agent-yes 1.120.0 → 1.121.0

package/dist/SUPPORTED_CLIS-CegJgoEf.js

@@ -0,0 +1,8 @@
+import "./ts-D91dm1E0.js";
+import "./logger-B9h0djqx.js";
+import "./versionChecker-CAtpgnoQ.js";
+import "./pidStore-B5vBu8Px.js";
+import "./globalPidIndex-gZuTvTBs.js";
+import { t as SUPPORTED_CLIS } from "./SUPPORTED_CLIS-O57LGUEG.js";
+
+export { SUPPORTED_CLIS };

package/dist/{SUPPORTED_CLIS-BD8zWc7O.js → SUPPORTED_CLIS-O57LGUEG.js}

@@ -1,8 +1,8 @@
-import { t as CLIS_CONFIG } from "./ts-C78N0K4F.js";
+import { t as CLIS_CONFIG } from "./ts-D91dm1E0.js";
 
 //#region ts/SUPPORTED_CLIS.ts
 const SUPPORTED_CLIS = Object.keys(CLIS_CONFIG);
 
 //#endregion
 export { SUPPORTED_CLIS as t };
-//# sourceMappingURL=SUPPORTED_CLIS-BD8zWc7O.js.map
+//# sourceMappingURL=SUPPORTED_CLIS-O57LGUEG.js.map

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env bun
 import { n as logger } from "./logger-B9h0djqx.js";
-import { i as versionString, n as displayVersion, r as getInstalledPackage, t as checkAndAutoUpdate } from "./versionChecker-CYZtJKMG.js";
+import { i as versionString, n as displayVersion, r as getInstalledPackage, t as checkAndAutoUpdate } from "./versionChecker-CAtpgnoQ.js";
 import { argv } from "process";
 import { execFileSync, spawn } from "child_process";
 import ms from "ms";
@@ -482,7 +482,7 @@ function buildRustArgs(argv, cliFromScript, supportedClis) {
 {
 	const rawArg = process.argv[2];
 	const isHelpFlag = rawArg === "-h" || rawArg === "--help";
-	const { isSubcommand, runSubcommand, cmdHelp } = await import("./subcommands-BVcos4UW.js");
+	const { isSubcommand, runSubcommand, cmdHelp } = await import("./subcommands-DobVXouH.js");
 	if (isHelpFlag && process.argv.length === 3) {
 		cmdHelp();
 		process.exit(0);
@@ -515,7 +515,7 @@ if (config.useRust) {
 		}
 	}
 	if (rustBinary) {
-		const { SUPPORTED_CLIS } = await import("./SUPPORTED_CLIS-CoYWGWbP.js");
+		const { SUPPORTED_CLIS } = await import("./SUPPORTED_CLIS-CegJgoEf.js");
 		const rustArgs = buildRustArgs(process.argv, config.cli, SUPPORTED_CLIS);
 		if (config.verbose) {
 			console.log(`[rust] Using binary: ${rustBinary}`);

package/dist/index.js

@@ -1,6 +1,6 @@
-import { a as removeControlCharacters, i as AgentContext, n as agentYes, r as config, t as CLIS_CONFIG } from "./ts-C78N0K4F.js";
+import { a as removeControlCharacters, i as AgentContext, n as agentYes, r as config, t as CLIS_CONFIG } from "./ts-D91dm1E0.js";
 import "./logger-B9h0djqx.js";
-import "./versionChecker-CYZtJKMG.js";
+import "./versionChecker-CAtpgnoQ.js";
 import "./pidStore-B5vBu8Px.js";
 import "./globalPidIndex-gZuTvTBs.js";
 

