npm - @wrongstack/webui - Versions diffs - 0.32.0 → 0.51.3 - Mend

@wrongstack/webui 0.32.0 → 0.51.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/assets/index-5ECutVTP.css +1 -0
package/dist/index.css +3 -0
package/dist/index.css.map +1 -1
package/dist/index.html +2 -2
package/dist/server/entry.js +457 -376
package/dist/server/entry.js.map +1 -1
package/dist/server/index.js +457 -376
package/dist/server/index.js.map +1 -1
package/package.json +5 -5
package/dist/assets/index-Ec0lUwfB.css +0 -1
/package/dist/assets/{index-26E8h-cq.js → index-BRHGqfHg.js} +0 -0

package/dist/server/entry.js CHANGED Viewed

@@ -1,8 +1,138 @@
 #!/usr/bin/env node
 // src/server/index.ts
 import * as fs2 from "fs/promises";
+import * as path2 from "path";
+// src/server/http-server.ts
+import * as fs from "fs/promises";
 import * as http from "http";
 import * as path from "path";
+var MIME_TYPES = {
+  ".html": "text/html",
+  ".js": "application/javascript",
+  ".css": "text/css",
+  ".json": "application/json",
+  ".svg": "image/svg+xml",
+  ".png": "image/png",
+  ".ico": "image/x-icon"
+};
+function buildCspHeader(wsPort2) {
+  return `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort2} wss://127.0.0.1:${wsPort2} ws://[::1]:${wsPort2} wss://[::1]:${wsPort2}; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`;
+}
+function isInsideDist(candidate, distDir) {
+  const root = path.resolve(distDir);
+  const resolved = path.resolve(candidate);
+  return resolved === root || resolved.startsWith(root + path.sep);
+}
+function createHttpServer(opts) {
+  const port = opts.port ?? Number.parseInt(process.env["PORT"] ?? "3456", 10);
+  const distDir = path.resolve(opts.distDir);
+  const wsPort2 = opts.wsPort;
+  return http.createServer(async (req, res) => {
+    try {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+      let filePath;
+      if (url.pathname === "/" || url.pathname === "") {
+        filePath = path.join(distDir, "index.html");
+      } else if (url.pathname.startsWith("/assets/")) {
+        filePath = path.join(distDir, url.pathname);
+      } else if (url.pathname.startsWith("/")) {
+        filePath = path.join(distDir, url.pathname);
+      } else {
+        filePath = path.join(distDir, "index.html");
+      }
+      const resolvedPath = path.resolve(filePath);
+      if (!isInsideDist(resolvedPath, distDir)) {
+        res.writeHead(403, { "Content-Type": "text/plain" });
+        res.end("Forbidden");
+        return;
+      }
+      const ext = path.extname(resolvedPath);
+      const contentType = MIME_TYPES[ext] ?? "application/octet-stream";
+      res.setHeader("Content-Type", contentType);
+      res.setHeader("X-Content-Type-Options", "nosniff");
+      res.setHeader("X-Frame-Options", "DENY");
+      res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+      if (ext === ".html") {
+        res.setHeader("Cache-Control", "no-cache");
+        res.setHeader("Content-Security-Policy", buildCspHeader(wsPort2));
+      }
+      const fileContent = await fs.readFile(resolvedPath);
+      res.writeHead(200);
+      res.end(fileContent);
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        try {
+          const fileContent = await fs.readFile(path.join(distDir, "index.html"));
+          res.writeHead(200, {
+            "Content-Type": "text/html",
+            "X-Content-Type-Options": "nosniff",
+            "X-Frame-Options": "DENY",
+            "Referrer-Policy": "strict-origin-when-cross-origin",
+            "Content-Security-Policy": buildCspHeader(wsPort2)
+          });
+          res.end(fileContent);
+        } catch {
+          res.writeHead(404);
+          res.end("Not found");
+        }
+      } else {
+        res.writeHead(500);
+        res.end("Server error");
+      }
+    }
+  });
+}
+// src/server/file-picker.ts
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  ".git",
+  "node_modules",
+  "dist",
+  "build",
+  ".next",
+  ".turbo",
+  ".cache",
+  "target",
+  "coverage",
+  ".nyc_output",
+  "out",
+  ".pnpm-store",
+  ".parcel-cache"
+]);
+var KEEP_DOTFILES = /* @__PURE__ */ new Set([
+  ".wrongstack",
+  ".env.example",
+  ".gitignore",
+  ".eslintrc",
+  ".prettierrc"
+]);
+function isHiddenEntry(name) {
+  return name.startsWith(".") && !KEEP_DOTFILES.has(name);
+}
+function rankFiles(paths, query, limit) {
+  const q = query.toLowerCase();
+  const scored = [];
+  for (const p of paths) {
+    if (!q) {
+      scored.push({ path: p, score: 0 });
+      continue;
+    }
+    const lower = p.toLowerCase();
+    const base = lower.split("/").pop() ?? lower;
+    let score = 0;
+    if (base === q) score = 100;
+    else if (base.startsWith(q)) score = 60;
+    else if (lower.includes(q)) score = 20;
+    else continue;
+    score -= p.split("/").length;
+    scored.push({ path: p, score });
+  }
+  scored.sort((a, b) => b.score - a.score || a.path.localeCompare(b.path));
+  return scored.slice(0, limit).map((s) => s.path);
+}
+// src/server/index.ts
 import {
   Agent,
   AutoCompactionMiddleware,
@@ -38,7 +168,7 @@ import { decryptConfigSecrets, encryptConfigSecrets } from "@wrongstack/core/sec
