npm - @xopcai/xopc - Versions diffs - 0.0.82 → 0.0.84 - Mend

@xopcai/xopc 0.0.82 → 0.0.84

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (740) hide show

package/dist/src/gateway/hono/routes/tunnel.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tunnel.js","names":[],"sources":["../../../../../src/gateway/hono/routes/tunnel.ts"],"sourcesContent":["import type { Hono, MiddlewareHandler } from 'hono';\n\nimport type { Config } from '../../../config/schema.js';\nimport { resolveGatewayEffectiveHost } from '../../../config/gateway-bind.js';\nimport { extractToken } from '../../auth.js';\nimport {\n assertTunnelMayStart,\n getTunnelConsentState,\n TUNNEL_CONSENT_REQUIRED_CODE,\n TunnelConsentError,\n} from '../../../tunnel/consent.js';\nimport { hashGatewayToken } from '../../../tunnel/tunnel-service.js';\nimport { configureTunnelFromGatewayConfig } from '../../../tunnel/gateway-lifecycle.js';\nimport {\n getTunnelRegistrationSecretMeta,\n readTunnelRegistrationSecretFromConfigOnly,\n resolveTunnelBrokerUrl,\n} from '../../../tunnel/env.js';\nimport { getTunnelService } from '../../../tunnel/index.js';\nimport { createPairingSecret, exchangePairingSecretOnce, getCachedPairingExchange } from '../../../tunnel/pairing.js';\nimport { buildMobilePairContext } from '../../../tunnel/pair-context.js';\nimport { applyLanPairingGatewayPatch } from '../../../tunnel/enable-lan-pairing.js';\nimport {\n buildMobileConnectUrlOrder,\n resolveMobilePairLanUrl,\n validateMobilePairBaseUrl,\n} from '../../../tunnel/pair-url.js';\nimport { consumePairingExchangeFailLimit } from '../../../tunnel/pairing-rate-limit.js';\nimport { loadTunnelState } from '../../../tunnel/tunnel-state.js';\nimport { logTunnelAudit } from '../../../tunnel/tunnel-audit.js';\nimport {\n applyTunnelConsentToConfig,\n setTunnelEnabledInConfig,\n} from '../../../tunnel/tunnel-config.js';\nimport { consumeTunnelMutationLimit } from '../../../tunnel/tunnel-rate-limit.js';\nimport type { AuthenticatedRouteDeps } from './deps.js';\nimport type { GatewayService } from '../../service.js';\nimport { getClientIpFromHeaders } from '../../auth-rate-limit.js';\n\nasync function configureTunnelFromService(\n deps: AuthenticatedRouteDeps,\n opts?: { force?: boolean },\n): Promise<void> {\n await configureTunnelFromGatewayConfig(deps.service.currentConfig, opts);\n}\n\nfunction enrichTunnelStatus(config: Config, status: ReturnType<ReturnType<typeof getTunnelService>['getStatus']>) {\n const consent = getTunnelConsentState(config);\n const brokerUrl = resolveTunnelBrokerUrl(config.tunnel?.brokerUrl);\n const registrationSecret = getTunnelRegistrationSecretMeta(config, process.env, brokerUrl);\n return {\n ...status,\n consentRequired: consent.consentRequired,\n consent: {\n currentVersion: consent.currentVersion,\n acceptedVersion: consent.acceptedVersion,\n acceptedAt: consent.acceptedAt,\n valid: consent.valid,\n },\n canAutoStart: consent.canAutoStart,\n registrationSecret,\n };\n}\n\nfunction requireGatewayToken(c: { req: { header: (name: string) => string \| undefined } }): string \| null {\n return (\n extractToken({\n authorization: c.req.header('authorization') ?? undefined,\n }) ?? null\n );\n}\n\nfunction createTunnelMutationRateLimitMiddleware(): MiddlewareHandler {\n return async (c, next) => {\n const token = requireGatewayToken(c);\n if (!token) {\n return c.json({ error: 'Gateway token required' }, 401);\n }\n const result = consumeTunnelMutationLimit(token);\n if (!result.allowed) {\n c.header('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));\n return c.json(\n {\n error: 'Too many tunnel operations. Try again later.',\n code: 'TUNNEL_RATE_LIMITED',\n retryAfterMs: result.retryAfterMs,\n },\n 429,\n );\n }\n await next();\n };\n}\n\nexport function registerTunnelPublicRoutes(app: Hono, service: GatewayService): void {\n app.get('/api/tunnel/pair/ping', async (c) => {\n const config = service.currentConfig as Config;\n const tunnel = getTunnelService();\n const status = tunnel.getStatus();\n const context = buildMobilePairContext({\n config,\n tunnelPublicUrl: status.publicUrl,\n tunnelConnected: status.state === 'connected',\n });\n return c.json({\n ok: true,\n service: 'xopc-gateway',\n mobilePairing: true,\n port: context.port,\n bindMode: context.bindMode,\n listenHost: context.listenHost,\n pairingReady: context.pairingReady,\n blockReason: context.blockReason ?? null,\n tunnelConnected: status.state === 'connected',\n connectUrls: context.connectUrls,\n });\n });\n\n app.post('/api/tunnel/pair/validate-url', async (c) => {\n let body: { baseUrl?: unknown };\n try {\n body = (await c.req.json()) as { baseUrl?: unknown };\n } catch {\n return c.json({ error: 'Invalid JSON body' }, 400);\n }\n const baseUrl = typeof body.baseUrl === 'string' ? body.baseUrl : '';\n const result = validateMobilePairBaseUrl(baseUrl);\n if (result.ok === false) {\n return c.json({\n ok: false,\n code: result.code,\n message: result.message,\n });\n }\n return c.json({\n ok: true,\n url: result.url,\n loopback: false,\n probePath: '/api/tunnel/pair/ping',\n });\n });\n\n app.post('/api/tunnel/exchange-token', async (c) => {\n const clientIp =\n getClientIpFromHeaders({\n get: (name: string) => c.req.header(name) ?? undefined,\n }) ?? 'unknown';\n\n let body: { pairingSecret?: unknown };\n try {\n body = (await c.req.json()) as { pairingSecret?: unknown };\n } catch {\n return c.json({ error: 'Invalid JSON body' }, 400);\n }\n\n const pairingSecret = typeof body.pairingSecret === 'string' ? body.pairingSecret.trim() : '';\n if (!pairingSecret) {\n return c.json({ error: 'pairingSecret required' }, 400);\n }\n\n const cached = getCachedPairingExchange(pairingSecret);\n if (cached) {\n logTunnelAudit(\n 'tunnel.exchange_token',\n { ok: true, clientIp, phase: 'pairing_exchange', replay: true },\n 'Pairing secret replayed (duplicate mobile exchange)',\n );\n return c.json(cached);\n }\n\n const token = service.getAuthToken();\n if (!token) {\n return c.json({ error: 'Gateway token not configured' }, 500);\n }\n\n const persisted = loadTunnelState();\n const config = service.currentConfig as Config;\n const publicUrl = persisted?.publicUrl?.trim() \|\| null;\n const lanUrl = resolveMobilePairLanUrl(config);\n const connectUrls = buildMobileConnectUrlOrder({ baseUrl: publicUrl, lanUrl });\n\n const payload = await exchangePairingSecretOnce(pairingSecret, () => ({\n token,\n baseUrl: publicUrl,\n lanUrl,\n connectUrls,\n }));\n\n if (!payload) {\n const limited = consumePairingExchangeFailLimit(clientIp);\n if (!limited.allowed) {\n c.header('Retry-After', String(Math.ceil(limited.retryAfterMs / 1000)));\n }\n logTunnelAudit(\n 'tunnel.exchange_token',\n { ok: false, clientIp, phase: 'pairing_exchange' },\n 'Pairing exchange denied: invalid or expired secret',\n );\n return c.json({ error: 'Invalid or expired pairing secret', code: 'PAIRING_INVALID' }, 401);\n }\n\n logTunnelAudit(\n 'tunnel.exchange_token',\n { ok: true, clientIp, subdomain: persisted?.subdomain ?? null, phase: 'pairing_exchange' },\n 'Pairing secret exchanged for gateway token',\n );\n return c.json(payload);\n });\n}\n\nexport function registerTunnelRoutes(authenticated: Hono, deps: AuthenticatedRouteDeps): void {\n const { strictRateLimitMiddleware } = deps;\n const tunnel = getTunnelService();\n const tunnelMutationLimit = createTunnelMutationRateLimitMiddleware();\n\n authenticated.get('/api/tunnel/pair/context', async (c) => {\n await configureTunnelFromService(deps);\n const config = deps.service.currentConfig as Config;\n const status = tunnel.getStatus();\n const context = buildMobilePairContext({\n config,\n tunnelPublicUrl: status.publicUrl,\n tunnelConnected: status.state === 'connected',\n });\n return c.json(context);\n });\n\n authenticated.post('/api/tunnel/pair/enable-lan', tunnelMutationLimit, async (c) => {\n const token = requireGatewayToken(c);\n if (!token) return c.json({ error: 'Gateway token required' }, 401);\n\n const config = deps.service.currentConfig as Config;\n const patchResult = applyLanPairingGatewayPatch(config);\n if (patchResult.ok === false) {\n return c.json({ ok: false, error: { message: patchResult.message, code: 'LAN_PAIRING_CONFIG' } }, 400);\n }\n\n if (patchResult.changed) {\n const saveResult = await deps.service.saveConfig(config);\n if (!saveResult.saved) {\n return c.json(\n { ok: false, error: { message: saveResult.error ?? 'Failed to save config', code: 'SAVE_FAILED' } },\n 500,\n );\n }\n logTunnelAudit(\n 'tunnel.enable_lan_pairing',\n { gatewayTokenHash: hashGatewayToken(token).slice(0, 12) },\n 'Gateway bind switched to LAN for mobile pairing',\n );\n }\n\n const status = tunnel.getStatus();\n let context = buildMobilePairContext({\n config: deps.service.currentConfig as Config,\n tunnelPublicUrl: status.publicUrl,\n tunnelConnected: status.state === 'connected',\n });\n\n if (patchResult.changed) {\n context = {\n ...context,\n pairingReady: false,\n blockReason: 'GATEWAY_LOOPBACK_ONLY',\n };\n }\n\n return c.json({\n ok: true,\n requiresRestart: patchResult.changed,\n context,\n });\n });\n\n authenticated.post('/api/tunnel/pair', tunnelMutationLimit, async (c) => {\n await configureTunnelFromService(deps);\n const token = requireGatewayToken(c);\n if (!token) return c.json({ error: 'Gateway token required' }, 401);\n\n const { secret, expiresAt } = createPairingSecret();\n logTunnelAudit(\n 'tunnel.pair',\n {\n expiresAt: expiresAt.toISOString(),\n gatewayTokenHash: hashGatewayToken(token).slice(0, 12),\n },\n 'Mobile pairing session created',\n );\n return c.json({ pairingSecret: secret, expiresAt: expiresAt.toISOString() });\n });\n\n authenticated.get('/api/tunnel/status', async (c) => {\n await configureTunnelFromService(deps);\n const config = deps.service.currentConfig as Config;\n return c.json(enrichTunnelStatus(config, tunnel.getStatus()));\n });\n\n authenticated.post('/api/tunnel/consent', tunnelMutationLimit, async (c) => {\n const token = requireGatewayToken(c);\n if (!token) return c.json({ error: 'Gateway token required' }, 401);\n\n const config = deps.service.currentConfig as Config;\n applyTunnelConsentToConfig(config);\n const result = await deps.service.saveConfig(config);\n if (!result.saved) {\n return c.json({ ok: false, error: result.error ?? 'Failed to save config' }, 500);\n }\n const consent = getTunnelConsentState(config);\n logTunnelAudit(\n 'tunnel.consent',\n {\n consentVersion: consent.currentVersion,\n gatewayTokenHash: hashGatewayToken(token).slice(0, 12),\n },\n 'Remote access security consent recorded',\n );\n return c.json({\n ok: true,\n consent: {\n currentVersion: consent.currentVersion,\n acceptedVersion: consent.acceptedVersion,\n acceptedAt: consent.acceptedAt,\n valid: consent.valid,\n },\n });\n });\n\n authenticated.post('/api/tunnel/start', tunnelMutationLimit, async (c) => {\n await configureTunnelFromService(deps, { force: true });\n const config = deps.service.currentConfig as Config;\n const token = requireGatewayToken(c);\n if (!token) return c.json({ error: 'Gateway token required' }, 401);\n\n try {\n assertTunnelMayStart(config);\n } catch (err) {\n if (err instanceof TunnelConsentError) {\n logTunnelAudit(\n 'tunnel.start_denied',\n { reason: TUNNEL_CONSENT_REQUIRED_CODE, gatewayTokenHash: hashGatewayToken(token).slice(0, 12) },\n 'Tunnel start denied: consent required',\n );\n return c.json({ error: err.message, code: TUNNEL_CONSENT_REQUIRED_CODE }, 403);\n }\n throw err;\n }\n\n const gateway = config.gateway;\n const port = gateway.port ?? 18790;\n try {\n const qr = await tunnel.start(port, token);\n setTunnelEnabledInConfig(config, true);\n await deps.service.saveConfig(config);\n const status = tunnel.getStatus();\n return c.json({\n publicUrl: qr.publicUrl,\n subdomain: status.subdomain,\n qrPayload: qr.qrPayload,\n lanUrl: qr.lanUrl,\n });\n } catch (err) {\n const message = err instanceof Error ? err.message : String(err);\n return c.json({ error: message }, 500);\n }\n });\n\n authenticated.post('/api/tunnel/stop', tunnelMutationLimit, async (c) => {\n await configureTunnelFromService(deps);\n const config = deps.service.currentConfig as Config;\n let release = false;\n try {\n const body = (await c.req.json().catch(() => ({}))) as { release?: unknown };\n release = body.release === true;\n } catch {\n release = false;\n }\n const { released } = await tunnel.stop({ release });\n setTunnelEnabledInConfig(config, false);\n await deps.service.saveConfig(config);\n return c.json({ ok: true, released });\n });\n\n authenticated.get('/api/tunnel/qr', async (c) => {\n await configureTunnelFromService(deps);\n const gateway = deps.service.currentConfig.gateway;\n const port = gateway.port ?? 18790;\n const host = resolveGatewayEffectiveHost(deps.service.currentConfig);\n const token = requireGatewayToken(c);\n if (!token) return c.json({ error: 'Gateway token required' }, 401);\n const qr = await tunnel.buildQr(port, host);\n return c.json(qr);\n });\n\n authenticated.get('/api/tunnel/transport-status', async (c) => {\n await configureTunnelFromService(deps);\n return c.json({\n transport: { tls: 'broker_terminated' as const },\n });\n });\n\n /*\n POST /api/tunnel/reveal-registration-secret — plaintext only when stored in config file.\n */\n authenticated.post('/api/tunnel/reveal-registration-secret', strictRateLimitMiddleware, async (c) => {\n const config = deps.service.currentConfig as Config;\n const registrationSecret = readTunnelRegistrationSecretFromConfigOnly(config);\n return c.json({\n ok: true,\n payload: {\n registrationSecret,\n source: registrationSecret ? ('config' as const) : ('none' as const),\n },\n });\n });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAuCA,eAAe,2BACb,MACA,MACe;AACf,OAAM,iCAAiC,KAAK,QAAQ,eAAe,KAAK;;AAG1E,SAAS,mBAAmB,QAAgB,QAAsE;CAChH,MAAM,UAAU,sBAAsB,OAAO;CAC7C,MAAM,YAAY,uBAAuB,OAAO,QAAQ,UAAU;CAClE,MAAM,qBAAqB,gCAAgC,QAAQ,QAAQ,KAAK,UAAU;AAC1F,QAAO;EACL,GAAG;EACH,iBAAiB,QAAQ;EACzB,SAAS;GACP,gBAAgB,QAAQ;GACxB,iBAAiB,QAAQ;GACzB,YAAY,QAAQ;GACpB,OAAO,QAAQ;GAChB;EACD,cAAc,QAAQ;EACtB;EACD;;AAGH,SAAS,oBAAoB,GAA6E;AACxG,QACE,aAAa,EACX,eAAe,EAAE,IAAI,OAAO,gBAAgB,IAAI,KAAA,GACjD,CAAC,IAAI;;AAIV,SAAS,0CAA6D;AACpE,QAAO,OAAO,GAAG,SAAS;EACxB,MAAM,QAAQ,oBAAoB,EAAE;AACpC,MAAI,CAAC,MACH,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EAEzD,MAAM,SAAS,2BAA2B,MAAM;AAChD,MAAI,CAAC,OAAO,SAAS;AACnB,KAAE,OAAO,eAAe,OAAO,KAAK,KAAK,OAAO,eAAe,IAAK,CAAC,CAAC;AACtE,UAAO,EAAE,KACP;IACE,OAAO;IACP,MAAM;IACN,cAAc,OAAO;IACtB,EACD,IACD;;AAEH,QAAM,MAAM;;;AAIhB,SAAgB,2BAA2B,KAAW,SAA+B;AACnF,KAAI,IAAI,yBAAyB,OAAO,MAAM;EAC5C,MAAM,SAAS,QAAQ;EAEvB,MAAM,SADS,kBACM,CAAC,WAAW;EACjC,MAAM,UAAU,uBAAuB;GACrC;GACA,iBAAiB,OAAO;GACxB,iBAAiB,OAAO,UAAU;GACnC,CAAC;AACF,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;GACT,eAAe;GACf,MAAM,QAAQ;GACd,UAAU,QAAQ;GAClB,YAAY,QAAQ;GACpB,cAAc,QAAQ;GACtB,aAAa,QAAQ,eAAe;GACpC,iBAAiB,OAAO,UAAU;GAClC,aAAa,QAAQ;GACtB,CAAC;GACF;AAEF,KAAI,KAAK,iCAAiC,OAAO,MAAM;EACrD,IAAI;AACJ,MAAI;AACF,UAAQ,MAAM,EAAE,IAAI,MAAM;UACpB;AACN,UAAO,EAAE,KAAK,EAAE,OAAO,qBAAqB,EAAE,IAAI;;EAGpD,MAAM,SAAS,0BADC,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,GACjB;AACjD,MAAI,OAAO,OAAO,MAChB,QAAO,EAAE,KAAK;GACZ,IAAI;GACJ,MAAM,OAAO;GACb,SAAS,OAAO;GACjB,CAAC;AAEJ,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,KAAK,OAAO;GACZ,UAAU;GACV,WAAW;GACZ,CAAC;GACF;AAEF,KAAI,KAAK,8BAA8B,OAAO,MAAM;EAClD,MAAM,WACJ,uBAAuB,EACrB,MAAM,SAAiB,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAC9C,CAAC,IAAI;EAER,IAAI;AACJ,MAAI;AACF,UAAQ,MAAM,EAAE,IAAI,MAAM;UACpB;AACN,UAAO,EAAE,KAAK,EAAE,OAAO,qBAAqB,EAAE,IAAI;;EAGpD,MAAM,gBAAgB,OAAO,KAAK,kBAAkB,WAAW,KAAK,cAAc,MAAM,GAAG;AAC3F,MAAI,CAAC,cACH,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EAGzD,MAAM,SAAS,yBAAyB,cAAc;AACtD,MAAI,QAAQ;AACV,kBACE,yBACA;IAAE,IAAI;IAAM;IAAU,OAAO;IAAoB,QAAQ;IAAM,EAC/D,sDACD;AACD,UAAO,EAAE,KAAK,OAAO;;EAGvB,MAAM,QAAQ,QAAQ,cAAc;AACpC,MAAI,CAAC,MACH,QAAO,EAAE,KAAK,EAAE,OAAO,gCAAgC,EAAE,IAAI;EAG/D,MAAM,YAAY,iBAAiB;EACnC,MAAM,SAAS,QAAQ;EACvB,MAAM,YAAY,WAAW,WAAW,MAAM,IAAI;EAClD,MAAM,SAAS,wBAAwB,OAAO;EAC9C,MAAM,cAAc,2BAA2B;GAAE,SAAS;GAAW;GAAQ,CAAC;EAE9E,MAAM,UAAU,MAAM,0BAA0B,sBAAsB;GACpE;GACA,SAAS;GACT;GACA;GACD,EAAE;AAEH,MAAI,CAAC,SAAS;GACZ,MAAM,UAAU,gCAAgC,SAAS;AACzD,OAAI,CAAC,QAAQ,QACX,GAAE,OAAO,eAAe,OAAO,KAAK,KAAK,QAAQ,eAAe,IAAK,CAAC,CAAC;AAEzE,kBACE,yBACA;IAAE,IAAI;IAAO;IAAU,OAAO;IAAoB,EAClD,qDACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAqC,MAAM;IAAmB,EAAE,IAAI;;AAG7F,iBACE,yBACA;GAAE,IAAI;GAAM;GAAU,WAAW,WAAW,aAAa;GAAM,OAAO;GAAoB,EAC1F,6CACD;AACD,SAAO,EAAE,KAAK,QAAQ;GACtB;;AAGJ,SAAgB,qBAAqB,eAAqB,MAAoC;CAC5F,MAAM,EAAE,8BAA8B;CACtC,MAAM,SAAS,kBAAkB;CACjC,MAAM,sBAAsB,yCAAyC;AAErE,eAAc,IAAI,4BAA4B,OAAO,MAAM;AACzD,QAAM,2BAA2B,KAAK;EACtC,MAAM,SAAS,KAAK,QAAQ;EAC5B,MAAM,SAAS,OAAO,WAAW;EACjC,MAAM,UAAU,uBAAuB;GACrC;GACA,iBAAiB,OAAO;GACxB,iBAAiB,OAAO,UAAU;GACnC,CAAC;AACF,SAAO,EAAE,KAAK,QAAQ;GACtB;AAEF,eAAc,KAAK,+BAA+B,qBAAqB,OAAO,MAAM;EAClF,MAAM,QAAQ,oBAAoB,EAAE;AACpC,MAAI,CAAC,MAAO,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EAEnE,MAAM,SAAS,KAAK,QAAQ;EAC5B,MAAM,cAAc,4BAA4B,OAAO;AACvD,MAAI,YAAY,OAAO,MACrB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,SAAS,YAAY;IAAS,MAAM;IAAsB;GAAE,EAAE,IAAI;AAGxG,MAAI,YAAY,SAAS;GACvB,MAAM,aAAa,MAAM,KAAK,QAAQ,WAAW,OAAO;AACxD,OAAI,CAAC,WAAW,MACd,QAAO,EAAE,KACP;IAAE,IAAI;IAAO,OAAO;KAAE,SAAS,WAAW,SAAS;KAAyB,MAAM;KAAe;IAAE,EACnG,IACD;AAEH,kBACE,6BACA,EAAE,kBAAkB,iBAAiB,MAAM,CAAC,MAAM,GAAG,GAAG,EAAE,EAC1D,kDACD;;EAGH,MAAM,SAAS,OAAO,WAAW;EACjC,IAAI,UAAU,uBAAuB;GACnC,QAAQ,KAAK,QAAQ;GACrB,iBAAiB,OAAO;GACxB,iBAAiB,OAAO,UAAU;GACnC,CAAC;AAEF,MAAI,YAAY,QACd,WAAU;GACR,GAAG;GACH,cAAc;GACd,aAAa;GACd;AAGH,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,iBAAiB,YAAY;GAC7B;GACD,CAAC;GACF;AAEF,eAAc,KAAK,oBAAoB,qBAAqB,OAAO,MAAM;AACvE,QAAM,2BAA2B,KAAK;EACtC,MAAM,QAAQ,oBAAoB,EAAE;AACpC,MAAI,CAAC,MAAO,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EAEnE,MAAM,EAAE,QAAQ,cAAc,qBAAqB;AACnD,iBACE,eACA;GACE,WAAW,UAAU,aAAa;GAClC,kBAAkB,iBAAiB,MAAM,CAAC,MAAM,GAAG,GAAG;GACvD,EACD,iCACD;AACD,SAAO,EAAE,KAAK;GAAE,eAAe;GAAQ,WAAW,UAAU,aAAa;GAAE,CAAC;GAC5E;AAEF,eAAc,IAAI,sBAAsB,OAAO,MAAM;AACnD,QAAM,2BAA2B,KAAK;EACtC,MAAM,SAAS,KAAK,QAAQ;AAC5B,SAAO,EAAE,KAAK,mBAAmB,QAAQ,OAAO,WAAW,CAAC,CAAC;GAC7D;AAEF,eAAc,KAAK,uBAAuB,qBAAqB,OAAO,MAAM;EAC1E,MAAM,QAAQ,oBAAoB,EAAE;AACpC,MAAI,CAAC,MAAO,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EAEnE,MAAM,SAAS,KAAK,QAAQ;AAC5B,6BAA2B,OAAO;EAClC,MAAM,SAAS,MAAM,KAAK,QAAQ,WAAW,OAAO;AACpD,MAAI,CAAC,OAAO,MACV,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,OAAO,SAAS;GAAyB,EAAE,IAAI;EAEnF,MAAM,UAAU,sBAAsB,OAAO;AAC7C,iBACE,kBACA;GACE,gBAAgB,QAAQ;GACxB,kBAAkB,iBAAiB,MAAM,CAAC,MAAM,GAAG,GAAG;GACvD,EACD,0CACD;AACD,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,gBAAgB,QAAQ;IACxB,iBAAiB,QAAQ;IACzB,YAAY,QAAQ;IACpB,OAAO,QAAQ;IAChB;GACF,CAAC;GACF;AAEF,eAAc,KAAK,qBAAqB,qBAAqB,OAAO,MAAM;AACxE,QAAM,2BAA2B,MAAM,EAAE,OAAO,MAAM,CAAC;EACvD,MAAM,SAAS,KAAK,QAAQ;EAC5B,MAAM,QAAQ,oBAAoB,EAAE;AACpC,MAAI,CAAC,MAAO,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;AAEnE,MAAI;AACF,wBAAqB,OAAO;WACrB,KAAK;AACZ,OAAI,eAAe,oBAAoB;AACrC,mBACE,uBACA;KAAE,QAAQ;KAA8B,kBAAkB,iBAAiB,MAAM,CAAC,MAAM,GAAG,GAAG;KAAE,EAChG,wCACD;AACD,WAAO,EAAE,KAAK;KAAE,OAAO,IAAI;KAAS,MAAM;KAA8B,EAAE,IAAI;;AAEhF,SAAM;;EAIR,MAAM,OADU,OAAO,QACF,QAAQ;AAC7B,MAAI;GACF,MAAM,KAAK,MAAM,OAAO,MAAM,MAAM,MAAM;AAC1C,4BAAyB,QAAQ,KAAK;AACtC,SAAM,KAAK,QAAQ,WAAW,OAAO;GACrC,MAAM,SAAS,OAAO,WAAW;AACjC,UAAO,EAAE,KAAK;IACZ,WAAW,GAAG;IACd,WAAW,OAAO;IAClB,WAAW,GAAG;IACd,QAAQ,GAAG;IACZ,CAAC;WACK,KAAK;GACZ,MAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAChE,UAAO,EAAE,KAAK,EAAE,OAAO,SAAS,EAAE,IAAI;;GAExC;AAEF,eAAc,KAAK,oBAAoB,qBAAqB,OAAO,MAAM;AACvE,QAAM,2BAA2B,KAAK;EACtC,MAAM,SAAS,KAAK,QAAQ;EAC5B,IAAI,UAAU;AACd,MAAI;AAEF,cAAU,MADU,EAAE,IAAI,MAAM,CAAC,aAAa,EAAE,EAAE,EACnC,YAAY;UACrB;AACN,aAAU;;EAEZ,MAAM,EAAE,aAAa,MAAM,OAAO,KAAK,EAAE,SAAS,CAAC;AACnD,2BAAyB,QAAQ,MAAM;AACvC,QAAM,KAAK,QAAQ,WAAW,OAAO;AACrC,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM;GAAU,CAAC;GACrC;AAEF,eAAc,IAAI,kBAAkB,OAAO,MAAM;AAC/C,QAAM,2BAA2B,KAAK;EAEtC,MAAM,OADU,KAAK,QAAQ,cAAc,QACtB,QAAQ;EAC7B,MAAM,OAAO,4BAA4B,KAAK,QAAQ,cAAc;AAEpE,MAAI,CADU,oBAAoB,EACxB,CAAE,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EACnE,MAAM,KAAK,MAAM,OAAO,QAAQ,MAAM,KAAK;AAC3C,SAAO,EAAE,KAAK,GAAG;GACjB;AAEF,eAAc,IAAI,gCAAgC,OAAO,MAAM;AAC7D,QAAM,2BAA2B,KAAK;AACtC,SAAO,EAAE,KAAK,EACZ,WAAW,EAAE,KAAK,qBAA8B,EACjD,CAAC;GACF;;;;AAKF,eAAc,KAAK,0CAA0C,2BAA2B,OAAO,MAAM;EACnG,MAAM,SAAS,KAAK,QAAQ;EAC5B,MAAM,qBAAqB,2CAA2C,OAAO;AAC7E,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP;IACA,QAAQ,qBAAsB,WAAsB;IACrD;GACF,CAAC;GACF"}
1	+ {"version":3,"file":"tunnel.js","names":[],"sources":["../../../../../src/gateway/hono/routes/tunnel.ts"],"sourcesContent":["import type { Hono, MiddlewareHandler } from 'hono';\n\nimport type { Config } from '../../../config/schema.js';\nimport { resolveGatewayEffectiveHost } from '../../../config/gateway-bind.js';\nimport { extractToken } from '../../auth.js';\nimport {\n assertTunnelMayStart,\n getTunnelConsentState,\n TUNNEL_CONSENT_REQUIRED_CODE,\n TunnelConsentError,\n} from '../../../tunnel/consent.js';\nimport { hashGatewayToken } from '../../../tunnel/tunnel-service.js';\nimport { configureTunnelFromGatewayConfig } from '../../../tunnel/gateway-lifecycle.js';\nimport {\n getTunnelRegistrationSecretMeta,\n readTunnelRegistrationSecretFromConfigOnly,\n resolveTunnelBrokerUrl,\n} from '../../../tunnel/env.js';\nimport { getTunnelService } from '../../../tunnel/index.js';\nimport { createPairingSecret, exchangePairingSecretOnce, getCachedPairingExchange } from '../../../tunnel/pairing.js';\nimport { buildMobilePairContext } from '../../../tunnel/pair-context.js';\nimport { applyLanPairingGatewayPatch } from '../../../tunnel/enable-lan-pairing.js';\nimport {\n buildMobileConnectUrlOrder,\n resolveMobilePairLanUrl,\n validateMobilePairBaseUrl,\n} from '../../../tunnel/pair-url.js';\nimport { consumePairingExchangeFailLimit } from '../../../tunnel/pairing-rate-limit.js';\nimport { loadTunnelState } from '../../../tunnel/tunnel-state.js';\nimport { logTunnelAudit } from '../../../tunnel/tunnel-audit.js';\nimport {\n applyTunnelConsentToConfig,\n setTunnelEnabledInConfig,\n} from '../../../tunnel/tunnel-config.js';\nimport { consumeTunnelMutationLimit } from '../../../tunnel/tunnel-rate-limit.js';\nimport type { AuthenticatedRouteDeps } from './deps.js';\nimport type { GatewayService } from '../../service.js';\nimport { getClientIpFromHeaders } from '../../security/loopback.js';\n\nasync function configureTunnelFromService(\n deps: AuthenticatedRouteDeps,\n opts?: { force?: boolean },\n): Promise<void> {\n await configureTunnelFromGatewayConfig(deps.service.currentConfig, opts);\n}\n\nfunction enrichTunnelStatus(config: Config, status: ReturnType<ReturnType<typeof getTunnelService>['getStatus']>) {\n const consent = getTunnelConsentState(config);\n const brokerUrl = resolveTunnelBrokerUrl(config.tunnel?.brokerUrl);\n const registrationSecret = getTunnelRegistrationSecretMeta(config, process.env, brokerUrl);\n return {\n ...status,\n consentRequired: consent.consentRequired,\n consent: {\n currentVersion: consent.currentVersion,\n acceptedVersion: consent.acceptedVersion,\n acceptedAt: consent.acceptedAt,\n valid: consent.valid,\n },\n canAutoStart: consent.canAutoStart,\n registrationSecret,\n };\n}\n\nfunction requireGatewayToken(c: { req: { header: (name: string) => string \| undefined } }): string \| null {\n return (\n extractToken({\n authorization: c.req.header('authorization') ?? undefined,\n }) ?? null\n );\n}\n\nfunction createTunnelMutationRateLimitMiddleware(): MiddlewareHandler {\n return async (c, next) => {\n const token = requireGatewayToken(c);\n if (!token) {\n return c.json({ error: 'Gateway token required' }, 401);\n }\n const result = consumeTunnelMutationLimit(token);\n if (!result.allowed) {\n c.header('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));\n return c.json(\n {\n error: 'Too many tunnel operations. Try again later.',\n code: 'TUNNEL_RATE_LIMITED',\n retryAfterMs: result.retryAfterMs,\n },\n 429,\n );\n }\n await next();\n };\n}\n\nexport function registerTunnelPublicRoutes(app: Hono, service: GatewayService): void {\n app.get('/api/tunnel/pair/ping', async (c) => {\n const config = service.currentConfig as Config;\n const tunnel = getTunnelService();\n const status = tunnel.getStatus();\n const context = buildMobilePairContext({\n config,\n tunnelPublicUrl: status.publicUrl,\n tunnelConnected: status.state === 'connected',\n });\n return c.json({\n ok: true,\n service: 'xopc-gateway',\n mobilePairing: true,\n port: context.port,\n bindMode: context.bindMode,\n listenHost: context.listenHost,\n pairingReady: context.pairingReady,\n blockReason: context.blockReason ?? null,\n tunnelConnected: status.state === 'connected',\n connectUrls: context.connectUrls,\n });\n });\n\n app.post('/api/tunnel/pair/validate-url', async (c) => {\n let body: { baseUrl?: unknown };\n try {\n body = (await c.req.json()) as { baseUrl?: unknown };\n } catch {\n return c.json({ error: 'Invalid JSON body' }, 400);\n }\n const baseUrl = typeof body.baseUrl === 'string' ? body.baseUrl : '';\n const result = validateMobilePairBaseUrl(baseUrl);\n if (result.ok === false) {\n return c.json({\n ok: false,\n code: result.code,\n message: result.message,\n });\n }\n return c.json({\n ok: true,\n url: result.url,\n loopback: false,\n probePath: '/api/tunnel/pair/ping',\n });\n });\n\n app.post('/api/tunnel/exchange-token', async (c) => {\n const clientIp =\n getClientIpFromHeaders({\n get: (name: string) => c.req.header(name) ?? undefined,\n }) ?? 'unknown';\n\n let body: { pairingSecret?: unknown };\n try {\n body = (await c.req.json()) as { pairingSecret?: unknown };\n } catch {\n return c.json({ error: 'Invalid JSON body' }, 400);\n }\n\n const pairingSecret = typeof body.pairingSecret === 'string' ? body.pairingSecret.trim() : '';\n if (!pairingSecret) {\n return c.json({ error: 'pairingSecret required' }, 400);\n }\n\n const cached = getCachedPairingExchange(pairingSecret);\n if (cached) {\n logTunnelAudit(\n 'tunnel.exchange_token',\n { ok: true, clientIp, phase: 'pairing_exchange', replay: true },\n 'Pairing secret replayed (duplicate mobile exchange)',\n );\n return c.json(cached);\n }\n\n const token = service.getAuthToken();\n if (!token) {\n return c.json({ error: 'Gateway token not configured' }, 500);\n }\n\n const persisted = loadTunnelState();\n const config = service.currentConfig as Config;\n const publicUrl = persisted?.publicUrl?.trim() \|\| null;\n const lanUrl = resolveMobilePairLanUrl(config);\n const connectUrls = buildMobileConnectUrlOrder({ baseUrl: publicUrl, lanUrl });\n\n const payload = await exchangePairingSecretOnce(pairingSecret, () => ({\n token,\n baseUrl: publicUrl,\n lanUrl,\n connectUrls,\n }));\n\n if (!payload) {\n const limited = consumePairingExchangeFailLimit(clientIp);\n if (!limited.allowed) {\n c.header('Retry-After', String(Math.ceil(limited.retryAfterMs / 1000)));\n }\n logTunnelAudit(\n 'tunnel.exchange_token',\n { ok: false, clientIp, phase: 'pairing_exchange' },\n 'Pairing exchange denied: invalid or expired secret',\n );\n return c.json({ error: 'Invalid or expired pairing secret', code: 'PAIRING_INVALID' }, 401);\n }\n\n logTunnelAudit(\n 'tunnel.exchange_token',\n { ok: true, clientIp, subdomain: persisted?.subdomain ?? null, phase: 'pairing_exchange' },\n 'Pairing secret exchanged for gateway token',\n );\n return c.json(payload);\n });\n}\n\nexport function registerTunnelRoutes(authenticated: Hono, deps: AuthenticatedRouteDeps): void {\n const { strictRateLimitMiddleware } = deps;\n const tunnel = getTunnelService();\n const tunnelMutationLimit = createTunnelMutationRateLimitMiddleware();\n\n authenticated.get('/api/tunnel/pair/context', async (c) => {\n await configureTunnelFromService(deps);\n const config = deps.service.currentConfig as Config;\n const status = tunnel.getStatus();\n const context = buildMobilePairContext({\n config,\n tunnelPublicUrl: status.publicUrl,\n tunnelConnected: status.state === 'connected',\n });\n return c.json(context);\n });\n\n authenticated.post('/api/tunnel/pair/enable-lan', tunnelMutationLimit, async (c) => {\n const token = requireGatewayToken(c);\n if (!token) return c.json({ error: 'Gateway token required' }, 401);\n\n const config = deps.service.currentConfig as Config;\n const patchResult = applyLanPairingGatewayPatch(config);\n if (patchResult.ok === false) {\n return c.json({ ok: false, error: { message: patchResult.message, code: 'LAN_PAIRING_CONFIG' } }, 400);\n }\n\n if (patchResult.changed) {\n const saveResult = await deps.service.saveConfig(config);\n if (!saveResult.saved) {\n return c.json(\n { ok: false, error: { message: saveResult.error ?? 'Failed to save config', code: 'SAVE_FAILED' } },\n 500,\n );\n }\n logTunnelAudit(\n 'tunnel.enable_lan_pairing',\n { gatewayTokenHash: hashGatewayToken(token).slice(0, 12) },\n 'Gateway bind switched to LAN for mobile pairing',\n );\n }\n\n const status = tunnel.getStatus();\n let context = buildMobilePairContext({\n config: deps.service.currentConfig as Config,\n tunnelPublicUrl: status.publicUrl,\n tunnelConnected: status.state === 'connected',\n });\n\n if (patchResult.changed) {\n context = {\n ...context,\n pairingReady: false,\n blockReason: 'GATEWAY_LOOPBACK_ONLY',\n };\n }\n\n return c.json({\n ok: true,\n requiresRestart: patchResult.changed,\n context,\n });\n });\n\n authenticated.post('/api/tunnel/pair', tunnelMutationLimit, async (c) => {\n await configureTunnelFromService(deps);\n const token = requireGatewayToken(c);\n if (!token) return c.json({ error: 'Gateway token required' }, 401);\n\n const { secret, expiresAt } = createPairingSecret();\n logTunnelAudit(\n 'tunnel.pair',\n {\n expiresAt: expiresAt.toISOString(),\n gatewayTokenHash: hashGatewayToken(token).slice(0, 12),\n },\n 'Mobile pairing session created',\n );\n return c.json({ pairingSecret: secret, expiresAt: expiresAt.toISOString() });\n });\n\n authenticated.get('/api/tunnel/status', async (c) => {\n await configureTunnelFromService(deps);\n const config = deps.service.currentConfig as Config;\n return c.json(enrichTunnelStatus(config, tunnel.getStatus()));\n });\n\n authenticated.post('/api/tunnel/consent', tunnelMutationLimit, async (c) => {\n const token = requireGatewayToken(c);\n if (!token) return c.json({ error: 'Gateway token required' }, 401);\n\n const config = deps.service.currentConfig as Config;\n applyTunnelConsentToConfig(config);\n const result = await deps.service.saveConfig(config);\n if (!result.saved) {\n return c.json({ ok: false, error: result.error ?? 'Failed to save config' }, 500);\n }\n const consent = getTunnelConsentState(config);\n logTunnelAudit(\n 'tunnel.consent',\n {\n consentVersion: consent.currentVersion,\n gatewayTokenHash: hashGatewayToken(token).slice(0, 12),\n },\n 'Remote access security consent recorded',\n );\n return c.json({\n ok: true,\n consent: {\n currentVersion: consent.currentVersion,\n acceptedVersion: consent.acceptedVersion,\n acceptedAt: consent.acceptedAt,\n valid: consent.valid,\n },\n });\n });\n\n authenticated.post('/api/tunnel/start', tunnelMutationLimit, async (c) => {\n await configureTunnelFromService(deps, { force: true });\n const config = deps.service.currentConfig as Config;\n const token = requireGatewayToken(c);\n if (!token) return c.json({ error: 'Gateway token required' }, 401);\n\n try {\n assertTunnelMayStart(config);\n } catch (err) {\n if (err instanceof TunnelConsentError) {\n logTunnelAudit(\n 'tunnel.start_denied',\n { reason: TUNNEL_CONSENT_REQUIRED_CODE, gatewayTokenHash: hashGatewayToken(token).slice(0, 12) },\n 'Tunnel start denied: consent required',\n );\n return c.json({ error: err.message, code: TUNNEL_CONSENT_REQUIRED_CODE }, 403);\n }\n throw err;\n }\n\n const gateway = config.gateway;\n const port = gateway.port ?? 18790;\n try {\n const qr = await tunnel.start(port, token);\n setTunnelEnabledInConfig(config, true);\n await deps.service.saveConfig(config);\n const status = tunnel.getStatus();\n return c.json({\n publicUrl: qr.publicUrl,\n subdomain: status.subdomain,\n qrPayload: qr.qrPayload,\n lanUrl: qr.lanUrl,\n });\n } catch (err) {\n const message = err instanceof Error ? err.message : String(err);\n return c.json({ error: message }, 500);\n }\n });\n\n authenticated.post('/api/tunnel/stop', tunnelMutationLimit, async (c) => {\n await configureTunnelFromService(deps);\n const config = deps.service.currentConfig as Config;\n let release = false;\n try {\n const body = (await c.req.json().catch(() => ({}))) as { release?: unknown };\n release = body.release === true;\n } catch {\n release = false;\n }\n const { released } = await tunnel.stop({ release });\n setTunnelEnabledInConfig(config, false);\n await deps.service.saveConfig(config);\n return c.json({ ok: true, released });\n });\n\n authenticated.get('/api/tunnel/qr', async (c) => {\n await configureTunnelFromService(deps);\n const gateway = deps.service.currentConfig.gateway;\n const port = gateway.port ?? 18790;\n const host = resolveGatewayEffectiveHost(deps.service.currentConfig);\n const token = requireGatewayToken(c);\n if (!token) return c.json({ error: 'Gateway token required' }, 401);\n const qr = await tunnel.buildQr(port, host);\n return c.json(qr);\n });\n\n authenticated.get('/api/tunnel/transport-status', async (c) => {\n await configureTunnelFromService(deps);\n return c.json({\n transport: { tls: 'broker_terminated' as const },\n });\n });\n\n /*\n POST /api/tunnel/reveal-registration-secret — plaintext only when stored in config file.\n */\n authenticated.post('/api/tunnel/reveal-registration-secret', strictRateLimitMiddleware, async (c) => {\n const config = deps.service.currentConfig as Config;\n const registrationSecret = readTunnelRegistrationSecretFromConfigOnly(config);\n return c.json({\n ok: true,\n payload: {\n registrationSecret,\n source: registrationSecret ? ('config' as const) : ('none' as const),\n },\n });\n });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAuCA,eAAe,2BACb,MACA,MACe;AACf,OAAM,iCAAiC,KAAK,QAAQ,eAAe,KAAK;;AAG1E,SAAS,mBAAmB,QAAgB,QAAsE;CAChH,MAAM,UAAU,sBAAsB,OAAO;CAC7C,MAAM,YAAY,uBAAuB,OAAO,QAAQ,UAAU;CAClE,MAAM,qBAAqB,gCAAgC,QAAQ,QAAQ,KAAK,UAAU;AAC1F,QAAO;EACL,GAAG;EACH,iBAAiB,QAAQ;EACzB,SAAS;GACP,gBAAgB,QAAQ;GACxB,iBAAiB,QAAQ;GACzB,YAAY,QAAQ;GACpB,OAAO,QAAQ;GAChB;EACD,cAAc,QAAQ;EACtB;EACD;;AAGH,SAAS,oBAAoB,GAA6E;AACxG,QACE,aAAa,EACX,eAAe,EAAE,IAAI,OAAO,gBAAgB,IAAI,KAAA,GACjD,CAAC,IAAI;;AAIV,SAAS,0CAA6D;AACpE,QAAO,OAAO,GAAG,SAAS;EACxB,MAAM,QAAQ,oBAAoB,EAAE;AACpC,MAAI,CAAC,MACH,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EAEzD,MAAM,SAAS,2BAA2B,MAAM;AAChD,MAAI,CAAC,OAAO,SAAS;AACnB,KAAE,OAAO,eAAe,OAAO,KAAK,KAAK,OAAO,eAAe,IAAK,CAAC,CAAC;AACtE,UAAO,EAAE,KACP;IACE,OAAO;IACP,MAAM;IACN,cAAc,OAAO;IACtB,EACD,IACD;;AAEH,QAAM,MAAM;;;AAIhB,SAAgB,2BAA2B,KAAW,SAA+B;AACnF,KAAI,IAAI,yBAAyB,OAAO,MAAM;EAC5C,MAAM,SAAS,QAAQ;EAEvB,MAAM,SADS,kBACM,CAAC,WAAW;EACjC,MAAM,UAAU,uBAAuB;GACrC;GACA,iBAAiB,OAAO;GACxB,iBAAiB,OAAO,UAAU;GACnC,CAAC;AACF,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;GACT,eAAe;GACf,MAAM,QAAQ;GACd,UAAU,QAAQ;GAClB,YAAY,QAAQ;GACpB,cAAc,QAAQ;GACtB,aAAa,QAAQ,eAAe;GACpC,iBAAiB,OAAO,UAAU;GAClC,aAAa,QAAQ;GACtB,CAAC;GACF;AAEF,KAAI,KAAK,iCAAiC,OAAO,MAAM;EACrD,IAAI;AACJ,MAAI;AACF,UAAQ,MAAM,EAAE,IAAI,MAAM;UACpB;AACN,UAAO,EAAE,KAAK,EAAE,OAAO,qBAAqB,EAAE,IAAI;;EAGpD,MAAM,SAAS,0BADC,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,GACjB;AACjD,MAAI,OAAO,OAAO,MAChB,QAAO,EAAE,KAAK;GACZ,IAAI;GACJ,MAAM,OAAO;GACb,SAAS,OAAO;GACjB,CAAC;AAEJ,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,KAAK,OAAO;GACZ,UAAU;GACV,WAAW;GACZ,CAAC;GACF;AAEF,KAAI,KAAK,8BAA8B,OAAO,MAAM;EAClD,MAAM,WACJ,uBAAuB,EACrB,MAAM,SAAiB,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAC9C,CAAC,IAAI;EAER,IAAI;AACJ,MAAI;AACF,UAAQ,MAAM,EAAE,IAAI,MAAM;UACpB;AACN,UAAO,EAAE,KAAK,EAAE,OAAO,qBAAqB,EAAE,IAAI;;EAGpD,MAAM,gBAAgB,OAAO,KAAK,kBAAkB,WAAW,KAAK,cAAc,MAAM,GAAG;AAC3F,MAAI,CAAC,cACH,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EAGzD,MAAM,SAAS,yBAAyB,cAAc;AACtD,MAAI,QAAQ;AACV,kBACE,yBACA;IAAE,IAAI;IAAM;IAAU,OAAO;IAAoB,QAAQ;IAAM,EAC/D,sDACD;AACD,UAAO,EAAE,KAAK,OAAO;;EAGvB,MAAM,QAAQ,QAAQ,cAAc;AACpC,MAAI,CAAC,MACH,QAAO,EAAE,KAAK,EAAE,OAAO,gCAAgC,EAAE,IAAI;EAG/D,MAAM,YAAY,iBAAiB;EACnC,MAAM,SAAS,QAAQ;EACvB,MAAM,YAAY,WAAW,WAAW,MAAM,IAAI;EAClD,MAAM,SAAS,wBAAwB,OAAO;EAC9C,MAAM,cAAc,2BAA2B;GAAE,SAAS;GAAW;GAAQ,CAAC;EAE9E,MAAM,UAAU,MAAM,0BAA0B,sBAAsB;GACpE;GACA,SAAS;GACT;GACA;GACD,EAAE;AAEH,MAAI,CAAC,SAAS;GACZ,MAAM,UAAU,gCAAgC,SAAS;AACzD,OAAI,CAAC,QAAQ,QACX,GAAE,OAAO,eAAe,OAAO,KAAK,KAAK,QAAQ,eAAe,IAAK,CAAC,CAAC;AAEzE,kBACE,yBACA;IAAE,IAAI;IAAO;IAAU,OAAO;IAAoB,EAClD,qDACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAqC,MAAM;IAAmB,EAAE,IAAI;;AAG7F,iBACE,yBACA;GAAE,IAAI;GAAM;GAAU,WAAW,WAAW,aAAa;GAAM,OAAO;GAAoB,EAC1F,6CACD;AACD,SAAO,EAAE,KAAK,QAAQ;GACtB;;AAGJ,SAAgB,qBAAqB,eAAqB,MAAoC;CAC5F,MAAM,EAAE,8BAA8B;CACtC,MAAM,SAAS,kBAAkB;CACjC,MAAM,sBAAsB,yCAAyC;AAErE,eAAc,IAAI,4BAA4B,OAAO,MAAM;AACzD,QAAM,2BAA2B,KAAK;EACtC,MAAM,SAAS,KAAK,QAAQ;EAC5B,MAAM,SAAS,OAAO,WAAW;EACjC,MAAM,UAAU,uBAAuB;GACrC;GACA,iBAAiB,OAAO;GACxB,iBAAiB,OAAO,UAAU;GACnC,CAAC;AACF,SAAO,EAAE,KAAK,QAAQ;GACtB;AAEF,eAAc,KAAK,+BAA+B,qBAAqB,OAAO,MAAM;EAClF,MAAM,QAAQ,oBAAoB,EAAE;AACpC,MAAI,CAAC,MAAO,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EAEnE,MAAM,SAAS,KAAK,QAAQ;EAC5B,MAAM,cAAc,4BAA4B,OAAO;AACvD,MAAI,YAAY,OAAO,MACrB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,SAAS,YAAY;IAAS,MAAM;IAAsB;GAAE,EAAE,IAAI;AAGxG,MAAI,YAAY,SAAS;GACvB,MAAM,aAAa,MAAM,KAAK,QAAQ,WAAW,OAAO;AACxD,OAAI,CAAC,WAAW,MACd,QAAO,EAAE,KACP;IAAE,IAAI;IAAO,OAAO;KAAE,SAAS,WAAW,SAAS;KAAyB,MAAM;KAAe;IAAE,EACnG,IACD;AAEH,kBACE,6BACA,EAAE,kBAAkB,iBAAiB,MAAM,CAAC,MAAM,GAAG,GAAG,EAAE,EAC1D,kDACD;;EAGH,MAAM,SAAS,OAAO,WAAW;EACjC,IAAI,UAAU,uBAAuB;GACnC,QAAQ,KAAK,QAAQ;GACrB,iBAAiB,OAAO;GACxB,iBAAiB,OAAO,UAAU;GACnC,CAAC;AAEF,MAAI,YAAY,QACd,WAAU;GACR,GAAG;GACH,cAAc;GACd,aAAa;GACd;AAGH,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,iBAAiB,YAAY;GAC7B;GACD,CAAC;GACF;AAEF,eAAc,KAAK,oBAAoB,qBAAqB,OAAO,MAAM;AACvE,QAAM,2BAA2B,KAAK;EACtC,MAAM,QAAQ,oBAAoB,EAAE;AACpC,MAAI,CAAC,MAAO,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EAEnE,MAAM,EAAE,QAAQ,cAAc,qBAAqB;AACnD,iBACE,eACA;GACE,WAAW,UAAU,aAAa;GAClC,kBAAkB,iBAAiB,MAAM,CAAC,MAAM,GAAG,GAAG;GACvD,EACD,iCACD;AACD,SAAO,EAAE,KAAK;GAAE,eAAe;GAAQ,WAAW,UAAU,aAAa;GAAE,CAAC;GAC5E;AAEF,eAAc,IAAI,sBAAsB,OAAO,MAAM;AACnD,QAAM,2BAA2B,KAAK;EACtC,MAAM,SAAS,KAAK,QAAQ;AAC5B,SAAO,EAAE,KAAK,mBAAmB,QAAQ,OAAO,WAAW,CAAC,CAAC;GAC7D;AAEF,eAAc,KAAK,uBAAuB,qBAAqB,OAAO,MAAM;EAC1E,MAAM,QAAQ,oBAAoB,EAAE;AACpC,MAAI,CAAC,MAAO,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EAEnE,MAAM,SAAS,KAAK,QAAQ;AAC5B,6BAA2B,OAAO;EAClC,MAAM,SAAS,MAAM,KAAK,QAAQ,WAAW,OAAO;AACpD,MAAI,CAAC,OAAO,MACV,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,OAAO,SAAS;GAAyB,EAAE,IAAI;EAEnF,MAAM,UAAU,sBAAsB,OAAO;AAC7C,iBACE,kBACA;GACE,gBAAgB,QAAQ;GACxB,kBAAkB,iBAAiB,MAAM,CAAC,MAAM,GAAG,GAAG;GACvD,EACD,0CACD;AACD,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,gBAAgB,QAAQ;IACxB,iBAAiB,QAAQ;IACzB,YAAY,QAAQ;IACpB,OAAO,QAAQ;IAChB;GACF,CAAC;GACF;AAEF,eAAc,KAAK,qBAAqB,qBAAqB,OAAO,MAAM;AACxE,QAAM,2BAA2B,MAAM,EAAE,OAAO,MAAM,CAAC;EACvD,MAAM,SAAS,KAAK,QAAQ;EAC5B,MAAM,QAAQ,oBAAoB,EAAE;AACpC,MAAI,CAAC,MAAO,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;AAEnE,MAAI;AACF,wBAAqB,OAAO;WACrB,KAAK;AACZ,OAAI,eAAe,oBAAoB;AACrC,mBACE,uBACA;KAAE,QAAQ;KAA8B,kBAAkB,iBAAiB,MAAM,CAAC,MAAM,GAAG,GAAG;KAAE,EAChG,wCACD;AACD,WAAO,EAAE,KAAK;KAAE,OAAO,IAAI;KAAS,MAAM;KAA8B,EAAE,IAAI;;AAEhF,SAAM;;EAIR,MAAM,OADU,OAAO,QACF,QAAQ;AAC7B,MAAI;GACF,MAAM,KAAK,MAAM,OAAO,MAAM,MAAM,MAAM;AAC1C,4BAAyB,QAAQ,KAAK;AACtC,SAAM,KAAK,QAAQ,WAAW,OAAO;GACrC,MAAM,SAAS,OAAO,WAAW;AACjC,UAAO,EAAE,KAAK;IACZ,WAAW,GAAG;IACd,WAAW,OAAO;IAClB,WAAW,GAAG;IACd,QAAQ,GAAG;IACZ,CAAC;WACK,KAAK;GACZ,MAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAChE,UAAO,EAAE,KAAK,EAAE,OAAO,SAAS,EAAE,IAAI;;GAExC;AAEF,eAAc,KAAK,oBAAoB,qBAAqB,OAAO,MAAM;AACvE,QAAM,2BAA2B,KAAK;EACtC,MAAM,SAAS,KAAK,QAAQ;EAC5B,IAAI,UAAU;AACd,MAAI;AAEF,cAAU,MADU,EAAE,IAAI,MAAM,CAAC,aAAa,EAAE,EAAE,EACnC,YAAY;UACrB;AACN,aAAU;;EAEZ,MAAM,EAAE,aAAa,MAAM,OAAO,KAAK,EAAE,SAAS,CAAC;AACnD,2BAAyB,QAAQ,MAAM;AACvC,QAAM,KAAK,QAAQ,WAAW,OAAO;AACrC,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM;GAAU,CAAC;GACrC;AAEF,eAAc,IAAI,kBAAkB,OAAO,MAAM;AAC/C,QAAM,2BAA2B,KAAK;EAEtC,MAAM,OADU,KAAK,QAAQ,cAAc,QACtB,QAAQ;EAC7B,MAAM,OAAO,4BAA4B,KAAK,QAAQ,cAAc;AAEpE,MAAI,CADU,oBAAoB,EACxB,CAAE,QAAO,EAAE,KAAK,EAAE,OAAO,0BAA0B,EAAE,IAAI;EACnE,MAAM,KAAK,MAAM,OAAO,QAAQ,MAAM,KAAK;AAC3C,SAAO,EAAE,KAAK,GAAG;GACjB;AAEF,eAAc,IAAI,gCAAgC,OAAO,MAAM;AAC7D,QAAM,2BAA2B,KAAK;AACtC,SAAO,EAAE,KAAK,EACZ,WAAW,EAAE,KAAK,qBAA8B,EACjD,CAAC;GACF;;;;AAKF,eAAc,KAAK,0CAA0C,2BAA2B,OAAO,MAAM;EACnG,MAAM,SAAS,KAAK,QAAQ;EAC5B,MAAM,qBAAqB,2CAA2C,OAAO;AAC7E,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP;IACA,QAAQ,qBAAsB,WAAsB;IACrD;GACF,CAAC;GACF"}

