@tstax/coding-tab 0.1.0

package/dist/server.cjs

@@ -0,0 +1,709 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server/index.ts
+var server_exports = {};
+__export(server_exports, {
+  mountCodingTab: () => mountCodingTab
+});
+module.exports = __toCommonJS(server_exports);
+
+// node_modules/tsup/assets/cjs_shims.js
+var getImportMetaUrl = () => typeof document === "undefined" ? new URL(`file:${__filename}`).href : document.currentScript && document.currentScript.tagName.toUpperCase() === "SCRIPT" ? document.currentScript.src : new URL("main.js", document.baseURI).href;
+var importMetaUrl = /* @__PURE__ */ getImportMetaUrl();
+
+// src/server/index.ts
+var import_express5 = __toESM(require("express"), 1);
+
+// src/server/authRoutes.ts
+var import_express = require("express");
+var import_node_crypto = require("crypto");
+
+// src/server/authMiddleware.ts
+var import_iron_session = require("iron-session");
+
+// src/server/session.ts
+var SESSION_COOKIE_NAME = "coding_tab_session";
+function buildSessionOptions(password, secure) {
+  return {
+    password,
+    cookieName: SESSION_COOKIE_NAME,
+    cookieOptions: {
+      httpOnly: true,
+      secure,
+      sameSite: "lax",
+      path: "/",
+      maxAge: 60 * 60 * 24 * 30
+    }
+  };
+}
+
+// src/server/authMiddleware.ts
+function getSession(req, res, opts) {
+  return (0, import_iron_session.getIronSession)(req, res, buildSessionOptions(opts.sessionPassword, opts.secure));
+}
+function makeRequireAuth(opts) {
+  const allowed = new Set(opts.allowedLogins.map((l) => l.toLowerCase()));
+  return async function requireAuth(req, res, next) {
+    try {
+      const session = await getSession(req, res, opts);
+      if (!session.githubLogin || !session.accessToken) {
+        res.status(401).json({ error: "unauthenticated" });
+        return;
+      }
+      if (allowed.size > 0 && !allowed.has(session.githubLogin.toLowerCase())) {
+        res.status(403).json({ error: "not_authorized" });
+        return;
+      }
+      req.user = {
+        githubLogin: session.githubLogin,
+        accessToken: session.accessToken,
+        avatarUrl: session.avatarUrl
+      };
+      next();
+    } catch (err) {
+      console.error(`[${SESSION_COOKIE_NAME}] requireAuth failed`, err);
+      res.status(500).json({ error: "session_error" });
+    }
+  };
+}
+
+// src/server/authRoutes.ts
+var OAUTH_STATE_TTL_MS = 10 * 60 * 1e3;
+function makeAuthRouter(opts) {
+  const router = (0, import_express.Router)();
+  const allowed = new Set(opts.oauth.allowedLogins.map((l) => l.toLowerCase()));
+  const scopes = opts.oauth.scopes ?? ["repo", "read:user"];
+  router.get("/auth/login", async (req, res) => {
+    const session = await getSession(req, res, opts);
+    const state = (0, import_node_crypto.randomBytes)(24).toString("hex");
+    session.oauthState = state;
+    session.oauthStateCreatedAt = Date.now();
+    await session.save();
+    const url = new URL("https://github.com/login/oauth/authorize");
+    url.searchParams.set("client_id", opts.oauth.clientId);
+    url.searchParams.set("redirect_uri", opts.oauth.callbackUrl);
+    url.searchParams.set("scope", scopes.join(" "));
+    url.searchParams.set("state", state);
+    url.searchParams.set("allow_signup", "false");
+    res.redirect(302, url.toString());
+  });
+  router.get("/auth/callback", async (req, res) => {
+    const session = await getSession(req, res, opts);
+    const code = typeof req.query.code === "string" ? req.query.code : null;
+    const state = typeof req.query.state === "string" ? req.query.state : null;
+    const expectedState = session.oauthState;
+    const stateAge = session.oauthStateCreatedAt ? Date.now() - session.oauthStateCreatedAt : Number.POSITIVE_INFINITY;
+    session.oauthState = void 0;
+    session.oauthStateCreatedAt = void 0;
+    if (!code || !state || !expectedState || state !== expectedState || stateAge > OAUTH_STATE_TTL_MS) {
+      await session.save();
+      res.status(400).send("OAuth state mismatch or expired. Try signing in again.");
+      return;
+    }
+    try {
+      const tokenResp = await fetch("https://github.com/login/oauth/access_token", {
+        method: "POST",
+        headers: {
