npm - @tyvm/knowhow - Versions diffs - 0.0.108-dev.bd8f104-dev.bd8f104-dev.bd8f104 → 0.0.108-dev.c47492f - Mend

@tyvm/knowhow 0.0.108-dev.bd8f104-dev.bd8f104-dev.bd8f104 → 0.0.108-dev.c47492f

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/package.json +2 -2
package/scripts/publish.sh +20 -4
package/src/agents/base/base.ts +9 -0
package/src/chat/CliChatService.ts +7 -1
package/src/chat/renderer/CompactRenderer.ts +20 -0
package/src/chat/renderer/ConsoleRenderer.ts +19 -0
package/src/chat/renderer/FancyRenderer.ts +19 -0
package/src/chat/renderer/types.ts +11 -0
package/src/cli.ts +45 -21
package/src/clients/types.ts +12 -4
package/src/processors/JsonCompressor.ts +3 -3
package/src/services/modules/index.ts +21 -17
package/src/tunnel.ts +216 -0
package/src/worker.ts +65 -336
package/src/workers/auth/WsMiddleware.ts +99 -0
package/src/workers/auth/authMiddleware.ts +104 -0
package/src/workers/auth/types.ts +14 -2
package/ts_build/package.json +2 -2
package/ts_build/src/agents/base/base.js +10 -0
package/ts_build/src/agents/base/base.js.map +1 -1
package/ts_build/src/chat/CliChatService.js +10 -1
package/ts_build/src/chat/CliChatService.js.map +1 -1
package/ts_build/src/chat/renderer/CompactRenderer.d.ts +4 -0
package/ts_build/src/chat/renderer/CompactRenderer.js +16 -0
package/ts_build/src/chat/renderer/CompactRenderer.js.map +1 -1
package/ts_build/src/chat/renderer/ConsoleRenderer.d.ts +4 -0
package/ts_build/src/chat/renderer/ConsoleRenderer.js +16 -0
package/ts_build/src/chat/renderer/ConsoleRenderer.js.map +1 -1
package/ts_build/src/chat/renderer/FancyRenderer.d.ts +4 -0
package/ts_build/src/chat/renderer/FancyRenderer.js +16 -0
package/ts_build/src/chat/renderer/FancyRenderer.js.map +1 -1
package/ts_build/src/chat/renderer/types.d.ts +2 -0
package/ts_build/src/cli.js +17 -9
package/ts_build/src/cli.js.map +1 -1
package/ts_build/src/clients/types.d.ts +2 -2
package/ts_build/src/processors/JsonCompressor.js +3 -3
package/ts_build/src/processors/JsonCompressor.js.map +1 -1
package/ts_build/src/services/modules/index.d.ts +30 -0
package/ts_build/src/services/modules/index.js +9 -14
package/ts_build/src/services/modules/index.js.map +1 -1
package/ts_build/src/tunnel.d.ts +27 -0
package/ts_build/src/tunnel.js +112 -0
package/ts_build/src/tunnel.js.map +1 -0
package/ts_build/src/worker.d.ts +1 -4
package/ts_build/src/worker.js +38 -244
package/ts_build/src/worker.js.map +1 -1
package/ts_build/src/workers/auth/WsMiddleware.d.ts +8 -0
package/ts_build/src/workers/auth/WsMiddleware.js +65 -0
package/ts_build/src/workers/auth/WsMiddleware.js.map +1 -0
package/ts_build/src/workers/auth/authMiddleware.d.ts +3 -0
package/ts_build/src/workers/auth/authMiddleware.js +60 -0
package/ts_build/src/workers/auth/authMiddleware.js.map +1 -0
package/ts_build/src/workers/auth/types.d.ts +8 -1

package/src/tunnel.ts ADDED Viewed

@@ -0,0 +1,216 @@
+import os from "os";
+import { WebSocket } from "ws";
+import { createTunnelHandler, TunnelHandler } from "@tyvm/knowhow-tunnel";
+import { loadJwt } from "./login";
+import { wait } from "./utils";
+import { getConfig } from "./config";
+import { KNOWHOW_API_URL } from "./services/KnowhowClient";
+import { ModulesService } from "./services/modules";
+import { WorkerPasskeyAuthService } from "./workers/auth/WorkerPasskeyAuth";
+import { WsMiddlewareStack } from "./workers/auth/WsMiddleware";
+import { makeAuthMiddleware } from "./workers/auth/authMiddleware";
+/**
+ * Extract the tunnel domain and protocol from the API URL.
