@very_aq/codex-cli-web 0.0.1

package/server/dist/index.js

@@ -0,0 +1,166 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const http_1 = __importDefault(require("http"));
+const node_net_1 = __importDefault(require("node:net"));
+const socket_io_1 = require("socket.io");
+const ws_1 = require("ws");
+const bootstrapAdmin_1 = require("./auth/bootstrapAdmin");
+const adminInit_1 = require("./auth/adminInit");
+const userStore_1 = require("./auth/userStore");
+const codexAppServer_1 = require("./codex/codexAppServer");
+const env_1 = require("./env");
+const app_1 = require("./app");
+const authDb_1 = require("./auth/sqlite/authDb");
+const legacyImport_1 = require("./auth/sqlite/legacyImport");
+const history_1 = require("./history");
+const codexTaskTracker_1 = require("./status/codexTaskTracker");
+const wsHub_1 = require("./ws/wsHub");
+const socketIoBridge_1 = require("./ws/socketIoBridge");
+const userWorkspaceStore_1 = require("./workspace/userWorkspaceStore");
+const userSettingsStore_1 = require("./settings/userSettingsStore");
+const configArg_1 = require("./cli/configArg");
+async function main() {
+    // 启动最早阶段先处理命令行 config 参数，确保后续 env 读取拿到最终配置。
+    // Parse config arg at startup earliest stage so env readers see final value.
+    (0, configArg_1.applyConfigArgToEnv)(process.argv.slice(2));
+    const host = (0, env_1.getHost)();
+    const port = (0, env_1.getPort)();
+    const sessionSecret = (0, env_1.getSessionToken)();
+    const startedAtMs = Date.now();
+    // 认证配置统一写入 auth.db，避免多 JSON 文件分散维护。
+    const authDb = (0, authDb_1.createAuthDb)({ dbPath: (0, env_1.getCodexWebAuthDbPath)() });
+    // DB 为空时尝试从 legacy JSON 导入，保证升级不丢历史账号与工作区配置。
+    await (0, legacyImport_1.maybeImportLegacyJsonSettings)({
+        authDb,
+        usersFilePath: (0, env_1.getCodexWebUsersFile)(),
+        userWorkspacesFilePath: (0, env_1.getCodexWebUserWorkspacesFile)(),
+    });
+    const userStore = await (0, userStore_1.createUserStore)({ authDb });
+    // 当监听非 loopback 时，阻止“默认口令”对外暴露（误部署防呆）。
+    await assertSafeAdminPasswordForHost(host, userStore);
+    // 用户工作目录仓库：与鉴权 workspaces 分离，避免语义耦合。
+    const userWorkspaceStore = await (0, userWorkspaceStore_1.createUserWorkspaceStore)({ authDb });
+    // 用户配置仓库：用于跨端同步主题/模型等偏好设置。
+    const userSettingsStore = await (0, userSettingsStore_1.createUserSettingsStore)({ authDb });
+    await (0, bootstrapAdmin_1.bootstrapAdmin)(userStore);
+    const codex = new codexAppServer_1.CodexAppServer({
+        codexBin: (0, env_1.getCodexBin)(),
+        cwd: env_1.WORKSPACE_ROOT,
+        historyPersistence: (0, env_1.getCodexHistoryPersistence)(),
+        disableResponseStorage: (0, env_1.getCodexDisableResponseStorage)(),
+    });
+    const codexTasks = new codexTaskTracker_1.CodexTaskTracker();
+    const unsubscribeCodexTasks = codex.onNotification((n) => codexTasks.onNotification(n));
+    // 按模式决定是否启用历史写入运行时。
+    const historyRuntime = (0, history_1.createWebHistoryRuntime)({
+        mode: (0, env_1.getWebHistoryMode)(),
+        dbPath: (0, env_1.getWebHistoryDbPath)(),
+    });
+    let getWsClients = () => 0;
+    const getStatusSnapshot = () => ({
+        codex: codex.getStatus(),
+        codexTask: codexTasks.getSnapshot(),
+        ws: { clients: getWsClients() },
+    });
+    const app = (0, app_1.createApp)({
+        sessionSecret,
