agent-pager 0.1.0

package/dist/src/server.js

@@ -0,0 +1,441 @@
+import { createServer } from "node:http";
+import { readFileSync, existsSync } from "node:fs";
+import { dirname, extname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { canonicalRequest, newId, nowIso, signText, stableJson, verifyText } from "./crypto.js";
+import { Store } from "./store.js";
+const MESSAGE_MAX = 600;
+const RATE_LIMIT_WINDOW_MS = 60_000;
+const RATE_LIMIT_MAX = 8;
+const WEB_ROOT = findWebRoot();
+export async function runServer(argv) {
+    const port = Number(readArg(argv, "--port") || process.env.PORT || 8787);
+    const host = readArg(argv, "--host") || process.env.HOST || "127.0.0.1";
+    const publicUrl = process.env.AGENT_PAGER_PUBLIC_URL || `http://${host === "0.0.0.0" ? "localhost" : host}:${port}`;
+    const store = new Store();
+    const listeners = new Set();
+    const server = createServer(async (req, res) => {
+        try {
+            setCors(req, res);
+            if (req.method === "OPTIONS") {
+                res.writeHead(204).end();
+                return;
+            }
+            const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
+            if (req.method === "GET" && url.pathname.startsWith("/assets/")) {
+                serveStatic(res, url.pathname);
+                return;
+            }
+            if (req.method === "GET" && !url.pathname.startsWith("/api/")) {
+                serveIndex(res);
+                return;
+            }
+            if (req.method === "GET" && url.pathname === "/api/health") {
+                sendJson(res, { ok: true, service: "agent-pager", users: store.data().users.length, publicUrl });
+                return;
+            }
+            if (req.method === "GET" && url.pathname === "/api/config") {
+                sendJson(res, { mode: "prototype", publicUrl });
+                return;
+            }
+            if (req.method === "GET" && url.pathname === "/api/public/state") {
+                const db = store.data();
+                sendJson(res, {
+                    publicUrl,
+                    users: db.users.map((user) => publicUser(user, db.devices.filter((device) => device.userId === user.id))),
+                    pages: db.pages.slice(-30).reverse(),
+                    auditEvents: db.auditEvents.slice(0, 60),
+                    friendRequests: db.friendRequests.slice(0, 30),
+                    friendships: db.friendships
+                });
+                return;
+            }
+            if (req.method === "GET" && url.pathname.startsWith("/api/public/users/")) {
+                const username = decodeURIComponent(url.pathname.split("/").pop() || "");
+                const user = store.data().users.find((candidate) => candidate.username === username);
+                if (!user || !user.publicProfileEnabled) {
+                    sendJson(res, { error: "profile not found" }, 404);
+                    return;
+                }
+                sendJson(res, publicUser(user, store.data().devices.filter((device) => device.userId === user.id)));
+                return;
+            }
+            if (req.method === "POST" && url.pathname === "/api/dev/login") {
+                const body = await readJson(req);
+                const username = cleanUsername(body.username);
+                const displayName = cleanText(body.displayName || username, 80);
+                const publicKeyPem = String(body.publicKeyPem || "");
+                const deviceName = cleanText(body.deviceName || "local terminal", 80);
+                if (!username || !publicKeyPem.includes("PUBLIC KEY")) {
+                    sendJson(res, { error: "username and publicKeyPem are required" }, 400);
+                    return;
+                }
+                const db = store.data();
+                let user = db.users.find((candidate) => candidate.username === username);
+                const at = nowIso();
+                if (!user) {
+                    user = {
+                        id: newId("usr"),
