aegis-bridge 2.2.2

package/dist/validation.js

@@ -0,0 +1,268 @@
+/**
+ * validation.ts — Zod schemas for API request body validation.
+ *
+ * Issue #359: Centralized validation for all POST route bodies.
+ * Issue #435: Path traversal defense in validateWorkDir.
+ */
+import { z } from 'zod';
+import path from 'node:path';
+import fs from 'node:fs/promises';
+import os from 'node:os';
+/** Regex for UUID v4 format: 8-4-4-4-12 hex digits */
+export const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+/** POST /v1/auth/keys */
+export const authKeySchema = z.object({
+    name: z.string().min(1),
+    rateLimit: z.number().int().positive().optional(),
+}).strict();
+/** POST /v1/sessions/:id/send */
+export const sendMessageSchema = z.object({
+    text: z.string().min(1),
+}).strict();
+/** POST /v1/sessions/:id/command */
+export const commandSchema = z.object({
+    command: z.string().min(1),
+}).strict();
+/** POST /v1/sessions/:id/bash */
+export const bashSchema = z.object({
+    command: z.string().min(1),
+}).strict();
+/** POST /v1/sessions/:id/screenshot */
+export const screenshotSchema = z.object({
+    url: z.string().min(1),
+    fullPage: z.boolean().optional(),
+    width: z.number().int().positive().max(7680).optional(),
+    height: z.number().int().positive().max(4320).optional(),
+}).strict();
+/** Webhook endpoint — validates structure of each webhook entry */
+export const webhookEndpointSchema = z.object({
+    url: z.string().min(1),
+    events: z.array(z.string()).optional(),
+    headers: z.record(z.string(), z.string()).optional(),
+    timeoutMs: z.number().int().positive().optional(),
+}).strict();
+/** POST /v1/sessions/:id/hooks/permission */
+export const permissionHookSchema = z.object({
+    session_id: z.string().optional(),
+    tool_name: z.string().optional(),
+    tool_input: z.unknown().optional(),
+    permission_mode: z.string().optional(),
+    hook_event_name: z.string().optional(),
+}).strict();
+/** POST /v1/sessions/:id/hooks/stop */
+export const stopHookSchema = z.object({
+    session_id: z.string().optional(),
+    stop_reason: z.string().optional(),
+    hook_event_name: z.string().optional(),
+}).strict();
+const batchSessionSpecSchema = z.object({
+    name: z.string().max(200).optional(),
+    workDir: z.string().min(1),
+    prompt: z.string().max(100_000).optional(),
+    permissionMode: z.enum(['default', 'bypassPermissions', 'plan']).optional(),
+    autoApprove: z.boolean().optional(),
+    stallThresholdMs: z.number().int().positive().max(3_600_000).optional(),
+});
+/** POST /v1/sessions/batch — max 50 sessions per batch */
+export const batchSessionSchema = z.object({
+    sessions: z.array(batchSessionSpecSchema).min(1).max(50),
+}).strict();
+const pipelineStageSchema = z.object({
+    name: z.string().min(1),
+    workDir: z.string().min(1).optional(),
+    prompt: z.string().min(1),
+    dependsOn: z.array(z.string()).optional(),
+    permissionMode: z.enum(['default', 'bypassPermissions', 'plan']).optional(),
+    autoApprove: z.boolean().optional(),
+});
+/** POST /v1/pipelines */
+export const pipelineSchema = z.object({
+    name: z.string().min(1),
+    workDir: z.string().min(1),
+    stages: z.array(pipelineStageSchema).min(1),
+}).strict();
+/** Clamp a numeric value to [min, max]. Returns default if input is NaN. */
+export function clamp(value, min, max, fallback) {
+    if (Number.isNaN(value))
+        return fallback;
+    return Math.max(min, Math.min(max, value));
+}
+/** Parse an env string to integer with NaN/isFinite guard. Returns fallback on failure. */
+export function parseIntSafe(value, fallback) {
+    if (value === undefined)
+        return fallback;
+    const parsed = parseInt(value, 10);
+    if (!Number.isFinite(parsed))
+        return fallback;
+    return parsed;
+}
+/** Validate that a string looks like a UUID. */
+export function isValidUUID(id) {
+    return UUID_REGEX.test(id);
+}
+// ── JSON.parse boundary validation (Issue #410) ──────────────────
+const UIStateEnum = z.enum([
+    'idle', 'working', 'permission_prompt', 'bash_approval',
+    'plan_mode', 'ask_question', 'settings', 'unknown',
+]);
+/** Schema for persisted SessionState (sessions: { [id]: SessionInfo }). */
+export const persistedStateSchema = z.record(z.string(), z.object({