package/dist/{serve-6RqphTG0.js → serve-D2czcYNC.js}

@@ -1,11 +1,11 @@
-import "./ts-C78N0K4F.js";
+import "./ts-D91dm1E0.js";
 import "./logger-B9h0djqx.js";
-import { r as getInstalledPackage } from "./versionChecker-CYZtJKMG.js";
+import { r as getInstalledPackage } from "./versionChecker-CAtpgnoQ.js";
 import "./pidStore-B5vBu8Px.js";
 import "./globalPidIndex-gZuTvTBs.js";
-import { t as SUPPORTED_CLIS } from "./SUPPORTED_CLIS-BD8zWc7O.js";
+import { t as SUPPORTED_CLIS } from "./SUPPORTED_CLIS-O57LGUEG.js";
 import "./remotes-BufkGk0e.js";
-import { c as listRecords, d as renderRawLog, f as resolveOne, g as writeToIpc, m as snapshotStatus, r as controlCodeFromName, u as readNotes } from "./subcommands-CCgzXvQ-.js";
+import { c as listRecords, d as renderRawLog, f as resolveOne, g as writeToIpc, m as snapshotStatus, r as controlCodeFromName, u as readNotes } from "./subcommands-CzpZQHO6.js";
 import yargs from "yargs";
 import { mkdir, open, readFile, writeFile } from "fs/promises";
 import { homedir, hostname, userInfo } from "os";
@@ -248,7 +248,7 @@ async function cmdServeDaemon(sub, args) {
 			}
 			process.stdout.write(`  ay serve logs                # view server logs\n`);
 			process.stdout.write(`  ay serve uninstall           # remove daemon\n`);
-			if (webrtcish) process.stdout.write("\nthe WebRTC share link is printed by the daemon — see: ay serve logs\n(the room persists in ~/.agent-yes/.share-room, so the link survives restarts)\n");
+			if (webrtcish) process.stdout.write("\nthe WebRTC share link carries a secret, so the daemon does NOT log it —\nread it from ~/.agent-yes/.share-link (mode 0600). The room persists in\n~/.agent-yes/.share-room, so the link survives restarts.\n");
 		}
 		return code ?? 1;
 	}
@@ -780,6 +780,7 @@ Options:
 		if (req.method === "GET" && (p === "/" || p === "/index.html")) return serveUiFile("index.html", "text/html; charset=utf-8");
 		if (req.method === "GET" && p === "/room-client.js") return serveUiFile("room-client.js", "text/javascript; charset=utf-8");
 		if (req.method === "GET" && p === "/console-logic.js") return serveUiFile("console-logic.js", "text/javascript; charset=utf-8");
+		if (req.method === "GET" && p === "/e2e.js") return serveUiFile("e2e.js", "text/javascript; charset=utf-8");
 		if (req.method === "GET" && p === "/favicon.ico") return new Response(null, { status: 204 });
 		return apiFetch(req);
 	};
@@ -822,14 +823,22 @@ Options:
 		const webrtcVal = argv.webrtc ?? argv.share;
 		const explicitUrl = typeof webrtcVal === "string" && webrtcVal.startsWith("webrtc://") ? webrtcVal : void 0;
 		try {
-			const { startShare, loadOrCreateShareRoom } = await import("./share-B7J79Wq9.js");
-			const { link, close } = await startShare({
+			const { startShare, loadOrCreateShareRoom } = await import("./share-B6QVr5D1.js");
+			const { room, link, close } = await startShare({
 				url: explicitUrl ?? await loadOrCreateShareRoom(),
 				localFetch: apiFetch,
 				apiToken: token
 			});
 			closeShare = close;
-			process.stdout.write(`${wantHttp ? "\n" : ""}shared over WebRTC — open this link (the token is eaten from the URL on open):\n  ${link}\n` + (explicitUrl ? "\n" : `  (persistent room — same link across restarts; delete ~/.agent-yes/.share-room to rotate)\n\n`));
+			const persistNote = explicitUrl ? "\n" : `  (persistent room — same link across restarts; delete ~/.agent-yes/.share-room to rotate)\n\n`;
+			if (process.stdout.isTTY) process.stdout.write(`${wantHttp ? "\n" : ""}shared over WebRTC — open this link (the token is eaten from the URL on open):\n  ${link}\n` + persistNote);
+			else {
+				const linkFile = path.join(process.env.AGENT_YES_HOME ?? path.join(homedir(), ".agent-yes"), ".share-link");
+				try {
+					await writeFile(linkFile, link + "\n", { mode: 384 });
+				} catch {}
+				process.stdout.write(`${wantHttp ? "\n" : ""}shared over WebRTC · room ${room} — the link carries a secret, so it is NOT logged.\n  read it from ${linkFile} (mode 0600); delete ~/.agent-yes/.share-room to rotate\n\n`);
+			}
 		} catch (e) {
 			process.stderr.write(`ay serve --webrtc failed: ${e.message}\n`);
 			if (!wantHttp) return 1;
@@ -853,4 +862,4 @@ Options:
 