package/dist/src/gateway/hono/routes/workspace.js CHANGED Viewed

@@ -1,10 +1,10 @@
-import { init_agent_scope, listAgentEntries, normalizeAgentId, resolveAgentHomeDir, resolveAgentWorkspaceDir, resolveDefaultAgentId } from "../../../agent/agent-scope.js";
-import { getWorkspacePath, init_schema } from "../../../config/schema.js";
-import { extractProfileAgentId } from "../../../config/agent-profile.js";
 import { createLogger } from "../../../utils/logger/index.js";
 import { init_logger } from "../../../utils/logger.js";
+import { init_agent_scope, listAgentEntries, normalizeAgentId, resolveAgentHomeDir, resolveAgentWorkspaceDir, resolveDefaultAgentId } from "../../../agent/agent-scope.js";
+import { extractProfileAgentId } from "../../../config/agent-profile.js";
 import { validateWritePath } from "../../../agent/sandbox/path-policy.js";
 import { resolveSafeInboundFilePath } from "../../../channels/attachments/inbound-persist.js";
+import { getWorkspacePath } from "../../../config/workspace-path-helpers.js";
 import { isPathUnderWorkspace, resolveWorkspaceSafePath, toWorkspaceRelativePosix } from "../../workspace-editor-path.js";
 import { resolveSafeTtsFilePath } from "../../../channels/attachments/outbound-tts-persist.js";
 import { buildFilePathClassifierContext, classifyFileLocation, displayNameForPath, fileRefSessionKeysMatch, resolveFileReferenceCandidate } from "../../file-path-classifier.js";
@@ -12,12 +12,11 @@ import { fileReferenceRegistry } from "../../file-reference-registry.js";
 import { resolveHeartbeatMdPath } from "../../workspace-heartbeat-path.js";
 import { listWorkspaceRelativeFilesFsFallback } from "../../workspace-fs-file-list.js";
 import { runRipgrepInDirectory, runRipgrepListFiles } from "../../workspace-ripgrep.js";
-import { basename, dirname, join, resolve } from "node:path";
-import { constants } from "node:fs";
 import { randomUUID } from "node:crypto";
+import { constants } from "node:fs";
 import { copyFile, link, mkdir, readFile, readdir, rename, stat, unlink, writeFile } from "node:fs/promises";
+import { basename, dirname, join, resolve } from "node:path";
 //#region src/gateway/hono/routes/workspace.ts
-init_schema();
 init_agent_scope();
 init_logger();
 const log = createLogger("HonoApp");
@@ -123,7 +122,7 @@ async function resolveEditorWorkspaceRootAsync(service, cfg, sessionKeyRaw, agen
 	if (sk) try {
 		return {
 			ok: true,
-			root: await service.getEffectiveWorkspacePathForSession(sk)
+			root: await service.sessions.getEffectiveWorkspacePath(sk)
 		};
 	} catch (err) {
 		const em = err instanceof Error ? err.message : String(err);