+                        username,
+                        displayName,
+                        status: "offline",
+                        publicProfileEnabled: true,
+                        createdAt: at,
+                        updatedAt: at
+                    };
+                    db.users.push(user);
+                }
+                const device = {
+                    id: newId("dev"),
+                    userId: user.id,
+                    name: deviceName,
+                    publicKeyPem,
+                    createdAt: at,
+                    lastSeenAt: at
+                };
+                db.devices.push(device);
+                store.save();
+                store.audit({ actorUserId: user.id, action: "device.login", target: device.id, meta: { username } });
+                sendJson(res, { user, device, serverPublicKeyPem: db.serverKeyPair.publicKeyPem, publicUrl });
+                return;
+            }
+            if (req.method === "GET" && url.pathname === "/api/events") {
+                const authed = await authenticate(req, url, store);
+                authed.user.status = authed.user.status === "offline" ? "online" : authed.user.status;
+                authed.user.updatedAt = nowIso();
+                authed.device.lastSeenAt = nowIso();
+                store.save();
+                openEvents(res, listeners, authed.user.id, store);
+                return;
+            }
+            const authed = await authenticate(req, url, store);
+            if (req.method === "GET" && url.pathname === "/api/me") {
+                sendJson(res, {
+                    user: authed.user,
+                    device: authed.device,
+                    friends: getFriends(store, authed.user.id),
+                    pendingPages: pendingPages(store, authed.user.id)
+                });
+                return;
+            }
+            if (req.method === "POST" && url.pathname === "/api/presence") {
+                const body = parseBody(authed.bodyText);
+                const status = ["online", "busy", "muted", "offline"].includes(body.status) ? body.status : "online";
+                authed.user.status = status;
+                authed.user.updatedAt = nowIso();
+                authed.device.lastSeenAt = nowIso();
+                store.save();
+                store.audit({ actorUserId: authed.user.id, action: "presence.update", meta: { status } });
+                sendJson(res, { ok: true, user: authed.user });
+                return;
+            }
+            if (req.method === "POST" && url.pathname === "/api/invites") {
+                const body = parseBody(authed.bodyText);
+                const ttlHours = Math.min(Math.max(Number(body.ttlHours || 24), 1), 168);
+                const invite = {
+                    code: randomCode(),
+                    createdByUserId: authed.user.id,
+                    createdAt: nowIso(),
+                    expiresAt: new Date(Date.now() + ttlHours * 3600_000).toISOString()
+                };
+                store.data().invites.push(invite);
+                store.save();
+                store.audit({ actorUserId: authed.user.id, action: "invite.create", target: invite.code });
+                sendJson(res, { invite, url: `${publicUrl}/invite/${invite.code}` });
+                return;
+            }
+            const inviteAcceptMatch = url.pathname.match(/^\/api\/invites\/([^/]+)\/accept$/);
+            if (req.method === "POST" && inviteAcceptMatch) {
+                const code = inviteAcceptMatch[1];
+                const db = store.data();
+                const invite = db.invites.find((candidate) => candidate.code === code);
+                if (!invite || invite.revokedAt || invite.acceptedByUserId || Date.parse(invite.expiresAt) < Date.now()) {
+                    sendJson(res, { error: "invite is invalid or expired" }, 400);
+                    return;
+                }
+                if (invite.createdByUserId === authed.user.id) {
+                    sendJson(res, { error: "cannot accept your own invite" }, 400);
