amalgm 0.1.44 → 0.1.47

package/runtime/scripts/fs-watcher.js

@@ -1,923 +0,0 @@
-/**
- * Filesystem Watcher — computer-side WebSocket daemon for real-time FS awareness.
- *
- * Runs on the selected computer on port 8082. The browser can connect directly
- * on this device, or through the preview/tunnel gateway for a remote computer.
- *
- * Features:
- *   - Real-time filesystem change notifications (inotify via fs.watch)
- *   - Request/response operations: list, read, stat, search
- *   - Heartbeat keep-alive (30s ping)
- *   - Multiple concurrent WebSocket clients
- *
- * Protocol (JSON over WebSocket):
- *
- *   Client → Server:
- *     { type: "list",   id: "req-1", path: "/workspace" }
- *     { type: "read",   id: "req-2", path: "/workspace/file.txt" }
- *     { type: "stat",   id: "req-3", path: "/workspace/file.txt" }
- *     { type: "search", id: "req-4", basePath: "/workspace", pattern: "src", maxDepth: 3 }
- *     { type: "pong" }
- *
- *   Server → Client:
- *     { type: "list:result",   id: "req-1", files: [...] }
- *     { type: "read:result",   id: "req-2", content: "..." }
- *     { type: "stat:result",   id: "req-3", stat: {...} }
- *     { type: "search:result", id: "req-4", matches: [...] }
- *     { type: "watch",  event: "change|rename", filename: "file.ts", dir: "/workspace/src" }
- *     { type: "ping" }
- *     { type: "error",  id: "req-1", message: "..." }
- *     { type: "connected" }
- *
- * Dependencies: ws (installed at /opt/ws-dep/node_modules/ws during snapshot build)
- */
-
-const fs = require('fs');
-const path = require('path');
-const http = require('http');
-const { execSync } = require('child_process');
-const {
-  applyRuntimeCors,
-  authorizeRuntimeHttp,
-  isAuthorizedRuntimeRequest,
-  runtimeAuthRequired,
-} = require('./runtime-auth');
-
-// Try to load ws from several possible locations
-let WebSocketServer;
-try {
-  ({ WebSocketServer } = require('/opt/ws-dep/node_modules/ws'));
-} catch {
-  try {
-    ({ WebSocketServer } = require('ws'));
-  } catch {
-    console.error('[FsWatcher] Cannot find ws module. Install with: npm install ws --prefix /opt/ws-dep');
-    process.exit(1);
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Configuration
-// ---------------------------------------------------------------------------
-
-const PORT = parseInt(process.env.FS_WATCHER_PORT || '8082', 10);
-const BIND_HOST = process.env.AMALGM_BIND_HOST || '0.0.0.0';
-const WATCH_ROOT = process.env.FS_WATCHER_ROOT || '/workspace';
-const HEARTBEAT_INTERVAL_MS = 30000;
-const HEARTBEAT_TIMEOUT_MS = 10000;
-const MAX_FILE_READ_SIZE = 10 * 1024 * 1024; // 10MB max file read
-const PORT_POLL_INTERVAL_MS = 2000;
-const AGENT_PORT = parseInt(process.env.SANDBOX_AGENT_PORT || process.env.PORT || '8080', 10);
-const PLATFORM_AGENT_PORT = parseInt(process.env.SANDBOX_AGENT_PLATFORM_PORT || '8085', 10);
-const PORT_MONITOR_PORT = parseInt(process.env.PORT_MONITOR_PORT || '8081', 10);
-const AMALGM_MCP_PORT = parseInt(process.env.AMALGM_MCP_PORT || '8083', 10);
-const CHAT_SERVER_PORT = parseInt(process.env.CHAT_SERVER_PORT || '8084', 10);
-const AMALGM_GATEWAY_PORT = parseInt(process.env.AMALGM_GATEWAY_PORT || '28781', 10);
