npm - @xopcai/xopc - Versions diffs - 0.0.90 → 0.0.92 - Mend

@xopcai/xopc 0.0.90 → 0.0.92

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/src/gateway/hono/middleware/auth.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/auth.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\n\nimport type { GatewayAuthConfig } from '../../../config/schema.js';\nimport type { ResolvedGatewayAuth } from '../../auth.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport {\n authPolicyConfig,\n buckets,\n isAuthRateLimitGloballyDisabled,\n resolveAuthRateLimit,\n resolveAuthTracking,\n type ResolvedAuthRateLimitConfig,\n} from '../../rate-limit/index.js';\nimport { getClientIpFromHeaders } from '../../security/loopback.js';\nimport { safeEqualSecret } from '../../security/secret-equal.js';\nimport { authorizeTrustedProxy } from '../../trusted-proxy.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Auth');\n\nexport interface AuthConfig {\n token?: string;\n /** Current gateway auth from config (for rate-limit settings); optional. /\n getGatewayAuth?: () => GatewayAuthConfig \| undefined;\n getResolvedAuth?: () => ResolvedGatewayAuth;\n getTrustedProxyContext?: () => {\n trustedProxies?: string[];\n allowRealIpFallback?: boolean;\n };\n}\n\nfunction validateToken(providedToken: string \| undefined, expectedToken: string): boolean {\n if (!providedToken) return false;\n return safeEqualSecret(providedToken, expectedToken);\n}\n\nfunction extractTokenFromHeader(authHeader: string \| null): string \| null {\n if (!authHeader) return null;\n const parts = authHeader.split(' ');\n if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') return parts[1];\n return authHeader;\n}\n\n/\n SECURITY: query-string tokens leak into server logs, Referer headers, and\n * browser history. We accept them only where the `Authorization` header cannot\n * be set — SSE/WebSocket (`EventSource`) and `<img>` subresource loads for agent\n * avatars. For normal REST requests prefer the `Authorization: Bearer <token>`\n * header.\n /\nfunction extractTokenFromQuery(url: string): string \| null {\n return new URL(url).searchParams.get('token');\n}\n\nconst QUERY_TOKEN_ALLOWED_PATHS = new Set(['/api/events', '/api/ws']);\n\nconst AGENT_AVATAR_GET_PATH = /^\\/api\\/agents\\/[^/]+\\/avatar$/;\n\n/* Exported for gateway security tests. /\nexport function isQueryTokenAllowedPath(path: string, method: string): boolean {\n if (QUERY_TOKEN_ALLOWED_PATHS.has(path) \|\| path.startsWith('/api/events')) {\n return true;\n }\n // `<img src>` cannot send Bearer tokens; gateway console loads custom avatars here.\n if (method === 'GET' && AGENT_AVATAR_GET_PATH.test(path)) {\n return true;\n }\n return false;\n}\n\nfunction resolveRemoteAddress(c: Context): string \| undefined {\n try {\n return getConnInfo(c).remote.address;\n } catch {\n return undefined;\n }\n}\n\nfunction resolveMiddlewareClientIp(\n c: Context,\n trustedProxies?: string[],\n allowRealIpFallback?: boolean,\n): string {\n if (trustedProxies?.length) {\n return resolveClientIpFromRequest({\n remoteAddress: resolveRemoteAddress(c),\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n allowRealIpFallback,\n });\n }\n return getClientIpFromHeaders({\n get: (name: string) => c.req.header(name) ?? undefined,\n });\n}\n\ntype RateLimitContext = {\n active: boolean;\n cfg: ResolvedAuthRateLimitConfig;\n /* `undefined` when the client is exempted (loopback, disabled, etc.). */\n trackingKey: string \| undefined;\n};\n\nfunction buildRateLimitContext(\n getGatewayAuth: AuthConfig['getGatewayAuth'],\n clientIp: string,\n origin: string \| undefined,\n): RateLimitContext {\n const cfg = resolveAuthRateLimit(getGatewayAuth?.()?.rateLimit);\n const active = cfg.enabled && !isAuthRateLimitGloballyDisabled();\n if (!active) return { active: false, cfg, trackingKey: undefined };\n const tracking = resolveAuthTracking({ clientIp, origin, cfg: authPolicyConfig(cfg) });\n return {\n active: true,\n cfg,\n trackingKey: tracking.exempt ? undefined : tracking.key,\n };\n}\n\nfunction checkBlocked(rl: RateLimitContext): { blocked: false } \| { blocked: true; retryAfterSec: number } {\n if (!rl.active \|\| rl.trackingKey === undefined) return { blocked: false };\n return buckets.authFailure(rl.cfg).check(rl.trackingKey);\n}\n\nfunction recordFailure(rl: RateLimitContext): void {\n if (!rl.active \|\| rl.trackingKey === undefined) return;\n buckets.authFailure(rl.cfg).fail(rl.trackingKey);\n}\n\nfunction recordSuccess(rl: RateLimitContext): void {\n if (!rl.active \|\| rl.trackingKey === undefined) return;\n buckets.authFailure(rl.cfg).succeed(rl.trackingKey);\n}\n\nfunction blockedResponse(c: Context, retryAfterSec: number) {\n c.header('Retry-After', String(retryAfterSec));\n return c.json(\n {\n error: 'Too Many Requests',\n code: 'auth_blocked',\n message: 'Too many authentication attempts',\n retryAfter: retryAfterSec,\n },\n 429,\n );\n}\n\nexport function auth(config?: AuthConfig) {\n const { token, getGatewayAuth, getResolvedAuth, getTrustedProxyContext } = config \|\| {};\n\n return createMiddleware(async (c, next) => {\n const resolvedAuth = getResolvedAuth?.();\n const authMode = resolvedAuth?.mode ?? (token ? 'token' : 'none');\n\n if (authMode === 'trusted-proxy') {\n const proxyContext = getTrustedProxyContext?.();\n const trustedProxies = proxyContext?.trustedProxies;\n const trustedProxyConfig = resolvedAuth?.trustedProxy;\n\n const clientIp = resolveMiddlewareClientIp(c, trustedProxies, proxyContext?.allowRealIpFallback);\n const origin = c.req.header('origin');\n const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);\n\n // Server misconfiguration — not an attack signal. Don't count.\n if (!trustedProxyConfig) {\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'trusted_proxy_config_missing' },\n 'HTTP auth rejected: trusted-proxy config missing',\n );\n return c.json(\n { error: 'Unauthorized', code: 'auth_unconfigured', message: 'Trusted-proxy auth is not configured' },\n 401,\n );\n }\n\n const blocked = checkBlocked(rl);\n if (blocked.blocked) {\n log.warn(\n { clientIp, origin: origin ?? undefined, path: c.req.path, method: c.req.method, retryAfterSec: blocked.retryAfterSec, reason: 'auth_blocked' },\n 'Auth rate limit blocked',\n );\n return blockedResponse(c, blocked.retryAfterSec);\n }\n\n const result = authorizeTrustedProxy({\n remoteAddress: resolveRemoteAddress(c),\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n trustedProxyConfig,\n });\n\n if (result.ok === false) {\n recordFailure(rl);\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: result.reason },\n `HTTP auth rejected: trusted-proxy validation failed (${result.reason})`,\n );\n return c.json(\n { error: 'Unauthorized', code: 'invalid_proxy_credentials', message: 'Trusted-proxy authentication failed' },\n 401,\n );\n }\n\n recordSuccess(rl);\n await next();\n return;\n }\n\n if (authMode === 'none' \|\| !token) {\n return next();\n }\n\n const proxyContext = getTrustedProxyContext?.();\n const clientIp = resolveMiddlewareClientIp(c, proxyContext?.trustedProxies, proxyContext?.allowRealIpFallback);\n const origin = c.req.header('origin');\n const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);\n\n const authHeader = extractTokenFromHeader(c.req.header('authorization'));\n const requestPath = new URL(c.req.url).pathname;\n const queryToken = isQueryTokenAllowedPath(requestPath, c.req.method)\n ? extractTokenFromQuery(c.req.url)\n : null;\n\n if (!authHeader && queryToken === null && new URL(c.req.url).searchParams.has('token')) {\n log.warn(\n { path: requestPath, method: c.req.method, clientIp },\n 'Token in query string rejected: use Authorization header for this endpoint',\n );\n }\n\n const providedToken = authHeader \|\| queryToken;\n\n if (providedToken && validateToken(providedToken, token)) {\n recordSuccess(rl);\n await next();\n return;\n }\n\n const blocked = checkBlocked(rl);\n if (blocked.blocked) {\n log.warn(\n { clientIp, origin: origin ?? undefined, path: requestPath, method: c.req.method, retryAfterSec: blocked.retryAfterSec, reason: 'auth_blocked' },\n 'Auth rate limit blocked',\n );\n return blockedResponse(c, blocked.retryAfterSec);\n }\n\n // Missing token is an unauthenticated request, not a brute-force signal —\n // page reloads / SDK cold starts often hit endpoints before the token is\n // attached. Counting this would lock users out of the token-entry path.\n if (!providedToken) {\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'missing_token' },\n 'HTTP auth rejected: no Bearer or ?token=',\n );\n return c.json(\n { error: 'Unauthorized', code: 'missing_token', message: 'Missing authentication token' },\n 401,\n );\n }\n\n recordFailure(rl);\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'invalid_token' },\n 'HTTP auth rejected: token mismatch',\n );\n return c.json(\n { error: 'Unauthorized', code: 'invalid_token', message: 'Invalid authentication token' },\n 401,\n );\n });\n}\n"],"mappings":";;;;;;;;;;;;;aAkBwD;AAExD,MAAM,MAAM,aAAa,YAAY;AAarC,SAAS,cAAc,eAAmC,eAAgC;AACxF,KAAI,CAAC,cAAe,QAAO;AAC3B,QAAO,gBAAgB,eAAe,cAAc;;AAGtD,SAAS,uBAAuB,YAA0C;AACxE,KAAI,CAAC,WAAY,QAAO;CACxB,MAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,KAAI,MAAM,WAAW,KAAK,MAAM,GAAG,aAAa,KAAK,SAAU,QAAO,MAAM;AAC5E,QAAO;;;;;;;;;AAUT,SAAS,sBAAsB,KAA4B;AACzD,QAAO,IAAI,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ;;AAG/C,MAAM,4BAA4B,IAAI,IAAI,CAAC,eAAe,UAAU,CAAC;AAErE,MAAM,wBAAwB;;AAG9B,SAAgB,wBAAwB,MAAc,QAAyB;AAC7E,KAAI,0BAA0B,IAAI,KAAK,IAAI,KAAK,WAAW,cAAc,CACvE,QAAO;AAGT,KAAI,WAAW,SAAS,sBAAsB,KAAK,KAAK,CACtD,QAAO;AAET,QAAO;;AAGT,SAAS,qBAAqB,GAAgC;AAC5D,KAAI;AACF,SAAO,YAAY,EAAE,CAAC,OAAO;SACvB;AACN;;;AAIJ,SAAS,0BACP,GACA,gBACA,qBACQ;AACR,KAAI,gBAAgB,OAClB,QAAO,2BAA2B;EAChC,eAAe,qBAAqB,EAAE;EACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;EACvC;EACA;EACD,CAAC;AAEJ,QAAO,uBAAuB,EAC5B,MAAM,SAAiB,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAC9C,CAAC;;AAUJ,SAAS,sBACP,gBACA,UACA,QACkB;CAClB,MAAM,MAAM,qBAAqB,kBAAkB,EAAE,UAAU;AAE/D,KAAI,EADW,IAAI,WAAW,CAAC,iCAAiC,EACnD,QAAO;EAAE,QAAQ;EAAO;EAAK,aAAa,KAAA;EAAW;CAClE,MAAM,WAAW,oBAAoB;EAAE;EAAU;EAAQ,KAAK,iBAAiB,IAAI;EAAE,CAAC;AACtF,QAAO;EACL,QAAQ;EACR;EACA,aAAa,SAAS,SAAS,KAAA,IAAY,SAAS;EACrD;;AAGH,SAAS,aAAa,IAAqF;AACzG,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW,QAAO,EAAE,SAAS,OAAO;AACzE,QAAO,QAAQ,YAAY,GAAG,IAAI,CAAC,MAAM,GAAG,YAAY;;AAG1D,SAAS,cAAc,IAA4B;AACjD,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW;AAChD,SAAQ,YAAY,GAAG,IAAI,CAAC,KAAK,GAAG,YAAY;;AAGlD,SAAS,cAAc,IAA4B;AACjD,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW;AAChD,SAAQ,YAAY,GAAG,IAAI,CAAC,QAAQ,GAAG,YAAY;;AAGrD,SAAS,gBAAgB,GAAY,eAAuB;AAC1D,GAAE,OAAO,eAAe,OAAO,cAAc,CAAC;AAC9C,QAAO,EAAE,KACP;EACE,OAAO;EACP,MAAM;EACN,SAAS;EACT,YAAY;EACb,EACD,IACD;;AAGH,SAAgB,KAAK,QAAqB;CACxC,MAAM,EAAE,OAAO,gBAAgB,iBAAiB,2BAA2B,UAAU,EAAE;AAEvF,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,eAAe,mBAAmB;EACxC,MAAM,WAAW,cAAc,SAAS,QAAQ,UAAU;AAE1D,MAAI,aAAa,iBAAiB;GAChC,MAAM,eAAe,0BAA0B;GAC/C,MAAM,iBAAiB,cAAc;GACrC,MAAM,qBAAqB,cAAc;GAEzC,MAAM,WAAW,0BAA0B,GAAG,gBAAgB,cAAc,oBAAoB;GAChG,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;GACrC,MAAM,KAAK,sBAAsB,gBAAgB,UAAU,OAAO;AAGlE,OAAI,CAAC,oBAAoB;AACvB,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ;KAAgC,EAC5F,mDACD;AACD,WAAO,EAAE,KACP;KAAE,OAAO;KAAgB,MAAM;KAAqB,SAAS;KAAwC,EACrG,IACD;;GAGH,MAAM,UAAU,aAAa,GAAG;AAChC,OAAI,QAAQ,SAAS;AACnB,QAAI,KACF;KAAE;KAAU,QAAQ,UAAU,KAAA;KAAW,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ,eAAe,QAAQ;KAAe,QAAQ;KAAgB,EAC/I,0BACD;AACD,WAAO,gBAAgB,GAAG,QAAQ,cAAc;;GAGlD,MAAM,SAAS,sBAAsB;IACnC,eAAe,qBAAqB,EAAE;IACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;IACvC;IACA;IACD,CAAC;AAEF,OAAI,OAAO,OAAO,OAAO;AACvB,kBAAc,GAAG;AACjB,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ,OAAO;KAAQ,EAC3E,wDAAwD,OAAO,OAAO,GACvE;AACD,WAAO,EAAE,KACP;KAAE,OAAO;KAAgB,MAAM;KAA6B,SAAS;KAAuC,EAC5G,IACD;;AAGH,iBAAc,GAAG;AACjB,SAAM,MAAM;AACZ;;AAGF,MAAI,aAAa,UAAU,CAAC,MAC1B,QAAO,MAAM;EAGf,MAAM,eAAe,0BAA0B;EAC/C,MAAM,WAAW,0BAA0B,GAAG,cAAc,gBAAgB,cAAc,oBAAoB;EAC9G,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;EACrC,MAAM,KAAK,sBAAsB,gBAAgB,UAAU,OAAO;EAElE,MAAM,aAAa,uBAAuB,EAAE,IAAI,OAAO,gBAAgB,CAAC;EACxE,MAAM,cAAc,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC;EACvC,MAAM,aAAa,wBAAwB,aAAa,EAAE,IAAI,OAAO,GACjE,sBAAsB,EAAE,IAAI,IAAI,GAChC;AAEJ,MAAI,CAAC,cAAc,eAAe,QAAQ,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ,CACpF,KAAI,KACF;GAAE,MAAM;GAAa,QAAQ,EAAE,IAAI;GAAQ;GAAU,EACrD,6EACD;EAGH,MAAM,gBAAgB,cAAc;AAEpC,MAAI,iBAAiB,cAAc,eAAe,MAAM,EAAE;AACxD,iBAAc,GAAG;AACjB,SAAM,MAAM;AACZ;;EAGF,MAAM,UAAU,aAAa,GAAG;AAChC,MAAI,QAAQ,SAAS;AACnB,OAAI,KACF;IAAE;IAAU,QAAQ,UAAU,KAAA;IAAW,MAAM;IAAa,QAAQ,EAAE,IAAI;IAAQ,eAAe,QAAQ;IAAe,QAAQ;IAAgB,EAChJ,0BACD;AACD,UAAO,gBAAgB,GAAG,QAAQ,cAAc;;AAMlD,MAAI,CAAC,eAAe;AAClB,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,2CACD;AACD,UAAO,EAAE,KACP;IAAE,OAAO;IAAgB,MAAM;IAAiB,SAAS;IAAgC,EACzF,IACD;;AAGH,gBAAc,GAAG;AACjB,MAAI,KACF;GAAE,MAAM,EAAE,IAAI;GAAM,QAAQ,EAAE,IAAI;GAAQ;GAAU,QAAQ;GAAiB,EAC7E,qCACD;AACD,SAAO,EAAE,KACP;GAAE,OAAO;GAAgB,MAAM;GAAiB,SAAS;GAAgC,EACzF,IACD;GACD"}
1	+ {"version":3,"file":"auth.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/auth.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { Context } from 'hono';\nimport { getConnInfo } from '@hono/node-server/conninfo';\n\nimport type { GatewayAuthConfig } from '../../../config/schema.js';\nimport type { ResolvedGatewayAuth } from '../../auth.js';\nimport { resolveClientIpFromRequest } from '../../client-ip.js';\nimport {\n authPolicyConfig,\n buckets,\n isAuthRateLimitGloballyDisabled,\n resolveAuthRateLimit,\n resolveAuthTracking,\n type ResolvedAuthRateLimitConfig,\n} from '../../rate-limit/index.js';\nimport { getClientIpFromHeaders } from '../../security/loopback.js';\nimport { safeEqualSecret } from '../../security/secret-equal.js';\nimport { authorizeTrustedProxy } from '../../trusted-proxy.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Auth');\n\nexport interface AuthConfig {\n token?: string;\n /** Current gateway auth from config (for rate-limit settings); optional. /\n getGatewayAuth?: () => GatewayAuthConfig \| undefined;\n getResolvedAuth?: () => ResolvedGatewayAuth;\n getTrustedProxyContext?: () => {\n trustedProxies?: string[];\n allowRealIpFallback?: boolean;\n };\n}\n\nfunction validateToken(providedToken: string \| undefined, expectedToken: string): boolean {\n if (!providedToken) return false;\n return safeEqualSecret(providedToken, expectedToken);\n}\n\nfunction extractTokenFromHeader(authHeader: string \| null): string \| null {\n if (!authHeader) return null;\n const parts = authHeader.split(' ');\n if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') return parts[1];\n return authHeader;\n}\n\n/\n SECURITY: query-string tokens leak into server logs, Referer headers, and\n * browser history. We accept them only where the `Authorization` header cannot\n * be set — SSE/WebSocket (`EventSource`) and `<img>` subresource loads for agent\n * avatars. Note media uses Bearer-authenticated blob fetch in the gateway console.\n /\nfunction extractTokenFromQuery(url: string): string \| null {\n return new URL(url).searchParams.get('token');\n}\n\nconst QUERY_TOKEN_ALLOWED_PATHS = new Set(['/api/events', '/api/ws']);\n\nconst AGENT_AVATAR_GET_PATH = /^\\/api\\/agents\\/[^/]+\\/avatar$/;\n\n/* Exported for gateway security tests. /\nexport function isQueryTokenAllowedPath(path: string, method: string): boolean {\n if (QUERY_TOKEN_ALLOWED_PATHS.has(path) \|\| path.startsWith('/api/events')) {\n return true;\n }\n if (method === 'GET' && AGENT_AVATAR_GET_PATH.test(path)) {\n return true;\n }\n return false;\n}\n\nfunction resolveRemoteAddress(c: Context): string \| undefined {\n try {\n return getConnInfo(c).remote.address;\n } catch {\n return undefined;\n }\n}\n\nfunction resolveMiddlewareClientIp(\n c: Context,\n trustedProxies?: string[],\n allowRealIpFallback?: boolean,\n): string {\n if (trustedProxies?.length) {\n return resolveClientIpFromRequest({\n remoteAddress: resolveRemoteAddress(c),\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n allowRealIpFallback,\n });\n }\n return getClientIpFromHeaders({\n get: (name: string) => c.req.header(name) ?? undefined,\n });\n}\n\ntype RateLimitContext = {\n active: boolean;\n cfg: ResolvedAuthRateLimitConfig;\n /* `undefined` when the client is exempted (loopback, disabled, etc.). */\n trackingKey: string \| undefined;\n};\n\nfunction buildRateLimitContext(\n getGatewayAuth: AuthConfig['getGatewayAuth'],\n clientIp: string,\n origin: string \| undefined,\n): RateLimitContext {\n const cfg = resolveAuthRateLimit(getGatewayAuth?.()?.rateLimit);\n const active = cfg.enabled && !isAuthRateLimitGloballyDisabled();\n if (!active) return { active: false, cfg, trackingKey: undefined };\n const tracking = resolveAuthTracking({ clientIp, origin, cfg: authPolicyConfig(cfg) });\n return {\n active: true,\n cfg,\n trackingKey: tracking.exempt ? undefined : tracking.key,\n };\n}\n\nfunction checkBlocked(rl: RateLimitContext): { blocked: false } \| { blocked: true; retryAfterSec: number } {\n if (!rl.active \|\| rl.trackingKey === undefined) return { blocked: false };\n return buckets.authFailure(rl.cfg).check(rl.trackingKey);\n}\n\nfunction recordFailure(rl: RateLimitContext): void {\n if (!rl.active \|\| rl.trackingKey === undefined) return;\n buckets.authFailure(rl.cfg).fail(rl.trackingKey);\n}\n\nfunction recordSuccess(rl: RateLimitContext): void {\n if (!rl.active \|\| rl.trackingKey === undefined) return;\n buckets.authFailure(rl.cfg).succeed(rl.trackingKey);\n}\n\nfunction blockedResponse(c: Context, retryAfterSec: number) {\n c.header('Retry-After', String(retryAfterSec));\n return c.json(\n {\n error: 'Too Many Requests',\n code: 'auth_blocked',\n message: 'Too many authentication attempts',\n retryAfter: retryAfterSec,\n },\n 429,\n );\n}\n\nexport function auth(config?: AuthConfig) {\n const { token, getGatewayAuth, getResolvedAuth, getTrustedProxyContext } = config \|\| {};\n\n return createMiddleware(async (c, next) => {\n const resolvedAuth = getResolvedAuth?.();\n const authMode = resolvedAuth?.mode ?? (token ? 'token' : 'none');\n\n if (authMode === 'trusted-proxy') {\n const proxyContext = getTrustedProxyContext?.();\n const trustedProxies = proxyContext?.trustedProxies;\n const trustedProxyConfig = resolvedAuth?.trustedProxy;\n\n const clientIp = resolveMiddlewareClientIp(c, trustedProxies, proxyContext?.allowRealIpFallback);\n const origin = c.req.header('origin');\n const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);\n\n // Server misconfiguration — not an attack signal. Don't count.\n if (!trustedProxyConfig) {\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'trusted_proxy_config_missing' },\n 'HTTP auth rejected: trusted-proxy config missing',\n );\n return c.json(\n { error: 'Unauthorized', code: 'auth_unconfigured', message: 'Trusted-proxy auth is not configured' },\n 401,\n );\n }\n\n const blocked = checkBlocked(rl);\n if (blocked.blocked) {\n log.warn(\n { clientIp, origin: origin ?? undefined, path: c.req.path, method: c.req.method, retryAfterSec: blocked.retryAfterSec, reason: 'auth_blocked' },\n 'Auth rate limit blocked',\n );\n return blockedResponse(c, blocked.retryAfterSec);\n }\n\n const result = authorizeTrustedProxy({\n remoteAddress: resolveRemoteAddress(c),\n getHeader: (name) => c.req.header(name),\n trustedProxies,\n trustedProxyConfig,\n });\n\n if (result.ok === false) {\n recordFailure(rl);\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: result.reason },\n `HTTP auth rejected: trusted-proxy validation failed (${result.reason})`,\n );\n return c.json(\n { error: 'Unauthorized', code: 'invalid_proxy_credentials', message: 'Trusted-proxy authentication failed' },\n 401,\n );\n }\n\n recordSuccess(rl);\n await next();\n return;\n }\n\n if (authMode === 'none' \|\| !token) {\n return next();\n }\n\n const proxyContext = getTrustedProxyContext?.();\n const clientIp = resolveMiddlewareClientIp(c, proxyContext?.trustedProxies, proxyContext?.allowRealIpFallback);\n const origin = c.req.header('origin');\n const rl = buildRateLimitContext(getGatewayAuth, clientIp, origin);\n\n const authHeader = extractTokenFromHeader(c.req.header('authorization'));\n const requestPath = new URL(c.req.url).pathname;\n const queryToken = isQueryTokenAllowedPath(requestPath, c.req.method)\n ? extractTokenFromQuery(c.req.url)\n : null;\n\n if (!authHeader && queryToken === null && new URL(c.req.url).searchParams.has('token')) {\n log.warn(\n { path: requestPath, method: c.req.method, clientIp },\n 'Token in query string rejected: use Authorization header for this endpoint',\n );\n }\n\n const providedToken = authHeader \|\| queryToken;\n\n if (providedToken && validateToken(providedToken, token)) {\n recordSuccess(rl);\n await next();\n return;\n }\n\n const blocked = checkBlocked(rl);\n if (blocked.blocked) {\n log.warn(\n { clientIp, origin: origin ?? undefined, path: requestPath, method: c.req.method, retryAfterSec: blocked.retryAfterSec, reason: 'auth_blocked' },\n 'Auth rate limit blocked',\n );\n return blockedResponse(c, blocked.retryAfterSec);\n }\n\n // Missing token is an unauthenticated request, not a brute-force signal —\n // page reloads / SDK cold starts often hit endpoints before the token is\n // attached. Counting this would lock users out of the token-entry path.\n if (!providedToken) {\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'missing_token' },\n 'HTTP auth rejected: no Bearer or ?token=',\n );\n return c.json(\n { error: 'Unauthorized', code: 'missing_token', message: 'Missing authentication token' },\n 401,\n );\n }\n\n recordFailure(rl);\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'invalid_token' },\n 'HTTP auth rejected: token mismatch',\n );\n return c.json(\n { error: 'Unauthorized', code: 'invalid_token', message: 'Invalid authentication token' },\n 401,\n );\n });\n}\n"],"mappings":";;;;;;;;;;;;;aAkBwD;AAExD,MAAM,MAAM,aAAa,YAAY;AAarC,SAAS,cAAc,eAAmC,eAAgC;AACxF,KAAI,CAAC,cAAe,QAAO;AAC3B,QAAO,gBAAgB,eAAe,cAAc;;AAGtD,SAAS,uBAAuB,YAA0C;AACxE,KAAI,CAAC,WAAY,QAAO;CACxB,MAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,KAAI,MAAM,WAAW,KAAK,MAAM,GAAG,aAAa,KAAK,SAAU,QAAO,MAAM;AAC5E,QAAO;;;;;;;;AAST,SAAS,sBAAsB,KAA4B;AACzD,QAAO,IAAI,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ;;AAG/C,MAAM,4BAA4B,IAAI,IAAI,CAAC,eAAe,UAAU,CAAC;AAErE,MAAM,wBAAwB;;AAG9B,SAAgB,wBAAwB,MAAc,QAAyB;AAC7E,KAAI,0BAA0B,IAAI,KAAK,IAAI,KAAK,WAAW,cAAc,CACvE,QAAO;AAET,KAAI,WAAW,SAAS,sBAAsB,KAAK,KAAK,CACtD,QAAO;AAET,QAAO;;AAGT,SAAS,qBAAqB,GAAgC;AAC5D,KAAI;AACF,SAAO,YAAY,EAAE,CAAC,OAAO;SACvB;AACN;;;AAIJ,SAAS,0BACP,GACA,gBACA,qBACQ;AACR,KAAI,gBAAgB,OAClB,QAAO,2BAA2B;EAChC,eAAe,qBAAqB,EAAE;EACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;EACvC;EACA;EACD,CAAC;AAEJ,QAAO,uBAAuB,EAC5B,MAAM,SAAiB,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAC9C,CAAC;;AAUJ,SAAS,sBACP,gBACA,UACA,QACkB;CAClB,MAAM,MAAM,qBAAqB,kBAAkB,EAAE,UAAU;AAE/D,KAAI,EADW,IAAI,WAAW,CAAC,iCAAiC,EACnD,QAAO;EAAE,QAAQ;EAAO;EAAK,aAAa,KAAA;EAAW;CAClE,MAAM,WAAW,oBAAoB;EAAE;EAAU;EAAQ,KAAK,iBAAiB,IAAI;EAAE,CAAC;AACtF,QAAO;EACL,QAAQ;EACR;EACA,aAAa,SAAS,SAAS,KAAA,IAAY,SAAS;EACrD;;AAGH,SAAS,aAAa,IAAqF;AACzG,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW,QAAO,EAAE,SAAS,OAAO;AACzE,QAAO,QAAQ,YAAY,GAAG,IAAI,CAAC,MAAM,GAAG,YAAY;;AAG1D,SAAS,cAAc,IAA4B;AACjD,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW;AAChD,SAAQ,YAAY,GAAG,IAAI,CAAC,KAAK,GAAG,YAAY;;AAGlD,SAAS,cAAc,IAA4B;AACjD,KAAI,CAAC,GAAG,UAAU,GAAG,gBAAgB,KAAA,EAAW;AAChD,SAAQ,YAAY,GAAG,IAAI,CAAC,QAAQ,GAAG,YAAY;;AAGrD,SAAS,gBAAgB,GAAY,eAAuB;AAC1D,GAAE,OAAO,eAAe,OAAO,cAAc,CAAC;AAC9C,QAAO,EAAE,KACP;EACE,OAAO;EACP,MAAM;EACN,SAAS;EACT,YAAY;EACb,EACD,IACD;;AAGH,SAAgB,KAAK,QAAqB;CACxC,MAAM,EAAE,OAAO,gBAAgB,iBAAiB,2BAA2B,UAAU,EAAE;AAEvF,QAAO,iBAAiB,OAAO,GAAG,SAAS;EACzC,MAAM,eAAe,mBAAmB;EACxC,MAAM,WAAW,cAAc,SAAS,QAAQ,UAAU;AAE1D,MAAI,aAAa,iBAAiB;GAChC,MAAM,eAAe,0BAA0B;GAC/C,MAAM,iBAAiB,cAAc;GACrC,MAAM,qBAAqB,cAAc;GAEzC,MAAM,WAAW,0BAA0B,GAAG,gBAAgB,cAAc,oBAAoB;GAChG,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;GACrC,MAAM,KAAK,sBAAsB,gBAAgB,UAAU,OAAO;AAGlE,OAAI,CAAC,oBAAoB;AACvB,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ;KAAgC,EAC5F,mDACD;AACD,WAAO,EAAE,KACP;KAAE,OAAO;KAAgB,MAAM;KAAqB,SAAS;KAAwC,EACrG,IACD;;GAGH,MAAM,UAAU,aAAa,GAAG;AAChC,OAAI,QAAQ,SAAS;AACnB,QAAI,KACF;KAAE;KAAU,QAAQ,UAAU,KAAA;KAAW,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ,eAAe,QAAQ;KAAe,QAAQ;KAAgB,EAC/I,0BACD;AACD,WAAO,gBAAgB,GAAG,QAAQ,cAAc;;GAGlD,MAAM,SAAS,sBAAsB;IACnC,eAAe,qBAAqB,EAAE;IACtC,YAAY,SAAS,EAAE,IAAI,OAAO,KAAK;IACvC;IACA;IACD,CAAC;AAEF,OAAI,OAAO,OAAO,OAAO;AACvB,kBAAc,GAAG;AACjB,QAAI,KACF;KAAE,MAAM,EAAE,IAAI;KAAM,QAAQ,EAAE,IAAI;KAAQ;KAAU,QAAQ,OAAO;KAAQ,EAC3E,wDAAwD,OAAO,OAAO,GACvE;AACD,WAAO,EAAE,KACP;KAAE,OAAO;KAAgB,MAAM;KAA6B,SAAS;KAAuC,EAC5G,IACD;;AAGH,iBAAc,GAAG;AACjB,SAAM,MAAM;AACZ;;AAGF,MAAI,aAAa,UAAU,CAAC,MAC1B,QAAO,MAAM;EAGf,MAAM,eAAe,0BAA0B;EAC/C,MAAM,WAAW,0BAA0B,GAAG,cAAc,gBAAgB,cAAc,oBAAoB;EAC9G,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;EACrC,MAAM,KAAK,sBAAsB,gBAAgB,UAAU,OAAO;EAElE,MAAM,aAAa,uBAAuB,EAAE,IAAI,OAAO,gBAAgB,CAAC;EACxE,MAAM,cAAc,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC;EACvC,MAAM,aAAa,wBAAwB,aAAa,EAAE,IAAI,OAAO,GACjE,sBAAsB,EAAE,IAAI,IAAI,GAChC;AAEJ,MAAI,CAAC,cAAc,eAAe,QAAQ,IAAI,IAAI,EAAE,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ,CACpF,KAAI,KACF;GAAE,MAAM;GAAa,QAAQ,EAAE,IAAI;GAAQ;GAAU,EACrD,6EACD;EAGH,MAAM,gBAAgB,cAAc;AAEpC,MAAI,iBAAiB,cAAc,eAAe,MAAM,EAAE;AACxD,iBAAc,GAAG;AACjB,SAAM,MAAM;AACZ;;EAGF,MAAM,UAAU,aAAa,GAAG;AAChC,MAAI,QAAQ,SAAS;AACnB,OAAI,KACF;IAAE;IAAU,QAAQ,UAAU,KAAA;IAAW,MAAM;IAAa,QAAQ,EAAE,IAAI;IAAQ,eAAe,QAAQ;IAAe,QAAQ;IAAgB,EAChJ,0BACD;AACD,UAAO,gBAAgB,GAAG,QAAQ,cAAc;;AAMlD,MAAI,CAAC,eAAe;AAClB,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,2CACD;AACD,UAAO,EAAE,KACP;IAAE,OAAO;IAAgB,MAAM;IAAiB,SAAS;IAAgC,EACzF,IACD;;AAGH,gBAAc,GAAG;AACjB,MAAI,KACF;GAAE,MAAM,EAAE,IAAI;GAAM,QAAQ,EAAE,IAAI;GAAQ;GAAU,QAAQ;GAAiB,EAC7E,qCACD;AACD,SAAO,EAAE,KACP;GAAE,OAAO;GAAgB,MAAM;GAAiB,SAAS;GAAgC,EACzF,IACD;GACD"}

