@trops/dash-core 0.1.350 → 0.1.352

package/dist/electron/index.js

@@ -26707,1465 +26707,1820 @@ function parsePackageId(id) {
 var packageId = { toPackageId: toPackageId$1, parsePackageId };
 
 /**
- * registryController.js
+ * registryAuthController.js
  *
- * Manages fetching, caching, and searching the remote widget registry index.
- * Runs in the Electron main process.
+ * Manages authentication with the Dash registry service.
+ * Uses OAuth device code flow for desktop app authentication.
  *
- * Responsibilities:
- * - Fetch and cache the remote registry-index.json with 5-min TTL
- * - Search/filter across both packages and individual widgets
- * - Support two-level browsing: packages (bundles) and widgets within packages
+ * Flow:
+ * 1. App calls initiateDeviceFlow() — gets device code + verification URL
+ * 2. User opens verification URL in browser, signs in, enters code
+ * 3. App polls pollForToken() until authorized
+ * 4. Token stored securely via electron-store (encrypted)
  */
 
-const path$a = require$$1$2;
-const fs$6 = require$$0$2;
-const { toPackageId } = packageId;
-
-// Default registry API base URL
-const DEFAULT_REGISTRY_API_URL = "https://main.d919rwhuzp7rj.amplifyapp.com";
-
-// Cache TTL: 5 minutes
-const CACHE_TTL_MS = 5 * 60 * 1000;
-
-let cachedIndex = null;
-let cacheTimestamp = 0;
+const REGISTRY_BASE_URL$1 =
+  process.env.DASH_REGISTRY_API_URL ||
+  "https://main.d919rwhuzp7rj.amplifyapp.com";
 
-/**
- * Get the local test registry path for dev mode
- */
-function getTestRegistryPath() {
-  return path$a.join(__dirname, "..", "registry", "test-registry-index.json");
+// Lazy-load electron-store to avoid issues when not installed
+let store$3 = null;
+function getStore$1() {
+  if (!store$3) {
+    const Store = require$$1$1;
+    store$3 = new Store({
+      name: "dash-registry-auth",
+      encryptionKey: "dash-registry-v1",
+    });
+  }
+  return store$3;
 }
 
 /**
- * Check if running in development mode
+ * Initiate the OAuth device code flow.
+ * Returns the device code, user code, and verification URL.
+ *
+ * @returns {Promise<Object>} { deviceCode, userCode, verificationUrl, verificationUrlComplete, expiresIn, interval }
  */
-function isDev() {
-  return (
-    process.defaultApp ||
-    process.env.NODE_ENV === "development" ||
-    process.env.NODE_ENV === "dev"
-  );
+async function initiateDeviceFlow$1() {
+  const response = await fetch(`${REGISTRY_BASE_URL$1}/api/auth/device`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Device flow initiation failed: ${response.status}`);
+  }
+
+  const data = await response.json();
+
+  return {
+    deviceCode: data.device_code,
+    userCode: data.user_code,
+    verificationUrl: data.verification_uri,
+    verificationUrlComplete: data.verification_uri_complete,
+    expiresIn: data.expires_in,
+    interval: data.interval,
+  };
 }
 
 /**
- * Fetch the registry index from remote URL or local file (dev mode)
- * Caches the result for CACHE_TTL_MS milliseconds.
+ * Poll the registry for token after user completes browser auth.
  *
- * @param {boolean} forceRefresh - Bypass cache and fetch fresh data
- * @returns {Promise<Object>} The registry index
+ * @param {string} deviceCode - The device code from initiateDeviceFlow()
+ * @returns {Promise<Object>} { status: 'pending' | 'authorized' | 'expired', token?, userId? }
  */
-async function fetchRegistryIndex(forceRefresh = false) {
-  const now = Date.now();
+async function pollForToken$1(deviceCode) {
+  const response = await fetch(
+    `${REGISTRY_BASE_URL$1}/api/auth/device?device_code=${encodeURIComponent(deviceCode)}`,
+  );
 
-  // Return cached data if still valid
-  if (!forceRefresh && cachedIndex && now - cacheTimestamp < CACHE_TTL_MS) {
-    console.log("[RegistryController] Returning cached registry index");
-    return cachedIndex;
+  if (response.status === 428) {
+    return { status: "pending" };
   }
 
-  try {
-    let indexData;
-
-    if (isDev()) {
-      // In dev mode, try local test file first
-      const testPath = getTestRegistryPath();
-      if (fs$6.existsSync(testPath)) {
-        console.log(
-          "[RegistryController] Loading test registry from:",
-          testPath,
-        );
-        const raw = fs$6.readFileSync(testPath, "utf8");
-        indexData = JSON.parse(raw);
-      } else {
-        // Fall back to API (supports DASH_REGISTRY_URL as full-URL override)
-        const registryUrl =
-          process.env.DASH_REGISTRY_URL ||
-          `${process.env.DASH_REGISTRY_API_URL || DEFAULT_REGISTRY_API_URL}/api/packages`;
-        console.log(
-          "[RegistryController] Fetching registry from:",
-          registryUrl,
-        );
-        const response = await fetch(registryUrl);
-        if (!response.ok) {
-          throw new Error(
-            `Failed to fetch registry: ${response.status} ${response.statusText}`,
-          );
-        }
-        indexData = await response.json();
-      }
-    } else {
-      // In production, fetch from API
-      const registryUrl =
-        process.env.DASH_REGISTRY_URL ||
-        `${process.env.DASH_REGISTRY_API_URL || DEFAULT_REGISTRY_API_URL}/api/packages`;
-      console.log("[RegistryController] Fetching registry from:", registryUrl);
-
-      const response = await fetch(registryUrl);
-      if (!response.ok) {
-        throw new Error(
-          `Failed to fetch registry: ${response.status} ${response.statusText}`,
-        );
-      }
-      indexData = await response.json();
+  if (response.status === 400) {
+    const data = await response.json();
+    if (data.error === "expired_token") {
+      return { status: "expired" };
     }
+    return { status: "pending" };
+  }
 
-    // Normalize: ensure `version` exists on each package (API uses `latestVersion`)
-    if (indexData.packages) {
-      indexData.packages = indexData.packages.map((pkg) => ({
-        ...pkg,
-        version: pkg.version || pkg.latestVersion || "0.0.0",
-      }));
-    }
+  if (response.ok) {
+    const data = await response.json();
 
-    // Cache the result
-    cachedIndex = indexData;
-    cacheTimestamp = now;
+    // Store the token securely
+    const s = getStore$1();
+    s.set("accessToken", data.access_token);
+    s.set("userId", data.user_id);
+    s.set("tokenType", data.token_type);
+    s.set("authenticatedAt", new Date().toISOString());
 
-    console.log(
-      `[RegistryController] Loaded ${indexData.packages?.length || 0} packages`,
-    );
-    return indexData;
-  } catch (error) {
-    console.error("[RegistryController] Error fetching registry:", error);
+    return {
+      status: "authorized",
+      token: data.access_token,
+      userId: data.user_id,
+    };
+  }
 
-    // Return stale cache if available
-    if (cachedIndex) {
-      console.log(
-        "[RegistryController] Returning stale cache after fetch error",
-      );
-      return cachedIndex;
-    }
+  throw new Error(`Unexpected response: ${response.status}`);
+}
 
-    throw error;
+/**
+ * Get the stored auth token.
+ *
+ * @returns {Object|null} { token, userId, authenticatedAt } or null if not authenticated
+ */
+function getStoredToken$4() {
+  try {
+    const s = getStore$1();
+    const token = s.get("accessToken");
+    if (!token) return null;
+
+    return {
+      token,
+      userId: s.get("userId"),
+      authenticatedAt: s.get("authenticatedAt"),
+    };
+  } catch {
+    return null;
   }
 }
 
 /**
- * Search the registry across packages and individual widgets
+ * Check if the user is authenticated with the registry.
  *
- * @param {string} query - Search query string
- * @param {Object} filters - Optional filters
- * @param {string} filters.category - Filter by category
- * @param {string} filters.author - Filter by author
- * @param {string} filters.tag - Filter by tag
- * @param {string} filters.type - Filter by package type ("widget" or "dashboard")
- * @param {string[]} filters.compatibleWidgets - Only return dashboards whose required widgets are all in this list
- * @param {string[]} filters.appCapabilities - Only return packages whose required API providers are all in this list
- * @returns {Promise<Object>} { packages: [...], totalWidgets: number }
+ * @returns {Object} { authenticated: boolean, userId?: string }
  */
-async function searchRegistry$1(query = "", filters = {}) {
-  const index = await fetchRegistryIndex();
-  let packages = index.packages || [];
-
-  // Apply type filter — packages without an explicit type default to "widget"
-  if (filters.type) {
-    const typeLower = filters.type.toLowerCase();
-    packages = packages.filter(
-      (pkg) => (pkg.type || "widget").toLowerCase() === typeLower,
-    );
+function getAuthStatus$1() {
+  const stored = getStoredToken$4();
+  if (!stored) {
+    return { authenticated: false };
   }
 
-  // Apply search query
-  if (query) {
-    const q = query.toLowerCase();
-    packages = packages.filter((pkg) => {
-      // Match against package-level fields
-      const packageMatch =
-        (pkg.name || "").toLowerCase().includes(q) ||
-        (pkg.displayName || "").toLowerCase().includes(q) ||
-        (pkg.description || "").toLowerCase().includes(q) ||
-        (pkg.author || "").toLowerCase().includes(q) ||
-        (pkg.tags || []).some((t) => t.toLowerCase().includes(q));
+  return {
+    authenticated: true,
+    userId: stored.userId,
+    authenticatedAt: stored.authenticatedAt,
+  };
+}
 
-      // Match against individual widgets within the package
-      const widgetMatch = (pkg.widgets || []).some(
-        (w) =>
-          (w.name || "").toLowerCase().includes(q) ||
-          (w.displayName || "").toLowerCase().includes(q) ||
-          (w.description || "").toLowerCase().includes(q),
-      );
+/**
+ * Get the user's registry profile.
+ *
+ * @returns {Promise<Object|null>} User profile or null
+ */
+async function getRegistryProfile$2() {
+  const stored = getStoredToken$4();
+  if (!stored) return null;
 
-      return packageMatch || widgetMatch;
+  try {
+    const response = await fetch(`${REGISTRY_BASE_URL$1}/api/auth/me`, {
+      headers: {
+        Authorization: `Bearer ${stored.token}`,
+      },
     });
-  }
 
-  // Apply category filter (supports single string or comma-separated or array)
-  if (filters.category) {
-    const cats = Array.isArray(filters.category)
-      ? filters.category
-      : filters.category.split(",").map((c) => c.trim().toLowerCase());
-    packages = packages.filter((pkg) =>
-      cats.includes((pkg.category || "").toLowerCase()),
-    );
-  }
-
-  // Apply author filter
-  if (filters.author) {
-    packages = packages.filter(
-      (pkg) =>
-        (pkg.author || "").toLowerCase() === filters.author.toLowerCase(),
-    );
-  }
-
-  // Apply tag filter (supports single string or comma-separated or array)
-  if (filters.tag) {
-    const tags = Array.isArray(filters.tag)
-      ? filters.tag
-      : filters.tag.split(",").map((t) => t.trim().toLowerCase());
-    packages = packages.filter((pkg) =>
-      (pkg.tags || []).some((t) => tags.includes(t.toLowerCase())),
-    );
-  }
+    if (response.status === 401) {
+      // Token expired or invalid — clear stored credentials
+      clearToken$2();
+      return null;
+    }
+    if (!response.ok) return null;
 
-  // Apply compatibility filter — only dashboards whose required widgets
-  // are all present in the user's installed widget list
-  if (filters.compatibleWidgets && filters.compatibleWidgets.length) {
-    const installedSet = new Set(
-      filters.compatibleWidgets.map((w) => w.toLowerCase()),
-    );
-    packages = packages.filter((pkg) => {
-      const requiredWidgets = (pkg.widgets || []).filter(
-        (w) => w.required !== false,
-      );
-      return requiredWidgets.every(
-        (w) =>
-          installedSet.has((w.package || "").toLowerCase()) ||
-          installedSet.has((w.name || "").toLowerCase()),
-      );
-    });
+    const data = await response.json();
+    return data.user || null;
+  } catch {
+    return null;
   }
+}
 
-  // Apply API capability filter — only return packages whose required
-  // "api" providers are all present in the app's capability set
-  if (filters.appCapabilities && filters.appCapabilities.length) {
-    const capSet = new Set(filters.appCapabilities.map((c) => c.toLowerCase()));
-    packages = packages.filter((pkg) => {
-      // Collect all "api" provider requirements from package-level and widget-level providers
-      const apiProviders = [];
-
-      // Package-level providers
-      for (const p of pkg.providers || []) {
-        if (p.providerClass === "api" && p.required !== false) {
-          apiProviders.push(p.type);
-        }
-      }
-
-      // Widget-level providers
-      for (const w of pkg.widgets || []) {
-        for (const p of w.providers || []) {
-          if (p.providerClass === "api" && p.required !== false) {
-            apiProviders.push(p.type);
-          }
-        }
-      }
-
-      // Package is compatible if all required API namespaces are present
-      return apiProviders.every((api) => capSet.has(api.toLowerCase()));
-    });
+/**
+ * Clear stored auth token (logout).
+ */
+function clearToken$2() {
+  try {
+    const s = getStore$1();
+    s.clear();
+    console.log("[RegistryAuthController] Token cleared");
+  } catch (err) {
+    console.error("[RegistryAuthController] Error clearing token:", err);
   }
-
-  // Count total widgets across matched packages
-  const totalWidgets = packages.reduce(
-    (sum, pkg) => sum + (pkg.widgets || []).length,
-    0,
-  );
-
-  return { packages, totalWidgets };
 }
 
 /**
- * Get a specific package by name.
- *
- * Handles multiple naming formats:
- *  - bare name:   "ocean-depth"
- *  - scoped name: "john/ocean-depth" or "@john/ocean-depth"
- *  - displayName: "Ocean Depth"
+ * Update the authenticated user's registry profile.
  *
- * @param {string} packageName - Name of the package (any format)
- * @returns {Promise<Object|null>} Package data or null if not found
+ * @param {Object} updates - Fields to update (e.g. { displayName })
+ * @returns {Promise<Object|null>} Updated user or null on 401
  */
-async function getPackage$1(packageName) {
-  if (!packageName) return null;
-
-  const index = await fetchRegistryIndex();
-  const packages = index.packages || [];
-
-  // 1. Exact match on name
-  let pkg = packages.find((p) => p.name === packageName);
-  if (pkg) return pkg;
-
-  // 2. If input contains "/", split into scope + name and match both fields
-  if (packageName.includes("/")) {
-    const parts = packageName.split("/");
-    const inputScope = parts[0].replace(/^@/, "");
-    const inputName = parts.slice(1).join("/");
-    pkg = packages.find(
-      (p) =>
-        p.name === inputName &&
-        (p.scope || "").replace(/^@/, "") === inputScope,
-    );
-    if (pkg) return pkg;
-  }
+async function updateRegistryProfile$1(updates) {
+  const stored = getStoredToken$4();
+  if (!stored) return null;
 
-  // 3. Match by displayName (case-insensitive)
-  const lower = packageName.toLowerCase();
-  pkg = packages.find((p) => (p.displayName || "").toLowerCase() === lower);
-  if (pkg) return pkg;
+  try {
+    const response = await fetch(`${REGISTRY_BASE_URL$1}/api/auth/me`, {
+      method: "PATCH",
+      headers: {
+        Authorization: `Bearer ${stored.token}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify(updates),
+    });
 
-  // 4. Try bare-name match against scoped registry entries
-  //    (registry might store "scope/name" in p.name while caller sends just "name")
-  pkg = packages.find((p) => {
-    if (p.name && p.name.includes("/")) {
-      const bareName = p.name.split("/").pop();
-      return bareName === packageName;
+    if (response.status === 401) {
+      clearToken$2();
+      return null;
     }
-    return false;
-  });
+    if (!response.ok) return null;
 
-  return pkg || null;
+    const data = await response.json();
+    return data.user || null;
+  } catch {
+    return null;
+  }
 }
 
 /**
- * Check for updates to installed widgets
+ * Get the authenticated user's published packages.
  *
- * @param {Array<Object>} installedWidgets - Array of { name, version } objects
- * @returns {Promise<Array<Object>>} Widgets with available updates
+ * @returns {Promise<Object|null>} { packages: [...] } or null
  */
-async function checkUpdates(installedWidgets = []) {
-  const index = await fetchRegistryIndex();
-  const updates = [];
+async function getRegistryPackages$1() {
+  const stored = getStoredToken$4();
+  if (!stored) return null;
 
-  for (const installed of installedWidgets) {
-    const installedId = installed.packageId || installed.name;
-    const pkg = (index.packages || []).find((p) => {
-      // Match by scoped ID (e.g. "@trops/slack" === "@trops/slack")
-      const registryId = toPackageId(p.scope, p.name);
-      if (registryId === installedId) return true;
-      // Fallback: bare-name match for pre-migration entries
-      if (p.name === installedId) return true;
-      return false;
+  try {
+    const response = await fetch(`${REGISTRY_BASE_URL$1}/api/auth/me/packages`, {
+      headers: {
+        Authorization: `Bearer ${stored.token}`,
+      },
     });
-    if (pkg && pkg.version !== installed.version) {
-      updates.push({
-        name: installed.name,
-        currentVersion: installed.version,
-        latestVersion: pkg.version,
-        downloadUrl: pkg.downloadUrl,
-        changelog: pkg.changelog || null,
-      });
+
+    if (response.status === 401) {
+      clearToken$2();
+      return null;
     }
-  }
+    if (!response.ok) return null;
 
-  return updates;
+    return await response.json();
+  } catch {
+    return null;
+  }
 }
 
