@straiffi/archon 1.1.3 → 1.2.1

package/dist/server/lib/mobileAccess.js

@@ -0,0 +1,1051 @@
+import express from 'express';
+import { createHash, randomBytes } from 'crypto';
+import { createServer } from 'http';
+import { networkInterfaces as readNetworkInterfaces } from 'os';
+import { Server as SocketIoServer } from 'socket.io';
+import { createProjectChatSession, stopProjectChatSessionResponse, submitProjectChatSessionMessage, updateProjectChatSessionMode } from './chatOperations.js';
+import { DEFAULT_DESKTOP_BIND_HOST } from './desktopServerHost.js';
+import { startManagedNgrokTunnel } from './ngrok.js';
+import { STATIC_CLIENT_DIRECTORY_OPTIONS, STATIC_CLIENT_INDEX_OPTIONS } from './staticClient.js';
+import { transitionTicketState } from './ticketWorkflowOperations.js';
+import { resumeBuildTicketRun, runTicketRun, stopActiveRunByContextKey, stopBuildTicketRun, stopTicketRun } from './ticketRunOperations.js';
+import { submitPlanTicketFollowUp, submitTicketFollowUp } from './ticketFollowUpOperations.js';
+import { updateTicketAgentSettings } from './ticketSettingsOperations.js';
+const DEFAULT_MOBILE_PORT = 43111;
+const MOBILE_PORT_FALLBACK_COUNT = 20;
+const PAIRING_TTL_MS = 2 * 60 * 1000;
+const PAIRING_RATE_LIMIT_WINDOW_MS = 60 * 1000;
+const PAIRING_RATE_LIMIT_MAX_ATTEMPTS = 8;
+const MOBILE_SESSION_COOKIE = 'archon_mobile_session';
+const MOBILE_CSRF_HEADER = 'x-archon-mobile-csrf';
+const CUSTOM_PUBLIC_URL_VALIDATION_ERROR = 'Custom public URL must be a valid HTTPS origin without a path, query, or fragment.';
+const CUSTOM_PUBLIC_URL_PORT_IN_USE_ERROR = `Custom public URL mode requires local loopback port ${DEFAULT_MOBILE_PORT}, but it is already in use. Free that port and try again.`;
+const MOBILE_REALTIME_EVENTS = new Set([
+    'ticket:created',
+    'ticket:updated',
+    'ticket:deleted',
+    'ticket-dependency:created',
+    'ticket-dependency:deleted',
+    'chat-session:created',
+    'chat-session:updated',
+    'chat-session:deleted',
+]);
+const hashSecret = (value) => {
+    return createHash('sha256').update(value).digest('hex');
+};
+const createId = () => randomBytes(16).toString('base64url');
+const createSecret = () => randomBytes(32).toString('base64url');
+const createDisplayCode = () => {
+    const value = randomBytes(4).toString('hex').toUpperCase();
+    return `${value.slice(0, 4)}-${value.slice(4)}`;
+};
+const isPrivateIpv4Address = (address) => {
+    const parts = address.split('.').map(part => Number(part));
+    if (parts.length !== 4 || parts.some(part => !Number.isInteger(part) || part < 0 || part > 255)) {
+        return false;
+    }
+    const [first, second] = parts;
+    return first === 10 || (first === 172 && second >= 16 && second <= 31) || (first === 192 && second === 168);
+};
+export const selectPrivateLanAddress = (networkInterfaces) => {
+    const candidates = Object.values(networkInterfaces)
+        .flatMap(entries => entries ?? [])
+        .filter(entry => entry.family === 'IPv4' && !entry.internal && isPrivateIpv4Address(entry.address));
+    const uniqueCandidates = Array.from(new Set(candidates.map(entry => entry.address)));
+    if (uniqueCandidates.length === 1) {
+        return { address: uniqueCandidates[0], error: null };
+    }
+    if (uniqueCandidates.length === 0) {
+        return { address: null, error: 'No private LAN IPv4 interface is available for mobile access.' };
+    }
+    return {
+        address: null,
+        error: 'Multiple private LAN interfaces were found. Choose one explicitly before enabling mobile access.',
+    };
+};
+export const resolveMobileAccessPublicBaseUrl = (value) => {
+    const trimmedValue = value?.trim() ?? '';
+    if (trimmedValue.length === 0) {
+        return { baseUrl: null, error: null };
+    }
+    try {
+        const url = new URL(trimmedValue);
+        if (url.protocol !== 'https:'
+            || !url.host
+            || url.pathname !== '/'
+            || url.search.length > 0
+            || url.hash.length > 0
+            || url.username.length > 0
+            || url.password.length > 0) {
+            return { baseUrl: null, error: CUSTOM_PUBLIC_URL_VALIDATION_ERROR };
+        }
+        return { baseUrl: url.origin, error: null };
+    }
+    catch {
+        return { baseUrl: null, error: CUSTOM_PUBLIC_URL_VALIDATION_ERROR };
+    }
+};
+const listenOnMobilePort = ({ app, host, preferredPort, allowPortFallback = true, configureServer }) => {
+    const tryListen = (port) => {
+        return new Promise((resolve, reject) => {
+            const server = createServer(app);
+            const socketServer = configureServer?.(server) ?? null;
+            const handleError = (error) => {
+                server.off('listening', handleListening);
+                socketServer?.disconnectSockets?.(true);
+                reject(error);
+            };
+            const handleListening = () => {
+                server.off('error', handleError);
+                const address = server.address();
+                resolve({
+                    server,
+                    port: typeof address === 'object' && address ? address.port : port,
+                    socketServer,
+                });
+            };
+            server.once('error', handleError);
+            server.once('listening', handleListening);
+            server.listen(port, host);
+        });
+    };
+    const attempt = async (offset) => {
+        try {
+            return await tryListen(preferredPort + offset);
+        }
+        catch (error) {
+            if (allowPortFallback && error.code === 'EADDRINUSE' && offset < MOBILE_PORT_FALLBACK_COUNT) {
+                return await attempt(offset + 1);