package/dist/src/gateway/hono/oauth.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { CredentialResolver, init_credentials } from "../../auth/credentials.js";
-import { anthropicOAuthProvider } from "../../auth/oauth/anthropic.js";
 import { getProviderAuthState, init_providers, isProviderConfigured } from "../../providers/index.js";
+import { anthropicOAuthProvider } from "../../auth/oauth/anthropic.js";
 import { minimaxOAuthProvider } from "../../auth/oauth/minimax.js";
 import { minimaxCnOAuthProvider } from "../../auth/oauth/minimax-cn.js";
 import { kimiCodingOAuthProvider } from "../../auth/oauth/kimi-coding.js";

package/dist/src/gateway/hono/routes/agents.js CHANGED Viewed

@@ -1,6 +1,6 @@
-import { init_agent_scope, normalizeAgentId } from "../../../agent/agent-scope.js";
 import { init_localized_text, normalizeLocalizedText } from "../../../config/localized-text.js";
 import { init_schema, parseModelRef } from "../../../config/schema.js";
+import { init_agent_scope, normalizeAgentId } from "../../../agent/agent-scope.js";
 import { init_providers, isProviderConfigured, resolveModel } from "../../../providers/index.js";
 import { getVoiceModelsConfig } from "../../../config/voice.js";
 import { deleteAgentAvatarFile, finalizeCreateAgentDirs, listAgentProfileFiles, listGatewayAgents, prepareCreateAgent, prepareCreateAgentsBatch, prepareDeleteAgent, prepareUpdateAgent, readAgentAvatarFile, readAgentProfileFile, runAfterDeletePurge, writeAgentAvatarFromBase64, writeAgentProfileFile } from "../../agents-admin.js";

package/dist/src/gateway/hono/routes/auth-registry-extensions.js CHANGED Viewed

@@ -7,8 +7,8 @@ import { createOAuthHandler } from "../oauth.js";
 import { createOAuthAsyncHandler } from "../oauth-async.js";
 import { extensionAssetMimeType } from "../lib/extension-assets.js";
 import { loadExtensionStore, saveExtensionStore } from "../lib/extension-store.js";
-import { existsSync, readFileSync, statSync } from "node:fs";
 import { relative, resolve } from "node:path";
+import { existsSync, readFileSync, statSync } from "node:fs";
 //#region src/gateway/hono/routes/auth-registry-extensions.ts
 init_providers();
 const EXTENSION_ASSET_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'none'; frame-ancestors 'self'; frame-src 'none'; base-uri 'none'; object-src 'none'; form-action 'none'";

package/dist/src/gateway/hono/routes/config-patch/gateway.d.ts CHANGED Viewed

@@ -3,8 +3,8 @@
  *
  * Covers heartbeat, bind/customBindHost/port, tailscale, auth (mode + token +
  * password + rateLimit + trustedProxy), trustedProxies, allowRealIpFallback,
- * dangerouslyAllowHostHeaderOriginFallback, security, share, corsOrigins,
- * maxSseConnections, and channelConnectDefer{Mode,Ids,SkipIds}.
+ * dangerouslyAllowHostHeaderOriginFallback, security, share, publicUrl,
+ * corsOrigins, maxSseConnections, and channelConnectDefer{Mode,Ids,SkipIds}.
  *
  * Validation policy: each subsection that can reject rejects with a 400 and a
  * specific `message`. The dispatcher converts these into `c.json(...)`.

package/dist/src/gateway/hono/routes/config-patch/gateway.js CHANGED Viewed

@@ -1,8 +1,10 @@
+import { init_public_url, validatePublicUrl } from "../../../../config/public-url.js";
 import { isValidIPv4 } from "../../../../config/gateway-bind.js";
 import { mergeShareConfigPatch } from "../../../../share/share-config.js";
 import { isMaskedSecretPatchValue } from "../../lib/mask-secret-length.js";
 import { PATCH_OK, patchError } from "./result.js";
 //#region src/gateway/hono/routes/config-patch/gateway.ts
+init_public_url();
 /**
 * Shared default for "user PATCH'd a gateway subsection but `config.gateway`
 * was never initialised". Identical to the inline literal repeated in the
@@ -219,6 +221,16 @@ function applyGatewayPatch(config, body) {
 		const shareResult = mergeShareConfigPatch(config, body.gateway.share);
 		if (shareResult.ok === false) return patchError(shareResult.message);
 	}
+	if (body.gateway?.publicUrl !== void 0) {
+		const gw = ensureGateway(config);
+		if (body.gateway.publicUrl === null || body.gateway.publicUrl === "") delete gw.publicUrl;
+		else if (typeof body.gateway.publicUrl !== "string") return patchError("gateway.publicUrl must be a string or null");
+		else {
+			const validation = validatePublicUrl(body.gateway.publicUrl);
+			if (validation.ok === false) return patchError(`gateway.publicUrl: ${validation.message}`);
+			gw.publicUrl = validation.url;
+		}
+	}
 	if (body.gateway?.corsOrigins !== void 0) {
 		if (!Array.isArray(body.gateway.corsOrigins)) return patchError("gateway.corsOrigins must be an array");
 		const gw = ensureGateway(config);