+          Accept: "application/json",
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          client_id: opts.oauth.clientId,
+          client_secret: opts.oauth.clientSecret,
+          code,
+          redirect_uri: opts.oauth.callbackUrl
+        })
+      });
+      const tokenJson = await tokenResp.json();
+      if (!tokenJson.access_token) {
+        await session.save();
+        res.status(401).send(`GitHub token exchange failed: ${tokenJson.error_description ?? tokenJson.error ?? "unknown"}`);
+        return;
+      }
+      const userResp = await fetch("https://api.github.com/user", {
+        headers: {
+          Authorization: `Bearer ${tokenJson.access_token}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28"
+        }
+      });
+      if (!userResp.ok) {
+        await session.save();
+        res.status(401).send(`GitHub user lookup failed: ${userResp.status}`);
+        return;
+      }
+      const user = await userResp.json();
+      if (allowed.size > 0 && !allowed.has(user.login.toLowerCase())) {
+        await session.save();
+        res.status(403).send(`@${user.login} is not on the allowlist for this app.`);
+        return;
+      }
+      session.githubLogin = user.login;
+      session.avatarUrl = user.avatar_url;
+      session.accessToken = tokenJson.access_token;
+      await session.save();
+      res.redirect(302, opts.basePath + "/");
+    } catch (err) {
+      console.error("[coding-tab] OAuth callback failed", err);
+      res.status(500).send("OAuth callback failed. Check server logs.");
+    }
+  });
+  router.post("/auth/logout", async (req, res) => {
+    const session = await getSession(req, res, opts);
+    session.destroy();
+    res.json({ ok: true });
+  });
+  router.get("/auth/me", async (req, res) => {
+    const session = await getSession(req, res, opts);
+    if (!session.githubLogin || !session.accessToken) {
+      res.status(401).json({ error: "unauthenticated" });
+      return;
+    }
+    if (allowed.size > 0 && !allowed.has(session.githubLogin.toLowerCase())) {
+      res.status(403).json({ error: "not_authorized" });
+      return;
+    }
+    res.json({ githubLogin: session.githubLogin, avatarUrl: session.avatarUrl });
+  });
+  return router;
+}
+
+// src/server/agentRoutes.ts
+var import_express2 = require("express");
+var import_sdk2 = require("@cursor/sdk");
+
+// src/server/models.ts
+var import_sdk = require("@cursor/sdk");
+var SONNET_PATTERN = /sonnet/i;
+var OPUS_PATTERN = /opus/i;
+var cache = null;
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+async function getModelList(apiKey) {
+  if (cache && Date.now() - cache.fetchedAt < CACHE_TTL_MS) return cache.models;
+  const models = await import_sdk.Cursor.models.list({ apiKey });
+  cache = { fetchedAt: Date.now(), models };
+  return models;
+}
+function pickBest(models, pattern) {
+  const matches = models.filter((m) => pattern.test(m.id) || pattern.test(m.displayName) || (m.aliases ?? []).some((a) => pattern.test(a)));
+  if (matches.length === 0) return void 0;
+  matches.sort((a, b) => b.id.localeCompare(a.id));
+  return matches[0];
+}
+async function listAvailableModels(apiKey) {
+  const models = await getModelList(apiKey);
+  const out = [];
+  const sonnet = pickBest(models, SONNET_PATTERN);
+  if (sonnet) out.push({ choice: "sonnet", cursorModelId: sonnet.id, displayName: sonnet.displayName ?? sonnet.id });
+  const opus = pickBest(models, OPUS_PATTERN);
+  if (opus) out.push({ choice: "opus", cursorModelId: opus.id, displayName: opus.displayName ?? opus.id });
+  return out;
+}
+async function resolveModel(apiKey, choice) {
+  const models = await getModelList(apiKey);
+  const pattern = choice === "sonnet" ? SONNET_PATTERN : OPUS_PATTERN;
+  const picked = pickBest(models, pattern);
+  if (!picked) {
+    const available = models.map((m) => `${m.displayName} (${m.id})`).join(", ");
+    throw new Error(`No Cursor-routed model matches "${choice}". Available: ${available}`);
+  }
+  return { cursorModelId: picked.id, displayName: picked.displayName ?? picked.id };
+}
+
+// src/server/sessions.ts
+var import_node_crypto2 = require("crypto");
+var SESSION_IDLE_TTL_MS = 30 * 60 * 1e3;