+        startedAtMs,
+        getStatusSnapshot,
+        codex,
+        userStore,
+        userWorkspaceStore,
+        userSettingsStore,
+        historyQuery: historyRuntime?.query ?? null,
+    });
+    const server = http_1.default.createServer(app);
+    /**
+     * 注意：不要用 `new WebSocketServer({ server, path: "/ws" })`。
+     * 因为 ws 库在 path 不匹配时会对所有 upgrade 请求直接回 400（Bad Request），
+     * 会误伤 Socket.IO 的 websocket upgrade（路径为 `/socket.io`）。
+     *
+     * 这里使用 `noServer` 模式，仅在 `/ws` 路径手动接管 upgrade。
+     */
+    const wss = new ws_1.WebSocketServer({ noServer: true });
+    server.on("upgrade", (req, socket, head) => {
+        try {
+            const url = new URL(req.url ?? "", "http://localhost");
+            if (url.pathname !== "/ws")
+                return;
+        }
+        catch {
+            return;
+        }
+        wss.handleUpgrade(req, socket, head, (ws) => {
+            wss.emit("connection", ws, req);
+        });
+    });
+    getWsClients = () => wss.clients.size;
+    const io = new socket_io_1.Server(server, {
+        path: "/socket.io",
+        transports: ["websocket", "polling"],
+    });
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const hub = new wsHub_1.WsHub(wss, codex, sessionSecret, getStatusSnapshot, {
+        getActiveTurnIds: (threadId) => codexTasks.getActiveTurnIds(threadId),
+        userStore,
+        historyIngest: historyRuntime?.ingest ?? null,
+    });
+    const socketIoBridge = (0, socketIoBridge_1.createSocketIoBridge)({
+        ioServer: io,
+        upstreamWsUrlFactory: ({ host: bridgeHost, port: bridgePort, rawWsPath }) => `ws://${bridgeHost}:${bridgePort}${rawWsPath}`,
+    });
+    server.listen(port, host, () => {
+        // eslint-disable-next-line no-console
+        console.log(`codex-cli-web server listening on http://${host}:${port}`);
+    });
+    function shutdown(signal) {
+        // eslint-disable-next-line no-console
+        console.log(`shutting down (${signal})`);
+        socketIoBridge.dispose();
+        io.close();
+        wss.close();
+        server.close(() => process.exit(0));
+        unsubscribeCodexTasks();
+        hub.dispose();
+        void historyRuntime?.close();
+        codex.dispose();
+    }
+    process.on("SIGINT", shutdown);
+    process.on("SIGTERM", shutdown);
+}
+main().catch((err) => {
+    // eslint-disable-next-line no-console
+    console.error(err);
+    process.exit(1);
+});
+/**
+ * 判断监听地址是否为 loopback（仅本机可访问）。
+ */
+function isLoopbackHost(host) {
+    const normalized = String(host ?? "").trim().toLowerCase();
+    if (!normalized)
+        return true;
+    if (normalized === "localhost")
+        return true;
+    const ipVersion = node_net_1.default.isIP(normalized);
+    if (ipVersion === 4)
+        return normalized.startsWith("127.");
+    if (ipVersion === 6)
+        return normalized === "::1";
+    return false;
+}
+/**
+ * 当服务监听非 loopback 时，要求管理员初始化已完成，避免未初始化实例对外暴露。
+ */
+async function assertSafeAdminPasswordForHost(host, userStore) {
+    if (isLoopbackHost(host))
+        return;
+    const state = await (0, adminInit_1.readAdminInitState)(userStore);
+    if (!state.requiresSetup)
+        return;
+    throw new Error("Refusing to bind to a non-loopback host before admin initialization is completed on loopback.");
+}
+//# sourceMappingURL=index.js.map