+    id: z.string(),
+    windowId: z.string(),
+    windowName: z.string(),
+    workDir: z.string(),
+    claudeSessionId: z.string().optional(),
+    jsonlPath: z.string().optional(),
+    byteOffset: z.number(),
+    monitorOffset: z.number(),
+    status: UIStateEnum,
+    createdAt: z.number(),
+    lastActivity: z.number(),
+    stallThresholdMs: z.number(),
+    permissionStallMs: z.number().default(300_000),
+    permissionMode: z.string(),
+    settingsPatched: z.boolean().optional(),
+    hookSettingsFile: z.string().optional(),
+    lastHookAt: z.number().optional(),
+    activeSubagents: z.array(z.string()).optional(),
+    permissionPromptAt: z.number().optional(),
+    permissionRespondedAt: z.number().optional(),
+    lastHookReceivedAt: z.number().optional(),
+    lastHookEventAt: z.number().optional(),
+    model: z.string().optional(),
+    lastDeadAt: z.number().optional(),
+    ccPid: z.number().optional(),
+}));
+/** Schema for session_map.json entries. */
+export const sessionMapSchema = z.record(z.string(), z.object({
+    session_id: z.string(),
+    cwd: z.string(),
+    window_name: z.string(),
+    transcript_path: z.string().nullable().optional(),
+    permission_mode: z.string().nullable().optional(),
+    agent_id: z.string().nullable().optional(),
+    source: z.string().nullable().optional(),
+    agent_type: z.string().nullable().optional(),
+    model: z.string().nullable().optional(),
+    written_at: z.number(),
+}));
+/** Schema for stop_signals.json entries. */
+export const stopSignalsSchema = z.record(z.string(), z.object({
+    event: z.string().optional(),
+    timestamp: z.number().optional(),
+    error: z.unknown().optional(),
+    error_details: z.unknown().optional(),
+    last_assistant_message: z.unknown().optional(),
+    agent_id: z.unknown().optional(),
+    stop_reason: z.string().optional(),
+}));
+/** Schema for persisted auth keys store (Issue #506). */
+export const authStoreSchema = z.object({
+    keys: z.array(z.object({
+        id: z.string(),
+        name: z.string(),
+        hash: z.string(),
+        createdAt: z.number(),
+        lastUsedAt: z.number(),
+        rateLimit: z.number(),
+    })),
+});
+/** Schema for sessions-index.json entries (Issue #506). */
+export const sessionsIndexSchema = z.object({
+    entries: z.array(z.object({
+        sessionId: z.string(),
+        fullPath: z.string(),
+    })).optional(),
+});
+/** Schema for persisted metrics file (Issue #506). */
+export const metricsFileSchema = z.object({
+    global: z.object({
+        sessionsCreated: z.number().optional(),
+        sessionsCompleted: z.number().optional(),
+        sessionsFailed: z.number().optional(),
+        totalMessages: z.number().optional(),
+        totalToolCalls: z.number().optional(),
+        autoApprovals: z.number().optional(),
+        webhooksSent: z.number().optional(),
+        webhooksFailed: z.number().optional(),
+        screenshotsTaken: z.number().optional(),
+        pipelinesCreated: z.number().optional(),
+        batchesCreated: z.number().optional(),
+        promptsSent: z.number().optional(),
+        promptsDelivered: z.number().optional(),
+        promptsFailed: z.number().optional(),
+    }).passthrough().optional(),
+    savedAt: z.number().optional(),
+}).passthrough();
+/** Schema for WebSocket inbound messages (Issue #506). */
+export const wsInboundMessageSchema = z.discriminatedUnion('type', [
+    z.object({ type: z.literal('input'), text: z.string() }).strict(),
+    z.object({ type: z.literal('resize'), cols: z.number().optional(), rows: z.number().optional() }).strict(),
+    z.object({ type: z.literal('auth'), token: z.string().optional() }).strict(),
+]);
+/** Schema for CC settings.json shape (Issue #506).
+ *  Permissive — only validates the fields Aegis cares about. */
+export const ccSettingsSchema = z.object({
+    permissions: z.object({
+        defaultMode: z.string().optional(),
+    }).passthrough().optional(),
+}).passthrough();
+/** Helper: extract error message from unknown catch value. */
+export function getErrorMessage(e) {
+    if (e instanceof Error)
+        return e.message;
+    if (typeof e === 'string')
+        return e;
+    return String(e);
+}
+/** Default safe base directories used when allowedWorkDirs is not configured.
