npm - @wrongstack/webui - Versions diffs - 0.63.4 → 0.68.0 - Mend

@wrongstack/webui 0.63.4 → 0.68.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/dist/server/entry.js CHANGED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 // src/server/index.ts
-import * as fs2 from "fs/promises";
-import * as path2 from "path";
+import * as fs4 from "fs/promises";
+import * as path4 from "path";
 // src/server/http-server.ts
 import * as fs from "fs/promises";
@@ -16,8 +16,18 @@ var MIME_TYPES = {
   ".png": "image/png",
   ".ico": "image/x-icon"
 };
-function buildCspHeader(wsPort2) {
-  return `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort2} wss://127.0.0.1:${wsPort2} ws://[::1]:${wsPort2} wss://[::1]:${wsPort2}; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`;
+function injectWsPort(html, wsPort) {
+  const tag = `<meta name="wrongstack-ws-port" content="${wsPort}" />`;
+  if (html.includes('name="wrongstack-ws-port"')) return html;
+  if (html.includes("</head>")) {
+    return html.replace("</head>", `  ${tag}
+  </head>`);
+  }
+  return `${tag}
+${html}`;
+}
+function buildCspHeader(wsPort) {
+  return `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort} wss://127.0.0.1:${wsPort} ws://[::1]:${wsPort} wss://[::1]:${wsPort}; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`;
 }
 function isInsideDist(candidate, distDir) {
   const root = path.resolve(distDir);
@@ -27,7 +37,7 @@ function isInsideDist(candidate, distDir) {
 function createHttpServer(opts) {
   const port = opts.port ?? Number.parseInt(process.env["PORT"] ?? "3456", 10);
   const distDir = path.resolve(opts.distDir);
-  const wsPort2 = opts.wsPort;
+  const wsPort = opts.wsPort;
   return http.createServer(async (req, res) => {
     try {
       const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
@@ -55,7 +65,11 @@ function createHttpServer(opts) {
       res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
       if (ext === ".html") {
         res.setHeader("Cache-Control", "no-cache");
-        res.setHeader("Content-Security-Policy", buildCspHeader(wsPort2));
+        res.setHeader("Content-Security-Policy", buildCspHeader(wsPort));
+        const html = await fs.readFile(resolvedPath, "utf8");
+        res.writeHead(200);
+        res.end(injectWsPort(html, wsPort));
+        return;
       }
       const fileContent = await fs.readFile(resolvedPath);
       res.writeHead(200);
@@ -63,15 +77,15 @@ function createHttpServer(opts) {
     } catch (err) {
       if (err.code === "ENOENT") {
         try {
-          const fileContent = await fs.readFile(path.join(distDir, "index.html"));
+          const html = await fs.readFile(path.join(distDir, "index.html"), "utf8");
           res.writeHead(200, {
             "Content-Type": "text/html",
             "X-Content-Type-Options": "nosniff",
             "X-Frame-Options": "DENY",
             "Referrer-Policy": "strict-origin-when-cross-origin",
-            "Content-Security-Policy": buildCspHeader(wsPort2)
+            "Content-Security-Policy": buildCspHeader(wsPort)
           });
-          res.end(fileContent);
+          res.end(injectWsPort(html, wsPort));
         } catch {
           res.writeHead(404);
           res.end("Not found");
@@ -155,7 +169,7 @@ import {
   ProviderRegistry,
   TOKENS as TOKENS2,
   ToolRegistry,
-  atomicWrite,
+  atomicWrite as atomicWrite3,
   createDefaultPipelines,
   DEFAULT_CONTEXT_WINDOW_MODE_ID,
   DEFAULT_TOOLS_CONFIG,
@@ -164,11 +178,9 @@ import {
   resolveContextWindowPolicy
 } from "@wrongstack/core";
 import { ToolExecutor } from "@wrongstack/core/execution";
-import { decryptConfigSecrets, encryptConfigSecrets } from "@wrongstack/core/security";
 import { buildProviderFactoriesFromRegistry, makeProviderFromConfig } from "@wrongstack/providers";
 import { builtinToolsPack, forgetTool, rememberTool } from "@wrongstack/tools";
-import { WebSocket, WebSocketServer } from "ws";
-import { randomBytes } from "crypto";
+import { WebSocketServer } from "ws";
 // ../runtime/src/container.ts
 import {
@@ -228,6 +240,7 @@ function createDefaultContainer(opts) {
       trustFile: wpaths.projectTrust,
       yolo: opts.permission?.yolo ?? false,
       yoloDestructive: opts.permission?.yoloDestructive ?? opts.permission?.forceAllYolo ?? false,
+      confirmDestructive: opts.permission?.confirmDestructive ?? false,
       promptDelegate: opts.permission?.promptDelegate
     })
   );
@@ -1386,8 +1399,8 @@ import { timingSafeEqual } from "crypto";
 function isLoopbackHostname(hostname) {
   return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
 }
-function isLoopbackBind(wsHost2) {
-  return wsHost2 === "127.0.0.1" || wsHost2 === "::1" || wsHost2 === "localhost";
+function isLoopbackBind(wsHost) {
+  return wsHost === "127.0.0.1" || wsHost === "::1" || wsHost === "localhost";
 }
 function tokenMatches(provided, expected) {