+                    return;
+                }
+                ensureFriendship(store, invite.createdByUserId, authed.user.id);
+                invite.acceptedByUserId = authed.user.id;
+                store.save();
+                store.audit({ actorUserId: authed.user.id, action: "invite.accept", target: code });
+                sendJson(res, { ok: true, friends: getFriends(store, authed.user.id) });
+                return;
+            }
+            if (req.method === "GET" && url.pathname === "/api/friends") {
+                sendJson(res, { friends: getFriends(store, authed.user.id) });
+                return;
+            }
+            if (req.method === "POST" && url.pathname === "/api/pages") {
+                const body = parseBody(authed.bodyText);
+                const to = cleanUsername(body.to);
+                const message = cleanText(body.message, MESSAGE_MAX);
+                const urgency = normalizeUrgency(body.urgency);
+                const recipient = store.data().users.find((user) => user.username === to);
+                if (!recipient) {
+                    sendJson(res, { error: "recipient not found" }, 404);
+                    return;
+                }
+                const allowed = canPage(store, authed.user.id, recipient.id);
+                if (!allowed.ok) {
+                    sendJson(res, { error: allowed.reason }, 403);
+                    return;
+                }
+                const limited = isRateLimited(store, authed.user.id, recipient.id);
+                if (limited) {
+                    sendJson(res, { error: "rate limited for this friend" }, 429);
+                    return;
+                }
+                if (!message) {
+                    sendJson(res, { error: "message is required" }, 400);
+                    return;
+                }
+                const page = {
+                    id: newId("page"),
+                    fromUserId: authed.user.id,
+                    toUserId: recipient.id,
+                    fromUsername: authed.user.username,
+                    toUsername: recipient.username,
+                    message,
+                    urgency,
+                    replyToPageId: body.replyToPageId ? String(body.replyToPageId) : undefined,
+                    createdAt: nowIso()
+                };
+                store.data().pages.push(page);
+                store.save();
+                store.audit({ actorUserId: authed.user.id, action: "page.send", target: recipient.username, meta: { urgency } });
+                pushPage(listeners, store, page);
+                sendJson(res, { ok: true, page });
+                return;
+            }
+            if (req.method === "GET" && url.pathname === "/api/pages") {
+                const pages = store.data().pages
+                    .filter((page) => page.fromUserId === authed.user.id || page.toUserId === authed.user.id)
+                    .slice(-100)
+                    .reverse();
+                sendJson(res, { pages });
+                return;
+            }
+            const pageAckMatch = url.pathname.match(/^\/api\/pages\/([^/]+)\/ack$/);
+            if (req.method === "POST" && pageAckMatch) {
+                const page = store.data().pages.find((candidate) => candidate.id === pageAckMatch[1] && candidate.toUserId === authed.user.id);
+                if (page && !page.deliveredAt) {
+                    page.deliveredAt = nowIso();
+                    store.save();
+                    store.audit({ actorUserId: authed.user.id, action: "page.deliver", target: page.id });
+                }
+                sendJson(res, { ok: true });
+                return;
+            }
+            sendJson(res, { error: "not found" }, 404);
+        }
+        catch (error) {
+            sendJson(res, { error: error instanceof Error ? error.message : "server error" }, 500);
+        }
+    });
+    await new Promise((resolveListen) => server.listen(port, host, resolveListen));
+    console.log(`Agent Pager service: ${publicUrl}`);
