@useconductor/conductor 1.0.0

package/dist/dashboard/server.js

@@ -0,0 +1,1427 @@
+import express from 'express';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import fs from 'fs/promises';
+import crypto from 'crypto';
+import os from 'os';
+import { execFile } from 'child_process';
+import { promisify } from 'util';
+import rateLimit from 'express-rate-limit';
+import { ConfigManager } from '../core/config.js';
+import { DatabaseManager } from '../core/database.js';
+import { Keychain } from '../security/keychain.js';
+const execFileAsync = promisify(execFile);
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+// ── Constants ────────────────────────────────────────────────────────────────
+const ALL_PLUGINS = [
+    'calculator',
+    'colors',
+    'cron',
+    'crypto',
+    'fun',
+    'gcal',
+    'gdrive',
+    'github',
+    'github-actions',
+    'gmail',
+    'hash',
+    'homekit',
+    'memory',
+    'n8n',
+    'network',
+    'notes',
+    'notion',
+    'slack',
+    'spotify',
+    'system',
+    'text-tools',
+    'timezone',
+    'todoist',
+    'translate',
+    'url-tools',
+    'vercel',
+    'weather',
+    'x',
+];
+const PLUGIN_REQUIRED_CREDS = {
+    github: [{ service: 'github', key: 'token' }],
+    'github-actions': [{ service: 'github', key: 'token' }],
+    gmail: [{ service: 'google', key: 'access_token' }],
+    gcal: [{ service: 'google', key: 'access_token' }],
+    gdrive: [{ service: 'google', key: 'access_token' }],
+    notion: [{ service: 'notion', key: 'api_key' }],
+    spotify: [{ service: 'spotify', key: 'client_id' }],
+    n8n: [{ service: 'n8n', key: 'api_key' }],
+    vercel: [{ service: 'vercel', key: 'token' }],
+    weather: [{ service: 'weather', key: 'api_key' }],
+    x: [{ service: 'x', key: 'api_key' }],
+    homekit: [{ service: 'homekit', key: 'base_url' }],
+    slack: [{ service: 'slack', key: 'bot_token' }],
+    todoist: [{ service: 'todoist', key: 'api_token' }],
+};
+const KNOWN_CREDENTIALS = [
+    { service: 'conductor', key: 'api_key' },
+    { service: 'claude', key: 'api_key' },
+    { service: 'openai', key: 'api_key' },
+    { service: 'gemini', key: 'api_key' },
+    { service: 'github', key: 'token' },
+    { service: 'telegram', key: 'bot_token' },
+    { service: 'spotify', key: 'client_id' },
+    { service: 'spotify', key: 'client_secret' },
+    { service: 'notion', key: 'api_key' },
+    { service: 'n8n', key: 'api_key' },
+    { service: 'vercel', key: 'token' },
+    { service: 'weather', key: 'api_key' },
+    { service: 'x', key: 'api_key' },
+    { service: 'google', key: 'access_token' },
+    { service: 'slack', key: 'bot_token' },
+    { service: 'todoist', key: 'api_token' },
+];
+// Bundled Google OAuth app — users never need to create their own
+const GOOGLE_CLIENT_ID = '529105409300-vmtlgnvcpfohtd7ha9o98fkel6ldjmin.apps.googleusercontent.com';
+const GOOGLE_CLIENT_SECRET = process.env.GOOGLE_CLIENT_SECRET;
+const GOOGLE_REDIRECT_URI = 'http://localhost:4242/api/auth/google/callback';
+// ── Main export ───────────────────────────────────────────────────────────────
+/** Generate or load the persistent dashboard session token. */
+async function getDashboardToken(configDir) {
+    const tokenPath = path.join(configDir, 'dashboard.token');
+    try {
+        const existing = (await fs.readFile(tokenPath, 'utf-8')).trim();
+        if (existing.length >= 32)
+            return existing;
+    }
+    catch {
+        /* not yet created */
+    }
+    const token = crypto.randomBytes(24).toString('hex');
+    await fs.mkdir(configDir, { recursive: true });
+    await fs.writeFile(tokenPath, token, { mode: 0o600 });
+    return token;
+}
+/** In-memory log buffer for SSE streaming */
+const logBuffer = [];
+const maxLogBuffer = 500;
+const sseClients = new Set();
+function interceptLogs() {
+    const origLog = console.log.bind(console);
+    const origError = console.error.bind(console);
+    const origWarn = console.warn.bind(console);
+    function pushLog(level, args) {
+        const message = args.map((a) => (typeof a === 'string' ? a : JSON.stringify(a))).join(' ');
+        const entry = { level, message, timestamp: new Date().toISOString() };
+        logBuffer.push(entry);
+        if (logBuffer.length > maxLogBuffer)
+            logBuffer.shift();
+        const data = `data: ${JSON.stringify(entry)}\n\n`;
+        for (const client of sseClients) {
+            try {
+                client.write(data);
+            }
+            catch {
+                sseClients.delete(client);
+            }
+        }
+    }
+    console.log = (...args) => {
+        origLog(...args);
+        pushLog('info', args);
+    };
+    console.error = (...args) => {
+        origError(...args);
+        pushLog('error', args);
+    };
+    console.warn = (...args) => {
+        origWarn(...args);
+        pushLog('warn', args);
+    };
+}
+export async function startDashboard(port = 4242, conductorInstance) {
+    interceptLogs();
+    const config = new ConfigManager();
+    await config.initialize();
+    const keychain = new Keychain(config.getConfigDir());
+    // Initialize database for conversations endpoint
+    const db = new DatabaseManager(config.getConfigDir());
+    try {
+        await db.initialize();
+    }
+    catch {
+        // DB may not exist yet — conversations endpoint will return empty
+    }
+    // Generate / load session token
+    const dashboardToken = await getDashboardToken(config.getConfigDir());
+    // Auto-store bundled Google OAuth creds so the rest of Conductor can use them
+    const existingOAuth = config.get('oauth.google');
+    if (!existingOAuth?.clientId && GOOGLE_CLIENT_SECRET) {
+        await config.set('oauth.google', {
+            clientId: GOOGLE_CLIENT_ID,
+            clientSecret: GOOGLE_CLIENT_SECRET,
+            redirectUri: GOOGLE_REDIRECT_URI,
+        });
+    }
+    const app = express();
+    app.use(express.json());
+    // CORS — allow both localhost and 127.0.0.1
+    app.use((_req, res, next) => {
+        const origin = _req.headers.origin || '';
+        const allowed = ['http://localhost:4242', 'http://127.0.0.1:4242'];
+        if (allowed.includes(origin)) {
+            res.setHeader('Access-Control-Allow-Origin', origin);
+        }
+        else {
+            res.setHeader('Access-Control-Allow-Origin', 'http://127.0.0.1:4242');
+        }
+        res.setHeader('Access-Control-Allow-Methods', 'GET,POST,DELETE,OPTIONS');
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type,Authorization');
+        next();
+    });
+    app.options('/{*path}', (_req, res) => {
+        res.sendStatus(204);
+    });
+    // ── Rate limiting ─────────────────────────────────────────────────────────