package/dist/src/gateway/hono/routes/workspace.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"workspace.js","names":["fsConstants"],"sources":["../../../../../src/gateway/hono/routes/workspace.ts"],"sourcesContent":["import type { Hono } from 'hono';\nimport { randomUUID } from 'node:crypto';\nimport { constants as fsConstants } from 'node:fs';\nimport { copyFile, link, mkdir, readdir, readFile, rename, stat, unlink, writeFile } from 'node:fs/promises';\nimport { basename, dirname, join, resolve } from 'node:path';\n\nimport { extractProfileAgentId } from '../../../config/agent-profile.js';\nimport { type Config, getWorkspacePath } from '../../../config/schema.js';\nimport { validateWritePath } from '../../../agent/sandbox/path-policy.js';\nimport { resolveSafeInboundFilePath } from '../../../channels/attachments/inbound-persist.js';\nimport { resolveSafeTtsFilePath } from '../../../channels/attachments/outbound-tts-persist.js';\nimport {\n listAgentEntries,\n normalizeAgentId,\n resolveAgentHomeDir,\n resolveAgentWorkspaceDir,\n resolveDefaultAgentId,\n} from '../../../agent/agent-scope.js';\nimport { createLogger } from '../../../utils/logger.js';\nimport { resolveHeartbeatMdPath } from '../../workspace-heartbeat-path.js';\nimport {\n isPathUnderWorkspace,\n resolveWorkspaceSafePath,\n toWorkspaceRelativePosix,\n} from '../../workspace-editor-path.js';\nimport { listWorkspaceRelativeFilesFsFallback } from '../../workspace-fs-file-list.js';\nimport { runRipgrepInDirectory, runRipgrepListFiles } from '../../workspace-ripgrep.js';\nimport {\n buildFilePathClassifierContext,\n classifyFileLocation,\n displayNameForPath,\n fileRefSessionKeysMatch,\n resolveFileReferenceCandidate,\n} from '../../file-path-classifier.js';\nimport {\n fileReferenceRegistry,\n type FileReferenceCapability,\n type FileReferenceLocationKind,\n type FileReferenceScope,\n} from '../../file-reference-registry.js';\nimport type { AuthenticatedRouteDeps } from './deps.js';\nimport type { GatewayService } from '../../service.js';\n\nconst log = createLogger('HonoApp');\n\n/** Agent home for persisted `inbound/` and `tts/` attachments (matches `persistOutboundTtsAudio` / `prepareInboundAttachments`). /\nfunction resolvePersistedAttachmentAgentHome(cfg: Config, sessionKeyRaw: string \| undefined): string {\n const sk = typeof sessionKeyRaw === 'string' ? sessionKeyRaw.trim() : '';\n const agentId = sk ? extractProfileAgentId(sk, cfg) : resolveDefaultAgentId(cfg);\n return resolveAgentHomeDir(cfg, agentId);\n}\n\nconst FILE_SEARCH_MAX_LIMIT = 50;\n\n/* Subsequence fuzzy match: all query chars appear in order in `candidate` (case-insensitive). /\nfunction fuzzySubsequenceScore(query: string, candidate: string): number \| null {\n const q = query.toLowerCase();\n const c = candidate.toLowerCase();\n if (q.length === 0) return 0;\n let qi = 0;\n for (let ci = 0; ci < c.length && qi < q.length; ci++) {\n if (c[ci] === q[qi]) qi++;\n }\n if (qi < q.length) return null;\n const base = c.split('/').pop() ?? c;\n let score = 10;\n if (c.startsWith(q)) score += 40;\n if (base.startsWith(q)) score += 35;\n else if (base.includes(q)) score += 20;\n else if (c.includes(q)) score += 10;\n score -= c.length 0.0001;\n return score;\n}\n\nasync function fuzzySearchWorkspaceFiles(\n workspaceRoot: string,\n query: string,\n limit: number,\n): Promise<Array<{ name: string; path: string; isDirectory: boolean }>> {\n let files = await runRipgrepListFiles(workspaceRoot);\n if (files.length === 0) {\n files = await listWorkspaceRelativeFilesFsFallback(workspaceRoot, 120_000);\n if (files.length > 0) {\n log.debug(\n { workspaceRoot, fileCount: files.length },\n 'workspace files/search: file list from fs walk (ripgrep unavailable or returned empty)',\n );\n }\n }\n const q = query.trim();\n const capped = Math.min(Math.max(limit, 1), FILE_SEARCH_MAX_LIMIT);\n\n type Row = { name: string; path: string; isDirectory: boolean; score: number };\n const rows: Row[] = [];\n\n if (!q) {\n const sorted = [...files].sort((a, b) => a.localeCompare(b));\n for (const rel of sorted.slice(0, capped)) {\n const name = rel.split('/').pop() ?? rel;\n rows.push({ name, path: rel, isDirectory: false, score: 0 });\n }\n return rows;\n }\n\n for (const rel of files) {\n const name = rel.split('/').pop() ?? rel;\n const scorePath = fuzzySubsequenceScore(q, rel);\n const scoreName = fuzzySubsequenceScore(q, name);\n const score = Math.max(scorePath ?? -Infinity, scoreName ?? -Infinity);\n if (score === -Infinity) continue;\n rows.push({ name, path: rel, isDirectory: false, score });\n }\n\n rows.sort((a, b) => b.score - a.score \|\| a.path.localeCompare(b.path));\n return rows.slice(0, capped).map(({ name, path, isDirectory }) => ({ name, path, isDirectory }));\n}\n\nfunction isKnownEditorAgentId(cfg: Config, id: string): boolean {\n const n = normalizeAgentId(id);\n if (n === resolveDefaultAgentId(cfg)) return true;\n return listAgentEntries(cfg).some((e) => normalizeAgentId(e.id) === n);\n}\n\nfunction resolveEditorWorkspaceRoot(\n cfg: Config,\n agentIdRaw: string \| undefined,\n): { ok: true; root: string } \| { ok: false; message: string } {\n const trimmed = typeof agentIdRaw === 'string' ? agentIdRaw.trim() : '';\n if (!trimmed) {\n const root = getWorkspacePath(cfg);\n if (!root) return { ok: false, message: 'Workspace not configured' };\n return { ok: true, root };\n }\n const id = normalizeAgentId(trimmed);\n if (!isKnownEditorAgentId(cfg, id)) {\n return { ok: false, message: 'Unknown agent' };\n }\n return { ok: true, root: resolveAgentWorkspaceDir(cfg, id) };\n}\n\n/** Prefer `sessionKey` (per-session workspace override) over `agentId`. /\nasync function resolveEditorWorkspaceRootAsync(\n service: GatewayService,\n cfg: Config,\n sessionKeyRaw: string \| undefined,\n agentIdRaw: string \| undefined,\n): Promise<{ ok: true; root: string } \| { ok: false; message: string }> {\n const sk = typeof sessionKeyRaw === 'string' ? sessionKeyRaw.trim() : '';\n if (sk) {\n try {\n const root = await service.getEffectiveWorkspacePathForSession(sk);\n return { ok: true, root };\n } catch (err) {\n const em = err instanceof Error ? err.message : String(err);\n log.warn({ err, sessionKey: sk }, 'Session workspace root resolution failed');\n return { ok: false, message: em \|\| 'Session workspace resolution failed' };\n }\n }\n return resolveEditorWorkspaceRoot(cfg, agentIdRaw);\n}\n\ninterface ResolvedWorkspaceImportConfig {\n targetDir: string;\n maxBytes: number;\n allowOverwrite: boolean;\n}\n\nfunction resolveWorkspaceImportConfig(cfg: Config): ResolvedWorkspaceImportConfig {\n const raw = cfg.workspace?.import;\n return {\n targetDir: raw?.targetDir?.trim() \|\| 'imports',\n maxBytes: raw?.maxBytes ?? 104_857_600,\n allowOverwrite: raw?.allowOverwrite ?? true,\n };\n}\n\n/* Strip path separators, NULs and control chars from a basename so it stays in the destination dir. /\nfunction sanitizeImportBasename(name: string): string {\n return name\n .replace(/[\\\\/]/g, '')\n .replace(/[\\x00-\\x1f\\x7f]/g, '')\n .trim();\n}\n\n/\n Race-safe target picker for the `rename`-on-conflict strategy. Uses `link(tmp, target)`\n * which atomically fails with EEXIST when the candidate is taken; on success the tmp\n * file is left in place for the caller to unlink. Returns the linked target path.\n /\nasync function pickAvailableTargetWithLink(\n tmpAbs: string,\n initialDestAbs: string,\n maxAttempts = 1000,\n): Promise<{ ok: true; path: string; attempts: number } \| { ok: false; attempts: number }> {\n const dir = dirname(initialDestAbs);\n const original = basename(initialDestAbs);\n const dotIdx = original.lastIndexOf('.');\n const stem = dotIdx > 0 ? original.slice(0, dotIdx) : original;\n const ext = dotIdx > 0 ? original.slice(dotIdx) : '';\n for (let attempt = 1; attempt <= maxAttempts; attempt++) {\n const candidate = attempt === 1 ? initialDestAbs : join(dir, `${stem}-${attempt}${ext}`);\n try {\n await link(tmpAbs, candidate);\n return { ok: true, path: candidate, attempts: attempt };\n } catch (err) {\n const code = (err as NodeJS.ErrnoException)?.code;\n if (code !== 'EEXIST') {\n throw err;\n }\n }\n }\n return { ok: false, attempts: maxAttempts };\n}\n\nfunction fileReferenceCapabilities(\n scope: FileReferenceScope,\n isDirectory: boolean,\n locationKind?: FileReferenceLocationKind,\n): FileReferenceCapability[] {\n if (scope === 'workspace') {\n return isDirectory\n ? ['openExternal', 'revealInFolder', 'copyPath']\n : ['preview', 'edit', 'openExternal', 'revealInFolder', 'copyPath'];\n }\n if (scope === 'external' \|\| scope === 'agent-profile' \|\| scope === 'session-artifact') {\n const base: FileReferenceCapability[] = ['openExternal', 'revealInFolder', 'copyPath'];\n // v1: importToWorkspace for files only; exclude xopc-config to prevent copying\n // app config into the workspace (semantically wrong).\n if (!isDirectory && locationKind !== 'xopc-config') {\n base.push('importToWorkspace');\n }\n return base;\n }\n if (scope === 'missing') return ['copyPath'];\n return [];\n}\n\nfunction isFileReferenceAction(action: unknown): action is 'openExternal' \| 'revealInFolder' {\n return action === 'openExternal' \|\| action === 'revealInFolder';\n}\n\nexport function registerWorkspaceRoutes(authenticated: Hono, deps: AuthenticatedRouteDeps): void {\n const { service } = deps;\n\n authenticated.get('/api/workspace/inbound-file', async (c) => {\n const rel = c.req.query('rel');\n if (!rel \|\| typeof rel !== 'string') {\n return c.json({ ok: false, error: { message: 'Missing rel' } }, 400);\n }\n const cfg = service.currentConfig;\n const agentHome = resolvePersistedAttachmentAgentHome(cfg, c.req.query('sessionKey'));\n const abs = resolveSafeInboundFilePath({ agentHome }, rel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Forbidden' } }, 403);\n }\n try {\n const buf = await readFile(abs);\n const ext = rel.split('.').pop()?.toLowerCase() ?? '';\n const mimeByExt: Record<string, string> = {\n pdf: 'application/pdf',\n png: 'image/png',\n jpg: 'image/jpeg',\n jpeg: 'image/jpeg',\n webp: 'image/webp',\n gif: 'image/gif',\n md: 'text/markdown',\n txt: 'text/plain',\n json: 'application/json',\n html: 'text/html',\n css: 'text/css',\n js: 'text/javascript',\n ts: 'text/typescript',\n webm: 'audio/webm',\n ogg: 'audio/ogg',\n opus: 'audio/ogg',\n mp3: 'audio/mpeg',\n wav: 'audio/wav',\n m4a: 'audio/mp4',\n };\n const contentType = mimeByExt[ext] \|\| 'application/octet-stream';\n return new Response(buf, {\n headers: {\n 'Content-Type': contentType,\n 'Cache-Control': 'private, max-age=3600',\n },\n });\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n });\n\n authenticated.get('/api/workspace/tts-file', async (c) => {\n const rel = c.req.query('rel');\n if (!rel \|\| typeof rel !== 'string') {\n return c.json({ ok: false, error: { message: 'Missing rel' } }, 400);\n }\n const cfg = service.currentConfig;\n const agentHome = resolvePersistedAttachmentAgentHome(cfg, c.req.query('sessionKey'));\n const abs = resolveSafeTtsFilePath({ agentHome }, rel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Forbidden' } }, 403);\n }\n try {\n const buf = await readFile(abs);\n const ext = rel.split('.').pop()?.toLowerCase() ?? '';\n const mimeByExt: Record<string, string> = {\n ogg: 'audio/ogg',\n opus: 'audio/ogg',\n mp3: 'audio/mpeg',\n wav: 'audio/wav',\n m4a: 'audio/mp4',\n };\n const contentType = mimeByExt[ext] \|\| 'application/octet-stream';\n return new Response(buf, {\n headers: {\n 'Content-Type': contentType,\n 'Cache-Control': 'private, max-age=3600',\n },\n });\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n });\n\n authenticated.get('/api/workspace/heartbeat-md', async (c) => {\n const abs = resolveHeartbeatMdPath(service.currentConfig);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Workspace not configured' } }, 400);\n }\n try {\n const content = await readFile(abs, 'utf-8');\n return c.json({ ok: true, payload: { content: content, file: 'HEARTBEAT.md' } });\n } catch {\n return c.json({ ok: true, payload: { content: '', file: 'HEARTBEAT.md' } });\n }\n });\n\n authenticated.put('/api/workspace/heartbeat-md', async (c) => {\n const abs = resolveHeartbeatMdPath(service.currentConfig);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Workspace not configured' } }, 400);\n }\n let body: unknown;\n try {\n body = await c.req.json();\n } catch {\n return c.json({ ok: false, error: { message: 'Invalid JSON' } }, 400);\n }\n const content =\n typeof body === 'object' &&\n body !== null &&\n 'content' in body &&\n typeof (body as { content: unknown }).content === 'string'\n ? (body as { content: string }).content\n : '';\n try {\n await writeFile(abs, content, 'utf-8');\n return c.json({ ok: true, payload: { file: 'HEARTBEAT.md' } });\n } catch (err) {\n log.error({ err, path: abs }, 'Failed to write HEARTBEAT.md');\n return c.json({ ok: false, error: { message: 'Write failed' } }, 500);\n }\n });\n\n authenticated.get('/api/workspace/editor/list', async (c) => {\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const dirRel = typeof c.req.query('dir') === 'string' ? c.req.query('dir')! : '';\n const absDir = resolveWorkspaceSafePath(workspaceRoot, dirRel);\n if (!absDir) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(absDir);\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n if (!st.isDirectory()) {\n return c.json({ ok: false, error: { message: 'Not a directory' } }, 400);\n }\n const dirents = await readdir(absDir, { withFileTypes: true });\n const entries: { name: string; path: string; absolutePath: string; isDirectory: boolean }[] = [];\n for (const entry of dirents) {\n if (entry.name.startsWith('.')) continue;\n const fullPath = join(absDir, entry.name);\n if (entry.isDirectory()) {\n entries.push({\n name: entry.name,\n path: toWorkspaceRelativePosix(workspaceRoot, fullPath),\n absolutePath: fullPath,\n isDirectory: true,\n });\n } else {\n entries.push({\n name: entry.name,\n path: toWorkspaceRelativePosix(workspaceRoot, fullPath),\n absolutePath: fullPath,\n isDirectory: false,\n });\n }\n }\n entries.sort((a, b) => {\n if (a.isDirectory !== b.isDirectory) return a.isDirectory ? -1 : 1;\n return a.name.localeCompare(b.name);\n });\n return c.json({ ok: true, payload: { entries } });\n });\n\n authenticated.get('/api/workspace/editor/read', async (c) => {\n const pathRel = typeof c.req.query('path') === 'string' ? c.req.query('path')! : '';\n if (!pathRel.trim()) {\n return c.json({ ok: false, error: { message: 'Missing path' } }, 400);\n }\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const abs = resolveWorkspaceSafePath(workspaceRoot, pathRel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(abs);\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n if (!st.isFile()) {\n return c.json({ ok: false, error: { message: 'Not a file' } }, 400);\n }\n try {\n const content = await readFile(abs, 'utf-8');\n return c.json({\n ok: true,\n payload: {\n content,\n path: toWorkspaceRelativePosix(workspaceRoot, abs),\n absolutePath: abs,\n mtimeMs: st.mtimeMs,\n },\n });\n } catch {\n return c.json({ ok: false, error: { message: 'Read failed' } }, 500);\n }\n });\n\n /* Read file as raw bytes and return base64 (for PDF/images in workspace preview — avoids UTF-8 corruption). /\n authenticated.get('/api/workspace/editor/read-base64', async (c) => {\n const pathRel = typeof c.req.query('path') === 'string' ? c.req.query('path')! : '';\n if (!pathRel.trim()) {\n return c.json({ ok: false, error: { message: 'Missing path' } }, 400);\n }\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const abs = resolveWorkspaceSafePath(workspaceRoot, pathRel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(abs);\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n if (!st.isFile()) {\n return c.json({ ok: false, error: { message: 'Not a file' } }, 400);\n }\n try {\n const buf = await readFile(abs);\n return c.json({\n ok: true,\n payload: {\n contentBase64: buf.toString('base64'),\n path: toWorkspaceRelativePosix(workspaceRoot, abs),\n /* Host absolute path — Electron can open with the default app (shell.openPath). /\n absolutePath: abs,\n mtimeMs: st.mtimeMs,\n },\n });\n } catch {\n return c.json({ ok: false, error: { message: 'Read failed' } }, 500);\n }\n });\n\n /* Map an absolute host path to a workspace-relative path (if under this session’s workspace). /\n authenticated.get('/api/workspace/editor/resolve-path', async (c) => {\n const raw = c.req.query('absolutePath');\n if (!raw \|\| typeof raw !== 'string' \|\| !raw.trim()) {\n return c.json({ ok: false, error: { message: 'Missing absolutePath' } }, 400);\n }\n const absolutePath = raw.trim();\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const normalized = resolve(absolutePath);\n if (!isPathUnderWorkspace(workspaceRoot, normalized)) {\n return c.json({ ok: false, error: { message: 'Path not under workspace' } }, 403);\n }\n const rel = toWorkspaceRelativePosix(workspaceRoot, normalized);\n return c.json({ ok: true, payload: { workspaceRelativePath: rel } });\n });\n\n authenticated.get('/api/workspace/editor/resolve-reference', async (c) => {\n const rawPath = typeof c.req.query('path') === 'string' ? c.req.query('path')!.trim() : '';\n if (!rawPath) {\n return c.json({ ok: false, error: { code: 'INVALID_PATH', message: 'Missing path' } }, 400);\n }\n\n const sessionKey = typeof c.req.query('sessionKey') === 'string' ? c.req.query('sessionKey')!.trim() : '';\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n sessionKey,\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { code: 'WORKSPACE_RESOLUTION_FAILED', message: ws.message } }, 400);\n }\n\n const workspaceRoot = ws.root;\n const classifierCtx = { ...buildFilePathClassifierContext(service.currentConfig, sessionKey), workspaceRoot };\n const displayName = displayNameForPath(rawPath);\n const { candidate, invalid } = await resolveFileReferenceCandidate(rawPath, workspaceRoot, classifierCtx);\n\n if (!candidate \|\| invalid) {\n return c.json({\n ok: true,\n payload: {\n inputPath: rawPath,\n displayName,\n scope: 'invalid' satisfies FileReferenceScope,\n exists: false,\n capabilities: [] as FileReferenceCapability[],\n errorCode: 'INVALID_PATH',\n },\n });\n }\n\n let st: Awaited<ReturnType<typeof stat>> \| null = null;\n try {\n st = await stat(candidate);\n } catch {\n st = null;\n }\n\n if (!st) {\n // Always include the resolved candidate so the UI's \"Copy path\" yields\n // something actionable (\"I looked here, no file\"). Without this, bare\n // workspace-relative mentions fall back to the `rel:<path>` UI sentinel.\n return c.json({\n ok: true,\n payload: {\n inputPath: rawPath,\n displayName,\n scope: 'missing' satisfies FileReferenceScope,\n exists: false,\n absolutePath: candidate,\n capabilities: fileReferenceCapabilities('missing', false),\n errorCode: 'FILE_NOT_FOUND',\n },\n });\n }\n\n const classified = classifyFileLocation(candidate, classifierCtx);\n const { scope, locationKind, manageRoute } = classified;\n const inWorkspace = scope === 'workspace';\n const isDirectory = st.isDirectory();\n const capabilities = fileReferenceCapabilities(scope, isDirectory, locationKind);\n const ref = fileReferenceRegistry.register({\n absolutePath: candidate,\n sessionKey: sessionKey \|\| undefined,\n scope,\n locationKind,\n capabilities,\n });\n\n return c.json({\n ok: true,\n payload: {\n fileRefId: ref.id,\n inputPath: rawPath,\n displayName,\n scope,\n locationKind,\n manageRoute,\n exists: true,\n isDirectory,\n absolutePath: candidate,\n workspaceRelativePath: inWorkspace ? toWorkspaceRelativePosix(workspaceRoot, candidate) : undefined,\n capabilities,\n mtimeMs: st.mtimeMs,\n },\n });\n });\n\n authenticated.post('/api/workspace/file-ref/:id/resolve-action', async (c) => {\n const id = c.req.param('id')?.trim() ?? '';\n if (!id) {\n return c.json({ ok: false, error: { code: 'INVALID_FILE_REF', message: 'Missing file reference' } }, 400);\n }\n\n const ref = fileReferenceRegistry.resolve(id);\n if (!ref) {\n return c.json({ ok: false, error: { code: 'FILE_REF_EXPIRED', message: 'File reference expired' } }, 404);\n }\n\n const sessionKey = typeof c.req.query('sessionKey') === 'string' ? c.req.query('sessionKey')!.trim() : '';\n if (!fileRefSessionKeysMatch(ref.sessionKey, sessionKey)) {\n return c.json({ ok: false, error: { code: 'FILE_REF_FORBIDDEN', message: 'File reference forbidden' } }, 403);\n }\n\n const body = (await c.req.json().catch(() => ({}))) as { action?: unknown };\n const action = body.action;\n if (!isFileReferenceAction(action)) {\n return c.json({ ok: false, error: { code: 'INVALID_ACTION', message: 'Invalid action' } }, 400);\n }\n if (!ref.capabilities.includes(action)) {\n return c.json({ ok: false, error: { code: 'ACTION_NOT_ALLOWED', message: 'Action not allowed' } }, 403);\n }\n\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(ref.absolutePath);\n } catch {\n return c.json({ ok: false, error: { code: 'FILE_NOT_FOUND', message: 'File not found' } }, 404);\n }\n\n return c.json({\n ok: true,\n payload: {\n absolutePath: ref.absolutePath,\n isDirectory: st.isDirectory(),\n },\n });\n });\n\n authenticated.post('/api/workspace/import-file-ref/:id', async (c) => {\n const id = c.req.param('id')?.trim() ?? '';\n if (!id) {\n return c.json({ ok: false, error: { code: 'INVALID_FILE_REF', message: 'Missing file reference' } }, 400);\n }\n\n const ref = fileReferenceRegistry.resolve(id);\n if (!ref) {\n return c.json({ ok: false, error: { code: 'FILE_REF_EXPIRED', message: 'File reference expired' } }, 404);\n }\n\n const sessionKey = typeof c.req.query('sessionKey') === 'string' ? c.req.query('sessionKey')!.trim() : '';\n if (!fileRefSessionKeysMatch(ref.sessionKey, sessionKey)) {\n return c.json({ ok: false, error: { code: 'FILE_REF_FORBIDDEN', message: 'File reference forbidden' } }, 403);\n }\n\n if (!ref.capabilities.includes('importToWorkspace')) {\n return c.json({ ok: false, error: { code: 'IMPORT_NOT_ALLOWED', message: 'Import not allowed for this file' } }, 403);\n }\n\n let sourceStat: Awaited<ReturnType<typeof stat>>;\n try {\n sourceStat = await stat(ref.absolutePath);\n } catch {\n fileReferenceRegistry.expireById(id);\n return c.json({ ok: false, error: { code: 'SOURCE_NOT_FOUND', message: 'Source file no longer exists' } }, 404);\n }\n if (!sourceStat.isFile()) {\n return c.json({ ok: false, error: { code: 'SOURCE_NOT_FILE', message: 'Source is not a regular file' } }, 400);\n }\n\n const importCfg = resolveWorkspaceImportConfig(service.currentConfig);\n if (sourceStat.size > importCfg.maxBytes) {\n return c.json(\n {\n ok: false,\n error: {\n code: 'SOURCE_TOO_LARGE',\n message: `Source exceeds maximum import size (${importCfg.maxBytes} bytes)`,\n },\n },\n 413,\n );\n }\n\n const ws = await resolveEditorWorkspaceRootAsync(service, service.currentConfig, sessionKey, undefined);\n if (ws.ok === false) {\n return c.json({ ok: false, error: { code: 'WORKSPACE_RESOLUTION_FAILED', message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n\n let body: { destination?: unknown; onConflict?: unknown };\n try {\n body = (await c.req.json().catch(() => ({}))) as typeof body;\n } catch {\n body = {};\n }\n const requestedDestRaw = typeof body.destination === 'string' ? body.destination.trim() : '';\n const onConflictRaw = typeof body.onConflict === 'string' ? body.onConflict : 'rename';\n if (onConflictRaw !