 //#endregion
 export { cmdServe };
-//# sourceMappingURL=serve-6RqphTG0.js.map
+//# sourceMappingURL=serve-D2czcYNC.js.map

package/dist/{setup-B5TPF2MV.js → setup-f1FIFcZm.js}

@@ -69,7 +69,7 @@ async function cmdSetup(rest) {
 	if (!existsSync$1(abs)) process.stderr.write(`  note: that directory doesn't exist yet — create it, or agents spawned there will fail\n`);
 	if (noShare) return 0;
 	process.stdout.write(`\nsharing this machine to agent-yes.com…\n`);
-	const { cmdServe } = await import("./serve-6RqphTG0.js");
+	const { cmdServe } = await import("./serve-D2czcYNC.js");
 	return cmdServe([
 		"install",
 		"--share",
@@ -79,4 +79,4 @@ async function cmdSetup(rest) {
 
 //#endregion
 export { cmdSetup };
-//# sourceMappingURL=setup-B5TPF2MV.js.map
+//# sourceMappingURL=setup-f1FIFcZm.js.map

package/dist/share-B6QVr5D1.js

@@ -0,0 +1,522 @@
+import { mkdir, readFile, writeFile } from "fs/promises";
+import { homedir } from "os";
+import path from "path";
+import { randomBytes } from "crypto";
+
+//#region lab/ui/e2e.js
+const V = 1;
+const PROTO = `ay-e2e-${V}`;
+const MARKER = `e${V}.`;
+const INFO_AUTH = `ay/${PROTO}/auth`;
+const INFO_H2C = `ay/${PROTO}/key/host->client`;
+const INFO_C2H = `ay/${PROTO}/key/client->host`;
+const MAX_CHUNK = 12e3;
+const CONFIRM_TIMEOUT_MS = 5e3;
+const VER = 1;
+const FLAG_CONFIRM = 1;
+const HEADER_LEN = 14;
+const NONCE_LEN = 12;
+const TAG_LEN = 16;
+const COUNTER_MAX = (1n << 64n) - 1n;
+if (PROTO !== `ay-e2e-${V}` || MARKER !== `e${V}.` || !INFO_AUTH.startsWith(`ay/${PROTO}/`)) throw new Error("e2e: version constants disagree");
+const subtle = globalThis.crypto.subtle;
+const enc = new TextEncoder();
+const dec = new TextDecoder();
+const HEX64 = /^[0-9a-f]{64}$/;
+function concatBytes(...arrs) {
+	let len = 0;
+	for (const a of arrs) len += a.length;
+	const out = new Uint8Array(len);
+	let o = 0;
+	for (const a of arrs) {
+		out.set(a, o);
+		o += a.length;
+	}
+	return out;
+}
+function hexToBytes(hex) {
+	const out = new Uint8Array(hex.length / 2);
+	for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.substr(i * 2, 2), 16);
+	return out;
+}
+function bytesToHex(b) {
+	let s = "";
+	for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+	return s;
+}
+async function sha256(bytes) {
+	return new Uint8Array(await subtle.digest("SHA-256", bytes));
+}
+async function hkdf32(ikm, salt, info) {
+	const base = await subtle.importKey("raw", ikm, "HKDF", false, ["deriveBits"]);
+	const bits = await subtle.deriveBits({
+		name: "HKDF",
+		hash: "SHA-256",
+		salt,
+		info: enc.encode(info)
+	}, base, 256);
+	return new Uint8Array(bits);
+}
+function validateS(s) {
+	if (typeof s !== "string" || !HEX64.test(s)) throw new Error("invalid share token");
+	return s;
+}
+function ikmFromS(s) {
+	return hexToBytes(validateS(s));
+}
+async function deriveAuthToken(s, room, sighost) {
+	const salt = await sha256(enc.encode(`${room}\n${sighost}`));
+	return bytesToHex(await hkdf32(ikmFromS(s), salt, INFO_AUTH));
+}
+async function importAesKey(raw) {
+	return subtle.importKey("raw", raw, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
+}
+async function deriveDirKeys(s, transcriptHash) {
+	const ikm = ikmFromS(s);
+	const h2c = await hkdf32(ikm, transcriptHash, INFO_H2C);
+	const c2h = await hkdf32(ikm, transcriptHash, INFO_C2H);
+	return {
+		keyH2C: await importAesKey(h2c),
+		keyC2H: await importAesKey(c2h)
+	};
+}
+function allFingerprints(sdp) {
+	const out = [];
+	const re = /^a=fingerprint:(.*)$/gim;
+	let m;
+	while (m = re.exec(sdp)) out.push(m[1].trim().toLowerCase());
