ai-cli-online 2.1.0

package/install-service.sh

@@ -0,0 +1,319 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ============================================
+#  AI-CLI-Online systemd 服务安装脚本
+#  用法: sudo bash install-service.sh
+# ============================================
+
+SERVICE_NAME="ai-cli-online"
+SERVICE_FILE="/etc/systemd/system/${SERVICE_NAME}.service"
+
+# --- 检测环境 ---
+
+# 项目目录 = 脚本所在目录
+PROJECT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+# 运行用户 (优先 SUDO_USER，回退当前用户)
+RUN_USER="${SUDO_USER:-$(whoami)}"
+RUN_HOME=$(eval echo "~${RUN_USER}")
+
+# Node.js 路径
+NODE_BIN=$(su - "$RUN_USER" -c "which node" 2>/dev/null || true)
+if [[ -z "$NODE_BIN" ]]; then
+  echo "[错误] 未找到 node，请先安装 Node.js >= 18"
+  exit 1
+fi
+NODE_DIR=$(dirname "$NODE_BIN")
+NODE_VERSION=$("$NODE_BIN" --version)
+
+NPM_BIN=$(su - "$RUN_USER" -c "which npm" 2>/dev/null || true)
+if [[ -z "$NPM_BIN" ]]; then
+  echo "[错误] 未找到 npm"
+  exit 1
+fi
+
+# 检查 tmux
+if ! command -v tmux &>/dev/null; then
+  echo "[错误] 未找到 tmux，请先安装: sudo apt install tmux"
+  exit 1
+fi
+
+# --- 确认信息 ---
+
+echo "================================"
+echo "  AI-CLI-Online 服务安装"
+echo "================================"
+echo ""
+echo "  项目目录:  $PROJECT_DIR"
+echo "  运行用户:  $RUN_USER"
+echo "  Node.js:   $NODE_BIN ($NODE_VERSION)"
+echo "  npm:       $NPM_BIN"
+echo "  服务文件:  $SERVICE_FILE"
+echo ""
+
+# 非交互模式 (传 -y 跳过确认)
+if [[ "${1:-}" != "-y" ]]; then
+  read -rp "确认安装? [Y/n] " answer
+  if [[ "$answer" =~ ^[Nn] ]]; then
+    echo "已取消"
+    exit 0
+  fi
+fi
+
+# --- 生成 service 文件 ---
+
+cat > "$SERVICE_FILE" <<EOF
+[Unit]
+Description=AI-CLI-Online Web Terminal
+After=network.target
+
+[Service]
+Type=simple
+User=${RUN_USER}
+WorkingDirectory=${PROJECT_DIR}/server
+Environment=PATH=${NODE_DIR}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+Environment=NODE_ENV=production
+EnvironmentFile=-${PROJECT_DIR}/server/.env
+ExecStartPre=${NPM_BIN} run --prefix ${PROJECT_DIR} build
+ExecStart=${NODE_BIN} dist/index.js
+Restart=on-failure
+RestartSec=5
+
+# 进程管理
+KillMode=mixed
+KillSignal=SIGTERM
+TimeoutStopSec=10
+
+# 安全加固
+NoNewPrivileges=true
+ProtectSystem=strict
+ReadWritePaths=${RUN_HOME}
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+echo "[完成] 已写入 $SERVICE_FILE"
+
+# --- 启用服务 ---
+
+systemctl daemon-reload
+systemctl enable "$SERVICE_NAME"
+
+echo ""
+echo "================================"
+echo "  systemd 服务安装完成"
+echo "================================"
+echo ""
+
+# ==========================================================
+#  可选: nginx 反向代理配置
+# ==========================================================
+
+SETUP_NGINX="n"
+if command -v nginx &>/dev/null; then
+  echo ""
+  echo "检测到 nginx 已安装，是否配置反向代理?"
+  echo "  - 自动生成 nginx 站点配置"
+  echo "  - 自动设置 WebSocket 代理"
+  echo "  - 自动设置 HTTPS_ENABLED=false (由 nginx 做 SSL 终端)"
+  echo ""
+  if [[ "${1:-}" == "-y" ]]; then
+    SETUP_NGINX="y"
+  else
+    read -rp "配置 nginx 反向代理? [y/N] " SETUP_NGINX
+  fi
+fi
+
+if [[ "$SETUP_NGINX" =~ ^[Yy] ]]; then
+  # 读取端口 (从 .env 或默认 3001)
+  BACKEND_PORT="3001"
+  ENV_FILE="${PROJECT_DIR}/server/.env"
+  if [[ -f "$ENV_FILE" ]]; then
+    ENV_PORT=$(grep -E '^PORT=' "$ENV_FILE" 2>/dev/null | cut -d= -f2 | tr -d ' "'"'" || true)
+    if [[ -n "$ENV_PORT" ]]; then
+      BACKEND_PORT="$ENV_PORT"
+    fi
+  fi
+
+  # 交互获取域名
+  read -rp "域名 (留空则使用 _ 匹配所有): " NGINX_DOMAIN
+  NGINX_DOMAIN="${NGINX_DOMAIN:-_}"
+
+  # 交互获取监听端口
+  read -rp "nginx 监听端口 [443]: " NGINX_LISTEN_PORT
+  NGINX_LISTEN_PORT="${NGINX_LISTEN_PORT:-443}"
+
+  # SSL 配置
+  NGINX_SSL_BLOCK=""
+  if [[ "$NGINX_LISTEN_PORT" == "443" ]]; then
+    echo ""
+    echo "SSL 证书配置:"
+    echo "  1) 已有证书 (输入路径)"
+    echo "  2) 自签名证书 (自动生成)"
+    echo "  3) 不使用 SSL (改为监听 80 端口)"
+    read -rp "选择 [1/2/3]: " SSL_CHOICE
+
+    case "${SSL_CHOICE:-1}" in
+      1)
+        read -rp "证书文件路径 (.crt/.pem): " SSL_CERT
+        read -rp "私钥文件路径 (.key): " SSL_KEY
+        if [[ ! -f "$SSL_CERT" || ! -f "$SSL_KEY" ]]; then
+          echo "[错误] 证书或私钥文件不存在"
+          exit 1
+        fi