== 'rename' && onConflictRaw !== 'overwrite' && onConflictRaw !== 'error') {\n return c.json({ ok: false, error: { code: 'INVALID_CONFLICT_MODE', message: 'Invalid onConflict value' } }, 400);\n }\n const onConflict = onConflictRaw as 'rename' \| 'overwrite' \| 'error';\n if (onConflict === 'overwrite' && !importCfg.allowOverwrite) {\n return c.json({ ok: false, error: { code: 'OVERWRITE_DISABLED', message: 'Overwrite is disabled by config' } }, 403);\n }\n\n const sourceBasename = sanitizeImportBasename(basename(ref.absolutePath)) \|\| 'imported-file';\n let requestedRel: string;\n if (!requestedDestRaw) {\n requestedRel = `${importCfg.targetDir}/${sourceBasename}`;\n } else {\n const trimmedDest = requestedDestRaw.replace(/\\\\/g, '/');\n // Path ending with `/` is treated as a directory; append source basename.\n requestedRel = trimmedDest.endsWith('/') ? `${trimmedDest}${sourceBasename}` : trimmedDest;\n }\n\n let initialDestAbs = resolveWorkspaceSafePath(workspaceRoot, requestedRel);\n if (!initialDestAbs) {\n return c.json({ ok: false, error: { code: 'INVALID_DESTINATION', message: 'Invalid destination path' } }, 400);\n }\n\n // Sandbox: blocks `.xopc/xopc.json`, `.env`, etc.; canonical symlink resolution included.\n const writePolicy = validateWritePath(initialDestAbs, workspaceRoot);\n if (!writePolicy.allowed) {\n return c.json({ ok: false, error: { code: 'DESTINATION_BLOCKED', message: writePolicy.reason ?? 'Destination blocked' } }, 403);\n }\n\n if (resolve(ref.absolutePath) === resolve(initialDestAbs)) {\n return c.json({ ok: false, error: { code: 'SAME_LOCATION', message: 'Destination is the same as source' } }, 400);\n }\n\n const destDir = dirname(initialDestAbs);\n try {\n await mkdir(destDir, { recursive: true });\n } catch (err) {\n log.warn({ err, destDir }, 'Failed to create import destination directory');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'Failed to prepare destination' } }, 500);\n }\n\n // Stage source into a hidden tmp file inside the destination directory so we\n // can atomically `link` (rename strategy) or `rename` (overwrite) to land it.\n const tmpName = `.${basename(initialDestAbs)}.import-${randomUUID()}.tmp`;\n const tmpAbs = join(destDir, tmpName);\n\n const started = Date.now();\n let renamed = false;\n let overwrote = false;\n let finalDestAbs = initialDestAbs;\n\n try {\n try {\n await copyFile(ref.absolutePath, tmpAbs, fsConstants.COPYFILE_FICLONE);\n } catch (err) {\n await unlink(tmpAbs).catch(() => {});\n log.warn({ err, source: ref.absolutePath, tmpAbs }, 'Failed to copy source into staging tmp');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'Failed to copy source file' } }, 500);\n }\n\n if (onConflict === 'overwrite') {\n // Snapshot pre-rename existence for telemetry; the actual overwrite is unconditional.\n overwrote = await stat(initialDestAbs).then(() => true).catch(() => false);\n try {\n await rename(tmpAbs, initialDestAbs);\n } catch (err) {\n await unlink(tmpAbs).catch(() => {});\n log.warn({ err, target: initialDestAbs }, 'Atomic rename failed');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'Failed to finalize import' } }, 500);\n }\n } else if (onConflict === 'error') {\n const exists = await stat(initialDestAbs).then(() => true).catch(() => false);\n if (exists) {\n await unlink(tmpAbs).catch(() => {});\n return c.json({ ok: false, error: { code: 'DESTINATION_EXISTS', message: 'Destination already exists' } }, 409);\n }\n try {\n await link(tmpAbs, initialDestAbs);\n await unlink(tmpAbs).catch(() => {});\n } catch (err) {\n await unlink(tmpAbs).catch(() => {});\n log.warn({ err, target: initialDestAbs }, 'Hard link to destination failed');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'Failed to finalize import' } }, 500);\n }\n } else {\n // rename: race-safe loop using O_EXCL semantics of `link`.\n const picked = await pickAvailableTargetWithLink(tmpAbs, initialDestAbs);\n if (!picked.ok) {\n await unlink(tmpAbs).catch(() => {});\n log.warn({ target: initialDestAbs, attempts: picked.attempts }, 'Failed to find free import target name');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'No free destination name available' } }, 500);\n }\n await unlink(tmpAbs).catch(() => {});\n finalDestAbs = picked.path;\n renamed = picked.path !== initialDestAbs;\n }\n } catch (err) {\n await unlink(tmpAbs).catch(() => {});\n log.error({ err }, 'Import file unexpected failure');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'Import failed' } }, 500);\n }\n\n let finalMtime: number;\n try {\n finalMtime = (await stat(finalDestAbs)).mtimeMs;\n } catch {\n finalMtime = Date.now();\n }\n\n const workspaceRel = toWorkspaceRelativePosix(workspaceRoot, finalDestAbs);\n\n fileReferenceRegistry.expireById(id);\n const newRef = fileReferenceRegistry.register({\n absolutePath: finalDestAbs,\n sessionKey: sessionKey \|\| undefined,\n scope: 'workspace',\n capabilities: fileReferenceCapabilities('workspace', false),\n });\n\n const sourceScope = ref.scope;\n const sourceLocationKind = ref.locationKind;\n\n service.emit('workspace.file-imported', {\n sessionKey: sessionKey \|\| undefined,\n workspaceRelativePath: workspaceRel,\n absolutePath: finalDestAbs,\n bytes: sourceStat.size,\n sourceScope,\n sourceLocationKind,\n });\n\n log.info(\n {\n sessionKey,\n fileRefId: id,\n sourceAbsolutePath: ref.absolutePath,\n sourceScope,\n sourceLocationKind,\n destWorkspaceRelativePath: workspaceRel,\n bytes: sourceStat.size,\n renamed,\n overwrote,\n durationMs: Date.now() - started,\n },\n 'Workspace file import succeeded',\n );\n\n return c.json({\n ok: true,\n payload: {\n workspaceRelativePath: workspaceRel,\n absolutePath: finalDestAbs,\n bytesCopied: sourceStat.size,\n sourceAbsolutePath: ref.absolutePath,\n sourceScope,\n sourceLocationKind,\n renamed,\n overwrote,\n mtimeMs: finalMtime,\n newFileRefId: newRef.id,\n },\n });\n });\n\n /*\n Serve a workspace file as raw bytes (e.g. <img> after auth fetch + blob URL).\n * Path is workspace-relative; scope via sessionKey / agentId like other editor routes.\n /\n authenticated.get('/api/workspace/editor/raw', async (c) => {\n const pathRel = typeof c.req.query('path') === 'string' ? c.req.query('path')! : '';\n if (!pathRel.trim()) {\n return c.json({ ok: false, error: { message: 'Missing path' } }, 400);\n }\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const abs = resolveWorkspaceSafePath(workspaceRoot, pathRel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(abs);\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n if (!st.isFile()) {\n return c.json({ ok: false, error: { message: 'Not a file' } }, 400);\n }\n const ext = pathRel.split('.').pop()?.toLowerCase() ?? '';\n const mimeByExt: Record<string, string> = {\n png: 'image/png',\n jpg: 'image/jpeg',\n jpeg: 'image/jpeg',\n gif: 'image/gif',\n webp: 'image/webp',\n bmp: 'image/bmp',\n svg: 'image/svg+xml',\n pdf: 'application/pdf',\n docx: 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',\n xlsx: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',\n pptx: 'application/vnd.openxmlformats-officedocument.presentationml.presentation',\n txt: 'text/plain',\n md: 'text/markdown',\n json: 'application/json',\n html: 'text/html',\n css: 'text/css',\n js: 'text/javascript',\n ts: 'text/typescript',\n mp3: 'audio/mpeg',\n wav: 'audio/wav',\n ogg: 'audio/ogg',\n webm: 'video/webm',\n mp4: 'video/mp4',\n mov: 'video/quicktime',\n };\n const contentType = mimeByExt[ext] \|\| 'application/octet-stream';\n try {\n const buf = await readFile(abs);\n return new Response(buf, {\n headers: {\n 'Content-Type': contentType,\n 'Cache-Control': 'private, max-age=3600',\n },\n });\n } catch {\n return c.json({ ok: false, error: { message: 'Read failed' } }, 500);\n }\n });\n\n authenticated.put('/api/workspace/editor/write', async (c) => {\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n let body: unknown;\n try {\n body = await c.req.json();\n } catch {\n return c.json({ ok: false, error: { message: 'Invalid JSON' } }, 400);\n }\n const pathRel =\n typeof body === 'object' &&\n body !== null &&\n 'path' in body &&\n typeof (body as { path: unknown }).path === 'string'\n ? (body as { path: string }).path\n : '';\n const content =\n typeof body === 'object' &&\n body !== null &&\n 'content' in body &&\n typeof (body as { content: unknown }).content === 'string'\n ? (body as { content: string }).content\n : '';\n if (!pathRel.trim()) {\n return c.json({ ok: false, error: { message: 'Missing path' } }, 400);\n }\n const abs = resolveWorkspaceSafePath(workspaceRoot, pathRel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>> \| undefined;\n try {\n st = await stat(abs);\n } catch {\n st = undefined;\n }\n if (st && !st.isFile()) {\n return c.json({ ok: false, error: { message: 'Not a file' } }, 400);\n }\n try {\n await writeFile(abs, content, 'utf-8');\n let mtimeMs: number;\n try {\n mtimeMs = (await stat(abs)).mtimeMs;\n } catch {\n mtimeMs = Date.now();\n }\n return c.json({\n ok: true,\n payload: { path: toWorkspaceRelativePosix(workspaceRoot, abs), mtimeMs },\n });\n } catch (err) {\n log.error({ err, path: abs }, 'workspace editor write failed');\n return c.json({ ok: false, error: { message: 'Write failed' } }, 500);\n }\n });\n\n authenticated.get('/api/workspace/editor/search', async (c) => {\n const q = typeof c.req.query('q') === 'string' ? c.req.query('q')!.trim() : '';\n const dirRel = typeof c.req.query('dir') === 'string' ? c.req.query('dir')! : '';\n if (!q) {\n return c.json({\n ok: true,\n payload: { results: [] as { filePath: string; lineNumber: number; lineContent: string; matchStart: number; matchEnd: number }[] },\n });\n }\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const absDir = resolveWorkspaceSafePath(workspaceRoot, dirRel);\n if (!absDir) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(absDir);\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n if (!st.isDirectory()) {\n return c.json({ ok: false, error: { message: 'Not a directory' } }, 400);\n }\n const raw = await runRipgrepInDirectory(q, absDir);\n const results = raw\n .filter((r) => isPathUnderWorkspace(workspaceRoot, r.filePath))\n .map((r) => ({\n ...r,\n filePath: toWorkspaceRelativePosix(workspaceRoot, resolve(r.filePath)),\n }));\n return c.json({ ok: true, payload: { results } });\n });\n\n /* Fuzzy filename / path search over the session workspace (ripgrep `--files` + subsequence scoring). */\n authenticated.get('/api/workspace/editor/files/search', async (c) => {\n const q = typeof c.req.query('q') === 'string' ? c.req.query('q')!.trim() : '';\n const limitRaw = c.req.query('limit');\n const limit = Math.min(\n Math.max(parseInt(typeof limitRaw === 'string' ? limitRaw : '15', 10) \|\| 15, 1),\n FILE_SEARCH_MAX_LIMIT,\n );\n\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n\n const entries = await fuzzySearchWorkspaceFiles(ws.root, q, limit);\n return c.json({ ok: true, payload: { entries } });\n });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;aAO0E;kBAUnC;aACiB;AAyBxD,MAAM,MAAM,aAAa,UAAU;;AAGnC,SAAS,oCAAoC,KAAa,eAA2C;CACnG,MAAM,KAAK,OAAO,kBAAkB,WAAW,cAAc,MAAM,GAAG;AAEtE,QAAO,oBAAoB,KADX,KAAK,sBAAsB,IAAI,IAAI,GAAG,sBAAsB,IAAI,CACxC;;AAG1C,MAAM,wBAAwB;;AAG9B,SAAS,sBAAsB,OAAe,WAAkC;CAC9E,MAAM,IAAI,MAAM,aAAa;CAC7B,MAAM,IAAI,UAAU,aAAa;AACjC,KAAI,EAAE,WAAW,EAAG,QAAO;CAC3B,IAAI,KAAK;AACT,MAAK,IAAI,KAAK,GAAG,KAAK,EAAE,UAAU,KAAK,EAAE,QAAQ,KAC/C,KAAI,EAAE,QAAQ,EAAE,IAAK;AAEvB,KAAI,KAAK,EAAE,OAAQ,QAAO;CAC1B,MAAM,OAAO,EAAE,MAAM,IAAI,CAAC,KAAK,IAAI;CACnC,IAAI,QAAQ;AACZ,KAAI,EAAE,WAAW,EAAE,CAAE,UAAS;AAC9B,KAAI,KAAK,WAAW,EAAE,CAAE,UAAS;UACxB,KAAK,SAAS,EAAE,CAAE,UAAS;UAC3B,EAAE,SAAS,EAAE,CAAE,UAAS;AACjC,UAAS,EAAE,SAAS;AACpB,QAAO;;AAGT,eAAe,0BACb,eACA,OACA,OACsE;CACtE,IAAI,QAAQ,MAAM,oBAAoB,cAAc;AACpD,KAAI,MAAM,WAAW,GAAG;AACtB,UAAQ,MAAM,qCAAqC,eAAe,KAAQ;AAC1E,MAAI,MAAM,SAAS,EACjB,KAAI,MACF;GAAE;GAAe,WAAW,MAAM;GAAQ,EAC1C,yFACD;;CAGL,MAAM,IAAI,MAAM,MAAM;CACtB,MAAM,SAAS,KAAK,IAAI,KAAK,IAAI,OAAO,EAAE,EAAE,sBAAsB;CAGlE,MAAM,OAAc,EAAE;AAEtB,KAAI,CAAC,GAAG;EACN,MAAM,SAAS,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,EAAE,cAAc,EAAE,CAAC;AAC5D,OAAK,MAAM,OAAO,OAAO,MAAM,GAAG,OAAO,EAAE;GACzC,MAAM,OAAO,IAAI,MAAM,IAAI,CAAC,KAAK,IAAI;AACrC,QAAK,KAAK;IAAE;IAAM,MAAM;IAAK,aAAa;IAAO,OAAO;IAAG,CAAC;;AAE9D,SAAO;;AAGT,MAAK,MAAM,OAAO,OAAO;EACvB,MAAM,OAAO,IAAI,MAAM,IAAI,CAAC,KAAK,IAAI;EACrC,MAAM,YAAY,sBAAsB,GAAG,IAAI;EAC/C,MAAM,YAAY,sBAAsB,GAAG,KAAK;EAChD,MAAM,QAAQ,KAAK,IAAI,aAAa,WAAW,aAAa,UAAU;AACtE,MAAI,UAAU,UAAW;AACzB,OAAK,KAAK;GAAE;GAAM,MAAM;GAAK,aAAa;GAAO;GAAO,CAAC;;AAG3D,MAAK,MAAM,GAAG,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,cAAc,EAAE,KAAK,CAAC;AACtE,QAAO,KAAK,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,MAAM,MAAM,mBAAmB;EAAE;EAAM;EAAM;EAAa,EAAE;;AAGlG,SAAS,qBAAqB,KAAa,IAAqB;CAC9D,MAAM,IAAI,iBAAiB,GAAG;AAC9B,KAAI,MAAM,sBAAsB,IAAI,CAAE,QAAO;AAC7C,QAAO,iBAAiB,IAAI,CAAC,MAAM,MAAM,iBAAiB,EAAE,GAAG,KAAK,EAAE;;AAGxE,SAAS,2BACP,KACA,YAC6D;CAC7D,MAAM,UAAU,OAAO,eAAe,WAAW,WAAW,MAAM,GAAG;AACrE,KAAI,CAAC,SAAS;EACZ,MAAM,OAAO,iBAAiB,IAAI;AAClC,MAAI,CAAC,KAAM,QAAO;GAAE,IAAI;GAAO,SAAS;GAA4B;AACpE,SAAO;GAAE,IAAI;GAAM;GAAM;;CAE3B,MAAM,KAAK,iBAAiB,QAAQ;AACpC,KAAI,CAAC,qBAAqB,KAAK,GAAG,CAChC,QAAO;EAAE,IAAI;EAAO,SAAS;EAAiB;AAEhD,QAAO;EAAE,IAAI;EAAM,MAAM,yBAAyB,KAAK,GAAG;EAAE;;;AAI9D,eAAe,gCACb,SACA,KACA,eACA,YACsE;CACtE,MAAM,KAAK,OAAO,kBAAkB,WAAW,cAAc,MAAM,GAAG;AACtE,KAAI,GACF,KAAI;AAEF,SAAO;GAAE,IAAI;GAAM,MAAA,MADA,QAAQ,oCAAoC,GAAG;GACzC;UAClB,KAAK;EACZ,MAAM,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC3D,MAAI,KAAK;GAAE;GAAK,YAAY;GAAI,EAAE,2CAA2C;AAC7E,SAAO;GAAE,IAAI;GAAO,SAAS,MAAM;GAAuC;;AAG9E,QAAO,2BAA2B,KAAK,WAAW;;AASpD,SAAS,6BAA6B,KAA4C;CAChF,MAAM,MAAM,IAAI,WAAW;AAC3B,QAAO;EACL,WAAW,KAAK,WAAW,MAAM,IAAI;EACrC,UAAU,KAAK,YAAY;EAC3B,gBAAgB,KAAK,kBAAkB;EACxC;;;AAIH,SAAS,uBAAuB,MAAsB;AACpD,QAAO,KACJ,QAAQ,UAAU,GAAG,CACrB,QAAQ,oBAAoB,GAAG,CAC/B,MAAM;;;;;;;AAQX,eAAe,4BACb,QACA,gBACA,cAAc,KAC2E;CACzF,MAAM,MAAM,QAAQ,eAAe;CACnC,MAAM,WAAW,SAAS,eAAe;CACzC,MAAM,SAAS,SAAS,YAAY,IAAI;CACxC,MAAM,OAAO,SAAS,IAAI,SAAS,MAAM,GAAG,OAAO,GAAG;CACtD,MAAM,MAAM,SAAS,IAAI,SAAS,MAAM,OAAO,GAAG;AAClD,MAAK,IAAI,UAAU,GAAG,WAAW,aAAa,WAAW;EACvD,MAAM,YAAY,YAAY,IAAI,iBAAiB,KAAK,KAAK,GAAG,KAAK,GAAG,UAAU,MAAM;AACxF,MAAI;AACF,SAAM,KAAK,QAAQ,UAAU;AAC7B,UAAO;IAAE,IAAI;IAAM,MAAM;IAAW,UAAU;IAAS;WAChD,KAAK;AAEZ,OADc,KAA+B,SAChC,SACX,OAAM;;;AAIZ,QAAO;EAAE,IAAI;EAAO,UAAU;EAAa;;AAG7C,SAAS,0BACP,OACA,aACA,cAC2B;AAC3B,KAAI,UAAU,YACZ,QAAO,cACH;EAAC;EAAgB;EAAkB;EAAW,GAC9C;EAAC;EAAW;EAAQ;EAAgB;EAAkB;EAAW;AAEvE,KAAI,UAAU,cAAc,UAAU,mBAAmB,UAAU,oBAAoB;EACrF,MAAM,OAAkC;GAAC;GAAgB;GAAkB;GAAW;AAGtF,MAAI,CAAC,eAAe,iBAAiB,cACnC,MAAK,KAAK,oBAAoB;AAEhC,SAAO;;AAET,KAAI,UAAU,UAAW,QAAO,CAAC,WAAW;AAC5C,QAAO,EAAE;;AAGX,SAAS,sBAAsB,QAA8D;AAC3F,QAAO,WAAW,kBAAkB,WAAW;;AAGjD,SAAgB,wBAAwB,eAAqB,MAAoC;CAC/F,MAAM,EAAE,YAAY;AAEpB,eAAc,IAAI,+BAA+B,OAAO,MAAM;EAC5D,MAAM,MAAM,EAAE,IAAI,MAAM,MAAM;AAC9B,MAAI,CAAC,OAAO,OAAO,QAAQ,SACzB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,eAAe;GAAE,EAAE,IAAI;EAEtE,MAAM,MAAM,QAAQ;EAEpB,MAAM,MAAM,2BAA2B,EAAE,WADvB,oCAAoC,KAAK,EAAE,IAAI,MAAM,aAAa,CAClC,EAAE,EAAE,IAAI;AAC1D,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,aAAa;GAAE,EAAE,IAAI;AAEpE,MAAI;GACF,MAAM,MAAM,MAAM,SAAS,IAAI;GAuB/B,MAAM,cAAc;IApBlB,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,MAAM;IACN,KAAK;IACL,IAAI;IACJ,KAAK;IACL,MAAM;IACN,MAAM;IACN,KAAK;IACL,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,KAAK;IACL,MAAM;IACN,KAAK;IACL,KAAK;IACL,KAAK;IAEsB,CAtBjB,IAAI,MAAM,IAAI,CAAC,KAAK,EAAE,aAAa,IAAI,OAsBb;AACtC,UAAO,IAAI,SAAS,KAAK,EACvB,SAAS;IACP,gBAAgB;IAChB,iBAAiB;IAClB,EACF,CAAC;UACI;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;GAEpE;AAEF,eAAc,IAAI,2BAA2B,OAAO,MAAM;EACxD,MAAM,MAAM,EAAE,IAAI,MAAM,MAAM;AAC9B,MAAI,CAAC,OAAO,OAAO,QAAQ,SACzB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,eAAe;GAAE,EAAE,IAAI;EAEtE,MAAM,MAAM,QAAQ;EAEpB,MAAM,MAAM,uBAAuB,EAAE,WADnB,oCAAoC,KAAK,EAAE,IAAI,MAAM,aAAa,CACtC,EAAE,EAAE,IAAI;AACtD,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,aAAa;GAAE,EAAE,IAAI;AAEpE,MAAI;GACF,MAAM,MAAM,MAAM,SAAS,IAAI;GAS/B,MAAM,cAAc;IANlB,KAAK;IACL,MAAM;IACN,KAAK;IACL,KAAK;IACL,KAAK;IAEsB,CARjB,IAAI,MAAM,IAAI,CAAC,KAAK,EAAE,aAAa,IAAI,OAQb;AACtC,UAAO,IAAI,SAAS,KAAK,EACvB,SAAS;IACP,gBAAgB;IAChB,iBAAiB;IAClB,EACF,CAAC;UACI;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;GAEpE;AAEF,eAAc,IAAI,+BAA+B,OAAO,MAAM;EAC5D,MAAM,MAAM,uBAAuB,QAAQ,cAAc;AACzD,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,4BAA4B;GAAE,EAAE,IAAI;AAEnF,MAAI;GACF,MAAM,UAAU,MAAM,SAAS,KAAK,QAAQ;AAC5C,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS;KAAW;KAAS,MAAM;KAAgB;IAAE,CAAC;UAC1E;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS;KAAE,SAAS;KAAI,MAAM;KAAgB;IAAE,CAAC;;GAE7E;AAEF,eAAc,IAAI,+BAA+B,OAAO,MAAM;EAC5D,MAAM,MAAM,uBAAuB,QAAQ,cAAc;AACzD,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,4BAA4B;GAAE,EAAE,IAAI;EAEnF,IAAI;AACJ,MAAI;AACF,UAAO,MAAM,EAAE,IAAI,MAAM;UACnB;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,gBAAgB;IAAE,EAAE,IAAI;;EAEvE,MAAM,UACJ,OAAO,SAAS,YAChB,SAAS,QACT,aAAa,QACb,OAAQ,KAA8B,YAAY,WAC7C,KAA6B,UAC9B;AACN,MAAI;AACF,SAAM,UAAU,KAAK,SAAS,QAAQ;AACtC,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS,EAAE,MAAM,gBAAgB;IAAE,CAAC;WACvD,KAAK;AACZ,OAAI,MAAM;IAAE;IAAK,MAAM;IAAK,EAAE,+BAA+B;AAC7D,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,gBAAgB;IAAE,EAAE,IAAI;;GAEvE;AAEF,eAAc,IAAI,8BAA8B,OAAO,MAAM;EAC3D,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EAEzB,MAAM,SAAS,yBAAyB,eADzB,OAAO,EAAE,IAAI,MAAM,MAAM,KAAK,WAAW,EAAE,IAAI,MAAM,MAAM,GAAI,GAChB;AAC9D,MAAI,CAAC,OACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,OAAO;UACjB;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;AAEpE,MAAI,CAAC,GAAG,aAAa,CACnB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,mBAAmB;GAAE,EAAE,IAAI;EAE1E,MAAM,UAAU,MAAM,QAAQ,QAAQ,EAAE,eAAe,MAAM,CAAC;EAC9D,MAAM,UAAwF,EAAE;AAChG,OAAK,MAAM,SAAS,SAAS;AAC3B,OAAI,MAAM,KAAK,WAAW,IAAI,CAAE;GAChC,MAAM,WAAW,KAAK,QAAQ,MAAM,KAAK;AACzC,OAAI,MAAM,aAAa,CACrB,SAAQ,KAAK;IACX,MAAM,MAAM;IACZ,MAAM,yBAAyB,eAAe,SAAS;IACvD,cAAc;IACd,aAAa;IACd,CAAC;OAEF,SAAQ,KAAK;IACX,MAAM,MAAM;IACZ,MAAM,yBAAyB,eAAe,SAAS;IACvD,cAAc;IACd,aAAa;IACd,CAAC;;AAGN,UAAQ,MAAM,GAAG,MAAM;AACrB,OAAI,EAAE,gBAAgB,EAAE,YAAa,QAAO,EAAE,cAAc,KAAK;AACjE,UAAO,EAAE,KAAK,cAAc,EAAE,KAAK;IACnC;AACF,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS,EAAE,SAAS;GAAE,CAAC;GACjD;AAEF,eAAc,IAAI,8BAA8B,OAAO,MAAM;EAC3D,MAAM,UAAU,OAAO,EAAE,IAAI,MAAM,OAAO,KAAK,WAAW,EAAE,IAAI,MAAM,OAAO,GAAI;AACjF,MAAI,CAAC,QAAQ,MAAM,CACjB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,MAAM,MAAM,yBAAyB,eAAe,QAAQ;AAC5D,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,IAAI;UACd;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;AAEpE,MAAI,CAAC,GAAG,QAAQ,CACd,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,cAAc;GAAE,EAAE,IAAI;AAErE,MAAI;GACF,MAAM,UAAU,MAAM,SAAS,KAAK,QAAQ;AAC5C,UAAO,EAAE,KAAK;IACZ,IAAI;IACJ,SAAS;KACP;KACA,MAAM,yBAAyB,eAAe,IAAI;KAClD,cAAc;KACd,SAAS,GAAG;KACb;IACF,CAAC;UACI;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,eAAe;IAAE,EAAE,IAAI;;GAEtE;;AAGF,eAAc,IAAI,qCAAqC,OAAO,MAAM;EAClE,MAAM,UAAU,OAAO,EAAE,IAAI,MAAM,OAAO,KAAK,WAAW,EAAE,IAAI,MAAM,OAAO,GAAI;AACjF,MAAI,CAAC,QAAQ,MAAM,CACjB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,MAAM,MAAM,yBAAyB,eAAe,QAAQ;AAC5D,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,IAAI;UACd;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;AAEpE,MAAI,CAAC,GAAG,QAAQ,CACd,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,cAAc;GAAE,EAAE,IAAI;AAErE,MAAI;GACF,MAAM,MAAM,MAAM,SAAS,IAAI;AAC/B,UAAO,EAAE,KAAK;IACZ,IAAI;IACJ,SAAS;KACP,eAAe,IAAI,SAAS,SAAS;KACrC,MAAM,yBAAyB,eAAe,IAAI;;KAElD,cAAc;KACd,SAAS,GAAG;KACb;IACF,CAAC;UACI;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,eAAe;IAAE,EAAE,IAAI;;GAEtE;;AAGF,eAAc,IAAI,sCAAsC,OAAO,MAAM;EACnE,MAAM,MAAM,EAAE,IAAI,MAAM,eAAe;AACvC,MAAI,CAAC,OAAO,OAAO,QAAQ,YAAY,CAAC,IAAI,MAAM,CAChD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,wBAAwB;GAAE,EAAE,IAAI;EAE/E,MAAM,eAAe,IAAI,MAAM;EAC/B,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,MAAM,aAAa,QAAQ,aAAa;AACxC,MAAI,CAAC,qBAAqB,eAAe,WAAW,CAClD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,4BAA4B;GAAE,EAAE,IAAI;EAEnF,MAAM,MAAM,yBAAyB,eAAe,WAAW;AAC/D,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS,EAAE,uBAAuB,KAAK;GAAE,CAAC;GACpE;AAEF,eAAc,IAAI,2CAA2C,OAAO,MAAM;EACxE,MAAM,UAAU,OAAO,EAAE,IAAI,MAAM,OAAO,KAAK,WAAW,EAAE,IAAI,MAAM,OAAO,CAAE,MAAM,GAAG;AACxF,MAAI,CAAC,QACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAgB,SAAS;IAAgB;GAAE,EAAE,IAAI;EAG7F,MAAM,aAAa,OAAO,EAAE,IAAI,MAAM,aAAa,KAAK,WAAW,EAAE,IAAI,MAAM,aAAa,CAAE,MAAM,GAAG;EACvG,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,YACA,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAA+B,SAAS,GAAG;IAAS;GAAE,EAAE,IAAI;EAGxG,MAAM,gBAAgB,GAAG;EACzB,MAAM,gBAAgB;GAAE,GAAG,+BAA+B,QAAQ,eAAe,WAAW;GAAE;GAAe;EAC7G,MAAM,cAAc,mBAAmB,QAAQ;EAC/C,MAAM,EAAE,WAAW,YAAY,MAAM,8BAA8B,SAAS,eAAe,cAAc;AAEzG,MAAI,CAAC,aAAa,QAChB,QAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,WAAW;IACX;IACA,OAAO;IACP,QAAQ;IACR,cAAc,EAAE;IAChB,WAAW;IACZ;GACF,CAAC;EAGJ,IAAI,KAA8C;AAClD,MAAI;AACF,QAAK,MAAM,KAAK,UAAU;UACpB;AACN,QAAK;;AAGP,MAAI,CAAC,GAIH,QAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,WAAW;IACX;IACA,OAAO;IACP,QAAQ;IACR,cAAc;IACd,cAAc,0BAA0B,WAAW,MAAM;IACzD,WAAW;IACZ;GACF,CAAC;EAIJ,MAAM,EAAE,OAAO,cAAc,gBADV,qBAAqB,WAAW,cACI;EACvD,MAAM,cAAc,UAAU;EAC9B,MAAM,cAAc,GAAG,aAAa;EACpC,MAAM,eAAe,0BAA0B,OAAO,aAAa,aAAa;EAChF,MAAM,MAAM,sBAAsB,SAAS;GACzC,cAAc;GACd,YAAY,cAAc,KAAA;GAC1B;GACA;GACA;GACD,CAAC;AAEF,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,WAAW,IAAI;IACf,WAAW;IACX;IACA;IACA;IACA;IACA,QAAQ;IACR;IACA,cAAc;IACd,uBAAuB,cAAc,yBAAyB,eAAe,UAAU,GAAG,KAAA;IAC1F;IACA,SAAS,GAAG;IACb;GACF,CAAC;GACF;AAEF,eAAc,KAAK,8CAA8C,OAAO,MAAM;EAC5E,MAAM,KAAK,EAAE,IAAI,MAAM,KAAK,EAAE,MAAM,IAAI;AACxC,MAAI,CAAC,GACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAoB,SAAS;IAA0B;GAAE,EAAE,IAAI;EAG3G,MAAM,MAAM,sBAAsB,QAAQ,GAAG;AAC7C,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAoB,SAAS;IAA0B;GAAE,EAAE,IAAI;EAG3G,MAAM,aAAa,OAAO,EAAE,IAAI,MAAM,aAAa,KAAK,WAAW,EAAE,IAAI,MAAM,aAAa,CAAE,MAAM,GAAG;AACvG,MAAI,CAAC,wBAAwB,IAAI,YAAY,WAAW,CACtD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAsB,SAAS;IAA4B;GAAE,EAAE,IAAI;EAI/G,MAAM,UAAS,MADK,EAAE,IAAI,MAAM,CAAC,aAAa,EAAE,EAAE,EAC9B;AACpB,MAAI,CAAC,sBAAsB,OAAO,CAChC,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAkB,SAAS;IAAkB;GAAE,EAAE,IAAI;AAEjG,MAAI,CAAC,IAAI,aAAa,SAAS,OAAO,CACpC,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAsB,SAAS;IAAsB;GAAE,EAAE,IAAI;EAGzG,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,IAAI,aAAa;UAC3B;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO;KAAE,MAAM;KAAkB,SAAS;KAAkB;IAAE,EAAE,IAAI;;AAGjG,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,cAAc,IAAI;IAClB,aAAa,GAAG,aAAa;IAC9B;GACF,CAAC;GACF;AAEF,eAAc,KAAK,sCAAsC,OAAO,MAAM;EACpE,MAAM,KAAK,EAAE,IAAI,MAAM,KAAK,EAAE,MAAM,IAAI;AACxC,MAAI,CAAC,GACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAoB,SAAS;IAA0B;GAAE,EAAE,IAAI;EAG3G,MAAM,MAAM,sBAAsB,QAAQ,GAAG;AAC7C,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAoB,SAAS;IAA0B;GAAE,EAAE,IAAI;EAG3G,MAAM,aAAa,OAAO,EAAE,IAAI,MAAM,aAAa,KAAK,WAAW,EAAE,IAAI,MAAM,aAAa,CAAE,MAAM,GAAG;AACvG,MAAI,CAAC,wBAAwB,IAAI,YAAY,WAAW,CACtD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAsB,SAAS;IAA4B;GAAE,EAAE,IAAI;AAG/G,MAAI,CAAC,IAAI,aAAa,SAAS,oBAAoB,CACjD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAsB,SAAS;IAAoC;GAAE,EAAE,IAAI;EAGvH,IAAI;AACJ,MAAI;AACF,gBAAa,MAAM,KAAK,IAAI,aAAa;UACnC;AACN,yBAAsB,WAAW,GAAG;AACpC,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO;KAAE,MAAM;KAAoB,SAAS;KAAgC;IAAE,EAAE,IAAI;;AAEjH,MAAI,CAAC,WAAW,QAAQ,CACtB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAmB,SAAS;IAAgC;GAAE,EAAE,IAAI;EAGhH,MAAM,YAAY,6BAA6B,QAAQ,cAAc;AACrE,MAAI,WAAW,OAAO,UAAU,SAC9B,QAAO,EAAE,KACP;GACE,IAAI;GACJ,OAAO;IACL,MAAM;IACN,SAAS,uCAAuC,UAAU,SAAS;IACpE;GACF,EACD,IACD;EAGH,MAAM,KAAK,MAAM,gCAAgC,SAAS,QAAQ,eAAe,YAAY,KAAA,EAAU;AACvG,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAA+B,SAAS,GAAG;IAAS;GAAE,EAAE,IAAI;EAExG,MAAM,gBAAgB,GAAG;EAEzB,IAAI;AACJ,MAAI;AACF,UAAQ,MAAM,EAAE,IAAI,MAAM,CAAC,aAAa,EAAE,EAAE;UACtC;AACN,UAAO,EAAE;;EAEX,MAAM,mBAAmB,OAAO,KAAK,gBAAgB,WAAW,KAAK,YAAY,MAAM,GAAG;EAC1F,MAAM,gBAAgB,OAAO,KAAK,eAAe,WAAW,KAAK,aAAa;AAC9E,MAAI,kBAAkB,YAAY,kBAAkB,eAAe,kBAAkB,QACnF,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAyB,SAAS;IAA4B;GAAE,EAAE,IAAI;EAElH,MAAM,aAAa;AACnB,MAAI,eAAe,eAAe,CAAC,UAAU,eAC3C,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAsB,SAAS;IAAmC;GAAE,EAAE,IAAI;EAGtH,MAAM,iBAAiB,uBAAuB,SAAS,IAAI,aAAa,CAAC,IAAI;EAC7E,IAAI;AACJ,MAAI,CAAC,iBACH,gBAAe,GAAG,UAAU,UAAU,GAAG;OACpC;GACL,MAAM,cAAc,iBAAiB,QAAQ,OAAO,IAAI;AAExD,kBAAe,YAAY,SAAS,IAAI,GAAG,GAAG,cAAc,mBAAmB;;EAGjF,IAAI,iBAAiB,yBAAyB,eAAe,aAAa;AAC1E,MAAI,CAAC,eACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAuB,SAAS;IAA4B;GAAE,EAAE,IAAI;EAIhH,MAAM,cAAc,kBAAkB,gBAAgB,cAAc;AACpE,MAAI,CAAC,YAAY,QACf,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAuB,SAAS,YAAY,UAAU;IAAuB;GAAE,EAAE,IAAI;AAGjI,MAAI,QAAQ,IAAI,aAAa,KAAK,QAAQ,eAAe,CACvD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAqC;GAAE,EAAE,IAAI;EAGnH,MAAM,UAAU,QAAQ,eAAe;AACvC,MAAI;AACF,SAAM,MAAM,SAAS,EAAE,WAAW,MAAM,CAAC;WAClC,KAAK;AACZ,OAAI,KAAK;IAAE;IAAK;IAAS,EAAE,gDAAgD;AAC3E,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO;KAAE,MAAM;KAAiB,SAAS;KAAiC;IAAE,EAAE,IAAI;;EAM/G,MAAM,SAAS,KAAK,SAAS,IADT,SAAS,eAAe,CAAC,UAAU,YAAY,CAAC,MAC/B;EAErC,MAAM,UAAU,KAAK,KAAK;EAC1B,IAAI,UAAU;EACd,IAAI,YAAY;EAChB,IAAI,eAAe;AAEnB,MAAI;AACF,OAAI;AACF,UAAM,SAAS,IAAI,cAAc,QAAQA,UAAY,iBAAiB;YAC/D,KAAK;AACZ,UAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,QAAI,KAAK;KAAE;KAAK,QAAQ,IAAI;KAAc;KAAQ,EAAE,yCAAyC;AAC7F,WAAO,EAAE,KAAK;KAAE,IAAI;KAAO,OAAO;MAAE,MAAM;MAAiB,SAAS;MAA8B;KAAE,EAAE,IAAI;;AAG5G,OAAI,eAAe,aAAa;AAE9B,gBAAY,MAAM,KAAK,eAAe,CAAC,WAAW,KAAK,CAAC,YAAY,MAAM;AAC1E,QAAI;AACF,WAAM,OAAO,QAAQ,eAAe;aAC7B,KAAK;AACZ,WAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,SAAI,KAAK;MAAE;MAAK,QAAQ;MAAgB,EAAE,uBAAuB;AACjE,YAAO,EAAE,KAAK;MAAE,IAAI;MAAO,OAAO;OAAE,MAAM;OAAiB,SAAS;OAA6B;MAAE,EAAE,IAAI;;cAElG,eAAe,SAAS;AAEjC,QAAI,MADiB,KAAK,eAAe,CAAC,WAAW,KAAK,CAAC,YAAY,MAAM,EACjE;AACV,WAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,YAAO,EAAE,KAAK;MAAE,IAAI;MAAO,OAAO;OAAE,MAAM;OAAsB,SAAS;OAA8B;MAAE,EAAE,IAAI;;AAEjH,QAAI;AACF,WAAM,KAAK,QAAQ,eAAe;AAClC,WAAM,OAAO,OAAO,CAAC,YAAY,GAAG;aAC7B,KAAK;AACZ,WAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,SAAI,KAAK;MAAE;MAAK,QAAQ;MAAgB,EAAE,kCAAkC;AAC5E,YAAO,EAAE,KAAK;MAAE,IAAI;MAAO,OAAO;OAAE,MAAM;OAAiB,SAAS;OAA6B;MAAE,EAAE,IAAI;;UAEtG;IAEL,MAAM,SAAS,MAAM,4BAA4B,QAAQ,eAAe;AACxE,QAAI,CAAC,OAAO,IAAI;AACd,WAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,SAAI,KAAK;MAAE,QAAQ;MAAgB,UAAU,OAAO;MAAU,EAAE,yCAAyC;AACzG,YAAO,EAAE,KAAK;MAAE,IAAI;MAAO,OAAO;OAAE,MAAM;OAAiB,SAAS;OAAsC;MAAE,EAAE,IAAI;;AAEpH,UAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,mBAAe,OAAO;AACtB,cAAU,OAAO,SAAS;;WAErB,KAAK;AACZ,SAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,OAAI,MAAM,EAAE,KAAK,EAAE,iCAAiC;AACpD,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO;KAAE,MAAM;KAAiB,SAAS;KAAiB;IAAE,EAAE,IAAI;;EAG/F,IAAI;AACJ,MAAI;AACF,iBAAc,MAAM,KAAK,aAAa,EAAE;UAClC;AACN,gBAAa,KAAK,KAAK;;EAGzB,MAAM,eAAe,yBAAyB,eAAe,aAAa;AAE1E,wBAAsB,WAAW,GAAG;EACpC,MAAM,SAAS,sBAAsB,SAAS;GAC5C,cAAc;GACd,YAAY,cAAc,KAAA;GAC1B,OAAO;GACP,cAAc,0BAA0B,aAAa,MAAM;GAC5D,CAAC;EAEF,MAAM,cAAc,IAAI;EACxB,MAAM,qBAAqB,IAAI;AAE/B,UAAQ,KAAK,2BAA2B;GACtC,YAAY,cAAc,KAAA;GAC1B,uBAAuB;GACvB,cAAc;GACd,OAAO,WAAW;GAClB;GACA;GACD,CAAC;AAEF,MAAI,KACF;GACE;GACA,WAAW;GACX,oBAAoB,IAAI;GACxB;GACA;GACA,2BAA2B;GAC3B,OAAO,WAAW;GAClB;GACA;GACA,YAAY,KAAK,KAAK,GAAG;GAC1B,EACD,kCACD;AAED,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,uBAAuB;IACvB,cAAc;IACd,aAAa,WAAW;IACxB,oBAAoB,IAAI;IACxB;IACA;IACA;IACA;IACA,SAAS;IACT,cAAc,OAAO;IACtB;GACF,CAAC;GACF;;;;;AAMF,eAAc,IAAI,6BAA6B,OAAO,MAAM;EAC1D,MAAM,UAAU,OAAO,EAAE,IAAI,MAAM,OAAO,KAAK,WAAW,EAAE,IAAI,MAAM,OAAO,GAAI;AACjF,MAAI,CAAC,QAAQ,MAAM,CACjB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,MAAM,MAAM,yBAAyB,eAAe,QAAQ;AAC5D,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,IAAI;UACd;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;AAEpE,MAAI,CAAC,GAAG,QAAQ,CACd,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,cAAc;GAAE,EAAE,IAAI;EA6BrE,MAAM,cAAc;GAzBlB,KAAK;GACL,KAAK;GACL,MAAM;GACN,KAAK;GACL,MAAM;GACN,KAAK;GACL,KAAK;GACL,KAAK;GACL,MAAM;GACN,MAAM;GACN,MAAM;GACN,KAAK;GACL,IAAI;GACJ,MAAM;GACN,MAAM;GACN,KAAK;GACL,IAAI;GACJ,IAAI;GACJ,KAAK;GACL,KAAK;GACL,KAAK;GACL,MAAM;GACN,KAAK;GACL,KAAK;GAEsB,CA3BjB,QAAQ,MAAM,IAAI,CAAC,KAAK,EAAE,aAAa,IAAI,OA2BjB;AACtC,MAAI;GACF,MAAM,MAAM,MAAM,SAAS,IAAI;AAC/B,UAAO,IAAI,SAAS,KAAK,EACvB,SAAS;IACP,gBAAgB;IAChB,iBAAiB;IAClB,EACF,CAAC;UACI;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,eAAe;IAAE,EAAE,IAAI;;GAEtE;AAEF,eAAc,IAAI,+BAA+B,OAAO,MAAM;EAC5D,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,IAAI;AACJ,MAAI;AACF,UAAO,MAAM,EAAE,IAAI,MAAM;UACnB;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,gBAAgB;IAAE,EAAE,IAAI;;EAEvE,MAAM,UACJ,OAAO,SAAS,YAChB,SAAS,QACT,UAAU,QACV,OAAQ,KAA2B,SAAS,WACvC,KAA0B,OAC3B;EACN,MAAM,UACJ,OAAO,SAAS,YAChB,SAAS,QACT,aAAa,QACb,OAAQ,KAA8B,YAAY,WAC7C,KAA6B,UAC9B;AACN,MAAI,CAAC,QAAQ,MAAM,CACjB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,MAAM,MAAM,yBAAyB,eAAe,QAAQ;AAC5D,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,IAAI;UACd;AACN,QAAK,KAAA;;AAEP,MAAI,MAAM,CAAC,GAAG,QAAQ,CACpB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,cAAc;GAAE,EAAE,IAAI;AAErE,MAAI;AACF,SAAM,UAAU,KAAK,SAAS,QAAQ;GACtC,IAAI;AACJ,OAAI;AACF,eAAW,MAAM,KAAK,IAAI,EAAE;WACtB;AACN,cAAU,KAAK,KAAK;;AAEtB,UAAO,EAAE,KAAK;IACZ,IAAI;IACJ,SAAS;KAAE,MAAM,yBAAyB,eAAe,IAAI;KAAE;KAAS;IACzE,CAAC;WACK,KAAK;AACZ,OAAI,MAAM;IAAE;IAAK,MAAM;IAAK,EAAE,gCAAgC;AAC9D,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,gBAAgB;IAAE,EAAE,IAAI;;GAEvE;AAEF,eAAc,IAAI,gCAAgC,OAAO,MAAM;EAC7D,MAAM,IAAI,OAAO,EAAE,IAAI,MAAM,IAAI,KAAK,WAAW,EAAE,IAAI,MAAM,IAAI,CAAE,MAAM,GAAG;EAC5E,MAAM,SAAS,OAAO,EAAE,IAAI,MAAM,MAAM,KAAK,WAAW,EAAE,IAAI,MAAM,MAAM,GAAI;AAC9E,MAAI,CAAC,EACH,QAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS,EAAE,SAAS,EAAE,EAA2G;GAClI,CAAC;EAEJ,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,MAAM,SAAS,yBAAyB,eAAe,OAAO;AAC9D,MAAI,CAAC,OACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,OAAO;UACjB;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;AAEpE,MAAI,CAAC,GAAG,aAAa,CACnB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,mBAAmB;GAAE,EAAE,IAAI;EAG1E,MAAM,WAAU,MADE,sBAAsB,GAAG,OAAO,EAE/C,QAAQ,MAAM,qBAAqB,eAAe,EAAE,SAAS,CAAC,CAC9D,KAAK,OAAO;GACX,GAAG;GACH,UAAU,yBAAyB,eAAe,QAAQ,EAAE,SAAS,CAAC;GACvE,EAAE;AACL,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS,EAAE,SAAS;GAAE,CAAC;GACjD;;AAGF,eAAc,IAAI,sCAAsC,OAAO,MAAM;EACnE,MAAM,IAAI,OAAO,EAAE,IAAI,MAAM,IAAI,KAAK,WAAW,EAAE,IAAI,MAAM,IAAI,CAAE,MAAM,GAAG;EAC5E,MAAM,WAAW,EAAE,IAAI,MAAM,QAAQ;EACrC,MAAM,QAAQ,KAAK,IACjB,KAAK,IAAI,SAAS,OAAO,aAAa,WAAW,WAAW,MAAM,GAAG,IAAI,IAAI,EAAE,EAC/E,sBACD;EAED,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAGnE,MAAM,UAAU,MAAM,0BAA0B,GAAG,MAAM,GAAG,MAAM;AAClE,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS,EAAE,SAAS;GAAE,CAAC;GACjD"}
1	+ {"version":3,"file":"workspace.js","names":["fsConstants"],"sources":["../../../../../src/gateway/hono/routes/workspace.ts"],"sourcesContent":["import type { Hono } from 'hono';\nimport { randomUUID } from 'node:crypto';\nimport { constants as fsConstants } from 'node:fs';\nimport { copyFile, link, mkdir, readdir, readFile, rename, stat, unlink, writeFile } from 'node:fs/promises';\nimport { basename, dirname, join, resolve } from 'node:path';\n\nimport { extractProfileAgentId } from '../../../config/agent-profile.js';\nimport { type Config } from '../../../config/schema.js';\nimport { getWorkspacePath } from '../../../config/workspace-path-helpers.js';\nimport { validateWritePath } from '../../../agent/sandbox/path-policy.js';\nimport { resolveSafeInboundFilePath } from '../../../channels/attachments/inbound-persist.js';\nimport { resolveSafeTtsFilePath } from '../../../channels/attachments/outbound-tts-persist.js';\nimport {\n listAgentEntries,\n normalizeAgentId,\n resolveAgentHomeDir,\n resolveAgentWorkspaceDir,\n resolveDefaultAgentId,\n} from '../../../agent/agent-scope.js';\nimport { createLogger } from '../../../utils/logger.js';\nimport { resolveHeartbeatMdPath } from '../../workspace-heartbeat-path.js';\nimport {\n isPathUnderWorkspace,\n resolveWorkspaceSafePath,\n toWorkspaceRelativePosix,\n} from '../../workspace-editor-path.js';\nimport { listWorkspaceRelativeFilesFsFallback } from '../../workspace-fs-file-list.js';\nimport { runRipgrepInDirectory, runRipgrepListFiles } from '../../workspace-ripgrep.js';\nimport {\n buildFilePathClassifierContext,\n classifyFileLocation,\n displayNameForPath,\n fileRefSessionKeysMatch,\n resolveFileReferenceCandidate,\n} from '../../file-path-classifier.js';\nimport {\n fileReferenceRegistry,\n type FileReferenceCapability,\n type FileReferenceLocationKind,\n type FileReferenceScope,\n} from '../../file-reference-registry.js';\nimport type { AuthenticatedRouteDeps } from './deps.js';\nimport type { GatewayService } from '../../service.js';\n\nconst log = createLogger('HonoApp');\n\n/** Agent home for persisted `inbound/` and `tts/` attachments (matches `persistOutboundTtsAudio` / `prepareInboundAttachments`). /\nfunction resolvePersistedAttachmentAgentHome(cfg: Config, sessionKeyRaw: string \| undefined): string {\n const sk = typeof sessionKeyRaw === 'string' ? sessionKeyRaw.trim() : '';\n const agentId = sk ? extractProfileAgentId(sk, cfg) : resolveDefaultAgentId(cfg);\n return resolveAgentHomeDir(cfg, agentId);\n}\n\nconst FILE_SEARCH_MAX_LIMIT = 50;\n\n/* Subsequence fuzzy match: all query chars appear in order in `candidate` (case-insensitive). /\nfunction fuzzySubsequenceScore(query: string, candidate: string): number \| null {\n const q = query.toLowerCase();\n const c = candidate.toLowerCase();\n if (q.length === 0) return 0;\n let qi = 0;\n for (let ci = 0; ci < c.length && qi < q.length; ci++) {\n if (c[ci] === q[qi]) qi++;\n }\n if (qi < q.length) return null;\n const base = c.split('/').pop() ?? c;\n let score = 10;\n if (c.startsWith(q)) score += 40;\n if (base.startsWith(q)) score += 35;\n else if (base.includes(q)) score += 20;\n else if (c.includes(q)) score += 10;\n score -= c.length 0.0001;\n return score;\n}\n\nasync function fuzzySearchWorkspaceFiles(\n workspaceRoot: string,\n query: string,\n limit: number,\n): Promise<Array<{ name: string; path: string; isDirectory: boolean }>> {\n let files = await runRipgrepListFiles(workspaceRoot);\n if (files.length === 0) {\n files = await listWorkspaceRelativeFilesFsFallback(workspaceRoot, 120_000);\n if (files.length > 0) {\n log.debug(\n { workspaceRoot, fileCount: files.length },\n 'workspace files/search: file list from fs walk (ripgrep unavailable or returned empty)',\n );\n }\n }\n const q = query.trim();\n const capped = Math.min(Math.max(limit, 1), FILE_SEARCH_MAX_LIMIT);\n\n type Row = { name: string; path: string; isDirectory: boolean; score: number };\n const rows: Row[] = [];\n\n if (!q) {\n const sorted = [...files].sort((a, b) => a.localeCompare(b));\n for (const rel of sorted.slice(0, capped)) {\n const name = rel.split('/').pop() ?? rel;\n rows.push({ name, path: rel, isDirectory: false, score: 0 });\n }\n return rows;\n }\n\n for (const rel of files) {\n const name = rel.split('/').pop() ?? rel;\n const scorePath = fuzzySubsequenceScore(q, rel);\n const scoreName = fuzzySubsequenceScore(q, name);\n const score = Math.max(scorePath ?? -Infinity, scoreName ?? -Infinity);\n if (score === -Infinity) continue;\n rows.push({ name, path: rel, isDirectory: false, score });\n }\n\n rows.sort((a, b) => b.score - a.score \|\| a.path.localeCompare(b.path));\n return rows.slice(0, capped).map(({ name, path, isDirectory }) => ({ name, path, isDirectory }));\n}\n\nfunction isKnownEditorAgentId(cfg: Config, id: string): boolean {\n const n = normalizeAgentId(id);\n if (n === resolveDefaultAgentId(cfg)) return true;\n return listAgentEntries(cfg).some((e) => normalizeAgentId(e.id) === n);\n}\n\nfunction resolveEditorWorkspaceRoot(\n cfg: Config,\n agentIdRaw: string \| undefined,\n): { ok: true; root: string } \| { ok: false; message: string } {\n const trimmed = typeof agentIdRaw === 'string' ? agentIdRaw.trim() : '';\n if (!trimmed) {\n const root = getWorkspacePath(cfg);\n if (!root) return { ok: false, message: 'Workspace not configured' };\n return { ok: true, root };\n }\n const id = normalizeAgentId(trimmed);\n if (!isKnownEditorAgentId(cfg, id)) {\n return { ok: false, message: 'Unknown agent' };\n }\n return { ok: true, root: resolveAgentWorkspaceDir(cfg, id) };\n}\n\n/** Prefer `sessionKey` (per-session workspace override) over `agentId`. /\nasync function resolveEditorWorkspaceRootAsync(\n service: GatewayService,\n cfg: Config,\n sessionKeyRaw: string \| undefined,\n agentIdRaw: string \| undefined,\n): Promise<{ ok: true; root: string } \| { ok: false; message: string }> {\n const sk = typeof sessionKeyRaw === 'string' ? sessionKeyRaw.trim() : '';\n if (sk) {\n try {\n const root = await service.sessions.getEffectiveWorkspacePath(sk);\n return { ok: true, root };\n } catch (err) {\n const em = err instanceof Error ? err.message : String(err);\n log.warn({ err, sessionKey: sk }, 'Session workspace root resolution failed');\n return { ok: false, message: em \|\| 'Session workspace resolution failed' };\n }\n }\n return resolveEditorWorkspaceRoot(cfg, agentIdRaw);\n}\n\ninterface ResolvedWorkspaceImportConfig {\n targetDir: string;\n maxBytes: number;\n allowOverwrite: boolean;\n}\n\nfunction resolveWorkspaceImportConfig(cfg: Config): ResolvedWorkspaceImportConfig {\n const raw = cfg.workspace?.import;\n return {\n targetDir: raw?.targetDir?.trim() \|\| 'imports',\n maxBytes: raw?.maxBytes ?? 104_857_600,\n allowOverwrite: raw?.allowOverwrite ?? true,\n };\n}\n\n/* Strip path separators, NULs and control chars from a basename so it stays in the destination dir. /\nfunction sanitizeImportBasename(name: string): string {\n return name\n .replace(/[\\\\/]/g, '')\n .replace(/[\\x00-\\x1f\\x7f]/g, '')\n .trim();\n}\n\n/\n Race-safe target picker for the `rename`-on-conflict strategy. Uses `link(tmp, target)`\n * which atomically fails with EEXIST when the candidate is taken; on success the tmp\n * file is left in place for the caller to unlink. Returns the linked target path.\n /\nasync function pickAvailableTargetWithLink(\n tmpAbs: string,\n initialDestAbs: string,\n maxAttempts = 1000,\n): Promise<{ ok: true; path: string; attempts: number } \| { ok: false; attempts: number }> {\n const dir = dirname(initialDestAbs);\n const original = basename(initialDestAbs);\n const dotIdx = original.lastIndexOf('.');\n const stem = dotIdx > 0 ? original.slice(0, dotIdx) : original;\n const ext = dotIdx > 0 ? original.slice(dotIdx) : '';\n for (let attempt = 1; attempt <= maxAttempts; attempt++) {\n const candidate = attempt === 1 ? initialDestAbs : join(dir, `${stem}-${attempt}${ext}`);\n try {\n await link(tmpAbs, candidate);\n return { ok: true, path: candidate, attempts: attempt };\n } catch (err) {\n const code = (err as NodeJS.ErrnoException)?.code;\n if (code !== 'EEXIST') {\n throw err;\n }\n }\n }\n return { ok: false, attempts: maxAttempts };\n}\n\nfunction fileReferenceCapabilities(\n scope: FileReferenceScope,\n isDirectory: boolean,\n locationKind?: FileReferenceLocationKind,\n): FileReferenceCapability[] {\n if (scope === 'workspace') {\n return isDirectory\n ? ['openExternal', 'revealInFolder', 'copyPath']\n : ['preview', 'edit', 'openExternal', 'revealInFolder', 'copyPath'];\n }\n if (scope === 'external' \|\| scope === 'agent-profile' \|\| scope === 'session-artifact') {\n const base: FileReferenceCapability[] = ['openExternal', 'revealInFolder', 'copyPath'];\n // v1: importToWorkspace for files only; exclude xopc-config to prevent copying\n // app config into the workspace (semantically wrong).\n if (!isDirectory && locationKind !== 'xopc-config') {\n base.push('importToWorkspace');\n }\n return base;\n }\n if (scope === 'missing') return ['copyPath'];\n return [];\n}\n\nfunction isFileReferenceAction(action: unknown): action is 'openExternal' \| 'revealInFolder' {\n return action === 'openExternal' \|\| action === 'revealInFolder';\n}\n\nexport function registerWorkspaceRoutes(authenticated: Hono, deps: AuthenticatedRouteDeps): void {\n const { service } = deps;\n\n authenticated.get('/api/workspace/inbound-file', async (c) => {\n const rel = c.req.query('rel');\n if (!rel \|\| typeof rel !== 'string') {\n return c.json({ ok: false, error: { message: 'Missing rel' } }, 400);\n }\n const cfg = service.currentConfig;\n const agentHome = resolvePersistedAttachmentAgentHome(cfg, c.req.query('sessionKey'));\n const abs = resolveSafeInboundFilePath({ agentHome }, rel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Forbidden' } }, 403);\n }\n try {\n const buf = await readFile(abs);\n const ext = rel.split('.').pop()?.toLowerCase() ?? '';\n const mimeByExt: Record<string, string> = {\n pdf: 'application/pdf',\n png: 'image/png',\n jpg: 'image/jpeg',\n jpeg: 'image/jpeg',\n webp: 'image/webp',\n gif: 'image/gif',\n md: 'text/markdown',\n txt: 'text/plain',\n json: 'application/json',\n html: 'text/html',\n css: 'text/css',\n js: 'text/javascript',\n ts: 'text/typescript',\n webm: 'audio/webm',\n ogg: 'audio/ogg',\n opus: 'audio/ogg',\n mp3: 'audio/mpeg',\n wav: 'audio/wav',\n m4a: 'audio/mp4',\n };\n const contentType = mimeByExt[ext] \|\| 'application/octet-stream';\n return new Response(buf, {\n headers: {\n 'Content-Type': contentType,\n 'Cache-Control': 'private, max-age=3600',\n },\n });\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n });\n\n authenticated.get('/api/workspace/tts-file', async (c) => {\n const rel = c.req.query('rel');\n if (!rel \|\| typeof rel !