 import { buildProviderFactoriesFromRegistry, makeProviderFromConfig } from "@wrongstack/providers";
 import { builtinToolsPack, forgetTool, rememberTool } from "@wrongstack/tools";
 import { WebSocket, WebSocketServer } from "ws";
-import { randomBytes, timingSafeEqual } from "crypto";
+import { randomBytes } from "crypto";
 // ../runtime/src/container.ts
 import {
@@ -112,43 +242,14 @@ function createDefaultContainer(opts) {
 }
 // src/server/boot.ts
-import * as fs from "fs/promises";
-import * as os from "os";
 import {
-  DefaultConfigLoader,
-  DefaultLogger,
-  DefaultPathResolver,
-  DefaultSecretVault,
-  migratePlaintextSecrets,
-  resolveWstackPaths
+  bootConfig as coreBootConfig
 } from "@wrongstack/core";
 async function bootConfig() {
-  const cwd = process.cwd();
-  const pathResolver = new DefaultPathResolver(cwd);
-  const projectRoot = pathResolver.projectRoot;
-  const userHome = os.homedir();
-  const wpaths = resolveWstackPaths({ projectRoot, userHome });
-  await fs.mkdir(wpaths.globalRoot, { recursive: true });
-  await fs.mkdir(wpaths.projectDir, { recursive: true });
-  await fs.mkdir(wpaths.projectSessions, { recursive: true });
-  const vault = new DefaultSecretVault({ keyFile: wpaths.secretsKey });
-  for (const file of [wpaths.globalConfig, wpaths.projectLocalConfig]) {
-    try {
-      const { migrated } = await migratePlaintextSecrets(file, vault);
-      if (migrated > 0) {
-        process.stderr.write(`[WebUI] Encrypted ${migrated} plaintext secret(s) in ${file}
-`);
-      }
-    } catch {
-    }
-  }
-  const configLoader = new DefaultConfigLoader({ paths: wpaths, vault });
-  const config = await configLoader.load({ cliFlags: {} });
-  const logger = new DefaultLogger({
-    level: config.log?.level ?? "info",
-    file: wpaths.logFile
+  const { config, vault, globalConfigPath, projectRoot, wpaths, logger } = await coreBootConfig({
+    appLabel: "WebUI"
   });
-  return { config, vault, globalConfigPath: wpaths.globalConfig, projectRoot, wpaths, logger };
+  return { config, vault, globalConfigPath, projectRoot, wpaths, logger };
 }
 function patchConfig(config, updates) {
   return Object.freeze({ ...config, ...updates });
@@ -1279,7 +1380,255 @@ var WorktreeWebSocketHandler = class {
   }
 };
+// src/server/ws-auth.ts
+import { Buffer } from "buffer";
+import { timingSafeEqual } from "crypto";
+function isLoopbackHostname(hostname) {
+  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
+}
+function isLoopbackBind(wsHost2) {
+  return wsHost2 === "127.0.0.1" || wsHost2 === "::1" || wsHost2 === "localhost";
+}
+function tokenMatches(provided, expected) {
+  if (!provided) return false;
+  const a = Buffer.from(provided);
+  const b = Buffer.from(expected);
+  if (a.length !== b.length) return false;
+  return timingSafeEqual(a, b);
+}
+function extractToken(url) {
+  const match = url.match(/[?&]token=([^&]+)/);
+  return match ? match[1] : void 0;
+}
+function hostHeaderOk(input) {
+  if (!isLoopbackBind(input.wsHost)) return true;
+  const hostHeader = (input.hostHeader ?? "").trim();
+  if (!hostHeader) return false;
+  let hostname;
+  try {
+    hostname = new URL(`http://${hostHeader}`).hostname;
+  } catch {
+    return false;
+  }
+  return isLoopbackHostname(hostname);
+}
+function verifyClient(input) {
+  const { origin, url, hostHeader, remoteAddress, wsHost: wsHost2, expectedToken } = input;
+  const tokenOk = tokenMatches(extractToken(url ?? ""), expectedToken);
+  if (!hostHeaderOk({ hostHeader, wsHost: wsHost2 })) return false;
+  if (!origin) {
+    const remoteIp = remoteAddress ?? "";
+    const isRemoteLoopback = remoteIp === "127.0.0.1" || remoteIp === "::1";
+    if (!isRemoteLoopback && wsHost2 === "0.0.0.0") return false;
+    return tokenOk || isLoopbackBind(wsHost2);
+  }
+  try {
+    const { hostname } = new URL(origin);
+    if (isLoopbackHostname(hostname)) return true;
+    return tokenOk;
+  } catch {
+    return false;
+  }
+}
+// src/server/lifecycle.ts
+function createShutdown(res) {
+  const log = res.log ?? ((m) => console.log(m));
+  const exit = res.exit ?? ((code) => process.exit(code));
+  let shuttingDown = false;
+  return async () => {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    log("[WebUI] Shutting down...");
+    try {
+      await res.flushSession();
+    } catch (e) {
+      log(`[WebUI] Error closing session: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    for (const ws of res.clients()) ws.close();
+    for (const server of res.servers) server?.close();
+    exit(0);
+  };
+}
+function registerShutdownHandlers(res) {
+  const shutdown = createShutdown(res);
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+  return () => {
+    process.off("SIGINT", shutdown);
+    process.off("SIGTERM", shutdown);
+  };
+}
+// src/server/usage-cost.ts
+function getCostRates(model) {
+  const cost = model?.cost;
+  return {
+    input: cost?.input ?? 0,
+    output: cost?.output ?? 0,
+    cacheRead: cost?.cache_read ?? 0
+  };
+}
+function computeUsageCost(usage, rates) {
+  return (usage.input * rates.input + usage.output * rates.output + (usage.cacheRead ?? 0) * rates.cacheRead) / 1e6;
+}