+	return out;
+}
+function firstAttr(sdp, name) {
+	const m = new RegExp(`^a=${name}:(.*)$`, "im").exec(sdp);
+	return m ? m[1].trim().toLowerCase() : "";
+}
+async function computeTranscriptHash(offerSdp, answerSdp) {
+	const offerFps = allFingerprints(offerSdp).sort();
+	const answerFps = allFingerprints(answerSdp).sort();
+	if (!offerFps.length || !answerFps.length) throw new Error("e2e: missing DTLS fingerprint");
+	for (const fp of offerFps.concat(answerFps)) if (!fp.startsWith("sha-256")) throw new Error("e2e: non-sha-256 DTLS fingerprint");
+	const input = `${PROTO}\noffer=${offerFps.join(",")};setup=${firstAttr(offerSdp, "setup")};ufrag=${firstAttr(offerSdp, "ice-ufrag")}\nanswer=${answerFps.join(",")};setup=${firstAttr(answerSdp, "setup")};ufrag=${firstAttr(answerSdp, "ice-ufrag")}`;
+	return await sha256(enc.encode(input));
+}
+function nonceFromCounter(ctr) {
+	const n = new Uint8Array(NONCE_LEN);
+	new DataView(n.buffer).setBigUint64(4, ctr, false);
+	return n;
+}
+async function seal(key, sendState, flags, transcriptHash, plaintext) {
+	const ctr = sendState.sendCtr;
+	if (ctr >= COUNTER_MAX) throw new Error("e2e: nonce counter overflow");
+	sendState.sendCtr = ctr + 1n;
+	const nonce = nonceFromCounter(ctr);
+	const header = new Uint8Array(HEADER_LEN);
+	header[0] = VER;
+	header[1] = flags & 255;
+	header.set(nonce, 2);
+	const aad = concatBytes(header, transcriptHash);
+	return concatBytes(header, new Uint8Array(await subtle.encrypt({
+		name: "AES-GCM",
+		iv: nonce,
+		additionalData: aad,
+		tagLength: 128
+	}, key, plaintext))).buffer;
+}
+async function open$1(key, frame, transcriptHash, recvState) {
+	const buf = frame instanceof Uint8Array ? frame : new Uint8Array(frame);
+	if (buf.length < HEADER_LEN + TAG_LEN) throw new Error("e2e: short frame");
+	if (buf[0] !== VER) throw new Error("e2e: bad version");
+	const header = buf.subarray(0, HEADER_LEN);
+	const nonce = buf.subarray(2, HEADER_LEN);
+	const ndv = new DataView(nonce.buffer, nonce.byteOffset, NONCE_LEN);
+	if (ndv.getUint32(0, false) !== 0) throw new Error("e2e: bad epoch");
+	const ctr = ndv.getBigUint64(4, false);
+	const sealed = buf.subarray(HEADER_LEN);
+	const aad = concatBytes(header, transcriptHash);
+	const ptBuf = await subtle.decrypt({
+		name: "AES-GCM",
+		iv: nonce,
+		additionalData: aad,
+		tagLength: 128
+	}, key, sealed);
+	if (recvState.lastSeen === -1n && ctr !== 0n) throw new Error("e2e: first frame must be counter-0");
+	if (ctr <= recvState.lastSeen) throw new Error("e2e: replay/reorder");
+	recvState.lastSeen = ctr;
+	return {
+		counter: ctr,
+		flags: header[1],
+		plaintext: new Uint8Array(ptBuf)
+	};
+}
+function packEnvelope(obj) {
+	return enc.encode(JSON.stringify(obj));
+}
+function unpackEnvelope(bytes) {
+	return JSON.parse(dec.decode(bytes));
+}
+function parseSecret(token) {
+	const mk = /^e(\d+)\.(.*)$/.exec(token);
+	if (mk) {
+		if (mk[1] !== String(V)) throw new Error("update required");
+		if (!HEX64.test(mk[2])) throw new Error("malformed encrypted link");
+		return {
+			s: mk[2],
+			v2: true
+		};
+	}
+	if (/^e\d/i.test(token)) throw new Error("malformed encrypted link");
+	return {
+		s: token,
+		v2: false
+	};
+}
+function randomHex(n) {
+	const b = new Uint8Array(n);
+	globalThis.crypto.getRandomValues(b);
+	return bytesToHex(b);
+}
+
+//#endregion
+//#region ts/share.ts
+const SUB = "ay-signal-1";
+const ICE = [{ urls: "stun:stun.l.google.com:19302" }];
+const DEFAULT_SIGHOST = "s.agent-yes.com";
+function shareRoomPath() {
+	const home = process.env.AGENT_YES_HOME ?? path.join(homedir(), ".agent-yes");
