mutable config; we don't hot-reload, but UI should reflect last saved values.
+    let cfg = opts.config;
+    const deps = {
+        exit: opts.deps?.exit ?? ((code) => process.exit(code)),
+        telegramGetMe: opts.deps?.telegramGetMe ?? (async (token) => {
+            try {
+                const url = `https://api.telegram.org/bot${token}/getMe`;
+                const res = await fetch(url, { method: "GET" });
+                const json = (await res.json().catch(() => null));
+                if (!res.ok)
+                    return { ok: false, error: `HTTP ${res.status}` };
+                if (!json || typeof json !== "object")
+                    return { ok: false, error: "Invalid response" };
+                if (json.ok !== true)
+                    return { ok: false, error: json.description ? String(json.description) : "Telegram API error" };
+                return { ok: true, result: json.result };
+            }
+            catch (err) {
+                return { ok: false, error: err instanceof Error ? err.message : "Network error" };
+            }
+        }),
+        runClaude: opts.deps?.runClaude ?? runner_1.runClaude
+    };
+    const adminPassword = (cfg.web?.admin_password ?? "").trim();
+    if (!adminPassword)
+        throw new Error("web.admin_password is required to start web UI");
+    const bind = (cfg.web?.bind ?? "0.0.0.0").trim() || "0.0.0.0";
+    const port = typeof cfg.web?.port === "number" && Number.isFinite(cfg.web.port) ? cfg.web.port : 17800;
+    const chat = new WebChat({
+        getConfig: () => cfg,
+        logger: opts.logger,
+        storage: opts.storage,
+        semaphore: opts.semaphore,
+        runClaudeImpl: deps.runClaude
+    });
+    const server = node_http_1.default.createServer(async (req, res) => {
+        try {
+            if (!isAuthorized(req, adminPassword))
+                return unauthorized(res);
+            const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
+            const method = (req.method ?? "GET").toUpperCase();
+            if (method === "GET" && url.pathname === "/") {
+                return sendHtml(res, 200, renderIndexHtml());
+            }
+            if (method === "GET" && url.pathname === "/chat") {
+                return chat.handleChatPage(res);
+            }
+            if (method === "GET" && url.pathname === "/api/chat/stream") {
+                chat.handleStream(req, res);
+                return;
+            }
+            if (method === "POST" && url.pathname === "/api/chat/send") {
+                return await chat.handleSend(req, res);
+            }
+            if (method === "GET" && url.pathname === "/api/chat/status") {
+                return await chat.handleStatus(req, res);
+            }
+            if (method === "POST" && url.pathname === "/api/chat/cancel") {
+                return await chat.handleCancel(req, res);
+            }
+            if (method === "POST" && url.pathname === "/api/chat/new") {
+                return await chat.handleNew(req, res);
+            }
+            if (method === "POST" && url.pathname === "/api/chat/reset") {
+                return await chat.handleReset(req, res);
+            }
+            if (method === "GET" && url.pathname === "/api/settings") {
+                return sendJson(res, 200, {
+                    telegramTokenPresent: Boolean(cfg.telegram.token && cfg.telegram.token.trim()),
+                    telegramTokenMasked: maskSecret(cfg.telegram.token ?? ""),
+                    telegramAdminUserIdsCsv: (cfg.telegram.admin_user_ids ?? []).join(","),
+                    telegramAllowlistUserIdsCsv: (cfg.telegram.allowlist?.user_ids ?? []).join(","),
+                    claudeBinary: cfg.claude.binary ?? "claude",
+                    loggingLevel: cfg.logging.level ?? "info",
+                    loggingJson: Boolean(cfg.logging.json)
+                });
+            }
+            if (method === "GET" && url.pathname === "/api/secrets/telegram-token") {
+                return sendJson(res, 200, { token: cfg.telegram.token ?? "" });
+            }
+            if (method === "POST" && url.pathname === "/api/settings") {
+                const body = await readJsonBody(req, 256 * 1024);
+                const b = typeof body === "object" && body !== null ? body : {};
+                const token = typeof b.telegramToken === "string" ? b.telegramToken.trim() : "";
+                if (!token)