+// src/server/provider-keys.ts
+function normalizeKeys(cfg) {
+  if (Array.isArray(cfg.apiKeys) && cfg.apiKeys.length > 0) {
+    return cfg.apiKeys.map((k) => ({ ...k }));
+  }
+  if (typeof cfg.apiKey === "string" && cfg.apiKey.length > 0) {
+    return [{ label: "default", apiKey: cfg.apiKey, createdAt: "" }];
+  }
+  return [];
+}
+function writeKeysBack(cfg, keys) {
+  if (keys.length === 0) {
+    delete cfg.apiKeys;
+    delete cfg.apiKey;
+    delete cfg.activeKey;
+    return;
+  }
+  cfg.apiKeys = keys;
+  const active = keys.find((k) => k.label === cfg.activeKey) ?? keys[0];
+  cfg.apiKey = active.apiKey;
+  if (!cfg.activeKey || !keys.some((k) => k.label === cfg.activeKey)) {
+    cfg.activeKey = active.label;
+  }
+}
+function maskedKey(key) {
+  if (!key) return "\u2014";
+  if (key.length <= 8) return "\u2022".repeat(key.length);
+  return `${key.slice(0, 4)}\u2026${key.slice(-4)}`;
+}
+function upsertKey(providers, providerId, label, apiKey, nowIso) {
+  const existing = providers[providerId] ?? { type: providerId };
+  const keys = normalizeKeys(existing);
+  const idx = keys.findIndex((k) => k.label === label);
+  if (idx >= 0) {
+    keys[idx] = { ...keys[idx], apiKey, createdAt: nowIso };
+  } else {
+    keys.push({ label, apiKey, createdAt: nowIso });
+  }
+  writeKeysBack(existing, keys);
+  if (!existing.activeKey) existing.activeKey = label;
+  providers[providerId] = existing;
+  return { ok: true, message: `Key "${label}" saved for ${providerId}` };
+}
+function deleteKey(providers, providerId, label) {
+  const existing = providers[providerId];
+  if (!existing) {
+    return { ok: false, message: `Provider "${providerId}" not found` };
+  }
+  const keys = normalizeKeys(existing).filter((k) => k.label !== label);
+  if (keys.length === 0) {
+    delete providers[providerId];
+  } else {
+    writeKeysBack(existing, keys);
+    if (existing.activeKey === label) existing.activeKey = keys[0].label;
+    providers[providerId] = existing;
+  }
+  return { ok: true, message: `Key "${label}" deleted from ${providerId}` };
+}
+function setActiveKey(providers, providerId, label) {
+  const existing = providers[providerId];
+  if (!existing) {
+    return { ok: false, message: `Provider "${providerId}" not found` };
+  }
+  existing.activeKey = label;
+  writeKeysBack(existing, normalizeKeys(existing));
+  providers[providerId] = existing;
+  return { ok: true, message: `Active key for ${providerId} set to "${label}"` };
+}
+function addProvider(providers, payload, nowIso) {
+  if (providers[payload.id]) {
+    return {
+      ok: false,
+      message: `Provider "${payload.id}" already exists. Use key.add to add a key.`
+    };
+  }
+  const newProv = {
+    type: payload.id,
+    family: payload.family,
+    baseUrl: payload.baseUrl
+  };
+  if (payload.apiKey) {
+    newProv.apiKeys = [{ label: "default", apiKey: payload.apiKey, createdAt: nowIso }];
+    newProv.activeKey = "default";
+  }
+  providers[payload.id] = newProv;
+  return { ok: true, message: `Provider "${payload.id}" added` };
+}
+function removeProvider(providers, providerId) {
+  if (!providers[providerId]) {
+    return { ok: false, message: `Provider "${providerId}" not found` };
+  }
+  delete providers[providerId];
+  return { ok: true, message: `Provider "${providerId}" removed` };
+}
+// src/server/token-estimator.ts
+function estimateTokens(s) {
+  return Math.ceil(s.length / 4);
+}
+function stringifyContent(c) {
+  if (typeof c === "string") return c;
+  try {
+    return JSON.stringify(c);
+  } catch {
+    return String(c);
+  }
+}
+function messageTokens(content) {
+  if (typeof content === "string") return estimateTokens(content);
+  if (!Array.isArray(content)) return 0;
+  let tk = 0;
+  for (const b of content) {
+    if (b.type === "text") tk += estimateTokens(b.text ?? "");
+    else if (b.type === "tool_use") tk += estimateTokens(stringifyContent(b.input));
+    else if (b.type === "tool_result") tk += estimateTokens(stringifyContent(b.content));
+    else tk += estimateTokens(stringifyContent(b));
+  }
+  return tk;
+}
+function messagePreview(content) {
+  if (typeof content === "string") return content.slice(0, 60);
+  if (!Array.isArray(content)) return "";
+  return content.map(
+    (b) => b.type === "text" ? (b.text ?? "").slice(0, 40) : b.type === "tool_use" ? `[tool_use: ${b.name}]` : b.type === "tool_result" ? "[tool_result]" : `[${b.type}]`
+  ).join(" ").slice(0, 60);
+}
+function estimateContextBreakdown(input) {
+  const sysTokens = input.systemPrompt.reduce((acc, b) => acc + estimateTokens(b.text ?? ""), 0);
+  const toolBreakdown = input.tools.map((t) => {
+    const schema = t.inputSchema ?? {};
+    const desc = t.description ?? "";
+    return {
+      name: t.name,
+      tokens: estimateTokens(t.name) + estimateTokens(desc) + estimateTokens(stringifyContent(schema))
+    };
+  });
+  const toolTokens = toolBreakdown.reduce((a, b) => a + b.tokens, 0);
+  const messageBreakdown = input.messages.map((m, i) => ({
+    index: i,
+    role: m.role,
+    tokens: messageTokens(m.content),
+    preview: messagePreview(m.content)
+  }));