+ * e.g., "https://api.knowhow.tyvm.ai" -> { domain: "worker.knowhow.tyvm.ai", useHttps: true }
+ * e.g., "http://localhost:4000" -> { domain: "worker.localhost:4000", useHttps: false }
+ */
+export function extractTunnelDomain(apiUrl: string): {
+  domain: string;
+  useHttps: boolean;
+} {
+  try {
+    const url = new URL(apiUrl);
+    const useHttps = url.protocol === "https:";
+    // For localhost, include port; for production, just use hostname
+    if (url.hostname === "localhost" || url.hostname === "127.0.0.1") {
+      return {
+        domain: `worker.${url.hostname}:${url.port || "80"}`,
+        useHttps,
+      };
+    }
+    return { domain: `worker.${url.hostname}`, useHttps };
+  } catch (err) {
+    console.error("Failed to parse API_URL for tunnel domain:", err);
+    return { domain: "worker.localhost:4000", useHttps: false }; // fallback
+  }
+}
+/**
+ * Initialize a tunnel handler and load tunnel modules.
+ */
+export async function initTunnelHandler(
+  tunnelConnection: WebSocket,
+  tunnelConfig: Parameters<typeof createTunnelHandler>[1]
+): Promise<TunnelHandler> {
+  const handler = createTunnelHandler(tunnelConnection, tunnelConfig);
+  console.log("🌐 Tunnel handler initialized");
+  console.log(tunnelConfig);
+  const tunnelModuleService = new ModulesService();
+  const tunnelContext = await tunnelModuleService.overrideDefaultContext({
+    Tunnel: handler,
+  });
+  tunnelModuleService.loadModulesFromConfig(tunnelContext).catch((err) => {
+    console.error("Failed to load tunnel modules:", err);
+  });
+  return handler;
+}
+/**
+ * Resolve tunnel local host, log port mapping, and return shared tunnel setup values.
+ * Extracted to avoid duplication between worker() and tunnel().
+ */
+export function resolveTunnelConfig(
+  config: Awaited<ReturnType<typeof getConfig>>,
+  isInsideDocker: boolean
+): { tunnelLocalHost: string; portMapping: Record<string, number> } {
+  // Determine localHost based on environment
+  let tunnelLocalHost = config.worker?.tunnel?.localHost;
+  if (!tunnelLocalHost) {
+    if (isInsideDocker) {
+      tunnelLocalHost = "host.docker.internal";
+      console.log(
+        "🐳 Docker detected: tunnel will use host.docker.internal to reach host services"
+      );
+    } else {
+      tunnelLocalHost = "127.0.0.1";
+    }
+  }
+  // Check for port mapping configuration
+  const portMapping = (config.worker?.tunnel?.portMapping || {}) as Record<string, number>;
+  if (Object.keys(portMapping).length > 0) {
+    console.log("🔀 Port mapping configured:");
+    for (const [containerPort, hostPort] of Object.entries(portMapping)) {
+      console.log(`   Container port ${containerPort} → Host port ${hostPort}`);
+    }
+  }
+  return { tunnelLocalHost, portMapping };
+}
+/**
+ * Options for connectTunnelWebSocket helper.
+ */
+export interface TunnelWebSocketOptions {
+  /** Already-resolved tunnel domain (hostname only, no protocol) */
+  tunnelDomain: string;
+  /** Whether the tunnel should use HTTPS */
+  tunnelUseHttps: boolean;
+  /** Local host to forward tunnel traffic to */
+  tunnelLocalHost: string;
+  /** Port mapping configuration */
+  portMapping: Record<string, number>;
+  /** Worker config (for tunnel sub-config) */
+  config: Awaited<ReturnType<typeof getConfig>>;
+  /** HTTP headers to attach to the WebSocket upgrade request */
+  headers: Record<string, string>;
+  /** Callback invoked with the TunnelHandler once the connection opens */
+  onOpen?: (handler: TunnelHandler) => void;
+  /** Called when the connection closes; receives code + reason string */
+  onClose?: (code: number, reason: string) => void;
+  /** Called on error */
+  onError?: (error: Error) => void;
+  /** Optional passkey auth service — if provided, applies WS middleware to gate tunnel traffic */
+  authService?: WorkerPasskeyAuthService | null;
+}
+/**
+ * Create a tunnel WebSocket connection, build the tunnelConfig, and
+ * initialize the tunnel handler.  Returns the WebSocket.