+var sessions = /* @__PURE__ */ new Map();
+var sweeperStarted = false;
+function startSweeper() {
+  if (sweeperStarted) return;
+  sweeperStarted = true;
+  setInterval(() => {
+    const now = Date.now();
+    for (const [id, s] of sessions) {
+      if (now - s.lastUsedAt > SESSION_IDLE_TTL_MS) {
+        disposeSession(id).catch((e) => console.error("[coding-tab] session sweep dispose failed", e));
+      }
+    }
+  }, 5 * 60 * 1e3).unref?.();
+}
+function registerSession(opts) {
+  startSweeper();
+  const id = (0, import_node_crypto2.randomUUID)();
+  const session = {
+    id,
+    githubLogin: opts.githubLogin,
+    agent: opts.agent,
+    repoUrl: opts.repoUrl,
+    startingRef: opts.startingRef,
+    createdAt: Date.now(),
+    lastUsedAt: Date.now()
+  };
+  sessions.set(id, session);
+  return session;
+}
+function getSession2(id) {
+  const s = sessions.get(id);
+  if (s) s.lastUsedAt = Date.now();
+  return s;
+}
+async function disposeSession(id) {
+  const s = sessions.get(id);
+  if (!s) return;
+  sessions.delete(id);
+  try {
+    await s.agent[Symbol.asyncDispose]();
+  } catch (err) {
+    console.error("[coding-tab] dispose failed", err);
+  }
+}
+
+// src/server/agentRoutes.ts
+var PLAN_INSTRUCTION = `You are operating in PLAN MODE.
+
+Produce a clear, concise markdown plan for the user's request. Do NOT modify any files. Do NOT call any file-editing or shell tools that mutate state. Read-only exploration tools (Read, Grep, Glob, semantic search) are encouraged.
+
+Structure the plan with:
+- Goal (1 line)
+- Approach (3-7 bullet points)
+- Files that will change (bulleted, with absolute or repo-relative paths)
+- Risks / things to verify after implementation
+
+When you are done, end your message with a single line: PLAN READY`;
+var EXECUTE_INSTRUCTION = `You are now in AGENT MODE. Implement the plan you produced above. Make all required file changes, run any necessary commands, and prepare the changes for a pull request. When complete, summarize what changed in 3-5 bullets.`;
+function sse(res, event) {
+  res.write(`data: ${JSON.stringify(event)}
+
+`);
+}
+function parsePrUrl(url) {
+  if (!url) return void 0;
+  const match = url.match(/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)/);
+  if (!match) return void 0;
+  return { url, owner: match[1], repo: match[2], number: Number(match[3]) };
+}
+function modeInstructionPrefix(mode, prompt) {
+  return mode === "plan" ? `${PLAN_INSTRUCTION}
+
+---
+
+User request:
+${prompt}` : prompt;
+}
+function setupSseHeaders(res) {
+  res.set({
+    "Content-Type": "text/event-stream",
+    "Cache-Control": "no-cache, no-transform",
+    Connection: "keep-alive",
+    "X-Accel-Buffering": "no"
+  });
+  res.flushHeaders?.();
+}
+async function streamRun(res, run) {
+  try {
+    for await (const message of run.stream()) {
+      if (res.writableEnded) break;
+      if (message.type === "assistant") {
+        for (const block of message.message.content) {
+          if (block.type === "text" && block.text) sse(res, { kind: "text", text: block.text });
+          else if (block.type === "tool_use") sse(res, { kind: "tool", name: block.name, status: "running", callId: block.id, args: block.input });
+        }
+      } else if (message.type === "thinking") {
+        sse(res, { kind: "thinking", text: message.text });
+      } else if (message.type === "tool_call") {
+        sse(res, { kind: "tool", name: message.name, status: message.status, callId: message.call_id, args: message.args, result: message.result });
+      } else if (message.type === "status") {
+        sse(res, { kind: "status", status: message.status, message: message.message });
+      }
+    }
+    const result = await run.wait();
+    const prUrl = result.git?.branches?.find((b) => b.prUrl)?.prUrl;
+    sse(res, {
+      kind: "result",
+      status: result.status,
+      pr: parsePrUrl(prUrl),
+      durationMs: result.durationMs
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    const retryable = err instanceof import_sdk2.CursorAgentError ? Boolean(err.isRetryable) : false;
+    sse(res, { kind: "error", message, retryable });
+  } finally {
+    if (!res.writableEnded) res.end();
+  }
+}