+  const msgTokens = messageBreakdown.reduce((a, b) => a + b.tokens, 0);
+  return {
+    total: sysTokens + toolTokens + msgTokens,
+    systemPrompt: sysTokens,
+    tools: { total: toolTokens, count: input.tools.length, breakdown: toolBreakdown },
+    messages: { total: msgTokens, count: input.messages.length, breakdown: messageBreakdown }
+  };
+}
 // src/server/index.ts
+function errMessage(err) {
+  return err instanceof Error ? err.message : String(err);
+}
 async function startWebUI(opts = {}) {
   const wsPort2 = opts.wsPort ?? 3457;
   const wsHost2 = opts.wsHost ?? "127.0.0.1";
@@ -1514,10 +1863,10 @@ async function startWebUI(opts = {}) {
     try {
       const m = await modelsRegistry.getModel(config.provider, config.model);
       maxContext = m?.capabilities?.maxContext ?? 0;
-      const cost = m?.cost;
-      inputCost = cost?.input ?? 0;
-      outputCost = cost?.output ?? 0;
-      cacheReadCost = cost?.cache_read ?? 0;
+      const rates = getCostRates(m);
+      inputCost = rates.input;
+      outputCost = rates.output;
+      cacheReadCost = rates.cacheRead;
     } catch {
     }
     return {
@@ -1528,7 +1877,7 @@ async function startWebUI(opts = {}) {
       inputCost,
       outputCost,
       cacheReadCost,
-      projectName: path.basename(projectRoot) || projectRoot,
+      projectName: path2.basename(projectRoot) || projectRoot,
       cwd: projectRoot,
       mode: modeId,
       contextMode: String(context.meta["contextWindowMode"] ?? DEFAULT_CONTEXT_WINDOW_MODE_ID),
@@ -1537,59 +1886,25 @@ async function startWebUI(opts = {}) {
   }
   const wsToken = randomBytes(16).toString("hex");
   console.log(`[WebUI] WS auth token: ${wsToken.slice(0, 4)}\u2026${wsToken.slice(-4)} (masked)`);
-  const isLoopback = (hostname) => hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
-  const tokenMatches = (provided) => {
-    if (!provided) return false;
-    const a = Buffer.from(provided);
-    const b = Buffer.from(wsToken);
-    if (a.length !== b.length) return false;
-    return timingSafeEqual(a, b);
-  };
-  const hostHeaderOk = (req) => {
-    const boundToLoopback = wsHost2 === "127.0.0.1" || wsHost2 === "::1" || wsHost2 === "localhost";
-    if (!boundToLoopback) return true;
-    const hostHeader = (req.headers.host ?? "").trim();
-    if (!hostHeader) return false;
-    let hostname;
-    try {
-      hostname = new URL(`http://${hostHeader}`).hostname;
-    } catch {
-      return false;
-    }
-    return isLoopback(hostname);
-  };
-  const verifyClient = (info) => {
-    const origin = info.origin;
-    const url = info.req.url ?? "";
-    const tokenMatch = url.match(/[?&]token=([^&]+)/);
-    const providedToken = tokenMatch ? tokenMatch[1] : void 0;
-    const tokenOk = tokenMatches(providedToken);
-    if (!hostHeaderOk(info.req)) return false;
-    if (!origin) {
-      const remoteIp = info.req.socket.remoteAddress ?? "";
-      const isRemoteLoopback = remoteIp === "127.0.0.1" || remoteIp === "::1";
-      if (!isRemoteLoopback && wsHost2 === "0.0.0.0") return false;
-      return tokenOk || wsHost2 === "127.0.0.1" || wsHost2 === "::1" || wsHost2 === "localhost";
-    }
-    try {
-      const { hostname } = new URL(origin);
-      if (isLoopback(hostname)) return true;
-      return tokenOk;
-    } catch {
-      return false;
-    }
-  };
+  const verifyClient2 = (info) => verifyClient({
+    origin: info.origin,
+    url: info.req.url ?? "",
+    hostHeader: info.req.headers.host,
+    remoteAddress: info.req.socket.remoteAddress,
+    wsHost: wsHost2,
+    expectedToken: wsToken
+  });
   const WS_MAX_PAYLOAD = 8 * 1024 * 1024;
   const wssPrimary = new WebSocketServer({
     port: wsPort2,
     host: wsHost2,
-    verifyClient,
+    verifyClient: verifyClient2,
     maxPayload: WS_MAX_PAYLOAD
   });
   const wssSecondary = wsHost2 === "127.0.0.1" ? new WebSocketServer({
     port: wsPort2,
     host: "::1",
-    verifyClient,
+    verifyClient: verifyClient2,
     maxPayload: WS_MAX_PAYLOAD
   }) : null;
   const clients = /* @__PURE__ */ new Map();
@@ -1762,8 +2077,8 @@ async function startWebUI(opts = {}) {
       rateLimits.delete(String(ws));
       console.log("[WebUI] Client disconnected, total:", clients.size);
       if (pendingConfirms.size > 0) {
-        for (const [id, resolve2] of pendingConfirms) {
-          resolve2("no");
+        for (const [id, resolve3] of pendingConfirms) {
+          resolve3("no");
           pendingConfirms.delete(id);
         }
       }
@@ -1841,7 +2156,7 @@ async function startWebUI(opts = {}) {
             type: "error",
             payload: {
               phase: "agent.run",
-              message: err instanceof Error ? err.message : String(err)
+              message: errMessage(err)
             }
           });
         } finally {
@@ -1853,10 +2168,10 @@ async function startWebUI(opts = {}) {
       }
       case "tool.confirm_result": {
         const { id, decision } = msg.payload;
-        const resolve2 = pendingConfirms.get(id);
-        if (resolve2) {
+        const resolve3 = pendingConfirms.get(id);
+        if (resolve3) {
           pendingConfirms.delete(id);
-          resolve2(decision);