+	return path.join(home, ".share-room");
+}
+async function loadOrCreateShareRoom(sighost = DEFAULT_SIGHOST) {
+	try {
+		const url = (await readFile(shareRoomPath(), "utf-8")).trim();
+		if (url.startsWith("webrtc://")) {
+			if (parseShareUrl(url).token.startsWith(MARKER)) return url;
+		}
+	} catch {}
+	const url = `webrtc://${"r" + randomBytes(3).toString("hex")}:${MARKER}${randomBytes(32).toString("hex")}@${sighost}`;
+	await mkdir(path.dirname(shareRoomPath()), { recursive: true });
+	await writeFile(shareRoomPath(), url, { mode: 384 });
+	return url;
+}
+function parseShareUrl(s) {
+	const m = /^webrtc:\/\/([^:@/]+):([^@/]+)@(.+)$/.exec(s);
+	if (!m) throw new Error(`bad --share url: ${s} (want webrtc://room:token@host)`);
+	return {
+		room: m[1],
+		token: m[2],
+		host: m[3]
+	};
+}
+async function linkFromBunCache() {
+	const { existsSync, symlinkSync, mkdirSync, readdirSync } = await import("fs");
+	const path = (await import("path")).default;
+	const { createRequire } = await import("module");
+	const require = createRequire(import.meta.url);
+	const pkg = path.dirname(require.resolve("node-datachannel/package.json"));
+	const bin = path.join(pkg, "build", "Release", "node_datachannel.node");
+	const cacheRoot = path.join((await import("os")).homedir(), ".bun", "install", "cache");
+	if (existsSync(bin) && existsSync(cacheRoot)) for (const d of readdirSync(cacheRoot)) {
+		if (!d.startsWith("node-datachannel@")) continue;
+		const dst = path.join(cacheRoot, d, "build", "Release");
+		mkdirSync(dst, { recursive: true });
+		const link = path.join(dst, "node_datachannel.node");
+		if (!existsSync(link)) symlinkSync(bin, link);
+	}
+}
+async function ndPackageDir() {
+	try {
+		const path = (await import("path")).default;
+		const { createRequire } = await import("module");
+		const require = createRequire(import.meta.url);
+		return path.dirname(require.resolve("node-datachannel/package.json"));
+	} catch {
+		return null;
+	}
+}
+async function ensureAddon(ndDir) {
+	const { existsSync } = await import("fs");
+	const path = (await import("path")).default;
+	if (existsSync(path.join(ndDir, "build", "Release", "node_datachannel.node"))) return;
+	try {
+		const { createRequire } = await import("module");
+		const binJs = createRequire(import.meta.url).resolve("prebuild-install/bin.js", { paths: [ndDir] });
+		const { spawnSync } = await import("child_process");
+		process.stderr.write("fetching node-datachannel prebuilt binary (one-time)…\n");
+		spawnSync(process.execPath, [
+			binJs,
+			"-r",
+			"napi"
+		], {
+			cwd: ndDir,
+			stdio: "ignore"
+		});
+	} catch {}
+}
+async function importRTC() {
+	const ndDir = await ndPackageDir();
+	if (ndDir) await ensureAddon(ndDir);
+	try {
+		return (await import("node-datachannel/polyfill")).RTCPeerConnection;
+	} catch (firstErr) {
+		await linkFromBunCache().catch(() => {});
+		try {
+			return (await import("node-datachannel/polyfill")).RTCPeerConnection;
+		} catch {
+			throw firstErr;
+		}
+	}
+}
+/** Start the share bridge. Resolves once signaling is connected; runs until the
+*  process exits, reconnecting signaling on drop. Returns the shareable link. */
+async function startShare(opts) {
+	opts.url;
+	const sighost = opts.sighost ?? DEFAULT_SIGHOST;
+	const { room, token, host } = opts.url ? parseShareUrl(opts.url) : {
+		room: "r" + randomBytes(3).toString("hex"),
+		token: `${MARKER}${randomBytes(32).toString("hex")}`,
+		host: sighost
+	};
+	const { s: S, v2 } = parseSecret(token);