+ *  Prevents sessions from running in system-critical directories. */
+function getDefaultSafeDirs() {
+    return [
+        os.homedir(),
+        '/tmp',
+        '/var/tmp',
+        process.cwd(),
+    ];
+}
+/** Check whether `childPath` is equal to or under `parentPath`. */
+function isUnderOrEqual(childPath, parentPath) {
+    if (childPath === parentPath)
+        return true;
+    return childPath.startsWith(parentPath + path.sep);
+}
+/** Validate workDir to prevent path traversal attacks (Issue #435).
+ *  1. Reject raw strings containing ".." before any normalization.
+ *  2. Resolve to absolute path and resolve symlinks via fs.realpath().
+ *  3. Verify the resolved path is under an allowed directory:
+ *     - If allowedWorkDirs is configured, use that list.
+ *     - Otherwise, use default safe dirs (home, /tmp, cwd).
+ *  Returns the resolved real path on success, or an error object on failure. */
+export async function validateWorkDir(workDir, allowedWorkDirs = []) {
+    if (typeof workDir !== 'string')
+        return { error: 'workDir must be a string', code: 'INVALID_WORKDIR' };
+    // Step 1: Reject path traversal in the raw string BEFORE any normalization.
+    // path.normalize() would resolve ".." components, making the check useless.
+    if (workDir.includes('..')) {
+        return { error: 'workDir must not contain path traversal components (..)', code: 'INVALID_WORKDIR' };
+    }
+    // Step 2: Resolve to absolute path and follow symlinks.
+    const resolved = path.resolve(workDir);
+    let realPath;
+    try {
+        realPath = await fs.realpath(resolved);
+    }
+    catch { /* path does not exist on disk */
+        return { error: `workDir does not exist: ${resolved}`, code: 'INVALID_WORKDIR' };
+    }
+    // Step 3: Directory allowlist check.
+    const safeDirs = allowedWorkDirs.length > 0
+        ? allowedWorkDirs.map((d) => path.resolve(d))
+        : getDefaultSafeDirs();
+    const allowed = safeDirs.some((dir) => isUnderOrEqual(realPath, dir));
+    if (!allowed) {
+        return { error: 'workDir is not in the allowed directories list', code: 'INVALID_WORKDIR' };
+    }
+    return realPath;
+}
+//# sourceMappingURL=validation.js.map

package/dist/ws-terminal.d.ts

@@ -0,0 +1,32 @@
+/**
+ * ws-terminal.ts — WebSocket endpoint for live terminal streaming.
+ *
+ * WS /v1/sessions/:id/terminal
+ *
+ * Protocol:
+ *   Server → Client: { type: "pane", content: "..." }
+ *   Server → Client: { type: "status", status: "idle" }
+ *   Server → Client: { type: "error", message: "..." }
+ *   Client → Server: { type: "input", text: "..." }
+ *   Client → Server: { type: "resize", cols: 80, rows: 24 }
+ *
+ * Security (Issue #303, #503):
+ *   - Auth validation via first-message handshake: client sends
+ *     { type: "auth", token: "..." } as first message (#503)
+ *   - Bearer header auth still works for non-browser clients
+ *   - 5s auth timeout — connection dropped if not authenticated
+ *   - Per-connection message rate limiting (10 msg/sec)
+ *   - Shared tmux capture polls (one per session, not per connection)
+ *   - Ping/pong keep-alive with dead connection detection
+ */
+import type { FastifyInstance } from 'fastify';
+import type { SessionManager } from './session.js';
+import type { TmuxManager } from './tmux.js';
+import type { AuthManager } from './auth.js';
+/** Reset all internal state (for testing). */
+export declare function _resetForTesting(): void;
+/** Get the number of active shared polls (for testing). */
+export declare function _activePollCount(): number;
+/** Get subscriber count for a session (for testing). */
+export declare function _subscriberCount(sessionId: string): number;
+export declare function registerWsTerminalRoute(app: FastifyInstance, sessions: SessionManager, tmux: TmuxManager, auth: AuthManager): void;

package/dist/ws-terminal.js

@@ -0,0 +1,297 @@
+/**
+ * ws-terminal.ts — WebSocket endpoint for live terminal streaming.