+            }
+            throw error;
+        }
+    };
+    return attempt(0);
+};
+const parseCookie = (cookieHeader, name) => {
+    if (!cookieHeader) {
+        return null;
+    }
+    for (const entry of cookieHeader.split(';')) {
+        const [rawKey, ...rawValue] = entry.trim().split('=');
+        if (rawKey === name) {
+            return decodeURIComponent(rawValue.join('='));
+        }
+    }
+    return null;
+};
+const setNoStore = (res) => {
+    res.setHeader('Cache-Control', 'no-store');
+};
+const setNoReferrer = (res) => {
+    res.setHeader('Referrer-Policy', 'no-referrer');
+};
+const getOriginHost = (value) => {
+    try {
+        return new URL(value).host.toLowerCase();
+    }
+    catch {
+        return null;
+    }
+};
+const listSerializedProjects = async () => {
+    const { listProjects, serializeProject } = await import('./projects.js');
+    return listProjects().map(serializeProject).filter(project => project !== null);
+};
+const getSerializedProjectSummary = async (projectId) => {
+    const [{ default: db }, { getProjectById, serializeProject }, { getActiveRunStatusForProject }] = await Promise.all([
+        import('../db.js'),
+        import('./projects.js'),
+        import('./run.js'),
+    ]);
+    const project = serializeProject(getProjectById(projectId));
+    if (!project) {
+        return null;
+    }
+    const stateRows = db.prepare(`
+    SELECT state, COUNT(*) AS count
+    FROM tickets
+    WHERE project_id = ?
+      AND parked_at IS NULL
+    GROUP BY state
+  `).all(projectId);
+    const counts = {
+        plan: 0,
+        build: 0,
+        review: 0,
+    };
+    for (const row of stateRows) {
+        counts[row.state] = Number(row.count ?? 0);
+    }
+    const parkedRow = db.prepare('SELECT COUNT(*) AS count FROM tickets WHERE project_id = ? AND parked_at IS NOT NULL').get(projectId);
+    const parked = Number(parkedRow?.count ?? 0);
+    return {
+        project,
+        tickets: {
+            total: project.ticket_count,
+            plan: counts.plan,
+            build: counts.build,
+            review: counts.review,
+            parked,
+        },
+        active_run: getActiveRunStatusForProject(project.id),
+    };
+};
+const listMobileChatSessions = async (projectId) => {
+    const [{ getProjectById }, { listChatSessions }] = await Promise.all([
+        import('./projects.js'),
+        import('./chats.js'),
+    ]);
+    if (!getProjectById(projectId)) {
+        return null;
+    }
+    return listChatSessions(projectId);
+};
+const listMobileModels = async (tool) => {
+    if (tool !== 'opencode') {
+        return [];
+    }
+    const { getDiscoveredModels } = await import('./models.js');
+    return await getDiscoveredModels(tool);
+};
+const listMobileSkills = async (tool, projectId) => {
+    if (tool !== 'opencode') {
+        return [];
+    }
+    const [{ getProjectById }, { getDiscoveredSkills }] = await Promise.all([
+        import('./projects.js'),
+        import('./skills.js'),
+    ]);
+    const project = projectId ? getProjectById(projectId) : null;
+    return await getDiscoveredSkills(tool, { projectPath: project?.repo_path ?? null });
+};
+const listMobileTickets = async (projectId) => {
+    const [{ getProjectById }, { listTickets }] = await Promise.all([
+        import('./projects.js'),
+        import('./tickets.js'),
+    ]);
+    if (!getProjectById(projectId)) {
+        return null;
+    }
+    return listTickets(projectId, { detail: 'board' });
+};
+const getMobileTicket = async (projectId, ticketId) => {
+    const [{ getProjectById }, { getTicket }] = await Promise.all([
+        import('./projects.js'),
+        import('./tickets.js'),
+    ]);
+    if (!getProjectById(projectId)) {
+        return null;
+    }
+    const ticket = getTicket(ticketId);
+    if (!ticket || ticket.project_id !== projectId) {
+        return null;
+    }
+    return ticket;
+};
+const getMobileChatSession = async (projectId, chatSessionId) => {
+    const [{ refreshChatSessionUsageSnapshot }, { getProjectById }, { getChatSession }] = await Promise.all([
+        import('./agent.js'),
+        import('./projects.js'),
+        import('./chats.js'),
+    ]);
+    if (!getProjectById(projectId)) {
+        return null;
+    }
+    const chatSession = getChatSession(chatSessionId, { includeMessages: true });
+    if (!chatSession || chatSession.project_id !== projectId) {
+        return null;
+    }
+    const refreshedChatSession = refreshChatSessionUsageSnapshot(chatSession.id, { includeMessages: true });
+    if (!refreshedChatSession || refreshedChatSession.project_id !== projectId) {
+        return chatSession;
+    }
+    return refreshedChatSession;
+};
+const createDefaultMobileSocketServer = (server, authenticate) => {
+    const socketServer = new SocketIoServer(server);
+    socketServer.use((socket, next) => {
+        const session = authenticate(socket.handshake.headers.cookie);
+        if (!session) {
+            next(new Error('Authentication required.'));
+            return;
+        }
+        socket.data.mobileSessionId = session.sessionId;
+        next();
+    });
+    return socketServer;
+};
+export const createMobileAccessController = (options = {}) => {
+    const getNetworkInterfaces = options.networkInterfaces ?? readNetworkInterfaces;
+    const listen = options.listen ?? listenOnMobilePort;
+    const getNow = options.now ?? (() => new Date());
+    const defaultClientBuild = options.clientBuild ?? null;
+    const listMobileProjects = options.listProjects ?? listSerializedProjects;
+    const getMobileProjectSummary = options.getProjectSummary ?? getSerializedProjectSummary;