+ *
+ * The caller is responsible for storing a reference to the returned TunnelHandler
+ * (via onOpen) and performing any outer-state cleanup (via onClose / onError).
+ */
+export function connectTunnelWebSocket(
+  options: TunnelWebSocketOptions
+): WebSocket {
+  const {
+    tunnelDomain,
+    tunnelUseHttps,
+    tunnelLocalHost,
+    portMapping,
+    config,
+    headers,
+    onOpen,
+    onClose,
+    onError,
+    authService,
+  } = options;
+  const tunnelConnection = new WebSocket(`${KNOWHOW_API_URL}/ws/tunnel`, { headers });
+  tunnelConnection.on("open", async () => {
+    console.log("Tunnel WebSocket connected");
+    // Apply passkey auth middleware FIRST, before tunnel handler registers its
+    // "message" listener. Node.js EventEmitter fires listeners in registration
+    // order, so our middleware runs first. wrapSocket() also redirects future
+    // ws.on("message", ...) calls to an inner emitter, ensuring the tunnel
+    // handler only receives messages that passed the middleware.
+    if (authService) {
+      const stack = new WsMiddlewareStack();
+      stack.use(makeAuthMiddleware(authService));
+      stack.wrapSocket(tunnelConnection);
+    }
+    const allowedPorts = config.worker?.tunnel?.allowedPorts || [];
+    // Create URL rewriter callback that returns the hostname (without protocol).
+    // The tunnel package will add the protocol based on the useHttps config.
+    const urlRewriter = (port: number, metadata?: any) => {
+      const workerId = metadata?.workerId;
+      const secret = metadata?.secret;
+      // Examples: secret-p3000.worker.example.com  /  workerId-p3000.worker.example.com
+      const subdomain = secret
+        ? `${secret}-p${port}`
+        : `${workerId}-p${port}`;
+      return `${subdomain}.${tunnelDomain}`;
+    };
+    const tunnelConfig = {
+      allowedPorts,
+      maxConcurrentStreams: config.worker?.tunnel?.maxConcurrentStreams || 50,
+      tunnelUseHttps,
+      localHost: tunnelLocalHost,
+      urlRewriter,
+      enableUrlRewriting: config.worker?.tunnel?.enableUrlRewriting !== false,
+      portMapping,
+      logLevel: "debug" as const,
+    };
+    const handler = await initTunnelHandler(tunnelConnection, tunnelConfig);
+    onOpen?.(handler);
+  });
+  tunnelConnection.on("close", (code, reason) => {
+    console.log(
+      `Tunnel WebSocket closed. Code: ${code}, Reason: ${reason.toString()}`
+    );
+    onClose?.(code, reason.toString());
+  });
+  tunnelConnection.on("error", (error) => {
+    console.error("Tunnel WebSocket error:", error);
+    onError?.(error);
+  });
+  return tunnelConnection;
+}
+/**
+ * The minimal set of tool names that are always registered when running in
+ * tunnel mode. These are the tools the backend and frontend need to interact
+ * with the tunnel worker (port discovery, passkey auth).
+ *
+ * Additional tools can be added here in the future without changing the CLI.
+ */
+export const TUNNEL_MINIMAL_TOOLS = [
+  "listAllowedPorts",
+  "unlock",
+  "lock",
+  "reloadConfig",
+];

package/src/worker.ts CHANGED Viewed

@@ -1,12 +1,16 @@
 import os from "os";
 import { WebSocket } from "ws";
-import { createTunnelHandler, TunnelHandler } from "@tyvm/knowhow-tunnel";
+import { TunnelHandler } from "@tyvm/knowhow-tunnel";
 import { includedTools } from "./agents/tools/list";
 import { loadJwt } from "./login";
 import { services } from "./services";
 import { PasskeySetupService } from "./workers/auth/PasskeySetup";
 import { WorkerPasskeyAuthService } from "./workers/auth/WorkerPasskeyAuth";
-import { makeUnlockTool, makeLockTool, makeReloadConfigTool } from "./workers/tools";
+import {
+  makeUnlockTool,
+  makeLockTool,
+  makeReloadConfigTool,
+} from "./workers/tools";
 import { McpServerService } from "./services/Mcp";
 import * as allTools from "./agents/tools";
 import workerTools from "./workers/tools";
@@ -14,7 +18,11 @@ import { wait } from "./utils";
 import { getConfig, updateConfig } from "./config";
 import { KNOWHOW_API_URL } from "./services/KnowhowClient";
 import { registerWorkerPath } from "./workerRegistry";
-import { ModulesService } from "./services/modules";
+import {
+  extractTunnelDomain,
+  resolveTunnelConfig,
+  connectTunnelWebSocket,
+} from "./tunnel";
 const API_URL = KNOWHOW_API_URL;
@@ -91,6 +99,7 @@ export async function worker(options?: {
   noSandbox?: boolean;
   passkey?: boolean;
   passkeyReset?: boolean;
+  allowedTools?: string[];
 }) {
   const config = await getConfig();
@@ -210,9 +219,9 @@ export async function worker(options?: {
     console.log(`🖥️  Using host mode (${sandboxSource})`);
   }
-  // Use the config we already loaded above
-  if (!config.worker || !config.worker.allowedTools) {
+  // If a tool list override was passed (e.g. from tunnel mode), skip the
+  // first-run config write and use it directly.
