agent-yes 1.143.0 → 1.145.0

package/README.md

@@ -143,8 +143,10 @@ ZAI_API_KEY=... glm-yes -- help me with this code
 
 # Use OpenRouter directly — runs Claude Code against OpenRouter's
 # Anthropic-compatible endpoint. Set OPENROUTER_API_KEY first
-# (https://openrouter.ai/keys).
-OPENROUTER_API_KEY=... openrouter-yes -- help me with this code
+# (https://openrouter.ai/keys). `orcy` is the short alias
+# (openrouter-claude-yes) and defaults to the z-ai/glm-5.2 model
+# (override via ANTHROPIC_DEFAULT_*_MODEL or ~/.claude/settings.json).
+OPENROUTER_API_KEY=... orcy -- help me with this code
 
 # Use Pi directly — minimal multi-provider coding agent
 # (https://github.com/earendil-works/pi)

package/default.config.yaml

@@ -169,6 +169,13 @@ clis:
       ANTHROPIC_BASE_URL: https://openrouter.ai/api
       ANTHROPIC_AUTH_TOKEN: ${OPENROUTER_API_KEY}
       ANTHROPIC_API_KEY: ""
+      # Default to GLM 5.2 (verified to work through OpenRouter's Anthropic skin).
+      # `${VAR:-default}` keeps it overridable: export ANTHROPIC_DEFAULT_*_MODEL or
+      # ANTHROPIC_MODEL (or set them in ~/.claude/settings.json) to use another
+      # OpenRouter slug. Reachable as `orcy` (openrouter-claude-yes).
+      ANTHROPIC_DEFAULT_SONNET_MODEL: ${ANTHROPIC_DEFAULT_SONNET_MODEL:-z-ai/glm-5.2}
+      ANTHROPIC_DEFAULT_OPUS_MODEL: ${ANTHROPIC_DEFAULT_OPUS_MODEL:-z-ai/glm-5.2}
+      ANTHROPIC_DEFAULT_HAIKU_MODEL: ${ANTHROPIC_DEFAULT_HAIKU_MODEL:-z-ai/glm-5.2}
     promptArg: last-arg
     systemPrompt: --append-system-prompt
     yesArgs:

package/dist/SUPPORTED_CLIS-DDFMfNQu.js

@@ -0,0 +1,8 @@
+import "./ts-Cg31cRC5.js";
+import "./logger-CDIsZ-Pp.js";
+import "./versionChecker-DK7tFI0U.js";
+import "./pidStore-fqXqTKkh.js";
+import "./globalPidIndex-DlmmJlO8.js";
+import { t as SUPPORTED_CLIS } from "./SUPPORTED_CLIS-D_aVmqPt.js";
+
+export { SUPPORTED_CLIS };

package/dist/{SUPPORTED_CLIS-DdzFdshj.js → SUPPORTED_CLIS-D_aVmqPt.js}

@@ -1,8 +1,8 @@
-import { t as CLIS_CONFIG } from "./ts-CV4m7CUC.js";
+import { t as CLIS_CONFIG } from "./ts-Cg31cRC5.js";
 
 //#region ts/SUPPORTED_CLIS.ts
 const SUPPORTED_CLIS = Object.keys(CLIS_CONFIG);
 
 //#endregion
 export { SUPPORTED_CLIS as t };
-//# sourceMappingURL=SUPPORTED_CLIS-DdzFdshj.js.map
+//# sourceMappingURL=SUPPORTED_CLIS-D_aVmqPt.js.map