+    const listProjectChatSessions = options.listChatSessions ?? listMobileChatSessions;
+    const getProjectChatSession = options.getChatSession ?? getMobileChatSession;
+    const listProjectTickets = options.listTickets ?? listMobileTickets;
+    const getProjectTicket = options.getTicket ?? getMobileTicket;
+    const listAgentModels = options.listModels ?? listMobileModels;
+    const listAgentSkills = options.listSkills ?? listMobileSkills;
+    const createMobileChatSession = options.createChatSession ?? ((projectId, payload, broadcaster) => createProjectChatSession({ projectId, payload, broadcaster }));
+    const updateMobileChatSession = options.updateChatSession ?? ((projectId, chatSessionId, payload, broadcaster) => updateProjectChatSessionMode({ projectId, chatSessionId, payload, broadcaster }));
+    const submitMobileChatMessage = options.submitChatMessage ?? ((projectId, chatSessionId, payload, broadcaster) => submitProjectChatSessionMessage({ projectId, chatSessionId, payload, broadcaster }));
+    const stopMobileChatSession = options.stopChatSession ?? ((projectId, chatSessionId) => stopProjectChatSessionResponse({ projectId, chatSessionId }));
+    const createSocketServer = options.createSocketServer ?? createDefaultMobileSocketServer;
+    const startManagedTunnel = options.startManagedTunnel ?? startManagedNgrokTunnel;
+    let operationBroadcaster = options.broadcaster ?? { emit: (event, payload) => emitRealtime(event, payload) };
+    let mobileReviewBundleTickets = options.reviewBundleTickets ?? (() => ({
+        ok: false,
+        status: 409,
+        error: 'Bundle review transitions are unavailable from mobile access.',
+    }));
+    const transitionMobileTicket = options.transitionTicket ?? ((projectId, ticketId, payload, broadcaster) => transitionTicketState({
+        ticketId,
+        requestedState: payload?.state,
+        requestedProjectId: projectId,
+        broadcaster,
+        reviewBundleTickets: mobileReviewBundleTickets,
+    }));
+    const runMobileTicket = options.runTicket ?? ((projectId, ticketId, broadcaster) => runTicketRun({ ticketId, requestedProjectId: projectId, broadcaster }));
+    const stopMobileTicket = options.stopTicket ?? ((projectId, ticketId, broadcaster) => stopTicketRun({ ticketId, requestedProjectId: projectId, broadcaster }));
+    const stopMobileRun = options.stopRun ?? ((runContextKey, broadcaster) => stopActiveRunByContextKey({ runContextKey, broadcaster }));
+    const stopMobileBuildTicket = options.stopBuildTicket ?? ((projectId, ticketId) => stopBuildTicketRun({ ticketId, requestedProjectId: projectId }));
+    const resumeMobileBuildTicket = options.resumeBuildTicket ?? ((projectId, ticketId, broadcaster) => resumeBuildTicketRun({ ticketId, requestedProjectId: projectId, broadcaster }));
+    const updateMobileTicketSettings = options.updateTicketSettings ?? ((projectId, ticketId, payload, broadcaster) => updateTicketAgentSettings({ ticketId, requestedProjectId: projectId, payload, broadcaster }));
+    const submitMobilePlanTicketFollowUp = options.submitPlanTicketFollowUp ?? ((projectId, ticketId, payload, broadcaster) => submitPlanTicketFollowUp({ ticketId, requestedProjectId: projectId, payload, broadcaster }));
+    const submitMobileTicketFollowUp = options.submitTicketFollowUp ?? ((projectId, ticketId, payload, broadcaster) => submitTicketFollowUp({ ticketId, requestedProjectId: projectId, payload, broadcaster }));
+    let mobileAccessId = null;
+    let mobileAccessMode = null;
+    let localListenerUrl = null;
+    let mobileUrl = null;
+    let managedTunnelStop = null;
+    let pairingChallenge = null;
+    let sessions = new Map();
+    let attempts = new Map();
+    let server = null;
+    let mobileSocketServer = null;
+    let lastError = null;
+    const nowMs = () => getNow().getTime();
+    const isPairingExpired = () => {
+        return Boolean(pairingChallenge && pairingChallenge.expiresAt.getTime() <= nowMs());
+    };
+    const generatePairingChallenge = (preferredProjectId = null) => {
+        if (!mobileAccessId || !mobileUrl) {
+            throw new Error('Mobile access is not enabled.');
+        }
+        const pairingId = createId();
+        const pairingSecret = createSecret();
+        const displayCode = createDisplayCode();
+        const url = new URL('/mobile/pair', mobileUrl);
+        url.searchParams.set('mobileAccessId', mobileAccessId);
+        url.searchParams.set('pairingId', pairingId);
+        pairingChallenge = {
+            mobileAccessId,
+            pairingId,
+            pairingSecretHash: hashSecret(pairingSecret),
+            preferredProjectId,
+            displayCode,
+            qrUrl: `${url.toString()}#pairingSecret=${encodeURIComponent(pairingSecret)}`,
+            expiresAt: new Date(nowMs() + PAIRING_TTL_MS),
+            consumedAt: null,
+        };
+    };
+    const serializeSessions = () => {
+        return Array.from(sessions.values()).map(session => ({
+            id: session.id,
+            paired_at: session.pairedAt.toISOString(),
+            last_seen_at: session.lastSeenAt.toISOString(),
+            remote_address: session.remoteAddress,
+            user_agent: session.userAgent,
+        }));
+    };
+    const getStatus = () => {
+        if (!server) {
+            return {
+                mode: null,
+                state: lastError ? 'error' : 'disabled',
+                local_listener_url: null,
+                url: null,
+                pairing: null,
+                sessions: [],
+                error: lastError,
+            };
+        }
+        const hasSessions = sessions.size > 0;