+  if (!options?.allowedTools && (!config.worker || !config.worker.allowedTools)) {
     console.log(
       "Worker tools configured! Update knowhow.json to adjust which tools are allowed by the worker."
     );
@@ -230,7 +239,8 @@ export async function worker(options?: {
     return;
   }
-  let toolsToUse = Tools.getToolsByNames(config.worker.allowedTools);
+  const resolvedToolNames = options?.allowedTools ?? config.worker!.allowedTools;
+  let toolsToUse = Tools.getToolsByNames(resolvedToolNames);
   // If passkey auth is enabled, wrap all tool functions to check locked state
   // and register the unlock/lock auth tools
@@ -289,31 +299,14 @@ export async function worker(options?: {
   let lastJwt: string | null = null;
   let unauthorizedJwt: string | null = null;
-  // Check if tunnel is enabled
-  const tunnelEnabled = config.worker?.tunnel?.enabled ?? false;
+  // Check if tunnel is enabled.
+  // When allowedTools is passed as an override (e.g. from `knowhow tunnel`),
+  // the tunnel is always forced on — that's the whole point of tunnel mode.
+  const tunnelEnabled = options?.allowedTools
+    ? true
+    : (config.worker?.tunnel?.enabled ?? false);
-  // Determine localHost based on environment
-  let tunnelLocalHost = config.worker?.tunnel?.localHost;
-  if (!tunnelLocalHost) {
-    // Auto-detect based on Docker environment
-    if (isInsideDocker) {
-      tunnelLocalHost = "host.docker.internal";
-      console.log(
-        "🐳 Docker detected: tunnel will use host.docker.internal to reach host services"
-      );
-    } else {
-      tunnelLocalHost = "127.0.0.1";
-    }
-  }
-  // Check for port mapping configuration
-  const portMapping = config.worker?.tunnel?.portMapping || {};
-  if (Object.keys(portMapping).length > 0) {
-    console.log("🔀 Port mapping configured:");
-    for (const [containerPort, hostPort] of Object.entries(portMapping)) {
-      console.log(`   Container port ${containerPort} → Host port ${hostPort}`);
-    }
-  }
+  const { tunnelLocalHost, portMapping } = resolveTunnelConfig(config, isInsideDocker);
   if (tunnelEnabled) {
     const tunnelPorts = config.worker?.tunnel?.allowedPorts || [];
@@ -330,31 +323,6 @@ export async function worker(options?: {
     );
   }
-  // Extract tunnel domain from API_URL
-  // e.g., "https://api.knowhow.tyvm.ai" -> "knowhow.tyvm.ai"
-  // e.g., "http://localhost:4000" -> "localhost:4000"
-  function extractTunnelDomain(apiUrl: string): {
-    domain: string;
-    useHttps: boolean;
-  } {
-    try {
-      const url = new URL(apiUrl);
-      const useHttps = url.protocol === "https:";
-      // For localhost, include port; for production, just use hostname
-      if (url.hostname === "localhost" || url.hostname === "127.0.0.1") {
-        return {
-          domain: `worker.${url.hostname}:${url.port || "80"}`,
-          useHttps,
-        };
-      }
-      return { domain: `worker.${url.hostname}`, useHttps };
-    } catch (err) {
-      console.error("Failed to parse API_URL for tunnel domain:", err);
-      return { domain: "worker.localhost:4000", useHttps: false }; // fallback
-    }
-  }
   async function connectWebSocket() {
     const jwt = await loadJwt();
     console.log(`Connecting to ${API_URL}`);
@@ -424,7 +392,9 @@ export async function worker(options?: {
         // Hot-reload: re-read config, reconnect MCPs, and rebuild the tool list
         // without restarting the worker process.
         if (parsed?.type === "reloadConfig") {
-          console.log("🔄 Received reloadConfig — reloading MCPs, modules and tools...");
+          console.log(
+            "🔄 Received reloadConfig — reloading MCPs, modules and tools..."