package/dist/src/gateway/hono/routes/config-patch/gateway.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"gateway.js","names":[],"sources":["../../../../../../src/gateway/hono/routes/config-patch/gateway.ts"],"sourcesContent":["/*\n `PATCH /api/config` — `body.gateway.` section.\n \n * Covers heartbeat, bind/customBindHost/port, tailscale, auth (mode + token +\n * password + rateLimit + trustedProxy), trustedProxies, allowRealIpFallback,\n * dangerouslyAllowHostHeaderOriginFallback, security, share, corsOrigins,\n * maxSseConnections, and channelConnectDefer{Mode,Ids,SkipIds}.\n \n Validation policy: each subsection that can reject rejects with a 400 and a\n * specific `message`. The dispatcher converts these into `c.json(...)`.\n \n Initial-state branches use the same literal defaults the inline code did\n * (loopback + port 18790 + 1800s heartbeat + 100 SSE conn + empty CORS) so\n * a brand-new install gets a working gateway after the first PATCH.\n /\nimport type { Config, GatewayBindMode } from '../../../../config/schema.js';\nimport { isValidIPv4 } from '../../../../config/gateway-bind.js';\nimport { mergeShareConfigPatch } from '../../../../share/share-config.js';\nimport { isMaskedSecretPatchValue } from '../../lib/mask-secret-length.js';\nimport { type PatchResult, PATCH_OK, patchError } from './result.js';\n\n/\n Shared default for \"user PATCH'd a gateway subsection but `config.gateway`\n * was never initialised\". Identical to the inline literal repeated in the\n * pre-extraction handler so this is behavior-preserving.\n */\nfunction ensureGateway(config: Config): NonNullable<Config['gateway']> {\n if (!config.gateway) {\n config.gateway = {\n bind: 'loopback',\n port: 18790,\n heartbeat: { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false },\n maxSseConnections: 100,\n corsOrigins: [],\n };\n }\n return config.gateway;\n}\n\nfunction parseDeferIdList(raw: unknown): string[] \| null {\n if (!Array.isArray(raw)) return null;\n const ids = raw\n .filter((x): x is string => typeof x === 'string' && x.trim().length > 0)\n .map((x) => x.trim());\n if (ids.length > 24) return null;\n return ids;\n}\n\nexport function applyGatewayPatch(config: Config, body: any): PatchResult {\n if (body.gateway?.heartbeat !== undefined && typeof body.gateway.heartbeat === 'object') {\n const gw = ensureGateway(config);\n if (!gw.heartbeat) {\n gw.heartbeat = { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false };\n }\n const h = gw.heartbeat;\n const p = body.gateway.heartbeat as Record<string, unknown>;\n if (p.enabled !== undefined) h.enabled = Boolean(p.enabled);\n if (p.intervalMs !== undefined && typeof p.intervalMs === 'number' && Number.isFinite(p.intervalMs)) {\n h.intervalMs = p.intervalMs;\n }\n if (p.includeSystemPromptSection !== undefined) {\n h.includeSystemPromptSection = Boolean(p.includeSystemPromptSection);\n }\n if (p.target !== undefined) {\n if (p.target === null \|\| p.target === '') delete (h as { target?: string }).target;\n else (h as { target?: string }).target = String(p.target);\n }\n if (p.targetChatId !== undefined) {\n if (p.targetChatId === null \|\| p.targetChatId === '') delete (h as { targetChatId?: string }).targetChatId;\n else (h as { targetChatId?: string }).targetChatId = String(p.targetChatId);\n }\n if (p.prompt !== undefined) {\n if (p.prompt === null \|\| p.prompt === '') delete (h as { prompt?: string }).prompt;\n else (h as { prompt?: string }).prompt = String(p.prompt);\n }\n if (p.ackMaxChars !== undefined) {\n if (p.ackMaxChars === null \|\| p.ackMaxChars === '') delete (h as { ackMaxChars?: number }).ackMaxChars;\n else if (typeof p.ackMaxChars === 'number' && Number.isFinite(p.ackMaxChars)) {\n (h as { ackMaxChars?: number }).ackMaxChars = p.ackMaxChars;\n }\n }\n if (p.isolatedSession !== undefined) {\n if (p.isolatedSession === null \|\| p.isolatedSession === false) {\n delete (h as { isolatedSession?: boolean }).isolatedSession;\n } else {\n (h as { isolatedSession?: boolean }).isolatedSession = Boolean(p.isolatedSession);\n }\n }\n if (p.activeHours !== undefined) {\n if (p.activeHours === null) {\n delete (h as { activeHours?: unknown }).activeHours;\n } else if (typeof p.activeHours === 'object' && p.activeHours !== null) {\n const ah = p.activeHours as Record<string, unknown>;\n const start = typeof ah.start === 'string' ? ah.start : '';\n const end = typeof ah.end === 'string' ? ah.end : '';\n if (start && end) {\n (h as { activeHours?: { start: string; end: string; timezone?: string } }).activeHours = {\n start,\n end,\n ...(typeof ah.timezone === 'string' && ah.timezone.trim() ? { timezone: ah.timezone } : {}),\n };\n } else {\n delete (h as { activeHours?: unknown }).activeHours;\n }\n }\n }\n }\n\n if (body.gateway?.bind !== undefined) {\n const bindModes = new Set(['auto', 'loopback', 'lan', 'tailnet', 'custom']);\n const bind = body.gateway.bind;\n if (typeof bind !== 'string' \|\| !bindModes.has(bind)) {\n return patchError('gateway.bind must be one of: auto, loopback, lan, tailnet, custom');\n }\n if (!config.gateway) {\n config.gateway = {\n bind: bind as GatewayBindMode,\n port: 18790,\n heartbeat: { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false },\n maxSseConnections: 100,\n corsOrigins: [],\n };\n } else {\n config.gateway.bind = bind as GatewayBindMode;\n }\n if (bind !== 'custom') {\n delete config.gateway.customBindHost;\n }\n }\n\n if (body.gateway?.customBindHost !== undefined) {\n if (body.gateway.customBindHost === null \|\| body.gateway.customBindHost === '') {\n if (config.gateway) {\n delete config.gateway.customBindHost;\n }\n } else if (typeof body.gateway.customBindHost !== 'string' \|\| !isValidIPv4(body.gateway.customBindHost.trim())) {\n return patchError('gateway.customBindHost must be a valid IPv4 address');\n } else if (config.gateway) {\n config.gateway.customBindHost = body.gateway.customBindHost.trim();\n config.gateway.bind = 'custom';\n }\n }\n\n if (body.gateway?.port !== undefined) {\n if (\n typeof body.gateway.port !== 'number' \|\|\n !Number.isFinite(body.gateway.port) \|\|\n body.gateway.port < 1 \|\|\n body.gateway.port > 65535\n ) {\n return patchError('gateway.port must be an integer from 1 to 65535');\n }\n if (!config.gateway) {\n config.gateway = {\n bind: 'loopback',\n port: Math.floor(body.gateway.port),\n heartbeat: { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false },\n maxSseConnections: 100,\n corsOrigins: [],\n };\n } else {\n config.gateway.port = Math.floor(body.gateway.port);\n }\n }\n\n if (body.gateway?.tailscale !== undefined && typeof body.gateway.tailscale === 'object') {\n const ts = body.gateway.tailscale as Record<string, unknown>;\n if (!config.gateway) {\n config.gateway = {\n bind: 'loopback',\n port: 18790,\n auth: { mode: 'token' },\n heartbeat: { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false },\n maxSseConnections: 100,\n corsOrigins: [],\n };\n }\n config.gateway.tailscale = {\n ...(config.gateway.tailscale ?? { mode: 'off', resetOnExit: true }),\n };\n if (ts.mode !== undefined) {\n if (ts.mode !== 'off' && ts.mode !== 'serve' && ts.mode !== 'funnel') {\n return patchError('gateway.tailscale.mode must be off, serve, or funnel');\n }\n config.gateway.tailscale.mode = ts.mode as 'off' \| 'serve' \| 'funnel';\n }\n if (ts.resetOnExit !== undefined) {\n config.gateway.tailscale.resetOnExit = ts.resetOnExit === true;\n }\n }\n\n if (body.gateway?.auth !== undefined) {\n const gw = ensureGateway(config);\n if (!gw.auth) gw.auth = { mode: 'token' };\n const a = body.gateway.auth;\n if (a.mode !== undefined) {\n if (\n a.mode !== 'none' &&\n a.mode !== 'token' &&\n a.mode !== 'password' &&\n a.mode !== 'trusted-proxy'\n ) {\n return patchError('gateway.auth.mode must be none, token, password, or trusted-proxy');\n }\n gw.auth.mode = a.mode;\n }\n if (a.token !== undefined) {\n if (a.token === null \|\| (typeof a.token === 'string' && !a.token.trim())) {\n delete gw.auth.token;\n } else if (typeof a.token === 'string' && !isMaskedSecretPatchValue(a.token)) {\n gw.auth.token = a.token;\n }\n }\n if (a.password !== undefined) {\n if (a.password === null \|\| (typeof a.password === 'string' && !a.password.trim())) {\n delete gw.auth.password;\n } else if (typeof a.password === 'string' && !isMaskedSecretPatchValue(a.password)) {\n gw.auth.password = a.password;\n }\n }\n if (a.rateLimit !== undefined && typeof a.rateLimit === 'object' && a.rateLimit !== null) {\n const rlIn = a.rateLimit as Record<string, unknown>;\n if (!gw.auth.rateLimit) {\n gw.auth.rateLimit = {\n enabled: true,\n maxAttempts: 5,\n windowMs: 900_000,\n blockDurationMs: 300_000,\n burstCoalesceMs: 1000,\n exemptLoopback: true,\n };\n }\n const rl = gw.auth.rateLimit!;\n if (rlIn.enabled !== undefined) rl.enabled = Boolean(rlIn.enabled);\n if (typeof rlIn.maxAttempts === 'number' && Number.isFinite(rlIn.maxAttempts)) {\n rl.maxAttempts = Math.max(1, Math.floor(rlIn.maxAttempts));\n }\n if (typeof rlIn.windowMs === 'number' && Number.isFinite(rlIn.windowMs) && rlIn.windowMs > 0) {\n rl.windowMs = Math.floor(rlIn.windowMs);\n }\n if (\n typeof rlIn.blockDurationMs === 'number' &&\n Number.isFinite(rlIn.blockDurationMs) &&\n rlIn.blockDurationMs > 0\n ) {\n rl.blockDurationMs = Math.floor(rlIn.blockDurationMs);\n }\n if (\n typeof rlIn.lockoutMs === 'number' &&\n Number.isFinite(rlIn.lockoutMs) &&\n rlIn.lockoutMs > 0\n ) {\n rl.blockDurationMs = Math.floor(rlIn.lockoutMs);\n }\n if (rlIn.exemptLoopback !== undefined) {\n rl.exemptLoopback = Boolean(rlIn.exemptLoopback);\n }\n }\n if (a.trustedProxy !== undefined) {\n if (a.trustedProxy === null) {\n delete gw.auth.trustedProxy;\n } else if (typeof a.trustedProxy === 'object' && a.trustedProxy !== null) {\n const tpIn = a.trustedProxy as Record<string, unknown>;\n const userHeader =\n typeof tpIn.userHeader === 'string' ? tpIn.userHeader.trim() : '';\n if (!userHeader) {\n return patchError('gateway.auth.trustedProxy.userHeader is required');\n }\n const trustedProxy: NonNullable<(typeof gw.auth)['trustedProxy']> = {\n userHeader,\n };\n if (tpIn.requiredHeaders !== undefined) {\n if (!Array.isArray(tpIn.requiredHeaders)) {\n return patchError('gateway.auth.trustedProxy.requiredHeaders must be an array');\n }\n trustedProxy.requiredHeaders = tpIn.requiredHeaders\n .filter((x): x is string => typeof x === 'string' && x.trim().length > 0)\n .map((x) => x.trim());\n }\n if (tpIn.allowUsers !== undefined) {\n if (!Array.isArray(tpIn.allowUsers)) {\n return patchError('gateway.auth.trustedProxy.allowUsers must be an array');\n }\n trustedProxy.allowUsers = tpIn.allowUsers\n .filter((x): x is string => typeof x === 'string' && x.trim().length > 0)\n .map((x) => x.trim());\n }\n if (tpIn.allowLoopback !== undefined) {\n trustedProxy.allowLoopback = Boolean(tpIn.allowLoopback);\n }\n gw.auth.trustedProxy = trustedProxy;\n }\n }\n }\n\n if (body.gateway?.trustedProxies !== undefined) {\n if (!Array.isArray(body.gateway.trustedProxies)) {\n return patchError('gateway.trustedProxies must be an array');\n }\n const gw = ensureGateway(config);\n gw.trustedProxies = body.gateway.trustedProxies\n .filter((x: unknown): x is string => typeof x === 'string' && x.trim().length > 0)\n .map((x: string) => x.trim());\n }\n\n if (body.gateway?.allowRealIpFallback !== undefined) {\n const gw = ensureGateway(config);\n gw.allowRealIpFallback = Boolean(body.gateway.allowRealIpFallback);\n }\n\n if (body.gateway?.dangerouslyAllowHostHeaderOriginFallback !