+        const pairing = pairingChallenge && !pairingChallenge.consumedAt && !isPairingExpired()
+            ? {
+                display_code: pairingChallenge.displayCode,
+                qr_url: pairingChallenge.qrUrl,
+                expires_at: pairingChallenge.expiresAt.toISOString(),
+            }
+            : null;
+        return {
+            mode: mobileAccessMode,
+            state: hasSessions ? 'connected' : pairing ? 'awaiting_pairing' : 'expired',
+            local_listener_url: localListenerUrl,
+            url: mobileUrl,
+            pairing,
+            sessions: serializeSessions(),
+            error: lastError,
+        };
+    };
+    const start = async ({ mode, preferredPort = DEFAULT_MOBILE_PORT, clientBuild = defaultClientBuild, broadcaster, reviewBundleTickets, publicBaseUrl, preferredProjectId = null, } = {}) => {
+        if (server) {
+            if (broadcaster) {
+                operationBroadcaster = broadcaster;
+            }
+            if (reviewBundleTickets) {
+                mobileReviewBundleTickets = reviewBundleTickets;
+            }
+            return getStatus();
+        }
+        lastError = null;
+        operationBroadcaster = broadcaster ?? options.broadcaster ?? { emit: (event, payload) => emitRealtime(event, payload) };
+        mobileReviewBundleTickets = reviewBundleTickets ?? options.reviewBundleTickets ?? mobileReviewBundleTickets;
+        const resolvedPublicBaseUrl = resolveMobileAccessPublicBaseUrl(publicBaseUrl);
+        if (resolvedPublicBaseUrl.error) {
+            lastError = resolvedPublicBaseUrl.error;
+            return getStatus();
+        }
+        const nextMode = mode ?? (resolvedPublicBaseUrl.baseUrl ? 'custom_public_url' : 'lan');
+        if (nextMode === 'custom_public_url' && !resolvedPublicBaseUrl.baseUrl) {
+            lastError = CUSTOM_PUBLIC_URL_VALIDATION_ERROR;
+            return getStatus();
+        }
+        const selection = nextMode === 'lan' ? selectPrivateLanAddress(getNetworkInterfaces()) : { address: DEFAULT_DESKTOP_BIND_HOST, error: null };
+        if (!selection.address) {
+            lastError = selection.error;
+            return getStatus();
+        }
+        mobileAccessId = createId();
+        mobileAccessMode = nextMode;
+        sessions = new Map();
+        attempts = new Map();
+        let startedServer = null;
+        let startedSocketServer = null;
+        let nextManagedTunnelStop = null;
+        try {
+            const app = createMobileApp(clientBuild);
+            const result = await listen({
+                app,
+                host: selection.address,
+                preferredPort,
+                allowPortFallback: nextMode === 'lan',
+                configureServer: httpServer => createSocketServer(httpServer, validateMobileSocketHandshake),
+            });
+            startedServer = result.server;
+            startedSocketServer = result.socketServer ?? null;
+            const nextLocalListenerUrl = `http://${selection.address}:${result.port}`;
+            let nextMobileUrl = `http://${selection.address}:${result.port}/mobile`;
+            if (nextMode === 'custom_public_url') {
+                nextMobileUrl = `${resolvedPublicBaseUrl.baseUrl}/mobile`;
+            }
+            if (nextMode === 'ngrok') {
+                const tunnel = await startManagedTunnel({ localListenerUrl: nextLocalListenerUrl });
+                nextManagedTunnelStop = tunnel.stop;
+                nextMobileUrl = `${tunnel.publicBaseUrl}/mobile`;
+            }
+            server = startedServer;
+            mobileSocketServer = startedSocketServer;
+            localListenerUrl = nextLocalListenerUrl;
+            mobileUrl = nextMobileUrl;
+            managedTunnelStop = nextManagedTunnelStop;
+            generatePairingChallenge(preferredProjectId);
+            return getStatus();
+        }
+        catch (error) {
+            if (nextManagedTunnelStop) {
+                await nextManagedTunnelStop().catch(() => { });
+            }
+            startedSocketServer?.disconnectSockets?.(true);
+            if (startedServer) {
+                await new Promise(resolve => {
+                    startedServer?.close(() => resolve());
+                });
+            }
+            mobileAccessId = null;
+            mobileAccessMode = null;
+            localListenerUrl = null;
+            mobileUrl = null;
+            managedTunnelStop = null;
+            pairingChallenge = null;
+            sessions.clear();
+            attempts.clear();
+            server = null;
+            mobileSocketServer = null;
+            const errorCode = error?.code;
+            lastError = errorCode === 'EADDRINUSE' && nextMode === 'custom_public_url'
+                ? CUSTOM_PUBLIC_URL_PORT_IN_USE_ERROR
+                : error instanceof Error
+                    ? error.message
+                    : 'Failed to start mobile access.';
+            return getStatus();
+        }
+    };
+    const stop = async () => {
+        const activeServer = server;
+        const activeManagedTunnelStop = managedTunnelStop;
+        disconnectAllMobileSockets();
+        mobileAccessId = null;
+        mobileAccessMode = null;
+        localListenerUrl = null;
+        mobileUrl = null;
+        managedTunnelStop = null;
+        pairingChallenge = null;
+        sessions.clear();
+        attempts.clear();
+        server = null;
+        mobileSocketServer = null;
+        lastError = null;
+        if (!activeServer) {
+            return getStatus();
+        }
+        let tunnelStopError = null;
+        if (activeManagedTunnelStop) {
+            try {