 /**
- * Search the registry for dashboard packages only.
- * Convenience wrapper around searchRegistry with type: "dashboard".
+ * Update a published package's metadata.
  *
- * @param {string} query - Search query string
- * @param {Object} filters - Optional filters (category, author, tag, compatibleWidgets)
- * @returns {Promise<Object>} { packages: [...], totalWidgets: number }
+ * @param {string} scope - Package scope (e.g. "@trops")
+ * @param {string} name - Package name
+ * @param {Object} updates - Fields to update (displayName, description, category, tags, visibility)
+ * @returns {Promise<Object|null>} Updated package or null
  */
-async function searchDashboards(query = "", filters = {}) {
-  return searchRegistry$1(query, { ...filters, type: "dashboard" });
+async function updateRegistryPackage$1(scope, name, updates) {
+  const stored = getStoredToken$4();
+  if (!stored) return null;
+
+  try {
+    const response = await fetch(
+      `${REGISTRY_BASE_URL$1}/api/packages/${encodeURIComponent(scope)}/${encodeURIComponent(name)}`,
+      {
+        method: "PATCH",
+        headers: {
+          Authorization: `Bearer ${stored.token}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify(updates),
+      },
+    );
+
+    if (response.status === 401) {
+      clearToken$2();
+      return null;
+    }
+    if (!response.ok) return null;
+
+    return await response.json();
+  } catch {
+    return null;
+  }
 }
 
 /**
- * Search the registry for theme packages only.
- * Convenience wrapper around searchRegistry with type: "theme".
+ * Delete a published package from the registry.
  *
- * @param {string} query - Search query string
- * @param {Object} filters - Optional filters (category, author, tag)
- * @returns {Promise<Object>} { packages: [...], totalWidgets: number }
+ * @param {string} scope - Package scope (e.g. "@trops")
+ * @param {string} name - Package name
+ * @returns {Promise<Object|null>} Response or null
  */
-async function searchThemes(query = "", filters = {}) {
-  return searchRegistry$1(query, { ...filters, type: "theme" });
-}
+async function deleteRegistryPackage(scope, name) {
+  const stored = getStoredToken$4();
+  if (!stored) return null;
 
-var registryController$3 = {
-  fetchRegistryIndex,
-  searchRegistry: searchRegistry$1,
-  searchDashboards,
-  searchThemes,
-  getPackage: getPackage$1,
-  checkUpdates,
+  try {
+    const response = await fetch(
+      `${REGISTRY_BASE_URL$1}/api/packages/${encodeURIComponent(scope)}/${encodeURIComponent(name)}`,
+      {
+        method: "DELETE",
+        headers: {
+          Authorization: `Bearer ${stored.token}`,
+        },
+      },
+    );
+
+    if (response.status === 401) {
+      clearToken$2();
+      return null;
+    }
+    if (!response.ok) return null;
+
+    return await response.json();
+  } catch {
+    return null;
+  }
+}
+
+var registryAuthController$2 = {
+  initiateDeviceFlow: initiateDeviceFlow$1,
+  pollForToken: pollForToken$1,
+  getStoredToken: getStoredToken$4,
+  getAuthStatus: getAuthStatus$1,
+  getRegistryProfile: getRegistryProfile$2,
+  updateRegistryProfile: updateRegistryProfile$1,
+  getRegistryPackages: getRegistryPackages$1,
+  updateRegistryPackage: updateRegistryPackage$1,
+  deleteRegistryPackage,
+  clearToken: clearToken$2,
 };
 
-var fs$5 = require$$0$2;
-var JSONStream = require$$4;
-const algoliasearch$1 = require$$2$2;
-const path$9 = require$$3$3;
-const { ensureDirectoryExistence, checkDirectory } = file;
+/**
+ * registryController.js
+ *
+ * Manages fetching, caching, and searching the remote widget registry index.
+ * Runs in the Electron main process.
+ *
+ * Responsibilities:
+ * - Fetch and cache the remote registry-index.json with 5-min TTL
+ * - Search/filter across both packages and individual widgets
+ * - Support two-level browsing: packages (bundles) and widgets within packages
+ */
 
-let AlgoliaIndex$1 = class AlgoliaIndex {
-  /**
-   * @var client the algoliasearch client
-   */
-  client = null;
+const path$a = require$$1$2;
+const fs$6 = require$$0$2;
+const { toPackageId } = packageId;
+const { getStoredToken: getStoredToken$3 } = registryAuthController$2;
 
-  /**
-   * @var index the algoliasearch initiated index
-   */
-  index = null;
+/**
+ * Build request headers for the registry. When the user is signed in, we
+ * include the Bearer token so the server returns private packages that
+ * the user owns or has been granted entitlements for. Anonymous fetches
+ * still work and simply return only public packages.
+ */
+function buildAuthHeaders() {
+  const stored = getStoredToken$3();
+  return stored?.token ? { Authorization: `Bearer ${stored.token}` } : {};
+}
 
-  constructor(appId = "", apiKey = "", indexName = "") {
-    if (appId !== "" && apiKey !== "" && indexName !== "") {
-      this.client = algoliasearch$1(appId, apiKey);
-      this.index = this.client.initIndex(indexName);
-    }
-  }
+// Default registry API base URL
+const DEFAULT_REGISTRY_API_URL = "https://main.d919rwhuzp7rj.amplifyapp.com";
 
-  createBatchesFromJSONFile = (
-    filepath,
-    batchFilepath = "/data/batch",
-    batchSize,
-    callback = null,
-  ) => {
-    return new Promise((resolve, reject) => {
-      // instantiate the JSON parser that will be used by the readStream
-      var parser = JSONStream.parse("*");
+// Cache TTL: 5 minutes
+const CACHE_TTL_MS = 5 * 60 * 1000;
 
-      // count how many items have been added to a single batch
-      var countForBatch = 0;
+// Cache is keyed by userId so anonymous + authenticated results don't mix.
+// When a user signs in, their cache entry is empty and gets populated with
+// their owned/entitled private packages alongside the public set.
+const caches = new Map(); // userId | "anon" -> { data, timestamp }
 
-      // counter for the number of batches (used as filename)
-      var batchNumber = 1;
+function getCacheKey() {
+  const stored = getStoredToken$3();
+  return stored?.userId || "anon";
+}
 
-      // create the readStream to parse the large file (json)
-      var readStream = fs$5.createReadStream(filepath).pipe(parser);
+/**
+ * Get the local test registry path for dev mode
+ */
+function getTestRegistryPath() {
+  return path$a.join(__dirname, "..", "registry", "test-registry-index.json");
+}
 
-      var batch = [];
+/**
+ * Check if running in development mode
+ */
+function isDev() {
+  return (
+    process.defaultApp ||
+    process.env.NODE_ENV === "development" ||
+    process.env.NODE_ENV === "dev"
+  );
+}
 
-      // lets first remove the batch folder
-      this.clearDirectory(batchFilepath)
-        .then(() => {
-          // when we receive data...
-          readStream.on("data", function (data) {
-            try {
-              // if we have reached the limit for the batch...
-              // lets write to the batch file
-              if (countForBatch === batchSize) {
-                // write to the batch file
-                var writeStream = fs$5.createWriteStream(
-                  batchFilepath + "/batch_" + batchNumber + ".json",
-                );
-                writeStream.write(JSON.stringify(batch));
-                writeStream.close();
+/**
+ * Fetch the registry index from remote URL or local file (dev mode)
+ * Caches the result for CACHE_TTL_MS milliseconds.
+ *
+ * @param {boolean} forceRefresh - Bypass cache and fetch fresh data
+ * @returns {Promise<Object>} The registry index
+ */
+async function fetchRegistryIndex(forceRefresh = false) {
+  const now = Date.now();
+  const cacheKey = getCacheKey();
+  const cached = caches.get(cacheKey);
 
-                // adjust counts and reset batch array
-                countForBatch = 0;
-                // bump the batch number
-                batchNumber++;
-                // reset the batch json
-                batch = [];
-                // callback function to pass batchnumber (or anything later on)
-                callback &&
-                  typeof callback === "function" &&
-                  callback(batchNumber);
-              } else {
-                try {
-                  // push the JSON data into the batch array to be written later
-                  batch.push(data);
-                  countForBatch++;
-                } catch (e) {
-                  reject(e);
-                }
-              }
-            } catch (e) {
-              reject(e);
-            }
-          });
+  // Return cached data if still valid
+  if (!forceRefresh && cached && now - cached.timestamp < CACHE_TTL_MS) {
+    console.log(
+      `[RegistryController] Returning cached registry index (key=${cacheKey})`,
+    );
+    return cached.data;
+  }
 
-          readStream.on("error", function (e) {
-            console.log("batch on error ", e);
-            reject(e);
-          });
+  try {
+    let indexData;
 
-          readStream.on("close", function () {
-            console.log("batch on close ");
-            resolve("batches completed ", batchNumber);
-          });
-        })
-        .catch((e) => {
-          console.log("catch batch ", e.message);
-          reject(e);
+    if (isDev()) {
+      // In dev mode, try local test file first
+      const testPath = getTestRegistryPath();
+      if (fs$6.existsSync(testPath)) {
+        console.log(
+          "[RegistryController] Loading test registry from:",
+          testPath,
+        );
+        const raw = fs$6.readFileSync(testPath, "utf8");
+        indexData = JSON.parse(raw);
+      } else {
+        // Fall back to API (supports DASH_REGISTRY_URL as full-URL override)
+        const registryUrl =
+          process.env.DASH_REGISTRY_URL ||
+          `${process.env.DASH_REGISTRY_API_URL || DEFAULT_REGISTRY_API_URL}/api/packages`;
+        console.log(
+          "[RegistryController] Fetching registry from:",
+          registryUrl,
+        );
+        const response = await fetch(registryUrl, {
+          headers: buildAuthHeaders(),
         });
-    });
-  };
+        if (!response.ok) {
+          throw new Error(
+            `Failed to fetch registry: ${response.status} ${response.statusText}`,
+          );
+        }
+        indexData = await response.json();
+      }
+    } else {
+      // In production, fetch from API
+      const registryUrl =
+        process.env.DASH_REGISTRY_URL ||
+        `${process.env.DASH_REGISTRY_API_URL || DEFAULT_REGISTRY_API_URL}/api/packages`;
+      console.log("[RegistryController] Fetching registry from:", registryUrl);
 
-  clearDirectory = (directoryPath) => {
-    return new Promise((resolve, reject) => {
-      try {
-        checkDirectory(directoryPath);
-        fs$5.readdir(directoryPath, (err, files) => {
-          if (err) reject(err);
-          if (files) {
-            files.forEach((file) => {
-              fs$5.unlinkSync(path$9.join(directoryPath, file));
-            });
-            resolve();
-          }
-        });
-      } catch (e) {
-        console.log("clear dir error ", e.message);
-        reject(e);
+      const response = await fetch(registryUrl, {
+        headers: buildAuthHeaders(),
+      });
+      if (!response.ok) {
+        throw new Error(
+          `Failed to fetch registry: ${response.status} ${response.statusText}`,
+        );
       }
-    });
-  };
+      indexData = await response.json();
+    }
 
-  async partialUpdateObjectsFromDirectorySync(
-    batchFilepath,
-    createIfNotExists = false,
-    callback = null,
-  ) {
-    try {
-      // read the directory...
-      const files = await fs$5.readdirSync(batchFilepath);
-      let results = [];
-      for (const fileIndex in files) {
-        // for each file lets read the file and then push to algolia
-        const pathToBatch = path$9.join(batchFilepath, files[fileIndex]);
-        const fileContents = await this.readFile(pathToBatch);
-        if (fileContents) {
-          if ("data" in fileContents && "filepath" in fileContents) {
-            // now we can update the index with the partial update
-            const updateResult = await this.partialUpdateObjects(
-              fileContents.data,
-              fileContents.filepath,
-              createIfNotExists,
-              callback,
-            );
-            results.push({ file: files[fileIndex] });
-          } else {
-            console.log("missed ", files[fileIndex]);
-          }
-        }
-      }
-      return Promise.resolve(results);
-    } catch (e) {
-      return Promise.reject(e);
+    // Normalize: ensure `version` exists on each package (API uses `latestVersion`)
+    if (indexData.packages) {
+      indexData.packages = indexData.packages.map((pkg) => ({
+        ...pkg,
+        version: pkg.version || pkg.latestVersion || "0.0.0",
+      }));
+    }
+
+    // Cache the result
+    caches.set(cacheKey, { data: indexData, timestamp: now });
+
+    console.log(
+      `[RegistryController] Loaded ${indexData.packages?.length || 0} packages (key=${cacheKey})`,
+    );
+    return indexData;
+  } catch (error) {
+    console.error("[RegistryController] Error fetching registry:", error);
+
+    // Return stale cache if available
+    const stale = caches.get(cacheKey);
+    if (stale) {
+      console.log(
+        "[RegistryController] Returning stale cache after fetch error",
+      );
+      return stale.data;
     }
+
+    throw error;
   }
+}
 
-  async readFile(filepath) {
-    return await new Promise((resolve, reject) => {
-      fs$5.readFile(filepath, "utf8", (err, data) => {
-        if (err) {
-          reject(err);
-        }
-        resolve({ data, filepath });
-      });
-    });
+/**
+ * Search the registry across packages and individual widgets
+ *
+ * @param {string} query - Search query string
+ * @param {Object} filters - Optional filters
+ * @param {string} filters.category - Filter by category
+ * @param {string} filters.author - Filter by author
+ * @param {string} filters.tag - Filter by tag
+ * @param {string} filters.type - Filter by package type ("widget" or "dashboard")
+ * @param {string[]} filters.compatibleWidgets - Only return dashboards whose required widgets are all in this list
+ * @param {string[]} filters.appCapabilities - Only return packages whose required API providers are all in this list
+ * @returns {Promise<Object>} { packages: [...], totalWidgets: number }
+ */
+async function searchRegistry$1(query = "", filters = {}) {
+  const index = await fetchRegistryIndex();
+  let packages = index.packages || [];
+
+  // Apply type filter — packages without an explicit type default to "widget"
+  if (filters.type) {
+    const typeLower = filters.type.toLowerCase();
+    packages = packages.filter(
+      (pkg) => (pkg.type || "widget").toLowerCase() === typeLower,
+    );
   }
 
-  browseObjects = (query = "", callback = null) => {
-    return new Promise((resolve, reject) => {
-      try {
-        if (this.index !== null) {
-          // call algolia to update the objects
-          this.index
-            .browseObjects({
-              query,
-              batch: (hits) => {
-                if (callback && typeof callback === "function") {
-                  callback(hits);
-                }
-              },
-            })
-            .then(() => {
-              resolve({ success: true });
-            })
-            .catch((e) => reject(e));
-        } else {
-          reject("No index for client");
-        }
-      } catch (e) {
-        console.log("browse objects ", e.message);
-        reject(e);
-      }
+  // Apply search query
+  if (query) {
+    const q = query.toLowerCase();
+    packages = packages.filter((pkg) => {
+      // Match against package-level fields
+      const packageMatch =
+        (pkg.name || "").toLowerCase().includes(q) ||
+        (pkg.displayName || "").toLowerCase().includes(q) ||
+        (pkg.description || "").toLowerCase().includes(q) ||
+        (pkg.author || "").toLowerCase().includes(q) ||
+        (pkg.tags || []).some((t) => t.toLowerCase().includes(q));
+
+      // Match against individual widgets within the package
+      const widgetMatch = (pkg.widgets || []).some(
+        (w) =>
+          (w.name || "").toLowerCase().includes(q) ||
+          (w.displayName || "").toLowerCase().includes(q) ||
+          (w.description || "").toLowerCase().includes(q),
+      );
+
+      return packageMatch || widgetMatch;
     });
-  };
+  }
 
-  async partialUpdateObjects(
-    objects,
-    file,
-    createIfNotExists = false,
-    callback = null,
-  ) {
-    return new Promise((resolve, reject) => {
-      try {
-        if (objects) {
-          const batch = JSON.parse(objects);
+  // Apply category filter (supports single string or comma-separated or array)
+  if (filters.category) {
+    const cats = Array.isArray(filters.category)
+      ? filters.category
+      : filters.category.split(",").map((c) => c.trim().toLowerCase());
+    packages = packages.filter((pkg) =>
+      cats.includes((pkg.category || "").toLowerCase()),
+    );
+  }
 
-          // callback function to pass batchnumber (or anything later on)
-          if (callback && typeof callback === "function") {
-            callback("indexing objects ", file, batch.length);
-          }
+  // Apply author filter
+  if (filters.author) {
+    packages = packages.filter(
+      (pkg) =>
+        (pkg.author || "").toLowerCase() === filters.author.toLowerCase(),
+    );
+  }
 
-          if (this.index !== null) {
-            // call algolia to update the objects
-            this.index
-              .partialUpdateObjects(batch, {
-                createIfNotExists: createIfNotExists,
-              })
-              .then(({ objectIDs }) => {
-                resolve({
-                  success: true,
-                  batchComplete: batch.length,
-                  objectIDs,
-                });
-              })
-              .catch((e) => {
-                console.log("Error partialUpdateObjects", e.message);
-                reject(e);
-              });
-          } else {
-            reject("No index for client");
-          }
-        }
-      } catch (e) {
-        console.log("partial update objects ", e.message);
-        reject(e);
-      }
+  // Apply tag filter (supports single string or comma-separated or array)
+  if (filters.tag) {
+    const tags = Array.isArray(filters.tag)
+      ? filters.tag
+      : filters.tag.split(",").map((t) => t.trim().toLowerCase());
+    packages = packages.filter((pkg) =>
+      (pkg.tags || []).some((t) => tags.includes(t.toLowerCase())),
+    );
+  }
+
+  // Apply compatibility filter — only dashboards whose required widgets
+  // are all present in the user's installed widget list
+  if (filters.compatibleWidgets && filters.compatibleWidgets.length) {
+    const installedSet = new Set(
+      filters.compatibleWidgets.map((w) => w.toLowerCase()),
+    );
+    packages = packages.filter((pkg) => {
+      const requiredWidgets = (pkg.widgets || []).filter(
+        (w) => w.required !== false,
+      );
+      return requiredWidgets.every(
+        (w) =>
+          installedSet.has((w.package || "").toLowerCase()) ||
+          installedSet.has((w.name || "").toLowerCase()),
+      );
     });
   }
 