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env bun
-import { t as invokedCliName } from "./invokedCli-zdFbz1ST.js";
+import { t as invokedCliName } from "./invokedCli-uqM2YYA7.js";
 import { n as logger } from "./logger-CDIsZ-Pp.js";
-import { i as versionString, n as displayVersion, r as getInstalledPackage, t as checkAndAutoUpdate } from "./versionChecker-DatX-QMn.js";
+import { i as versionString, n as displayVersion, r as getInstalledPackage, t as checkAndAutoUpdate } from "./versionChecker-DK7tFI0U.js";
 import { argv } from "process";
 import { execFileSync, spawn } from "child_process";
 import ms from "ms";
@@ -480,7 +480,7 @@ function buildRustArgs(argv, cliFromScript, supportedClis) {
 	const rawArg = process.argv[2];
 	const managerCommands = !invokedCliName(process.argv);
 	const isHelpFlag = rawArg === "-h" || rawArg === "--help";
-	const { isSubcommand, runSubcommand, cmdHelp } = await import("./subcommands-BtCnrZmr.js");
+	const { isSubcommand, runSubcommand, cmdHelp } = await import("./subcommands-Dm1UwXKC.js");
 	if (isHelpFlag && process.argv.length === 3) {
 		cmdHelp(managerCommands);
 		process.exit(0);
@@ -494,12 +494,12 @@ await checkAndAutoUpdate();
 logger.info(versionString());
 const config = parseCliArgs(process.argv);
 if (config.tray) {
-	const { startTray } = await import("./tray-DsTv-C04.js");
+	const { startTray } = await import("./tray-5Hezw9uj.js");
 	await startTray();
 	await new Promise(() => {});
 }
 {
-	const { ensureTray } = await import("./tray-DsTv-C04.js");
+	const { ensureTray } = await import("./tray-5Hezw9uj.js");
 	ensureTray();
 }
 if (config.useRust) {
@@ -513,7 +513,7 @@ if (config.useRust) {
 		}
 	}
 	if (rustBinary) {
-		const { SUPPORTED_CLIS } = await import("./SUPPORTED_CLIS-CPLtBfWE.js");
+		const { SUPPORTED_CLIS } = await import("./SUPPORTED_CLIS-DDFMfNQu.js");
 		const rustArgs = buildRustArgs(process.argv, config.cli, SUPPORTED_CLIS);
 		if (config.verbose) {
 			console.log(`[rust] Using binary: ${rustBinary}`);