== 'string') {\n return c.json({ ok: false, error: { message: 'Missing rel' } }, 400);\n }\n const cfg = service.currentConfig;\n const agentHome = resolvePersistedAttachmentAgentHome(cfg, c.req.query('sessionKey'));\n const abs = resolveSafeTtsFilePath({ agentHome }, rel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Forbidden' } }, 403);\n }\n try {\n const buf = await readFile(abs);\n const ext = rel.split('.').pop()?.toLowerCase() ?? '';\n const mimeByExt: Record<string, string> = {\n ogg: 'audio/ogg',\n opus: 'audio/ogg',\n mp3: 'audio/mpeg',\n wav: 'audio/wav',\n m4a: 'audio/mp4',\n };\n const contentType = mimeByExt[ext] \|\| 'application/octet-stream';\n return new Response(buf, {\n headers: {\n 'Content-Type': contentType,\n 'Cache-Control': 'private, max-age=3600',\n },\n });\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n });\n\n authenticated.get('/api/workspace/heartbeat-md', async (c) => {\n const abs = resolveHeartbeatMdPath(service.currentConfig);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Workspace not configured' } }, 400);\n }\n try {\n const content = await readFile(abs, 'utf-8');\n return c.json({ ok: true, payload: { content: content, file: 'HEARTBEAT.md' } });\n } catch {\n return c.json({ ok: true, payload: { content: '', file: 'HEARTBEAT.md' } });\n }\n });\n\n authenticated.put('/api/workspace/heartbeat-md', async (c) => {\n const abs = resolveHeartbeatMdPath(service.currentConfig);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Workspace not configured' } }, 400);\n }\n let body: unknown;\n try {\n body = await c.req.json();\n } catch {\n return c.json({ ok: false, error: { message: 'Invalid JSON' } }, 400);\n }\n const content =\n typeof body === 'object' &&\n body !== null &&\n 'content' in body &&\n typeof (body as { content: unknown }).content === 'string'\n ? (body as { content: string }).content\n : '';\n try {\n await writeFile(abs, content, 'utf-8');\n return c.json({ ok: true, payload: { file: 'HEARTBEAT.md' } });\n } catch (err) {\n log.error({ err, path: abs }, 'Failed to write HEARTBEAT.md');\n return c.json({ ok: false, error: { message: 'Write failed' } }, 500);\n }\n });\n\n authenticated.get('/api/workspace/editor/list', async (c) => {\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const dirRel = typeof c.req.query('dir') === 'string' ? c.req.query('dir')! : '';\n const absDir = resolveWorkspaceSafePath(workspaceRoot, dirRel);\n if (!absDir) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(absDir);\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n if (!st.isDirectory()) {\n return c.json({ ok: false, error: { message: 'Not a directory' } }, 400);\n }\n const dirents = await readdir(absDir, { withFileTypes: true });\n const entries: { name: string; path: string; absolutePath: string; isDirectory: boolean }[] = [];\n for (const entry of dirents) {\n if (entry.name.startsWith('.')) continue;\n const fullPath = join(absDir, entry.name);\n if (entry.isDirectory()) {\n entries.push({\n name: entry.name,\n path: toWorkspaceRelativePosix(workspaceRoot, fullPath),\n absolutePath: fullPath,\n isDirectory: true,\n });\n } else {\n entries.push({\n name: entry.name,\n path: toWorkspaceRelativePosix(workspaceRoot, fullPath),\n absolutePath: fullPath,\n isDirectory: false,\n });\n }\n }\n entries.sort((a, b) => {\n if (a.isDirectory !== b.isDirectory) return a.isDirectory ? -1 : 1;\n return a.name.localeCompare(b.name);\n });\n return c.json({ ok: true, payload: { entries } });\n });\n\n authenticated.get('/api/workspace/editor/read', async (c) => {\n const pathRel = typeof c.req.query('path') === 'string' ? c.req.query('path')! : '';\n if (!pathRel.trim()) {\n return c.json({ ok: false, error: { message: 'Missing path' } }, 400);\n }\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const abs = resolveWorkspaceSafePath(workspaceRoot, pathRel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(abs);\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n if (!st.isFile()) {\n return c.json({ ok: false, error: { message: 'Not a file' } }, 400);\n }\n try {\n const content = await readFile(abs, 'utf-8');\n return c.json({\n ok: true,\n payload: {\n content,\n path: toWorkspaceRelativePosix(workspaceRoot, abs),\n absolutePath: abs,\n mtimeMs: st.mtimeMs,\n },\n });\n } catch {\n return c.json({ ok: false, error: { message: 'Read failed' } }, 500);\n }\n });\n\n /* Read file as raw bytes and return base64 (for PDF/images in workspace preview — avoids UTF-8 corruption). /\n authenticated.get('/api/workspace/editor/read-base64', async (c) => {\n const pathRel = typeof c.req.query('path') === 'string' ? c.req.query('path')! : '';\n if (!pathRel.trim()) {\n return c.json({ ok: false, error: { message: 'Missing path' } }, 400);\n }\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const abs = resolveWorkspaceSafePath(workspaceRoot, pathRel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(abs);\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n if (!st.isFile()) {\n return c.json({ ok: false, error: { message: 'Not a file' } }, 400);\n }\n try {\n const buf = await readFile(abs);\n return c.json({\n ok: true,\n payload: {\n contentBase64: buf.toString('base64'),\n path: toWorkspaceRelativePosix(workspaceRoot, abs),\n /* Host absolute path — Electron can open with the default app (shell.openPath). /\n absolutePath: abs,\n mtimeMs: st.mtimeMs,\n },\n });\n } catch {\n return c.json({ ok: false, error: { message: 'Read failed' } }, 500);\n }\n });\n\n /* Map an absolute host path to a workspace-relative path (if under this session’s workspace). /\n authenticated.get('/api/workspace/editor/resolve-path', async (c) => {\n const raw = c.req.query('absolutePath');\n if (!raw \|\| typeof raw !== 'string' \|\| !raw.trim()) {\n return c.json({ ok: false, error: { message: 'Missing absolutePath' } }, 400);\n }\n const absolutePath = raw.trim();\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const normalized = resolve(absolutePath);\n if (!isPathUnderWorkspace(workspaceRoot, normalized)) {\n return c.json({ ok: false, error: { message: 'Path not under workspace' } }, 403);\n }\n const rel = toWorkspaceRelativePosix(workspaceRoot, normalized);\n return c.json({ ok: true, payload: { workspaceRelativePath: rel } });\n });\n\n authenticated.get('/api/workspace/editor/resolve-reference', async (c) => {\n const rawPath = typeof c.req.query('path') === 'string' ? c.req.query('path')!.trim() : '';\n if (!rawPath) {\n return c.json({ ok: false, error: { code: 'INVALID_PATH', message: 'Missing path' } }, 400);\n }\n\n const sessionKey = typeof c.req.query('sessionKey') === 'string' ? c.req.query('sessionKey')!.trim() : '';\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n sessionKey,\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { code: 'WORKSPACE_RESOLUTION_FAILED', message: ws.message } }, 400);\n }\n\n const workspaceRoot = ws.root;\n const classifierCtx = { ...buildFilePathClassifierContext(service.currentConfig, sessionKey), workspaceRoot };\n const displayName = displayNameForPath(rawPath);\n const { candidate, invalid } = await resolveFileReferenceCandidate(rawPath, workspaceRoot, classifierCtx);\n\n if (!candidate \|\| invalid) {\n return c.json({\n ok: true,\n payload: {\n inputPath: rawPath,\n displayName,\n scope: 'invalid' satisfies FileReferenceScope,\n exists: false,\n capabilities: [] as FileReferenceCapability[],\n errorCode: 'INVALID_PATH',\n },\n });\n }\n\n let st: Awaited<ReturnType<typeof stat>> \| null = null;\n try {\n st = await stat(candidate);\n } catch {\n st = null;\n }\n\n if (!st) {\n // Always include the resolved candidate so the UI's \"Copy path\" yields\n // something actionable (\"I looked here, no file\"). Without this, bare\n // workspace-relative mentions fall back to the `rel:<path>` UI sentinel.\n return c.json({\n ok: true,\n payload: {\n inputPath: rawPath,\n displayName,\n scope: 'missing' satisfies FileReferenceScope,\n exists: false,\n absolutePath: candidate,\n capabilities: fileReferenceCapabilities('missing', false),\n errorCode: 'FILE_NOT_FOUND',\n },\n });\n }\n\n const classified = classifyFileLocation(candidate, classifierCtx);\n const { scope, locationKind, manageRoute } = classified;\n const inWorkspace = scope === 'workspace';\n const isDirectory = st.isDirectory();\n const capabilities = fileReferenceCapabilities(scope, isDirectory, locationKind);\n const ref = fileReferenceRegistry.register({\n absolutePath: candidate,\n sessionKey: sessionKey \|\| undefined,\n scope,\n locationKind,\n capabilities,\n });\n\n return c.json({\n ok: true,\n payload: {\n fileRefId: ref.id,\n inputPath: rawPath,\n displayName,\n scope,\n locationKind,\n manageRoute,\n exists: true,\n isDirectory,\n absolutePath: candidate,\n workspaceRelativePath: inWorkspace ? toWorkspaceRelativePosix(workspaceRoot, candidate) : undefined,\n capabilities,\n mtimeMs: st.mtimeMs,\n },\n });\n });\n\n authenticated.post('/api/workspace/file-ref/:id/resolve-action', async (c) => {\n const id = c.req.param('id')?.trim() ?? '';\n if (!id) {\n return c.json({ ok: false, error: { code: 'INVALID_FILE_REF', message: 'Missing file reference' } }, 400);\n }\n\n const ref = fileReferenceRegistry.resolve(id);\n if (!ref) {\n return c.json({ ok: false, error: { code: 'FILE_REF_EXPIRED', message: 'File reference expired' } }, 404);\n }\n\n const sessionKey = typeof c.req.query('sessionKey') === 'string' ? c.req.query('sessionKey')!.trim() : '';\n if (!fileRefSessionKeysMatch(ref.sessionKey, sessionKey)) {\n return c.json({ ok: false, error: { code: 'FILE_REF_FORBIDDEN', message: 'File reference forbidden' } }, 403);\n }\n\n const body = (await c.req.json().catch(() => ({}))) as { action?: unknown };\n const action = body.action;\n if (!isFileReferenceAction(action)) {\n return c.json({ ok: false, error: { code: 'INVALID_ACTION', message: 'Invalid action' } }, 400);\n }\n if (!ref.capabilities.includes(action)) {\n return c.json({ ok: false, error: { code: 'ACTION_NOT_ALLOWED', message: 'Action not allowed' } }, 403);\n }\n\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(ref.absolutePath);\n } catch {\n return c.json({ ok: false, error: { code: 'FILE_NOT_FOUND', message: 'File not found' } }, 404);\n }\n\n return c.json({\n ok: true,\n payload: {\n absolutePath: ref.absolutePath,\n isDirectory: st.isDirectory(),\n },\n });\n });\n\n authenticated.post('/api/workspace/import-file-ref/:id', async (c) => {\n const id = c.req.param('id')?.trim() ?? '';\n if (!id) {\n return c.json({ ok: false, error: { code: 'INVALID_FILE_REF', message: 'Missing file reference' } }, 400);\n }\n\n const ref = fileReferenceRegistry.resolve(id);\n if (!ref) {\n return c.json({ ok: false, error: { code: 'FILE_REF_EXPIRED', message: 'File reference expired' } }, 404);\n }\n\n const sessionKey = typeof c.req.query('sessionKey') === 'string' ? c.req.query('sessionKey')!.trim() : '';\n if (!fileRefSessionKeysMatch(ref.sessionKey, sessionKey)) {\n return c.json({ ok: false, error: { code: 'FILE_REF_FORBIDDEN', message: 'File reference forbidden' } }, 403);\n }\n\n if (!ref.capabilities.includes('importToWorkspace')) {\n return c.json({ ok: false, error: { code: 'IMPORT_NOT_ALLOWED', message: 'Import not allowed for this file' } }, 403);\n }\n\n let sourceStat: Awaited<ReturnType<typeof stat>>;\n try {\n sourceStat = await stat(ref.absolutePath);\n } catch {\n fileReferenceRegistry.expireById(id);\n return c.json({ ok: false, error: { code: 'SOURCE_NOT_FOUND', message: 'Source file no longer exists' } }, 404);\n }\n if (!sourceStat.isFile()) {\n return c.json({ ok: false, error: { code: 'SOURCE_NOT_FILE', message: 'Source is not a regular file' } }, 400);\n }\n\n const importCfg = resolveWorkspaceImportConfig(service.currentConfig);\n if (sourceStat.size > importCfg.maxBytes) {\n return c.json(\n {\n ok: false,\n error: {\n code: 'SOURCE_TOO_LARGE',\n message: `Source exceeds maximum import size (${importCfg.maxBytes} bytes)`,\n },\n },\n 413,\n );\n }\n\n const ws = await resolveEditorWorkspaceRootAsync(service, service.currentConfig, sessionKey, undefined);\n if (ws.ok === false) {\n return c.json({ ok: false, error: { code: 'WORKSPACE_RESOLUTION_FAILED', message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n\n let body: { destination?: unknown; onConflict?: unknown };\n try {\n body = (await c.req.json().catch(() => ({}))) as typeof body;\n } catch {\n body = {};\n }\n const requestedDestRaw = typeof body.destination === 'string' ? body.destination.trim() : '';\n const onConflictRaw = typeof body.onConflict === 'string' ? body.onConflict : 'rename';\n if (onConflictRaw !== 'rename' && onConflictRaw !== 'overwrite' && onConflictRaw !== 'error') {\n return c.json({ ok: false, error: { code: 'INVALID_CONFLICT_MODE', message: 'Invalid onConflict value' } }, 400);\n }\n const onConflict = onConflictRaw as 'rename' \| 'overwrite' \| 'error';\n if (onConflict === 'overwrite' && !importCfg.allowOverwrite) {\n return c.json({ ok: false, error: { code: 'OVERWRITE_DISABLED', message: 'Overwrite is disabled by config' } }, 403);\n }\n\n const sourceBasename = sanitizeImportBasename(basename(ref.absolutePath)) \|\| 'imported-file';\n let requestedRel: string;\n if (!requestedDestRaw) {\n requestedRel = `${importCfg.targetDir}/${sourceBasename}`;\n } else {\n const trimmedDest = requestedDestRaw.replace(/\\\\/g, '/');\n // Path ending with `/` is treated as a directory; append source basename.\n requestedRel = trimmedDest.endsWith('/') ? `${trimmedDest}${sourceBasename}` : trimmedDest;\n }\n\n let initialDestAbs = resolveWorkspaceSafePath(workspaceRoot, requestedRel);\n if (!initialDestAbs) {\n return c.json({ ok: false, error: { code: 'INVALID_DESTINATION', message: 'Invalid destination path' } }, 400);\n }\n\n // Sandbox: blocks `.xopc/xopc.json`, `.env`, etc.; canonical symlink resolution included.\n const writePolicy = validateWritePath(initialDestAbs, workspaceRoot);\n if (!writePolicy.allowed) {\n return c.json({ ok: false, error: { code: 'DESTINATION_BLOCKED', message: writePolicy.reason ?? 'Destination blocked' } }, 403);\n }\n\n if (resolve(ref.absolutePath) === resolve(initialDestAbs)) {\n return c.json({ ok: false, error: { code: 'SAME_LOCATION', message: 'Destination is the same as source' } }, 400);\n }\n\n const destDir = dirname(initialDestAbs);\n try {\n await mkdir(destDir, { recursive: true });\n } catch (err) {\n log.warn({ err, destDir }, 'Failed to create import destination directory');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'Failed to prepare destination' } }, 500);\n }\n\n // Stage source into a hidden tmp file inside the destination directory so we\n // can atomically `link` (rename strategy) or `rename` (overwrite) to land it.\n const tmpName = `.${basename(initialDestAbs)}.import-${randomUUID()}.tmp`;\n const tmpAbs = join(destDir, tmpName);\n\n const started = Date.now();\n let renamed = false;\n let overwrote = false;\n let finalDestAbs = initialDestAbs;\n\n try {\n try {\n await copyFile(ref.absolutePath, tmpAbs, fsConstants.COPYFILE_FICLONE);\n } catch (err) {\n await unlink(tmpAbs).catch(() => {});\n log.warn({ err, source: ref.absolutePath, tmpAbs }, 'Failed to copy source into staging tmp');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'Failed to copy source file' } }, 500);\n }\n\n if (onConflict === 'overwrite') {\n // Snapshot pre-rename existence for telemetry; the actual overwrite is unconditional.\n overwrote = await stat(initialDestAbs).then(() => true).catch(() => false);\n try {\n await rename(tmpAbs, initialDestAbs);\n } catch (err) {\n await unlink(tmpAbs).catch(() => {});\n log.warn({ err, target: initialDestAbs }, 'Atomic rename failed');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'Failed to finalize import' } }, 500);\n }\n } else if (onConflict === 'error') {\n const exists = await stat(initialDestAbs).then(() => true).catch(() => false);\n if (exists) {\n await unlink(tmpAbs).catch(() => {});\n return c.json({ ok: false, error: { code: 'DESTINATION_EXISTS', message: 'Destination already exists' } }, 409);\n }\n try {\n await link(tmpAbs, initialDestAbs);\n await unlink(tmpAbs).catch(() => {});\n } catch (err) {\n await unlink(tmpAbs).catch(() => {});\n log.warn({ err, target: initialDestAbs }, 'Hard link to destination failed');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'Failed to finalize import' } }, 500);\n }\n } else {\n // rename: race-safe loop using O_EXCL semantics of `link`.\n const picked = await pickAvailableTargetWithLink(tmpAbs, initialDestAbs);\n if (!picked.ok) {\n await unlink(tmpAbs).catch(() => {});\n log.warn({ target: initialDestAbs, attempts: picked.attempts }, 'Failed to find free import target name');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'No free destination name available' } }, 500);\n }\n await unlink(tmpAbs).catch(() => {});\n finalDestAbs = picked.path;\n renamed = picked.path !== initialDestAbs;\n }\n } catch (err) {\n await unlink(tmpAbs).catch(() => {});\n log.error({ err }, 'Import file unexpected failure');\n return c.json({ ok: false, error: { code: 'IMPORT_FAILED', message: 'Import failed' } }, 500);\n }\n\n let finalMtime: number;\n try {\n finalMtime = (await stat(finalDestAbs)).mtimeMs;\n } catch {\n finalMtime = Date.now();\n }\n\n const workspaceRel = toWorkspaceRelativePosix(workspaceRoot, finalDestAbs);\n\n fileReferenceRegistry.expireById(id);\n const newRef = fileReferenceRegistry.register({\n absolutePath: finalDestAbs,\n sessionKey: sessionKey \|\| undefined,\n scope: 'workspace',\n capabilities: fileReferenceCapabilities('workspace', false),\n });\n\n const sourceScope = ref.scope;\n const sourceLocationKind = ref.locationKind;\n\n service.emit('workspace.file-imported', {\n sessionKey: sessionKey \|\| undefined,\n workspaceRelativePath: workspaceRel,\n absolutePath: finalDestAbs,\n bytes: sourceStat.size,\n sourceScope,\n sourceLocationKind,\n });\n\n log.info(\n {\n sessionKey,\n fileRefId: id,\n sourceAbsolutePath: ref.absolutePath,\n sourceScope,\n sourceLocationKind,\n destWorkspaceRelativePath: workspaceRel,\n bytes: sourceStat.size,\n renamed,\n overwrote,\n durationMs: Date.now() - started,\n },\n 'Workspace file import succeeded',\n );\n\n return c.json({\n ok: true,\n payload: {\n workspaceRelativePath: workspaceRel,\n absolutePath: finalDestAbs,\n bytesCopied: sourceStat.size,\n sourceAbsolutePath: ref.absolutePath,\n sourceScope,\n sourceLocationKind,\n renamed,\n overwrote,\n mtimeMs: finalMtime,\n newFileRefId: newRef.id,\n },\n });\n });\n\n /*\n Serve a workspace file as raw bytes (e.g. <img> after auth fetch + blob URL).\n * Path is workspace-relative; scope via sessionKey / agentId like other editor routes.\n /\n authenticated.get('/api/workspace/editor/raw', async (c) => {\n const pathRel = typeof c.req.query('path') === 'string' ? c.req.query('path')! : '';\n if (!pathRel.trim()) {\n return c.json({ ok: false, error: { message: 'Missing path' } }, 400);\n }\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const abs = resolveWorkspaceSafePath(workspaceRoot, pathRel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(abs);\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n if (!st.isFile()) {\n return c.json({ ok: false, error: { message: 'Not a file' } }, 400);\n }\n const ext = pathRel.split('.').pop()?.toLowerCase() ?? '';\n const mimeByExt: Record<string, string> = {\n png: 'image/png',\n jpg: 'image/jpeg',\n jpeg: 'image/jpeg',\n gif: 'image/gif',\n webp: 'image/webp',\n bmp: 'image/bmp',\n svg: 'image/svg+xml',\n pdf: 'application/pdf',\n docx: 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',\n xlsx: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',\n pptx: 'application/vnd.openxmlformats-officedocument.presentationml.presentation',\n txt: 'text/plain',\n md: 'text/markdown',\n json: 'application/json',\n html: 'text/html',\n css: 'text/css',\n js: 'text/javascript',\n ts: 'text/typescript',\n mp3: 'audio/mpeg',\n wav: 'audio/wav',\n ogg: 'audio/ogg',\n webm: 'video/webm',\n mp4: 'video/mp4',\n mov: 'video/quicktime',\n };\n const contentType = mimeByExt[ext] \|\| 'application/octet-stream';\n try {\n const buf = await readFile(abs);\n return new Response(buf, {\n headers: {\n 'Content-Type': contentType,\n 'Cache-Control': 'private, max-age=3600',\n },\n });\n } catch {\n return c.json({ ok: false, error: { message: 'Read failed' } }, 500);\n }\n });\n\n authenticated.put('/api/workspace/editor/write', async (c) => {\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n let body: unknown;\n try {\n body = await c.req.json();\n } catch {\n return c.json({ ok: false, error: { message: 'Invalid JSON' } }, 400);\n }\n const pathRel =\n typeof body === 'object' &&\n body !== null &&\n 'path' in body &&\n typeof (body as { path: unknown }).path === 'string'\n ? (body as { path: string }).path\n : '';\n const content =\n typeof body === 'object' &&\n body !