+    console.log("Authorized Human Contact Service is online.");
+}
+function readArg(argv, name) {
+    const index = argv.indexOf(name);
+    return index >= 0 ? argv[index + 1] : undefined;
+}
+async function authenticate(req, url, store) {
+    const bodyText = ["POST", "PUT", "PATCH"].includes(req.method || "") ? await readText(req) : "";
+    const deviceId = String(req.headers["x-ap-device-id"] || "");
+    const timestamp = String(req.headers["x-ap-timestamp"] || "");
+    const signature = String(req.headers["x-ap-signature"] || "");
+    const device = store.data().devices.find((candidate) => candidate.id === deviceId && !candidate.revokedAt);
+    if (!device) {
+        throw new Error("unknown device");
+    }
+    const user = store.data().users.find((candidate) => candidate.id === device.userId);
+    if (!user) {
+        throw new Error("device has no user");
+    }
+    const ageMs = Math.abs(Date.now() - Date.parse(timestamp));
+    if (!timestamp || !Number.isFinite(ageMs) || ageMs > 5 * 60_000) {
+        throw new Error("stale request timestamp");
+    }
+    const pathAndQuery = `${url.pathname}${url.search}`;
+    const canonical = canonicalRequest(req.method || "GET", pathAndQuery, timestamp, bodyText);
+    if (!verifyText(device.publicKeyPem, canonical, signature)) {
+        throw new Error("invalid request signature");
+    }
+    device.lastSeenAt = nowIso();
+    return { device, user, bodyText };
+}
+function publicUser(user, devices) {
+    return {
+        id: user.id,
+        username: user.username,
+        displayName: user.displayName,
+        status: user.status,
+        reachable: user.status !== "offline" && devices.some((device) => !device.revokedAt),
+        deviceCount: devices.filter((device) => !device.revokedAt).length
+    };
+}
+function getFriends(store, userId) {
+    const db = store.data();
+    return db.friendships
+        .filter((friendship) => friendship.userA === userId || friendship.userB === userId)
+        .map((friendship) => {
+        const friendId = friendship.userA === userId ? friendship.userB : friendship.userA;
+        const user = db.users.find((candidate) => candidate.id === friendId);
+        return user ? { ...publicUser(user, db.devices.filter((device) => device.userId === user.id)), muted: friendship.mutedByUserIds.includes(userId) } : null;
+    })
+        .filter(Boolean);
+}
+function ensureFriendship(store, userA, userB) {
+    const [left, right] = [userA, userB].sort();
+    const exists = store.data().friendships.some((friendship) => friendship.userA === left && friendship.userB === right);
+    if (!exists) {
+        store.data().friendships.push({
+            id: newId("fr"),
+            userA: left,
+            userB: right,
+            createdAt: nowIso(),
+            mutedByUserIds: [],
+            blockedByUserIds: []
+        });
+    }
+}
+function canPage(store, fromUserId, toUserId) {
+    const friendship = store.data().friendships.find((candidate) => (candidate.userA === fromUserId && candidate.userB === toUserId) || (candidate.userA === toUserId && candidate.userB === fromUserId));
+    if (!friendship) {
+        return { ok: false, reason: "not friends" };
+    }
+    if (friendship.blockedByUserIds.includes(toUserId) || friendship.mutedByUserIds.includes(toUserId)) {
+        return { ok: false, reason: "recipient is not accepting pages from you" };
+    }
+    const recipient = store.data().users.find((user) => user.id === toUserId);
+    if (recipient?.status === "muted") {
+        return { ok: false, reason: "recipient is muted" };
+    }
+    return { ok: true };
+}
+function isRateLimited(store, fromUserId, toUserId) {
+    const cutoff = Date.now() - RATE_LIMIT_WINDOW_MS;
+    const recent = store.data().pages.filter((page) => page.fromUserId === fromUserId && page.toUserId === toUserId && Date.parse(page.createdAt) >= cutoff);
+    return recent.length >= RATE_LIMIT_MAX;
+}
+function pendingPages(store, userId) {
+    return store.data().pages.filter((page) => page.toUserId === userId && !page.deliveredAt);