package/dist/e2e-ClOI_aqV.js

@@ -0,0 +1,175 @@
+//#region lab/ui/e2e.js
+const V = 1;
+const PROTO = `ay-e2e-${V}`;
+const MARKER = `e${V}.`;
+const INFO_AUTH = `ay/${PROTO}/auth`;
+const INFO_H2C = `ay/${PROTO}/key/host->client`;
+const INFO_C2H = `ay/${PROTO}/key/client->host`;
+const MAX_CHUNK = 12e3;
+const CONFIRM_TIMEOUT_MS = 5e3;
+const VER = 1;
+const FLAG_CONFIRM = 1;
+const HEADER_LEN = 14;
+const NONCE_LEN = 12;
+const TAG_LEN = 16;
+const COUNTER_MAX = (1n << 64n) - 1n;
+if (PROTO !== `ay-e2e-${V}` || MARKER !== `e${V}.` || !INFO_AUTH.startsWith(`ay/${PROTO}/`)) throw new Error("e2e: version constants disagree");
+const subtle = globalThis.crypto.subtle;
+const enc = new TextEncoder();
+const dec = new TextDecoder();
+const HEX64 = /^[0-9a-f]{64}$/;
+function concatBytes(...arrs) {
+	let len = 0;
+	for (const a of arrs) len += a.length;
+	const out = new Uint8Array(len);
+	let o = 0;
+	for (const a of arrs) {
+		out.set(a, o);
+		o += a.length;
+	}
+	return out;
+}
+function hexToBytes(hex) {
+	const out = new Uint8Array(hex.length / 2);
+	for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.substr(i * 2, 2), 16);
+	return out;
+}
+function bytesToHex(b) {
+	let s = "";
+	for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+	return s;
+}
+async function sha256(bytes) {
+	return new Uint8Array(await subtle.digest("SHA-256", bytes));
+}
+async function hkdf32(ikm, salt, info) {
+	const base = await subtle.importKey("raw", ikm, "HKDF", false, ["deriveBits"]);
+	const bits = await subtle.deriveBits({
+		name: "HKDF",
+		hash: "SHA-256",
+		salt,
+		info: enc.encode(info)
+	}, base, 256);
+	return new Uint8Array(bits);
+}
+function validateS(s) {
+	if (typeof s !== "string" || !HEX64.test(s)) throw new Error("invalid share token");
+	return s;
+}
+function ikmFromS(s) {
+	return hexToBytes(validateS(s));
+}
+async function deriveAuthToken(s, room, sighost) {
+	const salt = await sha256(enc.encode(`${room}\n${sighost}`));
+	return bytesToHex(await hkdf32(ikmFromS(s), salt, INFO_AUTH));
+}
+async function importAesKey(raw) {
+	return subtle.importKey("raw", raw, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
+}
+async function deriveDirKeys(s, transcriptHash) {
+	const ikm = ikmFromS(s);
+	const h2c = await hkdf32(ikm, transcriptHash, INFO_H2C);
+	const c2h = await hkdf32(ikm, transcriptHash, INFO_C2H);
+	return {
+		keyH2C: await importAesKey(h2c),
+		keyC2H: await importAesKey(c2h)
+	};
+}
+function allFingerprints(sdp) {
+	const out = [];
+	const re = /^a=fingerprint:(.*)$/gim;
+	let m;
+	while (m = re.exec(sdp)) out.push(m[1].trim().toLowerCase());
+	return out;
+}
+function firstAttr(sdp, name) {
+	const m = new RegExp(`^a=${name}:(.*)$`, "im").exec(sdp);
+	return m ? m[1].trim().toLowerCase() : "";
+}
+async function computeTranscriptHash(offerSdp, answerSdp) {
+	const offerFps = allFingerprints(offerSdp).sort();
+	const answerFps = allFingerprints(answerSdp).sort();
+	if (!offerFps.length || !answerFps.length) throw new Error("e2e: missing DTLS fingerprint");
+	for (const fp of offerFps.concat(answerFps)) if (!fp.startsWith("sha-256")) throw new Error("e2e: non-sha-256 DTLS fingerprint");
+	const input = `${PROTO}\noffer=${offerFps.join(",")};setup=${firstAttr(offerSdp, "setup")};ufrag=${firstAttr(offerSdp, "ice-ufrag")}\nanswer=${answerFps.join(",")};setup=${firstAttr(answerSdp, "setup")};ufrag=${firstAttr(answerSdp, "ice-ufrag")}`;
+	return await sha256(enc.encode(input));
+}
+function nonceFromCounter(ctr) {
+	const n = new Uint8Array(NONCE_LEN);
+	new DataView(n.buffer).setBigUint64(4, ctr, false);
+	return n;
+}
+async function seal(key, sendState, flags, transcriptHash, plaintext) {
+	const ctr = sendState.sendCtr;
+	if (ctr >= COUNTER_MAX) throw new Error("e2e: nonce counter overflow");
+	sendState.sendCtr = ctr + 1n;
+	const nonce = nonceFromCounter(ctr);
+	const header = new Uint8Array(HEADER_LEN);
+	header[0] = VER;
+	header[1] = flags & 255;
+	header.set(nonce, 2);
+	const aad = concatBytes(header, transcriptHash);
+	return concatBytes(header, new Uint8Array(await subtle.encrypt({
+		name: "AES-GCM",
+		iv: nonce,
+		additionalData: aad,
+		tagLength: 128
+	}, key, plaintext))).buffer;
+}
+async function open(key, frame, transcriptHash, recvState) {
+	const buf = frame instanceof Uint8Array ? frame : new Uint8Array(frame);
+	if (buf.length < HEADER_LEN + TAG_LEN) throw new Error("e2e: short frame");
+	if (buf[0] !== VER) throw new Error("e2e: bad version");
+	const header = buf.subarray(0, HEADER_LEN);
+	const nonce = buf.subarray(2, HEADER_LEN);
+	const ndv = new DataView(nonce.buffer, nonce.byteOffset, NONCE_LEN);
+	if (ndv.getUint32(0, false) !== 0) throw new Error("e2e: bad epoch");
+	const ctr = ndv.getBigUint64(4, false);
+	const sealed = buf.subarray(HEADER_LEN);
+	const aad = concatBytes(header, transcriptHash);
+	const ptBuf = await subtle.decrypt({
+		name: "AES-GCM",
+		iv: nonce,
+		additionalData: aad,
+		tagLength: 128
+	}, key, sealed);
+	if (recvState.lastSeen === -1n && ctr !== 0n) throw new Error("e2e: first frame must be counter-0");
+	if (ctr <= recvState.lastSeen) throw new Error("e2e: replay/reorder");
+	recvState.lastSeen = ctr;
+	return {
+		counter: ctr,
+		flags: header[1],
+		plaintext: new Uint8Array(ptBuf)
+	};
+}
+function packEnvelope(obj) {
+	return enc.encode(JSON.stringify(obj));
+}
+function unpackEnvelope(bytes) {
+	return JSON.parse(dec.decode(bytes));
+}
+function parseSecret(token) {
+	const mk = /^e(\d+)\.(.*)$/.exec(token);
+	if (mk) {
+		if (mk[1] !== String(V)) throw new Error("update required");
+		if (!HEX64.test(mk[2])) throw new Error("malformed encrypted link");
+		return {
+			s: mk[2],
+			v2: true
+		};
+	}
+	if (/^e\d/i.test(token)) throw new Error("malformed encrypted link");
+	return {
+		s: token,
+		v2: false
+	};
+}
+function randomHex(n) {
+	const b = new Uint8Array(n);
+	globalThis.crypto.getRandomValues(b);
+	return bytesToHex(b);
+}
+
+//#endregion
+export { computeTranscriptHash as a, open as c, randomHex as d, seal as f, MAX_CHUNK as i, packEnvelope as l, FLAG_CONFIRM as n, deriveAuthToken as o, unpackEnvelope as p, MARKER as r, deriveDirKeys as s, CONFIRM_TIMEOUT_MS as t, parseSecret as u };
+//# sourceMappingURL=e2e-ClOI_aqV.js.map