+                await activeManagedTunnelStop();
+            }
+            catch (error) {
+                tunnelStopError = error instanceof Error ? error : new Error('Failed to stop managed tunnel.');
+            }
+        }
+        await new Promise((resolve, reject) => {
+            activeServer.close(error => {
+                if (error) {
+                    reject(error);
+                    return;
+                }
+                resolve();
+            });
+        });
+        if (tunnelStopError) {
+            throw tunnelStopError;
+        }
+        return getStatus();
+    };
+    const regeneratePairingChallenge = (preferredProjectId = null) => {
+        if (!server) {
+            lastError = 'Mobile access is not enabled.';
+            return getStatus();
+        }
+        generatePairingChallenge(preferredProjectId);
+        lastError = null;
+        return getStatus();
+    };
+    const createAttemptKey = (payload) => {
+        return `${payload.remoteAddress ?? 'unknown'}:${payload.pairingId}`;
+    };
+    const isRateLimited = (payload) => {
+        const key = createAttemptKey(payload);
+        const current = attempts.get(key);
+        const timestamp = nowMs();
+        if (!current || current.resetAt <= timestamp) {
+            attempts.set(key, { count: 1, resetAt: timestamp + PAIRING_RATE_LIMIT_WINDOW_MS });
+            return false;
+        }
+        current.count += 1;
+        return current.count > PAIRING_RATE_LIMIT_MAX_ATTEMPTS;
+    };
+    const getValidPairingChallenge = (payload) => {
+        if (isRateLimited(payload)) {
+            return null;
+        }
+        if (!pairingChallenge ||
+            pairingChallenge.consumedAt ||
+            pairingChallenge.expiresAt.getTime() <= nowMs() ||
+            payload.mobileAccessId !== pairingChallenge.mobileAccessId ||
+            payload.pairingId !== pairingChallenge.pairingId ||
+            hashSecret(payload.pairingSecret) !== pairingChallenge.pairingSecretHash) {
+            return null;
+        }
+        return pairingChallenge;
+    };
+    const previewPairingChallenge = (payload) => {
+        const challenge = getValidPairingChallenge(payload);
+        if (!challenge) {
+            return null;
+        }
+        return {
+            displayCode: challenge.displayCode,
+            expiresAt: challenge.expiresAt.toISOString(),
+        };
+    };
+    const consumePairingChallenge = (payload) => {
+        const challenge = getValidPairingChallenge(payload);
+        if (!challenge) {
+            return null;
+        }
+        challenge.consumedAt = getNow();
+        const sessionId = createId();
+        const sessionToken = createSecret();
+        const csrfToken = createSecret();
+        const timestamp = getNow();
+        sessions.set(sessionId, {
+            id: sessionId,
+            tokenHash: hashSecret(sessionToken),
+            csrfToken,
+            preferredProjectId: challenge.preferredProjectId,
+            pairedAt: timestamp,
+            lastSeenAt: timestamp,
+            remoteAddress: payload.remoteAddress ?? null,
+            userAgent: payload.userAgent ?? null,
+        });
+        return {
+            sessionId,
+            sessionToken,
+            csrfToken,
+            preferredProjectId: challenge.preferredProjectId,
+        };
+    };
+    const validateSessionToken = (sessionToken) => {
+        if (!sessionToken) {
+            return null;
+        }
+        const tokenHash = hashSecret(sessionToken);
+        const session = Array.from(sessions.values()).find(candidate => candidate.tokenHash === tokenHash);
+        if (!session) {
+            return null;
+        }
+        session.lastSeenAt = getNow();
+        return {
+            sessionId: session.id,
+            csrfToken: session.csrfToken,
+            preferredProjectId: session.preferredProjectId,
+        };
+    };
+    const validateMobileRequest = (req) => {
+        return validateSessionToken(parseCookie(req.headers.cookie, MOBILE_SESSION_COOKIE));
+    };
+    const validateMobileSocketHandshake = (cookieHeader) => {
+        return validateSessionToken(parseCookie(cookieHeader, MOBILE_SESSION_COOKIE));
+    };
+    const validateMobileWriteRequest = (req) => {
+        const session = validateMobileRequest(req);
+        if (!session) {
+            return null;
+        }
+        const origin = req.get('origin');
+        const host = req.get('host');
+        if (origin) {
+            const originHost = getOriginHost(origin);
+            if (!originHost) {
+                return null;
+            }
+            const expectedHost = mobileAccessMode && mobileAccessMode !== 'lan'
+                ? getOriginHost(mobileUrl ?? '')
+                : host?.toLowerCase() ?? null;
+            if (!expectedHost || originHost !== expectedHost) {
+                return null;
+            }
+        }
+        if (req.get(MOBILE_CSRF_HEADER) !== session.csrfToken) {
+            return null;
+        }
+        return session;
+    };
+    const disconnectMobileSessionSockets = (sessionId) => {
+        for (const socket of mobileSocketServer?.sockets.sockets.values() ?? []) {
+            if (socket.data.mobileSessionId === sessionId) {
+                socket.disconnect(true);
+            }
+        }
+    };
+    const disconnectAllMobileSockets = () => {
+        mobileSocketServer?.disconnectSockets?.(true);
+        for (const socket of mobileSocketServer?.sockets.sockets.values() ?? []) {
+            socket.disconnect(true);
+        }
+    };
+    const emitRealtime = (event, payload) => {
+        if (!MOBILE_REALTIME_EVENTS.has(event)) {