+function makeAgentRouter(opts) {
+  const router = (0, import_express2.Router)();
+  router.get("/models", async (_req, res) => {
+    try {
+      const models = await listAvailableModels(opts.cursorApiKey);
+      res.json({ models });
+    } catch (err) {
+      console.error("[coding-tab] /models failed", err);
+      res.status(500).json({ error: err instanceof Error ? err.message : "models_failed" });
+    }
+  });
+  router.post("/agent/start", async (req, res) => {
+    const user = req.user;
+    const { prompt, mode, model, repoUrl, startingRef } = req.body ?? {};
+    if (!prompt || mode !== "plan" && mode !== "agent" || model !== "sonnet" && model !== "opus") {
+      res.status(400).json({ error: "invalid_request" });
+      return;
+    }
+    setupSseHeaders(res);
+    let agent;
+    try {
+      const resolved = await resolveModel(opts.cursorApiKey, model);
+      agent = await import_sdk2.Agent.create({
+        apiKey: opts.cursorApiKey,
+        model: { id: resolved.cursorModelId },
+        cloud: {
+          repos: [
+            {
+              url: repoUrl ?? opts.defaultRepo.url,
+              startingRef: startingRef ?? opts.defaultRepo.ref
+            }
+          ],
+          autoCreatePR: mode === "agent",
+          skipReviewerRequest: opts.skipReviewerRequest ?? true,
+          envVars: { GITHUB_TOKEN: user.accessToken },
+          ...opts.envName ? { env: { type: "cloud", name: opts.envName } } : {}
+        }
+      });
+      const session = registerSession({
+        githubLogin: user.githubLogin,
+        agent,
+        repoUrl: repoUrl ?? opts.defaultRepo.url,
+        startingRef: startingRef ?? opts.defaultRepo.ref
+      });
+      const run = await agent.send(modeInstructionPrefix(mode, prompt));
+      sse(res, { kind: "ready", sessionId: session.id, agentId: agent.agentId, runId: run.id });
+      console.log(`[coding-tab] start agent=${agent.agentId} run=${run.id} session=${session.id} login=${user.githubLogin}`);
+      await streamRun(res, run);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      const retryable = err instanceof import_sdk2.CursorAgentError ? Boolean(err.isRetryable) : false;
+      console.error("[coding-tab] /agent/start failed", err);
+      sse(res, { kind: "error", message, retryable });
+      if (!res.writableEnded) res.end();
+      if (agent) await agent[Symbol.asyncDispose]().catch(() => {
+      });
+    }
+    req.on("close", () => {
+      if (!res.writableEnded) res.end();
+    });
+  });
+  router.post("/agent/send", async (req, res) => {
+    const { sessionId, prompt, mode } = req.body ?? {};
+    if (!sessionId || !prompt || mode !== "plan" && mode !== "agent") {
+      res.status(400).json({ error: "invalid_request" });
+      return;
+    }
+    const session = getSession2(sessionId);
+    if (!session) {
+      res.status(404).json({ error: "session_not_found" });
+      return;
+    }
+    setupSseHeaders(res);
+    try {
+      const run = await session.agent.send(modeInstructionPrefix(mode, prompt));
+      sse(res, { kind: "ready", sessionId: session.id, agentId: session.agent.agentId, runId: run.id });
+      console.log(`[coding-tab] send agent=${session.agent.agentId} run=${run.id} session=${session.id}`);
+      await streamRun(res, run);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error("[coding-tab] /agent/send failed", err);
+      sse(res, { kind: "error", message });
+      if (!res.writableEnded) res.end();
+    }
+    req.on("close", () => {
+      if (!res.writableEnded) res.end();
+    });
+  });
+  router.post("/agent/execute", async (req, res) => {
+    const { sessionId } = req.body ?? {};
+    if (!sessionId) {
+      res.status(400).json({ error: "invalid_request" });
+      return;
+    }
+    const session = getSession2(sessionId);
+    if (!session) {
+      res.status(404).json({ error: "session_not_found" });
+      return;
+    }
+    setupSseHeaders(res);
+    try {
+      const run = await session.agent.send(EXECUTE_INSTRUCTION);
+      sse(res, { kind: "ready", sessionId: session.id, agentId: session.agent.agentId, runId: run.id });
+      console.log(`[coding-tab] execute agent=${session.agent.agentId} run=${run.id} session=${session.id}`);
