aws-runtime-bridge 1.0.1 → 1.0.3

package/README.md

@@ -30,10 +30,9 @@ aws-bridge
 ```
 
 `aws-runtime-bridge` 命令仍作为兼容别名保留。安装 `aws-runtime-bridge` 后，包内会随附
-`aws-client-agent-mcp` 的编译产物；bridge 启动时会自动准备该 MCP，并在 **Claude Code SDK 模式**
-启动 Agent 时默认注入名为 `aws-mcp` 的 MCP Server。
+`aws-client-agent-mcp` 的编译产物；bridge 启动时只负责准备该 MCP 产物，不再在 Agent 启动时默认动态注入 `aws-mcp`。
 
-> 当前 `Codex` SDK 不支持和 Claude Code 相同的动态 `extraMcpServers` 注入；如果使用 Codex，需走其原生 MCP 配置持久化链路。
+请在面板中为目标运行时安装/配置 MCP；这样 Claude Code、Codex、OpenCode、PTY 等不同启动模式都走一致的持久化 MCP 配置链路。
 
 如需使用自定义 MCP 可执行文件，可设置：
 

package/dist/config.d.ts

@@ -67,7 +67,7 @@ export declare const AUTO_REGISTER_PROJECT_NAME: string;
 export declare const AUTO_REGISTER_ROLE_NAME: string;
 /** 工作空间路径 */
 export declare const AUTO_REGISTER_WORKSPACE_PATH: string;
-/** 虚拟 IP（EasyTier） */
+/** 注册 IP（优先），兼容 EasyTier 虚拟 IP */
 export declare const AUTO_REGISTER_VIRTUAL_IP: string;
 /** 注册重试次数 */
 export declare const AUTO_REGISTER_MAX_RETRIES: number;

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,WAAW;AACX,eAAO,MAAM,IAAI,EAAE,MAA6D,CAAC;AAEjF,gBAAgB;AAChB,eAAO,MAAM,gBAAgB,EAAE,MAA8E,CAAC;AAE9G,oBAAoB;AACpB,eAAO,MAAM,8BAA8B,gCAAgC,CAAC;AAE5E,cAAc;AACd,eAAO,MAAM,OAAO,EAAE,MAA8C,CAAC;AAErE,kBAAkB;AAClB,eAAO,MAAM,YAAY,EAAE,MAAiF,CAAC;AAE7G,2BAA2B;AAC3B,eAAO,MAAM,wBAAwB,EAAE,OAAgE,CAAC;AAExG,oCAAoC;AACpC,eAAO,MAAM,oBAAoB,EAAE,OAA4D,CAAC;AAEhG,8BAA8B;AAC9B,eAAO,MAAM,kBAAkB,EAAE,MAAM,EAKC,CAAC;AAEzC,uBAAuB;AACvB,wBAAgB,uBAAuB,IAAI,IAAI,CAU9C;AAED,eAAe;AACf,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,8CAA8C;AAC9C,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED,2BAA2B;AAC3B,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAGlE;AAED,0BAA0B;AAC1B,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED,yBAAyB;AACzB,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAGjE;AAED,sBAAsB;AACtB,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED,4BAA4B;AAC5B,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAGhE;AAED;;GAEG;AAEH,yBAAyB;AACzB,eAAO,MAAM,oBAAoB,QAAwD,CAAC;AAE1F,0CAA0C;AAC1C,eAAO,MAAM,sBAAsB,EAA0D,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEzH,eAAe;AACf,eAAO,MAAM,mBAAmB,SAAkD,CAAC;AAEnF,iCAAiC;AACjC,eAAO,MAAM,2BAA2B,QAAgE,CAAC;AAEzG,0CAA0C;AAC1C,eAAO,MAAM,oBAAoB,QAAsD,CAAC;AAExF,qCAAqC;AACrC,eAAO,MAAM,uBAAuB,QAA0D,CAAC;AAE/F;;GAEG;AAEH,eAAe;AACf,eAAO,MAAM,qBAAqB,SAA2C,CAAC;AAE9E,YAAY;AACZ,eAAO,MAAM,uBAAuB,QAAkC,CAAC;AAEvE,iBAAiB;AACjB,eAAO,MAAM,sBAAsB,QAAiC,CAAC;AAErE,oBAAoB;AACpB,eAAO,MAAM,2BAA2B,QAAsC,CAAC;AAE/E,WAAW;AACX,eAAO,MAAM,0BAA0B,QAAqC,CAAC;AAE7E,WAAW;AACX,eAAO,MAAM,uBAAuB,QAAkC,CAAC;AAEvE,aAAa;AACb,eAAO,MAAM,4BAA4B,QAAuC,CAAC;AAEjF,sBAAsB;AACtB,eAAO,MAAM,wBAAwB,QAAmC,CAAC;AAEzE,aAAa;AACb,eAAO,MAAM,yBAAyB,QAAoD,CAAC;AAE3F,iBAAiB;AACjB,eAAO,MAAM,4BAA4B,QAA0D,CAAC"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,WAAW;AACX,eAAO,MAAM,IAAI,EAAE,MAElB,CAAC;AAEF,gBAAgB;AAChB,eAAO,MAAM,gBAAgB,EAAE,MACwC,CAAC;AAExE,oBAAoB;AACpB,eAAO,MAAM,8BAA8B,gCAAgC,CAAC;AAE5E,cAAc;AACd,eAAO,MAAM,OAAO,EAAE,MAA8C,CAAC;AAErE,kBAAkB;AAClB,eAAO,MAAM,YAAY,EAAE,MAC+C,CAAC;AAE3E,2BAA2B;AAC3B,eAAO,MAAM,wBAAwB,EAAE,OACiB,CAAC;AAEzD,oCAAoC;AACpC,eAAO,MAAM,oBAAoB,EAAE,OACiB,CAAC;AAErD,8BAA8B;AAC9B,eAAO,MAAM,kBAAkB,EAAE,MAAM,EAMC,CAAC;AAEzC,uBAAuB;AACvB,wBAAgB,uBAAuB,IAAI,IAAI,CAc9C;AAED,eAAe;AACf,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,8CAA8C;AAC9C,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAK/D;AAED,2BAA2B;AAC3B,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAKlE;AAED,0BAA0B;AAC1B,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAK9D;AAED,yBAAyB;AACzB,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAKjE;AAED,sBAAsB;AACtB,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAK9D;AAED,4BAA4B;AAC5B,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAKhE;AAED;;GAEG;AAEH,yBAAyB;AACzB,eAAO,MAAM,oBAAoB,QAEhC,CAAC;AAEF,0CAA0C;AAC1C,eAAO,MAAM,sBAAsB,EACrB,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;AAE1C,eAAe;AACf,eAAO,MAAM,mBAAmB,SACiB,CAAC;AAElD,iCAAiC;AACjC,eAAO,MAAM,2BAA2B,QAEvC,CAAC;AAEF,0CAA0C;AAC1C,eAAO,MAAM,oBAAoB,QAEhC,CAAC;AAEF,qCAAqC;AACrC,eAAO,MAAM,uBAAuB,QAEnC,CAAC;AAEF;;GAEG;AAEH,eAAe;AACf,eAAO,MAAM,qBAAqB,SAA2C,CAAC;AAE9E,YAAY;AACZ,eAAO,MAAM,uBAAuB,QAAkC,CAAC;AAEvE,iBAAiB;AACjB,eAAO,MAAM,sBAAsB,QAAiC,CAAC;AAErE,oBAAoB;AACpB,eAAO,MAAM,2BAA2B,QAAsC,CAAC;AAE/E,WAAW;AACX,eAAO,MAAM,0BAA0B,QAAqC,CAAC;AAE7E,WAAW;AACX,eAAO,MAAM,uBAAuB,QAAkC,CAAC;AAEvE,aAAa;AACb,eAAO,MAAM,4BAA4B,QACH,CAAC;AAEvC,kCAAkC;AAClC,eAAO,MAAM,wBAAwB,QAC4B,CAAC;AAElE,aAAa;AACb,eAAO,MAAM,yBAAyB,QAErC,CAAC;AAEF,iBAAiB;AACjB,eAAO,MAAM,4BAA4B,QAExC,CAAC"}

package/dist/config.js

@@ -3,71 +3,73 @@
  *
  * 集中管理所有环境变量和配置常量
  */
-import os from 'node:os';
-import path from 'node:path';
-import { logger } from './utils/logger.js';
+import os from "node:os";
+import path from "node:path";
+import { logger } from "./utils/logger.js";
 /** 服务端口 */
 export const port = Number(process.env.AWS_RUNTIME_BRIDGE_PORT || 18081);
 /** 调度器基础 URL */
-export const schedulerBaseUrl = process.env.AWS_RUNTIME_SCHEDULER_BASE_URL || 'http://localhost:8080';
+export const schedulerBaseUrl = process.env.AWS_RUNTIME_SCHEDULER_BASE_URL || "http://localhost:8080";
 /** 默认运行时回调 Token */
-export const DEFAULT_RUNTIME_CALLBACK_TOKEN = 'agentswork-runtime-callback';
+export const DEFAULT_RUNTIME_CALLBACK_TOKEN = "agentswork-runtime-callback";
 /** Node 环境 */
-export const nodeEnv = process.env.NODE_ENV || 'development';
+export const nodeEnv = process.env.NODE_ENV || "development";