-  search = (query = "", options = {}) => {
-    return new Promise((resolve, reject) => {
-      try {
-        if (this.index !== null) {
-          this.index
-            .search(query, options)
-            .then((result) => resolve(result))
-            .catch((e) => reject(e));
-        } else {
-          reject("No index for client");
+  // Apply API capability filter — only return packages whose required
+  // "api" providers are all present in the app's capability set
+  if (filters.appCapabilities && filters.appCapabilities.length) {
+    const capSet = new Set(filters.appCapabilities.map((c) => c.toLowerCase()));
+    packages = packages.filter((pkg) => {
+      // Collect all "api" provider requirements from package-level and widget-level providers
+      const apiProviders = [];
+
+      // Package-level providers
+      for (const p of pkg.providers || []) {
+        if (p.providerClass === "api" && p.required !== false) {
+          apiProviders.push(p.type);
         }
-      } catch (e) {
-        reject(e);
       }
+
+      // Widget-level providers
+      for (const w of pkg.widgets || []) {
+        for (const p of w.providers || []) {
+          if (p.providerClass === "api" && p.required !== false) {
+            apiProviders.push(p.type);
+          }
+        }
+      }
+
+      // Package is compatible if all required API namespaces are present
+      return apiProviders.every((api) => capSet.has(api.toLowerCase()));
     });
-  };
+  }
 
-  saveObjects = (objects, file, callback = null) => {
-    return new Promise((resolve, reject) => {
-      try {
-        if (objects) {
-          const batch = JSON.parse(objects);
+  // Count total widgets across matched packages
+  const totalWidgets = packages.reduce(
+    (sum, pkg) => sum + (pkg.widgets || []).length,
+    0,
+  );
 
-          // callback function to pass batchnumber (or anything later on)
-          if (callback && typeof callback === "function") {
-            callback("saving objects ", file);
-          }
+  return { packages, totalWidgets };
+}
 
-          if (this.index !== null) {
-            // call algolia to update the objects
-            this.index
-              .saveObjects(batch, {
-                autoGenerateObjectIDIfNotExist: true,
-              })
-              .then(({ objectIDs }) => {
-                resolve({
-                  success: true,
-                  batchComplete: batch.length,
-                  file,
-                  objectIDs,
-                });
-              })
-              .catch((e) => reject(e));
-          } else {
-            reject("No index for client");
-          }
-        }
-      } catch (e) {
-        console.log("save objects error", e.message);
-        reject(e);
-      }
+/**
+ * Get a specific package by name.
+ *
+ * Handles multiple naming formats:
+ *  - bare name:   "ocean-depth"
+ *  - scoped name: "john/ocean-depth" or "@john/ocean-depth"
+ *  - displayName: "Ocean Depth"
+ *
+ * @param {string} packageName - Name of the package (any format)
+ * @returns {Promise<Object|null>} Package data or null if not found
+ */
+async function getPackage$1(packageName) {
+  if (!packageName) return null;
+
+  const index = await fetchRegistryIndex();
+  const packages = index.packages || [];
+
+  // 1. Exact match on name
+  let pkg = packages.find((p) => p.name === packageName);
+  if (pkg) return pkg;
+
+  // 2. If input contains "/", split into scope + name and match both fields
+  if (packageName.includes("/")) {
+    const parts = packageName.split("/");
+    const inputScope = parts[0].replace(/^@/, "");
+    const inputName = parts.slice(1).join("/");
+    pkg = packages.find(
+      (p) =>
+        p.name === inputName &&
+        (p.scope || "").replace(/^@/, "") === inputScope,
+    );
+    if (pkg) return pkg;
+  }
+
+  // 3. Match by displayName (case-insensitive)
+  const lower = packageName.toLowerCase();
+  pkg = packages.find((p) => (p.displayName || "").toLowerCase() === lower);
+  if (pkg) return pkg;
+
+  // 4. Try bare-name match against scoped registry entries
+  //    (registry might store "scope/name" in p.name while caller sends just "name")
+  pkg = packages.find((p) => {
+    if (p.name && p.name.includes("/")) {
+      const bareName = p.name.split("/").pop();
+      return bareName === packageName;
+    }
+    return false;
+  });
+
+  return pkg || null;
+}
+
+/**
+ * Check for updates to installed widgets
+ *
+ * @param {Array<Object>} installedWidgets - Array of { name, version } objects
+ * @returns {Promise<Array<Object>>} Widgets with available updates
+ */
+async function checkUpdates(installedWidgets = []) {
+  const index = await fetchRegistryIndex();
+  const updates = [];
+
+  for (const installed of installedWidgets) {
+    const installedId = installed.packageId || installed.name;
+    const pkg = (index.packages || []).find((p) => {
+      // Match by scoped ID (e.g. "@trops/slack" === "@trops/slack")
+      const registryId = toPackageId(p.scope, p.name);
+      if (registryId === installedId) return true;
+      // Fallback: bare-name match for pre-migration entries
+      if (p.name === installedId) return true;
+      return false;
     });
-  };
-};
+    if (pkg && pkg.version !== installed.version) {
+      updates.push({
+        name: installed.name,
+        currentVersion: installed.version,
+        latestVersion: pkg.version,
+        downloadUrl: pkg.downloadUrl,
+        changelog: pkg.changelog || null,
+      });
+    }
+  }
 
-var algolia = AlgoliaIndex$1;
+  return updates;
+}
 
 /**
- * algoliaController.js
+ * Search the registry for dashboard packages only.
+ * Convenience wrapper around searchRegistry with type: "dashboard".
  *
- * This is a sample controller that is called from the electron.js file
+ * @param {string} query - Search query string
+ * @param {Object} filters - Optional filters (category, author, tag, compatibleWidgets)
+ * @returns {Promise<Object>} { packages: [...], totalWidgets: number }
+ */
+async function searchDashboards(query = "", filters = {}) {
+  return searchRegistry$1(query, { ...filters, type: "dashboard" });
+}
+
+/**
+ * Search the registry for theme packages only.
+ * Convenience wrapper around searchRegistry with type: "theme".
  *
- * The electron.js file contains listeners from the renderer that will call
- * the controller methods as seen below.
+ * @param {string} query - Search query string
+ * @param {Object} filters - Optional filters (category, author, tag)
+ * @returns {Promise<Object>} { packages: [...], totalWidgets: number }
  */
+async function searchThemes(query = "", filters = {}) {
+  return searchRegistry$1(query, { ...filters, type: "theme" });
+}
 
-const algoliasearch = require$$2$2;
-const events$3 = events$8;
-const AlgoliaIndex = algolia;
-var fs$4 = require$$0$2;
+var registryController$3 = {
+  fetchRegistryIndex,
+  searchRegistry: searchRegistry$1,
+  searchDashboards,
+  searchThemes,
+  getPackage: getPackage$1,
+  checkUpdates,
+};
 
-const algoliaController$1 = {
+var fs$5 = require$$0$2;
+var JSONStream = require$$4;
+const algoliasearch$1 = require$$2$2;
+const path$9 = require$$3$3;
+const { ensureDirectoryExistence, checkDirectory } = file;
+
+let AlgoliaIndex$1 = class AlgoliaIndex {
   /**
-   * loadPagesForApplication
-   * Load the pages for the application <userdata>/appId/pages.json
-   * - filter out the indices that are "rule" indices
-   *
-   * @param {BrowserWindow} win the main window
-   * @param {string} appId the application id from Algolia
+   * @var client the algoliasearch client
    */
-  listIndices: (win, application) => {
-    try {
-      const searchClient = algoliasearch(
-        application["appId"],
-        application["key"],
-      );
-      searchClient
-        .listIndices()
-        .then(({ items }) => {
-          const filtered = items.filter(
-            (item) => item.name.substring(0, 7) !== "sitehub",
-          );
-          win.webContents.send(events$3.ALGOLIA_LIST_INDICES_COMPLETE, filtered);
-        })
-        .catch((e) => {
-          win.webContents.send(events$3.ALGOLIA_LIST_INDICES_ERROR, {
-            error: e.message,
-          });
-        });
-    } catch (e) {
-      win.webContents.send(events$3.ALGOLIA_LIST_INDICES_ERROR, {
-        error: e.message,
-      });
-    }
-  },
-
-  getAnalyticsForQuery: (win, application, indexName, query) => {
-    try {
-      const baseUrl = "https://analytics.us.algolia.com";
-      const headers = {
-        "X-Algolia-Application-Id": application["appId"],
-        "X-Algolia-API-Key": application["key"],
-      };
-      const url = `${baseUrl}/2/hits?search=${encodeURIComponent(
-        query,
-      )}&clickAnalytics=true&index=${indexName}`;
-      axios
-        .get(url, {
-          headers: headers,
-        })
-        .then((resp) => {
-          if (resp.status === 200) {
-            win.webContents.send(events$3.ALGOLIA_ANALYTICS_FOR_QUERY_COMPLETE, {
-              result: resp.data,
-              indexName: indexName,
-              query: query,
-            });
-          } else {
-            win.webContents.send(events$3.ALGOLIA_ANALYTICS_FOR_QUERY_ERROR, {
-              error: true,
-              message: "Failed request",
-            });
-          }
-        })
-        .catch((e) => {
-          win.webContents.send(events$3.ALGOLIA_ANALYTICS_FOR_QUERY_ERROR, {
-            error: true,
-            message: e.message,
-          });
-        });
-    } catch (e) {
-      win.webContents.send(events$3.ALGOLIA_ANALYTICS_FOR_QUERY_ERROR, {
-        error: true,
-        message: e.message,
-      });
-    }
-  },
+  client = null;
 
   /**
-   * browseObjectsToFile
-   * Lets try and browse an index and pull down the hits and save as a file
-   *
-   * @param {*} win
-   * @param {*} appId
-   * @param {*} apiKey
-   * @param {*} indexName
-   * @param {*} toFilename
-   * @param {*} query
+   * @var index the algoliasearch initiated index
    */
-  browseObjectsToFile: (
-    win,
-    appId,
-    apiKey,
-    indexName,
-    toFilename,
-    query = "",
-  ) => {
-    try {
-      if (
-        toFilename !== "" &&
-        apiKey !== "" &&
-        indexName !== "" &&
-        appId !== ""
-      ) {
-        // init the Algolia Index helper
-        const a = new AlgoliaIndex(appId, apiKey, indexName);
-        // create the write stream to store the hits
-        const writeStream = fs$4.createWriteStream(toFilename);
-        writeStream.write("[");
+  index = null;
 
-        let sep = "";
+  constructor(appId = "", apiKey = "", indexName = "") {
+    if (appId !== "" && apiKey !== "" && indexName !== "") {
+      this.client = algoliasearch$1(appId, apiKey);
+      this.index = this.client.initIndex(indexName);
+    }
+  }
 
-        // call the algolia browseObjects helper method
-        a.browseObjects(query, (hits) => {
-          win.webContents.send(events$3.ALGOLIA_BROWSE_OBJECTS_UPDATE, hits);
+  createBatchesFromJSONFile = (
+    filepath,
+    batchFilepath = "/data/batch",
+    batchSize,
+    callback = null,
+  ) => {
+    return new Promise((resolve, reject) => {
+      // instantiate the JSON parser that will be used by the readStream
+      var parser = JSONStream.parse("*");
 
-          let count = 0;
-          // write to the file
-          hits.forEach((hit) => {
-            writeStream.write(sep + JSON.stringify(hit));
-            count++;
-            sep = ",\n";
+      // count how many items have been added to a single batch
+      var countForBatch = 0;
+
+      // counter for the number of batches (used as filename)
+      var batchNumber = 1;
+
+      // create the readStream to parse the large file (json)
+      var readStream = fs$5.createReadStream(filepath).pipe(parser);
+
+      var batch = [];
+
+      // lets first remove the batch folder
+      this.clearDirectory(batchFilepath)
+        .then(() => {
+          // when we receive data...
+          readStream.on("data", function (data) {
+            try {
+              // if we have reached the limit for the batch...
+              // lets write to the batch file
+              if (countForBatch === batchSize) {
+                // write to the batch file
+                var writeStream = fs$5.createWriteStream(
+                  batchFilepath + "/batch_" + batchNumber + ".json",
+                );
+                writeStream.write(JSON.stringify(batch));
+                writeStream.close();
+
+                // adjust counts and reset batch array
+                countForBatch = 0;
+                // bump the batch number
+                batchNumber++;
+                // reset the batch json
+                batch = [];
+                // callback function to pass batchnumber (or anything later on)
+                callback &&
+                  typeof callback === "function" &&
+                  callback(batchNumber);
+              } else {
+                try {
+                  // push the JSON data into the batch array to be written later
+                  batch.push(data);
+                  countForBatch++;
+                } catch (e) {
+                  reject(e);
+                }
+              }
+            } catch (e) {
+              reject(e);
+            }
           });
-        })
-          .then((result) => {
-            writeStream.write("]");
-            win.webContents.send(
-              events$3.ALGOLIA_BROWSE_OBJECTS_COMPLETE,
-              result,
-            );
-          })
-          .catch((e) => {
-            win.webContents.send(events$3.ALGOLIA_BROWSE_OBJECTS_ERROR, e);
+
+          readStream.on("error", function (e) {
+            console.log("batch on error ", e);
+            reject(e);
           });
-      } else {
-        win.webContents.send(
-          events$3.ALGOLIA_BROWSE_OBJECTS_ERROR,
-          new Error("Missing parameters"),
-        );
-      }
-    } catch (e) {
-      win.webContents.send(events$3.ALGOLIA_BROWSE_OBJECTS_ERROR, {
-        error: e.message,
-      });
-    }
-  },
 
-  async partialUpdateObjectsFromDirectory(
-    win,
-    appId,
-    apiKey,
-    indexName,
-    dir,
-    createIfNotExists = false,
-  ) {
-    try {
-      const a = new AlgoliaIndex(appId, apiKey, indexName);
-      // now we can make the call to the utility and we are passing in the createIfNotExists FALSE by default
-      a.partialUpdateObjectsFromDirectorySync(
-        dir,
-        createIfNotExists,
-        (data) => {
-          win.webContents.send(
-            events$3.ALGOLIA_PARTIAL_UPDATE_OBJECTS_UPDATE,
-            data,
-          );
-        },
-      )
-        .then((result) => {
-          win.webContents.send(
-            events$3.ALGOLIA_PARTIAL_UPDATE_OBJECTS_COMPLETE,
-            result,
-          );
+          readStream.on("close", function () {
+            console.log("batch on close ");
+            resolve("batches completed ", batchNumber);
+          });
         })
         .catch((e) => {
-          win.webContents.send(events$3.ALGOLIA_PARTIAL_UPDATE_OBJECTS_ERROR, e);
+          console.log("catch batch ", e.message);
+          reject(e);
         });
-    } catch (e) {
-      win.webContents.send(events$3.ALGOLIA_PARTIAL_UPDATE_OBJECTS_ERROR, {
-        error: e.message,
-      });
-    }
-  },
+    });
+  };
 
-  /**
-   * createBatchesFromFile
-   * @param {*} win
-   * @param {*} filepath
-   * @param {*} batchFilepath
-   * @param {*} batchSize
-   * @param {*} callback
-   */
-  createBatchesFromFile: (
-    win,
-    filepath,
-    batchFilepath = "/data/batch",
-    batchSize = 500,
-  ) => {
-    try {
-      const a = new AlgoliaIndex();
-      a.createBatchesFromJSONFile(
-        filepath,
-        batchFilepath,
-        batchSize,
-        (data) => {
-          win.webContents.send(events$3.ALGOLIA_CREATE_BATCH_UPDATE, data);
-        },
-      )
-        .then((result) => {
-          win.webContents.send(events$3.ALGOLIA_CREATE_BATCH_COMPLETE, result);
-        })
-        .catch((e) => {
-          win.webContents.send(events$3.ALGOLIA_CREATE_BATCH_ERROR, e);
+  clearDirectory = (directoryPath) => {
+    return new Promise((resolve, reject) => {
+      try {
+        checkDirectory(directoryPath);
+        fs$5.readdir(directoryPath, (err, files) => {
+          if (err) reject(err);
+          if (files) {
+            files.forEach((file) => {
+              fs$5.unlinkSync(path$9.join(directoryPath, file));
+            });
+            resolve();
+          }
         });
-    } catch (e) {
-      win.webContents.send(events$3.ALGOLIA_CREATE_BATCH_ERROR, {
-        error: e.message,
-      });
-    }
-  },
-  /**
-   * search
-   * Search an index and return results in-memory (no file export).
-   * Returns the result directly for use with ipcMain.handle / ipcRenderer.invoke.
-   */
-  search: async (win, appId, apiKey, indexName, query = "", options = {}) => {
+      } catch (e) {
+        console.log("clear dir error ", e.message);
+        reject(e);
+      }
+    });
+  };
+
+  async partialUpdateObjectsFromDirectorySync(
+    batchFilepath,
+    createIfNotExists = false,
+    callback = null,
+  ) {
     try {
-      const a = new AlgoliaIndex(appId, apiKey, indexName);
-      return await a.search(query, options);
+      // read the directory...
+      const files = await fs$5.readdirSync(batchFilepath);
+      let results = [];
+      for (const fileIndex in files) {
+        // for each file lets read the file and then push to algolia
+        const pathToBatch = path$9.join(batchFilepath, files[fileIndex]);
+        const fileContents = await this.readFile(pathToBatch);
+        if (fileContents) {
+          if ("data" in fileContents && "filepath" in fileContents) {
+            // now we can update the index with the partial update
+            const updateResult = await this.partialUpdateObjects(
+              fileContents.data,
+              fileContents.filepath,
+              createIfNotExists,
+              callback,
+            );
+            results.push({ file: files[fileIndex] });
+          } else {
+            console.log("missed ", files[fileIndex]);
+          }
+        }
+      }
+      return Promise.resolve(results);
     } catch (e) {
-      return { error: true, message: e.message || String(e) };
+      return Promise.reject(e);
     }
-  },
-};
-
-var algoliaController_1 = algoliaController$1;
-
-const OpenAI = require$$0$7;
-const events$2 = events$8;
+  }
 