+          resolve3(decision);
         }
         break;
       }
@@ -1898,62 +2213,17 @@ async function startWebUI(opts = {}) {
         break;
       }
       case "context.debug": {
-        const estimate = (s) => Math.ceil(s.length / 4);
-        const stringifyContent = (c) => {
-          if (typeof c === "string") return c;
-          try {
-            return JSON.stringify(c);
-          } catch {
-            return String(c);
-          }
-        };
-        const sysTokens = context.systemPrompt.reduce((acc, b) => acc + estimate(b.text ?? ""), 0);
-        const tools = toolRegistry.list();
-        const toolBreakdown = tools.map((t) => {
-          const schema = t.inputSchema ?? {};
-          const desc = t.description ?? "";
-          return {
-            name: t.name,
-            tokens: estimate(t.name) + estimate(desc) + estimate(stringifyContent(schema))
-          };
-        });
-        const toolTokens = toolBreakdown.reduce((a, b) => a + b.tokens, 0);
-        const messageBreakdown = context.messages.map((m, i) => {
-          let tk = 0;
-          if (typeof m.content === "string") {
-            tk = estimate(m.content);
-          } else if (Array.isArray(m.content)) {
-            for (const b of m.content) {
-              if (b.type === "text") tk += estimate(b.text ?? "");
-              else if (b.type === "tool_use") tk += estimate(stringifyContent(b.input));
-              else if (b.type === "tool_result") tk += estimate(stringifyContent(b.content));
-              else tk += estimate(stringifyContent(b));
-            }
-          }
-          return {
-            index: i,
-            role: m.role,
-            tokens: tk,
-            preview: typeof m.content === "string" ? m.content.slice(0, 60) : Array.isArray(m.content) ? m.content.map(
-              (b) => b.type === "text" ? (b.text ?? "").slice(0, 40) : b.type === "tool_use" ? `[tool_use: ${b.name}]` : b.type === "tool_result" ? `[tool_result]` : `[${b.type}]`
-            ).join(" ").slice(0, 60) : ""
-          };
+        const breakdown = estimateContextBreakdown({
+          systemPrompt: context.systemPrompt,
+          tools: toolRegistry.list(),
+          messages: context.messages
         });
-        const msgTokens = messageBreakdown.reduce((a, b) => a + b.tokens, 0);
-        const total = sysTokens + toolTokens + msgTokens;
         send(ws, {
           type: "context.debug",
           payload: {
-            total,
+            ...breakdown,
             mode: context.meta["contextWindowMode"] ?? DEFAULT_CONTEXT_WINDOW_MODE_ID,
-            policy: context.meta["contextWindowPolicy"],
-            systemPrompt: sysTokens,
-            tools: { total: toolTokens, count: tools.length, breakdown: toolBreakdown },
-            messages: {
-              total: msgTokens,
-              count: context.messages.length,
-              breakdown: messageBreakdown
-            }
+            policy: context.meta["contextWindowPolicy"]
           }
         });
         break;
@@ -1978,7 +2248,7 @@ async function startWebUI(opts = {}) {
             `Compacted: ${report.before} \u2192 ${report.after} tokens (saved ~${Math.max(0, report.before - report.after)})`
           );
         } catch (err) {
-          sendResult(ws, false, err instanceof Error ? err.message : String(err));
+          sendResult(ws, false, errMessage(err));
         }
         break;
       }
@@ -2137,7 +2407,7 @@ async function startWebUI(opts = {}) {
             type: "key.operation_result",
             payload: {
               success: false,
-              message: `Switch failed: ${err instanceof Error ? err.message : String(err)}`
+              message: `Switch failed: ${errMessage(err)}`
             }
           });
           break;
@@ -2192,7 +2462,7 @@ async function startWebUI(opts = {}) {
         } catch (err) {
           send(ws, {
             type: "sessions.list",
-            payload: { sessions: [], error: err instanceof Error ? err.message : String(err) }
+            payload: { sessions: [], error: errMessage(err) }
           });
         }
         break;
@@ -2207,7 +2477,7 @@ async function startWebUI(opts = {}) {
           await sessionStore.delete(id);
           sendResult(ws, true, `Session ${id} deleted`);
         } catch (err) {
-          sendResult(ws, false, err instanceof Error ? err.message : String(err));
+          sendResult(ws, false, errMessage(err));
         }
         break;
       }
@@ -2242,7 +2512,7 @@ async function startWebUI(opts = {}) {
           });
           sendResult(ws, true, `Resumed session ${id}`);
         } catch (err) {
-          sendResult(ws, false, err instanceof Error ? err.message : String(err));
+          sendResult(ws, false, errMessage(err));
         }
         break;
       }
@@ -2270,7 +2540,7 @@ async function startWebUI(opts = {}) {
         } catch (err) {
           send(ws, {
             type: "memory.list",
-            payload: { text: "", error: err instanceof Error ? err.message : String(err) }
+            payload: { text: "", error: errMessage(err) }
           });
         }
         break;