package/server/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;AAAA,gDAAwB;AACxB,wDAA2B;AAC3B,yCAAqD;AACrD,2BAAqC;AACrC,0DAAuD;AACvD,gDAAsD;AACtD,gDAAmE;AACnE,2DAAwD;AACxD,+BAae;AACf,+BAAkC;AAClC,iDAAoD;AACpD,6DAA2E;AAC3E,uCAAoD;AACpD,gEAA6D;AAC7D,sCAAmC;AACnC,wDAA2D;AAC3D,uEAA0E;AAC1E,oEAAuE;AACvE,+CAAsD;AAEtD,KAAK,UAAU,IAAI;IACjB,4CAA4C;IAC5C,6EAA6E;IAC7E,IAAA,+BAAmB,EAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE3C,MAAM,IAAI,GAAG,IAAA,aAAO,GAAE,CAAC;IACvB,MAAM,IAAI,GAAG,IAAA,aAAO,GAAE,CAAC;IACvB,MAAM,aAAa,GAAG,IAAA,qBAAe,GAAE,CAAC;IACxC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE/B,oCAAoC;IACpC,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,EAAE,MAAM,EAAE,IAAA,2BAAqB,GAAE,EAAE,CAAC,CAAC;IACjE,6CAA6C;IAC7C,MAAM,IAAA,4CAA6B,EAAC;QAClC,MAAM;QACN,aAAa,EAAE,IAAA,0BAAoB,GAAE;QACrC,sBAAsB,EAAE,IAAA,mCAA6B,GAAE;KACxD,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,MAAM,IAAA,2BAAe,EAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IACpD,uCAAuC;IACvC,MAAM,8BAA8B,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IACtD,qCAAqC;IACrC,MAAM,kBAAkB,GAAG,MAAM,IAAA,6CAAwB,EAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IACtE,2BAA2B;IAC3B,MAAM,iBAAiB,GAAG,MAAM,IAAA,2CAAuB,EAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IACpE,MAAM,IAAA,+BAAc,EAAC,SAAS,CAAC,CAAC;IAEhC,MAAM,KAAK,GAAG,IAAI,+BAAc,CAAC;QAC/B,QAAQ,EAAE,IAAA,iBAAW,GAAE;QACvB,GAAG,EAAE,oBAAc;QACnB,kBAAkB,EAAE,IAAA,gCAA0B,GAAE;QAChD,sBAAsB,EAAE,IAAA,oCAA8B,GAAE;KACzD,CAAC,CAAC;IACH,MAAM,UAAU,GAAG,IAAI,mCAAgB,EAAE,CAAC;IAC1C,MAAM,qBAAqB,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;IACxF,oBAAoB;IACpB,MAAM,cAAc,GAAG,IAAA,iCAAuB,EAAC;QAC7C,IAAI,EAAE,IAAA,uBAAiB,GAAE;QACzB,MAAM,EAAE,IAAA,yBAAmB,GAAE;KAC9B,CAAC,CAAC;IAEH,IAAI,YAAY,GAAiB,GAAG,EAAE,CAAC,CAAC,CAAC;IACzC,MAAM,iBAAiB,GAAG,GAAG,EAAE,CAAC,CAAC;QAC/B,KAAK,EAAE,KAAK,CAAC,SAAS,EAAE;QACxB,SAAS,EAAE,UAAU,CAAC,WAAW,EAAE;QACnC,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE;KAChC,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,IAAA,eAAS,EAAC;QACpB,aAAa;QACb,WAAW;QACX,iBAAiB;QACjB,KAAK;QACL,SAAS;QACT,kBAAkB;QAClB,iBAAiB;QACjB,YAAY,EAAE,cAAc,EAAE,KAAK,IAAI,IAAI;KAC5C,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,cAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;IACtC;;;;;;OAMG;IACH,MAAM,GAAG,GAAG,IAAI,oBAAe,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE;QACzC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,EAAE,kBAAkB,CAAC,CAAC;YACvD,IAAI,GAAG,CAAC,QAAQ,KAAK,KAAK;gBAAE,OAAO;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,GAAG,CAAC,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,EAAE;YAC1C,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IACH,YAAY,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;IACtC,MAAM,EAAE,GAAG,IAAI,kBAAc,CAAC,MAAM,EAAE;QACpC,IAAI,EAAE,YAAY;QAClB,UAAU,EAAE,CAAC,WAAW,EAAE,SAAS,CAAC;KACrC,CAAC,CAAC;IACH,6DAA6D;IAC7D,MAAM,GAAG,GAAG,IAAI,aAAK,CAAC,GAAG,EAAE,KAAK,EAAE,aAAa,EAAE,iBAAiB,EAAE;QAClE,gBAAgB,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,QAAQ,CAAC;QACrE,SAAS;QACT,aAAa,EAAE,cAAc,EAAE,MAAM,IAAI,IAAI;KAC9C,CAAC,CAAC;IACH,MAAM,cAAc,GAAG,IAAA,qCAAoB,EAAC;QAC1C,QAAQ,EAAE,EAAE;QACZ,oBAAoB,EAAE,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,QAAQ,UAAU,IAAI,UAAU,GAAG,SAAS,EAAE;KAC5H,CAAC,CAAC;IAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;QAC7B,sCAAsC;QACtC,OAAO,CAAC,GAAG,CAAC,4CAA4C,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,SAAS,QAAQ,CAAC,MAAsB;QACtC,sCAAsC;QACtC,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,GAAG,CAAC,CAAC;QACzC,cAAc,CAAC,OAAO,EAAE,CAAC;QACzB,EAAE,CAAC,KAAK,EAAE,CAAC;QACX,GAAG,CAAC,KAAK,EAAE,CAAC;QACZ,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,qBAAqB,EAAE,CAAC;QACxB,GAAG,CAAC,OAAO,EAAE,CAAC;QACd,KAAK,cAAc,EAAE,KAAK,EAAE,CAAC;QAC7B,KAAK,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AAEH;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3D,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,IAAI,UAAU,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IAC5C,MAAM,SAAS,GAAG,kBAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvC,IAAI,SAAS,KAAK,CAAC;QAAE,OAAO,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC1D,IAAI,SAAS,KAAK,CAAC;QAAE,OAAO,UAAU,KAAK,KAAK,CAAC;IACjD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,8BAA8B,CAAC,IAAY,EAAE,SAAuC;IACjG,IAAI,cAAc,CAAC,IAAI,CAAC;QAAE,OAAO;IAEjC,MAAM,KAAK,GAAG,MAAM,IAAA,8BAAkB,EAAC,SAAS,CAAC,CAAC;IAClD,IAAI,CAAC,KAAK,CAAC,aAAa;QAAE,OAAO;IACjC,MAAM,IAAI,KAAK,CAAC,+FAA+F,CAAC,CAAC;AACnH,CAAC"}