+    app.use('/api', rateLimit({
+        windowMs: 60 * 1000, // 1 minute
+        max: 120, // 120 requests per minute per IP
+        standardHeaders: true,
+        legacyHeaders: false,
+        message: { error: 'COND-RATE-001: Too many requests. Slow down.' },
+    }));
+    // ── Authentication middleware for /api/* routes ───────────────────────────
+    // The Google OAuth callback must remain open (browser redirect from google.com)
+    app.use('/api', (req, res, next) => {
+        if (req.path === '/auth/google/callback') {
+            next();
+            return;
+        }
+        // Accept token from Authorization header OR ?token= query param (needed for EventSource / SSE)
+        const authHeader = req.headers['authorization'];
+        const queryToken = req.query.token;
+        const rawToken = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : (queryToken ?? '');
+        if (!rawToken) {
+            res.status(401).json({
+                error: 'COND-AUTH-001: Unauthorized — include Authorization: Bearer <token>. Generate a token with: conductor dashboard token',
+            });
+            return;
+        }
+        const provided = rawToken;
+        // Constant-time comparison to prevent timing attacks
+        try {
+            const tokenBuf = Buffer.from(dashboardToken, 'utf-8');
+            const providedBuf = Buffer.from(provided, 'utf-8');
+            if (tokenBuf.length !== providedBuf.length || !crypto.timingSafeEqual(tokenBuf, providedBuf)) {
+                res
+                    .status(401)
+                    .json({ error: 'COND-AUTH-002: Invalid token. Generate a new token with: conductor dashboard token' });
+                return;
+            }
+        }
+        catch {
+            res
+                .status(401)
+                .json({ error: 'COND-AUTH-003: Invalid token format. Generate a new token with: conductor dashboard token' });
+            return;
+        }
+        next();
+    });
+    // ── Static ────────────────────────────────────────────────────────────────
+    // Inject dashboard token as a meta tag so the JS can read it
+    app.get('/', async (_req, res) => {
+        try {
+            const htmlPath = path.join(__dirname, 'index.html');
+            let html = await fs.readFile(htmlPath, 'utf-8');
+            // Inject meta tag with the token right before </head>
+            // Replace the placeholder meta tag that's already in the HTML template
+            html = html.replace('<meta name="dashboard-token" content="">', `<meta name="dashboard-token" content="${dashboardToken}">`);
+            res.setHeader('Content-Type', 'text/html; charset=utf-8');
+            res.send(html);
+        }
+        catch {
+            res.status(500).send('Dashboard HTML not found. Run: npm run build');
+        }
+    });
+    // ── Status ────────────────────────────────────────────────────────────────
+    app.get('/api/status', async (_req, res) => {
+        let version = 'unknown';
+        try {
+            const pkgPath = path.resolve(__dirname, '..', '..', 'package.json');
+            version = JSON.parse(await fs.readFile(pkgPath, 'utf-8')).version ?? 'unknown';
+        }
+        catch {
+            /* ignore */
+        }
+        res.json({ version, configDir: config.getConfigDir(), nodeVersion: process.version, platform: process.platform });
+    });
+    // ── Config ────────────────────────────────────────────────────────────────
+    app.get('/api/config', (_req, res) => {
+        res.json(config.getConfig());
+    });
+    app.post('/api/config', async (req, res) => {
+        const body = req.body;
+        if (typeof body.key !== 'string' || body.key.trim() === '') {
+            res.status(400).json({ error: '`key` must be a non-empty string' });
+            return;
+        }
+        await config.set(body.key, body.value);
+        res.json({ ok: true });
+    });
+    // ── Plugins ───────────────────────────────────────────────────────────────
+    app.get('/api/plugins', (_req, res) => {
+        const installed = config.get('plugins.installed') ?? [];
+        const enabled = config.get('plugins.enabled') ?? [];
+        res.json({ installed, enabled, all: ALL_PLUGINS, requiredCreds: PLUGIN_REQUIRED_CREDS });
+    });
+    app.post('/api/plugins/toggle', async (req, res) => {
+        const body = req.body;
+        if (typeof body.plugin !== 'string' || body.plugin.trim() === '') {
+            res.status(400).json({ error: '`plugin` must be a non-empty string' });
+            return;
+        }
+        if (typeof body.enabled !== 'boolean') {
+            res.status(400).json({ error: '`enabled` must be a boolean' });
+            return;
+        }
+        if (body.enabled && PLUGIN_REQUIRED_CREDS[body.plugin]) {
+            const missing = [];
+            for (const { service, key } of PLUGIN_REQUIRED_CREDS[body.plugin]) {
+                if (!(await keychain.has(service, key)))
+                    missing.push(`${service} / ${key}`);
+            }
+            if (missing.length > 0) {
+                res.status(400).json({ error: `Missing credentials: ${missing.join(', ')}`, missingCreds: missing });
+                return;
+            }
+        }
+        const current = config.get('plugins.enabled') ?? [];
+        const updated = body.enabled
+            ? current.includes(body.plugin)
+                ? current
+                : [...current, body.plugin]
+            : current.filter((p) => p !== body.plugin);
+        await config.set('plugins.enabled', updated);
+        res.json({ ok: true, enabled: updated });
+    });
+    // ── Credentials ───────────────────────────────────────────────────────────
+    app.get('/api/credentials', async (_req, res) => {
+        const result = await Promise.all(KNOWN_CREDENTIALS.map(async ({ service, key }) => ({
+            service,
+            key,
+            hasValue: await keychain.has(service, key),
+        })));
+        res.json(result);
+    });
+    app.post('/api/credentials', async (req, res) => {
+        const body = req.body;
+        if (!body.service || !body.key || !body.value) {
+            res.status(400).json({ error: '`service`, `key`, and `value` are all required' });
+            return;
+        }
+        await keychain.set(body.service, body.key, body.value);
+        res.json({ ok: true });
+    });
+    app.delete('/api/credentials/:service/:key', async (req, res) => {
+        const { service, key } = req.params;
+        await keychain.delete(service, key);
+        res.json({ ok: true });
+    });
+    // ── Google OAuth ──────────────────────────────────────────────────────────
+    app.get('/api/auth/google/status', async (_req, res) => {