-const INTERNAL_SERVICE_PORTS = new Set([
-  AGENT_PORT,
-  PLATFORM_AGENT_PORT,
-  PORT_MONITOR_PORT,
-  PORT,
-  AMALGM_MCP_PORT,
-  CHAT_SERVER_PORT,
-  AMALGM_GATEWAY_PORT,
-  4096,
-]);
-const COMMON_DEV_PORTS = new Set([3000, 3001, 3002, 3003, 4000, 4200, 4321, 5000, 5001, 5173, 5174, 6006, 7000, 8000, 8001, 8888]);
-const BLOCKED_PREVIEW_PROCESSES = new Set(['.opencode', 'controlce', 'figma_age', 'figma_agent', 'loom', 'opencode', 'rapportd']);
-const DEV_PREVIEW_PROCESS_RE = /^(node|bun|deno|npm|pnpm|yarn|vite|next|astro|nuxt|svelte|remix|webpack|rspack|parcel|serve|http-server|tsx|python|python3|uvicorn|gunicorn|flask|django|ruby|rails|puma|php|java|go|air|cargo|trunk|dotnet|nginx)$/i;
-const INTERNAL_COMMAND_RE = /(?:^|\s)(?:node(?:-[^\s]+)?\s+)?[^\s]*(?:\/|\\)runtime(?:\/|\\)scripts(?:\/|\\)(?:port-monitor|fs-watcher|chat-server|local-gateway|amalgm-mcp(?:\/|\\)index)\.js(?:\s|$)/i;
-const BLOCKED_COMMAND_RE = /(?:agent-browser|chromium|chrome)(?:\s|$)/i;
-
-function readProcessCommand(pid) {
-  if (!Number.isInteger(pid) || pid <= 0) return '';
-  try {
-    return fs.readFileSync(`/proc/${pid}/cmdline`, 'utf8').replace(/\0/g, ' ').trim();
-  } catch {
-    return '';
-  }
-}
-
-function normalizeProcessName(processName) {
-  const name = String(processName || '').trim().toLowerCase();
-  if (/^node(?:$|[-_])/.test(name)) return 'node';
-  return name;
-}
-
-function publicProcessName(info) {
-  if (!info || typeof info !== 'object') return info || null;
-  return info.processName || null;
-}
-
-function isPreviewablePort(port, processInfo) {
-  if (!Number.isInteger(port) || port < 3000 || port > 65535) return false;
-  if (INTERNAL_SERVICE_PORTS.has(port)) return false;
-  if (port >= 9100 && port <= 9199) return false;
-  const command = typeof processInfo === 'object' && processInfo ? String(processInfo.command || '') : '';
-  if (INTERNAL_COMMAND_RE.test(command) || BLOCKED_COMMAND_RE.test(command)) return false;
-  const name = normalizeProcessName(typeof processInfo === 'object' && processInfo ? processInfo.processName : processInfo);
-  if (BLOCKED_PREVIEW_PROCESSES.has(name) || name.startsWith('figma')) return false;
-  if (!name) return COMMON_DEV_PORTS.has(port);
-  if (DEV_PREVIEW_PROCESS_RE.test(name)) return true;
-  return COMMON_DEV_PORTS.has(port) && name === 'unknown';
-}
-
-const HOME_DIR = process.env.HOME || require('os').homedir();
-const AMALGM_DIR = process.env.AMALGM_DIR || path.join(HOME_DIR, '.amalgm');
-const AUTH_BACKUP_DIR = path.join(AMALGM_DIR, 'auth-configs');
-const AUTH_BACKUP_ENABLED = process.env.AMALGM_AUTH_BACKUP_ENABLED !== 'false';
-const CREATE_AUTH_WATCH_DIRS = process.env.AMALGM_CREATE_AUTH_WATCH_DIRS !== 'false';
-
-// ---------------------------------------------------------------------------
-// Auth status monitoring — watch CLI credential files for real auth state
-// ---------------------------------------------------------------------------
-
-// Maps harnessId → array of paths that prove the user has authenticated.
-// A harness is "authenticated" if ANY of its credential paths exist and are non-empty.
-// Check both HOME_DIR and /root/ — container HOME varies.