-const openaiController$1 = {
-  async describeImage(win, imageUrl, apiKey, prompt = "What's in this image?") {
-    try {
-      const openai = new OpenAI({
-        apiKey: apiKey,
+  async readFile(filepath) {
+    return await new Promise((resolve, reject) => {
+      fs$5.readFile(filepath, "utf8", (err, data) => {
+        if (err) {
+          reject(err);
+        }
+        resolve({ data, filepath });
       });
-      const response = await openai.chat.completions.create({
-        model: "gpt-4-vision-preview",
-        messages: [
-          {
-            role: "user",
-            content: [
-              { type: "text", text: prompt },
-              {
-                type: "image_url",
-                image_url: imageUrl,
+    });
+  }
+
+  browseObjects = (query = "", callback = null) => {
+    return new Promise((resolve, reject) => {
+      try {
+        if (this.index !== null) {
+          // call algolia to update the objects
+          this.index
+            .browseObjects({
+              query,
+              batch: (hits) => {
+                if (callback && typeof callback === "function") {
+                  callback(hits);
+                }
               },
-            ],
-          },
-        ],
-      });
+            })
+            .then(() => {
+              resolve({ success: true });
+            })
+            .catch((e) => reject(e));
+        } else {
+          reject("No index for client");
+        }
+      } catch (e) {
+        console.log("browse objects ", e.message);
+        reject(e);
+      }
+    });
+  };
 
-      win.webContents.send(events$2.OPENAI_DESCRIBE_IMAGE_COMPLETE, {
-        succes: true,
-        imageUrl,
-        response,
-      });
-    } catch (e) {
-      win.webContents.send(events$2.OPENAI_DESCRIBE_IMAGE_ERROR, {
-        succes: true,
-        error: e.message,
-      });
-    }
-  },
-};
+  async partialUpdateObjects(
+    objects,
+    file,
+    createIfNotExists = false,
+    callback = null,
+  ) {
+    return new Promise((resolve, reject) => {
+      try {
+        if (objects) {
+          const batch = JSON.parse(objects);
 
-var openaiController_1 = openaiController$1;
+          // callback function to pass batchnumber (or anything later on)
+          if (callback && typeof callback === "function") {
+            callback("indexing objects ", file, batch.length);
+          }
 
-const { app: app$4 } = require$$0$1;
-const path$8 = require$$1$2;
-const { writeFileSync } = require$$0$2;
-const { getFileContents: getFileContents$2 } = file;
+          if (this.index !== null) {
+            // call algolia to update the objects
+            this.index
+              .partialUpdateObjects(batch, {
+                createIfNotExists: createIfNotExists,
+              })
+              .then(({ objectIDs }) => {
+                resolve({
+                  success: true,
+                  batchComplete: batch.length,
+                  objectIDs,
+                });
+              })
+              .catch((e) => {
+                console.log("Error partialUpdateObjects", e.message);
+                reject(e);
+              });
+          } else {
+            reject("No index for client");
+          }
+        }
+      } catch (e) {
+        console.log("partial update objects ", e.message);
+        reject(e);
+      }
+    });
+  }
 
-const configFilename$1 = "menuItems.json";
-const appName$2 = "Dashboard";
+  search = (query = "", options = {}) => {
+    return new Promise((resolve, reject) => {
+      try {
+        if (this.index !== null) {
+          this.index
+            .search(query, options)
+            .then((result) => resolve(result))
+            .catch((e) => reject(e));
+        } else {
+          reject("No index for client");
+        }
+      } catch (e) {
+        reject(e);
+      }
+    });
+  };
 
-const menuItemsController$1 = {
-  saveMenuItemForApplication: (win, appId, menuItem) => {
-    try {
-      // filename to the pages file (live pages)
-      const filename = path$8.join(
-        app$4.getPath("userData"),
-        appName$2,
-        appId,
-        configFilename$1,
-      );
-      const menuItemsArray = getFileContents$2(filename);
+  saveObjects = (objects, file, callback = null) => {
+    return new Promise((resolve, reject) => {
+      try {
+        if (objects) {
+          const batch = JSON.parse(objects);
 
-      menuItemsArray.filter((mi) => mi !== null);
+          // callback function to pass batchnumber (or anything later on)
+          if (callback && typeof callback === "function") {
+            callback("saving objects ", file);
+          }
 
-      // add the menuItems object to the file
-      menuItemsArray.push(menuItem);
+          if (this.index !== null) {
+            // call algolia to update the objects
+            this.index
+              .saveObjects(batch, {
+                autoGenerateObjectIDIfNotExist: true,
+              })
+              .then(({ objectIDs }) => {
+                resolve({
+                  success: true,
+                  batchComplete: batch.length,
+                  file,
+                  objectIDs,
+                });
+              })
+              .catch((e) => reject(e));
+          } else {
+            reject("No index for client");
+          }
+        }
+      } catch (e) {
+        console.log("save objects error", e.message);
+        reject(e);
+      }
+    });
+  };
+};
 
-      // write the new pages configuration back to the file
-      writeFileSync(filename, JSON.stringify(menuItemsArray, null, 2));
+var algolia = AlgoliaIndex$1;
 
-      console.log("[menuItemsController] Menu item saved successfully");
+/**
+ * algoliaController.js
+ *
+ * This is a sample controller that is called from the electron.js file
+ *
+ * The electron.js file contains listeners from the renderer that will call
+ * the controller methods as seen below.
+ */
 
-      // Return the data for ipcMain.handle() - modern promise-based approach
-      return {
-        menuItems: menuItemsArray,
-        success: true,
-      };
-    } catch (e) {
-      console.error("[menuItemsController] Error saving menu item:", e);
-      // Return error object with empty menu items array
-      return {
-        error: true,
-        message: e.message,
-        menuItems: [],
-      };
-    }
-  },
+const algoliasearch = require$$2$2;
+const events$3 = events$8;
+const AlgoliaIndex = algolia;
+var fs$4 = require$$0$2;
 
-  listMenuItemsForApplication: (win, appId) => {
+const algoliaController$1 = {
+  /**
+   * loadPagesForApplication
+   * Load the pages for the application <userdata>/appId/pages.json
+   * - filter out the indices that are "rule" indices
+   *
+   * @param {BrowserWindow} win the main window
+   * @param {string} appId the application id from Algolia
+   */
+  listIndices: (win, application) => {
     try {
-      const filename = path$8.join(
-        app$4.getPath("userData"),
-        appName$2,
-        appId,
-        configFilename$1,
+      const searchClient = algoliasearch(
+        application["appId"],
+        application["key"],
       );
-      const menuItemsArray = getFileContents$2(filename);
-      const filtered = menuItemsArray.filter((mi) => mi !== null);
-      // Return the data for ipcMain.handle() - modern promise-based approach
-      return {
-        menuItems: filtered,
-      };
+      searchClient
+        .listIndices()
+        .then(({ items }) => {
+          const filtered = items.filter(
+            (item) => item.name.substring(0, 7) !== "sitehub",
+          );
+          win.webContents.send(events$3.ALGOLIA_LIST_INDICES_COMPLETE, filtered);
+        })
+        .catch((e) => {
+          win.webContents.send(events$3.ALGOLIA_LIST_INDICES_ERROR, {
+            error: e.message,
+          });
+        });
     } catch (e) {
-      console.error("[menuItemsController] Error listing menu items:", e);
-      // Return error object with empty menu items array
-      return {
-        error: true,
-        message: e.message,
-        menuItems: [],
-      };
+      win.webContents.send(events$3.ALGOLIA_LIST_INDICES_ERROR, {
+        error: e.message,
+      });
     }
   },
-};
-
-var menuItemsController_1 = menuItemsController$1;
 
-const path$7 = require$$1$2;
-const { app: app$3 } = require$$0$1;
-
-const pluginController$1 = {
-  install: (win, packageName, filepath) => {
+  getAnalyticsForQuery: (win, application, indexName, query) => {
     try {
-      const rootPath = path$7.join(
-        app$3.getPath("userData"),
-        "plugins",
-        packageName,
-      );
+      const baseUrl = "https://analytics.us.algolia.com";
+      const headers = {
+        "X-Algolia-Application-Id": application["appId"],
+        "X-Algolia-API-Key": application["key"],
+      };
+      const url = `${baseUrl}/2/hits?search=${encodeURIComponent(
+        query,
+      )}&clickAnalytics=true&index=${indexName}`;
+      axios
+        .get(url, {
+          headers: headers,
+        })
+        .then((resp) => {
+          if (resp.status === 200) {
+            win.webContents.send(events$3.ALGOLIA_ANALYTICS_FOR_QUERY_COMPLETE, {
+              result: resp.data,
+              indexName: indexName,
+              query: query,
+            });
+          } else {
+            win.webContents.send(events$3.ALGOLIA_ANALYTICS_FOR_QUERY_ERROR, {
+              error: true,
+              message: "Failed request",
+            });
+          }
+        })
+        .catch((e) => {
+          win.webContents.send(events$3.ALGOLIA_ANALYTICS_FOR_QUERY_ERROR, {
+            error: true,
+            message: e.message,
+          });
+        });
     } catch (e) {
-      win.webContents.send("plugin-install-error", { error: e.message });
-    }
-  },
-};
-
-var pluginController_1 = pluginController$1;
-
-/**
- * cliController.js
- *
- * Manages Claude Code CLI (`claude -p`) as an alternative LLM backend.
- * Spawns the CLI subprocess, parses stream-json NDJSON output, and emits
- * the same LLM_STREAM_* events as the Anthropic SDK path.
- *
- * Users with a Claude Pro/Max subscription and Claude Code installed
- * can use the Chat widget without a separate API key.
- */
-
-const { spawn, execSync } = require$$6$1;
-const {
-  LLM_STREAM_DELTA: LLM_STREAM_DELTA$2,
-  LLM_STREAM_TOOL_CALL: LLM_STREAM_TOOL_CALL$2,
-  LLM_STREAM_TOOL_RESULT: LLM_STREAM_TOOL_RESULT$2,
-  LLM_STREAM_COMPLETE: LLM_STREAM_COMPLETE$2,
-  LLM_STREAM_ERROR: LLM_STREAM_ERROR$2,
-} = llmEvents$1;
-
-/**
- * Cached shell PATH result (resolved once, reused for all spawns).
- * Same pattern as mcpController.js.
- */
-let _shellPath = null;
-
-function getShellPath() {
-  if (_shellPath !== null) return _shellPath;
-
-  try {
-    const shell = process.env.SHELL || "/bin/bash";
-    _shellPath = execSync(`${shell} -ilc 'echo -n "$PATH"'`, {
-      encoding: "utf8",
-      timeout: 5000,
-    });
-  } catch {
-    _shellPath = process.env.PATH || "";
-  }
-
-  return _shellPath;
-}
-
-/**
- * Cached CLI binary path (resolved once via `which claude`).
- */
-let _cliBinaryPath = undefined; // undefined = not yet checked
-
-function resolveCliBinary() {
-  if (_cliBinaryPath !== undefined) return _cliBinaryPath;
-
-  try {
-    const fullPath = getShellPath();
-    _cliBinaryPath = execSync("which claude", {
-      encoding: "utf8",
-      timeout: 5000,
-      env: { ...process.env, PATH: fullPath },
-    }).trim();
-  } catch {
-    _cliBinaryPath = null;
-  }
-
-  return _cliBinaryPath;
-}
-
-/**
- * Active CLI processes for abort support.
- * Map<requestId, ChildProcess>
- */
-const activeProcesses = new Map();
-
-/**
- * Session IDs for conversation continuity.
- * Map<widgetUuid, sessionId>
- */
-const sessions = new Map();
-
-/**
- * Send events safely to a window.
- */
-function safeSend(win, channel, data) {
-  if (win && !win.isDestroyed()) {
-    win.webContents.send(channel, data);
-  }
-}
-
-const cliController$2 = {
-  /**
-   * isAvailable
-   * Check if the Claude Code CLI is installed and accessible.
-   *
-   * @returns {{ available: boolean, path?: string }}
-   */
-  isAvailable: () => {
-    const binaryPath = resolveCliBinary();
-    if (binaryPath) {
-      return { available: true, path: binaryPath };
+      win.webContents.send(events$3.ALGOLIA_ANALYTICS_FOR_QUERY_ERROR, {
+        error: true,
+        message: e.message,
+      });
     }
-    return { available: false };
   },
 
   /**
-   * sendMessage
-   * Stream a response from the Claude Code CLI with NDJSON parsing.
+   * browseObjectsToFile
+   * Lets try and browse an index and pull down the hits and save as a file
    *
-   * @param {BrowserWindow} win - the window to send stream events to
-   * @param {string} requestId - unique ID for this request
-   * @param {object} params - { model, messages, systemPrompt, maxToolRounds, widgetUuid }
+   * @param {*} win
+   * @param {*} appId
+   * @param {*} apiKey
+   * @param {*} indexName
+   * @param {*} toFilename
+   * @param {*} query
    */
-  sendMessage: async (win, requestId, params) => {
-    const { model, messages, systemPrompt, widgetUuid, cwd } = params;
-
-    const binaryPath = resolveCliBinary();
-    if (!binaryPath) {
-      safeSend(win, LLM_STREAM_ERROR$2, {
-        requestId,
-        error:
-          "Claude Code CLI not found. Install from https://claude.ai/download",
-        code: "CLI_NOT_FOUND",
-      });
-      return;
-    }
-
-    // Build CLI args
-    const args = ["-p", "--output-format", "stream-json", "--verbose"];
-
-    if (model) {
-      args.push("--model", model);
-    }
-
-    if (systemPrompt) {
-      args.push("--append-system-prompt", systemPrompt);
-    }
+  browseObjectsToFile: (
+    win,
+    appId,
+    apiKey,
+    indexName,
+    toFilename,
+    query = "",
+  ) => {
+    try {
+      if (
+        toFilename !== "" &&
+        apiKey !== "" &&
+        indexName !== "" &&
+        appId !== ""
+      ) {
+        // init the Algolia Index helper
+        const a = new AlgoliaIndex(appId, apiKey, indexName);
+        // create the write stream to store the hits
+        const writeStream = fs$4.createWriteStream(toFilename);
+        writeStream.write("[");
 
-    // Resume existing session for conversation continuity
-    const sessionId = widgetUuid ? sessions.get(widgetUuid) : null;
-    if (sessionId) {
-      args.push("--resume", sessionId);
-    }
+        let sep = "";
 
-    // Extract the user message (last user message in the array)
-    const lastUserMsg = [...messages].reverse().find((m) => m.role === "user");
-    const userText =
-      typeof lastUserMsg?.content === "string"
-        ? lastUserMsg.content
-        : Array.isArray(lastUserMsg?.content)
-          ? lastUserMsg.content
-              .filter((b) => b.type === "text")
-              .map((b) => b.text)
-              .join("\n")
-          : "";
+        // call the algolia browseObjects helper method
+        a.browseObjects(query, (hits) => {
+          win.webContents.send(events$3.ALGOLIA_BROWSE_OBJECTS_UPDATE, hits);
 
-    if (!userText) {
-      safeSend(win, LLM_STREAM_ERROR$2, {
-        requestId,
-        error: "No user message to send.",
-        code: "CLI_ERROR",
+          let count = 0;
+          // write to the file
+          hits.forEach((hit) => {
+            writeStream.write(sep + JSON.stringify(hit));
+            count++;
+            sep = ",\n";
+          });
+        })
+          .then((result) => {
+            writeStream.write("]");
+            win.webContents.send(
+              events$3.ALGOLIA_BROWSE_OBJECTS_COMPLETE,
+              result,
+            );
+          })
+          .catch((e) => {
+            win.webContents.send(events$3.ALGOLIA_BROWSE_OBJECTS_ERROR, e);
+          });
+      } else {
+        win.webContents.send(
+          events$3.ALGOLIA_BROWSE_OBJECTS_ERROR,
+          new Error("Missing parameters"),
+        );
+      }
+    } catch (e) {
+      win.webContents.send(events$3.ALGOLIA_BROWSE_OBJECTS_ERROR, {
+        error: e.message,
       });
-      return;
     }
+  },
 
-    try {
-      const fullPath = getShellPath();
-      const spawnOpts = {
-        env: { ...process.env, PATH: fullPath },
-        stdio: ["pipe", "pipe", "pipe"],
-      };
-      if (cwd) {
-        const fs = require("fs");
-        if (!fs.existsSync(cwd)) {
-          fs.mkdirSync(cwd, { recursive: true });
-        }
-        spawnOpts.cwd = cwd;
-      }
-      const child = spawn(binaryPath, args, spawnOpts);
+  async partialUpdateObjectsFromDirectory(
+    win,
+    appId,
+    apiKey,
+    indexName,
+    dir,
+    createIfNotExists = false,
+  ) {
+    try {
+      const a = new AlgoliaIndex(appId, apiKey, indexName);
+      // now we can make the call to the utility and we are passing in the createIfNotExists FALSE by default
+      a.partialUpdateObjectsFromDirectorySync(
+        dir,
+        createIfNotExists,
+        (data) => {
+          win.webContents.send(
+            events$3.ALGOLIA_PARTIAL_UPDATE_OBJECTS_UPDATE,
+            data,
+          );
+        },
+      )
+        .then((result) => {
+          win.webContents.send(
+            events$3.ALGOLIA_PARTIAL_UPDATE_OBJECTS_COMPLETE,
+            result,
+          );
+        })
+        .catch((e) => {
+          win.webContents.send(events$3.ALGOLIA_PARTIAL_UPDATE_OBJECTS_ERROR, e);
+        });
+    } catch (e) {
+      win.webContents.send(events$3.ALGOLIA_PARTIAL_UPDATE_OBJECTS_ERROR, {
+        error: e.message,
+      });
+    }
+  },
 
-      activeProcesses.set(requestId, child);
+  /**
+   * createBatchesFromFile
+   * @param {*} win
+   * @param {*} filepath
+   * @param {*} batchFilepath
+   * @param {*} batchSize
+   * @param {*} callback
+   */
+  createBatchesFromFile: (
+    win,
+    filepath,
+    batchFilepath = "/data/batch",
+    batchSize = 500,
+  ) => {
+    try {
+      const a = new AlgoliaIndex();
+      a.createBatchesFromJSONFile(
+        filepath,
+        batchFilepath,
+        batchSize,
+        (data) => {
+          win.webContents.send(events$3.ALGOLIA_CREATE_BATCH_UPDATE, data);
+        },
+      )
+        .then((result) => {
+          win.webContents.send(events$3.ALGOLIA_CREATE_BATCH_COMPLETE, result);
+        })
+        .catch((e) => {
+          win.webContents.send(events$3.ALGOLIA_CREATE_BATCH_ERROR, e);
+        });
+    } catch (e) {
+      win.webContents.send(events$3.ALGOLIA_CREATE_BATCH_ERROR, {
+        error: e.message,
+      });
+    }
+  },
+  /**
+   * search
+   * Search an index and return results in-memory (no file export).
+   * Returns the result directly for use with ipcMain.handle / ipcRenderer.invoke.
+   */
+  search: async (win, appId, apiKey, indexName, query = "", options = {}) => {
+    try {
+      const a = new AlgoliaIndex(appId, apiKey, indexName);
+      return await a.search(query, options);
+    } catch (e) {
+      return { error: true, message: e.message || String(e) };
+    }
+  },
+};
 