+        const connected = await keychain.has('google', 'access_token');
+        res.json({ connected });
+    });
+    app.get('/api/auth/google/url', async (_req, res) => {
+        if (!GOOGLE_CLIENT_SECRET) {
+            res.status(503).json({ error: 'Google OAuth is not configured — set GOOGLE_CLIENT_SECRET env var' });
+            return;
+        }
+        try {
+            const { google } = await import('googleapis');
+            const oauth2Client = new google.auth.OAuth2(GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_REDIRECT_URI);
+            const url = oauth2Client.generateAuthUrl({
+                access_type: 'offline',
+                prompt: 'consent',
+                scope: [
+                    'https://www.googleapis.com/auth/userinfo.email',
+                    'https://www.googleapis.com/auth/userinfo.profile',
+                    'https://www.googleapis.com/auth/gmail.modify',
+                    'https://www.googleapis.com/auth/calendar',
+                    'https://www.googleapis.com/auth/drive.file',
+                ],
+            });
+            res.json({ url });
+        }
+        catch (e) {
+            res.status(500).json({ error: e.message });
+        }
+    });
+    app.get('/api/auth/google/callback', async (req, res) => {
+        if (!GOOGLE_CLIENT_SECRET) {
+            res.status(503).json({ error: 'Google OAuth is not configured — set GOOGLE_CLIENT_SECRET env var' });
+            return;
+        }
+        const code = req.query.code;
+        if (!code) {
+            res.status(400).send('<h2>Missing code</h2>');
+            return;
+        }
+        try {
+            const { google } = await import('googleapis');
+            const oauth2Client = new google.auth.OAuth2(GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_REDIRECT_URI);
+            const { tokens } = await oauth2Client.getToken(code);
+            if (tokens.access_token)
+                await keychain.set('google', 'access_token', tokens.access_token);
+            if (tokens.refresh_token)
+                await keychain.set('google', 'refresh_token', tokens.refresh_token);
+            res.send(`<!DOCTYPE html><html><head><title>Connected</title></head>
+        <body style="font-family:system-ui;text-align:center;padding:60px;background:#0d0d0d;color:#e8e8e8">
+          <h2 style="color:#22c55e;margin-bottom:12px">✓ Google Connected</h2>
+          <p style="color:#888">Gmail, Calendar, and Drive are ready.</p>
+          <p style="color:#555;font-size:12px;margin-top:8px">This tab will close automatically.</p>
+          <script>setTimeout(()=>{window.close();},1800);</script>
+        </body></html>`);
+        }
+        catch (e) {
+            res.status(500).send(`<h2 style="color:#ef4444">Auth failed: ${e.message}</h2>`);
+        }
+    });
+    app.delete('/api/auth/google', async (_req, res) => {
+        await keychain.delete('google', 'access_token');
+        await keychain.delete('google', 'refresh_token');
+        res.json({ ok: true });
+    });
+    // ── Activity log ──────────────────────────────────────────────────────────
+    app.get('/api/activity', async (_req, res) => {
+        try {
+            const logsDir = path.join(config.getConfigDir(), 'logs');
+            let entries = [];
+            try {
+                const files = await fs.readdir(logsDir);
+                for (const f of files.filter((f) => f.endsWith('.json')).slice(-5)) {
+                    try {
+                        const raw = await fs.readFile(path.join(logsDir, f), 'utf-8');
+                        const parsed = JSON.parse(raw);
+                        if (Array.isArray(parsed))
+                            entries.push(...parsed);
+                        else
+                            entries.push(parsed);
+                    }
+                    catch {
+                        /* skip bad file */
+                    }
+                }
+            }
+            catch {
+                /* no logs dir */
+            }
+            res.json({ entries: entries.slice(-20) });
+        }
+        catch {
+            res.json({ entries: [] });
+        }
+    });
+    // ── System Control ────────────────────────────────────────────────────────
+    // Safe command runner using execFile (no shell interpretation)
+    async function runCmd(cmd, timeoutMs = 30000) {
+        // Whitelist of allowed dashboard commands
+        const allowedPrefixes = [
+            'ps ',
+            'tasklist',
+            'open ',
+            'xdg-open',
+            'screencapture',
+            'scrot',
+            'pbpaste',
+            'xclip',
+            'xsel',
+            'ifconfig',
+            'ip ',
+            'netstat',
+            'ss ',
+            'lsof',
+            'docker ',
+            'crontab',
+            'git ',
+        ];
+        const trimmed = cmd.trim();
+        const isAllowed = allowedPrefixes.some((p) => trimmed.startsWith(p));
+        if (!isAllowed) {
+            return { stdout: '', stderr: `Command not allowed in dashboard: ${trimmed}`, exitCode: 1 };
+        }
+        const [executable, ...args] = trimmed.split(/\s+/);
+        try {
+            const { stdout, stderr } = await execFileAsync(executable, args, {
+                timeout: timeoutMs,
+                maxBuffer: 10 * 1024 * 1024,
+            });
+            return { stdout: (stdout ?? '').trim(), stderr: (stderr ?? '').trim(), exitCode: 0 };
+        }
+        catch (err) {
+            if (err && typeof err === 'object' && 'code' in err) {
+                const e = err;
+                return { stdout: (e.stdout ?? '').trim(), stderr: (e.stderr ?? '').trim(), exitCode: e.code ?? 1 };
+            }
+            return { stdout: '', stderr: String(err), exitCode: 1 };
+        }
+    }
+    // GET /api/system/info
+    app.get('/api/system/info', async (_req, res) => {
+        const cpus = os.cpus();
+        res.json({
+            platform: os.platform(),
+            arch: os.arch(),
+            hostname: os.hostname(),
+            uptime: os.uptime(),
+            memory: {
+                total: os.totalmem(),
+                free: os.freemem(),
+                used: os.totalmem() - os.freemem(),
+            },
+            cpu: {
+                model: cpus[0]?.model ?? 'unknown',
+                cores: cpus.length,
+                usage: null, // point-in-time snapshot not meaningful without sampling interval
+            },
+        });
+    });
+    // POST /api/system/shell — REMOVED for security
+    // Shell access through a web dashboard is an unacceptable attack surface.
+    // Use the CLI directly for shell operations.