-const AUTH_HOME_DIRS = [
-  HOME_DIR,
-  ...(process.platform === 'linux' ? ['/root'] : []),
-].filter((v, i, a) => a.indexOf(v) === i);
-
-const AUTH_CREDENTIAL_PATHS = {
-  claude_code: AUTH_HOME_DIRS.flatMap((h) => [
-    path.join(h, '.claude', '.credentials.json'),
-    path.join(h, '.claude', 'credentials.json'),
-    path.join(h, '.config', 'claude', 'credentials.json'),
-  ]),
-  codex: AUTH_HOME_DIRS.flatMap((h) => [
-    path.join(h, '.codex', 'auth.json'),
-    path.join(h, '.codex', 'credentials.json'),
-  ]),
-  opencode: AUTH_HOME_DIRS.flatMap((h) => [
-    path.join(h, '.local', 'share', 'opencode', 'auth.json'),
-    path.join(h, '.config', 'opencode', 'auth.json'),
-  ]),
-  pi: AUTH_HOME_DIRS.flatMap((h) => [
-    path.join(h, '.pi', 'agent', 'auth.json'),
-  ]),
-  amp: AUTH_HOME_DIRS.flatMap((h) => [
-    path.join(h, '.config', 'amp', 'settings.json'),
-    path.join(h, '.amp', 'config.json'),
-    path.join(h, '.amp', 'auth.json'),
-  ]),
-  cursor: AUTH_HOME_DIRS.flatMap((h) => [
-    path.join(h, '.cursor', 'cli-config.json'),
-    path.join(h, '.cursor', 'credentials.json'),
-    path.join(h, '.config', 'cursor', 'credentials.json'),
-    path.join(h, '.local', 'share', 'cursor-agent', 'auth.json'),
-  ]),
-};
-
-// Directories to watch for auth changes
-const AUTH_WATCH_DIRS = AUTH_HOME_DIRS.flatMap((h) => [
-  path.join(h, '.claude'),
-  path.join(h, '.codex'),
-  path.join(h, '.config', 'claude'),
-  path.join(h, '.config', 'opencode'),
-  path.join(h, '.local', 'share', 'opencode'),
-  path.join(h, '.pi', 'agent'),
-  path.join(h, '.config', 'amp'),
-  path.join(h, '.amp'),
-  path.join(h, '.cursor'),
-  path.join(h, '.config', 'cursor'),
-  path.join(h, '.local', 'share', 'cursor-agent'),
-]);
-
-const AUTH_WATCH_FILES_BY_DIR = new Map();
-for (const credentialPaths of Object.values(AUTH_CREDENTIAL_PATHS)) {
-  for (const credentialPath of credentialPaths) {
-    const dir = path.dirname(credentialPath);
-    const filename = path.basename(credentialPath);
-    const files = AUTH_WATCH_FILES_BY_DIR.get(dir) ?? new Set();
-    files.add(filename);
-    AUTH_WATCH_FILES_BY_DIR.set(dir, files);
-  }
-}
-
-function isAuthCredentialEvent(dir, filename) {
-  if (!filename) return true;
-
-  const files = AUTH_WATCH_FILES_BY_DIR.get(dir);
-  if (!files) return false;
-
-  return files.has(path.basename(String(filename)));
-}
-
-/** @type {Map<string, fs.FSWatcher>} */
-const authWatchers = new Map();
-
-/** Last known auth status per harness (avoids duplicate broadcasts) */
-const lastAuthStatus = new Map();
-
-function checkCursorAuth() {
-  for (const h of AUTH_HOME_DIRS) {
-    const candidates = [
-      path.join(h, '.local', 'bin', 'cursor-agent'),
-      '/usr/local/bin/cursor-agent',
-      'cursor-agent',
-    ];
-
-    for (const executable of candidates) {
-      try {
-        const raw = execSync(`${JSON.stringify(executable)} status`, {
-          encoding: 'utf8',
-          timeout: 3000,
-          stdio: ['ignore', 'pipe', 'ignore'],
-        });
-        if (/logged in|authenticated/i.test(raw) && !/not logged in|not authenticated/i.test(raw)) {
-          return true;
-        }
-      } catch { /* try next executable */ }
-    }
-  }
-  return false;
-}
-
-function checkAuthForHarness(harnessId) {
-  if (harnessId === 'cursor' && checkCursorAuth()) return true;
-
-  const paths = AUTH_CREDENTIAL_PATHS[harnessId];
-  if (!paths) return false;
-
-  for (const p of paths) {
-    try {
-      const stat = fs.statSync(p);
-      if (!stat.isFile() || stat.size === 0) continue;
-
-      // Codex stores both proxy API-key auth and real user auth in auth.json.
-      // Only treat non-apikey auth as provider_auth-ready.