package/server/dist/security/executionPolicy.d.ts

@@ -0,0 +1,33 @@
+import type { UserRole } from "../auth/userTypes";
+/**
+ * Codex 执行审批策略：
+ * - `never` 风险最高（不做审批）；
+ * - 其余策略均比 `never` 更严格。
+ */
+export type ApprovalPolicy = "untrusted" | "on-failure" | "on-request" | "never";
+/**
+ * Codex 沙箱策略：
+ * - `danger-full-access` 风险最高（不受沙箱限制）；
+ * - `workspace-write`/`read-only` 属于受控范围。
+ */
+export type SandboxMode = "read-only" | "workspace-write" | "danger-full-access";
+/**
+ * 按用户角色收敛 approvalPolicy：
+ * - admin：允许使用请求值（若合法），否则使用 fallback；
+ * - member：仅允许 MEMBER_ALLOWED_APPROVAL_POLICIES；请求值或 fallback 不安全则回退到 MEMBER_FALLBACK_APPROVAL_POLICY。
+ */
+export declare function coerceApprovalPolicyForUser(opts: {
+    userRole: UserRole;
+    requested: unknown;
+    fallback: ApprovalPolicy;
+}): ApprovalPolicy;
+/**
+ * 按用户角色收敛 sandbox：
+ * - admin：允许使用请求值（若合法），否则使用 fallback；
+ * - member：仅允许 MEMBER_ALLOWED_SANDBOX_MODES；请求值或 fallback 不安全则回退到 MEMBER_FALLBACK_SANDBOX_MODE。
+ */
+export declare function coerceSandboxModeForUser(opts: {
+    userRole: UserRole;
+    requested: unknown;
+    fallback: SandboxMode;
+}): SandboxMode;

package/server/dist/security/executionPolicy.js

@@ -0,0 +1,72 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.coerceApprovalPolicyForUser = coerceApprovalPolicyForUser;
+exports.coerceSandboxModeForUser = coerceSandboxModeForUser;
+const roles_1 = require("../auth/roles");
+/**
+ * member 允许的审批策略集合（显式禁用 `never`）。
+ */
+const MEMBER_ALLOWED_APPROVAL_POLICIES = new Set(["untrusted", "on-failure", "on-request"]);
+/**
+ * member 允许的沙箱策略集合（显式禁用 `danger-full-access`）。
+ */
+const MEMBER_ALLOWED_SANDBOX_MODES = new Set(["read-only", "workspace-write"]);
+/**
+ * 当请求值/默认值不安全时，member 的审批策略兜底值。
+ */
+const MEMBER_FALLBACK_APPROVAL_POLICY = "on-request";
+/**
+ * 当请求值/默认值不安全时，member 的沙箱策略兜底值。
+ */
+const MEMBER_FALLBACK_SANDBOX_MODE = "workspace-write";
+/**
+ * 解析客户端上报的 approvalPolicy；非法值返回 null。
+ */
+function parseApprovalPolicy(requested) {
+    const raw = typeof requested === "string" ? requested.trim() : "";
+    if (raw === "untrusted" || raw === "on-failure" || raw === "on-request" || raw === "never")
+        return raw;
+    return null;
+}
+/**
+ * 解析客户端上报的 sandbox；非法值返回 null。
+ */
+function parseSandboxMode(requested) {
+    const raw = typeof requested === "string" ? requested.trim() : "";
+    if (raw === "read-only" || raw === "workspace-write" || raw === "danger-full-access")
+        return raw;
+    return null;
+}
+/**
+ * 按用户角色收敛 approvalPolicy：
+ * - admin：允许使用请求值（若合法），否则使用 fallback；
+ * - member：仅允许 MEMBER_ALLOWED_APPROVAL_POLICIES；请求值或 fallback 不安全则回退到 MEMBER_FALLBACK_APPROVAL_POLICY。
+ */
+function coerceApprovalPolicyForUser(opts) {
+    const requestedPolicy = parseApprovalPolicy(opts.requested);
+    if ((0, roles_1.isAdminRole)(opts.userRole)) {
+        return requestedPolicy ?? opts.fallback;
+    }
+    if (requestedPolicy && MEMBER_ALLOWED_APPROVAL_POLICIES.has(requestedPolicy))
+        return requestedPolicy;
+    if (MEMBER_ALLOWED_APPROVAL_POLICIES.has(opts.fallback))
+        return opts.fallback;
+    return MEMBER_FALLBACK_APPROVAL_POLICY;
+}
+/**
+ * 按用户角色收敛 sandbox：
+ * - admin：允许使用请求值（若合法），否则使用 fallback；
+ * - member：仅允许 MEMBER_ALLOWED_SANDBOX_MODES；请求值或 fallback 不安全则回退到 MEMBER_FALLBACK_SANDBOX_MODE。
+ */
+function coerceSandboxModeForUser(opts) {
+    const requestedSandbox = parseSandboxMode(opts.requested);
+    if ((0, roles_1.isAdminRole)(opts.userRole)) {
+        return requestedSandbox ?? opts.fallback;
+    }
+    if (requestedSandbox && MEMBER_ALLOWED_SANDBOX_MODES.has(requestedSandbox))
+        return requestedSandbox;
+    if (MEMBER_ALLOWED_SANDBOX_MODES.has(opts.fallback))
+        return opts.fallback;
+    return MEMBER_FALLBACK_SANDBOX_MODE;
+}
+//# sourceMappingURL=executionPolicy.js.map