+    app.post('/api/system/shell', async (_req, res) => {
+        res.status(410).json({ error: 'Shell endpoint has been removed for security. Use the CLI directly.' });
+    });
+    // GET /api/system/processes — REMOVED (relied on shell execution)
+    app.get('/api/system/processes', async (_req, res) => {
+        res.status(410).json({ error: 'Process listing endpoint has been removed (relied on shell execution).' });
+    });
+    // POST /api/system/open
+    app.post('/api/system/open', async (req, res) => {
+        const body = req.body;
+        if (!body.path || typeof body.path !== 'string' || body.path.trim() === '') {
+            res.status(400).json({ error: '`path` is required' });
+            return;
+        }
+        const platform = os.platform();
+        let opener;
+        if (platform === 'darwin')
+            opener = 'open';
+        else if (platform === 'win32')
+            opener = 'start ""';
+        else
+            opener = 'xdg-open';
+        const result = await runCmd(`${opener} ${JSON.stringify(body.path.trim())}`);
+        res.json(result);
+    });
+    // POST /api/system/notify
+    app.post('/api/system/notify', async (req, res) => {
+        const body = req.body;
+        if (!body.title || !body.message) {
+            res.status(400).json({ error: '`title` and `message` are required' });
+            return;
+        }
+        const platform = os.platform();
+        let cmd;
+        if (platform === 'darwin') {
+            const t = body.title.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+            const m = body.message.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+            cmd = `osascript -e 'display notification "${m}" with title "${t}"'`;
+        }
+        else {
+            cmd = `notify-send ${JSON.stringify(body.title)} ${JSON.stringify(body.message)}`;
+        }
+        const result = await runCmd(cmd);
+        res.json(result);
+    });
+    // GET /api/system/clipboard
+    app.get('/api/system/clipboard', async (_req, res) => {
+        const platform = os.platform();
+        const cmd = platform === 'darwin' ? 'pbpaste' : 'xclip -o';
+        const result = await runCmd(cmd);
+        res.json({ text: result.stdout, ...result });
+    });
+    // POST /api/system/clipboard
+    app.post('/api/system/clipboard', async (req, res) => {
+        const body = req.body;
+        if (typeof body.text !== 'string') {
+            res.status(400).json({ error: '`text` is required' });
+            return;
+        }
+        const platform = os.platform();
+        const cmd = platform === 'darwin' ? 'pbcopy' : 'xclip -selection clipboard';
+        const result = await runCmd(`printf '%s' ${JSON.stringify(body.text)} | ${cmd}`);
+        res.json(result);
+    });
+    // GET /api/system/screenshot
+    app.get('/api/system/screenshot', async (_req, res) => {
+        const platform = os.platform();
+        const tmpFile = '/tmp/conductor-screenshot.png';
+        let captureResult;
+        if (platform === 'darwin') {
+            captureResult = await runCmd(`screencapture -x -t png ${tmpFile}`);
+        }
+        else {
+            captureResult = await runCmd(`scrot ${tmpFile}`);
+        }
+        if (captureResult.exitCode !== 0) {
+            res.status(500).json({ error: 'Screenshot failed', ...captureResult });
+            return;
+        }
+        try {
+            const imgBuf = await fs.readFile(tmpFile);
+            const image = imgBuf.toString('base64');
+            await fs.unlink(tmpFile).catch(() => {
+                /* best-effort cleanup */
+            });
+            res.json({ image, mimeType: 'image/png' });
+        }
+        catch (e) {
+            res.status(500).json({ error: e.message });
+        }
+    });
+    // POST /api/system/type
+    app.post('/api/system/type', async (req, res) => {
+        const body = req.body;
+        if (typeof body.text !== 'string' || body.text === '') {
+            res.status(400).json({ error: '`text` is required' });
+            return;
+        }
+        const platform = os.platform();
+        let cmd;
+        if (platform === 'darwin') {
+            const escaped = body.text.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+            cmd = `osascript -e 'tell application "System Events" to keystroke "${escaped}"'`;
+        }
+        else {
+            cmd = `xdotool type ${JSON.stringify(body.text)}`;
+        }
+        const result = await runCmd(cmd);
+        res.json(result);
+    });
+    // GET /api/system/windows
+    app.get('/api/system/windows', async (_req, res) => {
+        const platform = os.platform();
+        let cmd;
+        if (platform === 'darwin') {
+            cmd = `osascript -e 'tell application "System Events" to get name of every process whose background only is false'`;
+        }
+        else if (platform === 'win32') {
+            cmd = `powershell -Command "Get-Process | Where-Object {$_.MainWindowTitle -ne ''} | Select-Object -ExpandProperty MainWindowTitle"`;
+        }
+        else {
+            cmd = `wmctrl -l 2>/dev/null || xdotool search --onlyvisible --name "" getwindowname 2>/dev/null || echo ''`;
+        }
+        const result = await runCmd(cmd);
+        const apps = result.stdout
+            .split(/,\s*|\n/)
+            .map((s) => s.trim())
+            .filter((s) => s.length > 0);
+        res.json({ apps, raw: result.stdout });
+    });
+    // ── File System Routes ────────────────────────────────────────────────────
+    const ALLOWED_TEXT_EXTENSIONS = new Set([
+        '.txt',
+        '.md',
+        '.json',
+        '.ts',
+        '.js',
+        '.py',
+        '.sh',
+        '.yaml',
+        '.yml',
+        '.toml',
+        '.env',
+        '.log',
+        '.csv',
+        '.html',
+        '.css',
+        '.xml',
+        '.sql',
+        '.go',
+        '.rs',
+        '.rb',
+        '.php',
+        '.java',
+        '.c',
+        '.cpp',
+        '.h',
+    ]);
+    function isSafePath(rawPath, mustBeUnder) {
+        const resolved = path.resolve(rawPath);
+        if (rawPath.includes('..') || resolved !== path.normalize(resolved)) {
+            return { safe: false, resolved };
+        }
+        if (mustBeUnder) {
+            const base = path.resolve(mustBeUnder);
+            if (!resolved.startsWith(base + path.sep) && resolved !== base) {
+                return { safe: false, resolved };
+            }
+        }
+        return { safe: true, resolved };
+    }
+    // GET /api/fs/list
+    app.get('/api/fs/list', async (req, res) => {
+        let rawPath = req.query.path;
+        // Normalize: missing, empty, or '~' → home dir; relative → join with home dir
+        if (!rawPath || rawPath === '~') {
+            rawPath = os.homedir();
+        }
+        else if (!path.isAbsolute(rawPath)) {
+            rawPath = path.join(os.homedir(), rawPath);
+        }
+        const { safe, resolved } = isSafePath(rawPath);
+        if (!safe) {
+            res.status(400).json({ error: 'Invalid path — traversal not allowed' });
+            return;
+        }
+        try {
+            const names = await fs.readdir(resolved);
+            const capped = names.slice(0, 200);
+            const entries = await Promise.all(capped.map(async (name) => {
+                try {