+	if (!v2) throw new Error("refusing to host an unencrypted room — delete ~/.agent-yes/.share-room to rotate to an encrypted link");
+	const authToken = await deriveAuthToken(S, room, host);
+	const RTCPeerConnection = await importRTC();
+	const wsScheme = host.startsWith("localhost") || host.startsWith("127.") ? "ws" : "wss";
+	const link = `${host === "s.agent-yes.com" ? "https://agent-yes.com" : "http://localhost:7778"}/#${room}:${MARKER}${S}${host === "s.agent-yes.com" ? "" : "@" + host}`;
+	const peers = /* @__PURE__ */ new Map();
+	let closed = false;
+	let currentWs;
+	const connectSignaling = (onReady) => {
+		if (closed) return;
+		const ws = new WebSocket(`${wsScheme}://${host}/${room}`, [SUB]);
+		currentWs = ws;
+		let ready = false;
+		ws.onopen = () => {
+			ws.send(JSON.stringify({
+				type: "hello",
+				role: "host",
+				v: 2,
+				token: authToken
+			}));
+			ready = true;
+			onReady();
+		};
+		ws.onmessage = async (ev) => {
+			if (closed) return;
+			const m = JSON.parse(ev.data);
+			if (m.type === "peer-join") startPeer(ws, m.peer);
+			else if (m.type === "answer") {
+				const peer = peers.get(m.from);
+				if (!peer) return;
+				try {
+					await peer.pc.setRemoteDescription({
+						type: "answer",
+						sdp: m.sdp
+					});
+					peer.th = await computeTranscriptHash(peer.pc.localDescription.sdp, peer.pc.remoteDescription.sdp);
+					const { keyH2C, keyC2H } = await deriveDirKeys(S, peer.th);
+					peer.keyH2C = keyH2C;
+					peer.keyC2H = keyC2H;
+					peer.resolveKeys();
+				} catch {
+					closePeer(m.from);
+				}
+			} else if (m.type === "candidate") await peers.get(m.from)?.pc.addIceCandidate(m.candidate).catch(() => {});
+			else if (m.type === "peer-leave") closePeer(m.peer);
+		};
+		ws.onclose = (ev) => {
+			if (closed) return;
+			if (ev?.code === 1008) {
+				closed = true;
+				process.stderr.write("[share] room rejected by signaling server — delete ~/.agent-yes/.share-room to rotate the room\n");
+				return;
+			}
+			setTimeout(() => connectSignaling(() => {}), ready ? 1500 : 4e3);
+		};
+		ws.onerror = () => {};
+		return ws;
+	};
+	function startPeer(ws, peerId) {
+		const pc = new RTCPeerConnection({ iceServers: ICE });
+		let resolveKeys;
+		const keysReady = new Promise((r) => resolveKeys = r);
+		const peer = {
+			pc,
+			aborts: /* @__PURE__ */ new Map(),
+			send: { sendCtr: 0n },
+			recv: { lastSeen: -1n },
+			keysReady,
+			resolveKeys,
+			myNonce: randomHex(16),
+			confirmedIn: false,
+			confirmedOut: false,
+			confirmed: false,
+			recvChain: Promise.resolve(),
+			sendChain: Promise.resolve()
+		};
+		peers.set(peerId, peer);
+		pc.onicecandidate = (e) => {
+			if (e.candidate) ws.send(JSON.stringify({
+				type: "candidate",
+				to: peerId,
+				candidate: e.candidate
+			}));
+		};
+		pc.onconnectionstatechange = () => {
+			if ([
+				"failed",
+				"closed",
+				"disconnected"
+			].includes(pc.connectionState)) closePeer(peerId);
+		};
+		const dc = pc.createDataChannel("api");
+		dc.binaryType = "arraybuffer";
+		dc.onopen = async () => {
+			try {
+				await peer.keysReady;
+				enqueueSeal(peerId, dc, peer, FLAG_CONFIRM, {
+					t: "confirm",
+					nonce: peer.myNonce
+				});
+				peer.confirmTimer = setTimeout(() => {
+					if (!peer.confirmed) closePeer(peerId);
+				}, CONFIRM_TIMEOUT_MS);
+			} catch {
+				closePeer(peerId);
+			}
+		};
+		dc.onmessage = (e) => {
+			peer.recvChain = peer.recvChain.then(() => onFrame(peerId, dc, peer, e.data)).catch(() => {});
+		};
+		pc.createOffer().then((o) => pc.setLocalDescription(o)).then(() => ws.send(JSON.stringify({