+      await streamRun(res, run);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error("[coding-tab] /agent/execute failed", err);
+      sse(res, { kind: "error", message });
+      if (!res.writableEnded) res.end();
+    }
+    req.on("close", () => {
+      if (!res.writableEnded) res.end();
+    });
+  });
+  router.post("/agent/cancel", async (req, res) => {
+    const { sessionId, runId } = req.body ?? {};
+    if (!sessionId || !runId) {
+      res.status(400).json({ error: "invalid_request" });
+      return;
+    }
+    const session = getSession2(sessionId);
+    if (!session) {
+      res.status(404).json({ error: "session_not_found" });
+      return;
+    }
+    try {
+      await import_sdk2.Agent.cancelRun(runId, { runtime: "cloud", agentId: session.agent.agentId, apiKey: opts.cursorApiKey });
+      res.json({ ok: true });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error("[coding-tab] /agent/cancel failed", err);
+      res.status(500).json({ error: message });
+    }
+  });
+  router.post("/agent/dispose", async (req, res) => {
+    const { sessionId } = req.body ?? {};
+    if (!sessionId) {
+      res.status(400).json({ error: "invalid_request" });
+      return;
+    }
+    await disposeSession(sessionId);
+    res.json({ ok: true });
+  });
+  return router;
+}
+
+// src/server/githubRoutes.ts
+var import_express3 = require("express");
+var import_rest = require("@octokit/rest");
+function parsePrUrl2(prUrl) {
+  const match = prUrl.match(/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)/);
+  if (!match) return null;
+  return { owner: match[1], repo: match[2], number: Number(match[3]) };
+}
+function makeGitHubRouter() {
+  const router = (0, import_express3.Router)();
+  router.get("/pr/status", async (req, res) => {
+    const prUrl = typeof req.query.prUrl === "string" ? req.query.prUrl : null;
+    if (!prUrl) {
+      res.status(400).json({ error: "missing_prUrl" });
+      return;
+    }
+    const parsed = parsePrUrl2(prUrl);
+    if (!parsed) {
+      res.status(400).json({ error: "invalid_prUrl" });
+      return;
+    }
+    const user = req.user;
+    const octokit = new import_rest.Octokit({ auth: user.accessToken });
+    try {
+      const pr = await octokit.pulls.get({ owner: parsed.owner, repo: parsed.repo, pull_number: parsed.number });
+      const info = {
+        url: pr.data.html_url,
+        owner: parsed.owner,
+        repo: parsed.repo,
+        number: parsed.number,
+        branch: pr.data.head?.ref,
+        state: pr.data.merged ? "merged" : pr.data.state,
+        title: pr.data.title,
+        body: pr.data.body ?? void 0
+      };
+      res.json({ pr: info, mergeable: pr.data.mergeable, mergeable_state: pr.data.mergeable_state });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      res.status(500).json({ error: message });
+    }
+  });
+  router.post("/pr/merge", async (req, res) => {
+    const body = req.body ?? {};
+    if (!body.prUrl) {
+      res.status(400).json({ error: "missing_prUrl" });
+      return;
+    }
+    const parsed = parsePrUrl2(body.prUrl);
+    if (!parsed) {
+      res.status(400).json({ error: "invalid_prUrl" });
+      return;
+    }
+    const user = req.user;
+    const octokit = new import_rest.Octokit({ auth: user.accessToken });
+    try {
+      const merge = await octokit.pulls.merge({
+        owner: parsed.owner,
+        repo: parsed.repo,
+        pull_number: parsed.number,
+        merge_method: body.mergeMethod ?? "squash"
+      });
+      res.json({ sha: merge.data.sha, merged: merge.data.merged });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error("[coding-tab] /pr/merge failed", err);
+      res.status(500).json({ error: message });
+    }
+  });
+  return router;
+}
+
+// src/server/staticAssets.ts
+var import_express4 = require("express");
+var import_promises = require("fs/promises");
+var import_node_path = require("path");
+var import_node_url = require("url");
+var here = (0, import_node_path.dirname)((0, import_node_url.fileURLToPath)(importMetaUrl));
+var ASSET_CANDIDATES = [
+  (0, import_node_path.resolve)(here, "browser.js"),
+  (0, import_node_path.resolve)(here, "..", "dist", "browser.js"),