+                    const stat = await fs.stat(path.join(resolved, name));
+                    return {
+                        name,
+                        type: stat.isDirectory() ? 'dir' : 'file',
+                        size: stat.size,
+                        modified: stat.mtime.toISOString(),
+                        permissions: (stat.mode & 0o777).toString(8).padStart(3, '0'),
+                    };
+                }
+                catch {
+                    return { name, type: 'unknown', size: 0, modified: null, permissions: '000' };
+                }
+            }));
+            res.json({ entries, path: resolved });
+        }
+        catch (e) {
+            res.status(500).json({ error: e.message });
+        }
+    });
+    // GET /api/fs/read
+    app.get('/api/fs/read', async (req, res) => {
+        const rawPath = req.query.path;
+        if (!rawPath) {
+            res.status(400).json({ error: '`path` query parameter is required' });
+            return;
+        }
+        const { safe, resolved } = isSafePath(rawPath);
+        if (!safe) {
+            res.status(400).json({ error: 'Invalid path — traversal not allowed' });
+            return;
+        }
+        const ext = path.extname(resolved).toLowerCase();
+        if (!ALLOWED_TEXT_EXTENSIONS.has(ext)) {
+            res.status(400).json({ error: `File extension '${ext}' is not allowed` });
+            return;
+        }
+        try {
+            const stat = await fs.stat(resolved);
+            if (stat.size > 1024 * 1024) {
+                res.status(400).json({ error: 'File exceeds 1MB limit' });
+                return;
+            }
+            const content = await fs.readFile(resolved, 'utf-8');
+            res.json({ content, size: stat.size, encoding: 'utf-8' });
+        }
+        catch (e) {
+            res.status(500).json({ error: e.message });
+        }
+    });
+    // POST /api/fs/write
+    app.post('/api/fs/write', async (req, res) => {
+        const body = req.body;
+        if (!body.path || typeof body.path !== 'string') {
+            res.status(400).json({ error: '`path` is required' });
+            return;
+        }
+        if (typeof body.content !== 'string') {
+            res.status(400).json({ error: '`content` is required' });
+            return;
+        }
+        const { safe, resolved } = isSafePath(body.path, os.homedir());
+        if (!safe) {
+            res.status(400).json({ error: 'Invalid path — traversal above home directory not allowed' });
+            return;
+        }
+        const contentBytes = Buffer.byteLength(body.content, 'utf-8');
+        if (contentBytes > 512 * 1024) {
+            res.status(400).json({ error: 'Content exceeds 512KB limit' });
+            return;
+        }
+        try {
+            await fs.writeFile(resolved, body.content, 'utf-8');
+            res.json({ ok: true, bytesWritten: contentBytes });
+        }
+        catch (e) {
+            res.status(500).json({ error: e.message });
+        }
+    });
+    // POST /api/fs/delete
+    app.post('/api/fs/delete', async (req, res) => {
+        const body = req.body;
+        if (!body.path || typeof body.path !== 'string') {
+            res.status(400).json({ error: '`path` is required' });
+            return;
+        }
+        const { safe, resolved } = isSafePath(body.path, os.homedir());
+        if (!safe) {
+            res.status(400).json({ error: 'Invalid path — traversal above home directory not allowed' });
+            return;
+        }
+        try {
+            const stat = await fs.stat(resolved);
+            if (stat.isDirectory()) {
+                await fs.rmdir(resolved); // only succeeds on empty dirs
+            }
+            else {
+                await fs.unlink(resolved);
+            }
+            res.json({ ok: true });
+        }
+        catch (e) {
+            res.status(500).json({ error: e.message });
+        }
+    });
+    // ── Enhanced Process Manager ──────────────────────────────────────────────
+    // GET /api/system/processes/detail
+    app.get('/api/system/processes/detail', async (_req, res) => {
+        const platform = os.platform();
+        const cmd = platform === 'win32' ? 'tasklist /FO CSV /NH' : 'ps aux';
+        const result = await runCmd(cmd);
+        const lines = result.stdout.split('\n').filter((l) => l.trim().length > 0);
+        const dataLines = platform === 'win32' ? lines : lines.slice(1); // skip header on unix
+        const processes = dataLines.slice(0, 30).map((line) => {
+            if (platform === 'win32') {
+                const parts = line.split(',').map((p) => p.replace(/"/g, '').trim());
+                return { pid: parseInt(parts[1] ?? '0', 10), user: 'N/A', cpu: 'N/A', mem: 'N/A', command: parts[0] ?? line };
+            }
+            // ps aux format: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
+            const parts = line.trim().split(/\s+/);
+            return {
+                pid: parseInt(parts[1] ?? '0', 10),
+                user: parts[0] ?? '',
+                cpu: parts[2] ?? '',
+                mem: parts[3] ?? '',
+                command: parts.slice(10).join(' '),
+            };
+        });
+        res.json({ processes });
+    });
+    // POST /api/system/processes/kill
+    app.post('/api/system/processes/kill', (req, res) => {
+        const body = req.body;
+        if (typeof body.pid !== 'number' || !Number.isInteger(body.pid)) {
+            res.status(400).json({ error: '`pid` must be an integer' });
+            return;
+        }
+        if (body.pid <= 1000) {
+            res.status(400).json({ error: 'Refusing to kill system process (pid <= 1000)' });
+            return;
+        }
+        try {
+            process.kill(body.pid, 'SIGTERM');
+            res.json({ ok: true });
+        }
+        catch (e) {
+            res.status(500).json({ error: e.message });
+        }
+    });
+    // ── Real-time System Metrics ───────────────────────────────────────────────
+    // GET /api/system/metrics
+    app.get('/api/system/metrics', (_req, res) => {
+        const total = os.totalmem();
+        const free = os.freemem();
+        const used = total - free;
+        res.json({
+            loadAvg: os.loadavg(),
+            memory: {
+                total,
+                free,
+                used,
+                usedPercent: Math.round((used / total) * 10000) / 100,
+            },
+            uptime: os.uptime(),
+            platform: os.platform(),
+        });
+    });
+    // ── Network Connections ───────────────────────────────────────────────────
+    // GET /api/system/network
+    app.get('/api/system/network', async (_req, res) => {
+        const platform = os.platform();
+        let connCmd;
+        let ifaceCmd;
+        if (platform === 'darwin') {
+            connCmd = 'netstat -an | grep ESTABLISHED | head -20';
+            ifaceCmd = 'ifconfig';
+        }
+        else {
+            connCmd = 'ss -tuln | head -20';
+            ifaceCmd = 'ip addr';
+        }
+        const [connResult, ifaceResult] = await Promise.all([runCmd(connCmd), runCmd(ifaceCmd)]);
+        const connections = connResult.stdout
+            .split('\n')
+            .map((l) => l.trim())
+            .filter((l) => l.length > 0);