@@ -2281,7 +2551,7 @@ async function startWebUI(opts = {}) {
           await memoryStore.remember(text, scope ?? "project-memory");
           sendResult(ws, true, "Saved to memory");
         } catch (err) {
-          sendResult(ws, false, err instanceof Error ? err.message : String(err));
+          sendResult(ws, false, errMessage(err));
         }
         break;
       }
@@ -2295,7 +2565,7 @@ async function startWebUI(opts = {}) {
             removed > 0 ? `Removed ${removed} entr${removed === 1 ? "y" : "ies"}` : "No matching entries"
           );
         } catch (err) {
-          sendResult(ws, false, err instanceof Error ? err.message : String(err));
+          sendResult(ws, false, errMessage(err));
         }
         break;
       }
@@ -2329,7 +2599,7 @@ async function startWebUI(opts = {}) {
             payload: {
               skills: [],
               enabled: true,
-              error: err instanceof Error ? err.message : String(err)
+              error: errMessage(err)
             }
           });
         }
@@ -2423,29 +2693,13 @@ async function startWebUI(opts = {}) {
             payload: { plan }
           });
         } catch (err) {
-          sendResult(ws, false, err instanceof Error ? err.message : String(err));
+          sendResult(ws, false, errMessage(err));
         }
         break;
       }
       case "files.list": {
         const payload = msg.payload ?? {};
-        const query = (payload.query ?? "").toLowerCase();
         const limit = payload.limit ?? 50;
-        const SKIP_DIRS = /* @__PURE__ */ new Set([
-          ".git",
-          "node_modules",
-          "dist",
-          "build",
-          ".next",
-          ".turbo",
-          ".cache",
-          "target",
-          "coverage",
-          ".nyc_output",
-          "out",
-          ".pnpm-store",
-          ".parcel-cache"
-        ]);
         const results = [];
         async function walk(dir, rel, depth) {
           if (depth > 8 || results.length >= 600) return;
@@ -2457,40 +2711,20 @@ async function startWebUI(opts = {}) {
           }
           for (const e of entries) {
             if (results.length >= 600) return;
-            if (e.name.startsWith(".") && e.name !== ".wrongstack" && e.name !== ".env.example") {
-              if (e.name !== ".gitignore" && e.name !== ".eslintrc" && e.name !== ".prettierrc")
-                continue;
-            }
+            if (isHiddenEntry(e.name)) continue;
             const childRel = rel ? `${rel}/${e.name}` : e.name;
             if (e.isDirectory()) {
               if (SKIP_DIRS.has(e.name)) continue;
-              await walk(path.join(dir, e.name), childRel, depth + 1);
+              await walk(path2.join(dir, e.name), childRel, depth + 1);
             } else if (e.isFile()) {
               results.push(childRel);
             }
           }
         }
         await walk(projectRoot, "", 0);
-        const scored = [];
-        for (const p of results) {
-          if (!query) {
-            scored.push({ path: p, score: 0 });
-            continue;
-          }
-          const lower = p.toLowerCase();
-          const base = lower.split("/").pop() ?? lower;
-          let score = 0;
-          if (base === query) score = 100;
-          else if (base.startsWith(query)) score = 60;
-          else if (lower.includes(query)) score = 20;
-          else continue;
-          score -= p.split("/").length;
-          scored.push({ path: p, score });
-        }
-        scored.sort((a, b) => b.score - a.score || a.path.localeCompare(b.path));
         send(ws, {
           type: "files.list",
-          payload: { files: scored.slice(0, limit).map((s) => s.path) }
+          payload: { files: rankFiles(results, payload.query ?? "", limit) }
         });
         break;
       }
@@ -2516,7 +2750,7 @@ async function startWebUI(opts = {}) {
             payload: {
               modes: [],
               activeId: "default",
-              error: err instanceof Error ? err.message : String(err)
+              error: errMessage(err)
             }
           });
         }
@@ -2555,7 +2789,7 @@ async function startWebUI(opts = {}) {
             payload: { ...await sessionStartPayload() }
           });
         } catch (err) {
-          sendResult(ws, false, err instanceof Error ? err.message : String(err));
+          sendResult(ws, false, errMessage(err));
         }
         break;
       }
@@ -2563,10 +2797,7 @@ async function startWebUI(opts = {}) {
         const usage = tokenCounter.total();
         const cacheStats = tokenCounter.cacheStats();
         const m = await modelsRegistry.getModel(config.provider, config.model).catch(() => null);
-        const inputCost = m?.cost?.input ?? 0;
-        const outputCost = m?.cost?.output ?? 0;
-        const cacheReadCost = m?.cost?.cache_read ?? 0;
-        const cost = (usage.input * inputCost + usage.output * outputCost + (usage.cacheRead ?? 0) * cacheReadCost) / 1e6;
+        const cost = computeUsageCost(usage, getCostRates(m));
         send(ws, {
           type: "stats.get",
           payload: {
@@ -2617,230 +2848,80 @@ async function startWebUI(opts = {}) {