+}
+function openEvents(res, listeners, userId, store) {
+    res.writeHead(200, {
+        "content-type": "text/event-stream",
+        "cache-control": "no-cache",
+        connection: "keep-alive"
+    });
+    const listener = { userId, res };
+    listeners.add(listener);
+    writeEvent(res, "ready", { ok: true, at: nowIso() });
+    for (const page of pendingPages(store, userId)) {
+        writeEvent(res, "page", signedEnvelope(store, page));
+    }
+    const keepAlive = setInterval(() => writeEvent(res, "heartbeat", { at: nowIso() }), 15000);
+    res.on("close", () => {
+        clearInterval(keepAlive);
+        listeners.delete(listener);
+    });
+}
+function pushPage(listeners, store, page) {
+    for (const listener of listeners) {
+        if (listener.userId === page.toUserId) {
+            writeEvent(listener.res, "page", signedEnvelope(store, page));
+        }
+    }
+}
+function signedEnvelope(store, page) {
+    const unsigned = {
+        page,
+        serverTime: nowIso(),
+        nonce: newId("nonce")
+    };
+    return {
+        ...unsigned,
+        signature: signText(store.data().serverKeyPair.privateKeyPem, stableJson(unsigned))
+    };
+}
+function writeEvent(res, event, data) {
+    res.write(`event: ${event}\n`);
+    res.write(`data: ${JSON.stringify(data)}\n\n`);
+}
+function parseBody(bodyText) {
+    return bodyText ? JSON.parse(bodyText) : {};
+}
+async function readJson(req) {
+    return parseBody(await readText(req));
+}
+function readText(req) {
+    return new Promise((resolveRead, reject) => {
+        let body = "";
+        req.setEncoding("utf8");
+        req.on("data", (chunk) => {
+            body += chunk;
+            if (body.length > 32_000) {
+                reject(new Error("request body too large"));
+                req.destroy();
+            }
+        });
+        req.on("end", () => resolveRead(body));
+        req.on("error", reject);
+    });
+}
+function sendJson(res, body, status = 200) {
+    res.writeHead(status, { "content-type": "application/json" });
+    res.end(JSON.stringify(body, null, 2));
+}
+function setCors(req, res) {
+    res.setHeader("access-control-allow-origin", req.headers.origin || "*");
+    res.setHeader("access-control-allow-methods", "GET,POST,OPTIONS");
+    res.setHeader("access-control-allow-headers", "content-type,x-ap-device-id,x-ap-timestamp,x-ap-signature");
+}
+function serveIndex(res) {
+    res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+    res.end(readFileSync(resolve(WEB_ROOT, "index.html"), "utf8"));
+}
+function serveStatic(res, pathname) {
+    const path = resolve(WEB_ROOT, pathname.replace(/^\/assets\//, ""));
+    if (!existsSync(path)) {
+        sendJson(res, { error: "asset not found" }, 404);
+        return;
+    }
+    const contentTypes = {
+        ".css": "text/css",
+        ".js": "application/javascript",
+        ".png": "image/png",
+        ".svg": "image/svg+xml"
+    };
+    res.writeHead(200, { "content-type": contentTypes[extname(path)] || "application/octet-stream" });
+    res.end(readFileSync(path));
+}
+function findWebRoot() {
+    const moduleDir = dirname(fileURLToPath(import.meta.url));
+    for (const candidate of [
+        resolve(moduleDir, "..", "web"),
+        resolve(moduleDir, "..", "..", "web"),
+        resolve(process.cwd(), "web")
+    ]) {
+        if (existsSync(resolve(candidate, "index.html")))
+            return candidate;
+    }
+    return resolve(moduleDir, "..", "..", "web");
+}
+function cleanUsername(value) {
+    return String(value || "").toLowerCase().replace(/[^a-z0-9_.-]/g, "").slice(0, 32);
+}
+function cleanText(value, max) {
+    return String(value || "").trim().slice(0, max);
+}
+function normalizeUrgency(value) {
+    const urgency = String(value || "normal");
+    return ["gentle", "normal", "firm", "professionally-dramatic"].includes(urgency) ? urgency : "normal";
+}
+function randomCode() {
+    return Math.random().toString(36).slice(2, 8) + Math.random().toString(36).slice(2, 8);
+}