+        NGINX_SSL_BLOCK="    ssl_certificate     ${SSL_CERT};
+    ssl_certificate_key ${SSL_KEY};
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;"
+        ;;
+      2)
+        SELF_SIGN_DIR="/etc/nginx/ssl"
+        mkdir -p "$SELF_SIGN_DIR"
+        SELF_CERT="${SELF_SIGN_DIR}/${SERVICE_NAME}.crt"
+        SELF_KEY="${SELF_SIGN_DIR}/${SERVICE_NAME}.key"
+        echo "[SSL] 生成自签名证书..."
+        openssl req -x509 -nodes -days 3650 \
+          -newkey rsa:2048 \
+          -keyout "$SELF_KEY" \
+          -out "$SELF_CERT" \
+          -subj "/CN=${NGINX_DOMAIN}" \
+          2>/dev/null
+        echo "[SSL] 证书: $SELF_CERT"
+        echo "[SSL] 私钥: $SELF_KEY"
+        NGINX_SSL_BLOCK="    ssl_certificate     ${SELF_CERT};
+    ssl_certificate_key ${SELF_KEY};
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;"
+        ;;
+      3)
+        NGINX_LISTEN_PORT="80"
+        ;;
+    esac
+  fi
+
+  # 构建 listen 指令
+  if [[ -n "$NGINX_SSL_BLOCK" ]]; then
+    LISTEN_DIRECTIVE="listen ${NGINX_LISTEN_PORT} ssl;"
+  else
+    LISTEN_DIRECTIVE="listen ${NGINX_LISTEN_PORT};"
+  fi
+
+  # 生成 nginx 配置
+  NGINX_CONF="/etc/nginx/sites-available/${SERVICE_NAME}"
+  cat > "$NGINX_CONF" <<NGINX_EOF
+# AI-CLI-Online nginx reverse proxy
+# Auto-generated by install-service.sh
+
+server {
+    ${LISTEN_DIRECTIVE}
+    server_name ${NGINX_DOMAIN};
+
+${NGINX_SSL_BLOCK}
+
+    # 文件上传大小限制 (与 multer 100MB 限制匹配)
+    client_max_body_size 100m;
+
+    location / {
+        proxy_pass http://127.0.0.1:${BACKEND_PORT};
+        proxy_http_version 1.1;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+
+    location /ws {
+        proxy_pass http://127.0.0.1:${BACKEND_PORT}/ws;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_read_timeout 86400s;
+        proxy_send_timeout 86400s;
+    }
+}
+NGINX_EOF
+
+  echo "[nginx] 已写入 $NGINX_CONF"
+
+  # 启用站点 (symlink to sites-enabled)
+  NGINX_ENABLED="/etc/nginx/sites-enabled/${SERVICE_NAME}"
+  if [[ -L "$NGINX_ENABLED" ]]; then
+    rm "$NGINX_ENABLED"
+  fi
+  ln -s "$NGINX_CONF" "$NGINX_ENABLED"
+  echo "[nginx] 已启用站点"
+
+  # 设置 server/.env 的 HTTPS_ENABLED=false 和 TRUST_PROXY=1
+  if [[ -f "$ENV_FILE" ]]; then
+    # 更新已有的 HTTPS_ENABLED
+    if grep -q '^HTTPS_ENABLED=' "$ENV_FILE"; then
+      sed -i 's/^HTTPS_ENABLED=.*/HTTPS_ENABLED=false/' "$ENV_FILE"
+    else
+      echo 'HTTPS_ENABLED=false' >> "$ENV_FILE"
+    fi
+    # 更新已有的 TRUST_PROXY
+    if grep -q '^TRUST_PROXY=' "$ENV_FILE"; then
+      sed -i 's/^TRUST_PROXY=.*/TRUST_PROXY=1/' "$ENV_FILE"
+    else
+      echo 'TRUST_PROXY=1' >> "$ENV_FILE"
+    fi
+    echo "[env] 已设置 HTTPS_ENABLED=false, TRUST_PROXY=1"
+  else
+    cat > "$ENV_FILE" <<ENV_EOF
+PORT=${BACKEND_PORT}
+HOST=0.0.0.0
+HTTPS_ENABLED=false
+TRUST_PROXY=1
+AUTH_TOKEN=
+DEFAULT_WORKING_DIR=${RUN_HOME}
+ENV_EOF
+    chown "$RUN_USER:$RUN_USER" "$ENV_FILE" 2>/dev/null || true
+    echo "[env] 已创建 $ENV_FILE (HTTPS_ENABLED=false, TRUST_PROXY=1)"
+  fi
+
+  # 测试 nginx 配置
+  echo "[nginx] 测试配置..."
+  if nginx -t 2>&1; then
+    systemctl reload nginx
+    echo "[nginx] 配置已生效"
+  else
+    echo "[警告] nginx 配置测试失败，请手动检查: $NGINX_CONF"
+  fi
+
+  echo ""
+  echo "================================"
+  echo "  nginx 反向代理配置完成"
+  echo "================================"
+  echo ""
+  if [[ -n "$NGINX_SSL_BLOCK" ]]; then
+    echo "  访问地址:   https://${NGINX_DOMAIN}:${NGINX_LISTEN_PORT}"
+  else
+    echo "  访问地址:   http://${NGINX_DOMAIN}:${NGINX_LISTEN_PORT}"
+  fi
+  echo "  后端端口:   ${BACKEND_PORT}"
+  echo "  站点配置:   $NGINX_CONF"
+  echo ""
+  echo "  卸载 nginx 配置:"
+  echo "    sudo rm ${NGINX_ENABLED} ${NGINX_CONF} && sudo nginx -s reload"
+  echo ""
+fi
+
+# --- 最终提示 ---
+
+echo "================================"
+echo "  常用命令"
+echo "================================"
+echo ""
+echo "  启动服务:   sudo systemctl start $SERVICE_NAME"
+echo "  查看状态:   sudo systemctl status $SERVICE_NAME"
+echo "  查看日志:   sudo journalctl -u $SERVICE_NAME -f"
+echo "  停止服务:   sudo systemctl stop $SERVICE_NAME"
+echo "  卸载服务:   sudo systemctl disable $SERVICE_NAME && sudo rm $SERVICE_FILE"
+echo ""