-      if (harnessId === 'codex' && p.endsWith('/auth.json')) {
-        try {
-          const parsed = JSON.parse(fs.readFileSync(p, 'utf8'));
-          if (parsed?.auth_mode && parsed.auth_mode !== 'apikey') return true;
-          continue;
-        } catch {
-          continue;
-        }
-      }
-
-      return true;
-    } catch { /* file doesn't exist */ }
-  }
-  return false;
-}
-
-function getFullAuthStatus() {
-  const status = {};
-  for (const harnessId of Object.keys(AUTH_CREDENTIAL_PATHS)) {
-    status[harnessId] = checkAuthForHarness(harnessId);
-  }
-  return status;
-}
-
-function broadcastAuthStatus() {
-  const status = getFullAuthStatus();
-
-  // Only broadcast if something changed
-  const statusStr = JSON.stringify(status);
-  if (statusStr === lastAuthStatus.get('_all')) return;
-  lastAuthStatus.set('_all', statusStr);
-
-  console.log('[FsWatcher:Auth] Status changed:', status);
-
-  const msg = JSON.stringify({ type: 'auth:status', status, timestamp: Date.now() });
-  for (const ws of clients) {
-    try {
-      if (ws.readyState === 1) ws.send(msg);
-    } catch { /* ignore */ }
-  }
-
-  // Immediately back up auth configs when tokens change (don't wait for 5-min sync)
-  triggerAuthBackup();
-}
-
-function copyAuthBackupFile(source) {
-  const relative = path.relative(HOME_DIR, source);
-  if (relative.startsWith('..') || path.isAbsolute(relative)) return false;
-
-  try {
-    const stat = fs.statSync(source);
-    if (!stat.isFile() || stat.size === 0) return false;
-
-    const backup = path.join(AUTH_BACKUP_DIR, relative);
-    fs.mkdirSync(path.dirname(backup), { recursive: true });
-    fs.copyFileSync(source, backup);
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-function triggerAuthBackup() {
-  if (!AUTH_BACKUP_ENABLED) return;
-
-  try {
-    fs.rmSync(AUTH_BACKUP_DIR, { recursive: true, force: true });
-
-    let copied = 0;
-    const seen = new Set();
-    for (const credentialPaths of Object.values(AUTH_CREDENTIAL_PATHS)) {
-      for (const source of credentialPaths) {
-        if (seen.has(source)) continue;
-        seen.add(source);
-        if (copyAuthBackupFile(source)) copied += 1;
-      }
-    }
-
-    console.log(`[FsWatcher:Auth] Auth configs backed up to ${AUTH_BACKUP_DIR} (${copied} file${copied === 1 ? '' : 's'})`);
-  } catch (err) {
-    console.error('[FsWatcher:Auth] Backup failed:', err.message);
-  }
-}
-
-/** Debounce auth checks — credential writes can touch multiple files rapidly */
-let authCheckTimer = null;
-function scheduleAuthCheck() {
-  if (authCheckTimer) clearTimeout(authCheckTimer);
-  authCheckTimer = setTimeout(() => {
-    authCheckTimer = null;
-    broadcastAuthStatus();
-  }, 500);
-}
-
-function startAuthWatching() {
-  for (const dir of AUTH_WATCH_DIRS) {
-    if (authWatchers.has(dir)) continue;
-
-    if (CREATE_AUTH_WATCH_DIRS) {
-      // Container snapshots opt into this so auth directories can be watched
-      // before a CLI creates them. The npm runtime leaves user homes untouched.
-      try { fs.mkdirSync(dir, { recursive: true }); } catch {}
-    } else if (!fs.existsSync(dir)) {
-      continue;
-    }
-
-    try {
-      const watcher = fs.watch(dir, { recursive: false }, (eventType, filename) => {
-        if (!isAuthCredentialEvent(dir, filename)) return;
-        console.log(`[FsWatcher:Auth] ${eventType} in ${dir}: ${filename}`);
-        scheduleAuthCheck();
-      });
-
-      watcher.on('error', (err) => {
-        console.error(`[FsWatcher:Auth] Watch error on ${dir}:`, err.message);
-        authWatchers.delete(dir);
-        // Retry after a delay
-        setTimeout(() => startAuthWatching(), 5000);
-      });
-
-      authWatchers.set(dir, watcher);
-      console.log(`[FsWatcher:Auth] Watching ${dir}`);
-    } catch (err) {
-      console.error(`[FsWatcher:Auth] Cannot watch ${dir}:`, err.message);
-    }
-  }
-
-  // Initial status check
-  broadcastAuthStatus();
-}
-
-// Extensions that should always be read as UTF-8 text
-const TEXT_EXTENSIONS = new Set([
-  'txt', 'md', 'json', 'js', 'ts', 'tsx', 'jsx', 'py', 'html', 'css',
