@very_aq/codex-cli-web 0.0.1

package/server/dist/workspace/userWorkspaceRoutes.js

@@ -0,0 +1,124 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUserWorkspaceRoutes = createUserWorkspaceRoutes;
+const express_1 = __importDefault(require("express"));
+const promises_1 = __importDefault(require("node:fs/promises"));
+const node_path_1 = __importDefault(require("node:path"));
+const env_1 = require("../env");
+const accessControl_1 = require("./accessControl");
+function normalizeWorkspaceDirInputs(rawWorkspaceDirs) {
+    const input = Array.isArray(rawWorkspaceDirs) ? rawWorkspaceDirs : [];
+    return input.map((dir) => String(dir ?? "").trim()).filter(Boolean);
+}
+function mapWorkspaceValidationError(error) {
+    const details = String(error?.message ?? error ?? "invalid workspace dir");
+    if (details.includes("cwd not allowed")) {
+        return { status: 403, code: "path_not_allowed", details };
+    }
+    if (details.includes("cwd not found") || details.includes("cwd is not a directory") || details.includes("invalid cwd")) {
+        return { status: 400, code: "invalid_workspace_dir", details };
+    }
+    return { status: 400, code: "invalid_input", details };
+}
+async function resolveRealpathOrFallback(candidatePath) {
+    return promises_1.default.realpath(candidatePath).catch(() => node_path_1.default.resolve(candidatePath));
+}
+function resolveRequestedWorkspaceDir(workspaceDir) {
+    // 与 accessControl 的 cwd 解析口径保持一致：相对路径基于 CODEX_CWD。
+    const baseCwd = node_path_1.default.resolve((0, env_1.getCodexCwd)());
+    const rawWorkspaceDir = String(workspaceDir ?? "").trim();
+    if (rawWorkspaceDir.includes("\0"))
+        throw new Error("invalid cwd");
+    if (!rawWorkspaceDir)
+        throw new Error("invalid cwd");
+    return node_path_1.default.isAbsolute(rawWorkspaceDir) ? node_path_1.default.resolve(rawWorkspaceDir) : node_path_1.default.resolve(baseCwd, rawWorkspaceDir);
+}
+async function resolveTargetRealpathByExistingAncestor(targetPath) {
+    // 为了避免“通过 symlink 越权创建目录”，基于最近存在父目录的 realpath 计算目标真实路径。
+    let existingAncestorPath = node_path_1.default.resolve(targetPath);
+    while (true) {
+        try {
+            await promises_1.default.stat(existingAncestorPath);
+            break;
+        }
+        catch {
+            const parentPath = node_path_1.default.dirname(existingAncestorPath);
+            if (parentPath === existingAncestorPath)
+                break;
+            existingAncestorPath = parentPath;
+        }
+    }
+    const existingAncestorRealpath = await resolveRealpathOrFallback(existingAncestorPath);
+    const relativeToAncestor = node_path_1.default.relative(existingAncestorPath, node_path_1.default.resolve(targetPath));
+    return relativeToAncestor ? node_path_1.default.resolve(existingAncestorRealpath, relativeToAncestor) : existingAncestorRealpath;
+}
+async function assertWorkspaceCreateTargetAllowed(workspaceDir, user) {
+    const resolvedWorkspaceDir = resolveRequestedWorkspaceDir(workspaceDir);
+    const access = (0, accessControl_1.resolveAllowedRootsForUser)(user);
+    if (access.allowAnyRoot)
+        return resolvedWorkspaceDir;
+    if (!access.roots.length)
+        throw new Error(`cwd not allowed: ${resolvedWorkspaceDir}`);
+    const candidateRealpathBeforeCreate = await resolveTargetRealpathByExistingAncestor(resolvedWorkspaceDir);
+    const allowedRootRealpaths = await Promise.all(access.roots.map((rootPath) => resolveRealpathOrFallback(rootPath)));
+    const withinAllowedRoots = allowedRootRealpaths.some((rootRealpath) => (0, accessControl_1.isPathWithinRoot)(rootRealpath, candidateRealpathBeforeCreate));
+    if (!withinAllowedRoots)
+        throw new Error(`cwd not allowed: ${candidateRealpathBeforeCreate}`);
+    return resolvedWorkspaceDir;
+}
+async function ensureWorkspaceDirectoryExists(workspaceDir, user) {
+    const allowedTargetWorkspaceDir = await assertWorkspaceCreateTargetAllowed(workspaceDir, user);
+    // 路径不存在时自动创建；存在时保持幂等。
+    await promises_1.default.mkdir(allowedTargetWorkspaceDir, { recursive: true });
+}
+function createUserWorkspaceRoutes(opts) {
+    const router = express_1.default.Router();
+    router.get("/user-created", async (req, res) => {
+        const username = String(req.user?.username ?? "").trim();
+        if (!username) {
+            res.status(401).json({ ok: false, error: "unauthorized" });
+            return;
+        }
+        const workspaceDirs = await opts.userWorkspaceStore.listUserWorkspaceDirs(username);
+        res.json({ ok: true, workspaceDirs });
+    });
+    router.put("/user-created", async (req, res) => {
+        const username = String(req.user?.username ?? "").trim();
+        const user = req.user;
+        if (!username || !user) {
+            res.status(401).json({ ok: false, error: "unauthorized" });
+            return;
+        }
+        const body = (req.body ?? {});
+        if (!Array.isArray(body.workspaceDirs)) {
+            res.status(400).json({ ok: false, error: "invalid_input", details: "workspaceDirs must be an array" });
+            return;
+        }
+        try {
+            const inputWorkspaceDirs = normalizeWorkspaceDirInputs(body.workspaceDirs);
+            const seen = new Set();
+            const validatedWorkspaceDirs = [];
+            for (const workspaceDir of inputWorkspaceDirs) {
+                // 用户保存目录时路径不存在则自动创建；创建前先做权限边界校验。
+                await ensureWorkspaceDirectoryExists(workspaceDir, user);
+                // 复用现有访问控制：同时校验目录存在性与用户权限边界，返回 canonical 绝对路径。
+                const canonicalWorkspaceDir = await (0, accessControl_1.assertCwdAllowedForUser)({ cwd: workspaceDir, user });
+                if (seen.has(canonicalWorkspaceDir))
+                    continue;
+                seen.add(canonicalWorkspaceDir);
+                validatedWorkspaceDirs.push(canonicalWorkspaceDir);
+            }
+            const workspaceDirs = await opts.userWorkspaceStore.replaceUserWorkspaceDirs(username, validatedWorkspaceDirs);
+            res.json({ ok: true, workspaceDirs });
+        }
+        catch (error) {
+            const mapped = mapWorkspaceValidationError(error);
+            res.status(mapped.status).json({ ok: false, error: mapped.code, details: mapped.details });
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=userWorkspaceRoutes.js.map