+            return false;
+        }
+        return Boolean(mobileSocketServer?.emit(event, payload));
+    };
+    const revokeMobileSession = (sessionId) => {
+        disconnectMobileSessionSockets(sessionId);
+        sessions.delete(sessionId);
+        return getStatus();
+    };
+    const revokeAllMobileSessions = () => {
+        disconnectAllMobileSockets();
+        sessions.clear();
+        return getStatus();
+    };
+    const sendMobileIndex = (res, clientBuild) => {
+        setNoReferrer(res);
+        if (!clientBuild) {
+            res
+                .status(503)
+                .type('html')
+                .send('<!doctype html><title>Archon mobile unavailable</title><main>Archon mobile client is not available in this server build.</main>');
+            return;
+        }
+        res.sendFile(clientBuild.indexPath, STATIC_CLIENT_INDEX_OPTIONS);
+    };
+    const createMobileApp = (clientBuild) => {
+        const app = express();
+        app.disable('x-powered-by');
+        app.use(express.json({ limit: '64kb' }));
+        app.use((_, res, next) => {
+            setNoStore(res);
+            next();
+        });
+        app.get('/mobile-auth/status', (req, res) => {
+            const session = validateMobileRequest(req);
+            if (!session) {
+                res.json({ authenticated: false });
+                return;
+            }
+            res.json({
+                authenticated: true,
+                csrf_token: session.csrfToken,
+                preferred_project_id: session.preferredProjectId,
+            });
+        });
+        const createPairingPayload = (req) => {
+            const body = req.body;
+            return {
+                mobileAccessId: typeof body.mobileAccessId === 'string' ? body.mobileAccessId : '',
+                pairingId: typeof body.pairingId === 'string' ? body.pairingId : '',
+                pairingSecret: typeof body.pairingSecret === 'string' ? body.pairingSecret : '',
+                remoteAddress: req.ip,
+                userAgent: req.get('user-agent') ?? null,
+            };
+        };
+        app.post('/mobile-auth/pair', (req, res) => {
+            const result = consumePairingChallenge(createPairingPayload(req));
+            if (!result) {
+                res.status(401).json({ error: 'Pairing failed.' });
+                return;
+            }
+            res.cookie(MOBILE_SESSION_COOKIE, result.sessionToken, {
+                httpOnly: true,
+                sameSite: 'strict',
+                secure: mobileAccessMode !== 'lan',
+                path: '/',
+            });
+            res.json({
+                authenticated: true,
+                csrf_token: result.csrfToken,
+                preferred_project_id: result.preferredProjectId,
+            });
+        });
+        app.post('/mobile-auth/pair/preview', (req, res) => {
+            const result = previewPairingChallenge(createPairingPayload(req));
+            if (!result) {
+                res.status(401).json({ error: 'Pairing failed.' });
+                return;
+            }
+            res.json({ display_code: result.displayCode, expires_at: result.expiresAt });
+        });
+        app.post('/mobile-auth/logout', (req, res) => {
+            const session = validateMobileWriteRequest(req);
+            if (!session) {
+                res.status(403).json({ error: 'Forbidden' });
+                return;
+            }
+            sessions.delete(session.sessionId);
+            res.clearCookie(MOBILE_SESSION_COOKIE, {
+                sameSite: 'strict',
+                secure: mobileAccessMode !== 'lan',
+                path: '/',
+            });
+            res.json({ ok: true });
+        });
+        const sendTicketOperationResult = (res, result) => {
+            if (!result.ok) {
+                res.status(result.status).json({
+                    error: result.error,
+                    ...result.details,
+                });
+                return;
+            }
+            res.status(result.status).json(result.value);
+            result.afterResponse?.();
+        };
+        const requireMobileWriteSession = (req, res) => {
+            const session = validateMobileWriteRequest(req);
+            if (!session) {
+                res.status(403).json({ error: 'Forbidden' });
+                return null;
+            }
+            return session;
+        };
+        app.get('/mobile/projects', async (req, res) => {
+            const session = validateMobileRequest(req);
+            if (!session) {
+                res.status(401).json({ error: 'Authentication required.' });
+                return;
+            }
+            try {
+                res.json(await listMobileProjects());
+            }
+            catch {
+                res.status(500).json({ error: 'Unable to list projects.' });
+            }
+        });
+        app.get('/mobile/projects/:projectId/summary', async (req, res) => {
+            const session = validateMobileRequest(req);
+            if (!session) {
+                res.status(401).json({ error: 'Authentication required.' });
+                return;
+            }
+            try {
+                const summary = await getMobileProjectSummary(req.params.projectId);
+                if (!summary) {
+                    res.status(404).json({ error: 'Not found' });
+                    return;
+                }
+                res.json(summary);
+            }
+            catch {
+                res.status(500).json({ error: 'Unable to load project summary.' });
+            }
+        });
+        app.get('/mobile/projects/:projectId/chat-sessions', async (req, res) => {