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "ai-cli-online",
+  "version": "2.1.0",
+  "description": "AI-Cli Online - Web Terminal for Claude Code via xterm.js + tmux",
+  "license": "MIT",
+  "bin": {
+    "ai-cli-online": "./bin/ai-cli-online.mjs"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/huacheng/ai-cli-online.git"
+  },
+  "homepage": "https://github.com/huacheng/ai-cli-online#readme",
+  "bugs": {
+    "url": "https://github.com/huacheng/ai-cli-online/issues"
+  },
+  "keywords": [
+    "terminal",
+    "web-terminal",
+    "xterm",
+    "tmux",
+    "claude",
+    "claude-code",
+    "cli"
+  ],
+  "files": [
+    "bin/",
+    "shared/dist/",
+    "shared/package.json",
+    "server/dist/",
+    "server/package.json",
+    "server/.env.example",
+    "web/dist/",
+    "web/package.json",
+    "start.sh",
+    "install-service.sh"
+  ],
+  "workspaces": [
+    "shared",
+    "server",
+    "web"
+  ],
+  "scripts": {
+    "dev": "concurrently \"npm run dev:server\" \"npm run dev:web\"",
+    "dev:server": "npm run dev --workspace=server",
+    "dev:web": "npm run dev --workspace=web",
+    "build": "npm run build --workspace=shared && npm run build --workspace=server && npm run build --workspace=web",
+    "start": "npm run start --workspace=server"
+  },
+  "devDependencies": {
+    "concurrently": "^8.2.2",
+    "typescript": "^5.9.3"
+  }
+}