package/server/dist/security/executionPolicy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"executionPolicy.js","sourceRoot":"","sources":["../../src/security/executionPolicy.ts"],"names":[],"mappings":";;AA4DA,kEASC;AAOD,4DASC;AArFD,yCAA4C;AAiB5C;;GAEG;AACH,MAAM,gCAAgC,GAAG,IAAI,GAAG,CAAiB,CAAC,WAAW,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC,CAAC;AAE5G;;GAEG;AACH,MAAM,4BAA4B,GAAG,IAAI,GAAG,CAAc,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC,CAAC;AAE5F;;GAEG;AACH,MAAM,+BAA+B,GAAmB,YAAY,CAAC;AAErE;;GAEG;AACH,MAAM,4BAA4B,GAAgB,iBAAiB,CAAC;AAEpE;;GAEG;AACH,SAAS,mBAAmB,CAAC,SAAkB;IAC7C,MAAM,GAAG,GAAG,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAClE,IAAI,GAAG,KAAK,WAAW,IAAI,GAAG,KAAK,YAAY,IAAI,GAAG,KAAK,YAAY,IAAI,GAAG,KAAK,OAAO;QAAE,OAAO,GAAG,CAAC;IACvG,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,SAAkB;IAC1C,MAAM,GAAG,GAAG,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAClE,IAAI,GAAG,KAAK,WAAW,IAAI,GAAG,KAAK,iBAAiB,IAAI,GAAG,KAAK,oBAAoB;QAAE,OAAO,GAAG,CAAC;IACjG,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,SAAgB,2BAA2B,CAAC,IAA0E;IACpH,MAAM,eAAe,GAAG,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC5D,IAAI,IAAA,mBAAW,EAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,OAAO,eAAe,IAAI,IAAI,CAAC,QAAQ,CAAC;IAC1C,CAAC;IAED,IAAI,eAAe,IAAI,gCAAgC,CAAC,GAAG,CAAC,eAAe,CAAC;QAAE,OAAO,eAAe,CAAC;IACrG,IAAI,gCAAgC,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC,QAAQ,CAAC;IAC9E,OAAO,+BAA+B,CAAC;AACzC,CAAC;AAED;;;;GAIG;AACH,SAAgB,wBAAwB,CAAC,IAAuE;IAC9G,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC1D,IAAI,IAAA,mBAAW,EAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,OAAO,gBAAgB,IAAI,IAAI,CAAC,QAAQ,CAAC;IAC3C,CAAC;IAED,IAAI,gBAAgB,IAAI,4BAA4B,CAAC,GAAG,CAAC,gBAAgB,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACpG,IAAI,4BAA4B,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC,QAAQ,CAAC;IAC1E,OAAO,4BAA4B,CAAC;AACtC,CAAC"}

package/server/dist/security/origin.d.ts

@@ -0,0 +1,11 @@
+export declare function isLoopbackAddress(address: string | undefined): boolean;
+export type OriginPolicy = {
+    strict: boolean;
+    allowedOrigins: string[];
+};
+/**
+ * 判断请求 Origin 是否允许。
+ * - strict=false：不做限制；
+ * - strict=true：若存在 Origin，则必须命中 allowlist；Origin 为空时放行（兼容非浏览器客户端）。
+ */
+export declare function isAllowedOrigin(origin: string | undefined, policy: OriginPolicy): boolean;

package/server/dist/security/origin.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isLoopbackAddress = isLoopbackAddress;
+exports.isAllowedOrigin = isAllowedOrigin;
+function isLoopbackAddress(address) {
+    if (!address)
+        return false;
+    if (address === "127.0.0.1" || address === "::1")
+        return true;
+    if (address.startsWith("::ffff:127."))
+        return true;
+    return false;
+}
+function normalizeOriginHeader(origin) {
+    const raw = String(origin ?? "").trim();
+    if (!raw)
+        return null;
+    if (raw.toLowerCase() === "null")
+        return null;
+    try {
+        return new URL(raw).origin;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * 判断请求 Origin 是否允许。
+ * - strict=false：不做限制；
+ * - strict=true：若存在 Origin，则必须命中 allowlist；Origin 为空时放行（兼容非浏览器客户端）。
+ */
+function isAllowedOrigin(origin, policy) {
+    if (!policy.strict)
+        return true;
+    const normalized = normalizeOriginHeader(origin);
+    if (!normalized)
+        return true;
+    return policy.allowedOrigins.includes(normalized);
+}
+//# sourceMappingURL=origin.js.map