== undefined) {\n const gw = ensureGateway(config);\n gw.dangerouslyAllowHostHeaderOriginFallback = Boolean(\n body.gateway.dangerouslyAllowHostHeaderOriginFallback,\n );\n }\n\n if (body.gateway?.security !== undefined) {\n if (typeof body.gateway.security !== 'object' \|\| body.gateway.security === null) {\n return patchError('gateway.security must be an object');\n }\n const gw = ensureGateway(config);\n const secIn = body.gateway.security as Record<string, unknown>;\n if (!gw.security) {\n gw.security = {};\n }\n if (secIn.strict !== undefined) {\n gw.security.strict = Boolean(secIn.strict);\n }\n }\n\n if (body.gateway?.share !== undefined) {\n if (typeof body.gateway.share !== 'object' \|\| body.gateway.share === null \|\| Array.isArray(body.gateway.share)) {\n return patchError('gateway.share must be an object');\n }\n const shareResult = mergeShareConfigPatch(config, body.gateway.share as Record<string, unknown>);\n if (shareResult.ok === false) {\n return patchError(shareResult.message);\n }\n }\n\n if (body.gateway?.corsOrigins !== undefined) {\n if (!Array.isArray(body.gateway.corsOrigins)) {\n return patchError('gateway.corsOrigins must be an array');\n }\n const gw = ensureGateway(config);\n gw.corsOrigins = body.gateway.corsOrigins\n .filter((x: unknown): x is string => typeof x === 'string' && x.trim().length > 0)\n .map((x: string) => x.trim());\n }\n\n if (body.gateway?.maxSseConnections !== undefined) {\n if (\n typeof body.gateway.maxSseConnections !== 'number' \|\|\n !Number.isFinite(body.gateway.maxSseConnections) \|\|\n body.gateway.maxSseConnections < 1\n ) {\n return patchError('gateway.maxSseConnections must be a positive integer');\n }\n if (!config.gateway) {\n config.gateway = {\n bind: 'loopback',\n port: 18790,\n heartbeat: { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false },\n maxSseConnections: Math.floor(body.gateway.maxSseConnections),\n corsOrigins: [],\n };\n } else {\n config.gateway.maxSseConnections = Math.floor(body.gateway.maxSseConnections);\n }\n }\n\n if (body.gateway?.channelConnectDeferMode !== undefined) {\n const mode = body.gateway.channelConnectDeferMode;\n if (mode !== 'auto' && mode !== 'off' && mode !== 'explicit') {\n return patchError('gateway.channelConnectDeferMode must be auto, off, or explicit');\n }\n const gw = ensureGateway(config);\n gw.channelConnectDeferMode = mode;\n }\n\n if (body.gateway?.channelConnectDeferIds !== undefined) {\n const ids = parseDeferIdList(body.gateway.channelConnectDeferIds);\n if (ids === null) {\n return patchError('gateway.channelConnectDeferIds must be an array of up to 24 strings');\n }\n const gw = ensureGateway(config);\n gw.channelConnectDeferIds = ids;\n }\n\n if (body.gateway?.channelConnectDeferSkipIds !== undefined) {\n const ids = parseDeferIdList(body.gateway.channelConnectDeferSkipIds);\n if (ids === null) {\n return patchError('gateway.channelConnectDeferSkipIds must be an array of up to 24 strings');\n }\n const gw = ensureGateway(config);\n gw.channelConnectDeferSkipIds = ids;\n }\n\n return PATCH_OK;\n}\n"],"mappings":";;;;;;;;;;AA0BA,SAAS,cAAc,QAAgD;AACrE,KAAI,CAAC,OAAO,QACV,QAAO,UAAU;EACf,MAAM;EACN,MAAM;EACN,WAAW;GAAE,SAAS;GAAM,YAAY;GAAW,4BAA4B;GAAO;EACtF,mBAAmB;EACnB,aAAa,EAAE;EAChB;AAEH,QAAO,OAAO;;AAGhB,SAAS,iBAAiB,KAA+B;AACvD,KAAI,CAAC,MAAM,QAAQ,IAAI,CAAE,QAAO;CAChC,MAAM,MAAM,IACT,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,MAAM,CAAC,SAAS,EAAE,CACxE,KAAK,MAAM,EAAE,MAAM,CAAC;AACvB,KAAI,IAAI,SAAS,GAAI,QAAO;AAC5B,QAAO;;AAGT,SAAgB,kBAAkB,QAAgB,MAAwB;AACxE,KAAI,KAAK,SAAS,cAAc,KAAA,KAAa,OAAO,KAAK,QAAQ,cAAc,UAAU;EACvF,MAAM,KAAK,cAAc,OAAO;AAChC,MAAI,CAAC,GAAG,UACN,IAAG,YAAY;GAAE,SAAS;GAAM,YAAY;GAAW,4BAA4B;GAAO;EAE5F,MAAM,IAAI,GAAG;EACb,MAAM,IAAI,KAAK,QAAQ;AACvB,MAAI,EAAE,YAAY,KAAA,EAAW,GAAE,UAAU,QAAQ,EAAE,QAAQ;AAC3D,MAAI,EAAE,eAAe,KAAA,KAAa,OAAO,EAAE,eAAe,YAAY,OAAO,SAAS,EAAE,WAAW,CACjG,GAAE,aAAa,EAAE;AAEnB,MAAI,EAAE,+BAA+B,KAAA,EACnC,GAAE,6BAA6B,QAAQ,EAAE,2BAA2B;AAEtE,MAAI,EAAE,WAAW,KAAA,EACf,KAAI,EAAE,WAAW,QAAQ,EAAE,WAAW,GAAI,QAAQ,EAA0B;MACtE,GAA0B,SAAS,OAAO,EAAE,OAAO;AAE3D,MAAI,EAAE,iBAAiB,KAAA,EACrB,KAAI,EAAE,iBAAiB,QAAQ,EAAE,iBAAiB,GAAI,QAAQ,EAAgC;MACxF,GAAgC,eAAe,OAAO,EAAE,aAAa;AAE7E,MAAI,EAAE,WAAW,KAAA,EACf,KAAI,EAAE,WAAW,QAAQ,EAAE,WAAW,GAAI,QAAQ,EAA0B;MACtE,GAA0B,SAAS,OAAO,EAAE,OAAO;AAE3D,MAAI,EAAE,gBAAgB,KAAA;OAChB,EAAE,gBAAgB,QAAQ,EAAE,gBAAgB,GAAI,QAAQ,EAA+B;YAClF,OAAO,EAAE,gBAAgB,YAAY,OAAO,SAAS,EAAE,YAAY,CACzE,GAA+B,cAAc,EAAE;;AAGpD,MAAI,EAAE,oBAAoB,KAAA,EACxB,KAAI,EAAE,oBAAoB,QAAQ,EAAE,oBAAoB,MACtD,QAAQ,EAAoC;MAE3C,GAAoC,kBAAkB,QAAQ,EAAE,gBAAgB;AAGrF,MAAI,EAAE,gBAAgB,KAAA;OAChB,EAAE,gBAAgB,KACpB,QAAQ,EAAgC;YAC/B,OAAO,EAAE,gBAAgB,YAAY,EAAE,gBAAgB,MAAM;IACtE,MAAM,KAAK,EAAE;IACb,MAAM,QAAQ,OAAO,GAAG,UAAU,WAAW,GAAG,QAAQ;IACxD,MAAM,MAAM,OAAO,GAAG,QAAQ,WAAW,GAAG,MAAM;AAClD,QAAI,SAAS,IACV,GAA0E,cAAc;KACvF;KACA;KACA,GAAI,OAAO,GAAG,aAAa,YAAY,GAAG,SAAS,MAAM,GAAG,EAAE,UAAU,GAAG,UAAU,GAAG,EAAE;KAC3F;QAED,QAAQ,EAAgC;;;;AAMhD,KAAI,KAAK,SAAS,SAAS,KAAA,GAAW;EACpC,MAAM,YAAY,IAAI,IAAI;GAAC;GAAQ;GAAY;GAAO;GAAW;GAAS,CAAC;EAC3E,MAAM,OAAO,KAAK,QAAQ;AAC1B,MAAI,OAAO,SAAS,YAAY,CAAC,UAAU,IAAI,KAAK,CAClD,QAAO,WAAW,oEAAoE;AAExF,MAAI,CAAC,OAAO,QACV,QAAO,UAAU;GACT;GACN,MAAM;GACN,WAAW;IAAE,SAAS;IAAM,YAAY;IAAW,4BAA4B;IAAO;GACtF,mBAAmB;GACnB,aAAa,EAAE;GAChB;MAED,QAAO,QAAQ,OAAO;AAExB,MAAI,SAAS,SACX,QAAO,OAAO,QAAQ;;AAI1B,KAAI,KAAK,SAAS,mBAAmB,KAAA;MAC/B,KAAK,QAAQ,mBAAmB,QAAQ,KAAK,QAAQ,mBAAmB;OACtE,OAAO,QACT,QAAO,OAAO,QAAQ;aAEf,OAAO,KAAK,QAAQ,mBAAmB,YAAY,CAAC,YAAY,KAAK,QAAQ,eAAe,MAAM,CAAC,CAC5G,QAAO,WAAW,sDAAsD;WAC/D,OAAO,SAAS;AACzB,UAAO,QAAQ,iBAAiB,KAAK,QAAQ,eAAe,MAAM;AAClE,UAAO,QAAQ,OAAO;;;AAI1B,KAAI,KAAK,SAAS,SAAS,KAAA,GAAW;AACpC,MACE,OAAO,KAAK,QAAQ,SAAS,YAC7B,CAAC,OAAO,SAAS,KAAK,QAAQ,KAAK,IACnC,KAAK,QAAQ,OAAO,KACpB,KAAK,QAAQ,OAAO,MAEpB,QAAO,WAAW,kDAAkD;AAEtE,MAAI,CAAC,OAAO,QACV,QAAO,UAAU;GACf,MAAM;GACN,MAAM,KAAK,MAAM,KAAK,QAAQ,KAAK;GACnC,WAAW;IAAE,SAAS;IAAM,YAAY;IAAW,4BAA4B;IAAO;GACtF,mBAAmB;GACnB,aAAa,EAAE;GAChB;MAED,QAAO,QAAQ,OAAO,KAAK,MAAM,KAAK,QAAQ,KAAK;;AAIvD,KAAI,KAAK,SAAS,cAAc,KAAA,KAAa,OAAO,KAAK,QAAQ,cAAc,UAAU;EACvF,MAAM,KAAK,KAAK,QAAQ;AACxB,MAAI,CAAC,OAAO,QACV,QAAO,UAAU;GACf,MAAM;GACN,MAAM;GACN,MAAM,EAAE,MAAM,SAAS;GACvB,WAAW;IAAE,SAAS;IAAM,YAAY;IAAW,4BAA4B;IAAO;GACtF,mBAAmB;GACnB,aAAa,EAAE;GAChB;AAEH,SAAO,QAAQ,YAAY,EACzB,GAAI,OAAO,QAAQ,aAAa;GAAE,MAAM;GAAO,aAAa;GAAM,EACnE;AACD,MAAI,GAAG,SAAS,KAAA,GAAW;AACzB,OAAI,GAAG,SAAS,SAAS,GAAG,SAAS,WAAW,GAAG,SAAS,SAC1D,QAAO,WAAW,uDAAuD;AAE3E,UAAO,QAAQ,UAAU,OAAO,GAAG;;AAErC,MAAI,GAAG,gBAAgB,KAAA,EACrB,QAAO,QAAQ,UAAU,cAAc,GAAG,gBAAgB;;AAI9D,KAAI,KAAK,SAAS,SAAS,KAAA,GAAW;EACpC,MAAM,KAAK,cAAc,OAAO;AAChC,MAAI,CAAC,GAAG,KAAM,IAAG,OAAO,EAAE,MAAM,SAAS;EACzC,MAAM,IAAI,KAAK,QAAQ;AACvB,MAAI,EAAE,SAAS,KAAA,GAAW;AACxB,OACE,EAAE,SAAS,UACX,EAAE,SAAS,WACX,EAAE,SAAS,cACX,EAAE,SAAS,gBAEX,QAAO,WAAW,oEAAoE;AAExF,MAAG,KAAK,OAAO,EAAE;;AAEnB,MAAI,EAAE,UAAU,KAAA;OACV,EAAE,UAAU,QAAS,OAAO,EAAE,UAAU,YAAY,CAAC,EAAE,MAAM,MAAM,CACrE,QAAO,GAAG,KAAK;YACN,OAAO,EAAE,UAAU,YAAY,CAAC,yBAAyB,EAAE,MAAM,CAC1E,IAAG,KAAK,QAAQ,EAAE;;AAGtB,MAAI,EAAE,aAAa,KAAA;OACb,EAAE,aAAa,QAAS,OAAO,EAAE,aAAa,YAAY,CAAC,EAAE,SAAS,MAAM,CAC9E,QAAO,GAAG,KAAK;YACN,OAAO,EAAE,aAAa,YAAY,CAAC,yBAAyB,EAAE,SAAS,CAChF,IAAG,KAAK,WAAW,EAAE;;AAGzB,MAAI,EAAE,cAAc,KAAA,KAAa,OAAO,EAAE,cAAc,YAAY,EAAE,cAAc,MAAM;GACxF,MAAM,OAAO,EAAE;AACf,OAAI,CAAC,GAAG,KAAK,UACX,IAAG,KAAK,YAAY;IAClB,SAAS;IACT,aAAa;IACb,UAAU;IACV,iBAAiB;IACjB,iBAAiB;IACjB,gBAAgB;IACjB;GAEH,MAAM,KAAK,GAAG,KAAK;AACnB,OAAI,KAAK,YAAY,KAAA,EAAW,IAAG,UAAU,QAAQ,KAAK,QAAQ;AAClE,OAAI,OAAO,KAAK,gBAAgB,YAAY,OAAO,SAAS,KAAK,YAAY,CAC3E,IAAG,cAAc,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,YAAY,CAAC;AAE5D,OAAI,OAAO,KAAK,aAAa,YAAY,OAAO,SAAS,KAAK,SAAS,IAAI,KAAK,WAAW,EACzF,IAAG,WAAW,KAAK,MAAM,KAAK,SAAS;AAEzC,OACE,OAAO,KAAK,oBAAoB,YAChC,OAAO,SAAS,KAAK,gBAAgB,IACrC,KAAK,kBAAkB,EAEvB,IAAG,kBAAkB,KAAK,MAAM,KAAK,gBAAgB;AAEvD,OACE,OAAO,KAAK,cAAc,YAC1B,OAAO,SAAS,KAAK,UAAU,IAC/B,KAAK,YAAY,EAEjB,IAAG,kBAAkB,KAAK,MAAM,KAAK,UAAU;AAEjD,OAAI,KAAK,mBAAmB,KAAA,EAC1B,IAAG,iBAAiB,QAAQ,KAAK,eAAe;;AAGpD,MAAI,EAAE,iBAAiB,KAAA;OACjB,EAAE,iBAAiB,KACrB,QAAO,GAAG,KAAK;YACN,OAAO,EAAE,iBAAiB,YAAY,EAAE,iBAAiB,MAAM;IACxE,MAAM,OAAO,EAAE;IACf,MAAM,aACJ,OAAO,KAAK,eAAe,WAAW,KAAK,WAAW,MAAM,GAAG;AACjE,QAAI,CAAC,WACH,QAAO,WAAW,mDAAmD;IAEvE,MAAM,eAA8D,EAClE,YACD;AACD,QAAI,KAAK,oBAAoB,KAAA,GAAW;AACtC,SAAI,CAAC,MAAM,QAAQ,KAAK,gBAAgB,CACtC,QAAO,WAAW,6DAA6D;AAEjF,kBAAa,kBAAkB,KAAK,gBACjC,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,MAAM,CAAC,SAAS,EAAE,CACxE,KAAK,MAAM,EAAE,MAAM,CAAC;;AAEzB,QAAI,KAAK,eAAe,KAAA,GAAW;AACjC,SAAI,CAAC,MAAM,QAAQ,KAAK,WAAW,CACjC,QAAO,WAAW,wDAAwD;AAE5E,kBAAa,aAAa,KAAK,WAC5B,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,MAAM,CAAC,SAAS,EAAE,CACxE,KAAK,MAAM,EAAE,MAAM,CAAC;;AAEzB,QAAI,KAAK,kBAAkB,KAAA,EACzB,cAAa,gBAAgB,QAAQ,KAAK,cAAc;AAE1D,OAAG,KAAK,eAAe;;;;AAK7B,KAAI,KAAK,SAAS,mBAAmB,KAAA,GAAW;AAC9C,MAAI,CAAC,MAAM,QAAQ,KAAK,QAAQ,eAAe,CAC7C,QAAO,WAAW,0CAA0C;EAE9D,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,iBAAiB,KAAK,QAAQ,eAC9B,QAAQ,MAA4B,OAAO,MAAM,YAAY,EAAE,MAAM,CAAC,SAAS,EAAE,CACjF,KAAK,MAAc,EAAE,MAAM,CAAC;;AAGjC,KAAI,KAAK,SAAS,wBAAwB,KAAA,GAAW;EACnD,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,sBAAsB,QAAQ,KAAK,QAAQ,oBAAoB;;AAGpE,KAAI,KAAK,SAAS,6CAA6C,KAAA,GAAW;EACxE,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,2CAA2C,QAC5C,KAAK,QAAQ,yCACd;;AAGH,KAAI,KAAK,SAAS,aAAa,KAAA,GAAW;AACxC,MAAI,OAAO,KAAK,QAAQ,aAAa,YAAY,KAAK,QAAQ,aAAa,KACzE,QAAO,WAAW,qCAAqC;EAEzD,MAAM,KAAK,cAAc,OAAO;EAChC,MAAM,QAAQ,KAAK,QAAQ;AAC3B,MAAI,CAAC,GAAG,SACN,IAAG,WAAW,EAAE;AAElB,MAAI,MAAM,WAAW,KAAA,EACnB,IAAG,SAAS,SAAS,QAAQ,MAAM,OAAO;;AAI9C,KAAI,KAAK,SAAS,UAAU,KAAA,GAAW;AACrC,MAAI,OAAO,KAAK,QAAQ,UAAU,YAAY,KAAK,QAAQ,UAAU,QAAQ,MAAM,QAAQ,KAAK,QAAQ,MAAM,CAC5G,QAAO,WAAW,kCAAkC;EAEtD,MAAM,cAAc,sBAAsB,QAAQ,KAAK,QAAQ,MAAiC;AAChG,MAAI,YAAY,OAAO,MACrB,QAAO,WAAW,YAAY,QAAQ;;AAI1C,KAAI,KAAK,SAAS,gBAAgB,KAAA,GAAW;AAC3C,MAAI,CAAC,MAAM,QAAQ,KAAK,QAAQ,YAAY,CAC1C,QAAO,WAAW,uCAAuC;EAE3D,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,cAAc,KAAK,QAAQ,YAC3B,QAAQ,MAA4B,OAAO,MAAM,YAAY,EAAE,MAAM,CAAC,SAAS,EAAE,CACjF,KAAK,MAAc,EAAE,MAAM,CAAC;;AAGjC,KAAI,KAAK,SAAS,sBAAsB,KAAA,GAAW;AACjD,MACE,OAAO,KAAK,QAAQ,sBAAsB,YAC1C,CAAC,OAAO,SAAS,KAAK,QAAQ,kBAAkB,IAChD,KAAK,QAAQ,oBAAoB,EAEjC,QAAO,WAAW,uDAAuD;AAE3E,MAAI,CAAC,OAAO,QACV,QAAO,UAAU;GACf,MAAM;GACN,MAAM;GACN,WAAW;IAAE,SAAS;IAAM,YAAY;IAAW,4BAA4B;IAAO;GACtF,mBAAmB,KAAK,MAAM,KAAK,QAAQ,kBAAkB;GAC7D,aAAa,EAAE;GAChB;MAED,QAAO,QAAQ,oBAAoB,KAAK,MAAM,KAAK,QAAQ,kBAAkB;;AAIjF,KAAI,KAAK,SAAS,4BAA4B,KAAA,GAAW;EACvD,MAAM,OAAO,KAAK,QAAQ;AAC1B,MAAI,SAAS,UAAU,SAAS,SAAS,SAAS,WAChD,QAAO,WAAW,iEAAiE;EAErF,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,0BAA0B;;AAG/B,KAAI,KAAK,SAAS,2BAA2B,KAAA,GAAW;EACtD,MAAM,MAAM,iBAAiB,KAAK,QAAQ,uBAAuB;AACjE,MAAI,QAAQ,KACV,QAAO,WAAW,sEAAsE;EAE1F,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,yBAAyB;;AAG9B,KAAI,KAAK,SAAS,+BAA+B,KAAA,GAAW;EAC1D,MAAM,MAAM,iBAAiB,KAAK,QAAQ,2BAA2B;AACrE,MAAI,QAAQ,KACV,QAAO,WAAW,0EAA0E;EAE9F,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,6BAA6B;;AAGlC,QAAO"}