package/dist/index.js

@@ -1,6 +1,6 @@
-import { a as removeControlCharacters, i as AgentContext, n as agentYes, r as config, t as CLIS_CONFIG } from "./ts-CV4m7CUC.js";
+import { a as removeControlCharacters, i as AgentContext, n as agentYes, r as config, t as CLIS_CONFIG } from "./ts-Cg31cRC5.js";
 import "./logger-CDIsZ-Pp.js";
-import "./versionChecker-DatX-QMn.js";
+import "./versionChecker-DK7tFI0U.js";
 import "./pidStore-fqXqTKkh.js";
 import "./globalPidIndex-DlmmJlO8.js";
 

package/dist/{invokedCli-zdFbz1ST.js → invokedCli-uqM2YYA7.js}

@@ -10,7 +10,10 @@
 * resolves to `undefined`. Callers use that `undefined` to tell "the agent-yes
 * manager" apart from "a cli-bound runner alias".
 */
-const CLI_ALIASES = { cy: "claude" };
+const CLI_ALIASES = {
+	cy: "claude",
+	orcy: "openrouter"
+};
 /**
 * The agent CLI implied by argv[1] (cy / claude-yes → "claude", codex-yes →
 * "codex", …), or `undefined` for the generic `ay` / `agent-yes` / `cli` entry.
@@ -22,4 +25,4 @@ function invokedCliName(argv) {
 
 //#endregion
 export { invokedCliName as t };
-//# sourceMappingURL=invokedCli-zdFbz1ST.js.map
+//# sourceMappingURL=invokedCli-uqM2YYA7.js.map

package/dist/orcy.js

@@ -0,0 +1,10 @@
+#!/usr/bin/env bun
+import { existsSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+const root = join(dirname(fileURLToPath(import.meta.url)), "..");
+if (typeof Bun !== "undefined" && existsSync(join(root, ".git"))) {
+  await import("../ts/cli.ts");
+} else {
+  await import("./cli.js");
+}

package/dist/{remotes-BdankQeI.js → remotes-5lHLAAqn.js}

@@ -1,3 +1,5 @@
-import { a as resolveRemoteSpec, i as readRemotes, n as deleteRemoteAlias, o as writeRemoteAlias, r as parseDirectRemoteSpec, t as cmdRemote } from "./remotes-PKKjfTI1.js";
+import "./e2e-ClOI_aqV.js";
+import "./webrtcLink-BWhuA74k.js";
+import { a as resolveRemoteSpec, i as readRemotes, n as deleteRemoteAlias, o as writeRemoteAlias, r as parseDirectRemoteSpec, t as cmdRemote } from "./remotes-qK6uozO4.js";
 
 export { cmdRemote };