-  'xml', 'yaml', 'yml', 'sh', 'bash', 'env', 'gitignore', 'dockerfile',
-  'svg', 'csv', 'sql', 'toml', 'rs', 'go', 'rb', 'java', 'kt', 'swift',
-  'c', 'cpp', 'cs', 'php', 'scss', 'log', 'ini', 'cfg', 'conf', 'tsv',
-  'makefile', 'cmake', 'gradle', 'properties', 'lock', 'editorconfig',
-  'dockerignore', 'zsh',
-]);
-
-// ---------------------------------------------------------------------------
-// Active clients
-// ---------------------------------------------------------------------------
-
-/** @type {Set<import('ws').WebSocket>} */
-const clients = new Set();
-
-// ---------------------------------------------------------------------------
-// Filesystem watcher
-// ---------------------------------------------------------------------------
-
-/** @type {Map<string, fs.FSWatcher>} */
-const watchers = new Map();
-
-function isSameOrChildPath(candidate, root) {
-  const relative = path.relative(root, candidate);
-  return relative === '' || (!!relative && !relative.startsWith('..') && !path.isAbsolute(relative));
-}
-
-function getWatchRoots() {
-  const roots = [];
-
-  for (const rawRoot of [WATCH_ROOT, AMALGM_DIR]) {
-    const root = path.resolve(rawRoot);
-    if (roots.some((existingRoot) => isSameOrChildPath(root, existingRoot))) continue;
-    roots.push(root);
-  }
-
-  return roots;
-}
-
-function startWatching() {
-  try {
-    fs.mkdirSync(AMALGM_DIR, { recursive: true });
-  } catch { /* best effort */ }
-
-  for (const root of getWatchRoots()) {
-    watchDirectory(root);
-    console.log(`[FsWatcher] Watching ${root}`);
-  }
-}
-
-function watchDirectory(dirPath) {
-  if (watchers.has(dirPath)) return;
-
-  try {
-    // Use recursive watching if supported (Linux kernel 5.9+ with inotify)
-    const watcher = fs.watch(dirPath, { recursive: true }, (eventType, filename) => {
-      if (!filename) return;
-
-      // Detect git HEAD changes in split-gitdir layout (.gitdirs/<repo>/HEAD)
-      if (filename.match(/^\.gitdirs\/[^/]+\/HEAD$/)) {
-        const fullPath = path.join(dirPath, filename);
-        const repoName = filename.split('/')[1];
-        broadcastGitBranchChange(fullPath, `/workspace/${repoName}`);
-        return;
-      }
-
-      // Skip hidden/temp files (allow .amalgm for internal platform data)
-      if (filename.startsWith('.') && filename !== '.env' && filename !== '.gitignore' && !filename.startsWith('.amalgm')) return;
-      if (filename.includes('node_modules')) return;
-      if (filename.includes('.git/')) return;
-
-      const fullPath = path.join(dirPath, filename);
-      broadcastFsEvent(eventType, filename, dirPath, fullPath);
-    });
-
-    watcher.on('error', (err) => {
-      console.error(`[FsWatcher] Watch error on ${dirPath}:`, err.message);
-      watchers.delete(dirPath);
-    });
-
-    watchers.set(dirPath, watcher);
-  } catch (err) {
-    // Recursive watching not supported — fall back to non-recursive
-    try {
-      const watcher = fs.watch(dirPath, (eventType, filename) => {
-        if (!filename) return;
-        if ((filename.startsWith('.') && !filename.startsWith('.amalgm')) || filename === 'node_modules') return;
-
-        const fullPath = path.join(dirPath, filename);
-        broadcastFsEvent(eventType, filename, dirPath, fullPath);
-
-        // If a new directory was created, watch it too
-        try {
-          if (fs.statSync(fullPath).isDirectory()) {
-            watchDirectory(fullPath);
-          }
-        } catch { /* file may have been deleted */ }
-      });
-
-      watcher.on('error', () => {
-        watchers.delete(dirPath);
-      });
-
-      watchers.set(dirPath, watcher);
-
-      // Watch subdirectories
-      try {
-        const entries = fs.readdirSync(dirPath, { withFileTypes: true });
-        for (const entry of entries) {
-          if (entry.isDirectory() && (!entry.name.startsWith('.') || entry.name.startsWith('.amalgm')) && entry.name !== 'node_modules') {
-            watchDirectory(path.join(dirPath, entry.name));
-          }
-        }
-      } catch { /* permission denied */ }
-    } catch (err2) {