1	+ {"version":3,"file":"gateway.js","names":[],"sources":["../../../../../../src/gateway/hono/routes/config-patch/gateway.ts"],"sourcesContent":["/*\n `PATCH /api/config` — `body.gateway.` section.\n \n * Covers heartbeat, bind/customBindHost/port, tailscale, auth (mode + token +\n * password + rateLimit + trustedProxy), trustedProxies, allowRealIpFallback,\n * dangerouslyAllowHostHeaderOriginFallback, security, share, publicUrl,\n * corsOrigins, maxSseConnections, and channelConnectDefer{Mode,Ids,SkipIds}.\n \n Validation policy: each subsection that can reject rejects with a 400 and a\n * specific `message`. The dispatcher converts these into `c.json(...)`.\n \n Initial-state branches use the same literal defaults the inline code did\n * (loopback + port 18790 + 1800s heartbeat + 100 SSE conn + empty CORS) so\n * a brand-new install gets a working gateway after the first PATCH.\n /\nimport type { Config, GatewayBindMode } from '../../../../config/schema.js';\nimport { isValidIPv4 } from '../../../../config/gateway-bind.js';\nimport { validatePublicUrl } from '../../../../config/public-url.js';\nimport { mergeShareConfigPatch } from '../../../../share/share-config.js';\nimport { isMaskedSecretPatchValue } from '../../lib/mask-secret-length.js';\nimport { type PatchResult, PATCH_OK, patchError } from './result.js';\n\n/\n Shared default for \"user PATCH'd a gateway subsection but `config.gateway`\n * was never initialised\". Identical to the inline literal repeated in the\n * pre-extraction handler so this is behavior-preserving.\n */\nfunction ensureGateway(config: Config): NonNullable<Config['gateway']> {\n if (!config.gateway) {\n config.gateway = {\n bind: 'loopback',\n port: 18790,\n heartbeat: { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false },\n maxSseConnections: 100,\n corsOrigins: [],\n };\n }\n return config.gateway;\n}\n\nfunction parseDeferIdList(raw: unknown): string[] \| null {\n if (!Array.isArray(raw)) return null;\n const ids = raw\n .filter((x): x is string => typeof x === 'string' && x.trim().length > 0)\n .map((x) => x.trim());\n if (ids.length > 24) return null;\n return ids;\n}\n\nexport function applyGatewayPatch(config: Config, body: any): PatchResult {\n if (body.gateway?.heartbeat !== undefined && typeof body.gateway.heartbeat === 'object') {\n const gw = ensureGateway(config);\n if (!gw.heartbeat) {\n gw.heartbeat = { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false };\n }\n const h = gw.heartbeat;\n const p = body.gateway.heartbeat as Record<string, unknown>;\n if (p.enabled !== undefined) h.enabled = Boolean(p.enabled);\n if (p.intervalMs !== undefined && typeof p.intervalMs === 'number' && Number.isFinite(p.intervalMs)) {\n h.intervalMs = p.intervalMs;\n }\n if (p.includeSystemPromptSection !== undefined) {\n h.includeSystemPromptSection = Boolean(p.includeSystemPromptSection);\n }\n if (p.target !== undefined) {\n if (p.target === null \|\| p.target === '') delete (h as { target?: string }).target;\n else (h as { target?: string }).target = String(p.target);\n }\n if (p.targetChatId !== undefined) {\n if (p.targetChatId === null \|\| p.targetChatId === '') delete (h as { targetChatId?: string }).targetChatId;\n else (h as { targetChatId?: string }).targetChatId = String(p.targetChatId);\n }\n if (p.prompt !== undefined) {\n if (p.prompt === null \|\| p.prompt === '') delete (h as { prompt?: string }).prompt;\n else (h as { prompt?: string }).prompt = String(p.prompt);\n }\n if (p.ackMaxChars !== undefined) {\n if (p.ackMaxChars === null \|\| p.ackMaxChars === '') delete (h as { ackMaxChars?: number }).ackMaxChars;\n else if (typeof p.ackMaxChars === 'number' && Number.isFinite(p.ackMaxChars)) {\n (h as { ackMaxChars?: number }).ackMaxChars = p.ackMaxChars;\n }\n }\n if (p.isolatedSession !== undefined) {\n if (p.isolatedSession === null \|\| p.isolatedSession === false) {\n delete (h as { isolatedSession?: boolean }).isolatedSession;\n } else {\n (h as { isolatedSession?: boolean }).isolatedSession = Boolean(p.isolatedSession);\n }\n }\n if (p.activeHours !== undefined) {\n if (p.activeHours === null) {\n delete (h as { activeHours?: unknown }).activeHours;\n } else if (typeof p.activeHours === 'object' && p.activeHours !== null) {\n const ah = p.activeHours as Record<string, unknown>;\n const start = typeof ah.start === 'string' ? ah.start : '';\n const end = typeof ah.end === 'string' ? ah.end : '';\n if (start && end) {\n (h as { activeHours?: { start: string; end: string; timezone?: string } }).activeHours = {\n start,\n end,\n ...(typeof ah.timezone === 'string' && ah.timezone.trim() ? { timezone: ah.timezone } : {}),\n };\n } else {\n delete (h as { activeHours?: unknown }).activeHours;\n }\n }\n }\n }\n\n if (body.gateway?.bind !== undefined) {\n const bindModes = new Set(['auto', 'loopback', 'lan', 'tailnet', 'custom']);\n const bind = body.gateway.bind;\n if (typeof bind !== 'string' \|\| !bindModes.has(bind)) {\n return patchError('gateway.bind must be one of: auto, loopback, lan, tailnet, custom');\n }\n if (!config.gateway) {\n config.gateway = {\n bind: bind as GatewayBindMode,\n port: 18790,\n heartbeat: { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false },\n maxSseConnections: 100,\n corsOrigins: [],\n };\n } else {\n config.gateway.bind = bind as GatewayBindMode;\n }\n if (bind !== 'custom') {\n delete config.gateway.customBindHost;\n }\n }\n\n if (body.gateway?.customBindHost !== undefined) {\n if (body.gateway.customBindHost === null \|\| body.gateway.customBindHost === '') {\n if (config.gateway) {\n delete config.gateway.customBindHost;\n }\n } else if (typeof body.gateway.customBindHost !== 'string' \|\| !isValidIPv4(body.gateway.customBindHost.trim())) {\n return patchError('gateway.customBindHost must be a valid IPv4 address');\n } else if (config.gateway) {\n config.gateway.customBindHost = body.gateway.customBindHost.trim();\n config.gateway.bind = 'custom';\n }\n }\n\n if (body.gateway?.port !== undefined) {\n if (\n typeof body.gateway.port !== 'number' \|\|\n !Number.isFinite(body.gateway.port) \|\|\n body.gateway.port < 1 \|\|\n body.gateway.port > 65535\n ) {\n return patchError('gateway.port must be an integer from 1 to 65535');\n }\n if (!config.gateway) {\n config.gateway = {\n bind: 'loopback',\n port: Math.floor(body.gateway.port),\n heartbeat: { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false },\n maxSseConnections: 100,\n corsOrigins: [],\n };\n } else {\n config.gateway.port = Math.floor(body.gateway.port);\n }\n }\n\n if (body.gateway?.tailscale !== undefined && typeof body.gateway.tailscale === 'object') {\n const ts = body.gateway.tailscale as Record<string, unknown>;\n if (!config.gateway) {\n config.gateway = {\n bind: 'loopback',\n port: 18790,\n auth: { mode: 'token' },\n heartbeat: { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false },\n maxSseConnections: 100,\n corsOrigins: [],\n };\n }\n config.gateway.tailscale = {\n ...(config.gateway.tailscale ?? { mode: 'off', resetOnExit: true }),\n };\n if (ts.mode !== undefined) {\n if (ts.mode !== 'off' && ts.mode !== 'serve' && ts.mode !== 'funnel') {\n return patchError('gateway.tailscale.mode must be off, serve, or funnel');\n }\n config.gateway.tailscale.mode = ts.mode as 'off' \| 'serve' \| 'funnel';\n }\n if (ts.resetOnExit !== undefined) {\n config.gateway.tailscale.resetOnExit = ts.resetOnExit === true;\n }\n }\n\n if (body.gateway?.auth !== undefined) {\n const gw = ensureGateway(config);\n if (!gw.auth) gw.auth = { mode: 'token' };\n const a = body.gateway.auth;\n if (a.mode !== undefined) {\n if (\n a.mode !== 'none' &&\n a.mode !== 'token' &&\n a.mode !== 'password' &&\n a.mode !== 'trusted-proxy'\n ) {\n return patchError('gateway.auth.mode must be none, token, password, or trusted-proxy');\n }\n gw.auth.mode = a.mode;\n }\n if (a.token !== undefined) {\n if (a.token === null \|\| (typeof a.token === 'string' && !a.token.trim())) {\n delete gw.auth.token;\n } else if (typeof a.token === 'string' && !isMaskedSecretPatchValue(a.token)) {\n gw.auth.token = a.token;\n }\n }\n if (a.password !== undefined) {\n if (a.password === null \|\| (typeof a.password === 'string' && !a.password.trim())) {\n delete gw.auth.password;\n } else if (typeof a.password === 'string' && !isMaskedSecretPatchValue(a.password)) {\n gw.auth.password = a.password;\n }\n }\n if (a.rateLimit !== undefined && typeof a.rateLimit === 'object' && a.rateLimit !== null) {\n const rlIn = a.rateLimit as Record<string, unknown>;\n if (!gw.auth.rateLimit) {\n gw.auth.rateLimit = {\n enabled: true,\n maxAttempts: 5,\n windowMs: 900_000,\n blockDurationMs: 300_000,\n burstCoalesceMs: 1000,\n exemptLoopback: true,\n };\n }\n const rl = gw.auth.rateLimit!;\n if (rlIn.enabled !== undefined) rl.enabled = Boolean(rlIn.enabled);\n if (typeof rlIn.maxAttempts === 'number' && Number.isFinite(rlIn.maxAttempts)) {\n rl.maxAttempts = Math.max(1, Math.floor(rlIn.maxAttempts));\n }\n if (typeof rlIn.windowMs === 'number' && Number.isFinite(rlIn.windowMs) && rlIn.windowMs > 0) {\n rl.windowMs = Math.floor(rlIn.windowMs);\n }\n if (\n typeof rlIn.blockDurationMs === 'number' &&\n Number.isFinite(rlIn.blockDurationMs) &&\n rlIn.blockDurationMs > 0\n ) {\n rl.blockDurationMs = Math.floor(rlIn.blockDurationMs);\n }\n if (\n typeof rlIn.lockoutMs === 'number' &&\n Number.isFinite(rlIn.lockoutMs) &&\n rlIn.lockoutMs > 0\n ) {\n rl.blockDurationMs = Math.floor(rlIn.lockoutMs);\n }\n if (rlIn.exemptLoopback !== undefined) {\n rl.exemptLoopback = Boolean(rlIn.exemptLoopback);\n }\n }\n if (a.trustedProxy !== undefined) {\n if (a.trustedProxy === null) {\n delete gw.auth.trustedProxy;\n } else if (typeof a.trustedProxy === 'object' && a.trustedProxy !== null) {\n const tpIn = a.trustedProxy as Record<string, unknown>;\n const userHeader =\n typeof tpIn.userHeader === 'string' ? tpIn.userHeader.trim() : '';\n if (!userHeader) {\n return patchError('gateway.auth.trustedProxy.userHeader is required');\n }\n const trustedProxy: NonNullable<(typeof gw.auth)['trustedProxy']> = {\n userHeader,\n };\n if (tpIn.requiredHeaders !== undefined) {\n if (!Array.isArray(tpIn.requiredHeaders)) {\n return patchError('gateway.auth.trustedProxy.requiredHeaders must be an array');\n }\n trustedProxy.requiredHeaders = tpIn.requiredHeaders\n .filter((x): x is string => typeof x === 'string' && x.trim().length > 0)\n .map((x) => x.trim());\n }\n if (tpIn.allowUsers !== undefined) {\n if (!Array.isArray(tpIn.allowUsers)) {\n return patchError('gateway.auth.trustedProxy.allowUsers must be an array');\n }\n trustedProxy.allowUsers = tpIn.allowUsers\n .filter((x): x is string => typeof x === 'string' && x.trim().length > 0)\n .map((x) => x.trim());\n }\n if (tpIn.allowLoopback !== undefined) {\n trustedProxy.allowLoopback = Boolean(tpIn.allowLoopback);\n }\n gw.auth.trustedProxy = trustedProxy;\n }\n }\n }\n\n if (body.gateway?.trustedProxies !== undefined) {\n if (!Array.isArray(body.gateway.trustedProxies)) {\n return patchError('gateway.trustedProxies must be an array');\n }\n const gw = ensureGateway(config);\n gw.trustedProxies = body.gateway.trustedProxies\n .filter((x: unknown): x is string => typeof x === 'string' && x.trim().length > 0)\n .map((x: string) => x.trim());\n }\n\n if (body.gateway?.allowRealIpFallback !== undefined) {\n const gw = ensureGateway(config);\n gw.allowRealIpFallback = Boolean(body.gateway.allowRealIpFallback);\n }\n\n if (body.gateway?.dangerouslyAllowHostHeaderOriginFallback !== undefined) {\n const gw = ensureGateway(config);\n gw.dangerouslyAllowHostHeaderOriginFallback = Boolean(\n body.gateway.dangerouslyAllowHostHeaderOriginFallback,\n );\n }\n\n if (body.gateway?.security !== undefined) {\n if (typeof body.gateway.security !