package/server/.env.example

@@ -0,0 +1,18 @@
+# Server port
+PORT=3001
+
+# Bind address
+HOST=0.0.0.0
+
+# Enable HTTPS (set to false when behind nginx reverse proxy)
+HTTPS_ENABLED=true
+
+# Authentication token (REQUIRED for production)
+# Generate one with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+AUTH_TOKEN=
+
+# Trust proxy (set to 1 when behind nginx/reverse proxy)
+# TRUST_PROXY=1
+
+# Default working directory for terminal sessions
+DEFAULT_WORKING_DIR=/home/ubuntu

package/server/dist/auth.d.ts

@@ -0,0 +1,3 @@
+/** Constant-time string comparison using HMAC to prevent timing side-channel attacks.
+ *  HMAC digests are always 32 bytes, so comparison is constant-time regardless of input lengths. */
+export declare function safeTokenCompare(a: string, b: string): boolean;

package/server/dist/auth.js

@@ -0,0 +1,9 @@
+import { createHmac, timingSafeEqual } from 'crypto';
+/** Constant-time string comparison using HMAC to prevent timing side-channel attacks.
+ *  HMAC digests are always 32 bytes, so comparison is constant-time regardless of input lengths. */
+export function safeTokenCompare(a, b) {
+    const key = 'ai-cli-online-token-compare';
+    const hmacA = createHmac('sha256', key).update(a).digest();
+    const hmacB = createHmac('sha256', key).update(b).digest();
+    return timingSafeEqual(hmacA, hmacB);
+}

package/server/dist/claude.d.ts

@@ -0,0 +1,16 @@
+import type { ClaudeCodeResult } from './types.js';
+export interface ClaudeCodeOptions {
+    workingDir: string;
+    message: string;
+    sessionId?: string;
+    isNewSession?: boolean;
+    onData?: (data: string) => void;
+}
+/**
+ * Execute Claude Code CLI with streaming JSON output for real-time updates
+ */
+export declare function executeClaudeCode(options: ClaudeCodeOptions): Promise<ClaudeCodeResult>;
+/**
+ * Check if Claude Code CLI is available
+ */
+export declare function checkClaudeCodeAvailable(): Promise<boolean>;