package/server/dist/security/origin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"origin.js","sourceRoot":"","sources":["../../src/security/origin.ts"],"names":[],"mappings":";;AAAA,8CAKC;AAuBD,0CAKC;AAjCD,SAAgB,iBAAiB,CAAC,OAA2B;IAC3D,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,IAAI,OAAO,KAAK,WAAW,IAAI,OAAO,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAC9D,IAAI,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,SAAS,qBAAqB,CAAC,MAA0B;IACvD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACxC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,eAAe,CAAC,MAA0B,EAAE,MAAoB;IAC9E,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAChC,MAAM,UAAU,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AACpD,CAAC"}

package/server/dist/settings/sqliteUserSettingsStore.d.ts

@@ -0,0 +1,12 @@
+import type { AuthDb } from "../auth/sqlite/authDb";
+import type { UserSettingsStore } from "./userSettingsStore";
+/**
+ * SQLite 用户配置仓库创建参数。
+ */
+export type CreateSqliteUserSettingsStoreOptions = {
+    authDb: AuthDb;
+};
+/**
+ * 基于 SQLite 创建用户配置仓库。
+ */
+export declare function createSqliteUserSettingsStore(options: CreateSqliteUserSettingsStoreOptions): UserSettingsStore;

package/server/dist/settings/sqliteUserSettingsStore.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSqliteUserSettingsStore = createSqliteUserSettingsStore;
+const userSettingsTypes_1 = require("./userSettingsTypes");
+/**
+ * 规范化用户名输入。
+ */
+function normalizeUsername(username) {
+    return String(username ?? "").trim();
+}
+/**
+ * 基于 SQLite 创建用户配置仓库。
+ */
+function createSqliteUserSettingsStore(options) {
+    const db = options.authDb.db;
+    const getSettingsByUsernameStatement = db.prepare(`
+    SELECT settings_json
+    FROM auth_user_settings
+    WHERE username = ?
+    LIMIT 1
+  `);
+    const upsertSettingsStatement = db.prepare(`
+    INSERT INTO auth_user_settings (
+      username, settings_json, updated_at_ms
+    ) VALUES (
+      @username, @settingsJson, @updatedAtMs
+    )
+    ON CONFLICT(username) DO UPDATE SET
+      settings_json = excluded.settings_json,
+      updated_at_ms = excluded.updated_at_ms
+  `);
+    return {
+        async getUserSettings(usernameRaw) {
+            const username = normalizeUsername(usernameRaw);
+            if (!username)
+                return (0, userSettingsTypes_1.normalizeUserSettings)(null);
+            const row = getSettingsByUsernameStatement.get(username);
+            if (!row)
+                return (0, userSettingsTypes_1.normalizeUserSettings)(null);
+            try {
+                const parsed = JSON.parse(String(row.settings_json ?? "{}"));
+                return (0, userSettingsTypes_1.normalizeUserSettings)(parsed);
+            }
+            catch {
+                return (0, userSettingsTypes_1.normalizeUserSettings)(null);
+            }
+        },
+        async replaceUserSettings(usernameRaw, settingsRaw) {
+            const username = normalizeUsername(usernameRaw);
+            if (!username)
+                throw new Error("username is required");
+            const normalizedSettings = (0, userSettingsTypes_1.normalizeUserSettings)(settingsRaw);
+            upsertSettingsStatement.run({
+                username,
+                settingsJson: JSON.stringify(normalizedSettings),
+                updatedAtMs: Date.now(),
+            });
+            return normalizedSettings;
+        },
+    };
+}
+//# sourceMappingURL=sqliteUserSettingsStore.js.map

package/server/dist/settings/sqliteUserSettingsStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqliteUserSettingsStore.js","sourceRoot":"","sources":["../../src/settings/sqliteUserSettingsStore.ts"],"names":[],"mappings":";;AA4BA,sEAkDC;AA5ED,2DAA4D;AAgB5D;;GAEG;AACH,SAAS,iBAAiB,CAAC,QAAgB;IACzC,OAAO,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAgB,6BAA6B,CAAC,OAA6C;IACzF,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;IAE7B,MAAM,8BAA8B,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;GAKjD,CAAC,CAAC;IAEH,MAAM,uBAAuB,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;;;;GAS1C,CAAC,CAAC;IAEH,OAAO;QACL,KAAK,CAAC,eAAe,CAAC,WAAmB;YACvC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAChD,IAAI,CAAC,QAAQ;gBAAE,OAAO,IAAA,yCAAqB,EAAC,IAAI,CAAC,CAAC;YAElD,MAAM,GAAG,GAAG,8BAA8B,CAAC,GAAG,CAAC,QAAQ,CAAgC,CAAC;YACxF,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAA,yCAAqB,EAAC,IAAI,CAAC,CAAC;YAE7C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,aAAa,IAAI,IAAI,CAAC,CAAC,CAAC;gBAC7D,OAAO,IAAA,yCAAqB,EAAC,MAAM,CAAC,CAAC;YACvC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAA,yCAAqB,EAAC,IAAI,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,KAAK,CAAC,mBAAmB,CAAC,WAAW,EAAE,WAAW;YAChD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAChD,IAAI,CAAC,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;YAEvD,MAAM,kBAAkB,GAAG,IAAA,yCAAqB,EAAC,WAAW,CAAC,CAAC;YAC9D,uBAAuB,CAAC,GAAG,CAAC;gBAC1B,QAAQ;gBACR,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC;gBAChD,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;aACxB,CAAC,CAAC;YACH,OAAO,kBAAkB,CAAC;QAC5B,CAAC;KACF,CAAC;AACJ,CAAC"}