package/dist/{remotes-PKKjfTI1.js → remotes-qK6uozO4.js}

@@ -1,3 +1,4 @@
+import { n as isWebrtcSpec } from "./webrtcLink-BWhuA74k.js";
 import { mkdir, readFile, writeFile } from "fs/promises";
 import { homedir } from "os";
 import path from "path";
@@ -60,6 +61,7 @@ function parseDirectRemoteSpec(spec) {
 * Returns null if the spec doesn't match any remote.
 */
 async function resolveRemoteSpec(spec) {
+	if (isWebrtcSpec(spec)) return resolveWebrtc(spec, void 0);
 	const direct = parseDirectRemoteSpec(spec);
 	if (direct) return {
 		url: direct.baseUrl,
@@ -71,16 +73,31 @@ async function resolveRemoteSpec(spec) {
 	const keyword = colonIdx >= 0 ? spec.slice(colonIdx + 1) || void 0 : void 0;
 	const cfg = (await readRemotes()).get(alias);
 	if (!cfg) return null;
+	if (isWebrtcSpec(cfg.url)) return resolveWebrtc(cfg.url, keyword);
 	return {
 		url: cfg.url,
 		token: cfg.token,
 		keyword
 	};
 }
+/**
+* Start a local HTTP↔WebRTC bridge for a share link and present it as an
+* ordinary http remote, so every fetch-based remote command works unchanged.
+* The bridge lives for the rest of the process (torn down on `process.exit`).
+*/
+async function resolveWebrtc(link, keyword) {
+	const { startWebrtcBridge } = await import("./webrtcRemote-jGM3ZHK3.js");
+	const bridge = await startWebrtcBridge(link);
+	return {
+		url: bridge.baseUrl,
+		token: bridge.token,
+		keyword
+	};
+}
 async function cmdRemote(rest) {
 	const sub = rest[0];
 	if (sub === "-h" || sub === "--help") {
-		process.stdout.write("Usage: ay remote <subcommand>\n\nManage saved remote server aliases.\n\nSubcommands:\n  ay remote ls                                           list configured remotes\n  ay remote add <alias> http://<token>@<host>:<port>    add a remote\n  ay remote rm <alias>                                   remove a remote\n\nOnce added, use the alias anywhere a keyword is accepted:\n  ay ls   <alias>\n  ay tail <alias>:<keyword>\n  ay send <alias>:<keyword> \"message\"\n");
+		process.stdout.write("Usage: ay remote <subcommand>\n\nManage saved remote server aliases.\n\nSubcommands:\n  ay remote ls                                           list configured remotes\n  ay remote add <alias> http://<token>@<host>:<port>    add an http remote\n  ay remote add <alias> webrtc://<room>:<token>@<host>  add a WebRTC share remote\n  ay remote add <alias> https://agent-yes.com/w/#<room>:<token>   (share link form)\n  ay remote rm <alias>                                   remove a remote\n\nOnce added, use the alias anywhere a keyword is accepted:\n  ay ls   <alias>\n  ay tail <alias>:<keyword>\n  ay send <alias>:<keyword> \"message\"\n");
 		return 0;
 	}
 	if (!sub || sub === "ls" || sub === "list") {
@@ -103,6 +120,15 @@ async function cmdRemote(rest) {
 			process.stderr.write("  example: ay remote add work-mac http://mytoken123@192.168.1.5:7432\n");
 			return 1;
 		}
+		if (isWebrtcSpec(rawUrl)) {
+			await writeRemoteAlias(alias, {
+				url: rawUrl,
+				token: ""
+			});
+			process.stdout.write(`remote '${alias}' added → ${rawUrl} (webrtc)\n`);
+			process.stderr.write(`\n  ay ls ${alias}            # list agents on ${alias}\n`);
+			return 0;
+		}
 		let url, token;
 		try {
 			const parsed = new URL(rawUrl);
@@ -147,4 +173,4 @@ async function cmdRemote(rest) {
 
 //#endregion
 export { resolveRemoteSpec as a, readRemotes as i, deleteRemoteAlias as n, writeRemoteAlias as o, parseDirectRemoteSpec as r, cmdRemote as t };
-//# sourceMappingURL=remotes-PKKjfTI1.js.map
+//# sourceMappingURL=remotes-qK6uozO4.js.map

package/dist/{schedule-C8QKzvq-.js → schedule-BDi11K0Y.js}

@@ -1,10 +1,10 @@
-import "./ts-CV4m7CUC.js";
+import "./ts-Cg31cRC5.js";
 import "./logger-CDIsZ-Pp.js";
-import "./versionChecker-DatX-QMn.js";
+import "./versionChecker-DK7tFI0U.js";
 import "./pidStore-fqXqTKkh.js";
 import "./globalPidIndex-DlmmJlO8.js";
-import { t as SUPPORTED_CLIS } from "./SUPPORTED_CLIS-DdzFdshj.js";
-import { n as resolveSpawnCwd } from "./workspaceConfig-BCOqRBEW.js";
+import { t as SUPPORTED_CLIS } from "./SUPPORTED_CLIS-D_aVmqPt.js";
+import { n as resolveSpawnCwd } from "./workspaceConfig-B3ylOZAO.js";
 import { createHash } from "node:crypto";
 
 //#region ts/oxmgrService.ts
@@ -141,4 +141,4 @@ async function cmdSchedule(rest) {
 