-      // Pipe user message via stdin (not visible in ps)
-      child.stdin.write(userText);
-      child.stdin.end();
+var algoliaController_1 = algoliaController$1;
 
-      let stdoutBuffer = "";
-      let stderrBuffer = "";
-      let capturedSessionId = null;
-      let retried = false;
+const OpenAI = require$$0$7;
+const events$2 = events$8;
 
-      // Track active tool calls for mapping results
-      const activeToolCalls = new Map();
+const openaiController$1 = {
+  async describeImage(win, imageUrl, apiKey, prompt = "What's in this image?") {
+    try {
+      const openai = new OpenAI({
+        apiKey: apiKey,
+      });
+      const response = await openai.chat.completions.create({
+        model: "gpt-4-vision-preview",
+        messages: [
+          {
+            role: "user",
+            content: [
+              { type: "text", text: prompt },
+              {
+                type: "image_url",
+                image_url: imageUrl,
+              },
+            ],
+          },
+        ],
+      });
 
-      child.stdout.on("data", (chunk) => {
-        stdoutBuffer += chunk.toString();
+      win.webContents.send(events$2.OPENAI_DESCRIBE_IMAGE_COMPLETE, {
+        succes: true,
+        imageUrl,
+        response,
+      });
+    } catch (e) {
+      win.webContents.send(events$2.OPENAI_DESCRIBE_IMAGE_ERROR, {
+        succes: true,
+        error: e.message,
+      });
+    }
+  },
+};
 
-        // Process complete lines
-        const lines = stdoutBuffer.split("\n");
-        stdoutBuffer = lines.pop(); // keep incomplete line in buffer
+var openaiController_1 = openaiController$1;
 
-        for (const line of lines) {
-          if (!line.trim()) continue;
+const { app: app$4 } = require$$0$1;
+const path$8 = require$$1$2;
+const { writeFileSync } = require$$0$2;
+const { getFileContents: getFileContents$2 } = file;
 
-          let parsed;
-          try {
-            parsed = JSON.parse(line);
-          } catch {
-            console.warn("[cliController] Skipping invalid JSON line:", line);
-            continue;
-          }
+const configFilename$1 = "menuItems.json";
+const appName$2 = "Dashboard";
 
-          // Capture session ID from any message that has it
-          if (parsed.session_id && widgetUuid) {
-            capturedSessionId = parsed.session_id;
-            sessions.set(widgetUuid, capturedSessionId);
-          }
+const menuItemsController$1 = {
+  saveMenuItemForApplication: (win, appId, menuItem) => {
+    try {
+      // filename to the pages file (live pages)
+      const filename = path$8.join(
+        app$4.getPath("userData"),
+        appName$2,
+        appId,
+        configFilename$1,
+      );
+      const menuItemsArray = getFileContents$2(filename);
 
-          // Map CLI stream-json events to IPC events
-          if (parsed.type === "content_block_delta") {
-            if (parsed.delta?.type === "text_delta" && parsed.delta.text) {
-              safeSend(win, LLM_STREAM_DELTA$2, {
-                requestId,
-                text: parsed.delta.text,
-              });
-            } else if (parsed.delta?.type === "input_json_delta") {
-              // Update tool input incrementally
-              const tc = activeToolCalls.get(parsed.index);
-              if (tc) {
-                tc.partialInput =
-                  (tc.partialInput || "") + (parsed.delta.partial_json || "");
-              }
-            }
-          } else if (parsed.type === "content_block_start") {
-            if (parsed.content_block?.type === "tool_use") {
-              const toolBlock = parsed.content_block;
-              activeToolCalls.set(parsed.index, {
-                toolUseId: toolBlock.id,
-                toolName: toolBlock.name,
-                partialInput: "",
-              });
-              safeSend(win, LLM_STREAM_TOOL_CALL$2, {
-                requestId,
-                toolUseId: toolBlock.id,
-                toolName: toolBlock.name,
-                serverName: "Claude Code",
-                input: toolBlock.input || {},
-              });
-            }
-          } else if (parsed.type === "content_block_stop") {
-            // Tool call completed — try to parse the accumulated input
-            const tc = activeToolCalls.get(parsed.index);
-            if (tc && tc.partialInput) {
-              try {
-                tc.finalInput = JSON.parse(tc.partialInput);
-              } catch {
-                tc.finalInput = tc.partialInput;
-              }
-            }
-          } else if (parsed.type === "message_stop") {
-            // Individual message completed (may be followed by more in tool-use loops)
-          } else if (parsed.type === "result") {
-            // Final result — conversation complete
-            const content = [];
-            if (parsed.result) {
-              content.push({ type: "text", text: parsed.result });
-            }
+      menuItemsArray.filter((mi) => mi !== null);
 
-            safeSend(win, LLM_STREAM_COMPLETE$2, {
-              requestId,
-              content,
-              stopReason: parsed.stop_reason || "end_turn",
-              usage: parsed.usage || {},
-            });
-          }
-        }
-      });
+      // add the menuItems object to the file
+      menuItemsArray.push(menuItem);
 
-      child.stderr.on("data", (chunk) => {
-        stderrBuffer += chunk.toString();
-      });
+      // write the new pages configuration back to the file
+      writeFileSync(filename, JSON.stringify(menuItemsArray, null, 2));
 
-      child.on("error", (err) => {
-        activeProcesses.delete(requestId);
-        safeSend(win, LLM_STREAM_ERROR$2, {
-          requestId,
-          error: `Failed to start Claude CLI: ${err.message}`,
-          code: "CLI_SPAWN_ERROR",
-        });
-      });
+      console.log("[menuItemsController] Menu item saved successfully");
 
-      child.on("close", (code) => {
-        activeProcesses.delete(requestId);
+      // Return the data for ipcMain.handle() - modern promise-based approach
+      return {
+        menuItems: menuItemsArray,
+        success: true,
+      };
+    } catch (e) {
+      console.error("[menuItemsController] Error saving menu item:", e);
+      // Return error object with empty menu items array
+      return {
+        error: true,
+        message: e.message,
+        menuItems: [],
+      };
+    }
+  },
 
-        // Process any remaining buffer
-        if (stdoutBuffer.trim()) {
-          try {
-            const parsed = JSON.parse(stdoutBuffer);
-            if (parsed.session_id && widgetUuid) {
-              sessions.set(widgetUuid, parsed.session_id);
-            }
-            if (parsed.type === "result") {
-              const content = [];
-              if (parsed.result) {
-                content.push({ type: "text", text: parsed.result });
-              }
-              safeSend(win, LLM_STREAM_COMPLETE$2, {
-                requestId,
-                content,
-                stopReason: parsed.stop_reason || "end_turn",
-                usage: parsed.usage || {},
-              });
-              return;
-            }
-          } catch {
-            // ignore
-          }
-        }
+  listMenuItemsForApplication: (win, appId) => {
+    try {
+      const filename = path$8.join(
+        app$4.getPath("userData"),
+        appName$2,
+        appId,
+        configFilename$1,
+      );
+      const menuItemsArray = getFileContents$2(filename);
+      const filtered = menuItemsArray.filter((mi) => mi !== null);
+      // Return the data for ipcMain.handle() - modern promise-based approach
+      return {
+        menuItems: filtered,
+      };
+    } catch (e) {
+      console.error("[menuItemsController] Error listing menu items:", e);
+      // Return error object with empty menu items array
+      return {
+        error: true,
+        message: e.message,
+        menuItems: [],
+      };
+    }
+  },
+};
 
-        if (code !== 0 && code !== null) {
-          // Check if resume failed and retry without it
-          if (sessionId && !retried && stderrBuffer.includes("session")) {
-            retried = true;
-            if (widgetUuid) sessions.delete(widgetUuid);
-            // Retry without --resume
-            cliController$2.sendMessage(win, requestId, {
-              ...params,
-              _retryWithoutResume: true,
-            });
-            return;
-          }
+var menuItemsController_1 = menuItemsController$1;
 
-          // Check for auth errors
-          if (
-            stderrBuffer.includes("auth") ||
-            stderrBuffer.includes("login") ||
-            stderrBuffer.includes("not authenticated")
-          ) {
-            safeSend(win, LLM_STREAM_ERROR$2, {
-              requestId,
-              error:
-                "Claude Code CLI is not authenticated. Run `claude auth login` in your terminal.",
-              code: "CLI_AUTH_ERROR",
-            });
-            return;
-          }
+const path$7 = require$$1$2;
+const { app: app$3 } = require$$0$1;
 
-          safeSend(win, LLM_STREAM_ERROR$2, {
-            requestId,
-            error: `Claude CLI exited with code ${code}${stderrBuffer ? ": " + stderrBuffer.slice(0, 500) : ""}`,
-            code: "CLI_ERROR",
-          });
-        }
-      });
-    } catch (err) {
-      activeProcesses.delete(requestId);
-      safeSend(win, LLM_STREAM_ERROR$2, {
-        requestId,
-        error: `Failed to start Claude CLI: ${err.message}`,
-        code: "CLI_SPAWN_ERROR",
-      });
+const pluginController$1 = {
+  install: (win, packageName, filepath) => {
+    try {
+      const rootPath = path$7.join(
+        app$3.getPath("userData"),
+        "plugins",
+        packageName,
+      );
+    } catch (e) {
+      win.webContents.send("plugin-install-error", { error: e.message });
     }
   },
+};
+
+var pluginController_1 = pluginController$1;
+
+/**
+ * cliController.js
+ *
+ * Manages Claude Code CLI (`claude -p`) as an alternative LLM backend.
+ * Spawns the CLI subprocess, parses stream-json NDJSON output, and emits
+ * the same LLM_STREAM_* events as the Anthropic SDK path.
+ *
+ * Users with a Claude Pro/Max subscription and Claude Code installed
+ * can use the Chat widget without a separate API key.
+ */
+
+const { spawn, execSync } = require$$6$1;
+const {
+  LLM_STREAM_DELTA: LLM_STREAM_DELTA$2,
+  LLM_STREAM_TOOL_CALL: LLM_STREAM_TOOL_CALL$2,
+  LLM_STREAM_TOOL_RESULT: LLM_STREAM_TOOL_RESULT$2,
+  LLM_STREAM_COMPLETE: LLM_STREAM_COMPLETE$2,
+  LLM_STREAM_ERROR: LLM_STREAM_ERROR$2,
+} = llmEvents$1;
+
+/**
+ * Cached shell PATH result (resolved once, reused for all spawns).
+ * Same pattern as mcpController.js.
+ */
+let _shellPath = null;
+
+function getShellPath() {
+  if (_shellPath !== null) return _shellPath;
+
+  try {
+    const shell = process.env.SHELL || "/bin/bash";
+    _shellPath = execSync(`${shell} -ilc 'echo -n "$PATH"'`, {
+      encoding: "utf8",
+      timeout: 5000,
+    });
+  } catch {
+    _shellPath = process.env.PATH || "";
+  }
+
+  return _shellPath;
+}
+
+/**
+ * Cached CLI binary path (resolved once via `which claude`).
+ */
+let _cliBinaryPath = undefined; // undefined = not yet checked
+
+function resolveCliBinary() {
+  if (_cliBinaryPath !== undefined) return _cliBinaryPath;
+
+  try {
+    const fullPath = getShellPath();
+    _cliBinaryPath = execSync("which claude", {
+      encoding: "utf8",
+      timeout: 5000,
+      env: { ...process.env, PATH: fullPath },
+    }).trim();
+  } catch {
+    _cliBinaryPath = null;
+  }
+
+  return _cliBinaryPath;
+}
+
+/**
+ * Active CLI processes for abort support.
+ * Map<requestId, ChildProcess>
+ */
+const activeProcesses = new Map();
+
+/**
+ * Session IDs for conversation continuity.
+ * Map<widgetUuid, sessionId>
+ */
+const sessions = new Map();
+
+/**
+ * Send events safely to a window.
+ */
+function safeSend(win, channel, data) {
+  if (win && !win.isDestroyed()) {
+    win.webContents.send(channel, data);
+  }
+}
 
+const cliController$2 = {
   /**
-   * abortRequest
-   * Kill an in-flight CLI process.
+   * isAvailable
+   * Check if the Claude Code CLI is installed and accessible.
    *
-   * @param {string} requestId - the request to cancel
-   * @returns {{ success: boolean }}
+   * @returns {{ available: boolean, path?: string }}
    */
-  abortRequest: (requestId) => {
-    const child = activeProcesses.get(requestId);
-    if (child) {
-      child.kill("SIGTERM");
-      activeProcesses.delete(requestId);
-      return { success: true };
+  isAvailable: () => {
+    const binaryPath = resolveCliBinary();
+    if (binaryPath) {
+      return { available: true, path: binaryPath };
     }
-    return { success: false, message: "Request not found" };
+    return { available: false };
   },
 
   /**
-   * clearSession
-   * Remove the stored session ID for a widget (called on "New Chat").
+   * sendMessage
+   * Stream a response from the Claude Code CLI with NDJSON parsing.
    *
-   * @param {string} widgetUuid - the widget whose session to clear
-   * @returns {{ success: boolean }}
+   * @param {BrowserWindow} win - the window to send stream events to
+   * @param {string} requestId - unique ID for this request
+   * @param {object} params - { model, messages, systemPrompt, maxToolRounds, widgetUuid }
    */
-  clearSession: (widgetUuid) => {
-    if (widgetUuid && sessions.has(widgetUuid)) {
-      sessions.delete(widgetUuid);
-      return { success: true };
+  sendMessage: async (win, requestId, params) => {
+    const { model, messages, systemPrompt, widgetUuid, cwd } = params;
+
+    const binaryPath = resolveCliBinary();
+    if (!binaryPath) {
+      safeSend(win, LLM_STREAM_ERROR$2, {
+        requestId,
+        error:
+          "Claude Code CLI not found. Install from https://claude.ai/download",
+        code: "CLI_NOT_FOUND",
+      });
+      return;
     }
-    return { success: false };
-  },
 