+			type: "offer",
+			to: peerId,
+			sdp: pc.localDescription.sdp
+		})));
+	}
+	function closePeer(peerId) {
+		const p = peers.get(peerId);
+		if (!p) return;
+		if (p.confirmTimer) clearTimeout(p.confirmTimer);
+		for (const a of p.aborts.values()) a.abort();
+		try {
+			p.pc.close();
+		} catch {}
+		peers.delete(peerId);
+	}
+	function enqueueSeal(peerId, dc, peer, flags, obj) {
+		peer.sendChain = peer.sendChain.then(async () => {
+			if (dc.readyState !== "open" || !peer.keyH2C || !peer.th) return;
+			let frame;
+			try {
+				frame = await seal(peer.keyH2C, peer.send, flags, peer.th, packEnvelope(obj));
+			} catch {
+				closePeer(peerId);
+				return;
+			}
+			try {
+				dc.send(frame);
+			} catch {}
+		});
+		return peer.sendChain;
+	}
+	async function onFrame(peerId, dc, peer, data) {
+		if (!peers.has(peerId)) return;
+		if (typeof data === "string" || !peer.keyC2H || !peer.th) return closePeer(peerId);
+		let env;
+		try {
+			const { plaintext } = await open$1(peer.keyC2H, data, peer.th, peer.recv);
+			env = unpackEnvelope(plaintext);
+		} catch {
+			return closePeer(peerId);
+		}
+		if (!peer.confirmed) {
+			if (!env || env.t !== "confirm") return closePeer(peerId);
+			if (typeof env.nonce === "string" && !peer.confirmedOut) {
+				await enqueueSeal(peerId, dc, peer, FLAG_CONFIRM, {
+					t: "confirm",
+					nonce: peer.myNonce,
+					echo: env.nonce
+				});
+				peer.confirmedOut = true;
+			}
+			if (env.echo && env.echo === peer.myNonce) peer.confirmedIn = true;
+			if (peer.confirmedIn && peer.confirmedOut) {
+				peer.confirmed = true;
+				if (peer.confirmTimer) clearTimeout(peer.confirmTimer);
+			}
+			return;
+		}
+		if (!env || env.t === "confirm") return;
+		onReq(peerId, dc, peer, env);
+	}
+	async function onReq(peerId, dc, peer, req) {
+		if (req.t === "abort") {
+			peer.aborts.get(req.id)?.abort();
+			peer.aborts.delete(req.id);
+			return;
+		}
+		if (req.t !== "req") return;
+		const { id, method, path: p, body } = req;
+		const ac = new AbortController();
+		peer.aborts.set(id, ac);
+		try {
+			const res = await opts.localFetch(new Request(`http://ay.local${p}`, {
+				method,
+				headers: {
+					Authorization: `Bearer ${opts.apiToken}`,
+					...body ? { "Content-Type": "application/json" } : {}
+				},
+				body: body ?? void 0,
+				signal: ac.signal
+			}));
+			enqueueSeal(peerId, dc, peer, 0, {
+				t: "res",
+				id,
+				status: res.status,
+				ct: res.headers.get("content-type") ?? ""
+			});
+			const reader = res.body.getReader();
+			const dec = new TextDecoder();
+			let seq = 0;
+			for (;;) {
+				const { done, value } = await reader.read();
+				if (done) break;
+				const text = dec.decode(value, { stream: true });
+				for (let i = 0; i < text.length; i += MAX_CHUNK) enqueueSeal(peerId, dc, peer, 0, {
+					t: "data",
+					id,
+					seq: seq++,
+					chunk: text.slice(i, i + MAX_CHUNK)
+				});
+			}
+			enqueueSeal(peerId, dc, peer, 0, {
+				t: "end",
+				id,
+				seq
+			});
+		} catch (e) {
+			if (e.name !== "AbortError") enqueueSeal(peerId, dc, peer, 0, {
+				t: "end",
+				id,
+				error: String(e.message ?? e)
+			});
+		} finally {
+			peer.aborts.delete(id);
+		}
+	}
+	await new Promise((resolve) => connectSignaling(resolve));
+	const close = () => {
+		closed = true;
+		try {
+			currentWs?.close();
+		} catch {}
+		for (const peerId of [...peers.keys()]) closePeer(peerId);
+	};
+	return {
+		room,
+		link,
+		close
+	};
+}
+
+//#endregion
+export { loadOrCreateShareRoom, startShare };
+//# sourceMappingURL=share-B6QVr5D1.js.map