   if (!provided) return false;
@@ -1413,14 +1426,14 @@ function hostHeaderOk(input) {
   return isLoopbackHostname(hostname);
 }
 function verifyClient(input) {
-  const { origin, url, hostHeader, remoteAddress, wsHost: wsHost2, expectedToken } = input;
+  const { origin, url, hostHeader, remoteAddress, wsHost, expectedToken } = input;
   const tokenOk = tokenMatches(extractToken(url ?? ""), expectedToken);
-  if (!hostHeaderOk({ hostHeader, wsHost: wsHost2 })) return false;
+  if (!hostHeaderOk({ hostHeader, wsHost })) return false;
   if (!origin) {
     const remoteIp = remoteAddress ?? "";
     const isRemoteLoopback = remoteIp === "127.0.0.1" || remoteIp === "::1";
-    if (!isRemoteLoopback && wsHost2 === "0.0.0.0") return false;
-    return tokenOk || isLoopbackBind(wsHost2);
+    if (!isRemoteLoopback && wsHost === "0.0.0.0") return false;
+    return tokenOk || isLoopbackBind(wsHost);
   }
   try {
     const { hostname } = new URL(origin);
@@ -1447,6 +1460,13 @@ function createShutdown(res) {
     }
     for (const ws of res.clients()) ws.close();
     for (const server of res.servers) server?.close();
+    if (res.onShutdown) {
+      try {
+        await res.onShutdown();
+      } catch (e) {
+        log(`[WebUI] Error during shutdown cleanup: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
     exit(0);
   };
 }
@@ -1460,6 +1480,138 @@ function registerShutdownHandlers(res) {
   };
 }
+// src/server/instance-registry.ts
+import * as os from "os";
+import * as path2 from "path";
+import * as fs2 from "fs/promises";
+import { atomicWrite } from "@wrongstack/core";
+function defaultBaseDir() {
+  return path2.join(os.homedir(), ".wrongstack");
+}
+function registryPath(baseDir = defaultBaseDir()) {
+  return path2.join(baseDir, "webui-instances.json");
+}
+function isPidAlive(pid) {
+  if (!Number.isInteger(pid) || pid <= 0) return false;
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    return err.code !== "ESRCH";
+  }
+}
+async function load(file) {
+  try {
+    const raw = await fs2.readFile(file, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed?.version === 1 && Array.isArray(parsed.instances)) {
+      return parsed;
+    }
+  } catch {
+  }
+  return { version: 1, instances: [] };
+}
+async function save(file, instances) {
+  await atomicWrite(file, `${JSON.stringify({ version: 1, instances }, null, 2)}
+`, {
+    mode: 384
+  });
+}
+function prune(instances, excludePid) {
+  return instances.filter((i) => i.pid !== excludePid && isPidAlive(i.pid));
+}
+async function registerInstance(record, baseDir = defaultBaseDir()) {
+  const file = registryPath(baseDir);
+  const data = await load(file);
+  const instances = prune(data.instances, record.pid);
+  instances.push(record);
+  await save(file, instances);
+}
+async function unregisterInstance(pid, baseDir = defaultBaseDir()) {
+  const file = registryPath(baseDir);
+  const data = await load(file);
+  const instances = prune(data.instances, pid);
+  await save(file, instances);
+}
+async function listInstances(baseDir = defaultBaseDir()) {
+  const file = registryPath(baseDir);
+  const data = await load(file);
+  const live = prune(data.instances);
+  if (live.length !== data.instances.length) {
+    await save(file, live).catch(() => {
+    });
+  }
+  return live;
+}
+function formatInstances(instances) {
+  if (instances.length === 0) {
+    return "No WebUI instances are currently running.";
+  }
+  const lines = [`Running WebUI instances (${instances.length}):`, ""];
+  for (const i of instances) {
+    lines.push(
+      `  \u2022 ${i.url}  \xB7  ws:${i.wsPort}  \xB7  pid ${i.pid}`,
+      `      project: ${i.projectName}  (${i.projectRoot})`,
+      `      since:   ${i.startedAt}`
+    );
+  }
+  return lines.join("\n");
+}
+// src/server/port-utils.ts
+import * as net from "net";
+function isPortFree(host, port) {
+  return new Promise((resolve3) => {
+    const srv = net.createServer();
+    srv.once("error", () => resolve3(false));
+    srv.once("listening", () => {
+      srv.close(() => resolve3(true));
+    });
+    try {
+      srv.listen(port, host);
+    } catch {
+      resolve3(false);
+    }
+  });
+}
+async function findFreePort(host, startPort, opts = {}) {
+  const exclude = opts.exclude ?? /* @__PURE__ */ new Set();
+  const maxTries = opts.maxTries ?? 200;
+  let port = startPort;
+  for (let i = 0; i < maxTries; i++) {
+    if (port > 65535) port = 1024 + port % 5e4;
+    if (!exclude.has(port) && await isPortFree(host, port)) {
+      return port;
+    }
+    port++;
+  }
+  throw new Error(
+    `No free port found near ${startPort} on ${host} after ${maxTries} attempts.`
+  );
+}
+// src/server/open-browser.ts
+import { spawn } from "child_process";
+function browserOpenCommand(url, platform = process.platform) {
+  if (platform === "win32") {