-      console.error(`[FsWatcher] Cannot watch ${dirPath}:`, err2.message);
-    }
-  }
-}
-
-function broadcastGitBranchChange(headPath, projectPath) {
-  if (clients.size === 0) return;
-
-  try {
-    const content = fs.readFileSync(headPath, 'utf-8').trim();
-    // HEAD is either "ref: refs/heads/<branch>" or a raw commit hash
-    const refMatch = content.match(/^ref: refs\/heads\/(.+)$/);
-    const branch = refMatch ? refMatch[1] : content.slice(0, 7); // short hash if detached
-
-    const msg = JSON.stringify({
-      type: 'git:branch-change',
-      branch,
-      projectPath,
-      detached: !refMatch,
-      timestamp: Date.now(),
-    });
-
-    for (const ws of clients) {
-      try {
-        if (ws.readyState === 1) ws.send(msg);
-      } catch { /* ignore */ }
-    }
-  } catch { /* HEAD file may be mid-write */ }
-}
-
-function broadcastFsEvent(eventType, filename, dir, fullPath) {
-  if (clients.size === 0) return;
-
-  // Determine if path still exists
-  let exists = true;
-  let isDir = false;
-  try {
-    const stat = fs.statSync(fullPath);
-    isDir = stat.isDirectory();
-  } catch {
-    exists = false;
-  }
-
-  const msg = JSON.stringify({
-    type: 'watch',
-    event: eventType, // 'change' or 'rename'
-    filename,
-    dir,
-    fullPath,
-    exists,
-    isDir,
-    timestamp: Date.now(),
-  });
-
-  for (const ws of clients) {
-    try {
-      if (ws.readyState === 1) { // OPEN
-        ws.send(msg);
-      }
-    } catch { /* ignore */ }
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Request handlers
-// ---------------------------------------------------------------------------
-
-async function handleMessage(ws, raw) {
-  let msg;
-  try {
-    msg = JSON.parse(raw);
-  } catch {
-    sendError(ws, null, 'Invalid JSON');
-    return;
-  }
-
-  const { type, id } = msg;
-
-  switch (type) {
-    case 'pong':
-      ws._lastPong = Date.now();
-      return;
-
-    case 'list':
-      return handleList(ws, id, msg.path);
-
-    case 'read':
-      return handleRead(ws, id, msg.path);
-
-    case 'stat':
-      return handleStat(ws, id, msg.path);
-
-    case 'search':
-      return handleSearch(ws, id, msg.basePath, msg.pattern, msg.maxDepth);
-
-    case 'auth:check':
-      return handleAuthCheck(ws, id);
-
-    default:
-      sendError(ws, id, `Unknown message type: ${type}`);
-  }
-}
-
-function handleList(ws, id, dirPath) {
-  if (!dirPath) {
-    sendError(ws, id, 'path is required');
-    return;
-  }
-
-  try {
-    const entries = fs.readdirSync(dirPath, { withFileTypes: true });
-    const files = entries.map((entry) => {
-      const fullPath = path.join(dirPath, entry.name);
-      let size = 0;
-      let modTime = null;
-      try {
-        const stat = fs.statSync(fullPath);
-        size = stat.size;
-        modTime = stat.mtime.toISOString();
-      } catch { /* permission denied */ }
-
-      return {
-        name: entry.name,
-        isDir: entry.isDirectory(),
-        size,
-        modTime,
-      };
-    });
-
-    sendJson(ws, { type: 'list:result', id, files });
-  } catch (err) {
-    sendError(ws, id, `Failed to list ${dirPath}: ${err.message}`);
-  }
-}
-
-function handleRead(ws, id, filePath) {
-  if (!filePath) {
-    sendError(ws, id, 'path is required');
-    return;
-  }
-
-  try {
-    const stat = fs.statSync(filePath);
-    if (stat.size > MAX_FILE_READ_SIZE) {
-      sendError(ws, id, `File too large (${stat.size} bytes, max ${MAX_FILE_READ_SIZE})`);
-      return;
-    }
-
-    const ext = path.extname(filePath).slice(1).toLowerCase();
-    // Also treat extensionless dotfiles and known text files as text
-    const isText = TEXT_EXTENSIONS.has(ext) || ext === '' || stat.size === 0;
-
-    if (isText) {
-      const content = fs.readFileSync(filePath, 'utf-8');
-      sendJson(ws, { type: 'read:result', id, content, size: stat.size, encoding: 'utf-8' });
-    } else {
-      const buffer = fs.readFileSync(filePath);
-      const content = buffer.toString('base64');
-      sendJson(ws, { type: 'read:result', id, content, size: stat.size, encoding: 'base64' });
-    }
-  } catch (err) {