package/server/dist/settings/userSettingsRoutes.d.ts

@@ -0,0 +1,8 @@
+import type { Router } from "express";
+import type { UserSettingsStore } from "./userSettingsStore";
+/**
+ * 创建用户配置同步 API 路由。
+ */
+export declare function createUserSettingsRoutes(opts: {
+    userSettingsStore: UserSettingsStore;
+}): Router;

package/server/dist/settings/userSettingsRoutes.js

@@ -0,0 +1,55 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUserSettingsRoutes = createUserSettingsRoutes;
+const express_1 = __importDefault(require("express"));
+const userSettingsTypes_1 = require("./userSettingsTypes");
+/**
+ * 从请求中读取已鉴权用户名；缺失时返回 401。
+ */
+function resolveAuthenticatedUsername(req, res) {
+    const username = String(req?.user?.username ?? "").trim();
+    if (!username) {
+        res.status(401).json({ ok: false, error: "unauthorized" });
+        return null;
+    }
+    return username;
+}
+/**
+ * 创建用户配置同步 API 路由。
+ */
+function createUserSettingsRoutes(opts) {
+    const router = express_1.default.Router();
+    router.get("/", async (req, res) => {
+        const username = resolveAuthenticatedUsername(req, res);
+        if (!username)
+            return;
+        try {
+            const settings = await opts.userSettingsStore.getUserSettings(username);
+            res.json({ ok: true, settings });
+        }
+        catch (error) {
+            res.status(500).json({ ok: false, error: "request_failed", details: String(error) });
+        }
+    });
+    router.put("/", async (req, res) => {
+        const username = resolveAuthenticatedUsername(req, res);
+        if (!username)
+            return;
+        try {
+            const body = (req.body ?? {});
+            // 兼容两种 payload：`{ settings: ... }` 或直接顶层 settings 对象。
+            const rawSettings = Object.prototype.hasOwnProperty.call(body, "settings") ? body.settings : body;
+            const normalizedSettings = (0, userSettingsTypes_1.normalizeUserSettings)(rawSettings);
+            const settings = await opts.userSettingsStore.replaceUserSettings(username, normalizedSettings);
+            res.json({ ok: true, settings });
+        }
+        catch (error) {
+            res.status(500).json({ ok: false, error: "request_failed", details: String(error) });
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=userSettingsRoutes.js.map

package/server/dist/settings/userSettingsRoutes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"userSettingsRoutes.js","sourceRoot":"","sources":["../../src/settings/userSettingsRoutes.ts"],"names":[],"mappings":";;;;;AAoBA,4DAgCC;AAnDD,sDAA8B;AAE9B,2DAA4D;AAE5D;;GAEG;AACH,SAAS,4BAA4B,CAAC,GAAQ,EAAE,GAAa;IAC3D,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QAC3D,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAgB,wBAAwB,CAAC,IAA8C;IACrF,MAAM,MAAM,GAAG,iBAAO,CAAC,MAAM,EAAE,CAAC;IAEhC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACjC,MAAM,QAAQ,GAAG,4BAA4B,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACxD,IAAI,CAAC,QAAQ;YAAE,OAAO;QAEtB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;YACxE,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACvF,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACjC,MAAM,QAAQ,GAAG,4BAA4B,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACxD,IAAI,CAAC,QAAQ;YAAE,OAAO;QAEtB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAQ,CAAC;YACrC,sDAAsD;YACtD,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;YAClG,MAAM,kBAAkB,GAAG,IAAA,yCAAqB,EAAC,WAAW,CAAC,CAAC;YAC9D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC;YAChG,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACvF,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/server/dist/settings/userSettingsStore.d.ts