== null &&\n 'content' in body &&\n typeof (body as { content: unknown }).content === 'string'\n ? (body as { content: string }).content\n : '';\n if (!pathRel.trim()) {\n return c.json({ ok: false, error: { message: 'Missing path' } }, 400);\n }\n const abs = resolveWorkspaceSafePath(workspaceRoot, pathRel);\n if (!abs) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>> \| undefined;\n try {\n st = await stat(abs);\n } catch {\n st = undefined;\n }\n if (st && !st.isFile()) {\n return c.json({ ok: false, error: { message: 'Not a file' } }, 400);\n }\n try {\n await writeFile(abs, content, 'utf-8');\n let mtimeMs: number;\n try {\n mtimeMs = (await stat(abs)).mtimeMs;\n } catch {\n mtimeMs = Date.now();\n }\n return c.json({\n ok: true,\n payload: { path: toWorkspaceRelativePosix(workspaceRoot, abs), mtimeMs },\n });\n } catch (err) {\n log.error({ err, path: abs }, 'workspace editor write failed');\n return c.json({ ok: false, error: { message: 'Write failed' } }, 500);\n }\n });\n\n authenticated.get('/api/workspace/editor/search', async (c) => {\n const q = typeof c.req.query('q') === 'string' ? c.req.query('q')!.trim() : '';\n const dirRel = typeof c.req.query('dir') === 'string' ? c.req.query('dir')! : '';\n if (!q) {\n return c.json({\n ok: true,\n payload: { results: [] as { filePath: string; lineNumber: number; lineContent: string; matchStart: number; matchEnd: number }[] },\n });\n }\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n const workspaceRoot = ws.root;\n const absDir = resolveWorkspaceSafePath(workspaceRoot, dirRel);\n if (!absDir) {\n return c.json({ ok: false, error: { message: 'Invalid path' } }, 400);\n }\n let st: Awaited<ReturnType<typeof stat>>;\n try {\n st = await stat(absDir);\n } catch {\n return c.json({ ok: false, error: { message: 'Not found' } }, 404);\n }\n if (!st.isDirectory()) {\n return c.json({ ok: false, error: { message: 'Not a directory' } }, 400);\n }\n const raw = await runRipgrepInDirectory(q, absDir);\n const results = raw\n .filter((r) => isPathUnderWorkspace(workspaceRoot, r.filePath))\n .map((r) => ({\n ...r,\n filePath: toWorkspaceRelativePosix(workspaceRoot, resolve(r.filePath)),\n }));\n return c.json({ ok: true, payload: { results } });\n });\n\n /* Fuzzy filename / path search over the session workspace (ripgrep `--files` + subsequence scoring). */\n authenticated.get('/api/workspace/editor/files/search', async (c) => {\n const q = typeof c.req.query('q') === 'string' ? c.req.query('q')!.trim() : '';\n const limitRaw = c.req.query('limit');\n const limit = Math.min(\n Math.max(parseInt(typeof limitRaw === 'string' ? limitRaw : '15', 10) \|\| 15, 1),\n FILE_SEARCH_MAX_LIMIT,\n );\n\n const ws = await resolveEditorWorkspaceRootAsync(\n service,\n service.currentConfig,\n c.req.query('sessionKey'),\n c.req.query('agentId'),\n );\n if (ws.ok === false) {\n return c.json({ ok: false, error: { message: ws.message } }, 400);\n }\n\n const entries = await fuzzySearchWorkspaceFiles(ws.root, q, limit);\n return c.json({ ok: true, payload: { entries } });\n });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;kBAkBuC;aACiB;AAyBxD,MAAM,MAAM,aAAa,UAAU;;AAGnC,SAAS,oCAAoC,KAAa,eAA2C;CACnG,MAAM,KAAK,OAAO,kBAAkB,WAAW,cAAc,MAAM,GAAG;AAEtE,QAAO,oBAAoB,KADX,KAAK,sBAAsB,IAAI,IAAI,GAAG,sBAAsB,IAAI,CACxC;;AAG1C,MAAM,wBAAwB;;AAG9B,SAAS,sBAAsB,OAAe,WAAkC;CAC9E,MAAM,IAAI,MAAM,aAAa;CAC7B,MAAM,IAAI,UAAU,aAAa;AACjC,KAAI,EAAE,WAAW,EAAG,QAAO;CAC3B,IAAI,KAAK;AACT,MAAK,IAAI,KAAK,GAAG,KAAK,EAAE,UAAU,KAAK,EAAE,QAAQ,KAC/C,KAAI,EAAE,QAAQ,EAAE,IAAK;AAEvB,KAAI,KAAK,EAAE,OAAQ,QAAO;CAC1B,MAAM,OAAO,EAAE,MAAM,IAAI,CAAC,KAAK,IAAI;CACnC,IAAI,QAAQ;AACZ,KAAI,EAAE,WAAW,EAAE,CAAE,UAAS;AAC9B,KAAI,KAAK,WAAW,EAAE,CAAE,UAAS;UACxB,KAAK,SAAS,EAAE,CAAE,UAAS;UAC3B,EAAE,SAAS,EAAE,CAAE,UAAS;AACjC,UAAS,EAAE,SAAS;AACpB,QAAO;;AAGT,eAAe,0BACb,eACA,OACA,OACsE;CACtE,IAAI,QAAQ,MAAM,oBAAoB,cAAc;AACpD,KAAI,MAAM,WAAW,GAAG;AACtB,UAAQ,MAAM,qCAAqC,eAAe,KAAQ;AAC1E,MAAI,MAAM,SAAS,EACjB,KAAI,MACF;GAAE;GAAe,WAAW,MAAM;GAAQ,EAC1C,yFACD;;CAGL,MAAM,IAAI,MAAM,MAAM;CACtB,MAAM,SAAS,KAAK,IAAI,KAAK,IAAI,OAAO,EAAE,EAAE,sBAAsB;CAGlE,MAAM,OAAc,EAAE;AAEtB,KAAI,CAAC,GAAG;EACN,MAAM,SAAS,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,EAAE,cAAc,EAAE,CAAC;AAC5D,OAAK,MAAM,OAAO,OAAO,MAAM,GAAG,OAAO,EAAE;GACzC,MAAM,OAAO,IAAI,MAAM,IAAI,CAAC,KAAK,IAAI;AACrC,QAAK,KAAK;IAAE;IAAM,MAAM;IAAK,aAAa;IAAO,OAAO;IAAG,CAAC;;AAE9D,SAAO;;AAGT,MAAK,MAAM,OAAO,OAAO;EACvB,MAAM,OAAO,IAAI,MAAM,IAAI,CAAC,KAAK,IAAI;EACrC,MAAM,YAAY,sBAAsB,GAAG,IAAI;EAC/C,MAAM,YAAY,sBAAsB,GAAG,KAAK;EAChD,MAAM,QAAQ,KAAK,IAAI,aAAa,WAAW,aAAa,UAAU;AACtE,MAAI,UAAU,UAAW;AACzB,OAAK,KAAK;GAAE;GAAM,MAAM;GAAK,aAAa;GAAO;GAAO,CAAC;;AAG3D,MAAK,MAAM,GAAG,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,cAAc,EAAE,KAAK,CAAC;AACtE,QAAO,KAAK,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,MAAM,MAAM,mBAAmB;EAAE;EAAM;EAAM;EAAa,EAAE;;AAGlG,SAAS,qBAAqB,KAAa,IAAqB;CAC9D,MAAM,IAAI,iBAAiB,GAAG;AAC9B,KAAI,MAAM,sBAAsB,IAAI,CAAE,QAAO;AAC7C,QAAO,iBAAiB,IAAI,CAAC,MAAM,MAAM,iBAAiB,EAAE,GAAG,KAAK,EAAE;;AAGxE,SAAS,2BACP,KACA,YAC6D;CAC7D,MAAM,UAAU,OAAO,eAAe,WAAW,WAAW,MAAM,GAAG;AACrE,KAAI,CAAC,SAAS;EACZ,MAAM,OAAO,iBAAiB,IAAI;AAClC,MAAI,CAAC,KAAM,QAAO;GAAE,IAAI;GAAO,SAAS;GAA4B;AACpE,SAAO;GAAE,IAAI;GAAM;GAAM;;CAE3B,MAAM,KAAK,iBAAiB,QAAQ;AACpC,KAAI,CAAC,qBAAqB,KAAK,GAAG,CAChC,QAAO;EAAE,IAAI;EAAO,SAAS;EAAiB;AAEhD,QAAO;EAAE,IAAI;EAAM,MAAM,yBAAyB,KAAK,GAAG;EAAE;;;AAI9D,eAAe,gCACb,SACA,KACA,eACA,YACsE;CACtE,MAAM,KAAK,OAAO,kBAAkB,WAAW,cAAc,MAAM,GAAG;AACtE,KAAI,GACF,KAAI;AAEF,SAAO;GAAE,IAAI;GAAM,MAAA,MADA,QAAQ,SAAS,0BAA0B,GAAG;GACxC;UAClB,KAAK;EACZ,MAAM,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC3D,MAAI,KAAK;GAAE;GAAK,YAAY;GAAI,EAAE,2CAA2C;AAC7E,SAAO;GAAE,IAAI;GAAO,SAAS,MAAM;GAAuC;;AAG9E,QAAO,2BAA2B,KAAK,WAAW;;AASpD,SAAS,6BAA6B,KAA4C;CAChF,MAAM,MAAM,IAAI,WAAW;AAC3B,QAAO;EACL,WAAW,KAAK,WAAW,MAAM,IAAI;EACrC,UAAU,KAAK,YAAY;EAC3B,gBAAgB,KAAK,kBAAkB;EACxC;;;AAIH,SAAS,uBAAuB,MAAsB;AACpD,QAAO,KACJ,QAAQ,UAAU,GAAG,CACrB,QAAQ,oBAAoB,GAAG,CAC/B,MAAM;;;;;;;AAQX,eAAe,4BACb,QACA,gBACA,cAAc,KAC2E;CACzF,MAAM,MAAM,QAAQ,eAAe;CACnC,MAAM,WAAW,SAAS,eAAe;CACzC,MAAM,SAAS,SAAS,YAAY,IAAI;CACxC,MAAM,OAAO,SAAS,IAAI,SAAS,MAAM,GAAG,OAAO,GAAG;CACtD,MAAM,MAAM,SAAS,IAAI,SAAS,MAAM,OAAO,GAAG;AAClD,MAAK,IAAI,UAAU,GAAG,WAAW,aAAa,WAAW;EACvD,MAAM,YAAY,YAAY,IAAI,iBAAiB,KAAK,KAAK,GAAG,KAAK,GAAG,UAAU,MAAM;AACxF,MAAI;AACF,SAAM,KAAK,QAAQ,UAAU;AAC7B,UAAO;IAAE,IAAI;IAAM,MAAM;IAAW,UAAU;IAAS;WAChD,KAAK;AAEZ,OADc,KAA+B,SAChC,SACX,OAAM;;;AAIZ,QAAO;EAAE,IAAI;EAAO,UAAU;EAAa;;AAG7C,SAAS,0BACP,OACA,aACA,cAC2B;AAC3B,KAAI,UAAU,YACZ,QAAO,cACH;EAAC;EAAgB;EAAkB;EAAW,GAC9C;EAAC;EAAW;EAAQ;EAAgB;EAAkB;EAAW;AAEvE,KAAI,UAAU,cAAc,UAAU,mBAAmB,UAAU,oBAAoB;EACrF,MAAM,OAAkC;GAAC;GAAgB;GAAkB;GAAW;AAGtF,MAAI,CAAC,eAAe,iBAAiB,cACnC,MAAK,KAAK,oBAAoB;AAEhC,SAAO;;AAET,KAAI,UAAU,UAAW,QAAO,CAAC,WAAW;AAC5C,QAAO,EAAE;;AAGX,SAAS,sBAAsB,QAA8D;AAC3F,QAAO,WAAW,kBAAkB,WAAW;;AAGjD,SAAgB,wBAAwB,eAAqB,MAAoC;CAC/F,MAAM,EAAE,YAAY;AAEpB,eAAc,IAAI,+BAA+B,OAAO,MAAM;EAC5D,MAAM,MAAM,EAAE,IAAI,MAAM,MAAM;AAC9B,MAAI,CAAC,OAAO,OAAO,QAAQ,SACzB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,eAAe;GAAE,EAAE,IAAI;EAEtE,MAAM,MAAM,QAAQ;EAEpB,MAAM,MAAM,2BAA2B,EAAE,WADvB,oCAAoC,KAAK,EAAE,IAAI,MAAM,aAAa,CAClC,EAAE,EAAE,IAAI;AAC1D,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,aAAa;GAAE,EAAE,IAAI;AAEpE,MAAI;GACF,MAAM,MAAM,MAAM,SAAS,IAAI;GAuB/B,MAAM,cAAc;IApBlB,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,MAAM;IACN,KAAK;IACL,IAAI;IACJ,KAAK;IACL,MAAM;IACN,MAAM;IACN,KAAK;IACL,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,KAAK;IACL,MAAM;IACN,KAAK;IACL,KAAK;IACL,KAAK;IAEsB,CAtBjB,IAAI,MAAM,IAAI,CAAC,KAAK,EAAE,aAAa,IAAI,OAsBb;AACtC,UAAO,IAAI,SAAS,KAAK,EACvB,SAAS;IACP,gBAAgB;IAChB,iBAAiB;IAClB,EACF,CAAC;UACI;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;GAEpE;AAEF,eAAc,IAAI,2BAA2B,OAAO,MAAM;EACxD,MAAM,MAAM,EAAE,IAAI,MAAM,MAAM;AAC9B,MAAI,CAAC,OAAO,OAAO,QAAQ,SACzB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,eAAe;GAAE,EAAE,IAAI;EAEtE,MAAM,MAAM,QAAQ;EAEpB,MAAM,MAAM,uBAAuB,EAAE,WADnB,oCAAoC,KAAK,EAAE,IAAI,MAAM,aAAa,CACtC,EAAE,EAAE,IAAI;AACtD,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,aAAa;GAAE,EAAE,IAAI;AAEpE,MAAI;GACF,MAAM,MAAM,MAAM,SAAS,IAAI;GAS/B,MAAM,cAAc;IANlB,KAAK;IACL,MAAM;IACN,KAAK;IACL,KAAK;IACL,KAAK;IAEsB,CARjB,IAAI,MAAM,IAAI,CAAC,KAAK,EAAE,aAAa,IAAI,OAQb;AACtC,UAAO,IAAI,SAAS,KAAK,EACvB,SAAS;IACP,gBAAgB;IAChB,iBAAiB;IAClB,EACF,CAAC;UACI;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;GAEpE;AAEF,eAAc,IAAI,+BAA+B,OAAO,MAAM;EAC5D,MAAM,MAAM,uBAAuB,QAAQ,cAAc;AACzD,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,4BAA4B;GAAE,EAAE,IAAI;AAEnF,MAAI;GACF,MAAM,UAAU,MAAM,SAAS,KAAK,QAAQ;AAC5C,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS;KAAW;KAAS,MAAM;KAAgB;IAAE,CAAC;UAC1E;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS;KAAE,SAAS;KAAI,MAAM;KAAgB;IAAE,CAAC;;GAE7E;AAEF,eAAc,IAAI,+BAA+B,OAAO,MAAM;EAC5D,MAAM,MAAM,uBAAuB,QAAQ,cAAc;AACzD,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,4BAA4B;GAAE,EAAE,IAAI;EAEnF,IAAI;AACJ,MAAI;AACF,UAAO,MAAM,EAAE,IAAI,MAAM;UACnB;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,gBAAgB;IAAE,EAAE,IAAI;;EAEvE,MAAM,UACJ,OAAO,SAAS,YAChB,SAAS,QACT,aAAa,QACb,OAAQ,KAA8B,YAAY,WAC7C,KAA6B,UAC9B;AACN,MAAI;AACF,SAAM,UAAU,KAAK,SAAS,QAAQ;AACtC,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS,EAAE,MAAM,gBAAgB;IAAE,CAAC;WACvD,KAAK;AACZ,OAAI,MAAM;IAAE;IAAK,MAAM;IAAK,EAAE,+BAA+B;AAC7D,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,gBAAgB;IAAE,EAAE,IAAI;;GAEvE;AAEF,eAAc,IAAI,8BAA8B,OAAO,MAAM;EAC3D,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EAEzB,MAAM,SAAS,yBAAyB,eADzB,OAAO,EAAE,IAAI,MAAM,MAAM,KAAK,WAAW,EAAE,IAAI,MAAM,MAAM,GAAI,GAChB;AAC9D,MAAI,CAAC,OACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,OAAO;UACjB;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;AAEpE,MAAI,CAAC,GAAG,aAAa,CACnB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,mBAAmB;GAAE,EAAE,IAAI;EAE1E,MAAM,UAAU,MAAM,QAAQ,QAAQ,EAAE,eAAe,MAAM,CAAC;EAC9D,MAAM,UAAwF,EAAE;AAChG,OAAK,MAAM,SAAS,SAAS;AAC3B,OAAI,MAAM,KAAK,WAAW,IAAI,CAAE;GAChC,MAAM,WAAW,KAAK,QAAQ,MAAM,KAAK;AACzC,OAAI,MAAM,aAAa,CACrB,SAAQ,KAAK;IACX,MAAM,MAAM;IACZ,MAAM,yBAAyB,eAAe,SAAS;IACvD,cAAc;IACd,aAAa;IACd,CAAC;OAEF,SAAQ,KAAK;IACX,MAAM,MAAM;IACZ,MAAM,yBAAyB,eAAe,SAAS;IACvD,cAAc;IACd,aAAa;IACd,CAAC;;AAGN,UAAQ,MAAM,GAAG,MAAM;AACrB,OAAI,EAAE,gBAAgB,EAAE,YAAa,QAAO,EAAE,cAAc,KAAK;AACjE,UAAO,EAAE,KAAK,cAAc,EAAE,KAAK;IACnC;AACF,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS,EAAE,SAAS;GAAE,CAAC;GACjD;AAEF,eAAc,IAAI,8BAA8B,OAAO,MAAM;EAC3D,MAAM,UAAU,OAAO,EAAE,IAAI,MAAM,OAAO,KAAK,WAAW,EAAE,IAAI,MAAM,OAAO,GAAI;AACjF,MAAI,CAAC,QAAQ,MAAM,CACjB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,MAAM,MAAM,yBAAyB,eAAe,QAAQ;AAC5D,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,IAAI;UACd;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;AAEpE,MAAI,CAAC,GAAG,QAAQ,CACd,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,cAAc;GAAE,EAAE,IAAI;AAErE,MAAI;GACF,MAAM,UAAU,MAAM,SAAS,KAAK,QAAQ;AAC5C,UAAO,EAAE,KAAK;IACZ,IAAI;IACJ,SAAS;KACP;KACA,MAAM,yBAAyB,eAAe,IAAI;KAClD,cAAc;KACd,SAAS,GAAG;KACb;IACF,CAAC;UACI;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,eAAe;IAAE,EAAE,IAAI;;GAEtE;;AAGF,eAAc,IAAI,qCAAqC,OAAO,MAAM;EAClE,MAAM,UAAU,OAAO,EAAE,IAAI,MAAM,OAAO,KAAK,WAAW,EAAE,IAAI,MAAM,OAAO,GAAI;AACjF,MAAI,CAAC,QAAQ,MAAM,CACjB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,MAAM,MAAM,yBAAyB,eAAe,QAAQ;AAC5D,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,IAAI;UACd;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;AAEpE,MAAI,CAAC,GAAG,QAAQ,CACd,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,cAAc;GAAE,EAAE,IAAI;AAErE,MAAI;GACF,MAAM,MAAM,MAAM,SAAS,IAAI;AAC/B,UAAO,EAAE,KAAK;IACZ,IAAI;IACJ,SAAS;KACP,eAAe,IAAI,SAAS,SAAS;KACrC,MAAM,yBAAyB,eAAe,IAAI;;KAElD,cAAc;KACd,SAAS,GAAG;KACb;IACF,CAAC;UACI;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,eAAe;IAAE,EAAE,IAAI;;GAEtE;;AAGF,eAAc,IAAI,sCAAsC,OAAO,MAAM;EACnE,MAAM,MAAM,EAAE,IAAI,MAAM,eAAe;AACvC,MAAI,CAAC,OAAO,OAAO,QAAQ,YAAY,CAAC,IAAI,MAAM,CAChD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,wBAAwB;GAAE,EAAE,IAAI;EAE/E,MAAM,eAAe,IAAI,MAAM;EAC/B,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,MAAM,aAAa,QAAQ,aAAa;AACxC,MAAI,CAAC,qBAAqB,eAAe,WAAW,CAClD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,4BAA4B;GAAE,EAAE,IAAI;EAEnF,MAAM,MAAM,yBAAyB,eAAe,WAAW;AAC/D,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS,EAAE,uBAAuB,KAAK;GAAE,CAAC;GACpE;AAEF,eAAc,IAAI,2CAA2C,OAAO,MAAM;EACxE,MAAM,UAAU,OAAO,EAAE,IAAI,MAAM,OAAO,KAAK,WAAW,EAAE,IAAI,MAAM,OAAO,CAAE,MAAM,GAAG;AACxF,MAAI,CAAC,QACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAgB,SAAS;IAAgB;GAAE,EAAE,IAAI;EAG7F,MAAM,aAAa,OAAO,EAAE,IAAI,MAAM,aAAa,KAAK,WAAW,EAAE,IAAI,MAAM,aAAa,CAAE,MAAM,GAAG;EACvG,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,YACA,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAA+B,SAAS,GAAG;IAAS;GAAE,EAAE,IAAI;EAGxG,MAAM,gBAAgB,GAAG;EACzB,MAAM,gBAAgB;GAAE,GAAG,+BAA+B,QAAQ,eAAe,WAAW;GAAE;GAAe;EAC7G,MAAM,cAAc,mBAAmB,QAAQ;EAC/C,MAAM,EAAE,WAAW,YAAY,MAAM,8BAA8B,SAAS,eAAe,cAAc;AAEzG,MAAI,CAAC,aAAa,QAChB,QAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,WAAW;IACX;IACA,OAAO;IACP,QAAQ;IACR,cAAc,EAAE;IAChB,WAAW;IACZ;GACF,CAAC;EAGJ,IAAI,KAA8C;AAClD,MAAI;AACF,QAAK,MAAM,KAAK,UAAU;UACpB;AACN,QAAK;;AAGP,MAAI,CAAC,GAIH,QAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,WAAW;IACX;IACA,OAAO;IACP,QAAQ;IACR,cAAc;IACd,cAAc,0BAA0B,WAAW,MAAM;IACzD,WAAW;IACZ;GACF,CAAC;EAIJ,MAAM,EAAE,OAAO,cAAc,gBADV,qBAAqB,WAAW,cACI;EACvD,MAAM,cAAc,UAAU;EAC9B,MAAM,cAAc,GAAG,aAAa;EACpC,MAAM,eAAe,0BAA0B,OAAO,aAAa,aAAa;EAChF,MAAM,MAAM,sBAAsB,SAAS;GACzC,cAAc;GACd,YAAY,cAAc,KAAA;GAC1B;GACA;GACA;GACD,CAAC;AAEF,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,WAAW,IAAI;IACf,WAAW;IACX;IACA;IACA;IACA;IACA,QAAQ;IACR;IACA,cAAc;IACd,uBAAuB,cAAc,yBAAyB,eAAe,UAAU,GAAG,KAAA;IAC1F;IACA,SAAS,GAAG;IACb;GACF,CAAC;GACF;AAEF,eAAc,KAAK,8CAA8C,OAAO,MAAM;EAC5E,MAAM,KAAK,EAAE,IAAI,MAAM,KAAK,EAAE,MAAM,IAAI;AACxC,MAAI,CAAC,GACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAoB,SAAS;IAA0B;GAAE,EAAE,IAAI;EAG3G,MAAM,MAAM,sBAAsB,QAAQ,GAAG;AAC7C,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAoB,SAAS;IAA0B;GAAE,EAAE,IAAI;EAG3G,MAAM,aAAa,OAAO,EAAE,IAAI,MAAM,aAAa,KAAK,WAAW,EAAE,IAAI,MAAM,aAAa,CAAE,MAAM,GAAG;AACvG,MAAI,CAAC,wBAAwB,IAAI,YAAY,WAAW,CACtD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAsB,SAAS;IAA4B;GAAE,EAAE,IAAI;EAI/G,MAAM,UAAS,MADK,EAAE,IAAI,MAAM,CAAC,aAAa,EAAE,EAAE,EAC9B;AACpB,MAAI,CAAC,sBAAsB,OAAO,CAChC,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAkB,SAAS;IAAkB;GAAE,EAAE,IAAI;AAEjG,MAAI,CAAC,IAAI,aAAa,SAAS,OAAO,CACpC,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAsB,SAAS;IAAsB;GAAE,EAAE,IAAI;EAGzG,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,IAAI,aAAa;UAC3B;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO;KAAE,MAAM;KAAkB,SAAS;KAAkB;IAAE,EAAE,IAAI;;AAGjG,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,cAAc,IAAI;IAClB,aAAa,GAAG,aAAa;IAC9B;GACF,CAAC;GACF;AAEF,eAAc,KAAK,sCAAsC,OAAO,MAAM;EACpE,MAAM,KAAK,EAAE,IAAI,MAAM,KAAK,EAAE,MAAM,IAAI;AACxC,MAAI,CAAC,GACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAoB,SAAS;IAA0B;GAAE,EAAE,IAAI;EAG3G,MAAM,MAAM,sBAAsB,QAAQ,GAAG;AAC7C,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAoB,SAAS;IAA0B;GAAE,EAAE,IAAI;EAG3G,MAAM,aAAa,OAAO,EAAE,IAAI,MAAM,aAAa,KAAK,WAAW,EAAE,IAAI,MAAM,aAAa,CAAE,MAAM,GAAG;AACvG,MAAI,CAAC,wBAAwB,IAAI,YAAY,WAAW,CACtD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAsB,SAAS;IAA4B;GAAE,EAAE,IAAI;AAG/G,MAAI,CAAC,IAAI,aAAa,SAAS,oBAAoB,CACjD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAsB,SAAS;IAAoC;GAAE,EAAE,IAAI;EAGvH,IAAI;AACJ,MAAI;AACF,gBAAa,MAAM,KAAK,IAAI,aAAa;UACnC;AACN,yBAAsB,WAAW,GAAG;AACpC,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO;KAAE,MAAM;KAAoB,SAAS;KAAgC;IAAE,EAAE,IAAI;;AAEjH,MAAI,CAAC,WAAW,QAAQ,CACtB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAmB,SAAS;IAAgC;GAAE,EAAE,IAAI;EAGhH,MAAM,YAAY,6BAA6B,QAAQ,cAAc;AACrE,MAAI,WAAW,OAAO,UAAU,SAC9B,QAAO,EAAE,KACP;GACE,IAAI;GACJ,OAAO;IACL,MAAM;IACN,SAAS,uCAAuC,UAAU,SAAS;IACpE;GACF,EACD,IACD;EAGH,MAAM,KAAK,MAAM,gCAAgC,SAAS,QAAQ,eAAe,YAAY,KAAA,EAAU;AACvG,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAA+B,SAAS,GAAG;IAAS;GAAE,EAAE,IAAI;EAExG,MAAM,gBAAgB,GAAG;EAEzB,IAAI;AACJ,MAAI;AACF,UAAQ,MAAM,EAAE,IAAI,MAAM,CAAC,aAAa,EAAE,EAAE;UACtC;AACN,UAAO,EAAE;;EAEX,MAAM,mBAAmB,OAAO,KAAK,gBAAgB,WAAW,KAAK,YAAY,MAAM,GAAG;EAC1F,MAAM,gBAAgB,OAAO,KAAK,eAAe,WAAW,KAAK,aAAa;AAC9E,MAAI,kBAAkB,YAAY,kBAAkB,eAAe,kBAAkB,QACnF,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAyB,SAAS;IAA4B;GAAE,EAAE,IAAI;EAElH,MAAM,aAAa;AACnB,MAAI,eAAe,eAAe,CAAC,UAAU,eAC3C,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAsB,SAAS;IAAmC;GAAE,EAAE,IAAI;EAGtH,MAAM,iBAAiB,uBAAuB,SAAS,IAAI,aAAa,CAAC,IAAI;EAC7E,IAAI;AACJ,MAAI,CAAC,iBACH,gBAAe,GAAG,UAAU,UAAU,GAAG;OACpC;GACL,MAAM,cAAc,iBAAiB,QAAQ,OAAO,IAAI;AAExD,kBAAe,YAAY,SAAS,IAAI,GAAG,GAAG,cAAc,mBAAmB;;EAGjF,IAAI,iBAAiB,yBAAyB,eAAe,aAAa;AAC1E,MAAI,CAAC,eACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAuB,SAAS;IAA4B;GAAE,EAAE,IAAI;EAIhH,MAAM,cAAc,kBAAkB,gBAAgB,cAAc;AACpE,MAAI,CAAC,YAAY,QACf,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAuB,SAAS,YAAY,UAAU;IAAuB;GAAE,EAAE,IAAI;AAGjI,MAAI,QAAQ,IAAI,aAAa,KAAK,QAAQ,eAAe,CACvD,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAqC;GAAE,EAAE,IAAI;EAGnH,MAAM,UAAU,QAAQ,eAAe;AACvC,MAAI;AACF,SAAM,MAAM,SAAS,EAAE,WAAW,MAAM,CAAC;WAClC,KAAK;AACZ,OAAI,KAAK;IAAE;IAAK;IAAS,EAAE,gDAAgD;AAC3E,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO;KAAE,MAAM;KAAiB,SAAS;KAAiC;IAAE,EAAE,IAAI;;EAM/G,MAAM,SAAS,KAAK,SAAS,IADT,SAAS,eAAe,CAAC,UAAU,YAAY,CAAC,MAC/B;EAErC,MAAM,UAAU,KAAK,KAAK;EAC1B,IAAI,UAAU;EACd,IAAI,YAAY;EAChB,IAAI,eAAe;AAEnB,MAAI;AACF,OAAI;AACF,UAAM,SAAS,IAAI,cAAc,QAAQA,UAAY,iBAAiB;YAC/D,KAAK;AACZ,UAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,QAAI,KAAK;KAAE;KAAK,QAAQ,IAAI;KAAc;KAAQ,EAAE,yCAAyC;AAC7F,WAAO,EAAE,KAAK;KAAE,IAAI;KAAO,OAAO;MAAE,MAAM;MAAiB,SAAS;MAA8B;KAAE,EAAE,IAAI;;AAG5G,OAAI,eAAe,aAAa;AAE9B,gBAAY,MAAM,KAAK,eAAe,CAAC,WAAW,KAAK,CAAC,YAAY,MAAM;AAC1E,QAAI;AACF,WAAM,OAAO,QAAQ,eAAe;aAC7B,KAAK;AACZ,WAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,SAAI,KAAK;MAAE;MAAK,QAAQ;MAAgB,EAAE,uBAAuB;AACjE,YAAO,EAAE,KAAK;MAAE,IAAI;MAAO,OAAO;OAAE,MAAM;OAAiB,SAAS;OAA6B;MAAE,EAAE,IAAI;;cAElG,eAAe,SAAS;AAEjC,QAAI,MADiB,KAAK,eAAe,CAAC,WAAW,KAAK,CAAC,YAAY,MAAM,EACjE;AACV,WAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,YAAO,EAAE,KAAK;MAAE,IAAI;MAAO,OAAO;OAAE,MAAM;OAAsB,SAAS;OAA8B;MAAE,EAAE,IAAI;;AAEjH,QAAI;AACF,WAAM,KAAK,QAAQ,eAAe;AAClC,WAAM,OAAO,OAAO,CAAC,YAAY,GAAG;aAC7B,KAAK;AACZ,WAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,SAAI,KAAK;MAAE;MAAK,QAAQ;MAAgB,EAAE,kCAAkC;AAC5E,YAAO,EAAE,KAAK;MAAE,IAAI;MAAO,OAAO;OAAE,MAAM;OAAiB,SAAS;OAA6B;MAAE,EAAE,IAAI;;UAEtG;IAEL,MAAM,SAAS,MAAM,4BAA4B,QAAQ,eAAe;AACxE,QAAI,CAAC,OAAO,IAAI;AACd,WAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,SAAI,KAAK;MAAE,QAAQ;MAAgB,UAAU,OAAO;MAAU,EAAE,yCAAyC;AACzG,YAAO,EAAE,KAAK;MAAE,IAAI;MAAO,OAAO;OAAE,MAAM;OAAiB,SAAS;OAAsC;MAAE,EAAE,IAAI;;AAEpH,UAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,mBAAe,OAAO;AACtB,cAAU,OAAO,SAAS;;WAErB,KAAK;AACZ,SAAM,OAAO,OAAO,CAAC,YAAY,GAAG;AACpC,OAAI,MAAM,EAAE,KAAK,EAAE,iCAAiC;AACpD,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO;KAAE,MAAM;KAAiB,SAAS;KAAiB;IAAE,EAAE,IAAI;;EAG/F,IAAI;AACJ,MAAI;AACF,iBAAc,MAAM,KAAK,aAAa,EAAE;UAClC;AACN,gBAAa,KAAK,KAAK;;EAGzB,MAAM,eAAe,yBAAyB,eAAe,aAAa;AAE1E,wBAAsB,WAAW,GAAG;EACpC,MAAM,SAAS,sBAAsB,SAAS;GAC5C,cAAc;GACd,YAAY,cAAc,KAAA;GAC1B,OAAO;GACP,cAAc,0BAA0B,aAAa,MAAM;GAC5D,CAAC;EAEF,MAAM,cAAc,IAAI;EACxB,MAAM,qBAAqB,IAAI;AAE/B,UAAQ,KAAK,2BAA2B;GACtC,YAAY,cAAc,KAAA;GAC1B,uBAAuB;GACvB,cAAc;GACd,OAAO,WAAW;GAClB;GACA;GACD,CAAC;AAEF,MAAI,KACF;GACE;GACA,WAAW;GACX,oBAAoB,IAAI;GACxB;GACA;GACA,2BAA2B;GAC3B,OAAO,WAAW;GAClB;GACA;GACA,YAAY,KAAK,KAAK,GAAG;GAC1B,EACD,kCACD;AAED,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,uBAAuB;IACvB,cAAc;IACd,aAAa,WAAW;IACxB,oBAAoB,IAAI;IACxB;IACA;IACA;IACA;IACA,SAAS;IACT,cAAc,OAAO;IACtB;GACF,CAAC;GACF;;;;;AAMF,eAAc,IAAI,6BAA6B,OAAO,MAAM;EAC1D,MAAM,UAAU,OAAO,EAAE,IAAI,MAAM,OAAO,KAAK,WAAW,EAAE,IAAI,MAAM,OAAO,GAAI;AACjF,MAAI,CAAC,QAAQ,MAAM,CACjB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,MAAM,MAAM,yBAAyB,eAAe,QAAQ;AAC5D,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,IAAI;UACd;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;AAEpE,MAAI,CAAC,GAAG,QAAQ,CACd,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,cAAc;GAAE,EAAE,IAAI;EA6BrE,MAAM,cAAc;GAzBlB,KAAK;GACL,KAAK;GACL,MAAM;GACN,KAAK;GACL,MAAM;GACN,KAAK;GACL,KAAK;GACL,KAAK;GACL,MAAM;GACN,MAAM;GACN,MAAM;GACN,KAAK;GACL,IAAI;GACJ,MAAM;GACN,MAAM;GACN,KAAK;GACL,IAAI;GACJ,IAAI;GACJ,KAAK;GACL,KAAK;GACL,KAAK;GACL,MAAM;GACN,KAAK;GACL,KAAK;GAEsB,CA3BjB,QAAQ,MAAM,IAAI,CAAC,KAAK,EAAE,aAAa,IAAI,OA2BjB;AACtC,MAAI;GACF,MAAM,MAAM,MAAM,SAAS,IAAI;AAC/B,UAAO,IAAI,SAAS,KAAK,EACvB,SAAS;IACP,gBAAgB;IAChB,iBAAiB;IAClB,EACF,CAAC;UACI;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,eAAe;IAAE,EAAE,IAAI;;GAEtE;AAEF,eAAc,IAAI,+BAA+B,OAAO,MAAM;EAC5D,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,IAAI;AACJ,MAAI;AACF,UAAO,MAAM,EAAE,IAAI,MAAM;UACnB;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,gBAAgB;IAAE,EAAE,IAAI;;EAEvE,MAAM,UACJ,OAAO,SAAS,YAChB,SAAS,QACT,UAAU,QACV,OAAQ,KAA2B,SAAS,WACvC,KAA0B,OAC3B;EACN,MAAM,UACJ,OAAO,SAAS,YAChB,SAAS,QACT,aAAa,QACb,OAAQ,KAA8B,YAAY,WAC7C,KAA6B,UAC9B;AACN,MAAI,CAAC,QAAQ,MAAM,CACjB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,MAAM,MAAM,yBAAyB,eAAe,QAAQ;AAC5D,MAAI,CAAC,IACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,IAAI;UACd;AACN,QAAK,KAAA;;AAEP,MAAI,MAAM,CAAC,GAAG,QAAQ,CACpB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,cAAc;GAAE,EAAE,IAAI;AAErE,MAAI;AACF,SAAM,UAAU,KAAK,SAAS,QAAQ;GACtC,IAAI;AACJ,OAAI;AACF,eAAW,MAAM,KAAK,IAAI,EAAE;WACtB;AACN,cAAU,KAAK,KAAK;;AAEtB,UAAO,EAAE,KAAK;IACZ,IAAI;IACJ,SAAS;KAAE,MAAM,yBAAyB,eAAe,IAAI;KAAE;KAAS;IACzE,CAAC;WACK,KAAK;AACZ,OAAI,MAAM;IAAE;IAAK,MAAM;IAAK,EAAE,gCAAgC;AAC9D,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,gBAAgB;IAAE,EAAE,IAAI;;GAEvE;AAEF,eAAc,IAAI,gCAAgC,OAAO,MAAM;EAC7D,MAAM,IAAI,OAAO,EAAE,IAAI,MAAM,IAAI,KAAK,WAAW,EAAE,IAAI,MAAM,IAAI,CAAE,MAAM,GAAG;EAC5E,MAAM,SAAS,OAAO,EAAE,IAAI,MAAM,MAAM,KAAK,WAAW,EAAE,IAAI,MAAM,MAAM,GAAI;AAC9E,MAAI,CAAC,EACH,QAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS,EAAE,SAAS,EAAE,EAA2G;GAClI,CAAC;EAEJ,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAEnE,MAAM,gBAAgB,GAAG;EACzB,MAAM,SAAS,yBAAyB,eAAe,OAAO;AAC9D,MAAI,CAAC,OACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,gBAAgB;GAAE,EAAE,IAAI;EAEvE,IAAI;AACJ,MAAI;AACF,QAAK,MAAM,KAAK,OAAO;UACjB;AACN,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,EAAE,SAAS,aAAa;IAAE,EAAE,IAAI;;AAEpE,MAAI,CAAC,GAAG,aAAa,CACnB,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,mBAAmB;GAAE,EAAE,IAAI;EAG1E,MAAM,WAAU,MADE,sBAAsB,GAAG,OAAO,EAE/C,QAAQ,MAAM,qBAAqB,eAAe,EAAE,SAAS,CAAC,CAC9D,KAAK,OAAO;GACX,GAAG;GACH,UAAU,yBAAyB,eAAe,QAAQ,EAAE,SAAS,CAAC;GACvE,EAAE;AACL,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS,EAAE,SAAS;GAAE,CAAC;GACjD;;AAGF,eAAc,IAAI,sCAAsC,OAAO,MAAM;EACnE,MAAM,IAAI,OAAO,EAAE,IAAI,MAAM,IAAI,KAAK,WAAW,EAAE,IAAI,MAAM,IAAI,CAAE,MAAM,GAAG;EAC5E,MAAM,WAAW,EAAE,IAAI,MAAM,QAAQ;EACrC,MAAM,QAAQ,KAAK,IACjB,KAAK,IAAI,SAAS,OAAO,aAAa,WAAW,WAAW,MAAM,GAAG,IAAI,IAAI,EAAE,EAC/E,sBACD;EAED,MAAM,KAAK,MAAM,gCACf,SACA,QAAQ,eACR,EAAE,IAAI,MAAM,aAAa,EACzB,EAAE,IAAI,MAAM,UAAU,CACvB;AACD,MAAI,GAAG,OAAO,MACZ,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,EAAE,SAAS,GAAG,SAAS;GAAE,EAAE,IAAI;EAGnE,MAAM,UAAU,MAAM,0BAA0B,GAAG,MAAM,GAAG,MAAM;AAClE,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS,EAAE,SAAS;GAAE,CAAC;GACjD"}