package/dist/src/session-adapters.js

@@ -0,0 +1,23 @@
+import { appendFileSync, mkdirSync } from "node:fs";
+import { dirname } from "node:path";
+import { execFile } from "node:child_process";
+import { inboxPath } from "./local-config.js";
+import { pageBox } from "./render.js";
+export async function deliverPageLocally(page) {
+    const path = inboxPath();
+    mkdirSync(dirname(path), { recursive: true });
+    appendFileSync(path, `${JSON.stringify({ ...page, receivedAt: new Date().toISOString() })}\n`);
+    console.log(`\n${pageBox(page)}\n`);
+    await notify(page).catch(() => undefined);
+}
+async function notify(page) {
+    if (process.platform !== "darwin") {
+        return;
+    }
+    await new Promise((resolve, reject) => {
+        execFile("osascript", [
+            "-e",
+            `display notification ${JSON.stringify(page.message.slice(0, 120))} with title "Agent Pager" subtitle ${JSON.stringify(`From ${page.fromUsername}`)}`
+        ], (error) => (error ? reject(error) : resolve()));
+    });
+}

package/dist/src/setup.js

@@ -0,0 +1,90 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { homedir } from "node:os";
+const codexSkill = `---
+name: agent-pager
+description: Use Agent Pager to contact trusted friends through their active coding agent sessions. Trigger when the user asks to page, ping, message, reach, contact, or get a friend's attention through their agent.
+---
+
+# Agent Pager
+
+Agent Pager lets this agent contact trusted friends' active coding agent sessions.
+
+Use the Agent Pager MCP tools when the user wants to reach a person through their agent.
+
+Rules:
+- Page only approved friends.
+- Keep pages concise and action-oriented.
+- Include the requested action and enough context for the recipient.
+- Do not fake urgency.
+- Use "professionally-dramatic" only when the user is clearly joking.
+- If the user asks who is reachable, call list_friends.
+- If the user asks for their Page my agent link or share link, call get_share_link.
+- If the user wants to add or request access to a person, call request_friend with a human-approved note.
+- If page_friend fails because the recipient is not approved, explain that friendship is required and ask before calling request_friend.
+- If the user asks about pending access requests, call list_friend_requests.
+- If the user explicitly asks to approve, deny, or cancel a specific friend request, call approve_friend_request, deny_friend_request, or cancel_friend_request.
+- If the user asks whether anyone paged them, call check_pages.
+- If the user explicitly asks to remove, unfriend, or end access for a friend, call remove_friend.
+- If the user asks to silence or pause a friend's pages, call mute_friend with a clear duration.
+- If the user explicitly asks to unmute or resume a friend's pages, call unmute_friend.
+- If the user explicitly asks to block or unblock someone, call block_friend or unblock_friend.
+- If the user explicitly asks to report abuse or spam, call report_abuse with a short reason and page id if available.
+`;
+const claudeSkill = `---
+description: Use Agent Pager to contact trusted friends through their active coding agent sessions. Trigger when the user asks to page, ping, message, reach, contact, or get a friend's attention through their agent.
+---
+
+# Agent Pager
+
+Agent Pager lets Claude contact trusted friends' active coding agent sessions.
+
+Use the Agent Pager MCP tools when the user wants to reach a person through their agent.
+
+Rules:
+- Page only approved friends.
+- Keep pages concise and action-oriented.
+- Include the requested action and enough context for the recipient.
+- Do not fake urgency.
+- Use "professionally-dramatic" only when the user is clearly joking.
+- If the user asks who is reachable, call list_friends.
+- If the user asks for their Page my agent link or share link, call get_share_link.
+- If the user wants to add or request access to a person, call request_friend with a human-approved note.
+- If page_friend fails because the recipient is not approved, explain that friendship is required and ask before calling request_friend.
+- If the user asks about pending access requests, call list_friend_requests.
+- If the user explicitly asks to approve, deny, or cancel a specific friend request, call approve_friend_request, deny_friend_request, or cancel_friend_request.
+- If the user asks whether anyone paged them, call check_pages.
+- If the user explicitly asks to remove, unfriend, or end access for a friend, call remove_friend.
+- If the user asks to silence or pause a friend's pages, call mute_friend with a clear duration.
+- If the user explicitly asks to unmute or resume a friend's pages, call unmute_friend.
+- If the user explicitly asks to block or unblock someone, call block_friend or unblock_friend.
+- If the user explicitly asks to report abuse or spam, call report_abuse with a short reason and page id if available.
+`;
+export function setupCodex() {
+    const skillPath = join(homedir(), ".codex", "skills", "agent-pager", "SKILL.md");
+    mkdirSync(dirname(skillPath), { recursive: true });
+    writeFileSync(skillPath, codexSkill);
+    const configPath = join(homedir(), ".codex", "config.toml");
+    mkdirSync(dirname(configPath), { recursive: true });
+    const snippet = `[mcp_servers.agent_pager]
+command = "agent-pager"
+args = ["mcp"]
+`;
+    const current = existsSync(configPath) ? readFileSync(configPath, "utf8") : "";
+    if (!current.includes("[mcp_servers.agent_pager]")) {
+        writeFileSync(configPath, `${current.trimEnd()}\n\n${snippet}`);
+    }
+    return `Installed Codex skill at ${skillPath}\nConfigured MCP in ${configPath}\nRestart Codex or start a new thread to load it.`;
+}
+export function setupClaude() {
+    const skillPath = join(homedir(), ".claude", "skills", "agent-pager", "SKILL.md");
+    mkdirSync(dirname(skillPath), { recursive: true });
+    writeFileSync(skillPath, claudeSkill);
+    return [
+        `Installed Claude skill at ${skillPath}`,
+        "Add the MCP server with:",
+        "  claude mcp add agent-pager -- agent-pager mcp",
+        "For true push into Claude Code sessions, Agent Pager should later ship as a Claude channel plugin and be launched with:",
+        "  claude --channels plugin:agent-pager"
+    ].join("\n");
+}