-  /**
+    // Build CLI args
+    const args = ["-p", "--output-format", "stream-json", "--verbose"];
+
+    if (model) {
+      args.push("--model", model);
+    }
+
+    if (systemPrompt) {
+      args.push("--append-system-prompt", systemPrompt);
+    }
+
+    // Resume existing session for conversation continuity
+    const sessionId = widgetUuid ? sessions.get(widgetUuid) : null;
+    if (sessionId) {
+      args.push("--resume", sessionId);
+    }
+
+    // Extract the user message (last user message in the array)
+    const lastUserMsg = [...messages].reverse().find((m) => m.role === "user");
+    const userText =
+      typeof lastUserMsg?.content === "string"
+        ? lastUserMsg.content
+        : Array.isArray(lastUserMsg?.content)
+          ? lastUserMsg.content
+              .filter((b) => b.type === "text")
+              .map((b) => b.text)
+              .join("\n")
+          : "";
+
+    if (!userText) {
+      safeSend(win, LLM_STREAM_ERROR$2, {
+        requestId,
+        error: "No user message to send.",
+        code: "CLI_ERROR",
+      });
+      return;
+    }
+
+    try {
+      const fullPath = getShellPath();
+      const spawnOpts = {
+        env: { ...process.env, PATH: fullPath },
+        stdio: ["pipe", "pipe", "pipe"],
+      };
+      if (cwd) {
+        const fs = require("fs");
+        if (!fs.existsSync(cwd)) {
+          fs.mkdirSync(cwd, { recursive: true });
+        }
+        spawnOpts.cwd = cwd;
+      }
+      const child = spawn(binaryPath, args, spawnOpts);
+
+      activeProcesses.set(requestId, child);
+
+      // Pipe user message via stdin (not visible in ps)
+      child.stdin.write(userText);
+      child.stdin.end();
+
+      let stdoutBuffer = "";
+      let stderrBuffer = "";
+      let capturedSessionId = null;
+      let retried = false;
+
+      // Track active tool calls for mapping results
+      const activeToolCalls = new Map();
+
+      child.stdout.on("data", (chunk) => {
+        stdoutBuffer += chunk.toString();
+
+        // Process complete lines
+        const lines = stdoutBuffer.split("\n");
+        stdoutBuffer = lines.pop(); // keep incomplete line in buffer
+
+        for (const line of lines) {
+          if (!line.trim()) continue;
+
+          let parsed;
+          try {
+            parsed = JSON.parse(line);
+          } catch {
+            console.warn("[cliController] Skipping invalid JSON line:", line);
+            continue;
+          }
+
+          // Capture session ID from any message that has it
+          if (parsed.session_id && widgetUuid) {
+            capturedSessionId = parsed.session_id;
+            sessions.set(widgetUuid, capturedSessionId);
+          }
+
+          // Map CLI stream-json events to IPC events
+          if (parsed.type === "content_block_delta") {
+            if (parsed.delta?.type === "text_delta" && parsed.delta.text) {
+              safeSend(win, LLM_STREAM_DELTA$2, {
+                requestId,
+                text: parsed.delta.text,
+              });
+            } else if (parsed.delta?.type === "input_json_delta") {
+              // Update tool input incrementally
+              const tc = activeToolCalls.get(parsed.index);
+              if (tc) {
+                tc.partialInput =
+                  (tc.partialInput || "") + (parsed.delta.partial_json || "");
+              }
+            }
+          } else if (parsed.type === "content_block_start") {
+            if (parsed.content_block?.type === "tool_use") {
+              const toolBlock = parsed.content_block;
+              activeToolCalls.set(parsed.index, {
+                toolUseId: toolBlock.id,
+                toolName: toolBlock.name,
+                partialInput: "",
+              });
+              safeSend(win, LLM_STREAM_TOOL_CALL$2, {
+                requestId,
+                toolUseId: toolBlock.id,
+                toolName: toolBlock.name,
+                serverName: "Claude Code",
+                input: toolBlock.input || {},
+              });
+            }
+          } else if (parsed.type === "content_block_stop") {
+            // Tool call completed — try to parse the accumulated input
+            const tc = activeToolCalls.get(parsed.index);
+            if (tc && tc.partialInput) {
+              try {
+                tc.finalInput = JSON.parse(tc.partialInput);
+              } catch {
+                tc.finalInput = tc.partialInput;
+              }
+            }
+          } else if (parsed.type === "message_stop") {
+            // Individual message completed (may be followed by more in tool-use loops)
+          } else if (parsed.type === "result") {
+            // Final result — conversation complete
+            const content = [];
+            if (parsed.result) {
+              content.push({ type: "text", text: parsed.result });
+            }
+
+            safeSend(win, LLM_STREAM_COMPLETE$2, {
+              requestId,
+              content,
+              stopReason: parsed.stop_reason || "end_turn",
+              usage: parsed.usage || {},
+            });
+          }
+        }
+      });
+
+      child.stderr.on("data", (chunk) => {
+        stderrBuffer += chunk.toString();
+      });
+
+      child.on("error", (err) => {
+        activeProcesses.delete(requestId);
+        safeSend(win, LLM_STREAM_ERROR$2, {
+          requestId,
+          error: `Failed to start Claude CLI: ${err.message}`,
+          code: "CLI_SPAWN_ERROR",
+        });
+      });
+
+      child.on("close", (code) => {
+        activeProcesses.delete(requestId);
+
+        // Process any remaining buffer
+        if (stdoutBuffer.trim()) {
+          try {
+            const parsed = JSON.parse(stdoutBuffer);
+            if (parsed.session_id && widgetUuid) {
+              sessions.set(widgetUuid, parsed.session_id);
+            }
+            if (parsed.type === "result") {
+              const content = [];
+              if (parsed.result) {
+                content.push({ type: "text", text: parsed.result });
+              }
+              safeSend(win, LLM_STREAM_COMPLETE$2, {
+                requestId,
+                content,
+                stopReason: parsed.stop_reason || "end_turn",
+                usage: parsed.usage || {},
+              });
+              return;
+            }
+          } catch {
+            // ignore
+          }
+        }
+
+        if (code !== 0 && code !== null) {
+          // Check if resume failed and retry without it
+          if (sessionId && !retried && stderrBuffer.includes("session")) {
+            retried = true;
+            if (widgetUuid) sessions.delete(widgetUuid);
+            // Retry without --resume
+            cliController$2.sendMessage(win, requestId, {
+              ...params,
+              _retryWithoutResume: true,
+            });
+            return;
+          }
+
+          // Check for auth errors
+          if (
+            stderrBuffer.includes("auth") ||
+            stderrBuffer.includes("login") ||
+            stderrBuffer.includes("not authenticated")
+          ) {
+            safeSend(win, LLM_STREAM_ERROR$2, {
+              requestId,
+              error:
+                "Claude Code CLI is not authenticated. Run `claude auth login` in your terminal.",
+              code: "CLI_AUTH_ERROR",
+            });
+            return;
+          }
+
+          safeSend(win, LLM_STREAM_ERROR$2, {
+            requestId,
+            error: `Claude CLI exited with code ${code}${stderrBuffer ? ": " + stderrBuffer.slice(0, 500) : ""}`,
+            code: "CLI_ERROR",
+          });
+        }
+      });
+    } catch (err) {
+      activeProcesses.delete(requestId);
+      safeSend(win, LLM_STREAM_ERROR$2, {
+        requestId,
+        error: `Failed to start Claude CLI: ${err.message}`,
+        code: "CLI_SPAWN_ERROR",
+      });
+    }
+  },
+
+  /**
+   * abortRequest
+   * Kill an in-flight CLI process.
+   *
+   * @param {string} requestId - the request to cancel
+   * @returns {{ success: boolean }}
+   */
+  abortRequest: (requestId) => {
+    const child = activeProcesses.get(requestId);
+    if (child) {
+      child.kill("SIGTERM");
+      activeProcesses.delete(requestId);
+      return { success: true };
+    }
+    return { success: false, message: "Request not found" };
+  },
+
+  /**
+   * clearSession
+   * Remove the stored session ID for a widget (called on "New Chat").
+   *
+   * @param {string} widgetUuid - the widget whose session to clear
+   * @returns {{ success: boolean }}
+   */
+  clearSession: (widgetUuid) => {
+    if (widgetUuid && sessions.has(widgetUuid)) {
+      sessions.delete(widgetUuid);
+      return { success: true };
+    }
+    return { success: false };
+  },
+
+  /**
    * getSessionStatus
    * Check if a CLI session exists and whether a process is active for a widget.
    *
@@ -48637,1013 +48992,685 @@ let StreamableHTTPServerTransport$1 = class StreamableHTTPServerTransport {
         const handler = (0, node_server_1.getRequestListener)(async (webRequest) => {
             return this._webStandardTransport.handleRequest(webRequest, {
                 authInfo,
-                parsedBody
-            });
-        }, { overrideGlobalObjects: false });
-        // Delegate to the request listener which handles all the Node.js <-> Web Standard conversion
-        // including proper SSE streaming support
-        await handler(req, res);
-    }
-    /**
-     * Close an SSE stream for a specific request, triggering client reconnection.
-     * Use this to implement polling behavior during long-running operations -
-     * client will reconnect after the retry interval specified in the priming event.
-     */
-    closeSSEStream(requestId) {
-        this._webStandardTransport.closeSSEStream(requestId);
-    }
-    /**
-     * Close the standalone GET SSE stream, triggering client reconnection.
-     * Use this to implement polling behavior for server-initiated notifications.
-     */
-    closeStandaloneSSEStream() {
-        this._webStandardTransport.closeStandaloneSSEStream();
-    }
-};
-streamableHttp.StreamableHTTPServerTransport = StreamableHTTPServerTransport$1;
-
-/**
- * tlsCert.js
- *
- * Generates and caches a self-signed TLS certificate for the MCP Dash Server.
- * Uses node-forge (already in the dependency tree) to create a cert valid for
- * 127.0.0.1 and localhost, stored in the app's userData directory.
- *
- * Usage:
- *   const { getOrCreateCert } = require('./tlsCert');
- *   const { cert, key } = getOrCreateCert(certsDir);
- *   https.createServer({ key, cert }, handler);
- */
-
-const fs$3 = require$$0$2;
-const path$6 = require$$1$2;
-const forge = require$$2$3;
-
-/**
- * Get or create a self-signed TLS certificate for localhost.
- * @param {string} certsDir - Directory to store cert.pem and key.pem
- * @returns {{ cert: string, key: string }} PEM-encoded certificate and private key
- */
-function getOrCreateCert$1(certsDir) {
-  const certPath = path$6.join(certsDir, "cert.pem");
-  const keyPath = path$6.join(certsDir, "key.pem");
-
-  // Return existing cert if valid
-  if (fs$3.existsSync(certPath) && fs$3.existsSync(keyPath)) {
-    try {
-      const cert = fs$3.readFileSync(certPath, "utf8");
-      const key = fs$3.readFileSync(keyPath, "utf8");
-      // Verify cert is not expired
-      const parsed = forge.pki.certificateFromPem(cert);
-      if (parsed.validity.notAfter > new Date()) {
-        return { cert, key };
-      }
-      console.log("[tlsCert] Existing certificate expired, regenerating...");
-    } catch (e) {
-      console.log("[tlsCert] Existing certificate invalid, regenerating...");
-    }
-  }
-
-  console.log("[tlsCert] Generating self-signed certificate for localhost...");
-
-  // Generate 2048-bit RSA key pair
-  const keys = forge.pki.rsa.generateKeyPair(2048);
-
-  // Create certificate
-  const cert = forge.pki.createCertificate();
-  cert.publicKey = keys.publicKey;
-  cert.serialNumber = "01";
-
-  // Valid for 10 years
-  cert.validity.notBefore = new Date();
-  cert.validity.notAfter = new Date();
-  cert.validity.notAfter.setFullYear(
-    cert.validity.notBefore.getFullYear() + 10,
-  );
-
-  // Subject and issuer (self-signed)
-  const attrs = [
-    { name: "commonName", value: "Dash MCP Server" },
-    { name: "organizationName", value: "Dash" },
-  ];
-  cert.setSubject(attrs);
-  cert.setIssuer(attrs);
-
-  // Subject Alternative Names (SAN) — required for modern TLS clients
-  cert.setExtensions([
-    { name: "basicConstraints", cA: false },
-    {
-      name: "keyUsage",
-      digitalSignature: true,
-      keyEncipherment: true,
-    },
-    {
-      name: "extKeyUsage",
-      serverAuth: true,
-    },
-    {
-      name: "subjectAltName",
-      altNames: [
-        { type: 7, ip: "127.0.0.1" }, // IP SAN
-        { type: 2, value: "localhost" }, // DNS SAN
-      ],
-    },
-  ]);
-
-  // Self-sign with SHA-256
-  cert.sign(keys.privateKey, forge.md.sha256.create());
-
-  // Convert to PEM
-  const certPem = forge.pki.certificateToPem(cert);
-  const keyPem = forge.pki.privateKeyToPem(keys.privateKey);
-
-  // Write to disk
-  fs$3.mkdirSync(certsDir, { recursive: true });
-  fs$3.writeFileSync(certPath, certPem, { mode: 0o644 });
-  fs$3.writeFileSync(keyPath, keyPem, { mode: 0o600 });
-
-  console.log(`[tlsCert] Certificate saved to ${certsDir}`);
-
-  return { cert: certPem, key: keyPem };
-}
-
-var tlsCert = { getOrCreateCert: getOrCreateCert$1 };
-
-/**
- * jsonSchemaToZod.js
- *
- * Converts JSON Schema objects to Zod v3 schemas.
- * Used by the MCP Dash server to satisfy the MCP SDK's requirement
- * for Zod schemas in tool input validation (safeParseAsync).
- */
-
-const z$1 = zod;
-
-/**
- * Convert a JSON Schema property definition to a Zod v3 schema.
- * Handles: string (+ enum), number, boolean, object (recursive), array.
- */
-function jsonSchemaPropertyToZod(prop) {
-  if (!prop || typeof prop !== "object") return z$1.any();
-
-  let schema;
-
-  switch (prop.type) {
-    case "string":
-      if (Array.isArray(prop.enum) && prop.enum.length > 0) {
-        schema = z$1.enum(prop.enum);
-      } else {
-        schema = z$1.string();
-      }
-      break;
-    case "number":
-      schema = z$1.number();
-      break;
-    case "boolean":
-      schema = z$1.boolean();
-      break;
-    case "array":
-      schema = z$1.array(
-        prop.items ? jsonSchemaPropertyToZod(prop.items) : z$1.any(),
-      );
-      break;
-    case "object":
-      if (prop.properties && Object.keys(prop.properties).length > 0) {
-        schema = jsonSchemaToZod$1(prop);
-      } else {
-        // Generic object with no known properties (e.g. config, credentials)
-        schema = z$1.object({}).passthrough();
-      }
-      break;
-    default:
-      schema = z$1.any();
-  }
-
-  if (prop.description) {
-    schema = schema.describe(prop.description);
-  }
-
-  return schema;
-}
-
-/**
- * Convert a top-level JSON Schema inputSchema to a Zod v3 object schema.
- * The MCP SDK requires Zod schemas for input validation (safeParseAsync).
- */
-function jsonSchemaToZod$1(schema) {
-  if (!schema || schema.type !== "object") {
-    return z$1.object({});
-  }
-
-  const properties = schema.properties || {};
-  const required = Array.isArray(schema.required) ? schema.required : [];
-  const shape = {};
-
-  for (const [key, prop] of Object.entries(properties)) {
-    let fieldSchema = jsonSchemaPropertyToZod(prop);
-    if (!required.includes(key)) {
-      fieldSchema = fieldSchema.optional();
+                parsedBody
+            });
+        }, { overrideGlobalObjects: false });
+        // Delegate to the request listener which handles all the Node.js <-> Web Standard conversion
+        // including proper SSE streaming support
+        await handler(req, res);
     }
-    shape[key] = fieldSchema;
-  }
-
-  return z$1.object(shape);
-}
-
-var jsonSchemaToZod_1 = { jsonSchemaToZod: jsonSchemaToZod$1, jsonSchemaPropertyToZod };
+    /**
+     * Close an SSE stream for a specific request, triggering client reconnection.
+     * Use this to implement polling behavior during long-running operations -
+     * client will reconnect after the retry interval specified in the priming event.
+     */
+    closeSSEStream(requestId) {
+        this._webStandardTransport.closeSSEStream(requestId);
+    }
+    /**
+     * Close the standalone GET SSE stream, triggering client reconnection.
+     * Use this to implement polling behavior for server-initiated notifications.
+     */
+    closeStandaloneSSEStream() {
+        this._webStandardTransport.closeStandaloneSSEStream();
+    }
+};
+streamableHttp.StreamableHTTPServerTransport = StreamableHTTPServerTransport$1;
 
 /**
- * mcpDashServerController.js
- *
- * Manages the hosted MCP server that exposes Dash capabilities to external
- * LLM clients (Claude Desktop, ChatGPT, etc.) via Streamable HTTP transport.
+ * tlsCert.js
  *
- * This is the MCP *server* — distinct from mcpController.js which is the
- * MCP *client* that connects to external tool servers for widgets.
+ * Generates and caches a self-signed TLS certificate for the MCP Dash Server.
+ * Uses node-forge (already in the dependency tree) to create a cert valid for
+ * 127.0.0.1 and localhost, stored in the app's userData directory.
  *
- * Architecture:
- *   - Node https server bound to 127.0.0.1 (localhost only)
- *   - Auto-generated self-signed TLS certificate for localhost
- *   - StreamableHTTPServerTransport from @modelcontextprotocol/sdk
- *   - McpServer registers tools and resources
- *   - Bearer token authentication on all requests
- *   - Rate limiting via token bucket (60 req/min)
- */
-
-const https$2 = require$$8$1;
-const { randomUUID } = require$$1$5;
-const { McpServer } = mcp;
-const {
-  StreamableHTTPServerTransport,
-} = streamableHttp;
-
-const settingsController$3 = settingsController_1;
-const { getOrCreateCert } = tlsCert;
-
-// --- State ---
-let mcpServer = null;
-let httpsServer = null;
-let transport = null;
-let startTime = null;
-let connectionCount = 0;
-let activeWin = null;
-
-// --- Rate Limiting ---
-const RATE_LIMIT = 60; // requests per minute
-const RATE_WINDOW = 60 * 1000; // 1 minute in ms
-const rateBuckets$1 = new Map(); // ip -> { count, resetAt }
-
-function isRateLimited$1(ip) {
-  const now = Date.now();
-  let bucket = rateBuckets$1.get(ip);
-  if (!bucket || now > bucket.resetAt) {
-    bucket = { count: 0, resetAt: now + RATE_WINDOW };
-    rateBuckets$1.set(ip, bucket);
-  }
-  bucket.count++;
-  return bucket.count > RATE_LIMIT;
-}
-
-// Clean up stale buckets periodically
-let cleanupInterval = null;
-function startCleanup() {
-  if (cleanupInterval) return;
-  cleanupInterval = setInterval(() => {
-    const now = Date.now();
-    for (const [ip, bucket] of rateBuckets$1) {
-      if (now > bucket.resetAt) rateBuckets$1.delete(ip);
-    }
-  }, RATE_WINDOW);
-}
-function stopCleanup() {
-  if (cleanupInterval) {
-    clearInterval(cleanupInterval);
-    cleanupInterval = null;
-  }
-  rateBuckets$1.clear();
-}
-
-// --- Tool, Resource & Prompt Registration ---
-// These are populated by other modules (DASH-78, DASH-79, etc.)
-// Each entry: { name, description, inputSchema, handler }
-const registeredTools = [];
-const registeredResources = [];
-// Each entry: { name, description, args, handler }
-const registeredPrompts = [];
-
-/**
- * Register a tool to be exposed via the MCP server.
- * Call this before starting the server (or restart after registering).
- */
-function registerTool$6(toolDef) {
-  registeredTools.push(toolDef);
-}
-
-/**
- * Register a resource to be exposed via the MCP server.
- */
-function registerResource$1(resourceDef) {
-  registeredResources.push(resourceDef);
-}
-
-/**
- * Register a prompt to be exposed via the MCP server.
- * Prompts are guided entry points that LLM clients display as suggested actions.
+ * Usage:
+ *   const { getOrCreateCert } = require('./tlsCert');
+ *   const { cert, key } = getOrCreateCert(certsDir);
+ *   https.createServer({ key, cert }, handler);
  */
-function registerPrompt$1(promptDef) {
-  registeredPrompts.push(promptDef);
-}
 
-const z = zod;
-const { jsonSchemaToZod } = jsonSchemaToZod_1;
+const fs$3 = require$$0$2;
+const path$6 = require$$1$2;
+const forge = require$$2$3;
 