+    return { command: "cmd", args: ["/c", "start", "", url] };
+  }
+  if (platform === "darwin") {
+    return { command: "open", args: [url] };
+  }
+  return { command: "xdg-open", args: [url] };
+}
+function openBrowser(url, platform = process.platform) {
+  try {
+    const { command, args } = browserOpenCommand(url, platform);
+    const child = spawn(command, args, { stdio: "ignore", detached: true });
+    child.on("error", () => {
+    });
+    child.unref();
+  } catch {
+  }
+}
 // src/server/usage-cost.ts
 function getCostRates(model) {
   const cost = model?.cost;
@@ -1473,6 +1625,60 @@ function computeUsageCost(usage, rates) {
   return (usage.input * rates.input + usage.output * rates.output + (usage.cacheRead ?? 0) * rates.cacheRead) / 1e6;
 }
+// src/server/provider-config-io.ts
+import * as fs3 from "fs/promises";
+import * as path3 from "path";
+import { atomicWrite as atomicWrite2 } from "@wrongstack/core";
+import { decryptConfigSecrets, encryptConfigSecrets } from "@wrongstack/core/security";
+import { DefaultSecretVault } from "@wrongstack/core";
+async function loadSavedProviders(configPath, vault) {
+  let raw;
+  try {
+    raw = await fs3.readFile(configPath, "utf8");
+  } catch {
+    return {};
+  }
+  let parsed = {};
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return {};
+  }
+  if (!parsed.providers) return {};
+  return decryptConfigSecrets(parsed.providers, vault);
+}
+async function saveProviders(configPath, vault, providers) {
+  let raw;
+  let fileExists = true;
+  try {
+    raw = await fs3.readFile(configPath, "utf8");
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      throw new Error(
+        `Refusing to mutate ${configPath}: ${err.message}`,
+        { cause: err }
+      );
+    }
+    fileExists = false;
+    raw = "{}";
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    if (fileExists) {
+      throw new Error(
+        `Refusing to overwrite corrupt config at ${configPath} (${err.message}). Fix or move the file aside before retrying.`,
+        { cause: err }
+      );
+    }
+    parsed = {};
+  }
+  parsed.providers = providers;
+  const encrypted = encryptConfigSecrets(parsed, vault);
+  await atomicWrite2(configPath, JSON.stringify(encrypted, null, 2), { mode: 384 });
+}
 // src/server/provider-keys.ts
 function normalizeKeys(cfg) {
   if (Array.isArray(cfg.apiKeys) && cfg.apiKeys.length > 0) {
@@ -1568,6 +1774,159 @@ function removeProvider(providers, providerId) {
   return { ok: true, message: `Provider "${providerId}" removed` };
 }
+// src/server/ws-utils.ts
+import { randomBytes } from "crypto";
+import { WebSocket } from "ws";
+function send(ws, msg) {
+  if (ws.readyState === WebSocket.OPEN) {
+    ws.send(JSON.stringify(msg));
+  }
+}
+function broadcast(clients, msg) {
+  const data = JSON.stringify(msg);
+  for (const [ws] of clients) {
+    if (ws.readyState === WebSocket.OPEN) {
+      try {
+        ws.send(data);
+      } catch {
+      }
+    }
+  }
+}
+function sendResult(ws, success, message) {
+  send(ws, { type: "key.operation_result", payload: { success, message } });
+}
+function errMessage(err) {
+  return err instanceof Error ? err.message : String(err);
+}
+function generateAuthToken() {
+  return randomBytes(16).toString("hex");
+}
+// src/server/provider-handlers.ts
+function createProviderHandlers(deps) {
+  const { globalConfigPath, vault } = deps;
+  let configWriteLock = deps.getConfigWriteLock();
+  async function loadConfigProviders() {
+    return loadSavedProviders(globalConfigPath, vault);
+  }
+  async function saveConfigProviders(providers) {
+    const next = configWriteLock.then(() => saveProviders(globalConfigPath, vault, providers));
+    configWriteLock = next;
+    deps.setConfigWriteLock(next);
+    await next;
+  }
+  async function handleKeyUpsert(ws, providerId, label, apiKey) {
+    try {
+      const providers = await loadConfigProviders();
+      const result = upsertKey(providers, providerId, label, apiKey, (/* @__PURE__ */ new Date()).toISOString());
+      if (result.ok) await saveConfigProviders(providers);
+      sendResult(ws, result.ok, result.message);
+    } catch (err) {
+      sendResult(ws, false, errMessage(err));
+    }
+  }
+  async function handleKeyDelete(ws, providerId, label) {
+    try {
+      const providers = await loadConfigProviders();
+      const result = deleteKey(providers, providerId, label);
+      if (result.ok) await saveConfigProviders(providers);
+      sendResult(ws, result.ok, result.message);
+    } catch (err) {
+      sendResult(ws, false, errMessage(err));
+    }
+  }
+  async function handleKeySetActive(ws, providerId, label) {
+    try {
+      const providers = await loadConfigProviders();
+      const result = setActiveKey(providers, providerId, label);
+      if (result.ok) await saveConfigProviders(providers);
+      sendResult(ws, result.ok, result.message);