+            const session = validateMobileRequest(req);
+            if (!session) {
+                res.status(401).json({ error: 'Authentication required.' });
+                return;
+            }
+            try {
+                const chatSessions = await listProjectChatSessions(req.params.projectId);
+                if (!chatSessions) {
+                    res.status(404).json({ error: 'Not found' });
+                    return;
+                }
+                res.json(chatSessions);
+            }
+            catch {
+                res.status(500).json({ error: 'Unable to list chat sessions.' });
+            }
+        });
+        app.get('/mobile/projects/:projectId/chat-sessions/:sessionId', async (req, res) => {
+            const session = validateMobileRequest(req);
+            if (!session) {
+                res.status(401).json({ error: 'Authentication required.' });
+                return;
+            }
+            try {
+                const chatSession = await getProjectChatSession(req.params.projectId, req.params.sessionId);
+                if (!chatSession) {
+                    res.status(404).json({ error: 'Not found' });
+                    return;
+                }
+                res.json(chatSession);
+            }
+            catch {
+                res.status(500).json({ error: 'Unable to load chat session.' });
+            }
+        });
+        app.get('/mobile/projects/:projectId/tickets', async (req, res) => {
+            const session = validateMobileRequest(req);
+            if (!session) {
+                res.status(401).json({ error: 'Authentication required.' });
+                return;
+            }
+            try {
+                const tickets = await listProjectTickets(req.params.projectId);
+                if (!tickets) {
+                    res.status(404).json({ error: 'Not found' });
+                    return;
+                }
+                res.json(tickets);
+            }
+            catch {
+                res.status(500).json({ error: 'Unable to list tickets.' });
+            }
+        });
+        app.get('/mobile/projects/:projectId/tickets/:ticketId', async (req, res) => {
+            const session = validateMobileRequest(req);
+            if (!session) {
+                res.status(401).json({ error: 'Authentication required.' });
+                return;
+            }
+            try {
+                const ticket = await getProjectTicket(req.params.projectId, req.params.ticketId);
+                if (!ticket) {
+                    res.status(404).json({ error: 'Not found' });
+                    return;
+                }
+                res.json(ticket);
+            }
+            catch {
+                res.status(500).json({ error: 'Unable to load ticket.' });
+            }
+        });
+        app.patch('/mobile/projects/:projectId/tickets/:ticketId', (req, res) => {
+            if (!requireMobileWriteSession(req, res)) {
+                return;
+            }
+            sendTicketOperationResult(res, updateMobileTicketSettings(req.params.projectId, req.params.ticketId, req.body, operationBroadcaster));
+        });
+        app.patch('/mobile/projects/:projectId/tickets/:ticketId/state', (req, res) => {
+            if (!requireMobileWriteSession(req, res)) {
+                return;
+            }
+            sendTicketOperationResult(res, transitionMobileTicket(req.params.projectId, req.params.ticketId, req.body, operationBroadcaster));
+        });
+        app.post('/mobile/projects/:projectId/tickets/:ticketId/run', (req, res) => {
+            if (!requireMobileWriteSession(req, res)) {
+                return;
+            }
+            sendTicketOperationResult(res, runMobileTicket(req.params.projectId, req.params.ticketId, operationBroadcaster));
+        });
+        app.post('/mobile/projects/:projectId/tickets/:ticketId/stop', async (req, res) => {
+            if (!requireMobileWriteSession(req, res)) {
+                return;
+            }
+            sendTicketOperationResult(res, await stopMobileTicket(req.params.projectId, req.params.ticketId, operationBroadcaster));
+        });
+        app.post('/mobile/projects/:projectId/tickets/:ticketId/stop-build', async (req, res) => {
+            if (!requireMobileWriteSession(req, res)) {
+                return;
+            }
+            sendTicketOperationResult(res, await stopMobileBuildTicket(req.params.projectId, req.params.ticketId));
+        });
+        app.post('/mobile/projects/:projectId/tickets/:ticketId/resume-build', (req, res) => {
+            if (!requireMobileWriteSession(req, res)) {
+                return;
+            }
+            sendTicketOperationResult(res, resumeMobileBuildTicket(req.params.projectId, req.params.ticketId, operationBroadcaster));
+        });
+        app.post('/mobile/runs/:runContextKey/stop', async (req, res) => {
+            if (!requireMobileWriteSession(req, res)) {
+                return;
+            }
+            sendTicketOperationResult(res, await stopMobileRun(req.params.runContextKey, operationBroadcaster));
+        });
+        app.post('/mobile/projects/:projectId/tickets/:ticketId/plan-follow-up', (req, res) => {
+            if (!requireMobileWriteSession(req, res)) {
+                return;
+            }
+            sendTicketOperationResult(res, submitMobilePlanTicketFollowUp(req.params.projectId, req.params.ticketId, req.body, operationBroadcaster));
+        });
+        app.post('/mobile/projects/:projectId/tickets/:ticketId/follow-up', (req, res) => {
+            if (!requireMobileWriteSession(req, res)) {