 /**
- * Apply all registered tools, resources, and prompts to the McpServer instance.
+ * Get or create a self-signed TLS certificate for localhost.
+ * @param {string} certsDir - Directory to store cert.pem and key.pem
+ * @returns {{ cert: string, key: string }} PEM-encoded certificate and private key
  */
-function applyRegistrations(server) {
-  for (const tool of registeredTools) {
-    const zodSchema = jsonSchemaToZod(tool.inputSchema);
-    // server.tool() expects a raw Zod shape (e.g. { name: z.string() }),
-    // NOT a z.object() wrapper. Extract .shape from the Zod object.
-    server.tool(
-      tool.name,
-      tool.description,
-      zodSchema.shape || {},
-      tool.handler,
-    );
-  }
-  for (const resource of registeredResources) {
-    server.resource(
-      resource.name,
-      resource.uri,
-      resource.metadata || {},
-      resource.handler,
-    );
-  }
-  for (const prompt of registeredPrompts) {
-    if (prompt.args && Object.keys(prompt.args).length > 0) {
-      // Prompt with arguments — use the 4-arg overload
-      // Build a Zod-compatible arg schema from our plain arg definitions
-      const shape = {};
-      for (const [key, def] of Object.entries(prompt.args)) {
-        shape[key] = def.required
-          ? z.string().describe(def.description)
-          : z.string().optional().describe(def.description);
-      }
-      server.prompt(prompt.name, prompt.description, shape, prompt.handler);
-    } else {
-      // Prompt with no arguments — use the 2-arg overload
-      server.prompt(prompt.name, prompt.description, prompt.handler);
-    }
-  }
-}
-
-// --- Settings Helpers ---
-function getMcpServerSettings(win) {
-  const result = settingsController$3.getSettingsForApplication(win);
-  const settings = result?.settings || {};
-  return settings.mcpDashServer || {};
-}
-
-function saveMcpServerSettings(win, mcpSettings) {
-  const result = settingsController$3.getSettingsForApplication(win);
-  const settings = result?.settings || {};
-  settings.mcpDashServer = mcpSettings;
-  settingsController$3.saveSettingsForApplication(win, settings);
-}
+function getOrCreateCert$1(certsDir) {
+  const certPath = path$6.join(certsDir, "cert.pem");
+  const keyPath = path$6.join(certsDir, "key.pem");
 
-// --- App ID Resolution ---
-/**
- * Resolve the appId by scanning the userData/Dashboard directory for
- * subdirectories containing workspaces.json. Falls back to the default.
- */
-function resolveAppId() {
-  const { app } = require$$0$1;
-  const fs = require$$0$2;
-  const path = require$$1$2;
-  const dashboardDir = path.join(app.getPath("userData"), "Dashboard");
-  try {
-    const entries = fs.readdirSync(dashboardDir, { withFileTypes: true });
-    for (const entry of entries) {
-      if (entry.isDirectory()) {
-        const wsFile = path.join(dashboardDir, entry.name, "workspaces.json");
-        if (fs.existsSync(wsFile)) {
-          return entry.name;
-        }
+  // Return existing cert if valid
+  if (fs$3.existsSync(certPath) && fs$3.existsSync(keyPath)) {
+    try {
+      const cert = fs$3.readFileSync(certPath, "utf8");
+      const key = fs$3.readFileSync(keyPath, "utf8");
+      // Verify cert is not expired
+      const parsed = forge.pki.certificateFromPem(cert);
+      if (parsed.validity.notAfter > new Date()) {
+        return { cert, key };
       }
+      console.log("[tlsCert] Existing certificate expired, regenerating...");
+    } catch (e) {
+      console.log("[tlsCert] Existing certificate invalid, regenerating...");
     }
-  } catch (e) {
-    // Directory may not exist yet
-  }
-  return "@trops/dash-electron";
-}
-
-/**
- * Get the current server context (win + appId) for tool handlers.
- * Returns null if the server is not running.
- */
-function getServerContext() {
-  if (!activeWin) return null;
-  return { win: activeWin, appId: resolveAppId() };
-}
-
-// --- Controller ---
-const mcpDashServerController$4 = {
-  /**
-   * Start the MCP Dash server.
-   * @param {BrowserWindow} win
-   * @param {Object} options - { port?: number }
-   */
-  startServer: async (win, options = {}) => {
-    if (httpsServer) {
-      return {
-        success: false,
-        error: "Server is already running",
-      };
-    }
+  }
 
-    try {
-      const serverSettings = getMcpServerSettings(win);
-      const port = options.port || serverSettings.port || 3141;
-      const token =
-        serverSettings.token || mcpDashServerController$4.getOrCreateToken(win);
+  console.log("[tlsCert] Generating self-signed certificate for localhost...");
 
-      // Create McpServer
-      mcpServer = new McpServer({
-        name: "dash-electron",
-        version: "1.0.0",
-      });
+  // Generate 2048-bit RSA key pair
+  const keys = forge.pki.rsa.generateKeyPair(2048);
 
-      // Generate or load TLS certificate
-      const { app } = require("electron");
-      const path = require("path");
-      const certsDir = path.join(app.getPath("userData"), "certs");
-      const tlsCert = getOrCreateCert(certsDir);
+  // Create certificate
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = "01";
 
-      // Apply registered tools and resources
-      applyRegistrations(mcpServer);
+  // Valid for 10 years
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(
+    cert.validity.notBefore.getFullYear() + 10,
+  );
 
-      // Create HTTPS server with auth and rate limiting
-      httpsServer = https$2.createServer(
-        { key: tlsCert.key, cert: tlsCert.cert },
-        async (req, res) => {
-          const ip = req.socket.remoteAddress || req.connection.remoteAddress;
+  // Subject and issuer (self-signed)
+  const attrs = [
+    { name: "commonName", value: "Dash MCP Server" },
+    { name: "organizationName", value: "Dash" },
+  ];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
 
-          // Rate limiting
-          if (isRateLimited$1(ip)) {
-            res.writeHead(429, { "Content-Type": "application/json" });
-            res.end(JSON.stringify({ error: "Rate limit exceeded" }));
-            return;
-          }
+  // Subject Alternative Names (SAN) — required for modern TLS clients
+  cert.setExtensions([
+    { name: "basicConstraints", cA: false },
+    {
+      name: "keyUsage",
+      digitalSignature: true,
+      keyEncipherment: true,
+    },
+    {
+      name: "extKeyUsage",
+      serverAuth: true,
+    },
+    {
+      name: "subjectAltName",
+      altNames: [
+        { type: 7, ip: "127.0.0.1" }, // IP SAN
+        { type: 2, value: "localhost" }, // DNS SAN
+      ],
+    },
+  ]);
 
-          // Bearer token auth
-          const authHeader = req.headers.authorization;
-          if (!authHeader || authHeader !== `Bearer ${token}`) {
-            res.writeHead(401, { "Content-Type": "application/json" });
-            res.end(JSON.stringify({ error: "Unauthorized" }));
-            return;
-          }
+  // Self-sign with SHA-256
+  cert.sign(keys.privateKey, forge.md.sha256.create());
 
-          // Handle MCP requests on /mcp path
-          if (req.url === "/mcp" || req.url?.startsWith("/mcp")) {
-            try {
-              // Stateless mode: create a fresh server + transport per request
-              const reqServer = new McpServer({
-                name: "dash-electron",
-                version: "1.0.0",
-              });
-              applyRegistrations(reqServer);
-              const reqTransport = new StreamableHTTPServerTransport({
-                sessionIdGenerator: undefined,
-              });
-              await reqServer.connect(reqTransport);
-              connectionCount++;
-              await reqTransport.handleRequest(req, res);
-            } catch (err) {
-              console.error("[mcpDashServer] Error handling MCP request:", err);
-              if (!res.headersSent) {
-                res.writeHead(500, {
-                  "Content-Type": "application/json",
-                });
-                res.end(
-                  JSON.stringify({
-                    error: "Internal server error",
-                  }),
-                );
-              }
-            }
-          } else {
-            // Health check endpoint
-            if (req.url === "/health" && req.method === "GET") {
-              res.writeHead(200, {
-                "Content-Type": "application/json",
-              });
-              res.end(
-                JSON.stringify({
-                  status: "ok",
-                  server: "dash-electron-mcp",
-                  version: "1.0.0",
-                }),
-              );
-              return;
-            }
-            res.writeHead(404, { "Content-Type": "application/json" });
-            res.end(JSON.stringify({ error: "Not found" }));
-          }
-        },
-      );
+  // Convert to PEM
+  const certPem = forge.pki.certificateToPem(cert);
+  const keyPem = forge.pki.privateKeyToPem(keys.privateKey);
 
-      // Bind to localhost only
-      await new Promise((resolve, reject) => {
-        httpsServer.on("error", (err) => {
-          httpsServer = null;
-          mcpServer = null;
-          if (err.code === "EADDRINUSE") {
-            reject(
-              new Error(
-                `Port ${port} is already in use. Choose a different port in Settings.`,
-              ),
-            );
-          } else {
-            reject(err);
-          }
-        });
-        httpsServer.listen(port, "127.0.0.1", () => {
-          resolve();
-        });
-      });
+  // Write to disk
+  fs$3.mkdirSync(certsDir, { recursive: true });
+  fs$3.writeFileSync(certPath, certPem, { mode: 0o644 });
+  fs$3.writeFileSync(keyPath, keyPem, { mode: 0o600 });
 
-      startTime = Date.now();
-      connectionCount = 0;
-      activeWin = win;
-      startCleanup();
+  console.log(`[tlsCert] Certificate saved to ${certsDir}`);
 
-      // Save enabled state
-      saveMcpServerSettings(win, {
-        ...serverSettings,
-        enabled: true,
-        port,
-        token,
-      });
+  return { cert: certPem, key: keyPem };
+}
 
-      console.log(
-        `[mcpDashServer] Server started on https://127.0.0.1:${port}/mcp`,
-      );
+var tlsCert = { getOrCreateCert: getOrCreateCert$1 };
 
-      return {
-        success: true,
-        port,
-        url: `https://127.0.0.1:${port}/mcp`,
-      };
-    } catch (err) {
-      console.error("[mcpDashServer] Failed to start server:", err);
-      httpsServer = null;
-      mcpServer = null;
-      return {
-        success: false,
-        error: err.message,
-      };
-    }
-  },
+/**
+ * jsonSchemaToZod.js
+ *
+ * Converts JSON Schema objects to Zod v3 schemas.
+ * Used by the MCP Dash server to satisfy the MCP SDK's requirement
+ * for Zod schemas in tool input validation (safeParseAsync).
+ */
 
-  /**
-   * Stop the MCP Dash server.
-   */
-  stopServer: async (win) => {
-    if (!httpsServer) {
-      return { success: true, message: "Server was not running" };
-    }
+const z$1 = zod;
 
-    try {
-      stopCleanup();
+/**
+ * Convert a JSON Schema property definition to a Zod v3 schema.
+ * Handles: string (+ enum), number, boolean, object (recursive), array.
+ */
+function jsonSchemaPropertyToZod(prop) {
+  if (!prop || typeof prop !== "object") return z$1.any();
 
-      await new Promise((resolve) => {
-        httpsServer.close(() => resolve());
-        // Force close after 5 seconds
-        setTimeout(() => resolve(), 5000);
-      });
+  let schema;
 
-      if (mcpServer) {
-        try {
-          await mcpServer.close();
-        } catch (e) {
-          // Ignore close errors
-        }
+  switch (prop.type) {
+    case "string":
+      if (Array.isArray(prop.enum) && prop.enum.length > 0) {
+        schema = z$1.enum(prop.enum);
+      } else {
+        schema = z$1.string();
       }
-
-      httpsServer = null;
-      mcpServer = null;
-      transport = null;
-      startTime = null;
-      connectionCount = 0;
-      activeWin = null;
-
-      // Update settings
-      if (win) {
-        const serverSettings = getMcpServerSettings(win);
-        saveMcpServerSettings(win, {
-          ...serverSettings,
-          enabled: false,
-        });
+      break;
+    case "number":
+      schema = z$1.number();
+      break;
+    case "boolean":
+      schema = z$1.boolean();
+      break;
+    case "array":
+      schema = z$1.array(
+        prop.items ? jsonSchemaPropertyToZod(prop.items) : z$1.any(),
+      );
+      break;
+    case "object":
+      if (prop.properties && Object.keys(prop.properties).length > 0) {
+        schema = jsonSchemaToZod$1(prop);
+      } else {
+        // Generic object with no known properties (e.g. config, credentials)
+        schema = z$1.object({}).passthrough();
       }
+      break;
+    default:
+      schema = z$1.any();
+  }
 
-      console.log("[mcpDashServer] Server stopped");
-      return { success: true };
-    } catch (err) {
-      console.error("[mcpDashServer] Error stopping server:", err);
-      return { success: false, error: err.message };
-    }
-  },
+  if (prop.description) {
+    schema = schema.describe(prop.description);
+  }
 
-  /**
-   * Restart the server (stop + start).
-   */
-  restartServer: async (win, options = {}) => {
-    await mcpDashServerController$4.stopServer(win);
-    return mcpDashServerController$4.startServer(win, options);
-  },
+  return schema;
+}
 
-  /**
-   * Get server status.
-   */
-  getStatus: (win) => {
-    const serverSettings = getMcpServerSettings(win);
-    return {
-      running: !!httpsServer,
-      enabled: serverSettings.enabled || false,
-      port: serverSettings.port || 3141,
-      connectionCount,
-      uptime: startTime ? Math.floor((Date.now() - startTime) / 1000) : 0,
-      toolCount: registeredTools.length,
-      resourceCount: registeredResources.length,
-    };
-  },
+/**
+ * Convert a top-level JSON Schema inputSchema to a Zod v3 object schema.
+ * The MCP SDK requires Zod schemas for input validation (safeParseAsync).
+ */
+function jsonSchemaToZod$1(schema) {
+  if (!schema || schema.type !== "object") {
+    return z$1.object({});
+  }
 
-  /**
-   * Get or create the bearer token.
-   */
-  getOrCreateToken: (win) => {
-    const serverSettings = getMcpServerSettings(win);
-    if (serverSettings.token) {
-      return serverSettings.token;
-    }
-    const token = randomUUID();
-    saveMcpServerSettings(win, { ...serverSettings, token });
-    return token;
-  },
+  const properties = schema.properties || {};
+  const required = Array.isArray(schema.required) ? schema.required : [];
+  const shape = {};
 
-  /**
-   * Auto-start server if enabled in settings.
-   * Called from dash-electron on app ready.
-   */
-  autoStart: async (win) => {
-    const serverSettings = getMcpServerSettings(win);
-    if (serverSettings.enabled) {
-      console.log("[mcpDashServer] Auto-starting server...");
-      return mcpDashServerController$4.startServer(win, {
-        port: serverSettings.port,
-      });
+  for (const [key, prop] of Object.entries(properties)) {
+    let fieldSchema = jsonSchemaPropertyToZod(prop);
+    if (!required.includes(key)) {
+      fieldSchema = fieldSchema.optional();
     }
-    return { success: false, message: "Server not enabled" };
-  },
+    shape[key] = fieldSchema;
+  }
 
-  // Expose registration functions for other controllers
-  registerTool: registerTool$6,
-  registerResource: registerResource$1,
-  registerPrompt: registerPrompt$1,
-  getServerContext,
-};
+  return z$1.object(shape);
+}
 
-var mcpDashServerController_1 = mcpDashServerController$4;
+var jsonSchemaToZod_1 = { jsonSchemaToZod: jsonSchemaToZod$1, jsonSchemaPropertyToZod };
 
 /**
- * registryAuthController.js
+ * mcpDashServerController.js
  *
- * Manages authentication with the Dash registry service.
- * Uses OAuth device code flow for desktop app authentication.
+ * Manages the hosted MCP server that exposes Dash capabilities to external
+ * LLM clients (Claude Desktop, ChatGPT, etc.) via Streamable HTTP transport.
  *
- * Flow:
- * 1. App calls initiateDeviceFlow() — gets device code + verification URL
- * 2. User opens verification URL in browser, signs in, enters code
- * 3. App polls pollForToken() until authorized
- * 4. Token stored securely via electron-store (encrypted)
+ * This is the MCP *server* — distinct from mcpController.js which is the
+ * MCP *client* that connects to external tool servers for widgets.
+ *
+ * Architecture:
+ *   - Node https server bound to 127.0.0.1 (localhost only)
+ *   - Auto-generated self-signed TLS certificate for localhost
+ *   - StreamableHTTPServerTransport from @modelcontextprotocol/sdk
+ *   - McpServer registers tools and resources
+ *   - Bearer token authentication on all requests
+ *   - Rate limiting via token bucket (60 req/min)
  */
 
-const REGISTRY_BASE_URL$1 =
-  process.env.DASH_REGISTRY_API_URL ||
-  "https://main.d919rwhuzp7rj.amplifyapp.com";
+const https$2 = require$$8$1;
+const { randomUUID } = require$$1$5;
+const { McpServer } = mcp;
+const {
+  StreamableHTTPServerTransport,
+} = streamableHttp;
 
-// Lazy-load electron-store to avoid issues when not installed
-let store$3 = null;
-function getStore$1() {
-  if (!store$3) {
-    const Store = require$$1$1;
-    store$3 = new Store({
-      name: "dash-registry-auth",
-      encryptionKey: "dash-registry-v1",
-    });
+const settingsController$3 = settingsController_1;
+const { getOrCreateCert } = tlsCert;
+
+// --- State ---
+let mcpServer = null;
+let httpsServer = null;
+let transport = null;
+let startTime = null;
+let connectionCount = 0;
+let activeWin = null;
+
+// --- Rate Limiting ---
+const RATE_LIMIT = 60; // requests per minute
+const RATE_WINDOW = 60 * 1000; // 1 minute in ms
+const rateBuckets$1 = new Map(); // ip -> { count, resetAt }
+
+function isRateLimited$1(ip) {
+  const now = Date.now();
+  let bucket = rateBuckets$1.get(ip);
+  if (!bucket || now > bucket.resetAt) {
+    bucket = { count: 0, resetAt: now + RATE_WINDOW };
+    rateBuckets$1.set(ip, bucket);
   }
-  return store$3;
+  bucket.count++;
+  return bucket.count > RATE_LIMIT;
 }
 
-/**
- * Initiate the OAuth device code flow.
- * Returns the device code, user code, and verification URL.
- *
- * @returns {Promise<Object>} { deviceCode, userCode, verificationUrl, verificationUrlComplete, expiresIn, interval }
- */
-async function initiateDeviceFlow$1() {
-  const response = await fetch(`${REGISTRY_BASE_URL$1}/api/auth/device`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-  });
-
-  if (!response.ok) {
-    throw new Error(`Device flow initiation failed: ${response.status}`);
+// Clean up stale buckets periodically
+let cleanupInterval = null;
+function startCleanup() {
+  if (cleanupInterval) return;
+  cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [ip, bucket] of rateBuckets$1) {
+      if (now > bucket.resetAt) rateBuckets$1.delete(ip);
+    }
+  }, RATE_WINDOW);
+}
+function stopCleanup() {
+  if (cleanupInterval) {
+    clearInterval(cleanupInterval);
+    cleanupInterval = null;
   }
+  rateBuckets$1.clear();
+}
 