+    } catch (err) {
+      sendResult(ws, false, errMessage(err));
+    }
+  }
+  async function handleProviderAdd(ws, payload) {
+    try {
+      const providers = await loadConfigProviders();
+      const result = addProvider(providers, payload, (/* @__PURE__ */ new Date()).toISOString());
+      if (result.ok) await saveConfigProviders(providers);
+      sendResult(ws, result.ok, result.message);
+    } catch (err) {
+      sendResult(ws, false, errMessage(err));
+    }
+  }
+  async function handleProviderRemove(ws, providerId) {
+    try {
+      const providers = await loadConfigProviders();
+      const result = removeProvider(providers, providerId);
+      if (result.ok) await saveConfigProviders(providers);
+      sendResult(ws, result.ok, result.message);
+    } catch (err) {
+      sendResult(ws, false, errMessage(err));
+    }
+  }
+  return { handleKeyUpsert, handleKeyDelete, handleKeySetActive, handleProviderAdd, handleProviderRemove, loadConfigProviders };
+}
+// src/server/setup-events.ts
+function setupEvents(deps) {
+  const { events, broadcast: broadcast2, clients, config, context, pendingConfirms } = deps;
+  events.on("iteration.started", (e) => {
+    broadcast2(clients, {
+      type: "iteration.started",
+      payload: { index: e.index, maxIterations: config.tools?.maxIterations ?? 100 }
+    });
+  });
+  events.on("provider.text_delta", (e) => {
+    broadcast2(clients, { type: "provider.text_delta", payload: { text: e.text, messageId: "current" } });
+  });
+  events.on("provider.thinking_delta", (e) => {
+    broadcast2(clients, { type: "provider.thinking_delta", payload: { text: e.text } });
+  });
+  events.on("tool.started", (e) => {
+    broadcast2(clients, {
+      type: "tool.started",
+      payload: { id: e.id, name: e.name, input: e.input, messageId: `tool_${e.id}` }
+    });
+  });
+  events.on("tool.progress", (e) => {
+    broadcast2(clients, {
+      type: "tool.progress",
+      payload: { id: e.id, name: e.name, eventType: e.event.type, text: e.event.text }
+    });
+  });
+  events.on("tool.executed", (e) => {
+    broadcast2(clients, {
+      type: "tool.executed",
+      payload: { id: e.id, name: e.name, durationMs: e.durationMs, ok: e.ok, input: e.input, output: e.output }
+    });
+    broadcast2(clients, { type: "todos.updated", payload: { todos: [...context.todos] } });
+  });
+  events.on("provider.response", (e) => {
+    broadcast2(clients, { type: "provider.response", payload: { usage: e.usage, stopReason: e.stopReason, messageId: "current" } });
+  });
+  events.on("context.repaired", (e) => {
+    broadcast2(clients, { type: "context.repaired", payload: { removedToolUses: e.removedToolUses, removedToolResults: e.removedToolResults, removedMessages: e.removedMessages } });
+  });
+  events.on("tool.confirm_needed", (e) => {
+    const id = e.toolUseId ?? `confirm_${Date.now()}`;
+    pendingConfirms.set(id, e.resolve);
+    broadcast2(clients, { type: "tool.confirm_needed", payload: { id, toolName: e.tool?.name ?? "unknown", input: e.input, suggestedPattern: e.suggestedPattern } });
+  });
+  events.on("error", (e) => {
+    broadcast2(clients, { type: "error", payload: { phase: e.phase, message: e.err instanceof Error ? e.err.message : String(e.err) } });
+  });
+  const forwardSubagent = (kind, payload) => broadcast2(clients, { type: "subagent.event", payload: { kind, ...payload } });
+  events.on("subagent.spawned", (e) => forwardSubagent("spawned", { subagentId: e.subagentId, taskId: e.taskId, name: e.name, provider: e.provider, model: e.model, description: e.description }));
+  events.on("subagent.task_started", (e) => forwardSubagent("task_started", { subagentId: e.subagentId, taskId: e.taskId, description: e.description }));
+  events.on("subagent.tool_executed", (e) => forwardSubagent("tool_executed", { subagentId: e.subagentId, toolName: e.name, durationMs: e.durationMs, ok: e.ok }));
+  events.on("subagent.iteration_summary", (e) => forwardSubagent("iteration_summary", { subagentId: e.subagentId, iteration: e.iteration, toolCalls: e.toolCalls, costUsd: e.costUsd, currentTool: e.currentTool }));
+  events.on("subagent.budget_extended", (e) => forwardSubagent("budget_extended", { subagentId: e.subagentId, totalExtensions: e.totalExtensions }));
+  events.on("subagent.ctx_pct", (e) => forwardSubagent("ctx_pct", { subagentId: e.subagentId, load: e.load, tokens: e.tokens, maxContext: e.maxContext }));
+  events.on("subagent.task_completed", (e) => forwardSubagent("task_completed", { subagentId: e.subagentId, status: e.status, iterations: e.iterations, toolCalls: e.toolCalls, error: e.error ? { kind: e.error.kind, message: e.error.message } : void 0 }));
+}
 // src/server/token-estimator.ts
 function estimateTokens(s) {
   return Math.ceil(s.length / 4);
@@ -1626,12 +1985,23 @@ function estimateContextBreakdown(input) {
 }
 // src/server/index.ts