 //#endregion
 export { cmdSchedule };
-//# sourceMappingURL=schedule-C8QKzvq-.js.map
+//# sourceMappingURL=schedule-BDi11K0Y.js.map

package/dist/{serve-Bathp8Fu.js → serve-CogqhRFd.js}

@@ -1,13 +1,15 @@
-import "./ts-CV4m7CUC.js";
+import "./ts-Cg31cRC5.js";
 import "./logger-CDIsZ-Pp.js";
-import { r as getInstalledPackage } from "./versionChecker-DatX-QMn.js";
+import { r as getInstalledPackage } from "./versionChecker-DK7tFI0U.js";
 import "./pidStore-fqXqTKkh.js";
 import { a as updateGlobalPidStatus } from "./globalPidIndex-DlmmJlO8.js";
 import { t as pgidForWrapper } from "./reaper-C-eWAxIj.js";
 import "./configShared-C1C04bbq.js";
-import { t as SUPPORTED_CLIS } from "./SUPPORTED_CLIS-DdzFdshj.js";
-import "./remotes-PKKjfTI1.js";
-import { S as snapshotStatus, _ as renderRawLog, c as extractTaskCounts, g as readNotes, i as controlCodeFromName, m as listRecords, o as deriveLiveStatus, w as writeToIpc, y as resolveOne } from "./subcommands-BthznoYM.js";
+import { t as SUPPORTED_CLIS } from "./SUPPORTED_CLIS-D_aVmqPt.js";
+import "./e2e-ClOI_aqV.js";
+import "./webrtcLink-BWhuA74k.js";
+import "./remotes-qK6uozO4.js";
+import { S as snapshotStatus, _ as renderRawLog, c as extractTaskCounts, g as readNotes, i as controlCodeFromName, m as listRecords, o as deriveLiveStatus, w as writeToIpc, y as resolveOne } from "./subcommands-BcvCjFLt.js";
 import yargs from "yargs";
 import { mkdir, open, readFile, stat, writeFile } from "fs/promises";
 import { homedir, hostname, userInfo } from "os";
@@ -248,7 +250,7 @@ async function cmdServeDaemon(sub, args) {
 		let shareLink = null;
 		let shareLinkMinted = false;
 		if (webrtcDaemon) try {
-			const { loadOrCreateShareRoom, shareLinkFromRoomUrl } = await import("./share-CoyAOa6e.js");
+			const { loadOrCreateShareRoom, shareLinkFromRoomUrl } = await import("./share-ShLKJTUE.js");
 			const explicit = explicitWebrtcUrl(effArgs);
 			shareLink = shareLinkFromRoomUrl(explicit ?? await loadOrCreateShareRoom());
 			shareLinkMinted = !explicit;
@@ -1122,7 +1124,7 @@ Options:
 		const webrtcVal = argv.webrtc ?? argv.share;
 		const explicitUrl = typeof webrtcVal === "string" && webrtcVal.startsWith("webrtc://") ? webrtcVal : void 0;
 		try {
-			const { startShare, loadOrCreateShareRoom } = await import("./share-CoyAOa6e.js");
+			const { startShare, loadOrCreateShareRoom } = await import("./share-ShLKJTUE.js");
 			const linkFile = path.join(process.env.AGENT_YES_HOME ?? path.join(homedir(), ".agent-yes"), ".share-link");
 			const announce = async (room, link, rotated) => {
 				const lead = rotated ? "the room was rejected by signaling (stale generation) — rotated to a fresh link" : "shared over WebRTC — open this link (the token is eaten from the URL on open)";
@@ -1177,4 +1179,4 @@ Options:
 
 //#endregion
 export { cmdServe };
-//# sourceMappingURL=serve-Bathp8Fu.js.map
+//# sourceMappingURL=serve-CogqhRFd.js.map

package/dist/{setup-ygcLSFBT.js → setup-H2coxV-T.js}

@@ -1,4 +1,4 @@
-import { r as setWorkspaceRoot, t as getWorkspaceRoot } from "./workspaceConfig-BCOqRBEW.js";
+import { r as setWorkspaceRoot, t as getWorkspaceRoot } from "./workspaceConfig-B3ylOZAO.js";
 import { existsSync } from "node:fs";
 import { stdin, stdout } from "node:process";
 import { createInterface } from "node:readline/promises";
@@ -32,7 +32,7 @@ async function cmdSetup(rest) {
 	if (!existsSync(abs)) process.stderr.write(`  note: that directory doesn't exist yet — create it, or agents spawned there will fail\n`);
 	if (noShare) return 0;
 	process.stdout.write(`\nsharing this machine to agent-yes.com…\n`);
-	const { cmdServe } = await import("./serve-Bathp8Fu.js");
+	const { cmdServe } = await import("./serve-CogqhRFd.js");
 	return cmdServe([
 		"install",
 		"--share",
@@ -42,4 +42,4 @@ async function cmdSetup(rest) {
 