package/dist/src/gateway/hono/sse.js CHANGED Viewed

@@ -1,8 +1,8 @@
-import { buildSessionKey, init_session_key, parseSessionKey } from "../../routing/session-key.js";
-import { getDefaultAgentId, init_resolve_route } from "../../routing/resolve-route.js";
 import { updateAsyncLogContext } from "../../utils/logger/context.js";
 import { createLogger } from "../../utils/logger/index.js";
 import { init_logger } from "../../utils/logger.js";
+import { buildSessionKey, init_session_key, parseSessionKey } from "../../routing/session-key.js";
+import { getDefaultAgentId, init_resolve_route } from "../../routing/resolve-route.js";
 import { MAX_WEBCHAT_ATTACHMENT_FILE_BYTES } from "../chat-limits.js";
 import { stringifySSEData } from "./sse-json.js";
 import { randomUUID } from "node:crypto";

package/dist/src/gateway/index.d.ts CHANGED Viewed

@@ -12,4 +12,4 @@ export { isLoopbackHost, isAllInterfacesHost, buildDefaultCorsOrigins, resolveEf
 export { resolveGatewayListenHost, resolveGatewayListenPlan, } from './listen.js';
 export { resolveGatewayBindMode, resolveGatewayBindHost, resolveGatewayBindHostSync, resolveGatewayEffectiveHost, defaultGatewayBindMode, isContainerEnvironment, } from '../config/gateway-bind.js';
 export { isSecureWebSocketUrl, assertSecureWebSocketUrl, assertSecureGatewayHttpUrl, isInsecurePrivateWsAllowed, } from './ws-security.js';
-export { isGatewayStrictSecurityEnabled, buildBrowserOriginRateLimitKey, resolveAuthRateLimitTracking, resetAuthRateLimitersForTests, } from './auth-rate-limit.js';
+export { isGatewayStrictSecurityEnabled, buckets } from './rate-limit/index.js';

package/dist/src/gateway/index.js CHANGED Viewed

@@ -1,8 +1,10 @@
 import { buildDefaultCorsOrigins, isAllInterfacesHost, isLoopbackHost, resolveEffectiveGatewayPort, resolveGatewayServiceListenPort } from "./host.js";
 import { defaultGatewayBindMode, isContainerEnvironment, resolveGatewayBindHost, resolveGatewayBindHostSync, resolveGatewayBindMode, resolveGatewayEffectiveHost } from "../config/gateway-bind.js";
-import { buildBrowserOriginRateLimitKey, isGatewayStrictSecurityEnabled, resetAuthRateLimitersForTests, resolveAuthRateLimitTracking } from "./auth-rate-limit.js";
 import { assertGatewayAuthConfigured, extractToken, resolveGatewayAuth, validateToken } from "./auth.js";
 import { resolveGatewayListenHost, resolveGatewayListenPlan } from "./listen.js";
+import { buckets } from "./rate-limit/buckets.js";
+import { isGatewayStrictSecurityEnabled } from "./rate-limit/env-flags.js";
+import "./rate-limit/index.js";
 import { assertGatewayRuntimeConfig } from "./runtime-config.js";
 import { restartGatewayProcessWithFreshPid } from "./respawn.js";
 import { GatewayService } from "./service.js";
@@ -15,4 +17,4 @@ import { checkPortAvailable, forceFreePortAndWait, listPortListeners, parseLsofO
 import { apiError, apiOk } from "./protocol.js";
 import "./hono/index.js";
 import { assertSecureGatewayHttpUrl, assertSecureWebSocketUrl, isInsecurePrivateWsAllowed, isSecureWebSocketUrl } from "./ws-security.js";
-export { GatewayLockError, GatewayServer, GatewayService, acquireGatewayLock, apiError, apiOk, assertGatewayAuthConfigured, assertGatewayRuntimeConfig, assertSecureGatewayHttpUrl, assertSecureWebSocketUrl, buildBrowserOriginRateLimitKey, buildDefaultCorsOrigins, checkPortAvailable, createAgentResumeHandler, createAgentSSEHandler, createEventsSSEHandler, createHonoApp, createSendHandler, defaultGatewayBindMode, extractToken, forceFreePortAndWait, isAllInterfacesHost, isContainerEnvironment, isGatewayStrictSecurityEnabled, isInsecurePrivateWsAllowed, isLoopbackHost, isSecureWebSocketUrl, listPortListeners, parseLsofOutput, resetAuthRateLimitersForTests, resolveAuthRateLimitTracking, resolveEffectiveGatewayPort, resolveGatewayAuth, resolveGatewayBindHost, resolveGatewayBindHostSync, resolveGatewayBindMode, resolveGatewayEffectiveHost, resolveGatewayListenHost, resolveGatewayListenPlan, resolveGatewayServiceListenPort, restartGatewayProcessWithFreshPid, runGatewayLoop, validateToken };
+export { GatewayLockError, GatewayServer, GatewayService, acquireGatewayLock, apiError, apiOk, assertGatewayAuthConfigured, assertGatewayRuntimeConfig, assertSecureGatewayHttpUrl, assertSecureWebSocketUrl, buckets, buildDefaultCorsOrigins, checkPortAvailable, createAgentResumeHandler, createAgentSSEHandler, createEventsSSEHandler, createHonoApp, createSendHandler, defaultGatewayBindMode, extractToken, forceFreePortAndWait, isAllInterfacesHost, isContainerEnvironment, isGatewayStrictSecurityEnabled, isInsecurePrivateWsAllowed, isLoopbackHost, isSecureWebSocketUrl, listPortListeners, parseLsofOutput, resolveEffectiveGatewayPort, resolveGatewayAuth, resolveGatewayBindHost, resolveGatewayBindHostSync, resolveGatewayBindMode, resolveGatewayEffectiveHost, resolveGatewayListenHost, resolveGatewayListenPlan, resolveGatewayServiceListenPort, restartGatewayProcessWithFreshPid, runGatewayLoop, validateToken };

package/dist/src/gateway/lock.js CHANGED Viewed

@@ -1,9 +1,9 @@
-import path from "node:path";
-import fsSync from "node:fs";
 import { createHash } from "node:crypto";
+import fsSync from "node:fs";
 import fs from "node:fs/promises";
-import net from "node:net";
+import path from "node:path";
 import { homedir } from "os";
+import net from "node:net";
 //#region src/gateway/lock.ts
 /**
 * Gateway Lock - Prevents multiple gateway instances from running simultaneously

package/dist/src/gateway/rate-limit/auth-policy.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * Auth-failure rate-limit policy: how to derive a tracking key from a request,
+ * and whether a given client should be exempted before counting.
+ *
+ * The {@link FailureLimiter} primitive is intentionally policy-free — this
+ * module is the only place that knows about IPs, browser origins, and the
+ * loopback exemption. Adding a new exemption rule (e.g. private CIDRs) means
+ * editing this file alone; the limiter primitive does not change.
+ */
+export type AuthRateLimitPolicyConfig = {
+    enabled: boolean;
+    exemptLoopback: boolean;
+};
+/**
+ * `key` is `''` when `exempt` is true. We use a flat shape rather than a
+ * tagged union because the project's tsconfig has `strict: false`, which
+ * disables boolean-discriminator narrowing.
+ */
+export type AuthRateLimitTracking = {
+    exempt: boolean;
+    key: string;
+};
+/**
+ * Decide whether to track this client and, if so, what key identifies them.
+ * Browser clients are tracked separately (origin + IP) so a rogue `<iframe>`
+ * cannot piggyback on a CLI client's bucket and DoS it.
+ */
+export declare function resolveAuthTracking(params: {
+    clientIp: string;
+    origin?: string | null;
+    cfg: AuthRateLimitPolicyConfig;
+}): AuthRateLimitTracking;
+/** Browser-tracking key format. Stable across reloads — survives state replay. */
+export declare function buildBrowserOriginKey(origin: string, clientIp: string): string;

package/dist/src/gateway/rate-limit/auth-policy.js ADDED Viewed

@@ -0,0 +1,49 @@
+import { isLoopbackClientIp, isLoopbackEmbeddedBrowserClient } from "../security/loopback.js";
+//#region src/gateway/rate-limit/auth-policy.ts
+/**
+* Auth-failure rate-limit policy: how to derive a tracking key from a request,
+* and whether a given client should be exempted before counting.
+*
+* The {@link FailureLimiter} primitive is intentionally policy-free — this
+* module is the only place that knows about IPs, browser origins, and the
+* loopback exemption. Adding a new exemption rule (e.g. private CIDRs) means
+* editing this file alone; the limiter primitive does not change.
+*/
+/**
+* Decide whether to track this client and, if so, what key identifies them.
+* Browser clients are tracked separately (origin + IP) so a rogue `<iframe>`
+* cannot piggyback on a CLI client's bucket and DoS it.
+*/
+function resolveAuthTracking(params) {
+	if (!params.cfg.enabled) return {
+		exempt: true,
+		key: ""
+	};
+	const origin = params.origin?.trim();
+	if (origin) {
+		if (isLoopbackEmbeddedBrowserClient(origin, params.clientIp) && params.cfg.exemptLoopback) return {
+			exempt: true,
+			key: ""
+		};
+		return {
+			exempt: false,
+			key: buildBrowserOriginKey(origin, params.clientIp)
+		};
+	}
+	if (params.cfg.exemptLoopback && isLoopbackClientIp(params.clientIp)) return {
+		exempt: true,
+		key: ""
+	};
+	return {
+		exempt: false,
+		key: params.clientIp
+	};
+}
+/** Browser-tracking key format. Stable across reloads — survives state replay. */
+function buildBrowserOriginKey(origin, clientIp) {
+	return `browser-origin:${origin.trim().toLowerCase()}|${clientIp.trim()}`;
+}
+//#endregion
+export { buildBrowserOriginKey, resolveAuthTracking };
+//# sourceMappingURL=auth-policy.js.map