+          );
           try {
             // Re-read fresh config from disk
             const freshConfig = await getConfig();
@@ -436,13 +406,16 @@ export async function worker(options?: {
             await Mcp.connectToConfigured(Tools);
             // Rebuild the allowed tools list from fresh config
-            const allowedToolNames = freshConfig.worker?.allowedTools ?? Tools.getToolNames();
+            const allowedToolNames =
+              freshConfig.worker?.allowedTools ?? Tools.getToolNames();
             toolsToUse = Tools.getToolsByNames(allowedToolNames);
             // Update the MCP server with new tool list
             mcpServer.withTools(toolsToUse);
-            console.log(`✅ Config reloaded: ${toolsToUse.length} tools active`);
+            console.log(
+              `✅ Config reloaded: ${toolsToUse.length} tools active`
+            );
           } catch (err) {
             console.error("❌ Failed to reload config:", err);
           }
@@ -456,100 +429,40 @@ export async function worker(options?: {
     // Create separate WebSocket connection for tunnel if enabled
     let tunnelConnection: WebSocket | null = null;
     if (tunnelEnabled) {
-      tunnelConnection = new WebSocket(`${API_URL}/ws/tunnel`, {
+      tunnelConnection = connectTunnelWebSocket({
+        tunnelDomain,
+        tunnelUseHttps,
+        tunnelLocalHost,
+        portMapping,
+        config,
         headers,
-      });
-      tunnelConnection.on("open", () => {
-        console.log("Tunnel WebSocket connected");
-        // Get the allowedPorts configuration
-        const allowedPorts = config.worker?.tunnel?.allowedPorts || [];
-        // Create URL rewriter callback that returns the hostname (without protocol)
-        // The tunnel package will add the protocol based on the useHttps config
-        // This receives port and metadata from the tunnel request
-        const urlRewriter = (port: number, metadata?: any) => {
-          const workerId = metadata?.workerId;
-          const secret = metadata?.secret;
-          // Build the hostname/domain (without protocol) based on metadata
-          // The tunnel handler will add the protocol using the useHttps config
-          // Examples:
-          // - secret-p3000.worker.example.com
-          // - workerId-p3000.worker.example.com
-          const subdomain = secret
-            ? `${secret}-p${port}`
-            : `${workerId}-p${port}`;
-          // Return just the hostname - the tunnel package should add the protocol
-          // based on the useHttps configuration passed below
-          const replacementUrl = `${subdomain}.${tunnelDomain}`;
-          return replacementUrl;
-        };
-        const tunnelConfig = {
-          allowedPorts,
-          maxConcurrentStreams:
-            config.worker?.tunnel?.maxConcurrentStreams || 50,
-          tunnelUseHttps,
-          localHost: tunnelLocalHost,
-          urlRewriter,
-          enableUrlRewriting:
-            config.worker?.tunnel?.enableUrlRewriting !== false,
-          portMapping,
-          logLevel: "debug" as const,
-        };
-        // Initialize tunnel handler with the tunnel-specific WebSocket
-        // Pass useHttps flag so the tunnel package can add the correct protocol
-        tunnelHandler = createTunnelHandler(tunnelConnection!, tunnelConfig);
-        console.log("🌐 Tunnel handler initialized");
-        console.log(tunnelConfig);
-        // Let modules that need the tunnel handler register their addons now
-        const tunnelModulesService = new ModulesService();
-        const { Agents, Embeddings, Plugins, Clients, Tools, MediaProcessor } = services();
-        tunnelModulesService.loadModulesFromConfig({
-          Agents, Embeddings, Plugins, Clients, Tools, MediaProcessor,
-          Tunnel: tunnelHandler,
-        }).catch((err) => {
-          console.error("Failed to load tunnel modules:", err);
-        });
-      });
-      tunnelConnection.on("close", (code, reason) => {
-        console.log(
-          `Tunnel WebSocket closed. Code: ${code}, Reason: ${reason.toString()}`
-        );
-        if (code === 1008) {
-          unauthorizedJwt = lastJwt;
-          console.error(
-            "❌ Tunnel received Unauthorized (1008). The JWT may be expired."