 //#endregion
 export { cmdSetup };
-//# sourceMappingURL=setup-ygcLSFBT.js.map
+//# sourceMappingURL=setup-H2coxV-T.js.map

package/dist/{share-CoyAOa6e.js → share-ShLKJTUE.js}

@@ -1,181 +1,9 @@
+import { a as computeTranscriptHash, c as open$1, d as randomHex, f as seal, i as MAX_CHUNK, l as packEnvelope, n as FLAG_CONFIRM, o as deriveAuthToken, p as unpackEnvelope, r as MARKER, s as deriveDirKeys, t as CONFIRM_TIMEOUT_MS, u as parseSecret } from "./e2e-ClOI_aqV.js";
 import { mkdir, readFile, writeFile } from "fs/promises";
 import { homedir } from "os";
 import path from "path";
 import { randomBytes } from "crypto";
 
-//#region lab/ui/e2e.js
-const V = 1;
-const PROTO = `ay-e2e-${V}`;
-const MARKER = `e${V}.`;
-const INFO_AUTH = `ay/${PROTO}/auth`;
-const INFO_H2C = `ay/${PROTO}/key/host->client`;
-const INFO_C2H = `ay/${PROTO}/key/client->host`;
-const MAX_CHUNK = 12e3;
-const CONFIRM_TIMEOUT_MS = 5e3;
-const VER = 1;
-const FLAG_CONFIRM = 1;
-const HEADER_LEN = 14;
-const NONCE_LEN = 12;
-const TAG_LEN = 16;
-const COUNTER_MAX = (1n << 64n) - 1n;
-if (PROTO !== `ay-e2e-${V}` || MARKER !== `e${V}.` || !INFO_AUTH.startsWith(`ay/${PROTO}/`)) throw new Error("e2e: version constants disagree");
-const subtle = globalThis.crypto.subtle;
-const enc = new TextEncoder();
-const dec = new TextDecoder();
-const HEX64 = /^[0-9a-f]{64}$/;
-function concatBytes(...arrs) {
-	let len = 0;
-	for (const a of arrs) len += a.length;
-	const out = new Uint8Array(len);
-	let o = 0;
-	for (const a of arrs) {
-		out.set(a, o);
-		o += a.length;
-	}
-	return out;
-}
-function hexToBytes(hex) {
-	const out = new Uint8Array(hex.length / 2);
-	for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.substr(i * 2, 2), 16);
-	return out;
-}
-function bytesToHex(b) {
-	let s = "";
-	for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
-	return s;
-}
-async function sha256(bytes) {
-	return new Uint8Array(await subtle.digest("SHA-256", bytes));
-}
-async function hkdf32(ikm, salt, info) {
-	const base = await subtle.importKey("raw", ikm, "HKDF", false, ["deriveBits"]);
-	const bits = await subtle.deriveBits({
-		name: "HKDF",
-		hash: "SHA-256",
-		salt,
-		info: enc.encode(info)
-	}, base, 256);
-	return new Uint8Array(bits);
-}
-function validateS(s) {
-	if (typeof s !== "string" || !HEX64.test(s)) throw new Error("invalid share token");
-	return s;
-}
-function ikmFromS(s) {
-	return hexToBytes(validateS(s));
-}
-async function deriveAuthToken(s, room, sighost) {
-	const salt = await sha256(enc.encode(`${room}\n${sighost}`));
-	return bytesToHex(await hkdf32(ikmFromS(s), salt, INFO_AUTH));
-}
-async function importAesKey(raw) {
-	return subtle.importKey("raw", raw, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
-}
-async function deriveDirKeys(s, transcriptHash) {
-	const ikm = ikmFromS(s);
-	const h2c = await hkdf32(ikm, transcriptHash, INFO_H2C);
-	const c2h = await hkdf32(ikm, transcriptHash, INFO_C2H);
-	return {
-		keyH2C: await importAesKey(h2c),
-		keyC2H: await importAesKey(c2h)
-	};
-}
-function allFingerprints(sdp) {
-	const out = [];
-	const re = /^a=fingerprint:(.*)$/gim;
-	let m;
-	while (m = re.exec(sdp)) out.push(m[1].trim().toLowerCase());
-	return out;
-}
-function firstAttr(sdp, name) {
-	const m = new RegExp(`^a=${name}:(.*)$`, "im").exec(sdp);
-	return m ? m[1].trim().toLowerCase() : "";
-}
-async function computeTranscriptHash(offerSdp, answerSdp) {