-function errMessage(err) {
-  return err instanceof Error ? err.message : String(err);
-}
 async function startWebUI(opts = {}) {
-  const wsPort2 = opts.wsPort ?? 3457;
-  const wsHost2 = opts.wsHost ?? "127.0.0.1";
+  const requestedWsPort = opts.wsPort ?? 3457;
+  const wsHost = opts.wsHost ?? "127.0.0.1";
+  const requestedHttpPort = Number.parseInt(process.env["PORT"] ?? "3456", 10);
+  const strictPort = process.env["WEBUI_STRICT_PORT"] === "1" || process.env["WEBUI_STRICT_PORT"] === "true";
+  let wsPort = requestedWsPort;
+  let httpPort = requestedHttpPort;
+  if (!strictPort) {
+    httpPort = await findFreePort(wsHost, requestedHttpPort);
+    wsPort = await findFreePort(wsHost, requestedWsPort, { exclude: /* @__PURE__ */ new Set([httpPort]) });
+    if (httpPort !== requestedHttpPort) {
+      console.warn(`[WebUI] HTTP port ${requestedHttpPort} in use \u2192 using ${httpPort}`);
+    }
+    if (wsPort !== requestedWsPort) {
+      console.warn(`[WebUI] WS port ${requestedWsPort} in use \u2192 using ${wsPort}`);
+    }
+  }
   console.log("[WebUI] Starting backend services...");
   const boot = await bootConfig();
   const { config: baseConfig, vault, globalConfigPath, projectRoot, wpaths, logger } = boot;
@@ -1885,41 +2255,42 @@ async function startWebUI(opts = {}) {
       inputCost,
       outputCost,
       cacheReadCost,
-      projectName: path2.basename(projectRoot) || projectRoot,
+      projectName: path4.basename(projectRoot) || projectRoot,
       cwd: projectRoot,
       mode: modeId,
       contextMode: String(context.meta["contextWindowMode"] ?? DEFAULT_CONTEXT_WINDOW_MODE_ID),
       wsToken
     };
   }
-  const wsToken = randomBytes(16).toString("hex");
+  const wsToken = generateAuthToken();
   console.log(`[WebUI] WS auth token: ${wsToken.slice(0, 4)}\u2026${wsToken.slice(-4)} (masked)`);
   const verifyClient2 = (info) => verifyClient({
     origin: info.origin,
     url: info.req.url ?? "",
     hostHeader: info.req.headers.host,
     remoteAddress: info.req.socket.remoteAddress,
-    wsHost: wsHost2,
+    wsHost,
     expectedToken: wsToken
   });
   const WS_MAX_PAYLOAD = 8 * 1024 * 1024;
   const wssPrimary = new WebSocketServer({
-    port: wsPort2,
-    host: wsHost2,
+    port: wsPort,
+    host: wsHost,
     verifyClient: verifyClient2,
     maxPayload: WS_MAX_PAYLOAD
   });
-  const wssSecondary = wsHost2 === "127.0.0.1" ? new WebSocketServer({
-    port: wsPort2,
+  const wssSecondary = wsHost === "127.0.0.1" ? new WebSocketServer({
+    port: wsPort,
     host: "::1",
     verifyClient: verifyClient2,
     maxPayload: WS_MAX_PAYLOAD
   }) : null;
   const clients = /* @__PURE__ */ new Map();
-  const RATE_LIMIT_MESSAGES = 60;
+  const RATE_LIMIT_MESSAGES = Number.parseInt(process.env["WEBUI_RATE_LIMIT"] ?? "0", 10);
   const RATE_LIMIT_WINDOW_MS = 6e4;
   const rateLimits = /* @__PURE__ */ new Map();
   function checkRateLimit(ws, client) {
+    if (RATE_LIMIT_MESSAGES <= 0) return true;
     const now = Date.now();
     const key = client.sessionId ?? String(ws);
     const limit = rateLimits.get(key);
@@ -1933,116 +2304,9 @@ async function startWebUI(opts = {}) {
   }
   let runLock = null;
   console.log(
-    `[WebUI] WebSocket server running on ws://${wsHost2}:${wsPort2}` + (wssSecondary ? ` (and ws://[::1]:${wsPort2})` : "")
+    `[WebUI] WebSocket server running on ws://${wsHost}:${wsPort}` + (wssSecondary ? ` (and ws://[::1]:${wsPort})` : "")
   );
   const pendingConfirms = /* @__PURE__ */ new Map();
-  function setupEvents() {
-    events.on("iteration.started", (e) => {
-      broadcast({
-        type: "iteration.started",
-        payload: { index: e.index, maxIterations: config.tools?.maxIterations ?? 100 }
-      });
-    });
-    events.on("provider.text_delta", (e) => {
-      broadcast({ type: "provider.text_delta", payload: { text: e.text, messageId: "current" } });
-    });
-    events.on("provider.thinking_delta", (e) => {
-      broadcast({ type: "provider.thinking_delta", payload: { text: e.text } });
-    });
-    events.on("tool.started", (e) => {
-      broadcast({
-        type: "tool.started",
-        payload: { id: e.id, name: e.name, input: e.input, messageId: `tool_${e.id}` }
-      });
-    });
-    events.on("tool.progress", (e) => {
-      broadcast({
-        type: "tool.progress",
-        payload: {
-          id: e.id,
-          name: e.name,
-          eventType: e.event.type,
-          text: e.event.text
-        }
-      });
-    });
-    events.on("tool.executed", (e) => {
-      broadcast({
-        type: "tool.executed",
-        payload: {
-          // Forward the tool_use id so frontend can correlate with the
-          // matching tool.started bubble — without this, parallel tool calls
-          // all stay stuck on "Running…" because the frontend can't tell
-          // which bubble this result belongs to.