+                    return sendJson(res, 400, { error: "telegramToken is required" });
+                const adminIds = parseCsvNumbersBestEffort(b.telegramAdminUserIdsCsv);
+                const allowIds = parseCsvNumbersBestEffort(b.telegramAllowlistUserIdsCsv);
+                if (adminIds.length === 0 && allowIds.length === 0) {
+                    return sendJson(res, 400, { error: "At least one admin user id (or allowlist user id) is required" });
+                }
+                const claudeBinary = typeof b.claudeBinary === "string" ? b.claudeBinary.trim() : "";
+                if (!claudeBinary)
+                    return sendJson(res, 400, { error: "claudeBinary is required" });
+                const loggingLevel = typeof b.loggingLevel === "string" ? b.loggingLevel.trim() : "info";
+                const allowedLevels = new Set(["fatal", "error", "warn", "info", "debug", "trace"]);
+                if (!allowedLevels.has(loggingLevel))
+                    return sendJson(res, 400, { error: "Invalid loggingLevel" });
+                const loggingJson = Boolean(b.loggingJson);
+                cfg = {
+                    ...cfg,
+                    telegram: { ...cfg.telegram, token, admin_user_ids: adminIds, allowlist: { user_ids: allowIds } },
+                    claude: { ...cfg.claude, binary: claudeBinary },
+                    logging: { ...cfg.logging, level: loggingLevel, json: loggingJson }
+                };
+                // Generate full YAML (overwrite; no comment preservation).
+                const raw = yaml_1.default.stringify(cfg);
+                writeYamlAtomic(opts.configPath, raw);
+                return sendJson(res, 200, { ok: true, message: "Saved. Restart the service to apply changes." });
+            }
+            if (method === "POST" && url.pathname === "/api/doctor") {
+                const checks = [
+                    ...(0, doctor_1.checkConfig)(opts.configPath),
+                    ...(0, doctor_1.checkDirs)({ dataDir: cfg.runtime.data_dir, workspacesDir: cfg.runtime.workspaces_dir, uploadsDir: cfg.runtime.uploads_dir }),
+                    (0, doctor_1.checkSqlite)(cfg.runtime.data_dir),
+                    (0, doctor_1.checkClaude)(cfg.claude.binary ?? "claude", process.env)
+                ];
+                const ok = checks.every((c) => c.ok);
+                return sendJson(res, 200, { ok, checks });
+            }
+            if (method === "POST" && url.pathname === "/api/telegram/check-token") {
+                const token = (cfg.telegram.token ?? "").trim();
+                if (!token)
+                    return sendJson(res, 400, { ok: false, error: "telegram.token is empty" });
+                const out = await deps.telegramGetMe(token);
+                if (!out.ok)
+                    return sendJson(res, 502, { ok: false, error: out.error ?? "Telegram API error" });
+                return sendJson(res, 200, { ok: true, result: out.result });
+            }
+            if (method === "POST" && url.pathname === "/api/restart") {
+                sendJson(res, 200, { ok: true, message: "Restarting..." });
+                // Allow the response to flush before exiting.
+                setTimeout(() => deps.exit(0), 250);
+                return;
+            }
+            sendJson(res, 404, { error: "Not found" });
+        }
+        catch (err) {
+            // Never include secrets in errors; keep generic.
+            const msg = err instanceof Error ? err.message : "Internal error";
+            opts.logger.error({ msg: "web request failed", err: msg });
+            sendJson(res, 500, { error: "Internal error" });
+        }
+    });
+    await new Promise((resolve, reject) => {
+        server.once("error", reject);
+        server.listen(port, bind, () => resolve());
+    });
+    const addr = server.address();
+    const baseUrl = typeof addr === "object" && addr ? `http://${bind}:${addr.port}` : `http://${bind}:${port}`;
+    opts.logger.info({ msg: "web ui started", bind, port });
+    return {
+        baseUrl,
+        close: async () => {
+            await new Promise((resolve, reject) => server.close((err) => (err ? reject(err) : resolve())));
+        }
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@smart-tinker/kayla",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "Telegram -> Claude Code CLI orchestrator (Z.AI backend configured in Claude Code).",
   "license": "MIT",
   "repository": {