+ *
+ * WS /v1/sessions/:id/terminal
+ *
+ * Protocol:
+ *   Server → Client: { type: "pane", content: "..." }
+ *   Server → Client: { type: "status", status: "idle" }
+ *   Server → Client: { type: "error", message: "..." }
+ *   Client → Server: { type: "input", text: "..." }
+ *   Client → Server: { type: "resize", cols: 80, rows: 24 }
+ *
+ * Security (Issue #303, #503):
+ *   - Auth validation via first-message handshake: client sends
+ *     { type: "auth", token: "..." } as first message (#503)
+ *   - Bearer header auth still works for non-browser clients
+ *   - 5s auth timeout — connection dropped if not authenticated
+ *   - Per-connection message rate limiting (10 msg/sec)
+ *   - Shared tmux capture polls (one per session, not per connection)
+ *   - Ping/pong keep-alive with dead connection detection
+ */
+import { clamp, wsInboundMessageSchema } from './validation.js';
+const POLL_INTERVAL_MS = 500;
+const KEEPALIVE_INTERVAL_TICKS = 60; // 30s at 500ms intervals
+const KEEPALIVE_TIMEOUT_MS = 35_000; // 30s interval + 5s grace
+const RATE_LIMIT_WINDOW_MS = 1000;
+const RATE_LIMIT_MAX_MESSAGES = 10;
+const AUTH_TIMEOUT_MS = 5_000;
+// ── Module state ───────────────────────────────────────────────────
+const sessionPolls = new Map();
+/** Reset all internal state (for testing). */
+export function _resetForTesting() {
+    for (const poll of sessionPolls.values()) {
+        clearInterval(poll.timer);
+    }
+    sessionPolls.clear();
+}
+/** Get the number of active shared polls (for testing). */
+export function _activePollCount() {
+    return sessionPolls.size;
+}
+/** Get subscriber count for a session (for testing). */
+export function _subscriberCount(sessionId) {
+    return sessionPolls.get(sessionId)?.subscribers.size ?? 0;
+}
+// ── Route registration ─────────────────────────────────────────────
+export function registerWsTerminalRoute(app, sessions, tmux, auth) {
+    app.get('/v1/sessions/:id/terminal', {
+        websocket: true,
+        preHandler: async (req, reply) => {
+            if (!auth.authEnabled)
+                return;
+            // Bearer header auth still works for non-browser clients
+            const header = req.headers.authorization;
+            if (header?.startsWith('Bearer ')) {
+                const token = header.slice(7);
+                const result = auth.validate(token);
+                if (!result.valid) {
+                    return reply.status(401).send({ error: 'Unauthorized — invalid API key' });
+                }
+                if (result.rateLimited) {
+                    return reply.status(429).send({ error: 'Rate limit exceeded' });
+                }
+                return;
+            }
+            // No Bearer header — allow connection through; auth will be validated
+            // via first-message handshake ({ type: "auth", token: "..." }).
+            // Issue #503: tokens must NOT appear in URLs.
+        },
+    }, (socket, req) => {
+        const sessionId = req.params.id;
+        const session = sessions.getSession(sessionId);
+        if (!session) {
+            sendError(socket, 'Session not found');
+            socket.close();
+            return;
+        }
+        // Check if already authenticated via Bearer header in preHandler
+        const preAuthed = auth.authEnabled && req.headers?.authorization?.startsWith('Bearer ');
+        // Create subscriber
+        const subscriber = {
+            lastContent: '',
+            lastStatus: '',
+            closed: false,
+            lastPongAt: Date.now(),
+            messageTimestamps: [],
+            authenticated: !auth.authEnabled || !!preAuthed,
+            authTimer: null,
+        };
+        // If auth is required but not yet provided, set auth timeout
+        if (auth.authEnabled && !subscriber.authenticated) {
+            subscriber.authTimer = setTimeout(() => {
+                if (!subscriber.closed && !subscriber.authenticated) {
+                    sendError(socket, 'Auth timeout — no auth message received');
+                    evictSubscriber(sessionId, socket, subscriber);
+                }
+            }, AUTH_TIMEOUT_MS);
+        }
+        // Get or create shared session poll
+        let poll = sessionPolls.get(sessionId);
+        if (!poll) {
+            poll = {
+                timer: null,
+                tickCount: 0,
+                subscribers: new Map(),
+            };
+            sessionPolls.set(sessionId, poll);
+            // Start the shared poll timer
+            poll.timer = setInterval(async () => {
+                poll.tickCount++;