+        res.json({ connections, interfaces: ifaceResult.stdout });
+    });
+    // ── Environment Variables ─────────────────────────────────────────────────
+    // GET /api/system/env
+    app.get('/api/system/env', (_req, res) => {
+        const SAFE_KEYS = new Set(['PATH', 'HOME', 'USER', 'SHELL', 'TERM', 'LANG', 'NODE_ENV', 'PORT']);
+        const env = {};
+        for (const [k, v] of Object.entries(process.env)) {
+            if (v !== undefined && (SAFE_KEYS.has(k) || k.startsWith('CONDUCTOR_'))) {
+                env[k] = v;
+            }
+        }
+        res.json({ env });
+    });
+    // ── Git Status ────────────────────────────────────────────────────────────
+    // GET /api/git/status
+    app.get('/api/git/status', async (req, res) => {
+        const rawPath = req.query.path;
+        if (!rawPath) {
+            res.status(400).json({ error: '`path` query parameter is required' });
+            return;
+        }
+        const { safe, resolved } = isSafePath(rawPath);
+        if (!safe) {
+            res.status(400).json({ error: 'Invalid path — traversal not allowed' });
+            return;
+        }
+        const [statusResult, logResult] = await Promise.all([
+            runCmd(`git -C ${JSON.stringify(resolved)} status --porcelain -b 2>&1`),
+            runCmd(`git -C ${JSON.stringify(resolved)} log --oneline -10 2>&1`),
+        ]);
+        const isRepo = statusResult.exitCode === 0;
+        let branch = '';
+        let statusText = statusResult.stdout;
+        if (isRepo) {
+            // First line of --porcelain -b is "## <branch>..." or "## HEAD (no branch)"
+            const lines = statusResult.stdout.split('\n');
+            const branchLine = lines[0] ?? '';
+            const branchMatch = branchLine.match(/^## ([^.]+)/);
+            branch = branchMatch ? branchMatch[1].trim() : '';
+            statusText = lines.slice(1).join('\n');
+        }
+        const recentCommits = isRepo ? logResult.stdout.split('\n').filter((l) => l.trim().length > 0) : [];
+        res.json({ branch, status: statusText, recentCommits, isRepo });
+    });
+    // ── Docker ────────────────────────────────────────────────────────────────
+    // GET /api/docker/containers
+    app.get('/api/docker/containers', async (_req, res) => {
+        const result = await runCmd('docker ps --format "{{json .}}" 2>&1');
+        if (result.exitCode !== 0 ||
+            result.stdout.includes('command not found') ||
+            result.stdout.includes('Cannot connect')) {
+            res.json({ available: false, containers: [] });
+            return;
+        }
+        const containers = result.stdout
+            .split('\n')
+            .filter((l) => l.trim().startsWith('{'))
+            .map((l) => {
+            try {
+                return JSON.parse(l);
+            }
+            catch {
+                return null;
+            }
+        })
+            .filter((c) => c !== null);
+        res.json({ available: true, containers });
+    });
+    // POST /api/docker/containers/:id/action
+    app.post('/api/docker/containers/:id/action', async (req, res) => {
+        const { id } = req.params;
+        const body = req.body;
+        const allowed = new Set(['start', 'stop', 'restart']);
+        if (!body.action || !allowed.has(body.action)) {
+            res.status(400).json({ error: "`action` must be 'start', 'stop', or 'restart'" });
+            return;
+        }
+        // Validate container id: alphanumeric, dashes, underscores only
+        if (!/^[a-zA-Z0-9_\-]+$/.test(id)) {
+            res.status(400).json({ error: 'Invalid container id' });
+            return;
+        }
+        const result = await runCmd(`docker ${body.action} ${id} 2>&1`);
+        if (result.exitCode !== 0) {
+            res.status(500).json({ error: result.stdout || result.stderr });
+            return;
+        }
+        res.json({ ok: true });
+    });
+    const notesDir = path.join(os.homedir(), '.conductor');
+    const notesFile = path.join(notesDir, 'notes.json');
+    async function readNotes() {
+        try {
+            const raw = await fs.readFile(notesFile, 'utf-8');
+            return JSON.parse(raw);
+        }
+        catch {
+            return [];
+        }
+    }
+    async function writeNotes(notes) {
+        await fs.mkdir(notesDir, { recursive: true });
+        await fs.writeFile(notesFile, JSON.stringify(notes, null, 2), 'utf-8');
+    }
+    // GET /api/notes
+    app.get('/api/notes', async (_req, res) => {
+        const notes = await readNotes();
+        res.json({ notes });
+    });
+    // POST /api/notes
+    app.post('/api/notes', async (req, res) => {
+        const body = req.body;
+        if (typeof body.title !== 'string' || body.title.trim() === '') {
+            res.status(400).json({ error: '`title` is required' });
+            return;
+        }
+        if (typeof body.content !== 'string') {
+            res.status(400).json({ error: '`content` is required' });
+            return;
+        }
+        const notes = await readNotes();
+        const now = new Date().toISOString();
+        const note = {
+            id: crypto.randomBytes(8).toString('hex'),
+            title: body.title.trim(),
+            content: body.content,
+            created: now,
+            updated: now,
+        };
+        notes.push(note);
+        await writeNotes(notes);
+        res.json({ ok: true, note });
+    });
+    // PUT /api/notes/:id — update title and/or content
+    app.put('/api/notes/:id', async (req, res) => {
+        const { id } = req.params;
+        const body = req.body;
+        const notes = await readNotes();
+        const idx = notes.findIndex((n) => n.id === id);
+        if (idx === -1) {
+            res.status(404).json({ error: 'Note not found' });
+            return;
+        }
+        if (typeof body.title === 'string')
+            notes[idx].title = body.title.trim() || notes[idx].title;
+        if (typeof body.content === 'string')
+            notes[idx].content = body.content;
+        notes[idx].updated = new Date().toISOString();
+        await writeNotes(notes);
+        res.json({ ok: true, note: notes[idx] });
+    });
+    // DELETE /api/notes/:id
+    app.delete('/api/notes/:id', async (req, res) => {
+        const { id } = req.params;
+        const notes = await readNotes();
+        const filtered = notes.filter((n) => n.id !== id);
+        if (filtered.length === notes.length) {
+            res.status(404).json({ error: 'Note not found' });
+            return;
+        }
+        await writeNotes(filtered);
+        res.json({ ok: true });
+    });
+    // ── Cron Jobs ─────────────────────────────────────────────────────────────
+    // GET /api/cron
+    app.get('/api/cron', async (_req, res) => {
+        const result = await runCmd('crontab -l 2>/dev/null');
+        const raw = result.stdout;
+        const entries = raw
+            .split('\n')
+            .map((l) => l.trim())
+            .filter((l) => l.length > 0 && !l.startsWith('#'));
+        res.json({ entries, raw });
+    });
+    // ── Todoist proxy ─────────────────────────────────────────────────────────
+    //
+    // All routes forward to https://api.todoist.com/api/v1 using the token
+    // stored in the keychain.  The token is never sent to the browser.