-          );
-          console.error("   Pausing reconnection until JWT changes...");
-        } else {
-          console.log(
-            "Tunnel connection will reconnect on next connection cycle..."
-          );
-        }
-        // Cleanup tunnel handler
-        if (tunnelHandler) {
-          tunnelHandler.cleanup();
-          tunnelHandler = null;
-        }
-        tunnelWs = null;
-        // Mark as disconnected to trigger reconnection
-        // The tunnel websocket is separate but we should reconnect both
-        connected = false;
-      });
-      tunnelConnection.on("error", (error) => {
-        console.error("Tunnel WebSocket error:", error);
-        // Mark as disconnected on error to trigger reconnection
-        connected = false;
+        authService,
+        onOpen: (handler) => {
+          tunnelHandler = handler;
+        },
+        onClose: (code, _reason) => {
+          if (code === 1008) {
+            unauthorizedJwt = lastJwt;
+            console.error(
+              "❌ Tunnel received Unauthorized (1008). The JWT may be expired."
+            );
+            console.error("   Pausing reconnection until JWT changes...");
+          } else {
+            console.log(
+              "Tunnel connection will reconnect on next connection cycle..."
+            );
+          }
+          if (tunnelHandler) {
+            tunnelHandler.cleanup();
+            tunnelHandler = null;
+          }
+          tunnelWs = null;
+          // The tunnel websocket is separate but we should reconnect both
+          connected = false;
+        },
+        onError: (_error) => {
+          connected = false;
+        },
       });
       tunnelWs = tunnelConnection;
@@ -632,187 +545,3 @@ export async function worker(options?: {
     await wait(5000);
   }
 }
-/**
- * Run tunnel-only mode: connects to the Knowhow tunnel WebSocket without
- * registering any MCP tools. Useful for users who only want the web tunnel
- * feature to expose local ports to the cloud.
- */
-export async function tunnel(options?: {
-  share?: boolean;
-  unshare?: boolean;
-}) {
-  const config = await getConfig();
-  const isInsideDocker = process.env.KNOWHOW_DOCKER === "true";
-  // Determine localHost based on environment
-  let tunnelLocalHost = config.worker?.tunnel?.localHost;
-  if (!tunnelLocalHost) {
-    if (isInsideDocker) {
-      tunnelLocalHost = "host.docker.internal";
-      console.log(
-        "🐳 Docker detected: tunnel will use host.docker.internal to reach host services"
-      );
-    } else {
-      tunnelLocalHost = "127.0.0.1";
-    }
-  }
-  // Check for port mapping configuration
-  const portMapping = config.worker?.tunnel?.portMapping || {};
-  if (Object.keys(portMapping).length > 0) {
-    console.log("🔀 Port mapping configured:");
-    for (const [containerPort, hostPort] of Object.entries(portMapping)) {
-      console.log(`   Container port ${containerPort} → Host port ${hostPort}`);
-    }
-  }
-  const tunnelPorts = config.worker?.tunnel?.allowedPorts || [];
-  if (tunnelPorts.length === 0) {
-    console.warn(
-      "⚠️  No allowedPorts configured. Add worker.tunnel.allowedPorts to knowhow.json"
-    );
-  } else {
-    console.log(`🌐 Tunnel mode for ports: ${tunnelPorts.join(", ")}`);
-  }
-  // Extract tunnel domain from API_URL
-  function extractTunnelDomain(apiUrl: string): {
-    domain: string;
-    useHttps: boolean;
-  } {
-    try {
-      const url = new URL(apiUrl);
-      const useHttps = url.protocol === "https:";
-      if (url.hostname === "localhost" || url.hostname === "127.0.0.1") {
-        return {
-          domain: `worker.${url.hostname}:${url.port || "80"}`,
-          useHttps,
-        };
-      }
-      return { domain: `worker.${url.hostname}`, useHttps };
-    } catch (err) {
-      console.error("Failed to parse API_URL for tunnel domain:", err);
-      return { domain: "worker.localhost:4000", useHttps: false };
-    }
-  }
-  let connected = false;
-  let tunnelHandler: TunnelHandler | null = null;