package/server/dist/workspace/userWorkspaceRoutes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"userWorkspaceRoutes.js","sourceRoot":"","sources":["../../src/workspace/userWorkspaceRoutes.ts"],"names":[],"mappings":";;;;;AAgFA,8DAmDC;AAnID,sDAA8B;AAC9B,gEAAkC;AAClC,0DAA6B;AAC7B,gCAAqC;AACrC,mDAAwG;AAQxG,SAAS,2BAA2B,CAAC,gBAAyB;IAC5D,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,2BAA2B,CAAC,KAAc;IACjD,MAAM,OAAO,GAAG,MAAM,CAAE,KAAa,EAAE,OAAO,IAAI,KAAK,IAAI,uBAAuB,CAAC,CAAC;IACpF,IAAI,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACxC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC;IAC5D,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACvH,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,uBAAuB,EAAE,OAAO,EAAE,CAAC;IACjE,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,yBAAyB,CAAC,aAAqB;IAC5D,OAAO,kBAAE,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,mBAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,4BAA4B,CAAC,YAAoB;IACxD,mDAAmD;IACnD,MAAM,OAAO,GAAG,mBAAI,CAAC,OAAO,CAAC,IAAA,iBAAW,GAAE,CAAC,CAAC;IAC5C,MAAM,eAAe,GAAG,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;IACnE,IAAI,CAAC,eAAe;QAAE,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;IACrD,OAAO,mBAAI,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,mBAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,mBAAI,CAAC,OAAO,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;AACnH,CAAC;AAED,KAAK,UAAU,uCAAuC,CAAC,UAAkB;IACvE,wDAAwD;IACxD,IAAI,oBAAoB,GAAG,mBAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACpD,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;YACpC,MAAM;QACR,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,UAAU,GAAG,mBAAI,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;YACtD,IAAI,UAAU,KAAK,oBAAoB;gBAAE,MAAM;YAC/C,oBAAoB,GAAG,UAAU,CAAC;QACpC,CAAC;IACH,CAAC;IAED,MAAM,wBAAwB,GAAG,MAAM,yBAAyB,CAAC,oBAAoB,CAAC,CAAC;IACvF,MAAM,kBAAkB,GAAG,mBAAI,CAAC,QAAQ,CAAC,oBAAoB,EAAE,mBAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;IACzF,OAAO,kBAAkB,CAAC,CAAC,CAAC,mBAAI,CAAC,OAAO,CAAC,wBAAwB,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC,wBAAwB,CAAC;AACpH,CAAC;AAED,KAAK,UAAU,kCAAkC,CAAC,YAAoB,EAAE,IAAS;IAC/E,MAAM,oBAAoB,GAAG,4BAA4B,CAAC,YAAY,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,IAAA,0CAA0B,EAAC,IAAI,CAAC,CAAC;IAChD,IAAI,MAAM,CAAC,YAAY;QAAE,OAAO,oBAAoB,CAAC;IACrD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,oBAAoB,EAAE,CAAC,CAAC;IAEtF,MAAM,6BAA6B,GAAG,MAAM,uCAAuC,CAAC,oBAAoB,CAAC,CAAC;IAC1G,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,yBAAyB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IACpH,MAAM,kBAAkB,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,IAAA,gCAAgB,EAAC,YAAY,EAAE,6BAA6B,CAAC,CAAC,CAAC;IACtI,IAAI,CAAC,kBAAkB;QAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,6BAA6B,EAAE,CAAC,CAAC;IAE9F,OAAO,oBAAoB,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,8BAA8B,CAAC,YAAoB,EAAE,IAAS;IAC3E,MAAM,yBAAyB,GAAG,MAAM,kCAAkC,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;IAC/F,sBAAsB;IACtB,MAAM,kBAAE,CAAC,KAAK,CAAC,yBAAyB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,SAAgB,yBAAyB,CAAC,IAAsC;IAC9E,MAAM,MAAM,GAAG,iBAAO,CAAC,MAAM,EAAE,CAAC;IAEhC,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC7C,MAAM,QAAQ,GAAG,MAAM,CAAE,GAAW,CAAC,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAClE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QACpF,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC7C,MAAM,QAAQ,GAAG,MAAM,CAAE,GAAW,CAAC,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAClE,MAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAC;QAC/B,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;YACvB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAQ,CAAC;QACrC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;YACvG,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,kBAAkB,GAAG,2BAA2B,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAC3E,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;YAC/B,MAAM,sBAAsB,GAAa,EAAE,CAAC;YAC5C,KAAK,MAAM,YAAY,IAAI,kBAAkB,EAAE,CAAC;gBAC9C,iCAAiC;gBACjC,MAAM,8BAA8B,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;gBACzD,+CAA+C;gBAC/C,MAAM,qBAAqB,GAAG,MAAM,IAAA,uCAAuB,EAAC,EAAE,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC;gBACzF,IAAI,IAAI,CAAC,GAAG,CAAC,qBAAqB,CAAC;oBAAE,SAAS;gBAC9C,IAAI,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;gBAChC,sBAAsB,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;YACrD,CAAC;YAED,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,CAAC,QAAQ,EAAE,sBAAsB,CAAC,CAAC;YAC/G,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,2BAA2B,CAAC,KAAK,CAAC,CAAC;YAClD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/server/dist/workspace/userWorkspaceStore.d.ts