+    async function todoistProxy(token, path, options = {}) {
+        let todoistRes;
+        try {
+            const url = `https://api.todoist.com/api/v1${path}`;
+            const { headers: extraHeaders, ...restOptions } = options;
+            todoistRes = await fetch(url, {
+                ...restOptions,
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                    'Content-Type': 'application/json',
+                    ...(extraHeaders ?? {}),
+                },
+            });
+        }
+        catch (fetchErr) {
+            const msg = fetchErr instanceof Error ? fetchErr.message : String(fetchErr);
+            console.error('[todoist-proxy] fetch error:', msg);
+            return { status: 502, body: { error: `Failed to reach Todoist: ${msg}` } };
+        }
+        if (todoistRes.status === 204) {
+            return { status: 200, body: { ok: true } };
+        }
+        const rawText = await todoistRes.text().catch(() => '');
+        if (!todoistRes.ok) {
+            console.error(`[todoist-proxy] Todoist ${todoistRes.status} for ${path}:`, rawText.slice(0, 200));
+            return {
+                status: todoistRes.status,
+                body: { error: `Todoist error ${todoistRes.status}: ${rawText.slice(0, 120)}` },
+            };
+        }
+        if (!rawText)
+            return { status: 200, body: [] };
+        try {
+            const data = JSON.parse(rawText);
+            // API v1 wraps list responses in { results: [], next_cursor }
+            if (data !== null && typeof data === 'object' && Array.isArray(data.results)) {
+                return { status: 200, body: data.results };
+            }
+            return { status: 200, body: data };
+        }
+        catch {
+            console.error('[todoist-proxy] JSON parse failed, raw:', rawText.slice(0, 200));
+            return { status: 502, body: { error: `Todoist returned non-JSON: ${rawText.slice(0, 80)}` } };
+        }
+    }
+    // GET /api/todoist/status
+    app.get('/api/todoist/status', async (_req, res) => {
+        const configured = await keychain.has('todoist', 'api_token');
+        res.json({ configured });
+    });
+    // GET /api/todoist/projects
+    app.get('/api/todoist/projects', async (_req, res) => {
+        const token = await keychain.get('todoist', 'api_token');
+        if (!token) {
+            res.status(400).json({ error: 'Todoist not configured' });
+            return;
+        }
+        const { status, body } = await todoistProxy(token, '/projects');
+        res.status(status).json(body);
+    });
+    // GET /api/todoist/tasks — supports ?project_id, ?label, ?filter
+    app.get('/api/todoist/tasks', async (req, res) => {
+        const token = await keychain.get('todoist', 'api_token');
+        if (!token) {
+            res.status(400).json({ error: 'Todoist not configured' });
+            return;
+        }
+        const query = req.query;
+        const params = new URLSearchParams();
+        for (const key of ['project_id', 'label', 'filter']) {
+            if (query[key])
+                params.set(key, query[key]);
+        }
+        const qs = params.toString() ? `?${params.toString()}` : '';
+        const { status, body } = await todoistProxy(token, `/tasks${qs}`);
+        res.status(status).json(body);
+    });
+    // POST /api/todoist/tasks — create a task
+    app.post('/api/todoist/tasks', async (req, res) => {
+        const token = await keychain.get('todoist', 'api_token');
+        if (!token) {
+            res.status(400).json({ error: 'Todoist not configured' });
+            return;
+        }
+        const { status, body } = await todoistProxy(token, '/tasks', {
+            method: 'POST',
+            body: JSON.stringify(req.body),
+        });
+        res.status(status).json(body);
+    });
+    // POST /api/todoist/tasks/:id — update a task
+    app.post('/api/todoist/tasks/:id', async (req, res) => {
+        const token = await keychain.get('todoist', 'api_token');
+        if (!token) {
+            res.status(400).json({ error: 'Todoist not configured' });
+            return;
+        }
+        const { id } = req.params;
+        const { status, body } = await todoistProxy(token, `/tasks/${id}`, {
+            method: 'POST',
+            body: JSON.stringify(req.body),
+        });
+        res.status(status).json(body);
+    });
+    // POST /api/todoist/tasks/:id/close — complete a task
+    app.post('/api/todoist/tasks/:id/close', async (req, res) => {
+        const token = await keychain.get('todoist', 'api_token');
+        if (!token) {
+            res.status(400).json({ error: 'Todoist not configured' });
+            return;
+        }
+        const { id } = req.params;
+        const { status, body } = await todoistProxy(token, `/tasks/${id}/close`, {
+            method: 'POST',
+        });
+        // Todoist returns 204 on success — normalise to a JSON ok response for the
+        // frontend so it doesn't have to special-case empty bodies.
+        if (status === 204) {
+            res.json({ ok: true });
+            return;
+        }
+        res.status(status).json(body);
+    });
+    // DELETE /api/todoist/tasks/:id — delete a task
+    app.delete('/api/todoist/tasks/:id', async (req, res) => {
+        const token = await keychain.get('todoist', 'api_token');
+        if (!token) {
+            res.status(400).json({ error: 'Todoist not configured' });
+            return;
+        }
+        const { id } = req.params;
+        const { status, body } = await todoistProxy(token, `/tasks/${id}`, {
+            method: 'DELETE',
+        });
+        if (status === 204) {
+            res.json({ ok: true });
+            return;
+        }
+        res.status(status).json(body);
+    });
+    // ── Conversations ─────────────────────────────────────────────────────────
+    app.get('/api/conversations', async (_req, res) => {
+        try {
+            const messages = await db.getRecentMessages(200);
+            res.json({ messages: messages.reverse() });
+        }
+        catch {
+            res.json({ messages: [] });
+        }
+    });
+    // ── Live Log Stream (SSE) ─────────────────────────────────────────────────
+    app.get('/api/logs/stream', (req, res) => {
+        res.setHeader('Content-Type', 'text/event-stream');
+        res.setHeader('Cache-Control', 'no-cache');
+        res.setHeader('Connection', 'keep-alive');
+        res.flushHeaders();
+        // Send buffered logs first
+        for (const entry of logBuffer) {
+            res.write(`data: ${JSON.stringify(entry)}\n\n`);
+        }
+        sseClients.add(res);
+        req.on('close', () => {
+            sseClients.delete(res);
+        });
+    });
+    // ── Chat (AI) ─────────────────────────────────────────────────────────────
+    const PLUGIN_CATALOG = {
+        calculator: {
+            desc: 'Evaluate mathematical expressions and unit conversions',
+            category: 'Utilities',
+            requiresAuth: false,
+        },
+        colors: {
+            desc: 'Convert and manipulate colors (hex, rgb, hsl, name)',
+            category: 'Utilities',
+            requiresAuth: false,
+        },
+        cron: { desc: 'Manage and inspect system cron jobs', category: 'System', requiresAuth: false },
+        crypto: { desc: 'Encrypt, decrypt, and generate cryptographic keys', category: 'Security', requiresAuth: false },
+        fun: { desc: 'Jokes, trivia, dice rolls, and random fun', category: 'Utilities', requiresAuth: false },
+        gcal: {
+            desc: 'Read, create, and manage Google Calendar events',
+            category: 'Google',
+            requiresAuth: true,
+            authLabel: 'Google OAuth',
+        },
+        gdrive: {
+            desc: 'List, read, and upload files to Google Drive',
+            category: 'Google',
+            requiresAuth: true,
+            authLabel: 'Google OAuth',
+        },
+        github: {
+            desc: 'Manage repos, issues, PRs, and gists on GitHub',