-    sendError(ws, id, `Failed to read ${filePath}: ${err.message}`);
-  }
-}
-
-function handleStat(ws, id, filePath) {
-  if (!filePath) {
-    sendError(ws, id, 'path is required');
-    return;
-  }
-
-  try {
-    const stat = fs.statSync(filePath);
-    sendJson(ws, {
-      type: 'stat:result',
-      id,
-      stat: {
-        size: stat.size,
-        isDir: stat.isDirectory(),
-        isFile: stat.isFile(),
-        modTime: stat.mtime.toISOString(),
-        createTime: stat.birthtime.toISOString(),
-        mode: stat.mode,
-      },
-    });
-  } catch (err) {
-    sendError(ws, id, `Failed to stat ${filePath}: ${err.message}`);
-  }
-}
-
-function handleSearch(ws, id, basePath, pattern, maxDepth) {
-  if (!basePath || !pattern) {
-    sendError(ws, id, 'basePath and pattern are required');
-    return;
-  }
-
-  const depth = Math.min(maxDepth || 3, 5);
-
-  try {
-    // Use find command for efficient directory search
-    const cmd = `find ${JSON.stringify(basePath)} -maxdepth ${depth} -type d -iname '*${pattern.replace(/'/g, "\\'")}*' 2>/dev/null | head -50`;
-    const output = execSync(cmd, { encoding: 'utf-8', timeout: 5000 });
-    const matches = output.trim().split('\n').filter(Boolean);
-    sendJson(ws, { type: 'search:result', id, matches });
-  } catch (err) {
-    // find may fail or timeout — return empty
-    sendJson(ws, { type: 'search:result', id, matches: [] });
-  }
-}
-
-function handleAuthCheck(ws, id) {
-  const status = getFullAuthStatus();
-  sendJson(ws, { type: 'auth:check:result', id, status, timestamp: Date.now() });
-}
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-function sendJson(ws, obj) {
-  try {
-    if (ws.readyState === 1) {
-      ws.send(JSON.stringify(obj));
-    }
-  } catch { /* ignore */ }
-}
-
-function sendError(ws, id, message) {
-  sendJson(ws, { type: 'error', id, message });
-}
-
-// ---------------------------------------------------------------------------
-// Port monitoring (integrated — same logic as port-monitor.js but over WS)
-// ---------------------------------------------------------------------------
-
-/** @type {Map<number, string|null>} port -> processName */
-const knownPorts = new Map();
-
-function broadcastPortEvent(event) {
-  if (clients.size === 0) return;
-  const msg = JSON.stringify(event);
-  for (const ws of clients) {
-    try {
-      if (ws.readyState === 1) ws.send(msg);
-    } catch { /* ignore */ }
-  }
-}
-
-function getListeningPorts() {
-  /** @type {Map<number, { processName: string|null, pid: number|null, command: string }>} */
-  const currentPorts = new Map();
-
-  if (process.platform === 'darwin') {
-    const output = execSync('lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null', { encoding: 'utf-8' });
-    const lines = output.split('\n').slice(1);
-
-    for (const line of lines) {
-      const trimmed = line.trim();
-      if (!trimmed) continue;
-      const match = trimmed.match(/^(\S+)\s+(\d+)\s+.+\sTCP\s+.+:(\d+)\s+\(LISTEN\)$/);
-      if (!match) continue;
-      currentPorts.set(parseInt(match[3], 10), {
-        processName: match[1] || null,
-        pid: parseInt(match[2], 10),
-        command: '',
-      });
-    }
-
-    return currentPorts;
-  }
-
-  const output = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', { encoding: 'utf-8' });
-  const lines = output.split('\n');
-
-  for (const line of lines) {
-    const portMatch = line.match(/:(\d+)\s+/);
-    if (!portMatch) continue;
-
-    let processName = null;
-    const procMatch = line.match(/users:\(\("([^"]+)"/) || line.match(/\/([^\s/]+)\s*$/);
-    if (procMatch) processName = procMatch[1];
-    const pidMatch = line.match(/pid=(\d+)/);
-    const pid = pidMatch ? parseInt(pidMatch[1], 10) : null;
-
-    currentPorts.set(parseInt(portMatch[1], 10), {
-      processName,
-      pid,
-      command: pid ? readProcessCommand(pid) : '',
-    });
-  }
-
-  return currentPorts;
-}
-
-function checkPorts() {
-  try {
-    const currentPorts = getListeningPorts();
-
-    for (const [port, processInfo] of currentPorts) {
-      if (!isPreviewablePort(port, processInfo)) {