@@ -0,0 +1,12 @@
+import { type AuthDb } from "../auth/sqlite/authDb";
+export type UserWorkspaceStore = {
+    listUserWorkspaceDirs(username: string): Promise<string[]>;
+    replaceUserWorkspaceDirs(username: string, workspaceDirs: string[]): Promise<string[]>;
+};
+type CreateUserWorkspaceStoreOptions = {
+    filePath?: string;
+    dbPath?: string;
+    authDb?: AuthDb;
+};
+export declare function createUserWorkspaceStore(opts: CreateUserWorkspaceStoreOptions): Promise<UserWorkspaceStore>;
+export {};

package/server/dist/workspace/userWorkspaceStore.js

@@ -0,0 +1,23 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUserWorkspaceStore = createUserWorkspaceStore;
+const node_path_1 = __importDefault(require("node:path"));
+const authDb_1 = require("../auth/sqlite/authDb");
+const sqliteUserWorkspaceStore_1 = require("./sqliteUserWorkspaceStore");
+/**
+ * 解析用户工作目录仓库 SQLite 路径。
+ */
+function resolveUserWorkspaceStoreDbPath(opts) {
+    const rawDbPath = String(opts.dbPath ?? opts.filePath ?? "").trim();
+    if (!rawDbPath)
+        throw new Error("user workspace store dbPath is required");
+    return node_path_1.default.resolve(rawDbPath);
+}
+async function createUserWorkspaceStore(opts) {
+    const authDb = opts.authDb ?? (0, authDb_1.createAuthDb)({ dbPath: resolveUserWorkspaceStoreDbPath(opts) });
+    return (0, sqliteUserWorkspaceStore_1.createSqliteUserWorkspaceStore)({ authDb });
+}
+//# sourceMappingURL=userWorkspaceStore.js.map