+            category: 'Developer',
+            requiresAuth: true,
+            authLabel: 'GitHub Token',
+        },
+        'github-actions': {
+            desc: 'Trigger and monitor GitHub Actions CI/CD workflows',
+            category: 'Developer',
+            requiresAuth: true,
+            authLabel: 'GitHub Token',
+        },
+        gmail: {
+            desc: 'Read, search, send, and label Gmail messages',
+            category: 'Google',
+            requiresAuth: true,
+            authLabel: 'Google OAuth',
+        },
+        hash: { desc: 'Compute MD5, SHA-1, SHA-256, and bcrypt hashes', category: 'Security', requiresAuth: false },
+        homekit: {
+            desc: 'Control HomeKit smart home devices and accessories',
+            category: 'Smart Home',
+            requiresAuth: true,
+            authLabel: 'HomeKit Bridge URL',
+        },
+        memory: { desc: 'Store and recall information across conversations', category: 'AI', requiresAuth: false },
+        n8n: {
+            desc: 'Trigger n8n automation workflows via webhook',
+            category: 'Automation',
+            requiresAuth: true,
+            authLabel: 'n8n API Key',
+        },
+        network: { desc: 'DNS lookup, ping, port scan, and IP geolocation', category: 'System', requiresAuth: false },
+        notes: { desc: 'Create, read, update, and delete personal notes', category: 'Productivity', requiresAuth: false },
+        notion: {
+            desc: 'Query, create, and update Notion databases and pages',
+            category: 'Productivity',
+            requiresAuth: true,
+            authLabel: 'Notion API Key',
+        },
+        slack: {
+            desc: 'Send messages and read channels in Slack workspaces',
+            category: 'Communication',
+            requiresAuth: true,
+            authLabel: 'Slack Bot Token',
+        },
+        spotify: {
+            desc: 'Control Spotify playback and browse music catalog',
+            category: 'Entertainment',
+            requiresAuth: true,
+            authLabel: 'Spotify OAuth',
+        },
+        system: {
+            desc: 'CPU, memory, disk stats, processes, and shell commands',
+            category: 'System',
+            requiresAuth: false,
+        },
+        'text-tools': {
+            desc: 'Transform text: case, trim, word count, slugify, base64',
+            category: 'Utilities',
+            requiresAuth: false,
+        },
+        timezone: { desc: 'Convert times between timezones worldwide', category: 'Utilities', requiresAuth: false },
+        todoist: {
+            desc: 'Manage Todoist tasks, projects, and priorities',
+            category: 'Productivity',
+            requiresAuth: true,
+            authLabel: 'Todoist API Token',
+        },
+        translate: { desc: 'Translate text between 100+ languages', category: 'Utilities', requiresAuth: false },
+        'url-tools': {
+            desc: 'Parse, encode, decode, and expand shortened URLs',
+            category: 'Utilities',
+            requiresAuth: false,
+        },
+        vercel: {
+            desc: 'Manage Vercel deployments, projects, and domains',
+            category: 'Developer',
+            requiresAuth: true,
+            authLabel: 'Vercel Token',
+        },
+        weather: {
+            desc: 'Current conditions and forecasts for any location',
+            category: 'Utilities',
+            requiresAuth: true,
+            authLabel: 'Weather API Key',
+        },
+        x: {
+            desc: 'Post tweets and read your X/Twitter timeline',
+            category: 'Social',
+            requiresAuth: true,
+            authLabel: 'X API Key',
+        },
+    };
+    let _chatConductorInstance = conductorInstance ?? null;
+    async function getChatConductor() {
+        if (_chatConductorInstance)
+            return _chatConductorInstance;
+        const { Conductor: ConductorClass } = await import('../core/conductor.js');
+        _chatConductorInstance = new ConductorClass(undefined, { quiet: true });
+        await _chatConductorInstance.initialize();
+        return _chatConductorInstance;
+    }
+    // POST /api/chat
+    app.post('/api/chat', async (req, res) => {
+        const body = req.body;
+        if (!body.message || typeof body.message !== 'string' || body.message.trim() === '') {
+            res.status(400).json({ error: '`message` is required' });
+            return;
+        }
+        const userId = body.userId && typeof body.userId === 'string' ? body.userId.trim() : 'dashboard-user';
+        try {
+            const c = await getChatConductor();
+            const ai = c.getAIManager();
+            const result = await ai.handleConversation(userId, body.message.trim());
+            // Extract tool calls from the current turn: walk backwards from the end,
+            // collect tool messages until we hit the user message we just added.
+            const history = await c.getDatabase().getHistory(userId, 60);
+            const toolCalls = [];
+            for (let i = history.length - 1; i >= 0; i--) {
+                const msg = history[i];
+                if (msg.role === 'user')
+                    break; // stop at the user message for this turn
+                if (msg.role === 'tool' && msg.name) {
+                    toolCalls.unshift({ tool: msg.name, success: !String(msg.content ?? '').startsWith('Error') });
+                }
+            }
+            const providerName = c.getConfig().get('ai.provider') ?? 'unknown';
+            const modelName = c.getConfig().get('ai.model') ?? '';
+            res.json({
+                response: result.text,
+                toolCalls,
+                approvalRequired: result.approvalRequired ?? null,
+                provider: providerName,
+                model: modelName,
+            });
+        }
+        catch (e) {
+            res.status(500).json({ error: e.message });
+        }
+    });
+    // GET /api/chat/history
+    app.get('/api/chat/history', async (req, res) => {
+        const userId = (req.query.userId ?? 'dashboard-user').trim();
+        try {
+            const c = await getChatConductor();
+            const messages = await c.getDatabase().getHistory(userId, 100);
+            res.json({ messages });
+        }
+        catch (e) {
+            res.status(500).json({ error: e.message });
+        }
+    });
+    // DELETE /api/chat/history
+    app.delete('/api/chat/history', async (req, res) => {
+        const userId = (req.query.userId ?? 'dashboard-user').trim();
+        try {
+            const c = await getChatConductor();
+            await c.getDatabase().clearHistory(userId);
+            res.json({ ok: true });
+        }
+        catch (e) {
+            res.status(500).json({ error: e.message });
+        }
+    });
+    // GET /api/marketplace
+    app.get('/api/marketplace', (_req, res) => {
+        const installedPlugins = config.get('plugins.installed') ?? [];
+        const enabledPlugins = config.get('plugins.enabled') ?? [];
+        const plugins = Object.entries(PLUGIN_CATALOG).map(([name, meta]) => ({
+            name,
+            ...meta,
+            installed: installedPlugins.includes(name) || ALL_PLUGINS.includes(name),
+            enabled: enabledPlugins.includes(name),
+            requiredCreds: PLUGIN_REQUIRED_CREDS[name] ?? [],
+        }));
+        res.json({ plugins });
+    });
+    // ── Start — bind to 127.0.0.1 only (not 0.0.0.0) ────────────────────────
+    return new Promise((resolve, reject) => {
+        const server = app.listen(port, '127.0.0.1', () => {
+            process.stderr.write(`Dashboard running at http://127.0.0.1:${port}\n`);
+            process.stderr.write(`Dashboard token stored at ${path.join(config.getConfigDir(), 'dashboard.token')}\n`);
+            resolve({
+                port,
+                close: () => new Promise((res, rej) => server.close((err) => (err ? rej(err) : res()))),
+            });
+        });
+        server.on('error', reject);
+    });
+}
+//# sourceMappingURL=server.js.map