-          id: e.id,
-          name: e.name,
-          durationMs: e.durationMs,
-          ok: e.ok,
-          input: e.input,
-          output: e.output
-        }
-      });
-      broadcast({
-        type: "todos.updated",
-        payload: { todos: [...context.todos] }
-      });
-    });
-    events.on("provider.response", (e) => {
-      broadcast({
-        type: "provider.response",
-        payload: {
-          usage: e.usage,
-          stopReason: e.stopReason,
-          messageId: "current"
-        }
-      });
-    });
-    events.on("context.repaired", (e) => {
-      broadcast({
-        type: "context.repaired",
-        payload: {
-          removedToolUses: e.removedToolUses,
-          removedToolResults: e.removedToolResults,
-          removedMessages: e.removedMessages
-        }
-      });
-    });
-    events.on("tool.confirm_needed", (e) => {
-      const id = e.toolUseId ?? `confirm_${Date.now()}`;
-      pendingConfirms.set(id, e.resolve);
-      broadcast({
-        type: "tool.confirm_needed",
-        payload: {
-          id,
-          toolName: e.tool?.name ?? "unknown",
-          input: e.input,
-          suggestedPattern: e.suggestedPattern
-        }
-      });
-    });
-    events.on("error", (e) => {
-      broadcast({
-        type: "error",
-        payload: {
-          phase: e.phase,
-          message: e.err instanceof Error ? e.err.message : String(e.err)
-        }
-      });
-    });
-  }
-  function send(ws, msg) {
-    if (ws.readyState === WebSocket.OPEN) {
-      ws.send(JSON.stringify(msg));
-    }
-  }
-  function broadcast(msg) {
-    const data = JSON.stringify(msg);
-    for (const [ws] of clients) {
-      if (ws.readyState === WebSocket.OPEN) {
-        ws.send(data);
-      }
-    }
-  }
   const handleConnection = (ws) => {
     const client = { ws, sessionId: session.id, connectedAt: Date.now() };
     clients.set(ws, client);
@@ -2100,15 +2364,15 @@ async function startWebUI(opts = {}) {
     if (eventsArmed) return;
     eventsArmed = true;
     console.log(`[WebUI] Backend ready (${label})`);
-    setupEvents();
+    setupEvents({ events, broadcast, clients, config, context, pendingConfirms });
   };
-  wssPrimary.on("listening", () => armOnce(`${wsHost2}:${wsPort2}`));
+  wssPrimary.on("listening", () => armOnce(`${wsHost}:${wsPort}`));
   wssPrimary.on("connection", handleConnection);
   wssPrimary.on("error", (err) => {
-    console.error(`[WebUI] Primary WS server error (${wsHost2}):`, err);
+    console.error(`[WebUI] Primary WS server error (${wsHost}):`, err);
   });
   if (wssSecondary) {
-    wssSecondary.on("listening", () => armOnce(`::1:${wsPort2}`));
+    wssSecondary.on("listening", () => armOnce(`::1:${wsPort}`));
     wssSecondary.on("connection", handleConnection);
     wssSecondary.on("error", (err) => {
       if (err.code === "EAFNOSUPPORT" || err.code === "EADDRNOTAVAIL") {
@@ -2185,7 +2449,7 @@ async function startWebUI(opts = {}) {
       }
       case "abort":
         runLock?.abort();
-        broadcast({ type: "error", payload: { phase: "abort", message: "User aborted" } });
+        broadcast(clients, { type: "error", payload: { phase: "abort", message: "User aborted" } });
         break;
       case "ping":
         send(ws, { type: "pong", payload: {} });
@@ -2204,7 +2468,7 @@ async function startWebUI(opts = {}) {
         context.fileMtimes.clear();
         tokenCounter.reset();
         sessionStartedAt = Date.now();
-        broadcast({ type: "session.start", payload: await sessionStartPayload() });
+        broadcast(clients, { type: "session.start", payload: await sessionStartPayload() });
         break;
       }
       case "context.clear": {
@@ -2214,7 +2478,7 @@ async function startWebUI(opts = {}) {
         context.fileMtimes.clear();
         tokenCounter.reset();
         sendResult(ws, true, "Context cleared");
-        broadcast({
+        broadcast(clients, {
           type: "session.start",
           payload: { ...await sessionStartPayload(), reset: true }
         });
@@ -2273,7 +2537,7 @@ async function startWebUI(opts = {}) {
           beforeMessages,
           afterMessages: context.messages.length
         };
-        broadcast({ type: "context.repaired", payload });
+        broadcast(clients, { type: "context.repaired", payload });
         const removed = payload.removedToolUses.length + payload.removedToolResults.length + payload.removedMessages;
         sendResult(
           ws,
@@ -2311,7 +2575,7 @@ async function startWebUI(opts = {}) {
         context.meta["contextWindowMode"] = policy.id;
         context.meta["contextWindowPolicy"] = policy;
         sendResult(ws, true, `Context mode switched to ${policy.id}`);
-        broadcast({
+        broadcast(clients, {
           type: "context.mode.changed",
           payload: { id: policy.id, name: policy.name, policy }
         });
@@ -2337,7 +2601,7 @@ async function startWebUI(opts = {}) {
         break;
       }
       case "providers.saved": {
-        const saved = await loadSavedProviders();
+        const saved = await providerHandlers.loadConfigProviders();
         send(ws, {
           type: "providers.saved",
           payload: {
@@ -2396,11 +2660,11 @@ async function startWebUI(opts = {}) {