package/server/dist/workspace/userWorkspaceStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"userWorkspaceStore.js","sourceRoot":"","sources":["../../src/workspace/userWorkspaceStore.ts"],"names":[],"mappings":";;;;;AA6BA,4DAGC;AAhCD,0DAA6B;AAC7B,kDAAkE;AAClE,yEAA4E;AAkB5E;;GAEG;AACH,SAAS,+BAA+B,CAAC,IAAqC;IAC5E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACpE,IAAI,CAAC,SAAS;QAAE,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC3E,OAAO,mBAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AACjC,CAAC;AAEM,KAAK,UAAU,wBAAwB,CAAC,IAAqC;IAClF,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,IAAA,qBAAY,EAAC,EAAE,MAAM,EAAE,+BAA+B,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC9F,OAAO,IAAA,yDAA8B,EAAC,EAAE,MAAM,EAAE,CAAC,CAAC;AACpD,CAAC"}

package/server/dist/ws/socketIoBridge.d.ts

@@ -0,0 +1,32 @@
+import { Server as SocketIoServer, Socket } from "socket.io";
+/**
+ * Socket.IO bridge 的生命周期句柄。
+ */
+export type SocketIoBridge = {
+    /**
+     * 清理 bridge 绑定的事件监听。
+     */
+    dispose: () => void;
+};
+/**
+ * 生成上游 ws URL 的参数。
+ */
+type UpstreamWsUrlFactoryInput = {
+    socket: Socket;
+    rawWsPath: string;
+    host: string;
+    port: number;
+};
+/**
+ * 创建 Socket.IO bridge 的入参。
+ */
+type CreateSocketIoBridgeInput = {
+    ioServer: SocketIoServer;
+    rawWsPath?: string;
+    upstreamWsUrlFactory?: (input: UpstreamWsUrlFactoryInput) => string;
+};
+/**
+ * 创建 Socket.IO -> 原 ws Hub 的桥接层。
+ */
+export declare function createSocketIoBridge(input: CreateSocketIoBridgeInput): SocketIoBridge;
+export {};