+  (0, import_node_path.resolve)(here, "..", "browser.js")
+];
+var STYLE_CANDIDATES = [
+  (0, import_node_path.resolve)(here, "style.css"),
+  (0, import_node_path.resolve)(here, "..", "dist", "style.css"),
+  (0, import_node_path.resolve)(here, "..", "style.css")
+];
+async function readFirst(paths) {
+  let lastErr;
+  for (const p of paths) {
+    try {
+      const data = await (0, import_promises.readFile)(p);
+      return { path: p, data };
+    } catch (err) {
+      lastErr = err;
+    }
+  }
+  throw lastErr instanceof Error ? lastErr : new Error("asset not found");
+}
+function makeAssetRouter(basePath) {
+  const router = (0, import_express4.Router)();
+  router.get("/browser.js", async (_req, res) => {
+    try {
+      const { data } = await readFirst(ASSET_CANDIDATES);
+      res.set("Content-Type", "application/javascript; charset=utf-8");
+      res.set("Cache-Control", "public, max-age=300");
+      res.send(data);
+    } catch (err) {
+      res.status(500).send("// coding-tab browser bundle missing \u2014 did you run `npm run build`?");
+    }
+  });
+  router.get("/style.css", async (_req, res) => {
+    try {
+      const { data } = await readFirst(STYLE_CANDIDATES);
+      res.set("Content-Type", "text/css; charset=utf-8");
+      res.set("Cache-Control", "public, max-age=300");
+      res.send(data);
+    } catch {
+      res.status(404).send("/* style.css missing */");
+    }
+  });
+  router.get("/", async (_req, res) => {
+    const html = renderHostHtml(basePath);
+    res.set("Content-Type", "text/html; charset=utf-8");
+    res.send(html);
+  });
+  return router;
+}
+function renderHostHtml(basePath) {
+  return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
+    <title>Coding Tab</title>
+    <link rel="stylesheet" href="${basePath}/style.css" />
+  </head>
+  <body>
+    <div id="coding-tab-root"></div>
+    <script src="${basePath}/browser.js"></script>
+    <script>
+      window.CodingTab.mountCodingTab(
+        document.getElementById("coding-tab-root"),
+        { apiBase: ${JSON.stringify(basePath)} },
+      );
+    </script>
+  </body>
+</html>`;
+}
+
+// src/server/index.ts
+function mountCodingTab(app, options) {
+  const basePath = (options.basePath ?? "/coding-tab").replace(/\/$/, "");
+  const secure = options.secure ?? process.env.NODE_ENV === "production";
+  if (!options.cursorApiKey) throw new Error("[coding-tab] cursorApiKey is required");
+  if (!options.sessionPassword || options.sessionPassword.length < 32) {
+    throw new Error("[coding-tab] sessionPassword must be at least 32 characters");
+  }
+  if (!options.githubOAuth?.clientId || !options.githubOAuth?.clientSecret) {
+    throw new Error("[coding-tab] githubOAuth.clientId and clientSecret are required");
+  }
+  if (!options.githubOAuth.callbackUrl) {
+    throw new Error("[coding-tab] githubOAuth.callbackUrl is required");
+  }
+  if (!options.githubOAuth.allowedLogins || options.githubOAuth.allowedLogins.length === 0) {
+    console.warn("[coding-tab] WARNING: allowedLogins is empty \u2014 anyone with a GitHub account can sign in.");
+  }
+  const router = import_express5.default.Router();
+  router.use(import_express5.default.json({ limit: "1mb" }));
+  const assetRouter = makeAssetRouter(basePath);
+  router.use(assetRouter);
+  const authRouter = makeAuthRouter({
+    oauth: options.githubOAuth,
+    sessionPassword: options.sessionPassword,
+    secure,
+    basePath
+  });
+  router.use(authRouter);
+  const requireAuth = makeRequireAuth({
+    sessionPassword: options.sessionPassword,
+    secure,
+    allowedLogins: options.githubOAuth.allowedLogins
+  });
+  const agentRouter = makeAgentRouter({
+    cursorApiKey: options.cursorApiKey,
+    defaultRepo: options.defaultRepo,
+    envName: options.envName,
+    skipReviewerRequest: options.skipReviewerRequest
+  });
+  router.use(requireAuth, agentRouter);
+  const githubRouter = makeGitHubRouter();
+  router.use(requireAuth, githubRouter);
+  app.use(basePath, router);
+  console.log(`[coding-tab] mounted at ${basePath}`);
+  return router;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  mountCodingTab
+});
+//# sourceMappingURL=server.cjs.map