package/server/dist/claude.js

@@ -0,0 +1,141 @@
+import { spawn } from 'child_process';
+const CLAUDE_PATH = process.env.CLAUDE_PATH || '/home/ubuntu/.local/bin/claude';
+/**
+ * Execute Claude Code CLI with streaming JSON output for real-time updates
+ */
+export async function executeClaudeCode(options) {
+    const { workingDir, message, sessionId, isNewSession, onData } = options;
+    return new Promise((resolve) => {
+        // Use --output-format stream-json for real streaming (not --print which buffers)
+        const args = ['--output-format', 'stream-json', '--dangerously-skip-permissions', '--verbose'];
+        // Handle session management
+        if (sessionId) {
+            if (isNewSession) {
+                // First message in conversation - create new session with specified ID
+                args.push('--session-id', sessionId);
+            }
+            else {
+                // Subsequent messages - resume existing session
+                args.push('--resume', sessionId);
+            }
+        }
+        // Add the message as the last argument
+        args.push(message);
+        console.log(`[Claude] Executing in ${workingDir}: ${CLAUDE_PATH}`, args);
+        const proc = spawn(CLAUDE_PATH, args, {
+            cwd: workingDir,
+            env: {
+                ...process.env,
+                CI: 'true', // Non-interactive mode
+            },
+        });
+        let fullOutput = '';
+        let streamedText = '';
+        let buffer = '';
+        // Process stdout line by line (each line is a JSON event)
+        proc.stdout.on('data', (data) => {
+            buffer += data.toString();
+            // Process complete lines
+            const lines = buffer.split('\n');
+            buffer = lines.pop() || ''; // Keep incomplete line in buffer
+            for (const line of lines) {
+                if (!line.trim())
+                    continue;
+                try {
+                    const event = JSON.parse(line);
+                    console.log(`[Claude stream] Event type: ${event.type}`);
+                    // Extract text from various event types
+                    let text = '';
+                    if (event.type === 'assistant' && event.message?.content) {
+                        // Final message with full content
+                        text = event.message.content;
+                        fullOutput = text;
+                    }
+                    else if (event.type === 'content_block_delta' && event.delta?.text) {
+                        // Streaming delta
+                        text = event.delta.text;
+                        streamedText += text;
+                        fullOutput = streamedText;
+                    }
+                    else if (event.type === 'content_block_start' && event.content_block?.text) {
+                        text = event.content_block.text;
+                        streamedText += text;
+                        fullOutput = streamedText;
+                    }
+                    // Send streaming update if we got text
+                    if (text && onData) {
+                        console.log(`[Claude stream] Sending chunk: ${text.length} chars`);
+                        onData(text);
+                    }
+                }
+                catch (e) {
+                    // Not JSON, might be raw output - just append it
+                    console.log(`[Claude raw] ${line}`);
+                    if (line.trim()) {
+                        fullOutput += line + '\n';
+                        if (onData) {
+                            onData(line + '\n');
+                        }
+                    }
+                }
+            }
+        });
+        proc.stderr.on('data', (data) => {
+            const text = data.toString();
+            console.log(`[Claude stderr] ${text}`);
+        });
+        proc.on('close', (exitCode) => {
+            // Process any remaining buffer
+            if (buffer.trim()) {
+                try {
+                    const event = JSON.parse(buffer);
+                    if (event.type === 'assistant' && event.message?.content) {
+                        fullOutput = event.message.content;
+                    }
+                }
+                catch {
+                    fullOutput += buffer;
+                }
+            }
+            console.log(`[Claude] Process exited with code ${exitCode}`);
+            if (exitCode === 0) {
+                resolve({
+                    success: true,
+                    output: fullOutput.trim() || streamedText.trim(),
+                    sessionId,
+                });
+            }
+            else {
+                resolve({
+                    success: false,
+                    output: fullOutput.trim() || streamedText.trim(),
+                    error: `Process exited with code ${exitCode}`,
+                    sessionId,
+                });
+            }
+        });
+        proc.on('error', (err) => {
+            console.error(`[Claude] Process error:`, err);
+            resolve({
+                success: false,
+                output: '',
+                error: err.message,
+                sessionId,
+            });
+        });
+    });
+}
+/**
+ * Check if Claude Code CLI is available
+ */
+export async function checkClaudeCodeAvailable() {
+    return new Promise((resolve) => {
+        const proc = spawn(CLAUDE_PATH, ['--version']);
+        proc.on('close', (code) => {
+            resolve(code === 0);
+        });
+        proc.on('error', () => {
+            resolve(false);
+        });
+    });
+}