== 'object' \|\| body.gateway.security === null) {\n return patchError('gateway.security must be an object');\n }\n const gw = ensureGateway(config);\n const secIn = body.gateway.security as Record<string, unknown>;\n if (!gw.security) {\n gw.security = {};\n }\n if (secIn.strict !== undefined) {\n gw.security.strict = Boolean(secIn.strict);\n }\n }\n\n if (body.gateway?.share !== undefined) {\n if (typeof body.gateway.share !== 'object' \|\| body.gateway.share === null \|\| Array.isArray(body.gateway.share)) {\n return patchError('gateway.share must be an object');\n }\n const shareResult = mergeShareConfigPatch(config, body.gateway.share as Record<string, unknown>);\n if (shareResult.ok === false) {\n return patchError(shareResult.message);\n }\n }\n\n if (body.gateway?.publicUrl !== undefined) {\n const gw = ensureGateway(config);\n if (body.gateway.publicUrl === null \|\| body.gateway.publicUrl === '') {\n delete gw.publicUrl;\n } else if (typeof body.gateway.publicUrl !== 'string') {\n return patchError('gateway.publicUrl must be a string or null');\n } else {\n const validation = validatePublicUrl(body.gateway.publicUrl);\n if (validation.ok === false) {\n return patchError(`gateway.publicUrl: ${validation.message}`);\n }\n gw.publicUrl = validation.url;\n }\n }\n\n if (body.gateway?.corsOrigins !== undefined) {\n if (!Array.isArray(body.gateway.corsOrigins)) {\n return patchError('gateway.corsOrigins must be an array');\n }\n const gw = ensureGateway(config);\n gw.corsOrigins = body.gateway.corsOrigins\n .filter((x: unknown): x is string => typeof x === 'string' && x.trim().length > 0)\n .map((x: string) => x.trim());\n }\n\n if (body.gateway?.maxSseConnections !== undefined) {\n if (\n typeof body.gateway.maxSseConnections !== 'number' \|\|\n !Number.isFinite(body.gateway.maxSseConnections) \|\|\n body.gateway.maxSseConnections < 1\n ) {\n return patchError('gateway.maxSseConnections must be a positive integer');\n }\n if (!config.gateway) {\n config.gateway = {\n bind: 'loopback',\n port: 18790,\n heartbeat: { enabled: true, intervalMs: 1_800_000, includeSystemPromptSection: false },\n maxSseConnections: Math.floor(body.gateway.maxSseConnections),\n corsOrigins: [],\n };\n } else {\n config.gateway.maxSseConnections = Math.floor(body.gateway.maxSseConnections);\n }\n }\n\n if (body.gateway?.channelConnectDeferMode !== undefined) {\n const mode = body.gateway.channelConnectDeferMode;\n if (mode !== 'auto' && mode !== 'off' && mode !== 'explicit') {\n return patchError('gateway.channelConnectDeferMode must be auto, off, or explicit');\n }\n const gw = ensureGateway(config);\n gw.channelConnectDeferMode = mode;\n }\n\n if (body.gateway?.channelConnectDeferIds !== undefined) {\n const ids = parseDeferIdList(body.gateway.channelConnectDeferIds);\n if (ids === null) {\n return patchError('gateway.channelConnectDeferIds must be an array of up to 24 strings');\n }\n const gw = ensureGateway(config);\n gw.channelConnectDeferIds = ids;\n }\n\n if (body.gateway?.channelConnectDeferSkipIds !== undefined) {\n const ids = parseDeferIdList(body.gateway.channelConnectDeferSkipIds);\n if (ids === null) {\n return patchError('gateway.channelConnectDeferSkipIds must be an array of up to 24 strings');\n }\n const gw = ensureGateway(config);\n gw.channelConnectDeferSkipIds = ids;\n }\n\n return PATCH_OK;\n}\n"],"mappings":";;;;;;iBAiBqE;;;;;;AAUrE,SAAS,cAAc,QAAgD;AACrE,KAAI,CAAC,OAAO,QACV,QAAO,UAAU;EACf,MAAM;EACN,MAAM;EACN,WAAW;GAAE,SAAS;GAAM,YAAY;GAAW,4BAA4B;GAAO;EACtF,mBAAmB;EACnB,aAAa,EAAE;EAChB;AAEH,QAAO,OAAO;;AAGhB,SAAS,iBAAiB,KAA+B;AACvD,KAAI,CAAC,MAAM,QAAQ,IAAI,CAAE,QAAO;CAChC,MAAM,MAAM,IACT,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,MAAM,CAAC,SAAS,EAAE,CACxE,KAAK,MAAM,EAAE,MAAM,CAAC;AACvB,KAAI,IAAI,SAAS,GAAI,QAAO;AAC5B,QAAO;;AAGT,SAAgB,kBAAkB,QAAgB,MAAwB;AACxE,KAAI,KAAK,SAAS,cAAc,KAAA,KAAa,OAAO,KAAK,QAAQ,cAAc,UAAU;EACvF,MAAM,KAAK,cAAc,OAAO;AAChC,MAAI,CAAC,GAAG,UACN,IAAG,YAAY;GAAE,SAAS;GAAM,YAAY;GAAW,4BAA4B;GAAO;EAE5F,MAAM,IAAI,GAAG;EACb,MAAM,IAAI,KAAK,QAAQ;AACvB,MAAI,EAAE,YAAY,KAAA,EAAW,GAAE,UAAU,QAAQ,EAAE,QAAQ;AAC3D,MAAI,EAAE,eAAe,KAAA,KAAa,OAAO,EAAE,eAAe,YAAY,OAAO,SAAS,EAAE,WAAW,CACjG,GAAE,aAAa,EAAE;AAEnB,MAAI,EAAE,+BAA+B,KAAA,EACnC,GAAE,6BAA6B,QAAQ,EAAE,2BAA2B;AAEtE,MAAI,EAAE,WAAW,KAAA,EACf,KAAI,EAAE,WAAW,QAAQ,EAAE,WAAW,GAAI,QAAQ,EAA0B;MACtE,GAA0B,SAAS,OAAO,EAAE,OAAO;AAE3D,MAAI,EAAE,iBAAiB,KAAA,EACrB,KAAI,EAAE,iBAAiB,QAAQ,EAAE,iBAAiB,GAAI,QAAQ,EAAgC;MACxF,GAAgC,eAAe,OAAO,EAAE,aAAa;AAE7E,MAAI,EAAE,WAAW,KAAA,EACf,KAAI,EAAE,WAAW,QAAQ,EAAE,WAAW,GAAI,QAAQ,EAA0B;MACtE,GAA0B,SAAS,OAAO,EAAE,OAAO;AAE3D,MAAI,EAAE,gBAAgB,KAAA;OAChB,EAAE,gBAAgB,QAAQ,EAAE,gBAAgB,GAAI,QAAQ,EAA+B;YAClF,OAAO,EAAE,gBAAgB,YAAY,OAAO,SAAS,EAAE,YAAY,CACzE,GAA+B,cAAc,EAAE;;AAGpD,MAAI,EAAE,oBAAoB,KAAA,EACxB,KAAI,EAAE,oBAAoB,QAAQ,EAAE,oBAAoB,MACtD,QAAQ,EAAoC;MAE3C,GAAoC,kBAAkB,QAAQ,EAAE,gBAAgB;AAGrF,MAAI,EAAE,gBAAgB,KAAA;OAChB,EAAE,gBAAgB,KACpB,QAAQ,EAAgC;YAC/B,OAAO,EAAE,gBAAgB,YAAY,EAAE,gBAAgB,MAAM;IACtE,MAAM,KAAK,EAAE;IACb,MAAM,QAAQ,OAAO,GAAG,UAAU,WAAW,GAAG,QAAQ;IACxD,MAAM,MAAM,OAAO,GAAG,QAAQ,WAAW,GAAG,MAAM;AAClD,QAAI,SAAS,IACV,GAA0E,cAAc;KACvF;KACA;KACA,GAAI,OAAO,GAAG,aAAa,YAAY,GAAG,SAAS,MAAM,GAAG,EAAE,UAAU,GAAG,UAAU,GAAG,EAAE;KAC3F;QAED,QAAQ,EAAgC;;;;AAMhD,KAAI,KAAK,SAAS,SAAS,KAAA,GAAW;EACpC,MAAM,YAAY,IAAI,IAAI;GAAC;GAAQ;GAAY;GAAO;GAAW;GAAS,CAAC;EAC3E,MAAM,OAAO,KAAK,QAAQ;AAC1B,MAAI,OAAO,SAAS,YAAY,CAAC,UAAU,IAAI,KAAK,CAClD,QAAO,WAAW,oEAAoE;AAExF,MAAI,CAAC,OAAO,QACV,QAAO,UAAU;GACT;GACN,MAAM;GACN,WAAW;IAAE,SAAS;IAAM,YAAY;IAAW,4BAA4B;IAAO;GACtF,mBAAmB;GACnB,aAAa,EAAE;GAChB;MAED,QAAO,QAAQ,OAAO;AAExB,MAAI,SAAS,SACX,QAAO,OAAO,QAAQ;;AAI1B,KAAI,KAAK,SAAS,mBAAmB,KAAA;MAC/B,KAAK,QAAQ,mBAAmB,QAAQ,KAAK,QAAQ,mBAAmB;OACtE,OAAO,QACT,QAAO,OAAO,QAAQ;aAEf,OAAO,KAAK,QAAQ,mBAAmB,YAAY,CAAC,YAAY,KAAK,QAAQ,eAAe,MAAM,CAAC,CAC5G,QAAO,WAAW,sDAAsD;WAC/D,OAAO,SAAS;AACzB,UAAO,QAAQ,iBAAiB,KAAK,QAAQ,eAAe,MAAM;AAClE,UAAO,QAAQ,OAAO;;;AAI1B,KAAI,KAAK,SAAS,SAAS,KAAA,GAAW;AACpC,MACE,OAAO,KAAK,QAAQ,SAAS,YAC7B,CAAC,OAAO,SAAS,KAAK,QAAQ,KAAK,IACnC,KAAK,QAAQ,OAAO,KACpB,KAAK,QAAQ,OAAO,MAEpB,QAAO,WAAW,kDAAkD;AAEtE,MAAI,CAAC,OAAO,QACV,QAAO,UAAU;GACf,MAAM;GACN,MAAM,KAAK,MAAM,KAAK,QAAQ,KAAK;GACnC,WAAW;IAAE,SAAS;IAAM,YAAY;IAAW,4BAA4B;IAAO;GACtF,mBAAmB;GACnB,aAAa,EAAE;GAChB;MAED,QAAO,QAAQ,OAAO,KAAK,MAAM,KAAK,QAAQ,KAAK;;AAIvD,KAAI,KAAK,SAAS,cAAc,KAAA,KAAa,OAAO,KAAK,QAAQ,cAAc,UAAU;EACvF,MAAM,KAAK,KAAK,QAAQ;AACxB,MAAI,CAAC,OAAO,QACV,QAAO,UAAU;GACf,MAAM;GACN,MAAM;GACN,MAAM,EAAE,MAAM,SAAS;GACvB,WAAW;IAAE,SAAS;IAAM,YAAY;IAAW,4BAA4B;IAAO;GACtF,mBAAmB;GACnB,aAAa,EAAE;GAChB;AAEH,SAAO,QAAQ,YAAY,EACzB,GAAI,OAAO,QAAQ,aAAa;GAAE,MAAM;GAAO,aAAa;GAAM,EACnE;AACD,MAAI,GAAG,SAAS,KAAA,GAAW;AACzB,OAAI,GAAG,SAAS,SAAS,GAAG,SAAS,WAAW,GAAG,SAAS,SAC1D,QAAO,WAAW,uDAAuD;AAE3E,UAAO,QAAQ,UAAU,OAAO,GAAG;;AAErC,MAAI,GAAG,gBAAgB,KAAA,EACrB,QAAO,QAAQ,UAAU,cAAc,GAAG,gBAAgB;;AAI9D,KAAI,KAAK,SAAS,SAAS,KAAA,GAAW;EACpC,MAAM,KAAK,cAAc,OAAO;AAChC,MAAI,CAAC,GAAG,KAAM,IAAG,OAAO,EAAE,MAAM,SAAS;EACzC,MAAM,IAAI,KAAK,QAAQ;AACvB,MAAI,EAAE,SAAS,KAAA,GAAW;AACxB,OACE,EAAE,SAAS,UACX,EAAE,SAAS,WACX,EAAE,SAAS,cACX,EAAE,SAAS,gBAEX,QAAO,WAAW,oEAAoE;AAExF,MAAG,KAAK,OAAO,EAAE;;AAEnB,MAAI,EAAE,UAAU,KAAA;OACV,EAAE,UAAU,QAAS,OAAO,EAAE,UAAU,YAAY,CAAC,EAAE,MAAM,MAAM,CACrE,QAAO,GAAG,KAAK;YACN,OAAO,EAAE,UAAU,YAAY,CAAC,yBAAyB,EAAE,MAAM,CAC1E,IAAG,KAAK,QAAQ,EAAE;;AAGtB,MAAI,EAAE,aAAa,KAAA;OACb,EAAE,aAAa,QAAS,OAAO,EAAE,aAAa,YAAY,CAAC,EAAE,SAAS,MAAM,CAC9E,QAAO,GAAG,KAAK;YACN,OAAO,EAAE,aAAa,YAAY,CAAC,yBAAyB,EAAE,SAAS,CAChF,IAAG,KAAK,WAAW,EAAE;;AAGzB,MAAI,EAAE,cAAc,KAAA,KAAa,OAAO,EAAE,cAAc,YAAY,EAAE,cAAc,MAAM;GACxF,MAAM,OAAO,EAAE;AACf,OAAI,CAAC,GAAG,KAAK,UACX,IAAG,KAAK,YAAY;IAClB,SAAS;IACT,aAAa;IACb,UAAU;IACV,iBAAiB;IACjB,iBAAiB;IACjB,gBAAgB;IACjB;GAEH,MAAM,KAAK,GAAG,KAAK;AACnB,OAAI,KAAK,YAAY,KAAA,EAAW,IAAG,UAAU,QAAQ,KAAK,QAAQ;AAClE,OAAI,OAAO,KAAK,gBAAgB,YAAY,OAAO,SAAS,KAAK,YAAY,CAC3E,IAAG,cAAc,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,YAAY,CAAC;AAE5D,OAAI,OAAO,KAAK,aAAa,YAAY,OAAO,SAAS,KAAK,SAAS,IAAI,KAAK,WAAW,EACzF,IAAG,WAAW,KAAK,MAAM,KAAK,SAAS;AAEzC,OACE,OAAO,KAAK,oBAAoB,YAChC,OAAO,SAAS,KAAK,gBAAgB,IACrC,KAAK,kBAAkB,EAEvB,IAAG,kBAAkB,KAAK,MAAM,KAAK,gBAAgB;AAEvD,OACE,OAAO,KAAK,cAAc,YAC1B,OAAO,SAAS,KAAK,UAAU,IAC/B,KAAK,YAAY,EAEjB,IAAG,kBAAkB,KAAK,MAAM,KAAK,UAAU;AAEjD,OAAI,KAAK,mBAAmB,KAAA,EAC1B,IAAG,iBAAiB,QAAQ,KAAK,eAAe;;AAGpD,MAAI,EAAE,iBAAiB,KAAA;OACjB,EAAE,iBAAiB,KACrB,QAAO,GAAG,KAAK;YACN,OAAO,EAAE,iBAAiB,YAAY,EAAE,iBAAiB,MAAM;IACxE,MAAM,OAAO,EAAE;IACf,MAAM,aACJ,OAAO,KAAK,eAAe,WAAW,KAAK,WAAW,MAAM,GAAG;AACjE,QAAI,CAAC,WACH,QAAO,WAAW,mDAAmD;IAEvE,MAAM,eAA8D,EAClE,YACD;AACD,QAAI,KAAK,oBAAoB,KAAA,GAAW;AACtC,SAAI,CAAC,MAAM,QAAQ,KAAK,gBAAgB,CACtC,QAAO,WAAW,6DAA6D;AAEjF,kBAAa,kBAAkB,KAAK,gBACjC,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,MAAM,CAAC,SAAS,EAAE,CACxE,KAAK,MAAM,EAAE,MAAM,CAAC;;AAEzB,QAAI,KAAK,eAAe,KAAA,GAAW;AACjC,SAAI,CAAC,MAAM,QAAQ,KAAK,WAAW,CACjC,QAAO,WAAW,wDAAwD;AAE5E,kBAAa,aAAa,KAAK,WAC5B,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,MAAM,CAAC,SAAS,EAAE,CACxE,KAAK,MAAM,EAAE,MAAM,CAAC;;AAEzB,QAAI,KAAK,kBAAkB,KAAA,EACzB,cAAa,gBAAgB,QAAQ,KAAK,cAAc;AAE1D,OAAG,KAAK,eAAe;;;;AAK7B,KAAI,KAAK,SAAS,mBAAmB,KAAA,GAAW;AAC9C,MAAI,CAAC,MAAM,QAAQ,KAAK,QAAQ,eAAe,CAC7C,QAAO,WAAW,0CAA0C;EAE9D,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,iBAAiB,KAAK,QAAQ,eAC9B,QAAQ,MAA4B,OAAO,MAAM,YAAY,EAAE,MAAM,CAAC,SAAS,EAAE,CACjF,KAAK,MAAc,EAAE,MAAM,CAAC;;AAGjC,KAAI,KAAK,SAAS,wBAAwB,KAAA,GAAW;EACnD,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,sBAAsB,QAAQ,KAAK,QAAQ,oBAAoB;;AAGpE,KAAI,KAAK,SAAS,6CAA6C,KAAA,GAAW;EACxE,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,2CAA2C,QAC5C,KAAK,QAAQ,yCACd;;AAGH,KAAI,KAAK,SAAS,aAAa,KAAA,GAAW;AACxC,MAAI,OAAO,KAAK,QAAQ,aAAa,YAAY,KAAK,QAAQ,aAAa,KACzE,QAAO,WAAW,qCAAqC;EAEzD,MAAM,KAAK,cAAc,OAAO;EAChC,MAAM,QAAQ,KAAK,QAAQ;AAC3B,MAAI,CAAC,GAAG,SACN,IAAG,WAAW,EAAE;AAElB,MAAI,MAAM,WAAW,KAAA,EACnB,IAAG,SAAS,SAAS,QAAQ,MAAM,OAAO;;AAI9C,KAAI,KAAK,SAAS,UAAU,KAAA,GAAW;AACrC,MAAI,OAAO,KAAK,QAAQ,UAAU,YAAY,KAAK,QAAQ,UAAU,QAAQ,MAAM,QAAQ,KAAK,QAAQ,MAAM,CAC5G,QAAO,WAAW,kCAAkC;EAEtD,MAAM,cAAc,sBAAsB,QAAQ,KAAK,QAAQ,MAAiC;AAChG,MAAI,YAAY,OAAO,MACrB,QAAO,WAAW,YAAY,QAAQ;;AAI1C,KAAI,KAAK,SAAS,cAAc,KAAA,GAAW;EACzC,MAAM,KAAK,cAAc,OAAO;AAChC,MAAI,KAAK,QAAQ,cAAc,QAAQ,KAAK,QAAQ,cAAc,GAChE,QAAO,GAAG;WACD,OAAO,KAAK,QAAQ,cAAc,SAC3C,QAAO,WAAW,6CAA6C;OAC1D;GACL,MAAM,aAAa,kBAAkB,KAAK,QAAQ,UAAU;AAC5D,OAAI,WAAW,OAAO,MACpB,QAAO,WAAW,sBAAsB,WAAW,UAAU;AAE/D,MAAG,YAAY,WAAW;;;AAI9B,KAAI,KAAK,SAAS,gBAAgB,KAAA,GAAW;AAC3C,MAAI,CAAC,MAAM,QAAQ,KAAK,QAAQ,YAAY,CAC1C,QAAO,WAAW,uCAAuC;EAE3D,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,cAAc,KAAK,QAAQ,YAC3B,QAAQ,MAA4B,OAAO,MAAM,YAAY,EAAE,MAAM,CAAC,SAAS,EAAE,CACjF,KAAK,MAAc,EAAE,MAAM,CAAC;;AAGjC,KAAI,KAAK,SAAS,sBAAsB,KAAA,GAAW;AACjD,MACE,OAAO,KAAK,QAAQ,sBAAsB,YAC1C,CAAC,OAAO,SAAS,KAAK,QAAQ,kBAAkB,IAChD,KAAK,QAAQ,oBAAoB,EAEjC,QAAO,WAAW,uDAAuD;AAE3E,MAAI,CAAC,OAAO,QACV,QAAO,UAAU;GACf,MAAM;GACN,MAAM;GACN,WAAW;IAAE,SAAS;IAAM,YAAY;IAAW,4BAA4B;IAAO;GACtF,mBAAmB,KAAK,MAAM,KAAK,QAAQ,kBAAkB;GAC7D,aAAa,EAAE;GAChB;MAED,QAAO,QAAQ,oBAAoB,KAAK,MAAM,KAAK,QAAQ,kBAAkB;;AAIjF,KAAI,KAAK,SAAS,4BAA4B,KAAA,GAAW;EACvD,MAAM,OAAO,KAAK,QAAQ;AAC1B,MAAI,SAAS,UAAU,SAAS,SAAS,SAAS,WAChD,QAAO,WAAW,iEAAiE;EAErF,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,0BAA0B;;AAG/B,KAAI,KAAK,SAAS,2BAA2B,KAAA,GAAW;EACtD,MAAM,MAAM,iBAAiB,KAAK,QAAQ,uBAAuB;AACjE,MAAI,QAAQ,KACV,QAAO,WAAW,sEAAsE;EAE1F,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,yBAAyB;;AAG9B,KAAI,KAAK,SAAS,+BAA+B,KAAA,GAAW;EAC1D,MAAM,MAAM,iBAAiB,KAAK,QAAQ,2BAA2B;AACrE,MAAI,QAAQ,KACV,QAAO,WAAW,0EAA0E;EAE9F,MAAM,KAAK,cAAc,OAAO;AAChC,KAAG,6BAA6B;;AAGlC,QAAO"}