package/server/dist/ws/socketIoBridge.js

@@ -0,0 +1,194 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSocketIoBridge = createSocketIoBridge;
+const ws_1 = __importDefault(require("ws"));
+/**
+ * 连接桥中的消息事件名，统一复用单一事件承载现有 ws 协议对象。
+ */
+const SOCKET_IO_MESSAGE_EVENT = "message";
+/**
+ * 创建 Socket.IO -> 原 ws Hub 的桥接层。
+ */
+function createSocketIoBridge(input) {
+    /**
+     * 目标 ws path，默认沿用现有 ws hub 路径。
+     */
+    const rawWsPath = input.rawWsPath ?? "/ws";
+    /**
+     * 统一处理 Socket.IO 客户端连接，并桥接到内部 ws。
+     */
+    const onConnection = (socket) => {
+        /**
+         * 上游 ws 地址，默认指向当前进程监听端口。
+         */
+        const upstreamWsUrl = buildUpstreamWsUrl({
+            socket,
+            rawWsPath,
+            upstreamWsUrlFactory: input.upstreamWsUrlFactory,
+        });
+        /**
+         * 透传 cookie 到上游 ws，以复用现有鉴权逻辑。
+         */
+        const cookieHeader = typeof socket.handshake.headers.cookie === "string" ? socket.handshake.headers.cookie : "";
+        /**
+         * 上游 ws 客户端实例。
+         */
+        const upstreamWs = new ws_1.default(upstreamWsUrl, cookieHeader ? { headers: { Cookie: cookieHeader } } : undefined);
+        /**
+         * 在 socket.io 侧发送标准化错误消息。
+         */
+        const emitBridgeError = (message, details) => {
+            socket.emit(SOCKET_IO_MESSAGE_EVENT, {
+                type: "error",
+                message,
+                details,
+            });
+        };
+        /**
+         * socket.io -> ws：转发前端消息。
+         */
+        const onSocketMessage = (payload) => {
+            if (upstreamWs.readyState !== ws_1.default.OPEN)
+                return;
+            try {
+                upstreamWs.send(JSON.stringify(payload));
+            }
+            catch (err) {
+                emitBridgeError("socket.io bridge send failed", String(err));
+            }
+        };
+        /**
+         * ws -> socket.io：转发服务端消息。
+         */
+        const onUpstreamMessage = (buffer) => {
+            const raw = Buffer.isBuffer(buffer) ? buffer.toString("utf8") : String(buffer);
+            try {
+                const parsed = JSON.parse(raw);
+                socket.emit(SOCKET_IO_MESSAGE_EVENT, parsed);
+            }
+            catch {
+                // 仅透传 JSON 协议消息，非 JSON 直接忽略。
+            }
+        };
+        /**
+         * 上游 ws 关闭后，主动断开 socket.io 客户端，触发其重连策略。
+         */
+        const onUpstreamClose = (code, reasonBuffer) => {
+            if (code === 1008) {
+                emitBridgeError("unauthorized", reasonBuffer.toString("utf8"));
+            }
+            if (socket.connected)
+                socket.disconnect(true);
+        };
+        /**
+         * 上游 ws 错误处理，便于前端可观测。
+         */
+        const onUpstreamError = (err) => {
+            emitBridgeError("socket.io bridge upstream error", String(err));
+            if (socket.connected)
+                socket.disconnect(true);
+        };
+        /**
+         * socket.io 断开时，清理上游 ws。
+         */
+        const onSocketDisconnect = () => {
+            if (upstreamWs.readyState === ws_1.default.OPEN || upstreamWs.readyState === ws_1.default.CONNECTING) {
+                upstreamWs.close();
+            }
+        };
+        socket.on(SOCKET_IO_MESSAGE_EVENT, onSocketMessage);
+        socket.on("disconnect", onSocketDisconnect);
+        upstreamWs.on("message", onUpstreamMessage);
+        upstreamWs.on("close", onUpstreamClose);
+        upstreamWs.on("error", onUpstreamError);
+    };
+    input.ioServer.on("connection", onConnection);
+    return {
+        dispose: () => {
+            input.ioServer.off("connection", onConnection);
+        },
+    };
+}
+/**
+ * 构建上游 ws 地址。
+ */
+function buildUpstreamWsUrl(input) {
+    /**
+     * 基于本地监听地址推导可回环访问的 host。
+     */
+    const host = normalizeLoopbackHost(resolveLocalAddress(input.socket));
+    /**
+     * 当前连接可解析出的本地端口。
+     */
+    const port = resolveLocalPort(input.socket);
+    if (input.upstreamWsUrlFactory) {
+        return input.upstreamWsUrlFactory({
+            socket: input.socket,
+            rawWsPath: input.rawWsPath,
+            host,
+            port,
+        });
+    }
+    if (!port || !Number.isFinite(port))
+        throw new Error("socket.io bridge failed to resolve local port");
+    return `ws://${host}:${port}${input.rawWsPath}`;
+}
+/**
+ * 将监听地址标准化为可用于回环连接的 host。
+ */
+function normalizeLoopbackHost(host) {
+    const normalizedHost = String(host || "").trim().toLowerCase();
+    if (!normalizedHost)
+        return "127.0.0.1";
+    if (normalizedHost === "::" || normalizedHost === "0.0.0.0")
+        return "127.0.0.1";
+    if (normalizedHost === "::1")
+        return "127.0.0.1";
+    if (normalizedHost.startsWith("::ffff:"))
+        return normalizedHost.slice("::ffff:".length);
+    return normalizedHost;
+}
+/**
+ * 解析 Socket.IO 连接的本地地址（用于构建回环 ws URL）。
+ */
+function resolveLocalAddress(socket) {
+    const fromRequest = socket.request?.socket?.localAddress;
+    const fromConnRequest = socket.conn?.request?.socket?.localAddress;
+    const fromConnTransport = socket.conn?.transport?.socket?.localAddress;
+    const fromServer = resolveServerAddress(socket)?.address;
+    return String(fromRequest || fromConnRequest || fromConnTransport || fromServer || "127.0.0.1");
+}
+/**
+ * 解析 Socket.IO 连接对应的本地端口。
+ */
+function resolveLocalPort(socket) {
+    const fromRequest = Number(socket.request?.socket?.localPort || 0);
+    if (Number.isFinite(fromRequest) && fromRequest > 0)
+        return fromRequest;
+    const fromConnRequest = Number(socket.conn?.request?.socket?.localPort || 0);
+    if (Number.isFinite(fromConnRequest) && fromConnRequest > 0)
+        return fromConnRequest;
+    const fromConnTransport = Number(socket.conn?.transport?.socket?.localPort || 0);
+    if (Number.isFinite(fromConnTransport) && fromConnTransport > 0)
+        return fromConnTransport;
+    const fromServer = Number(resolveServerAddress(socket)?.port || 0);
+    if (Number.isFinite(fromServer) && fromServer > 0)
+        return fromServer;
+    return 0;
+}
+/**
+ * 从 Socket.IO server 提取监听地址对象。
+ */
+function resolveServerAddress(socket) {
+    const httpServer = socket.nsp?.server?.httpServer;
+    if (!httpServer)
+        return null;
+    const serverAddress = httpServer.address();
+    if (!serverAddress || typeof serverAddress === "string")
+        return null;
+    return serverAddress;
+}
+//# sourceMappingURL=socketIoBridge.js.map