+                await tickPoll(sessionId, sessions, tmux, poll);
+            }, POLL_INTERVAL_MS);
+        }
+        poll.subscribers.set(socket, subscriber);
+        // Handle pong responses for keep-alive
+        socket.on('pong', () => {
+            const sub = poll?.subscribers.get(socket);
+            if (sub)
+                sub.lastPongAt = Date.now();
+        });
+        // Handle incoming messages with rate limiting
+        socket.on('message', async (data) => {
+            if (subscriber.closed)
+                return;
+            // Rate limit check
+            if (!checkRateLimit(subscriber)) {
+                sendError(socket, 'Rate limit exceeded — max 10 messages per second');
+                evictSubscriber(sessionId, socket, subscriber);
+                return;
+            }
+            try {
+                const parsed = wsInboundMessageSchema.safeParse(JSON.parse(data.toString()));
+                if (!parsed.success) {
+                    sendError(socket, `Invalid message: ${parsed.error.issues.map(i => i.message).join(', ')}`);
+                    return;
+                }
+                const msg = parsed.data;
+                // Handle auth handshake (Issue #503)
+                if (msg.type === 'auth') {
+                    if (subscriber.authenticated) {
+                        sendError(socket, 'Already authenticated');
+                        return;
+                    }
+                    if (typeof msg.token !== 'string' || !msg.token) {
+                        sendError(socket, 'Auth message requires a token field');
+                        evictSubscriber(sessionId, socket, subscriber);
+                        return;
+                    }
+                    const result = auth.validate(msg.token);
+                    if (!result.valid) {
+                        sendError(socket, 'Unauthorized — invalid API key');
+                        evictSubscriber(sessionId, socket, subscriber);
+                        return;
+                    }
+                    if (result.rateLimited) {
+                        sendError(socket, 'Rate limit exceeded');
+                        evictSubscriber(sessionId, socket, subscriber);
+                        return;
+                    }
+                    // Auth successful
+                    subscriber.authenticated = true;
+                    if (subscriber.authTimer) {
+                        clearTimeout(subscriber.authTimer);
+                        subscriber.authTimer = null;
+                    }
+                    send(socket, { type: 'status', status: 'authenticated' });
+                    return;
+                }
+                // Reject non-auth messages when not yet authenticated
+                if (!subscriber.authenticated) {
+                    sendError(socket, 'Not authenticated — send { type: "auth", token: "..." } first');
+                    evictSubscriber(sessionId, socket, subscriber);
+                    return;
+                }
+                if (msg.type === 'input' && typeof msg.text === 'string') {
+                    await sessions.sendMessage(sessionId, msg.text);
+                }
+                else if (msg.type === 'resize') {
+                    const cols = clamp(msg.cols ?? 80, 1, 1000, 80);
+                    const rows = clamp(msg.rows ?? 24, 1, 1000, 24);
+                    await tmux.resizePane(session.windowId, cols, rows);
+                }
+            }
+            catch (e) {
+                sendError(socket, `Invalid message: ${e instanceof Error ? e.message : String(e)}`);
+            }
+        });
+        socket.on('close', () => {
+            evictSubscriber(sessionId, socket, subscriber);
+        });
+    });
+}
+// ── Shared poll logic ──────────────────────────────────────────────
+async function tickPoll(sessionId, sessions, tmux, poll) {
+    const session = sessions.getSession(sessionId);
+    if (!session) {
+        // Session gone — evict all subscribers
+        for (const [socket, sub] of [...poll.subscribers]) {
+            if (!sub.closed) {
+                sendError(socket, 'Session no longer exists');
+                evictSubscriber(sessionId, socket, sub);
+            }
+        }
+        return;
+    }
+    let content;
+    try {
+        content = await tmux.capturePane(session.windowId);
+    }
+    catch { /* pane gone — evict all subscribers */
+        for (const [socket, sub] of [...poll.subscribers]) {
+            if (!sub.closed) {
+                sendError(socket, 'Failed to capture pane — session may have ended');