+                return;
+            }
+            sendTicketOperationResult(res, submitMobileTicketFollowUp(req.params.projectId, req.params.ticketId, req.body, operationBroadcaster));
+        });
+        app.post('/mobile/projects/:projectId/chat-sessions', (req, res) => {
+            const session = validateMobileWriteRequest(req);
+            if (!session) {
+                res.status(403).json({ error: 'Forbidden' });
+                return;
+            }
+            const result = createMobileChatSession(req.params.projectId, req.body, operationBroadcaster);
+            if (!result.ok) {
+                res.status(result.status).json({ error: result.error });
+                return;
+            }
+            res.status(result.status).json(result.value);
+        });
+        app.patch('/mobile/projects/:projectId/chat-sessions/:sessionId', (req, res) => {
+            const session = validateMobileWriteRequest(req);
+            if (!session) {
+                res.status(403).json({ error: 'Forbidden' });
+                return;
+            }
+            const result = updateMobileChatSession(req.params.projectId, req.params.sessionId, req.body, operationBroadcaster);
+            if (!result.ok) {
+                res.status(result.status).json({ error: result.error });
+                return;
+            }
+            res.status(result.status).json(result.value);
+        });
+        app.post('/mobile/projects/:projectId/chat-sessions/:sessionId/messages', (req, res) => {
+            const session = validateMobileWriteRequest(req);
+            if (!session) {
+                res.status(403).json({ error: 'Forbidden' });
+                return;
+            }
+            const result = submitMobileChatMessage(req.params.projectId, req.params.sessionId, req.body, operationBroadcaster);
+            if (!result.ok) {
+                res.status(result.status).json({ error: result.error });
+                return;
+            }
+            res.status(result.status).json(result.value);
+        });
+        app.post('/mobile/projects/:projectId/chat-sessions/:sessionId/stop', async (req, res) => {
+            const session = validateMobileWriteRequest(req);
+            if (!session) {
+                res.status(403).json({ error: 'Forbidden' });
+                return;
+            }
+            const result = await stopMobileChatSession(req.params.projectId, req.params.sessionId);
+            if (!result.ok) {
+                res.status(result.status).json({ error: result.error });
+                return;
+            }
+            res.status(result.status).json(result.value);
+        });
+        app.get('/mobile/models', async (req, res) => {
+            const session = validateMobileRequest(req);
+            if (!session) {
+                res.status(401).json({ error: 'Authentication required.' });
+                return;
+            }
+            const tool = typeof req.query.tool === 'string' ? req.query.tool : '';
+            try {
+                res.json(await listAgentModels(tool));
+            }
+            catch {
+                res.status(500).json({ error: 'Unable to list models.' });
+            }
+        });
+        app.get('/mobile/skills', async (req, res) => {
+            const session = validateMobileRequest(req);
+            if (!session) {
+                res.status(401).json({ error: 'Authentication required.' });
+                return;
+            }
+            const tool = typeof req.query.tool === 'string' ? req.query.tool : '';
+            const projectId = typeof req.query.project_id === 'string' ? req.query.project_id : null;
+            try {
+                res.json(await listAgentSkills(tool, projectId));
+            }
+            catch {
+                res.status(500).json({ error: 'Unable to list skills.' });
+            }
+        });
+        if (clientBuild) {
+            app.use(express.static(clientBuild.directoryPath, STATIC_CLIENT_DIRECTORY_OPTIONS));
+        }
+        app.get('/mobile', (_req, res) => {
+            sendMobileIndex(res, clientBuild);
+        });
+        app.get('/mobile/*path', (_req, res) => {
+            sendMobileIndex(res, clientBuild);
+        });
+        return app;
+    };
+    return {
+        getStatus,
+        start,
+        stop,
+        regeneratePairingChallenge,
+        consumePairingChallenge,
+        previewPairingChallenge,
+        validateMobileRequest,
+        validateMobileSocketHandshake,
+        validateMobileWriteRequest,
+        emitRealtime,
+        revokeMobileSession,
+        revokeAllMobileSessions,
+    };
+};
+export const mobileAccess = createMobileAccessController();
+export const getMobileAccessStatus = () => mobileAccess.getStatus();
+export const startMobileAccess = (options) => mobileAccess.start(options);
+export const stopMobileAccess = () => mobileAccess.stop();
+export const regenerateMobilePairingChallenge = (preferredProjectId) => mobileAccess.regeneratePairingChallenge(preferredProjectId);
+export const consumeMobilePairingChallenge = (payload) => mobileAccess.consumePairingChallenge(payload);
+export const validateMobileRequest = (req) => mobileAccess.validateMobileRequest(req);
+export const validateMobileWriteRequest = (req) => mobileAccess.validateMobileWriteRequest(req);
+export const emitMobileRealtime = (event, payload) => mobileAccess.emitRealtime(event, payload);
+export const revokeMobileSession = (sessionId) => mobileAccess.revokeMobileSession(sessionId);
+export const revokeAllMobileSessions = () => mobileAccess.revokeAllMobileSessions();
+//# sourceMappingURL=mobileAccess.js.map