package/server/dist/ws/socketIoBridge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"socketIoBridge.js","sourceRoot":"","sources":["../../src/ws/socketIoBridge.ts"],"names":[],"mappings":";;;;;AAwCA,oDAwGC;AA/ID,4CAA2B;AA+B3B;;GAEG;AACH,MAAM,uBAAuB,GAAG,SAAS,CAAC;AAE1C;;GAEG;AACH,SAAgB,oBAAoB,CAAC,KAAgC;IACnE;;OAEG;IACH,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC;IAE3C;;OAEG;IACH,MAAM,YAAY,GAAG,CAAC,MAAc,EAAE,EAAE;QACtC;;WAEG;QACH,MAAM,aAAa,GAAG,kBAAkB,CAAC;YACvC,MAAM;YACN,SAAS;YACT,oBAAoB,EAAE,KAAK,CAAC,oBAAoB;SACjD,CAAC,CAAC;QACH;;WAEG;QACH,MAAM,YAAY,GAAG,OAAO,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAChH;;WAEG;QACH,MAAM,UAAU,GAAG,IAAI,YAAS,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAElH;;WAEG;QACH,MAAM,eAAe,GAAG,CAAC,OAAe,EAAE,OAAiB,EAAE,EAAE;YAC7D,MAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE;gBACnC,IAAI,EAAE,OAAO;gBACb,OAAO;gBACP,OAAO;aACR,CAAC,CAAC;QACL,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,eAAe,GAAG,CAAC,OAAgB,EAAE,EAAE;YAC3C,IAAI,UAAU,CAAC,UAAU,KAAK,YAAS,CAAC,IAAI;gBAAE,OAAO;YACrD,IAAI,CAAC;gBACH,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;YAC3C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,eAAe,CAAC,8BAA8B,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,CAAC;QACH,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,iBAAiB,GAAG,CAAC,MAAyB,EAAE,EAAE;YACtD,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC/E,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC/B,MAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;YAAC,MAAM,CAAC;gBACP,6BAA6B;YAC/B,CAAC;QACH,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,eAAe,GAAG,CAAC,IAAY,EAAE,YAAoB,EAAE,EAAE;YAC7D,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAClB,eAAe,CAAC,cAAc,EAAE,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YACjE,CAAC;YACD,IAAI,MAAM,CAAC,SAAS;gBAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAChD,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,eAAe,GAAG,CAAC,GAAY,EAAE,EAAE;YACvC,eAAe,CAAC,iCAAiC,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAChE,IAAI,MAAM,CAAC,SAAS;gBAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAChD,CAAC,CAAC;QAEF;;WAEG;QACH,MAAM,kBAAkB,GAAG,GAAG,EAAE;YAC9B,IAAI,UAAU,CAAC,UAAU,KAAK,YAAS,CAAC,IAAI,IAAI,UAAU,CAAC,UAAU,KAAK,YAAS,CAAC,UAAU,EAAE,CAAC;gBAC/F,UAAU,CAAC,KAAK,EAAE,CAAC;YACrB,CAAC;QACH,CAAC,CAAC;QAEF,MAAM,CAAC,EAAE,CAAC,uBAAuB,EAAE,eAAe,CAAC,CAAC;QACpD,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;QAC5C,UAAU,CAAC,EAAE,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;QAC5C,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACxC,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IAC1C,CAAC,CAAC;IAEF,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IAE9C,OAAO;QACL,OAAO,EAAE,GAAG,EAAE;YACZ,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;QACjD,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,KAI3B;IACC;;OAEG;IACH,MAAM,IAAI,GAAG,qBAAqB,CAAC,mBAAmB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IACtE;;OAEG;IACH,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAE5C,IAAI,KAAK,CAAC,oBAAoB,EAAE,CAAC;QAC/B,OAAO,KAAK,CAAC,oBAAoB,CAAC;YAChC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,IAAI;YACJ,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACtG,OAAO,QAAQ,IAAI,IAAI,IAAI,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,IAAY;IACzC,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC/D,IAAI,CAAC,cAAc;QAAE,OAAO,WAAW,CAAC;IACxC,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,SAAS;QAAE,OAAO,WAAW,CAAC;IAChF,IAAI,cAAc,KAAK,KAAK;QAAE,OAAO,WAAW,CAAC;IACjD,IAAI,cAAc,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACxF,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAc;IACzC,MAAM,WAAW,GAAI,MAAM,CAAC,OAAe,EAAE,MAAM,EAAE,YAAY,CAAC;IAClE,MAAM,eAAe,GAAI,MAAM,CAAC,IAAY,EAAE,OAAO,EAAE,MAAM,EAAE,YAAY,CAAC;IAC5E,MAAM,iBAAiB,GAAI,MAAM,CAAC,IAAY,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,CAAC;IAChF,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IACzD,OAAO,MAAM,CAAC,WAAW,IAAI,eAAe,IAAI,iBAAiB,IAAI,UAAU,IAAI,WAAW,CAAC,CAAC;AAClG,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,MAAc;IACtC,MAAM,WAAW,GAAG,MAAM,CAAE,MAAM,CAAC,OAAe,EAAE,MAAM,EAAE,SAAS,IAAI,CAAC,CAAC,CAAC;IAC5E,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,WAAW,GAAG,CAAC;QAAE,OAAO,WAAW,CAAC;IAExE,MAAM,eAAe,GAAG,MAAM,CAAE,MAAM,CAAC,IAAY,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,IAAI,CAAC,CAAC,CAAC;IACtF,IAAI,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,eAAe,GAAG,CAAC;QAAE,OAAO,eAAe,CAAC;IAEpF,MAAM,iBAAiB,GAAG,MAAM,CAAE,MAAM,CAAC,IAAY,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,IAAI,CAAC,CAAC,CAAC;IAC1F,IAAI,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,iBAAiB,GAAG,CAAC;QAAE,OAAO,iBAAiB,CAAC;IAE1F,MAAM,UAAU,GAAG,MAAM,CAAC,oBAAoB,CAAC,MAAM,CAAC,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC;IACnE,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IAErE,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,MAAc;IAC1C,MAAM,UAAU,GAAI,MAAM,CAAC,GAAG,EAAE,MAAc,EAAE,UAA8G,CAAC;IAC/J,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,EAAE,CAAC;IAC3C,IAAI,CAAC,aAAa,IAAI,OAAO,aAAa,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACrE,OAAO,aAAa,CAAC;AACvB,CAAC"}