     });
     await configWriteLock;
   }
-  function normalizeKeys(cfg) {
-    if (Array.isArray(cfg.apiKeys) && cfg.apiKeys.length > 0) {
-      return cfg.apiKeys.map((k) => ({ ...k }));
-    }
-    if (typeof cfg.apiKey === "string" && cfg.apiKey.length > 0) {
-      return [{ label: "default", apiKey: cfg.apiKey, createdAt: "" }];
-    }
-    return [];
-  }
-  function writeKeysBack(cfg, keys) {
-    if (keys.length === 0) {
-      delete cfg.apiKeys;
-      delete cfg.apiKey;
-      delete cfg.activeKey;
-      return;
-    }
-    cfg.apiKeys = keys;
-    const active = keys.find((k) => k.label === cfg.activeKey) ?? keys[0];
-    cfg.apiKey = active.apiKey;
-    if (!cfg.activeKey || !keys.some((k) => k.label === cfg.activeKey)) {
-      cfg.activeKey = active.label;
-    }
-  }
-  function maskedKey(key) {
-    if (!key) return "\u2014";
-    if (key.length <= 8) return "\u2022".repeat(key.length);
-    return `${key.slice(0, 4)}\u2026${key.slice(-4)}`;
-  }
   function sendResult(ws, success, message) {
     send(ws, { type: "key.operation_result", payload: { success, message } });
   }
   async function handleKeyUpsert(ws, providerId, label, apiKey) {
     try {
       const providers = await loadSavedProviders();
-      const existing = providers[providerId] ?? { type: providerId };
-      const keys = normalizeKeys(existing);
-      const idx = keys.findIndex((k) => k.label === label);
-      const nowIso = (/* @__PURE__ */ new Date()).toISOString();
-      if (idx >= 0) {
-        keys[idx] = { ...keys[idx], apiKey, createdAt: nowIso };
-      } else {
-        keys.push({ label, apiKey, createdAt: nowIso });
-      }
-      writeKeysBack(existing, keys);
-      if (!existing.activeKey) existing.activeKey = label;
-      providers[providerId] = existing;
-      await saveProviders(providers);
-      sendResult(ws, true, `Key "${label}" saved for ${providerId}`);
+      const result = upsertKey(providers, providerId, label, apiKey, (/* @__PURE__ */ new Date()).toISOString());
+      if (result.ok) await saveProviders(providers);
+      sendResult(ws, result.ok, result.message);
     } catch (err) {
-      sendResult(ws, false, err instanceof Error ? err.message : String(err));
+      sendResult(ws, false, errMessage(err));
     }
   }
   async function handleKeyDelete(ws, providerId, label) {
     try {
       const providers = await loadSavedProviders();
-      const existing = providers[providerId];
-      if (!existing) {
-        sendResult(ws, false, `Provider "${providerId}" not found`);
-        return;
-      }
-      const keys = normalizeKeys(existing).filter((k) => k.label !== label);
-      if (keys.length === 0) {
-        delete providers[providerId];
-      } else {
-        writeKeysBack(existing, keys);
-        if (existing.activeKey === label) existing.activeKey = keys[0].label;
-        providers[providerId] = existing;
-      }
-      await saveProviders(providers);
-      sendResult(ws, true, `Key "${label}" deleted from ${providerId}`);
+      const result = deleteKey(providers, providerId, label);
+      if (result.ok) await saveProviders(providers);
+      sendResult(ws, result.ok, result.message);
     } catch (err) {
-      sendResult(ws, false, err instanceof Error ? err.message : String(err));
+      sendResult(ws, false, errMessage(err));
     }
   }
   async function handleKeySetActive(ws, providerId, label) {
     try {
       const providers = await loadSavedProviders();
-      const existing = providers[providerId];
-      if (!existing) {
-        sendResult(ws, false, `Provider "${providerId}" not found`);
-        return;
-      }
-      existing.activeKey = label;
-      writeKeysBack(existing, normalizeKeys(existing));
-      providers[providerId] = existing;
-      await saveProviders(providers);
-      sendResult(ws, true, `Active key for ${providerId} set to "${label}"`);
+      const result = setActiveKey(providers, providerId, label);
+      if (result.ok) await saveProviders(providers);
+      sendResult(ws, result.ok, result.message);
     } catch (err) {
-      sendResult(ws, false, err instanceof Error ? err.message : String(err));
+      sendResult(ws, false, errMessage(err));
     }
   }
   async function handleProviderAdd(ws, payload) {
     try {
       const providers = await loadSavedProviders();
-      if (providers[payload.id]) {
-        sendResult(ws, false, `Provider "${payload.id}" already exists. Use key.add to add a key.`);
-        return;
-      }
-      const newProv = {
-        type: payload.id,
-        family: payload.family,
-        baseUrl: payload.baseUrl
-      };
-      if (payload.apiKey) {
-        newProv.apiKeys = [
-          { label: "default", apiKey: payload.apiKey, createdAt: (/* @__PURE__ */ new Date()).toISOString() }
-        ];
-        newProv.activeKey = "default";
-      }
-      providers[payload.id] = newProv;
-      await saveProviders(providers);
-      sendResult(ws, true, `Provider "${payload.id}" added`);
+      const result = addProvider(providers, payload, (/* @__PURE__ */ new Date()).toISOString());
+      if (result.ok) await saveProviders(providers);