-        currentPorts.delete(port);
-      }
-    }
-
-    // Detect newly opened ports
-    for (const [port, processInfo] of currentPorts) {
-      if (!knownPorts.has(port)) {
-        knownPorts.set(port, processInfo);
-        const processName = publicProcessName(processInfo);
-        console.log(`[FsWatcher:Ports] Port opened: ${port} (${processName || 'unknown'})`);
-        broadcastPortEvent({ type: 'port', event: 'opened', port, processName, timestamp: Date.now() });
-      }
-    }
-
-    // Detect closed ports
-    for (const [port] of knownPorts) {
-      if (!currentPorts.has(port)) {
-        knownPorts.delete(port);
-        console.log(`[FsWatcher:Ports] Port closed: ${port}`);
-        broadcastPortEvent({ type: 'port', event: 'closed', port, timestamp: Date.now() });
-      }
-    }
-  } catch { /* ss may not be available */ }
-}
-
-// Start port polling
-setInterval(checkPorts, PORT_POLL_INTERVAL_MS);
-setTimeout(checkPorts, 1000); // Initial check after 1s
-
-// ---------------------------------------------------------------------------
-// HTTP server + WebSocket
-// ---------------------------------------------------------------------------
-
-const httpServer = http.createServer((req, res) => {
-  applyRuntimeCors(req, res, { methods: 'GET, OPTIONS' });
-
-  const url = new URL(req.url, `http://localhost:${PORT}`);
-
-  if (url.pathname === '/healthz' || url.pathname === '/') {
-    res.writeHead(200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({
-      status: 'ok',
-      clients: clients.size,
-      watchRoot: WATCH_ROOT,
-      watchers: watchers.size,
-      openPorts: [...knownPorts.entries()].map(([port, processName]) => ({ port, processName })),
-    }));
-    return;
-  }
-
-  // HTTP endpoint for auth status — faster than waiting for WS connect
-  if (url.pathname === '/auth/status') {
-    if (!authorizeRuntimeHttp(req, res, { methods: 'GET, OPTIONS' })) return;
-    res.writeHead(200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ status: getFullAuthStatus(), timestamp: Date.now() }));
-    return;
-  }
-
-  res.writeHead(404);
-  res.end('Not found');
-});
-
-const wss = new WebSocketServer({
-  server: httpServer,
-  verifyClient(info, done) {
-    if (!runtimeAuthRequired() || isAuthorizedRuntimeRequest(info.req)) {
-      done(true);
-      return;
-    }
-    done(false, 401, 'Unauthorized');
-  },
-});
-
-wss.on('connection', (ws, req) => {
-  console.log(`[FsWatcher] Client connected (total: ${clients.size + 1})`);
-  clients.add(ws);
-  ws._lastPong = Date.now();
-
-  // Send connected confirmation + current open ports + auth status
-  sendJson(ws, { type: 'connected', watchRoot: WATCH_ROOT });
-  if (knownPorts.size > 0) {
-    sendJson(ws, {
-      type: 'port_init',
-      ports: [...knownPorts.entries()].map(([port, processName]) => ({ port, processName })),
-    });
-  }
-  // Send current auth status immediately on connect
-  sendJson(ws, { type: 'auth:status', status: getFullAuthStatus(), timestamp: Date.now() });
-
-  // Heartbeat
-  const heartbeat = setInterval(() => {
-    if (Date.now() - ws._lastPong > HEARTBEAT_INTERVAL_MS + HEARTBEAT_TIMEOUT_MS) {
-      console.log('[FsWatcher] Client heartbeat timeout, disconnecting');
-      ws.terminate();
-      return;
-    }
-    sendJson(ws, { type: 'ping' });
-  }, HEARTBEAT_INTERVAL_MS);
-
-  ws.on('message', (raw) => {
-    handleMessage(ws, raw.toString());
-  });
-
-  ws.on('close', () => {
-    console.log(`[FsWatcher] Client disconnected (remaining: ${clients.size - 1})`);
-    clients.delete(ws);
-    clearInterval(heartbeat);
-  });
-
-  ws.on('error', (err) => {
-    console.error('[FsWatcher] Client error:', err.message);
-    clients.delete(ws);
-    clearInterval(heartbeat);
-  });
-});
-
-// ---------------------------------------------------------------------------
-// Start
-// ---------------------------------------------------------------------------
-
-httpServer.listen(PORT, BIND_HOST, () => {
-  console.log(`[FsWatcher] Listening on ${BIND_HOST}:${PORT} (ws + http)`);
-  startWatching();
-  startAuthWatching();
-});