@@ -0,0 +1,19 @@
+import { type AuthDb } from "../auth/sqlite/authDb";
+import type { UserSettings } from "./userSettingsTypes";
+/**
+ * 用户配置仓库接口（支持跨端同步）。
+ */
+export type UserSettingsStore = {
+    getUserSettings(username: string): Promise<UserSettings>;
+    replaceUserSettings(username: string, settings: UserSettings): Promise<UserSettings>;
+};
+type CreateUserSettingsStoreOptions = {
+    filePath?: string;
+    dbPath?: string;
+    authDb?: AuthDb;
+};
+/**
+ * 创建用户配置仓库（当前默认使用 SQLite）。
+ */
+export declare function createUserSettingsStore(opts: CreateUserSettingsStoreOptions): Promise<UserSettingsStore>;
+export {};

package/server/dist/settings/userSettingsStore.js

@@ -0,0 +1,26 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUserSettingsStore = createUserSettingsStore;
+const node_path_1 = __importDefault(require("node:path"));
+const authDb_1 = require("../auth/sqlite/authDb");
+const sqliteUserSettingsStore_1 = require("./sqliteUserSettingsStore");
+/**
+ * 解析用户配置仓库 SQLite 路径。
+ */
+function resolveUserSettingsStoreDbPath(opts) {
+    const rawDbPath = String(opts.dbPath ?? opts.filePath ?? "").trim();
+    if (!rawDbPath)
+        throw new Error("user settings store dbPath is required");
+    return node_path_1.default.resolve(rawDbPath);
+}
+/**
+ * 创建用户配置仓库（当前默认使用 SQLite）。
+ */
+async function createUserSettingsStore(opts) {
+    const authDb = opts.authDb ?? (0, authDb_1.createAuthDb)({ dbPath: resolveUserSettingsStoreDbPath(opts) });
+    return (0, sqliteUserSettingsStore_1.createSqliteUserSettingsStore)({ authDb });
+}
+//# sourceMappingURL=userSettingsStore.js.map

package/server/dist/settings/userSettingsStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"userSettingsStore.js","sourceRoot":"","sources":["../../src/settings/userSettingsStore.ts"],"names":[],"mappings":";;;;;AAoCA,0DAGC;AAvCD,0DAA6B;AAC7B,kDAAkE;AAClE,uEAA0E;AAsB1E;;GAEG;AACH,SAAS,8BAA8B,CAAC,IAAoC;IAC1E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACpE,IAAI,CAAC,SAAS;QAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC1E,OAAO,mBAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AACjC,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,uBAAuB,CAAC,IAAoC;IAChF,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,IAAA,qBAAY,EAAC,EAAE,MAAM,EAAE,8BAA8B,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7F,OAAO,IAAA,uDAA6B,EAAC,EAAE,MAAM,EAAE,CAAC,CAAC;AACnD,CAAC"}

package/server/dist/settings/userSettingsTypes.d.ts

@@ -0,0 +1,70 @@
+/**
+ * 用户可同步的审批策略。
+ */
+export type UserApprovalPolicy = "untrusted" | "on-failure" | "on-request" | "never";
+/**
+ * 用户可同步的语言配置。
+ */
+export type UserLocale = "zh-CN" | "en-US";
+/**
+ * 用户可同步的沙箱模式。
+ */
+export type UserSandboxMode = "read-only" | "workspace-write" | "danger-full-access";
+/**
+ * 线程级模型覆盖配置。
+ */
+export type UserThreadModelOverride = {
+    model?: string;
+    reasoningEffort?: string;
+};
+/**
+ * Web 默认模型配置。
+ */
+export type UserWebModelDefaults = {
+    model?: string;
+    reasoningEffort?: string;
+};
+/**
+ * 线程级权限覆盖配置。
+ */
+export type UserThreadPermissionsOverride = {
+    approvalPolicy?: UserApprovalPolicy;
+    sandbox?: UserSandboxMode;
+};
+/**
+ * 线程级协作模式覆盖配置。
+ */
+export type UserThreadCollaborationOverride = {
+    mode: "plan" | "default";
+    settings: {
+        model: string;
+        developer_instructions?: string | null;
+        reasoning_effort?: string | null;
+    };
+};
+/**
+ * 用户配置持久化结构（用于跨端同步）。
+ */
+export type UserSettings = {
+    locale: UserLocale;
+    theme: "light" | "dark";
+    accentColor: string | null;
+    backgroundColor: string | null;
+    sidebarCollapsed: boolean;
+    compactView: boolean;
+    threadNameOverrides: Record<string, string>;
+    threadModelOverrides: Record<string, UserThreadModelOverride>;
+    webModelDefaults: UserWebModelDefaults;
+    customModels: string[];
+    threadPermissionsOverrides: Record<string, UserThreadPermissionsOverride>;
+    threadCollaborationOverrides: Record<string, UserThreadCollaborationOverride>;
+    defaultWorkspace: string | null;
+};
+/**
+ * 默认用户配置（每次读取时应复制，避免引用污染）。
+ */
+export declare const DEFAULT_USER_SETTINGS: UserSettings;
+/**
+ * 规范化用户配置输入，确保可安全入库与返回。
+ */
+export declare function normalizeUserSettings(input: unknown): UserSettings;