package/dist/src/gateway/hono/routes/config-patch/misc.js CHANGED Viewed

@@ -1,5 +1,5 @@
-import { CredentialResolver, init_credentials } from "../../../../auth/credentials.js";
 import { BindingsConfigSchema, McpConfigSchema, init_schema } from "../../../../config/schema.js";
+import { CredentialResolver, init_credentials } from "../../../../auth/credentials.js";
 import { canonicalizeConfiguredMcpServer } from "../../../../config/mcp-config-normalize.js";
 import { mergeCronConfigPatch, mergeGatewaySkillsMarketplacePatch, mergeGoalsConfigPatch, mergeSessionConfigPatch, mergeUpdateConfigPatch } from "../../../../config/web-patch.js";
 import { assertGatewayAuthConfigured, resolveGatewayAuth } from "../../../auth.js";

package/dist/src/gateway/hono/routes/connectors.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Hono } from 'hono';
+import type { AuthenticatedRouteDeps } from './deps.js';
+export declare function registerConnectorRoutes(authenticated: Hono, deps: AuthenticatedRouteDeps): void;

package/dist/src/gateway/hono/routes/connectors.js ADDED Viewed

@@ -0,0 +1,177 @@
+import { listConnectorProviders } from "../../../connectors/providers.js";
+import { getConnectorDefinition, listConnectorCatalog } from "../../../connectors/catalog.js";
+import { recordConnectorHealthUsage } from "../../../connectors/usage.js";
+import { getConnectorInstance, listConnectorInstances } from "../../../connectors/instances.js";
+import { testConnectorInstance } from "../../../connectors/health.js";
+import { completeConnectorOAuth, startConnectorOAuth } from "../../../connectors/oauth.js";
+import { installConnector, uninstallConnector } from "../../../connectors/install.js";
+//#region src/gateway/hono/routes/connectors.ts
+function errorMessage(error) {
+	return error instanceof Error ? error.message : String(error);
+}
+function registerConnectorRoutes(authenticated, deps) {
+	const { service, strictRateLimitMiddleware } = deps;
+	authenticated.get("/api/connectors/catalog", (c) => {
+		return c.json({
+			ok: true,
+			payload: {
+				connectors: listConnectorCatalog(),
+				providers: listConnectorProviders().map((provider) => ({
+					id: provider.id,
+					displayName: provider.displayName
+				}))
+			}
+		});
+	});
+	authenticated.get("/api/connectors/installed", (c) => {
+		const config = service.currentConfig;
+		return c.json({
+			ok: true,
+			payload: { instances: listConnectorInstances(config) }
+		});
+	});
+	authenticated.get("/api/connectors/:id", (c) => {
+		const connectorId = c.req.param("id");
+		const connector = getConnectorDefinition(connectorId);
+		if (!connector) return c.json({
+			ok: false,
+			error: `Unknown connector: ${connectorId}`
+		}, 404);
+		const config = service.currentConfig;
+		const instances = listConnectorInstances(config).filter((instance) => instance.connectorId === connectorId);
+		return c.json({
+			ok: true,
+			payload: {
+				connector,
+				instances
+			}
+		});
+	});
+	authenticated.post("/api/connectors/approvals/respond", async (c) => {
+		const body = await c.req.json().catch(() => ({}));
+		return c.json({
+			ok: true,
+			payload: {
+				acknowledged: true,
+				body
+			}
+		});
+	});
+	authenticated.post("/api/connectors/:id/oauth/start", strictRateLimitMiddleware, async (c) => {
+		const connectorId = c.req.param("id");
+		const connector = getConnectorDefinition(connectorId);
+		if (!connector) return c.json({
+			ok: false,
+			error: `Unknown connector: ${connectorId}`
+		}, 404);
+		try {
+			const oauth = await startConnectorOAuth(connector);
+			return c.json({
+				ok: true,
+				payload: { oauth }
+			});
+		} catch (error) {
+			return c.json({
+				ok: false,
+				error: errorMessage(error)
+			}, 400);
+		}
+	});
+	authenticated.post("/api/connectors/:id/oauth/complete", strictRateLimitMiddleware, async (c) => {
+		const connectorId = c.req.param("id");
+		const connector = getConnectorDefinition(connectorId);
+		if (!connector) return c.json({
+			ok: false,
+			error: `Unknown connector: ${connectorId}`
+		}, 404);
+		const body = await c.req.json().catch(() => ({}));
+		const deviceCode = body && typeof body === "object" && !Array.isArray(body) && typeof body.deviceCode === "string" ? body.deviceCode : "";
+		try {
+			const oauth = await completeConnectorOAuth(connector, { deviceCode });
+			return c.json({
+				ok: true,
+				payload: { oauth }
+			});
+		} catch (error) {
+			return c.json({
+				ok: false,
+				error: errorMessage(error)
+			}, 400);
+		}
+	});
+	authenticated.post("/api/connectors/:id/install", strictRateLimitMiddleware, async (c) => {
+		const connectorId = c.req.param("id");
+		const body = await c.req.json().catch(() => ({}));
+		const input = body && typeof body === "object" && !Array.isArray(body) ? body : {};
+		const config = service.currentConfig;
+		try {
+			const instance = await installConnector(config, connectorId, input);
+			const saved = await service.saveConfig(config);
+			if (!saved.saved) return c.json({
+				ok: false,
+				error: saved.error
+			}, 500);
+			return c.json({
+				ok: true,
+				payload: { instance }
+			});
+		} catch (error) {
+			return c.json({
+				ok: false,
+				error: errorMessage(error)
+			}, 400);
+		}
+	});
+	authenticated.post("/api/connectors/:id/test", async (c) => {
+		const instanceId = c.req.param("id");
+		const config = service.currentConfig;
+		const instance = getConnectorInstance(config, instanceId);
+		if (!instance) return c.json({
+			ok: false,
+			error: `Connector instance not found: ${instanceId}`
+		}, 404);
+		try {
+			const result = await testConnectorInstance(config, instance.materialized.serverId);
+			recordConnectorHealthUsage(config, instance.instanceId, result);
+			const saved = await service.saveConfig(config);
+			if (!saved.saved) return c.json({
+				ok: false,
+				error: saved.error
+			}, 500);
+			return c.json({
+				ok: true,
+				payload: result
+			});
+		} catch (error) {
+			return c.json({
+				ok: false,
+				error: errorMessage(error)
+			}, 500);
+		}
+	});
+	authenticated.delete("/api/connectors/:id", strictRateLimitMiddleware, async (c) => {
+		const instanceId = c.req.param("id");
+		const config = service.currentConfig;
+		try {
+			const instance = uninstallConnector(config, instanceId);
+			const saved = await service.saveConfig(config);
+			if (!saved.saved) return c.json({
+				ok: false,
+				error: saved.error
+			}, 500);
+			return c.json({
+				ok: true,
+				payload: { instance }
+			});
+		} catch (error) {
+			return c.json({
+				ok: false,
+				error: errorMessage(error)
+			}, 400);
+		}
+	});
+}
+//#endregion
+export { registerConnectorRoutes };
+//# sourceMappingURL=connectors.js.map