package/dist/{subcommands-CCgzXvQ-.js → subcommands-CzpZQHO6.js}

@@ -231,11 +231,11 @@ async function runSubcommand(argv) {
 			case "restart": return await cmdRestart(rest);
 			case "note": return await cmdNote(rest);
 			case "serve": {
-				const { cmdServe } = await import("./serve-6RqphTG0.js");
+				const { cmdServe } = await import("./serve-D2czcYNC.js");
 				return cmdServe(rest);
 			}
 			case "setup": {
-				const { cmdSetup } = await import("./setup-B5TPF2MV.js");
+				const { cmdSetup } = await import("./setup-f1FIFcZm.js");
 				return cmdSetup(rest);
 			}
 			case "remote": {
@@ -1680,4 +1680,4 @@ async function cmdStatus(rest) {
 
 //#endregion
 export { finalizedLines as a, listRecords as c, renderRawLog as d, resolveOne as f, writeToIpc as g, stopTipForCli as h, cursorAbs as i, matchKeyword as l, snapshotStatus as m, cmdHelp as n, isPidAlive as o, runSubcommand as p, controlCodeFromName as r, isSubcommand as s, GRACEFUL_EXIT_COMMANDS as t, readNotes as u };
-//# sourceMappingURL=subcommands-CCgzXvQ-.js.map
+//# sourceMappingURL=subcommands-CzpZQHO6.js.map

package/dist/{subcommands-BVcos4UW.js → subcommands-DobVXouH.js}

@@ -1,6 +1,6 @@
 import "./logger-B9h0djqx.js";
 import "./globalPidIndex-gZuTvTBs.js";
 import "./remotes-BufkGk0e.js";
-import { a as finalizedLines, c as listRecords, d as renderRawLog, f as resolveOne, g as writeToIpc, h as stopTipForCli, i as cursorAbs, l as matchKeyword, m as snapshotStatus, n as cmdHelp, o as isPidAlive, p as runSubcommand, r as controlCodeFromName, s as isSubcommand, t as GRACEFUL_EXIT_COMMANDS, u as readNotes } from "./subcommands-CCgzXvQ-.js";
+import { a as finalizedLines, c as listRecords, d as renderRawLog, f as resolveOne, g as writeToIpc, h as stopTipForCli, i as cursorAbs, l as matchKeyword, m as snapshotStatus, n as cmdHelp, o as isPidAlive, p as runSubcommand, r as controlCodeFromName, s as isSubcommand, t as GRACEFUL_EXIT_COMMANDS, u as readNotes } from "./subcommands-CzpZQHO6.js";
 
 export { cmdHelp, isSubcommand, runSubcommand };