package/server/dist/ws/types.d.ts

@@ -0,0 +1,113 @@
+import type { ChatItem, ChatOp, FileChange } from "../chat/types";
+import type { TodoPlanUpdate } from "../chat/todoPlanTypes";
+export type WsClientMessage = {
+    type: "hello";
+    token: string;
+    clientVersion?: string;
+} | {
+    type: "get_status";
+} | {
+    type: "list_threads";
+    cwd?: string;
+    requestId?: string;
+} | {
+    type: "open_thread";
+    threadId?: string;
+    clientMessageId?: string;
+    cwd?: string;
+    approvalPolicy?: "untrusted" | "on-failure" | "on-request" | "never";
+    sandbox?: "read-only" | "workspace-write" | "danger-full-access";
+    model?: string;
+} | {
+    type: "load_thread_turns";
+    threadId: string;
+    before: number;
+    limit?: number;
+    clientMessageId?: string;
+} | {
+    type: "submit";
+    threadId: string;
+    text: string;
+    model?: string;
+    effort?: string;
+    reasoningEffort?: string;
+    approvalPolicy?: "untrusted" | "on-failure" | "on-request" | "never";
+    sandbox?: "read-only" | "workspace-write" | "danger-full-access";
+    collaborationMode?: unknown;
+    clientMessageId?: string;
+} | {
+    type: "interrupt";
+    threadId: string;
+    clientMessageId?: string;
+} | {
+    type: "respond_user_input";
+    requestId: string | number;
+    response: unknown;
+    clientMessageId?: string;
+};
+export type WsServerMessage = {
+    type: "ack";
+    ackType: "submit" | "open_thread" | "load_thread_turns" | "interrupt" | "respond_user_input";
+    clientMessageId: string;
+    threadId?: string;
+    requestId?: string | number;
+} | {
+    type: "ready";
+    serverVersion: string;
+    threads: unknown[];
+} | {
+    type: "status";
+    snapshot: {
+        codex?: unknown;
+        codexTask?: unknown;
+        ws?: unknown;
+    };
+} | {
+    type: "threads";
+    threads: unknown[];
+    requestId?: string;
+    cwd?: string | null;
+} | {
+    type: "thread_opened";
+    thread: unknown;
+    chatItems?: ChatItem[];
+} | {
+    type: "thread_turns";
+    threadId: string;
+    turns: unknown[];
+    turnsStart: number;
+    turnsTotal: number;
+    chatItems?: ChatItem[];
+} | {
+    type: "chat_ops";
+    threadId: string;
+    ops: ChatOp[];
+} | {
+    type: "todo_plan_update";
+    update: TodoPlanUpdate;
+} | {
+    type: "thread_context_usage";
+    threadId: string;
+    usagePercent: number;
+} | {
+    type: "user_input_required";
+    requestId: string | number;
+    threadId: string | null;
+    method: string;
+    params: unknown;
+    fileChanges?: FileChange[];
+} | {
+    type: "user_input_resolved";
+    requestId: string | number;
+    threadId: string | null;
+    method?: string;
+    response?: unknown;
+    mappedResponse?: unknown;
+    requestParams?: unknown;
+} | {
+    type: "error";
+    message: string;
+    details?: unknown;
+    clientMessageId?: string;
+    requestId?: string;
+};

package/server/dist/ws/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/server/dist/ws/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/ws/types.ts"],"names":[],"mappings":""}