package/dist/src/gateway/hono/routes/connectors.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"connectors.js","names":[],"sources":["../../../../../src/gateway/hono/routes/connectors.ts"],"sourcesContent":["import type { Hono } from 'hono';\n\nimport type { Config } from '../../../config/schema.js';\nimport { getConnectorDefinition, listConnectorCatalog, listConnectorProviders } from '../../../connectors/catalog.js';\nimport { testConnectorInstance } from '../../../connectors/health.js';\nimport { installConnector, uninstallConnector } from '../../../connectors/install.js';\nimport { getConnectorInstance, listConnectorInstances } from '../../../connectors/instances.js';\nimport { startConnectorOAuth, completeConnectorOAuth } from '../../../connectors/oauth.js';\nimport { recordConnectorHealthUsage } from '../../../connectors/usage.js';\nimport type { ConnectorInstallInput } from '../../../connectors/types.js';\nimport type { AuthenticatedRouteDeps } from './deps.js';\n\nfunction errorMessage(error: unknown): string {\n return error instanceof Error ? error.message : String(error);\n}\n\nexport function registerConnectorRoutes(authenticated: Hono, deps: AuthenticatedRouteDeps): void {\n const { service, strictRateLimitMiddleware } = deps;\n\n authenticated.get('/api/connectors/catalog', (c) => {\n return c.json({\n ok: true,\n payload: {\n connectors: listConnectorCatalog(),\n providers: listConnectorProviders().map((provider) => ({\n id: provider.id,\n displayName: provider.displayName,\n })),\n },\n });\n });\n\n authenticated.get('/api/connectors/installed', (c) => {\n const config = service.currentConfig as Config;\n return c.json({ ok: true, payload: { instances: listConnectorInstances(config) } });\n });\n\n authenticated.get('/api/connectors/:id', (c) => {\n const connectorId = c.req.param('id');\n const connector = getConnectorDefinition(connectorId);\n if (!connector) {\n return c.json({ ok: false, error: `Unknown connector: ${connectorId}` }, 404);\n }\n const config = service.currentConfig as Config;\n const instances = listConnectorInstances(config).filter((instance) => instance.connectorId === connectorId);\n return c.json({ ok: true, payload: { connector, instances } });\n });\n\n authenticated.post('/api/connectors/approvals/respond', async (c) => {\n const body = await c.req.json().catch(() => ({}));\n return c.json({ ok: true, payload: { acknowledged: true, body } });\n });\n\n authenticated.post('/api/connectors/:id/oauth/start', strictRateLimitMiddleware, async (c) => {\n const connectorId = c.req.param('id');\n const connector = getConnectorDefinition(connectorId);\n if (!connector) {\n return c.json({ ok: false, error: `Unknown connector: ${connectorId}` }, 404);\n }\n try {\n const oauth = await startConnectorOAuth(connector);\n return c.json({ ok: true, payload: { oauth } });\n } catch (error) {\n return c.json({ ok: false, error: errorMessage(error) }, 400);\n }\n });\n\n authenticated.post('/api/connectors/:id/oauth/complete', strictRateLimitMiddleware, async (c) => {\n const connectorId = c.req.param('id');\n const connector = getConnectorDefinition(connectorId);\n if (!connector) {\n return c.json({ ok: false, error: `Unknown connector: ${connectorId}` }, 404);\n }\n const body = await c.req.json().catch(() => ({}));\n const deviceCode = body && typeof body === 'object' && !Array.isArray(body) && typeof body.deviceCode === 'string'\n ? body.deviceCode\n : '';\n try {\n const oauth = await completeConnectorOAuth(connector, { deviceCode });\n return c.json({ ok: true, payload: { oauth } });\n } catch (error) {\n return c.json({ ok: false, error: errorMessage(error) }, 400);\n }\n });\n\n authenticated.post('/api/connectors/:id/install', strictRateLimitMiddleware, async (c) => {\n const connectorId = c.req.param('id');\n const body = await c.req.json().catch(() => ({}));\n const input: ConnectorInstallInput = body && typeof body === 'object' && !Array.isArray(body) ? body : {};\n const config = service.currentConfig as Config;\n try {\n const instance = await installConnector(config, connectorId, input);\n const saved = await service.saveConfig(config);\n if (!saved.saved) {\n return c.json({ ok: false, error: saved.error }, 500);\n }\n return c.json({ ok: true, payload: { instance } });\n } catch (error) {\n return c.json({ ok: false, error: errorMessage(error) }, 400);\n }\n });\n\n authenticated.post('/api/connectors/:id/test', async (c) => {\n const instanceId = c.req.param('id');\n const config = service.currentConfig as Config;\n const instance = getConnectorInstance(config, instanceId);\n if (!instance) {\n return c.json({ ok: false, error: `Connector instance not found: ${instanceId}` }, 404);\n }\n try {\n const result = await testConnectorInstance(config, instance.materialized.serverId);\n recordConnectorHealthUsage(config, instance.instanceId, result);\n const saved = await service.saveConfig(config);\n if (!saved.saved) {\n return c.json({ ok: false, error: saved.error }, 500);\n }\n return c.json({ ok: true, payload: result });\n } catch (error) {\n return c.json({ ok: false, error: errorMessage(error) }, 500);\n }\n });\n\n authenticated.delete('/api/connectors/:id', strictRateLimitMiddleware, async (c) => {\n const instanceId = c.req.param('id');\n const config = service.currentConfig as Config;\n try {\n const instance = uninstallConnector(config, instanceId);\n const saved = await service.saveConfig(config);\n if (!saved.saved) {\n return c.json({ ok: false, error: saved.error }, 500);\n }\n return c.json({ ok: true, payload: { instance } });\n } catch (error) {\n return c.json({ ok: false, error: errorMessage(error) }, 400);\n }\n });\n}\n"],"mappings":";;;;;;;;AAYA,SAAS,aAAa,OAAwB;AAC5C,QAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;;AAG/D,SAAgB,wBAAwB,eAAqB,MAAoC;CAC/F,MAAM,EAAE,SAAS,8BAA8B;AAE/C,eAAc,IAAI,4BAA4B,MAAM;AAClD,SAAO,EAAE,KAAK;GACZ,IAAI;GACJ,SAAS;IACP,YAAY,sBAAsB;IAClC,WAAW,wBAAwB,CAAC,KAAK,cAAc;KACrD,IAAI,SAAS;KACb,aAAa,SAAS;KACvB,EAAE;IACJ;GACF,CAAC;GACF;AAEF,eAAc,IAAI,8BAA8B,MAAM;EACpD,MAAM,SAAS,QAAQ;AACvB,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS,EAAE,WAAW,uBAAuB,OAAO,EAAE;GAAE,CAAC;GACnF;AAEF,eAAc,IAAI,wBAAwB,MAAM;EAC9C,MAAM,cAAc,EAAE,IAAI,MAAM,KAAK;EACrC,MAAM,YAAY,uBAAuB,YAAY;AACrD,MAAI,CAAC,UACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,sBAAsB;GAAe,EAAE,IAAI;EAE/E,MAAM,SAAS,QAAQ;EACvB,MAAM,YAAY,uBAAuB,OAAO,CAAC,QAAQ,aAAa,SAAS,gBAAgB,YAAY;AAC3G,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS;IAAE;IAAW;IAAW;GAAE,CAAC;GAC9D;AAEF,eAAc,KAAK,qCAAqC,OAAO,MAAM;EACnE,MAAM,OAAO,MAAM,EAAE,IAAI,MAAM,CAAC,aAAa,EAAE,EAAE;AACjD,SAAO,EAAE,KAAK;GAAE,IAAI;GAAM,SAAS;IAAE,cAAc;IAAM;IAAM;GAAE,CAAC;GAClE;AAEF,eAAc,KAAK,mCAAmC,2BAA2B,OAAO,MAAM;EAC5F,MAAM,cAAc,EAAE,IAAI,MAAM,KAAK;EACrC,MAAM,YAAY,uBAAuB,YAAY;AACrD,MAAI,CAAC,UACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,sBAAsB;GAAe,EAAE,IAAI;AAE/E,MAAI;GACF,MAAM,QAAQ,MAAM,oBAAoB,UAAU;AAClD,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS,EAAE,OAAO;IAAE,CAAC;WACxC,OAAO;AACd,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,aAAa,MAAM;IAAE,EAAE,IAAI;;GAE/D;AAEF,eAAc,KAAK,sCAAsC,2BAA2B,OAAO,MAAM;EAC/F,MAAM,cAAc,EAAE,IAAI,MAAM,KAAK;EACrC,MAAM,YAAY,uBAAuB,YAAY;AACrD,MAAI,CAAC,UACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,sBAAsB;GAAe,EAAE,IAAI;EAE/E,MAAM,OAAO,MAAM,EAAE,IAAI,MAAM,CAAC,aAAa,EAAE,EAAE;EACjD,MAAM,aAAa,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,QAAQ,KAAK,IAAI,OAAO,KAAK,eAAe,WACtG,KAAK,aACL;AACJ,MAAI;GACF,MAAM,QAAQ,MAAM,uBAAuB,WAAW,EAAE,YAAY,CAAC;AACrE,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS,EAAE,OAAO;IAAE,CAAC;WACxC,OAAO;AACd,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,aAAa,MAAM;IAAE,EAAE,IAAI;;GAE/D;AAEF,eAAc,KAAK,+BAA+B,2BAA2B,OAAO,MAAM;EACxF,MAAM,cAAc,EAAE,IAAI,MAAM,KAAK;EACrC,MAAM,OAAO,MAAM,EAAE,IAAI,MAAM,CAAC,aAAa,EAAE,EAAE;EACjD,MAAM,QAA+B,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,QAAQ,KAAK,GAAG,OAAO,EAAE;EACzG,MAAM,SAAS,QAAQ;AACvB,MAAI;GACF,MAAM,WAAW,MAAM,iBAAiB,QAAQ,aAAa,MAAM;GACnE,MAAM,QAAQ,MAAM,QAAQ,WAAW,OAAO;AAC9C,OAAI,CAAC,MAAM,MACT,QAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,MAAM;IAAO,EAAE,IAAI;AAEvD,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS,EAAE,UAAU;IAAE,CAAC;WAC3C,OAAO;AACd,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,aAAa,MAAM;IAAE,EAAE,IAAI;;GAE/D;AAEF,eAAc,KAAK,4BAA4B,OAAO,MAAM;EAC1D,MAAM,aAAa,EAAE,IAAI,MAAM,KAAK;EACpC,MAAM,SAAS,QAAQ;EACvB,MAAM,WAAW,qBAAqB,QAAQ,WAAW;AACzD,MAAI,CAAC,SACH,QAAO,EAAE,KAAK;GAAE,IAAI;GAAO,OAAO,iCAAiC;GAAc,EAAE,IAAI;AAEzF,MAAI;GACF,MAAM,SAAS,MAAM,sBAAsB,QAAQ,SAAS,aAAa,SAAS;AAClF,8BAA2B,QAAQ,SAAS,YAAY,OAAO;GAC/D,MAAM,QAAQ,MAAM,QAAQ,WAAW,OAAO;AAC9C,OAAI,CAAC,MAAM,MACT,QAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,MAAM;IAAO,EAAE,IAAI;AAEvD,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS;IAAQ,CAAC;WACrC,OAAO;AACd,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,aAAa,MAAM;IAAE,EAAE,IAAI;;GAE/D;AAEF,eAAc,OAAO,uBAAuB,2BAA2B,OAAO,MAAM;EAClF,MAAM,aAAa,EAAE,IAAI,MAAM,KAAK;EACpC,MAAM,SAAS,QAAQ;AACvB,MAAI;GACF,MAAM,WAAW,mBAAmB,QAAQ,WAAW;GACvD,MAAM,QAAQ,MAAM,QAAQ,WAAW,OAAO;AAC9C,OAAI,CAAC,MAAM,MACT,QAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,MAAM;IAAO,EAAE,IAAI;AAEvD,UAAO,EAAE,KAAK;IAAE,IAAI;IAAM,SAAS,EAAE,UAAU;IAAE,CAAC;WAC3C,OAAO;AACd,UAAO,EAAE,KAAK;IAAE,IAAI;IAAO,OAAO,aAAa,MAAM;IAAE,EAAE,IAAI;;GAE/D"}

package/dist/src/gateway/hono/routes/dreaming.js CHANGED Viewed

@@ -5,8 +5,8 @@ import { getWorkspacePath } from "../../../config/workspace-path-helpers.js";
 import { parseDreamingLastRunFile } from "../../../agent/memory/dreaming/last-run.js";
 import { readDreamingEvents } from "../../../agent/memory/dreaming/events.js";
 import { previewDreamingDeepPromotion } from "../../../agent/memory/dreaming/preview.js";
-import fs from "node:fs/promises";
 import path from "node:path";
+import fs from "node:fs/promises";
 //#region src/gateway/hono/routes/dreaming.ts
 function isRecord(v) {
 	return v !== null && typeof v === "object" && !Array.isArray(v);

package/dist/src/gateway/hono/routes/home.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { Hono } from 'hono';
+import type { AuthenticatedRouteDeps } from './deps.js';
+/**
+ * GET /api/home — Aggregated home screen data for the mobile app.
+ *
+ * Returns:
+ *   - recentlyOpened: notes sorted by lastOpenedAt (continue rail)
+ *   - inboxCount: number of notes with status === 'inbox'
+ *   - pendingTasks: task notes where done === false
+ *   - recentSessions: last 5 active AI sessions (threads)
+ */
+export declare function registerHomeRoutes(authenticated: Hono, deps: AuthenticatedRouteDeps): void;

package/dist/src/gateway/hono/routes/home.js ADDED Viewed

@@ -0,0 +1,50 @@
+//#region src/gateway/hono/routes/home.ts
+/**
+* GET /api/home — Aggregated home screen data for the mobile app.
+*
+* Returns:
+*   - recentlyOpened: notes sorted by lastOpenedAt (continue rail)
+*   - inboxCount: number of notes with status === 'inbox'
+*   - pendingTasks: task notes where done === false
+*   - recentSessions: last 5 active AI sessions (threads)
+*/
+function registerHomeRoutes(authenticated, deps) {
+	const { service } = deps;
+	authenticated.get("/api/home", async (c) => {
+		const notes = service.notesServiceInstance;
+		const sessions = service.sessions;
+		const [recentlyOpened, inbox, pendingTasks, recentSessions] = await Promise.all([
+			notes.listNotes({
+				sortBy: "lastOpenedAt",
+				sortOrder: "desc",
+				limit: 10
+			}),
+			notes.listNotes({
+				status: "inbox",
+				limit: 0
+			}),
+			notes.listNotes({
+				pendingTasksOnly: true,
+				sortBy: "createdAt",
+				sortOrder: "desc",
+				limit: 10
+			}),
+			sessions.listSessions({
+				sortBy: "updatedAt",
+				sortOrder: "desc",
+				limit: 5
+			})
+		]);
+		return c.json({
+			recentlyOpened: recentlyOpened.items.filter((n) => n.lastOpenedAt),
+			inboxCount: inbox.total,
+			pendingTasks: pendingTasks.items,
+			pendingTaskCount: pendingTasks.total,
+			recentSessions: recentSessions.items
+		});
+	});
+}
+//#endregion
+export { registerHomeRoutes };
+//# sourceMappingURL=home.js.map

package/dist/src/gateway/hono/routes/home.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"home.js","names":[],"sources":["../../../../../src/gateway/hono/routes/home.ts"],"sourcesContent":["import type { Hono } from 'hono';\n\nimport type { AuthenticatedRouteDeps } from './deps.js';\n\n/**\n * GET /api/home — Aggregated home screen data for the mobile app.\n *\n * Returns:\n * - recentlyOpened: notes sorted by lastOpenedAt (continue rail)\n * - inboxCount: number of notes with status === 'inbox'\n * - pendingTasks: task notes where done === false\n * - recentSessions: last 5 active AI sessions (threads)\n */\nexport function registerHomeRoutes(authenticated: Hono, deps: AuthenticatedRouteDeps): void {\n const { service } = deps;\n\n authenticated.get('/api/home', async (c) => {\n const notes = service.notesServiceInstance;\n const sessions = service.sessions;\n\n const [recentlyOpened, inbox, pendingTasks, recentSessions] = await Promise.all([\n notes.listNotes({ sortBy: 'lastOpenedAt', sortOrder: 'desc', limit: 10 }),\n notes.listNotes({ status: 'inbox', limit: 0 }),\n notes.listNotes({ pendingTasksOnly: true, sortBy: 'createdAt', sortOrder: 'desc', limit: 10 }),\n sessions.listSessions({ sortBy: 'updatedAt', sortOrder: 'desc', limit: 5 }),\n ]);\n\n return c.json({\n recentlyOpened: recentlyOpened.items.filter((n) => n.lastOpenedAt),\n inboxCount: inbox.total,\n pendingTasks: pendingTasks.items,\n pendingTaskCount: pendingTasks.total,\n recentSessions: recentSessions.items,\n });\n });\n}\n"],"mappings":";;;;;;;;;;AAaA,SAAgB,mBAAmB,eAAqB,MAAoC;CAC1F,MAAM,EAAE,YAAY;AAEpB,eAAc,IAAI,aAAa,OAAO,MAAM;EAC1C,MAAM,QAAQ,QAAQ;EACtB,MAAM,WAAW,QAAQ;EAEzB,MAAM,CAAC,gBAAgB,OAAO,cAAc,kBAAkB,MAAM,QAAQ,IAAI;GAC9E,MAAM,UAAU;IAAE,QAAQ;IAAgB,WAAW;IAAQ,OAAO;IAAI,CAAC;GACzE,MAAM,UAAU;IAAE,QAAQ;IAAS,OAAO;IAAG,CAAC;GAC9C,MAAM,UAAU;IAAE,kBAAkB;IAAM,QAAQ;IAAa,WAAW;IAAQ,OAAO;IAAI,CAAC;GAC9F,SAAS,aAAa;IAAE,QAAQ;IAAa,WAAW;IAAQ,OAAO;IAAG,CAAC;GAC5E,CAAC;AAEF,SAAO,EAAE,KAAK;GACZ,gBAAgB,eAAe,MAAM,QAAQ,MAAM,EAAE,aAAa;GAClE,YAAY,MAAM;GAClB,cAAc,aAAa;GAC3B,kBAAkB,aAAa;GAC/B,gBAAgB,eAAe;GAChC,CAAC;GACF"}

package/dist/src/gateway/hono/routes/host-fs.js CHANGED Viewed

@@ -1,8 +1,8 @@
 import { createLogger } from "../../../utils/logger/index.js";
 import { init_logger } from "../../../utils/logger.js";
-import { readdir, realpath, stat } from "node:fs/promises";
-import * as path$1 from "node:path";
 import * as os$1 from "node:os";
+import * as path$1 from "node:path";
+import { readdir, realpath, stat } from "node:fs/promises";
 //#region src/gateway/hono/routes/host-fs.ts
 init_logger();
 const log = createLogger("HostFs");

package/dist/src/gateway/hono/routes/lazy-bundles.js CHANGED Viewed

@@ -126,6 +126,22 @@ const AUTHENTICATED_LAZY_ROUTE_BUNDLES = [
 			return { register: registerGoalsRoutes };
 		}
 	},
+	{
+		id: "notes",
+		match: (path) => startsWithAny(path, ["/api/notes"]),
+		load: async () => {
+			const { registerNotesRoutes } = await import("./notes.js");
+			return { register: registerNotesRoutes };
+		}
+	},
+	{
+		id: "home",
+		match: (path) => startsWithAny(path, ["/api/home"]),
+		load: async () => {
+			const { registerHomeRoutes } = await import("./home.js");
+			return { register: registerHomeRoutes };
+		}
+	},
 	{
 		id: "workflows",
 		match: (path) => startsWithAny(path, ["/api/workflows"]),
@@ -199,11 +215,11 @@ const AUTHENTICATED_LAZY_ROUTE_BUNDLES = [
 		}
 	},
 	{
-		id: "mcp",
-		match: (path) => startsWithAny(path, ["/api/mcp"]),
+		id: "connectors",
+		match: (path) => startsWithAny(path, ["/api/connectors"]),
 		load: async () => {
-			const { registerMcpRoutes } = await import("./mcp.js");
-			return { register: registerMcpRoutes };
+			const { registerConnectorRoutes } = await import("./connectors.js");
+			return { register: registerConnectorRoutes };
 		}
 	}
 ];