package/server/dist/db.d.ts

@@ -0,0 +1,7 @@
+export declare function getSetting(tokenHash: string, key: string): string | null;
+export declare function saveSetting(tokenHash: string, key: string, value: string): void;
+export declare function getDraft(sessionName: string): string;
+export declare function saveDraft(sessionName: string, content: string): void;
+export declare function deleteDraft(sessionName: string): void;
+export declare function cleanupOldDrafts(maxAgeDays?: number): number;
+export declare function closeDb(): void;

package/server/dist/db.js

@@ -0,0 +1,73 @@
+import Database from 'better-sqlite3';
+import { existsSync, mkdirSync } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const DATA_DIR = join(__dirname, '../data');
+const DB_PATH = join(DATA_DIR, 'ai-cli-online.db');
+if (!existsSync(DATA_DIR)) {
+    mkdirSync(DATA_DIR, { recursive: true });
+}
+const db = new Database(DB_PATH);
+db.pragma('journal_mode = WAL');
+db.exec(`
+  CREATE TABLE IF NOT EXISTS drafts (
+    session_name TEXT PRIMARY KEY,
+    content TEXT NOT NULL DEFAULT '',
+    updated_at INTEGER NOT NULL
+  )
+`);
+db.exec(`
+  CREATE TABLE IF NOT EXISTS settings (
+    token_hash TEXT NOT NULL,
+    key TEXT NOT NULL,
+    value TEXT NOT NULL,
+    updated_at INTEGER NOT NULL,
+    PRIMARY KEY (token_hash, key)
+  )
+`);
+// --- Drafts statements ---
+const stmtGet = db.prepare('SELECT content FROM drafts WHERE session_name = ?');
+const stmtUpsert = db.prepare(`
+  INSERT INTO drafts (session_name, content, updated_at) VALUES (?, ?, ?)
+  ON CONFLICT(session_name) DO UPDATE SET content = excluded.content, updated_at = excluded.updated_at
+`);
+const stmtDelete = db.prepare('DELETE FROM drafts WHERE session_name = ?');
+const stmtCleanup = db.prepare('DELETE FROM drafts WHERE updated_at < ?');
+// --- Settings statements ---
+const stmtSettingGet = db.prepare('SELECT value FROM settings WHERE token_hash = ? AND key = ?');
+const stmtSettingUpsert = db.prepare(`
+  INSERT INTO settings (token_hash, key, value, updated_at) VALUES (?, ?, ?, ?)
+  ON CONFLICT(token_hash, key) DO UPDATE SET value = excluded.value, updated_at = excluded.updated_at
+`);
+export function getSetting(tokenHash, key) {
+    const row = stmtSettingGet.get(tokenHash, key);
+    return row?.value ?? null;
+}
+export function saveSetting(tokenHash, key, value) {
+    stmtSettingUpsert.run(tokenHash, key, value, Date.now());
+}
+// --- Draft functions ---
+export function getDraft(sessionName) {
+    const row = stmtGet.get(sessionName);
+    return row?.content ?? '';
+}
+export function saveDraft(sessionName, content) {
+    if (!content) {
+        stmtDelete.run(sessionName);
+    }
+    else {
+        stmtUpsert.run(sessionName, content, Date.now());
+    }
+}
+export function deleteDraft(sessionName) {
+    stmtDelete.run(sessionName);
+}
+export function cleanupOldDrafts(maxAgeDays = 7) {
+    const cutoff = Date.now() - maxAgeDays * 24 * 60 * 60 * 1000;
+    const result = stmtCleanup.run(cutoff);
+    return result.changes;
+}
+export function closeDb() {
+    db.close();
+}

package/server/dist/files.d.ts

@@ -0,0 +1,15 @@
+import type { FileEntry } from './types.js';
+export type { FileEntry };
+export declare const MAX_UPLOAD_SIZE: number;
+export declare const MAX_DOWNLOAD_SIZE: number;
+/** List files in a directory, directories first, then alphabetical */
+export declare function listFiles(dirPath: string): Promise<FileEntry[]>;
+/**
+ * Validate and resolve a requested path against a base CWD.
+ * Returns the resolved absolute path, or null if invalid.
+ *
+ * Since users already have full shell access, this mainly prevents
+ * REST API path traversal via encoded sequences like `../../../etc/passwd`.
+ * We resolve the path and ensure it's an absolute path that exists.
+ */
+export declare function validatePath(requested: string, baseCwd: string): Promise<string | null>;