package/server/dist/ws/wsHub.d.ts

@@ -0,0 +1,119 @@
+import { WebSocketServer } from "ws";
+import type { CodexAppServer } from "../codex/codexAppServer";
+import type { UserStore } from "../auth/userStore";
+import type { HistoryIngestService } from "../history/types";
+type StatusSnapshot = {
+    codex?: unknown;
+    codexTask?: unknown;
+    ws?: unknown;
+};
+type WsHubOpts = {
+    getActiveTurnIds?: (threadId: string) => string[];
+    pendingTimeoutMs?: number;
+    heartbeatIntervalMs?: number;
+    userStore?: UserStore;
+    historyIngest?: HistoryIngestService | null;
+};
+export declare class WsHub {
+    private readonly wss;
+    private readonly codex;
+    private readonly sessionSecret;
+    private readonly getStatusSnapshot;
+    private readonly clients;
+    private readonly readyClients;
+    private readonly threadOwners;
+    private readonly threadOwnerUsername;
+    private readonly threadOwnerUsernameMax;
+    private readonly threadCwdById;
+    private readonly pending;
+    private readonly seenSubmitIdsByThread;
+    private readonly submitDedupTtlMs;
+    private readonly submitDedupMaxPerThread;
+    private readonly wsUser;
+    private readonly wsByUser;
+    private readonly openThreadResultsByUser;
+    private readonly openThreadDedupTtlMs;
+    private readonly openThreadDedupMaxPerUser;
+    private readonly threadTurnsByUser;
+    private readonly threadTurnsCacheTtlMs;
+    private readonly threadTurnsCacheMaxPerUser;
+    private readonly threadContextUsageReader;
+    private readonly chatProjector;
+    private readonly threadCreatedAtMsById;
+    private readonly initialThreadTurnLimit;
+    private readonly loadThreadTurnsDefaultLimit;
+    private readonly loadThreadTurnsMaxLimit;
+    private readonly seenInterruptIdsByThread;
+    private readonly interruptDedupTtlMs;
+    private readonly interruptDedupMaxPerThread;
+    private statusTimer;
+    private lastStatusJson;
+    private readonly getActiveTurnIds;
+    private readonly pendingTimeoutMs;
+    private heartbeatTimer;
+    private readonly userStore;
+    private readonly historyIngest;
+    private workspaceRoutingSnapshot;
+    private workspaceRoutingSnapshotPromise;
+    private readonly workspaceRoutingSnapshotTtlMs;
+    constructor(wss: WebSocketServer, codex: CodexAppServer, sessionSecret: string, getStatusSnapshot: () => StatusSnapshot, opts?: WsHubOpts);
+    dispose(): void;
+    private onConnection;
+    private resolveWsUserInfo;
+    private getWsUserInfo;
+    private assertThreadAllowedForUser;
+    private startHeartbeat;
+    private handleAuthedMessage;
+    private listThreadsForClient;
+    private getWorkspaceRoutingSnapshot;
+    private isCwdVisibleToUser;
+    private getOrFetchThreadCwd;
+    /**
+     * 将消息广播给“对该 thread cwd 有权限”的在线用户，避免跨工作区泄露。
+     * 说明：同一通知可能对应多条下发消息（chat_ops + todo + usage），因此这里支持批量发送。
+     */
+    private broadcastMessagesToAuthorizedUsers;
+    private sendReady;
+    private rememberSubmitId;
+    private forgetSubmitId;
+    private getCachedOpenThreadResult;
+    private cacheOpenThreadResult;
+    private trimThreadTurnsForClient;
+    /**
+     * 从线程 session 文件中读取最新 token_count，并写入 `contextUsagePercent` 字段。
+     * 说明：前端会从 thread_opened payload 中读取该值，以解决“刚进来没有上下文使用率”的问题。
+     */
+    private attachThreadContextUsagePercent;
+    private cacheThreadTurns;
+    private getCachedThreadTurns;
+    private getOrFetchThreadTurns;
+    /**
+     * 解析本次 interrupt 应该尝试中断的 turnId 列表。
+     * 优先使用任务跟踪器提供的 active turnId；若为空，则回退为线程中最新的 turnId（尽力而为）。
+     */
+    private resolveInterruptTurnIds;
+    /**
+     * 从线程 turns 中提取“最新一个可用的 turnId”，用于 active turnId 缺失时的保底中断。
+     * 注意：这是 best-effort，任何读取/解析异常都应返回 null，避免影响 ack 流程。
+     */
+    private getLatestThreadTurnId;
+    private isThreadNotFoundError;
+    private recoverThreadForSubmit;
+    private rememberInterruptId;
+    private startStatusPump;
+    private sendStatus;
+    private broadcastStatus;
+    private broadcast;
+    private safeSend;
+    private handleCodexServerRequest;
+    private resolvePendingTargetUsername;
+    private setThreadOwner;
+    private pruneThreadOwnerUsernames;
+    private addUserClient;
+    private removeUserClient;
+    private isUserAuthorizedForPending;
+    private flushPendingForWs;
+    private dispatchPendingToReadyClients;
+    private broadcastUserInputResolved;
+}
+export {};