           updateAutoCompactionMaxContext?.(newProv);
           try {
             configWriteLock = configWriteLock.then(async () => {
-              const raw = await fs2.readFile(globalConfigPath, "utf8");
+              const raw = await fs4.readFile(globalConfigPath, "utf8");
               const parsed = JSON.parse(raw);
               parsed.provider = newProvider;
               parsed.model = newModel;
-              await atomicWrite(globalConfigPath, JSON.stringify(parsed, null, 2));
+              await atomicWrite3(globalConfigPath, JSON.stringify(parsed, null, 2));
             });
             await configWriteLock;
           } catch (err) {
@@ -2420,33 +2684,33 @@ async function startWebUI(opts = {}) {
           });
           break;
         }
-        broadcast({ type: "session.start", payload: await sessionStartPayload() });
+        broadcast(clients, { type: "session.start", payload: await sessionStartPayload() });
         break;
       }
       case "key.add":
       case "key.update": {
         const { providerId, label, apiKey } = msg.payload;
-        await handleKeyUpsert(ws, providerId, label, apiKey);
+        await providerHandlers.handleKeyUpsert(ws, providerId, label, apiKey);
         break;
       }
       case "key.delete": {
         const { providerId, label } = msg.payload;
-        await handleKeyDelete(ws, providerId, label);
+        await providerHandlers.handleKeyDelete(ws, providerId, label);
         break;
       }
       case "key.set_active": {
         const { providerId, label } = msg.payload;
-        await handleKeySetActive(ws, providerId, label);
+        await providerHandlers.handleKeySetActive(ws, providerId, label);
         break;
       }
       case "provider.add": {
         const p = msg.payload;
-        await handleProviderAdd(ws, p);
+        await providerHandlers.handleProviderAdd(ws, p);
         break;
       }
       case "provider.remove": {
         const { providerId } = msg.payload;
-        await handleProviderRemove(ws, providerId);
+        await providerHandlers.handleProviderRemove(ws, providerId);
         break;
       }
       case "sessions.list": {
@@ -2509,7 +2773,7 @@ async function startWebUI(opts = {}) {
           tokenCounter.reset();
           tokenCounter.account(resumed.data.usage, config.model);
           sessionStartedAt = Date.now();
-          broadcast({
+          broadcast(clients, {
             type: "session.start",
             payload: {
               ...await sessionStartPayload(),
@@ -2649,7 +2913,7 @@ async function startWebUI(opts = {}) {
       case "todos.clear": {
         context.state.replaceTodos([]);
         sendResult(ws, true, "Todos cleared");
-        broadcast({ type: "todos.updated", payload: { todos: [] } });
+        broadcast(clients, { type: "todos.updated", payload: { todos: [] } });
         break;
       }
       case "plan.get": {
@@ -2696,7 +2960,7 @@ async function startWebUI(opts = {}) {
           }
           await savePlan(planPath, plan);
           sendResult(ws, true, `Applied template "${tpl.name}" \u2014 ${tpl.items.length} items added.`);
-          broadcast({
+          broadcast(clients, {
             type: "plan.updated",
             payload: { plan }
           });
@@ -2713,7 +2977,7 @@ async function startWebUI(opts = {}) {
           if (depth > 8 || results.length >= 600) return;
           let entries = [];
           try {
-            entries = await fs2.readdir(dir, { withFileTypes: true });
+            entries = await fs4.readdir(dir, { withFileTypes: true });
           } catch {
             return;
           }
@@ -2723,7 +2987,7 @@ async function startWebUI(opts = {}) {
             const childRel = rel ? `${rel}/${e.name}` : e.name;
             if (e.isDirectory()) {
               if (SKIP_DIRS.has(e.name)) continue;
-              await walk(path2.join(dir, e.name), childRel, depth + 1);
+              await walk(path4.join(dir, e.name), childRel, depth + 1);
             } else if (e.isFile()) {
               results.push(childRel);
             }
@@ -2792,7 +3056,7 @@ async function startWebUI(opts = {}) {
             model: config.model
           });
           sendResult(ws, true, `Switched to mode "${id}"`);
-          broadcast({
+          broadcast(clients, {
             type: "session.start",
             payload: { ...await sessionStartPayload() }
           });
@@ -2831,92 +3095,37 @@ async function startWebUI(opts = {}) {
         }
     }
   }
-  async function loadSavedProviders() {
-    try {
-      const raw = await fs2.readFile(globalConfigPath, "utf8");
-      const parsed = JSON.parse(raw);
-      if (!parsed.providers) return {};
-      return decryptConfigSecrets(parsed.providers, vault);
-    } catch {
-      return {};
-    }
-  }
-  async function saveProviders(providers) {
-    configWriteLock = configWriteLock.then(async () => {
-      let parsed;
-      try {
-        const raw = await fs2.readFile(globalConfigPath, "utf8");
-        parsed = JSON.parse(raw);
-      } catch {
-        parsed = {};
-      }
-      parsed["providers"] = providers;
-      const encrypted = encryptConfigSecrets(parsed, vault);