-  let lastJwt: string | null = null;
-  let unauthorizedJwt: string | null = null;
-  async function connectTunnel() {
-    const jwt = await loadJwt();
-    lastJwt = jwt;
-    console.log(`Connecting tunnel to ${API_URL}`);
-    const dir = process.cwd();
-    const homedir = os.homedir();
-    const hostname = process.env.WORKER_HOSTNAME || os.hostname();
-    const root =
-      process.env.WORKER_ROOT ||
-      (dir === homedir ? "~" : dir.replace(homedir, "~"));
-    const headers: Record<string, string> = {
-      Authorization: `Bearer ${jwt}`,
-      "User-Agent": `knowhow-tunnel/1.0.0/${hostname}`,
-      Root: root,
-    };
-    if (options?.share) {
-      headers.Shared = "true";
-      console.log("🔓 Tunnel shared with organization");
-    } else if (options?.unshare) {
-      headers.Shared = "false";
-      console.log("🔒 Tunnel is now private (unshared)");
-    } else {
-      console.log("🔒 Tunnel is private (only you can use it)");
-    }
-    const { domain: tunnelDomain, useHttps: tunnelUseHttps } =
-      extractTunnelDomain(API_URL);
-    const tunnelConnection = new WebSocket(`${API_URL}/ws/tunnel`, { headers });
-    tunnelConnection.on("open", () => {
-      console.log("🌐 Tunnel WebSocket connected");
-      connected = true;
-      const allowedPorts = config.worker?.tunnel?.allowedPorts || [];
-      const urlRewriter = (port: number, metadata?: any) => {
-        const workerId = metadata?.workerId;
-        const secret = metadata?.secret;
-        const subdomain = secret ? `${secret}-p${port}` : `${workerId}-p${port}`;
-        return `${subdomain}.${tunnelDomain}`;
-      };
-      const tunnelConfig = {
-        allowedPorts,
-        maxConcurrentStreams: config.worker?.tunnel?.maxConcurrentStreams || 50,
-        tunnelUseHttps,
-        localHost: tunnelLocalHost,
-        urlRewriter,
-        enableUrlRewriting: config.worker?.tunnel?.enableUrlRewriting !== false,
-        portMapping,
-        logLevel: "debug" as const,
-      };
-      tunnelHandler = createTunnelHandler(tunnelConnection, tunnelConfig);
-      console.log("🌐 Tunnel handler initialized");
-      console.log(tunnelConfig);
-      // Let modules that need the tunnel handler register their addons now
-      const tunnelModulesService2 = new ModulesService();
-      const { Agents: A2, Embeddings: E2, Plugins: P2, Clients: C2, Tools: T2, MediaProcessor: MP2 } = services();
-      tunnelModulesService2.loadModulesFromConfig({
-        Agents: A2, Embeddings: E2, Plugins: P2, Clients: C2, Tools: T2, MediaProcessor: MP2,
-        Tunnel: tunnelHandler,
-      }).catch((err) => {
-        console.error("Failed to load tunnel modules:", err);
-      });
-    });
-    tunnelConnection.on("close", (code, reason) => {
-      console.log(`Tunnel WebSocket closed. Code: ${code}, Reason: ${reason.toString()}`);
-      if (code === 1008) {
-        unauthorizedJwt = lastJwt;
-        console.error("❌ Tunnel received Unauthorized (1008). The JWT may be expired.");
-        console.error("   Run 'knowhow login' to refresh your token, then restart.");
-        console.error("   Pausing reconnection until JWT changes...");
-      } else {
-        console.log("Tunnel connection will reconnect on next cycle...");
-      }
-      if (tunnelHandler) {
-        tunnelHandler.cleanup();
-        tunnelHandler = null;
-      }
-      connected = false;
-    });
-    tunnelConnection.on("error", (error) => {
-      console.error("Tunnel WebSocket error:", error);
-      connected = false;
-    });
-    return tunnelConnection;
-  }
-  while (true) {
-    if (!connected) {
-      if (unauthorizedJwt !== null) {
-        const currentJwt = await loadJwt().catch(() => null);
-        if (currentJwt === unauthorizedJwt) {
-          await wait(5000);
-          continue;
-        }
-        console.log("🔄 JWT has changed, attempting to reconnect tunnel...");
-        unauthorizedJwt = null;
-      }
-      console.log("Attempting to connect tunnel...");
-      await connectTunnel();
-    }
-    await wait(5000);
-  }
-}