-  const data = await response.json();
+// --- Tool, Resource & Prompt Registration ---
+// These are populated by other modules (DASH-78, DASH-79, etc.)
+// Each entry: { name, description, inputSchema, handler }
+const registeredTools = [];
+const registeredResources = [];
+// Each entry: { name, description, args, handler }
+const registeredPrompts = [];
 
-  return {
-    deviceCode: data.device_code,
-    userCode: data.user_code,
-    verificationUrl: data.verification_uri,
-    verificationUrlComplete: data.verification_uri_complete,
-    expiresIn: data.expires_in,
-    interval: data.interval,
-  };
+/**
+ * Register a tool to be exposed via the MCP server.
+ * Call this before starting the server (or restart after registering).
+ */
+function registerTool$6(toolDef) {
+  registeredTools.push(toolDef);
 }
 
 /**
- * Poll the registry for token after user completes browser auth.
- *
- * @param {string} deviceCode - The device code from initiateDeviceFlow()
- * @returns {Promise<Object>} { status: 'pending' | 'authorized' | 'expired', token?, userId? }
+ * Register a resource to be exposed via the MCP server.
  */
-async function pollForToken$1(deviceCode) {
-  const response = await fetch(
-    `${REGISTRY_BASE_URL$1}/api/auth/device?device_code=${encodeURIComponent(deviceCode)}`,
-  );
+function registerResource$1(resourceDef) {
+  registeredResources.push(resourceDef);
+}
 
-  if (response.status === 428) {
-    return { status: "pending" };
+/**
+ * Register a prompt to be exposed via the MCP server.
+ * Prompts are guided entry points that LLM clients display as suggested actions.
+ */
+function registerPrompt$1(promptDef) {
+  registeredPrompts.push(promptDef);
+}
+
+const z = zod;
+const { jsonSchemaToZod } = jsonSchemaToZod_1;
+
+/**
+ * Apply all registered tools, resources, and prompts to the McpServer instance.
+ */
+function applyRegistrations(server) {
+  for (const tool of registeredTools) {
+    const zodSchema = jsonSchemaToZod(tool.inputSchema);
+    // server.tool() expects a raw Zod shape (e.g. { name: z.string() }),
+    // NOT a z.object() wrapper. Extract .shape from the Zod object.
+    server.tool(
+      tool.name,
+      tool.description,
+      zodSchema.shape || {},
+      tool.handler,
+    );
+  }
+  for (const resource of registeredResources) {
+    server.resource(
+      resource.name,
+      resource.uri,
+      resource.metadata || {},
+      resource.handler,
+    );
   }
-
-  if (response.status === 400) {
-    const data = await response.json();
-    if (data.error === "expired_token") {
-      return { status: "expired" };
+  for (const prompt of registeredPrompts) {
+    if (prompt.args && Object.keys(prompt.args).length > 0) {
+      // Prompt with arguments — use the 4-arg overload
+      // Build a Zod-compatible arg schema from our plain arg definitions
+      const shape = {};
+      for (const [key, def] of Object.entries(prompt.args)) {
+        shape[key] = def.required
+          ? z.string().describe(def.description)
+          : z.string().optional().describe(def.description);
+      }
+      server.prompt(prompt.name, prompt.description, shape, prompt.handler);
+    } else {
+      // Prompt with no arguments — use the 2-arg overload
+      server.prompt(prompt.name, prompt.description, prompt.handler);
     }
-    return { status: "pending" };
   }
+}
 
-  if (response.ok) {
-    const data = await response.json();
-
-    // Store the token securely
-    const s = getStore$1();
-    s.set("accessToken", data.access_token);
-    s.set("userId", data.user_id);
-    s.set("tokenType", data.token_type);
-    s.set("authenticatedAt", new Date().toISOString());
-
-    return {
-      status: "authorized",
-      token: data.access_token,
-      userId: data.user_id,
-    };
-  }
+// --- Settings Helpers ---
+function getMcpServerSettings(win) {
+  const result = settingsController$3.getSettingsForApplication(win);
+  const settings = result?.settings || {};
+  return settings.mcpDashServer || {};
+}
 
-  throw new Error(`Unexpected response: ${response.status}`);
+function saveMcpServerSettings(win, mcpSettings) {
+  const result = settingsController$3.getSettingsForApplication(win);
+  const settings = result?.settings || {};
+  settings.mcpDashServer = mcpSettings;
+  settingsController$3.saveSettingsForApplication(win, settings);
 }
 
+// --- App ID Resolution ---
 /**
- * Get the stored auth token.
- *
- * @returns {Object|null} { token, userId, authenticatedAt } or null if not authenticated
+ * Resolve the appId by scanning the userData/Dashboard directory for
+ * subdirectories containing workspaces.json. Falls back to the default.
  */
-function getStoredToken$3() {
+function resolveAppId() {
+  const { app } = require$$0$1;
+  const fs = require$$0$2;
+  const path = require$$1$2;
+  const dashboardDir = path.join(app.getPath("userData"), "Dashboard");
   try {
-    const s = getStore$1();
-    const token = s.get("accessToken");
-    if (!token) return null;
-
-    return {
-      token,
-      userId: s.get("userId"),
-      authenticatedAt: s.get("authenticatedAt"),
-    };
-  } catch {
-    return null;
+    const entries = fs.readdirSync(dashboardDir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (entry.isDirectory()) {
+        const wsFile = path.join(dashboardDir, entry.name, "workspaces.json");
+        if (fs.existsSync(wsFile)) {
+          return entry.name;
+        }
+      }
+    }
+  } catch (e) {
+    // Directory may not exist yet
   }
+  return "@trops/dash-electron";
 }
 
 /**
- * Check if the user is authenticated with the registry.
- *
- * @returns {Object} { authenticated: boolean, userId?: string }
+ * Get the current server context (win + appId) for tool handlers.
+ * Returns null if the server is not running.
  */
-function getAuthStatus$1() {
-  const stored = getStoredToken$3();
-  if (!stored) {
-    return { authenticated: false };
-  }
-
-  return {
-    authenticated: true,
-    userId: stored.userId,
-    authenticatedAt: stored.authenticatedAt,
-  };
+function getServerContext() {
+  if (!activeWin) return null;
+  return { win: activeWin, appId: resolveAppId() };
 }
 
-/**
- * Get the user's registry profile.
- *
- * @returns {Promise<Object|null>} User profile or null
- */
-async function getRegistryProfile$2() {
-  const stored = getStoredToken$3();
-  if (!stored) return null;
+// --- Controller ---
+const mcpDashServerController$4 = {
+  /**
+   * Start the MCP Dash server.
+   * @param {BrowserWindow} win
+   * @param {Object} options - { port?: number }
+   */
+  startServer: async (win, options = {}) => {
+    if (httpsServer) {
+      return {
+        success: false,
+        error: "Server is already running",
+      };
+    }
 
-  try {
-    const response = await fetch(`${REGISTRY_BASE_URL$1}/api/auth/me`, {
-      headers: {
-        Authorization: `Bearer ${stored.token}`,
-      },
-    });
+    try {
+      const serverSettings = getMcpServerSettings(win);
+      const port = options.port || serverSettings.port || 3141;
+      const token =
+        serverSettings.token || mcpDashServerController$4.getOrCreateToken(win);
 
-    if (response.status === 401) {
-      // Token expired or invalid — clear stored credentials
-      clearToken$2();
-      return null;
-    }
-    if (!response.ok) return null;
+      // Create McpServer
+      mcpServer = new McpServer({
+        name: "dash-electron",
+        version: "1.0.0",
+      });
 
-    const data = await response.json();
-    return data.user || null;
-  } catch {
-    return null;
-  }
-}
+      // Generate or load TLS certificate
+      const { app } = require("electron");
+      const path = require("path");
+      const certsDir = path.join(app.getPath("userData"), "certs");
+      const tlsCert = getOrCreateCert(certsDir);
 
-/**
- * Clear stored auth token (logout).
- */
-function clearToken$2() {
-  try {
-    const s = getStore$1();
-    s.clear();
-    console.log("[RegistryAuthController] Token cleared");
-  } catch (err) {
-    console.error("[RegistryAuthController] Error clearing token:", err);
-  }
-}
+      // Apply registered tools and resources
+      applyRegistrations(mcpServer);
+
+      // Create HTTPS server with auth and rate limiting
+      httpsServer = https$2.createServer(
+        { key: tlsCert.key, cert: tlsCert.cert },
+        async (req, res) => {
+          const ip = req.socket.remoteAddress || req.connection.remoteAddress;
+
+          // Rate limiting
+          if (isRateLimited$1(ip)) {
+            res.writeHead(429, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "Rate limit exceeded" }));
+            return;
+          }
+
+          // Bearer token auth
+          const authHeader = req.headers.authorization;
+          if (!authHeader || authHeader !== `Bearer ${token}`) {
+            res.writeHead(401, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "Unauthorized" }));
+            return;
+          }
+
+          // Handle MCP requests on /mcp path
+          if (req.url === "/mcp" || req.url?.startsWith("/mcp")) {
+            try {
+              // Stateless mode: create a fresh server + transport per request
+              const reqServer = new McpServer({
+                name: "dash-electron",
+                version: "1.0.0",
+              });
+              applyRegistrations(reqServer);
+              const reqTransport = new StreamableHTTPServerTransport({
+                sessionIdGenerator: undefined,
+              });
+              await reqServer.connect(reqTransport);
+              connectionCount++;
+              await reqTransport.handleRequest(req, res);
+            } catch (err) {
+              console.error("[mcpDashServer] Error handling MCP request:", err);
+              if (!res.headersSent) {
+                res.writeHead(500, {
+                  "Content-Type": "application/json",
+                });
+                res.end(
+                  JSON.stringify({
+                    error: "Internal server error",
+                  }),
+                );
+              }
+            }
+          } else {
+            // Health check endpoint
+            if (req.url === "/health" && req.method === "GET") {
+              res.writeHead(200, {
+                "Content-Type": "application/json",
+              });
+              res.end(
+                JSON.stringify({
+                  status: "ok",
+                  server: "dash-electron-mcp",
+                  version: "1.0.0",
+                }),
+              );
+              return;
+            }
+            res.writeHead(404, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "Not found" }));
+          }
+        },
+      );
+
+      // Bind to localhost only
+      await new Promise((resolve, reject) => {
+        httpsServer.on("error", (err) => {
+          httpsServer = null;
+          mcpServer = null;
+          if (err.code === "EADDRINUSE") {
+            reject(
+              new Error(
+                `Port ${port} is already in use. Choose a different port in Settings.`,
+              ),
+            );
+          } else {
+            reject(err);
+          }
+        });
+        httpsServer.listen(port, "127.0.0.1", () => {
+          resolve();
+        });
+      });
 
-/**
- * Update the authenticated user's registry profile.
- *
- * @param {Object} updates - Fields to update (e.g. { displayName })
- * @returns {Promise<Object|null>} Updated user or null on 401
- */
-async function updateRegistryProfile$1(updates) {
-  const stored = getStoredToken$3();
-  if (!stored) return null;
+      startTime = Date.now();
+      connectionCount = 0;
+      activeWin = win;
+      startCleanup();
 
-  try {
-    const response = await fetch(`${REGISTRY_BASE_URL$1}/api/auth/me`, {
-      method: "PATCH",
-      headers: {
-        Authorization: `Bearer ${stored.token}`,
-        "Content-Type": "application/json",
-      },
-      body: JSON.stringify(updates),
-    });
+      // Save enabled state
+      saveMcpServerSettings(win, {
+        ...serverSettings,
+        enabled: true,
+        port,
+        token,
+      });
 
-    if (response.status === 401) {
-      clearToken$2();
-      return null;
-    }
-    if (!response.ok) return null;
+      console.log(
+        `[mcpDashServer] Server started on https://127.0.0.1:${port}/mcp`,
+      );
 
-    const data = await response.json();
-    return data.user || null;
-  } catch {
-    return null;
-  }
-}
+      return {
+        success: true,
+        port,
+        url: `https://127.0.0.1:${port}/mcp`,
+      };
+    } catch (err) {
+      console.error("[mcpDashServer] Failed to start server:", err);
+      httpsServer = null;
+      mcpServer = null;
+      return {
+        success: false,
+        error: err.message,
+      };
+    }
+  },
 
-/**
- * Get the authenticated user's published packages.
- *
- * @returns {Promise<Object|null>} { packages: [...] } or null
- */
-async function getRegistryPackages$1() {
-  const stored = getStoredToken$3();
-  if (!stored) return null;
+  /**
+   * Stop the MCP Dash server.
+   */
+  stopServer: async (win) => {
+    if (!httpsServer) {
+      return { success: true, message: "Server was not running" };
+    }
 
-  try {
-    const response = await fetch(`${REGISTRY_BASE_URL$1}/api/auth/me/packages`, {
-      headers: {
-        Authorization: `Bearer ${stored.token}`,
-      },
-    });
+    try {
+      stopCleanup();
 
-    if (response.status === 401) {
-      clearToken$2();
-      return null;
-    }
-    if (!response.ok) return null;
+      await new Promise((resolve) => {
+        httpsServer.close(() => resolve());
+        // Force close after 5 seconds
+        setTimeout(() => resolve(), 5000);
+      });
 
-    return await response.json();
-  } catch {
-    return null;
-  }
-}
+      if (mcpServer) {
+        try {
+          await mcpServer.close();
+        } catch (e) {
+          // Ignore close errors
+        }
+      }
 
-/**
- * Update a published package's metadata.
- *
- * @param {string} scope - Package scope (e.g. "@trops")
- * @param {string} name - Package name
- * @param {Object} updates - Fields to update (displayName, description, category, tags, visibility)
- * @returns {Promise<Object|null>} Updated package or null
- */
-async function updateRegistryPackage$1(scope, name, updates) {
-  const stored = getStoredToken$3();
-  if (!stored) return null;
+      httpsServer = null;
+      mcpServer = null;
+      transport = null;
+      startTime = null;
+      connectionCount = 0;
+      activeWin = null;
 
-  try {
-    const response = await fetch(
-      `${REGISTRY_BASE_URL$1}/api/packages/${encodeURIComponent(scope)}/${encodeURIComponent(name)}`,
-      {
-        method: "PATCH",
-        headers: {
-          Authorization: `Bearer ${stored.token}`,
-          "Content-Type": "application/json",
-        },
-        body: JSON.stringify(updates),
-      },
-    );
+      // Update settings
+      if (win) {
+        const serverSettings = getMcpServerSettings(win);
+        saveMcpServerSettings(win, {
+          ...serverSettings,
+          enabled: false,
+        });
+      }
 
-    if (response.status === 401) {
-      clearToken$2();
-      return null;
+      console.log("[mcpDashServer] Server stopped");
+      return { success: true };
+    } catch (err) {
+      console.error("[mcpDashServer] Error stopping server:", err);
+      return { success: false, error: err.message };
     }
-    if (!response.ok) return null;
-
-    return await response.json();
-  } catch {
-    return null;
-  }
-}
+  },
 
-/**
- * Delete a published package from the registry.
- *
- * @param {string} scope - Package scope (e.g. "@trops")
- * @param {string} name - Package name
- * @returns {Promise<Object|null>} Response or null
- */
-async function deleteRegistryPackage(scope, name) {
-  const stored = getStoredToken$3();
-  if (!stored) return null;
+  /**
+   * Restart the server (stop + start).
+   */
+  restartServer: async (win, options = {}) => {
+    await mcpDashServerController$4.stopServer(win);
+    return mcpDashServerController$4.startServer(win, options);
+  },
 
-  try {
-    const response = await fetch(
-      `${REGISTRY_BASE_URL$1}/api/packages/${encodeURIComponent(scope)}/${encodeURIComponent(name)}`,
-      {
-        method: "DELETE",
-        headers: {
-          Authorization: `Bearer ${stored.token}`,
-        },
-      },
-    );
+  /**
+   * Get server status.
+   */
+  getStatus: (win) => {
+    const serverSettings = getMcpServerSettings(win);
+    return {
+      running: !!httpsServer,
+      enabled: serverSettings.enabled || false,
+      port: serverSettings.port || 3141,
+      connectionCount,
+      uptime: startTime ? Math.floor((Date.now() - startTime) / 1000) : 0,
+      toolCount: registeredTools.length,
+      resourceCount: registeredResources.length,
+    };
+  },
 
-    if (response.status === 401) {
-      clearToken$2();
-      return null;
+  /**
+   * Get or create the bearer token.
+   */
+  getOrCreateToken: (win) => {
+    const serverSettings = getMcpServerSettings(win);
+    if (serverSettings.token) {
+      return serverSettings.token;
     }
-    if (!response.ok) return null;
+    const token = randomUUID();
+    saveMcpServerSettings(win, { ...serverSettings, token });
+    return token;
+  },
 
-    return await response.json();
-  } catch {
-    return null;
-  }
-}
+  /**
+   * Auto-start server if enabled in settings.
+   * Called from dash-electron on app ready.
+   */
+  autoStart: async (win) => {
+    const serverSettings = getMcpServerSettings(win);
+    if (serverSettings.enabled) {
+      console.log("[mcpDashServer] Auto-starting server...");
+      return mcpDashServerController$4.startServer(win, {
+        port: serverSettings.port,
+      });
+    }
+    return { success: false, message: "Server not enabled" };
+  },
 
-var registryAuthController$2 = {
-  initiateDeviceFlow: initiateDeviceFlow$1,
-  pollForToken: pollForToken$1,
-  getStoredToken: getStoredToken$3,
-  getAuthStatus: getAuthStatus$1,
-  getRegistryProfile: getRegistryProfile$2,
-  updateRegistryProfile: updateRegistryProfile$1,
-  getRegistryPackages: getRegistryPackages$1,
-  updateRegistryPackage: updateRegistryPackage$1,
-  deleteRegistryPackage,
-  clearToken: clearToken$2,
+  // Expose registration functions for other controllers
+  registerTool: registerTool$6,
+  registerResource: registerResource$1,
+  registerPrompt: registerPrompt$1,
+  getServerContext,
 };
 
+var mcpDashServerController_1 = mcpDashServerController$4;
+
 var widgetRegistry$1 = {exports: {}};
 
 var dynamicWidgetLoader$2 = {exports: {}};