+      sendResult(ws, result.ok, result.message);
     } catch (err) {
-      sendResult(ws, false, err instanceof Error ? err.message : String(err));
+      sendResult(ws, false, errMessage(err));
     }
   }
   async function handleProviderRemove(ws, providerId) {
     try {
       const providers = await loadSavedProviders();
-      if (!providers[providerId]) {
-        sendResult(ws, false, `Provider "${providerId}" not found`);
-        return;
-      }
-      delete providers[providerId];
-      await saveProviders(providers);
-      sendResult(ws, true, `Provider "${providerId}" removed`);
+      const result = removeProvider(providers, providerId);
+      if (result.ok) await saveProviders(providers);
+      sendResult(ws, result.ok, result.message);
     } catch (err) {
-      sendResult(ws, false, err instanceof Error ? err.message : String(err));
+      sendResult(ws, false, errMessage(err));
     }
   }
-  const httpPort = Number.parseInt(process.env["PORT"] ?? "3456", 10);
-  const DIST_DIR = path.resolve(import.meta.dirname, "../../dist");
-  const mimeTypes = {
-    ".html": "text/html",
-    ".js": "application/javascript",
-    ".css": "text/css",
-    ".json": "application/json",
-    ".svg": "image/svg+xml",
-    ".png": "image/png",
-    ".ico": "image/x-icon"
-  };
-  const httpServer = http.createServer(async (req, res) => {
-    try {
-      const url = new URL(req.url ?? "/", `http://127.0.0.1:${httpPort}`);
-      let filePath;
-      if (url.pathname === "/" || url.pathname === "") {
-        filePath = path.join(DIST_DIR, "index.html");
-      } else if (url.pathname.startsWith("/assets/")) {
-        filePath = path.join(DIST_DIR, url.pathname);
-      } else if (url.pathname.startsWith("/")) {
-        filePath = path.join(DIST_DIR, url.pathname);
-      } else {
-        filePath = path.join(DIST_DIR, "index.html");
-      }
-      const resolvedPath = path.resolve(filePath);
-      const resolvedRoot = path.resolve(DIST_DIR);
-      if (!resolvedPath.startsWith(resolvedRoot + path.sep) && resolvedPath !== resolvedRoot) {
-        res.writeHead(403, { "Content-Type": "text/plain" });
-        res.end("Forbidden");
-        return;
-      }
-      const ext = path.extname(resolvedPath);
-      const contentType = mimeTypes[ext] ?? "application/octet-stream";
-      res.setHeader("Content-Type", contentType);
-      res.setHeader("X-Content-Type-Options", "nosniff");
-      res.setHeader("X-Frame-Options", "DENY");
-      res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
-      if (ext === ".html") {
-        res.setHeader("Cache-Control", "no-cache");
-        res.setHeader(
-          "Content-Security-Policy",
-          `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort2} wss://127.0.0.1:${wsPort2} ws://[::1]:${wsPort2} wss://[::1]:${wsPort2}; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`
-        );
-      }
-      const fileContent = await fs2.readFile(resolvedPath);
-      res.writeHead(200);
-      res.end(fileContent);
-    } catch (err) {
-      if (err.code === "ENOENT") {
-        try {
-          const fileContent = await fs2.readFile(path.join(DIST_DIR, "index.html"));
-          res.writeHead(200, {
-            "Content-Type": "text/html",
-            "X-Content-Type-Options": "nosniff",
-            "X-Frame-Options": "DENY",
-            "Referrer-Policy": "strict-origin-when-cross-origin",
-            // SPA fallback previously shipped no CSP — apply the same policy as
-            // the direct .html branch so deep-linked routes aren't unprotected.
-            "Content-Security-Policy": `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort2} wss://127.0.0.1:${wsPort2} ws://[::1]:${wsPort2} wss://[::1]:${wsPort2}; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`
-          });
-          res.end(fileContent);
-        } catch {
-          res.writeHead(404);
-          res.end("Not found");
-        }
-      } else {
-        res.writeHead(500);
-        res.end("Server error");
-      }
-    }
+  const httpServer = createHttpServer({
+    host: wsHost2,
+    distDir: path2.resolve(import.meta.dirname, "../../dist"),
+    wsPort: wsPort2
   });
+  const httpPort = Number.parseInt(process.env["PORT"] ?? "3456", 10);
   httpServer.listen(httpPort, wsHost2, () => {
     console.log(`[WebUI] HTTP server running on http://${wsHost2}:${httpPort}`);
   });
-  const shutdown = async () => {
-    console.log("[WebUI] Shutting down...");
-    try {
+  registerShutdownHandlers({
+    flushSession: async () => {
       await session.append({
         type: "session_end",
         ts: (/* @__PURE__ */ new Date()).toISOString(),
         usage: tokenCounter.total()
       });
       await session.close();
-    } catch (e) {
-      console.warn("[WebUI] Error closing session:", e);
-    }
-    for (const [ws] of clients) ws.close();
-    httpServer.close();
-    wssPrimary.close();
-    wssSecondary?.close();
-    process.exit(0);
-  };
-  process.on("SIGINT", shutdown);
-  process.on("SIGTERM", shutdown);
+    },
+    clients: () => clients.keys(),
+    servers: [httpServer, wssPrimary, wssSecondary]
+  });
 }
 // src/server/entry.ts