package/dist/src/store.js

@@ -0,0 +1,52 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { createDeviceKeyPair, nowIso } from "./crypto.js";
+export const DEFAULT_DATA_PATH = resolve(process.cwd(), "data", "agent-pager-db.json");
+export class Store {
+    path;
+    db;
+    constructor(path = process.env.AGENT_PAGER_DB || DEFAULT_DATA_PATH) {
+        this.path = path;
+        this.db = this.load();
+    }
+    data() {
+        return this.db;
+    }
+    save() {
+        mkdirSync(dirname(this.path), { recursive: true });
+        writeFileSync(this.path, `${JSON.stringify(this.db, null, 2)}\n`);
+    }
+    audit(event) {
+        this.db.auditEvents.unshift({
+            id: `audit_${Date.now()}_${Math.random().toString(36).slice(2)}`,
+            at: nowIso(),
+            ...event
+        });
+        this.db.auditEvents = this.db.auditEvents.slice(0, 500);
+        this.save();
+    }
+    load() {
+        if (existsSync(this.path)) {
+            return JSON.parse(readFileSync(this.path, "utf8"));
+        }
+        const serverKeyPair = createDeviceKeyPair();
+        const createdAt = nowIso();
+        return {
+            serverKeyPair,
+            users: [],
+            devices: [],
+            friendships: [],
+            invites: [],
+            friendRequests: [],
+            pages: [],
+            auditEvents: [
+                {
+                    id: "audit_bootstrap",
+                    at: createdAt,
+                    action: "server.bootstrap",
+                    meta: { mode: "local-dev" }
+                }
+            ]
+        };
+    }
+}

package/dist/src/supabase.js

@@ -0,0 +1,32 @@
+import { createClient } from "@supabase/supabase-js";
+export function loadSupabaseRuntimeConfig(env = process.env) {
+    const url = env.NEXT_PUBLIC_SUPABASE_URL || env.SUPABASE_URL || "";
+    const anonKey = env.NEXT_PUBLIC_SUPABASE_ANON_KEY || env.SUPABASE_ANON_KEY || "";
+    if (!url || !anonKey) {
+        throw new Error("Missing NEXT_PUBLIC_SUPABASE_URL and NEXT_PUBLIC_SUPABASE_ANON_KEY.");
+    }
+    return {
+        url,
+        anonKey,
+        serviceRoleKey: env.SUPABASE_SERVICE_ROLE_KEY
+    };
+}
+export function createSupabaseUserClient(config = loadSupabaseRuntimeConfig()) {
+    return createClient(config.url, config.anonKey, {
+        auth: {
+            persistSession: false,
+            autoRefreshToken: false
+        }
+    });
+}
+export function createSupabaseServiceClient(config = loadSupabaseRuntimeConfig()) {
+    if (!config.serviceRoleKey) {
+        throw new Error("Missing SUPABASE_SERVICE_ROLE_KEY.");
+    }
+    return createClient(config.url, config.serviceRoleKey, {
+        auth: {
+            persistSession: false,
+            autoRefreshToken: false
+        }
+    });
+}

package/dist/src/supabase.types.js

@@ -0,0 +1,13 @@
+export const Constants = {
+    graphql_public: {
+        Enums: {},
+    },
+    public: {
+        Enums: {
+            delivery_status: ["pending", "delivered", "acked", "failed"],
+            friend_request_status: ["pending", "approved", "denied", "canceled"],
+            page_urgency: ["gentle", "normal", "firm", "professionally-dramatic"],
+            user_status: ["online", "busy", "muted", "offline"],
+        },
+    },
+};

package/dist/src/types.js

@@ -0,0 +1 @@
+export {};