+                evictSubscriber(sessionId, socket, sub);
+            }
+        }
+        return;
+    }
+    const currentStatus = session.status;
+    // Fan out to all subscribers with per-subscriber deduplication
+    for (const [socket, sub] of [...poll.subscribers]) {
+        if (sub.closed || !sub.authenticated)
+            continue;
+        if (content !== sub.lastContent) {
+            sub.lastContent = content;
+            send(socket, { type: 'pane', content });
+        }
+        if (currentStatus !== sub.lastStatus) {
+            sub.lastStatus = currentStatus;
+            send(socket, { type: 'status', status: currentStatus });
+        }
+    }
+    // Keep-alive check (every 60 ticks ≈ 30s)
+    if (poll.tickCount % KEEPALIVE_INTERVAL_TICKS === 0) {
+        const now = Date.now();
+        for (const [socket, sub] of [...poll.subscribers]) {
+            if (sub.closed)
+                continue;
+            // Evict dead connections
+            if (now - sub.lastPongAt > KEEPALIVE_TIMEOUT_MS) {
+                evictSubscriber(sessionId, socket, sub);
+                continue;
+            }
+            // Send ping
+            try {
+                socket.ping();
+            }
+            catch { /* socket already closed */
+                evictSubscriber(sessionId, socket, sub);
+            }
+        }
+    }
+}
+// ── Rate limiting ──────────────────────────────────────────────────
+function checkRateLimit(sub) {
+    const now = Date.now();
+    sub.messageTimestamps = sub.messageTimestamps.filter(t => now - t < RATE_LIMIT_WINDOW_MS);
+    if (sub.messageTimestamps.length >= RATE_LIMIT_MAX_MESSAGES) {
+        return false;
+    }
+    sub.messageTimestamps.push(now);
+    return true;
+}
+// ── Subscriber management ──────────────────────────────────────────
+function evictSubscriber(sessionId, socket, sub) {
+    if (sub.closed)
+        return;
+    sub.closed = true;
+    // Clean up auth timer if pending
+    if (sub.authTimer) {
+        clearTimeout(sub.authTimer);
+        sub.authTimer = null;
+    }
+    const poll = sessionPolls.get(sessionId);
+    if (poll) {
+        poll.subscribers.delete(socket);
+        // If no more subscribers, clean up the poll timer
+        if (poll.subscribers.size === 0) {
+            clearInterval(poll.timer);
+            sessionPolls.delete(sessionId);
+        }
+    }
+    try {
+        socket.close();
+    }
+    catch { /* ignore */ }
+}
+// ── Helpers ────────────────────────────────────────────────────────
+function send(ws, msg) {
+    if (ws.readyState === ws.OPEN) {
+        ws.send(JSON.stringify(msg));
+    }
+}
+function sendError(ws, message) {
+    send(ws, { type: 'error', message });
+}
+//# sourceMappingURL=ws-terminal.js.map

package/package.json

@@ -0,0 +1,71 @@
+{
+  "name": "aegis-bridge",
+  "version": "2.2.2",
+  "type": "module",
+  "description": "Orchestrate Claude Code sessions via API. Create, brief, monitor, refine, ship.",
+  "main": "dist/server.js",
+  "types": "dist/server.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/server.js",
+      "types": "./dist/server.d.ts"
+    },
+    "./cli": {
+      "import": "./dist/cli.js"
+    }
+  },
+  "bin": {
+    "aegis-bridge": "dist/cli.js"
+  },
+  "files": [
+    "dist",
+    "dashboard/dist",
+    "!dist/__tests__",
+    "!dist/**/*.map"
+  ],
+  "scripts": {
+    "build": "tsc && npm run build:copy-dashboard",
+    "build:copy-dashboard": "node scripts/copy-dashboard.mjs",
+    "build:dashboard": "cd dashboard && npm install && npm run build",
+    "start": "node dist/cli.js",
+    "dev": "tsc && node dist/cli.js",
+    "prepublishOnly": "npm run build:dashboard && npm run build",
+    "test": "vitest run"
+  },
+  "keywords": [
+    "claude",
+    "claude-code",
+    "ai",
+    "orchestration",
+    "coding-agent",
+    "tmux",
+    "session-management"
+  ],
+  "author": "Emanuele Santonastaso (@OneStepAt4time)",
+  "license": "MIT",
+  "dependencies": {
+    "@fastify/cors": "^11.2.0",
+    "@fastify/static": "^9.0.0",
+    "@fastify/websocket": "^11.2.0",
+    "@modelcontextprotocol/sdk": "^1.28.0",
+    "fastify": "^5.8.2",
+    "zod": "^4.3.6"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/OneStepAt4time/aegis.git"
+  },
+  "homepage": "https://github.com/OneStepAt4time/aegis#readme",
+  "bugs": {
+    "url": "https://github.com/OneStepAt4time/aegis/issues"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.0",
+    "@types/ws": "^8.18.1",
+    "typescript": "^6.0.2",
+    "vitest": "^4.1.2"
+  }
+}