-      await atomicWrite(globalConfigPath, JSON.stringify(encrypted, null, 2), { mode: 384 });
-    });
-    await configWriteLock;
-  }
-  function sendResult(ws, success, message) {
-    send(ws, { type: "key.operation_result", payload: { success, message } });
-  }
-  async function handleKeyUpsert(ws, providerId, label, apiKey) {
-    try {
-      const providers = await loadSavedProviders();
-      const result = upsertKey(providers, providerId, label, apiKey, (/* @__PURE__ */ new Date()).toISOString());
-      if (result.ok) await saveProviders(providers);
-      sendResult(ws, result.ok, result.message);
-    } catch (err) {
-      sendResult(ws, false, errMessage(err));
-    }
-  }
-  async function handleKeyDelete(ws, providerId, label) {
-    try {
-      const providers = await loadSavedProviders();
-      const result = deleteKey(providers, providerId, label);
-      if (result.ok) await saveProviders(providers);
-      sendResult(ws, result.ok, result.message);
-    } catch (err) {
-      sendResult(ws, false, errMessage(err));
+  const providerHandlers = createProviderHandlers({
+    globalConfigPath,
+    vault,
+    getConfigWriteLock: () => configWriteLock,
+    setConfigWriteLock: (p) => {
+      configWriteLock = p;
     }
-  }
-  async function handleKeySetActive(ws, providerId, label) {
-    try {
-      const providers = await loadSavedProviders();
-      const result = setActiveKey(providers, providerId, label);
-      if (result.ok) await saveProviders(providers);
-      sendResult(ws, result.ok, result.message);
-    } catch (err) {
-      sendResult(ws, false, errMessage(err));
-    }
-  }
-  async function handleProviderAdd(ws, payload) {
-    try {
-      const providers = await loadSavedProviders();
-      const result = addProvider(providers, payload, (/* @__PURE__ */ new Date()).toISOString());
-      if (result.ok) await saveProviders(providers);
-      sendResult(ws, result.ok, result.message);
-    } catch (err) {
-      sendResult(ws, false, errMessage(err));
-    }
-  }
-  async function handleProviderRemove(ws, providerId) {
-    try {
-      const providers = await loadSavedProviders();
-      const result = removeProvider(providers, providerId);
-      if (result.ok) await saveProviders(providers);
-      sendResult(ws, result.ok, result.message);
-    } catch (err) {
-      sendResult(ws, false, errMessage(err));
-    }
-  }
+  });
   const httpServer = createHttpServer({
-    host: wsHost2,
-    distDir: path2.resolve(import.meta.dirname, "../../dist"),
-    wsPort: wsPort2
+    host: wsHost,
+    distDir: path4.resolve(import.meta.dirname, "../../dist"),
+    wsPort
   });
-  const httpPort = Number.parseInt(process.env["PORT"] ?? "3456", 10);
-  httpServer.listen(httpPort, wsHost2, () => {
-    console.log(`[WebUI] HTTP server running on http://${wsHost2}:${httpPort}`);
+  const registryBaseDir = path4.dirname(globalConfigPath);
+  httpServer.listen(httpPort, wsHost, () => {
+    const openUrl = `http://${wsHost}:${httpPort}`;
+    console.log(`[WebUI] HTTP server running on ${openUrl}`);
+    if (opts.open) openBrowser(openUrl);
+    void registerInstance(
+      {
+        pid: process.pid,
+        httpPort,
+        wsPort,
+        host: wsHost,
+        projectRoot,
+        projectName: path4.basename(projectRoot) || projectRoot,
+        startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        url: `http://${wsHost}:${httpPort}`
+      },
+      registryBaseDir
+    ).catch((err) => console.warn("[WebUI] Could not record instance:", errMessage(err)));
   });
   registerShutdownHandlers({
     flushSession: async () => {
@@ -2928,16 +3137,31 @@ async function startWebUI(opts = {}) {
       await session.close();
     },
     clients: () => clients.keys(),
-    servers: [httpServer, wssPrimary, wssSecondary]
+    servers: [httpServer, wssPrimary, wssSecondary],
+    // Drop this instance from the registry on a clean exit so the file reflects
+    // reality. Crash exits are healed by the next register()/list() prune pass.
+    onShutdown: () => unregisterInstance(process.pid, registryBaseDir)
   });
 }
 // src/server/entry.ts
-var wsPort = Number.parseInt(process.env["WS_PORT"] ?? "3457", 10);
-var wsHost = process.env["WS_HOST"] ?? "127.0.0.1";
-console.log(`[WebUI] Starting standalone server on ${wsHost}:${wsPort}...`);
-startWebUI({ wsPort, wsHost }).catch((err) => {
-  console.error("[WebUI] Fatal error:", err);
-  process.exit(1);
-});
+var argv = process.argv.slice(2);
+if (argv.includes("--list") || argv.includes("-l") || argv[0] === "ls") {
+  listInstances().then((instances) => {
+    console.log(formatInstances(instances));
+    process.exit(0);
+  }).catch((err) => {
+    console.error("[WebUI] Could not read instance registry:", err);
+    process.exit(1);
+  });
+} else {
+  const wsPort = Number.parseInt(process.env["WS_PORT"] ?? "3457", 10);
+  const wsHost = process.env["WS_HOST"] ?? "127.0.0.1";
+  const open = argv.includes("--open") || argv.includes("-o") || process.env["WEBUI_OPEN"] === "1";
+  console.log(`[WebUI] Starting standalone server on ${wsHost}:${wsPort}...`);
+  startWebUI({ wsPort, wsHost, open }).catch((err) => {
+    console.error("[WebUI] Fatal error:", err);
+    process.exit(1);
+  });
+}
 //# sourceMappingURL=entry.js.map