-	const offerFps = allFingerprints(offerSdp).sort();
-	const answerFps = allFingerprints(answerSdp).sort();
-	if (!offerFps.length || !answerFps.length) throw new Error("e2e: missing DTLS fingerprint");
-	for (const fp of offerFps.concat(answerFps)) if (!fp.startsWith("sha-256")) throw new Error("e2e: non-sha-256 DTLS fingerprint");
-	const input = `${PROTO}\noffer=${offerFps.join(",")};setup=${firstAttr(offerSdp, "setup")};ufrag=${firstAttr(offerSdp, "ice-ufrag")}\nanswer=${answerFps.join(",")};setup=${firstAttr(answerSdp, "setup")};ufrag=${firstAttr(answerSdp, "ice-ufrag")}`;
-	return await sha256(enc.encode(input));
-}
-function nonceFromCounter(ctr) {
-	const n = new Uint8Array(NONCE_LEN);
-	new DataView(n.buffer).setBigUint64(4, ctr, false);
-	return n;
-}
-async function seal(key, sendState, flags, transcriptHash, plaintext) {
-	const ctr = sendState.sendCtr;
-	if (ctr >= COUNTER_MAX) throw new Error("e2e: nonce counter overflow");
-	sendState.sendCtr = ctr + 1n;
-	const nonce = nonceFromCounter(ctr);
-	const header = new Uint8Array(HEADER_LEN);
-	header[0] = VER;
-	header[1] = flags & 255;
-	header.set(nonce, 2);
-	const aad = concatBytes(header, transcriptHash);
-	return concatBytes(header, new Uint8Array(await subtle.encrypt({
-		name: "AES-GCM",
-		iv: nonce,
-		additionalData: aad,
-		tagLength: 128
-	}, key, plaintext))).buffer;
-}
-async function open$1(key, frame, transcriptHash, recvState) {
-	const buf = frame instanceof Uint8Array ? frame : new Uint8Array(frame);
-	if (buf.length < HEADER_LEN + TAG_LEN) throw new Error("e2e: short frame");
-	if (buf[0] !== VER) throw new Error("e2e: bad version");
-	const header = buf.subarray(0, HEADER_LEN);
-	const nonce = buf.subarray(2, HEADER_LEN);
-	const ndv = new DataView(nonce.buffer, nonce.byteOffset, NONCE_LEN);
-	if (ndv.getUint32(0, false) !== 0) throw new Error("e2e: bad epoch");
-	const ctr = ndv.getBigUint64(4, false);
-	const sealed = buf.subarray(HEADER_LEN);
-	const aad = concatBytes(header, transcriptHash);
-	const ptBuf = await subtle.decrypt({
-		name: "AES-GCM",
-		iv: nonce,
-		additionalData: aad,
-		tagLength: 128
-	}, key, sealed);
-	if (recvState.lastSeen === -1n && ctr !== 0n) throw new Error("e2e: first frame must be counter-0");
-	if (ctr <= recvState.lastSeen) throw new Error("e2e: replay/reorder");
-	recvState.lastSeen = ctr;
-	return {
-		counter: ctr,
-		flags: header[1],
-		plaintext: new Uint8Array(ptBuf)
-	};
-}
-function packEnvelope(obj) {
-	return enc.encode(JSON.stringify(obj));
-}
-function unpackEnvelope(bytes) {
-	return JSON.parse(dec.decode(bytes));
-}
-function parseSecret(token) {
-	const mk = /^e(\d+)\.(.*)$/.exec(token);
-	if (mk) {
-		if (mk[1] !== String(V)) throw new Error("update required");
-		if (!HEX64.test(mk[2])) throw new Error("malformed encrypted link");
-		return {
-			s: mk[2],
-			v2: true
-		};
-	}
-	if (/^e\d/i.test(token)) throw new Error("malformed encrypted link");
-	return {
-		s: token,
-		v2: false
-	};
-}
-function randomHex(n) {
-	const b = new Uint8Array(n);
-	globalThis.crypto.getRandomValues(b);
-	return bytesToHex(b);
-}
-
-//#endregion
 //#region ts/share.ts
 const SUB = "ay-signal-1";
 const DEFAULT_SIGHOST = "s.agent-yes.com";
@@ -706,4 +534,4 @@ async function startShare(opts) {
 
 //#endregion
 export { loadOrCreateShareRoom, shareLinkFromRoomUrl, startShare };
-//# sourceMappingURL=share-CoyAOa6e.js.map
+//# sourceMappingURL=share-ShLKJTUE.js.map