 /** 运行时回调 Token */
 export const runtimeToken = process.env.AWS_RUNTIME_CALLBACK_TOKEN || DEFAULT_RUNTIME_CALLBACK_TOKEN;
 /** 是否显式允许本地开发使用默认 Token */
-export const allowDefaultRuntimeToken = process.env.AWS_ALLOW_DEFAULT_RUNTIME_TOKEN === 'true';
+export const allowDefaultRuntimeToken = process.env.AWS_ALLOW_DEFAULT_RUNTIME_TOKEN === "true";
 /** 是否允许浏览宿主机任意目录（默认关闭，仅建议本地排障启用） */
-export const allowHostFileBrowser = process.env.AWS_ALLOW_HOST_FILE_BROWSER === 'true';
+export const allowHostFileBrowser = process.env.AWS_ALLOW_HOST_FILE_BROWSER === "true";
 /** CORS 允许来源列表，默认仅允许本机开发前端 */
-export const allowedCorsOrigins = String(process.env.AWS_RUNTIME_CORS_ORIGINS || 'http://localhost:3000,http://127.0.0.1:3000,http://localhost:5173,http://127.0.0.1:5173')
-    .split(',')
+export const allowedCorsOrigins = String(process.env.AWS_RUNTIME_CORS_ORIGINS ||
+    "http://localhost:3000,http://127.0.0.1:3000,http://localhost:5173,http://127.0.0.1:5173")
+    .split(",")
     .map((origin) => origin.trim())
     .filter((origin) => origin.length > 0);
 /** 验证生产环境必须设置 Token */
 export function validateProductionToken() {
     if (!process.env.AWS_RUNTIME_CALLBACK_TOKEN) {
-        if (nodeEnv === 'production' || !allowDefaultRuntimeToken) {
-            throw new Error('[runtime-bridge] AWS_RUNTIME_CALLBACK_TOKEN must be set. ' +
-                'For isolated local development only, set AWS_ALLOW_DEFAULT_RUNTIME_TOKEN=true.');
+        if (allowDefaultRuntimeToken) {
+            logger.warn("[runtime-bridge] AWS_RUNTIME_CALLBACK_TOKEN not set, using default development token");
+            return;
         }
-        logger.warn('[runtime-bridge] AWS_RUNTIME_CALLBACK_TOKEN not set, using default development token');
+        logger.info("[runtime-bridge] AWS_RUNTIME_CALLBACK_TOKEN not set; starting in unpaired mode. " +
+            "Sensitive APIs require a panel/server issued runtime access token after pairing.");
     }
 }
 /** 获取运行时主目录 */
 export function getRuntimeHomeDir() {
-    return String(process.env.AWS_RUNTIME_HOME_DIR || '').trim() || os.homedir();
+    return String(process.env.AWS_RUNTIME_HOME_DIR || "").trim() || os.homedir();
 }
 /** 获取 Claude 配置文件路径（AI 配置写入 settings.json） */
 export function getClaudeConfigFile(runtimeHome) {
-    return String(process.env.AWS_RUNTIME_CLAUDE_CONFIG_FILE || '').trim()
-        || path.join(runtimeHome, '.claude', 'settings.json');
+    return (String(process.env.AWS_RUNTIME_CLAUDE_CONFIG_FILE || "").trim() ||
+        path.join(runtimeHome, ".claude", "settings.json"));
 }
 /** 获取 Claude MCP 配置文件路径 */
 export function getClaudeMcpConfigFile(runtimeHome) {
-    return String(process.env.AWS_RUNTIME_CLAUDE_MCP_CONFIG_FILE || '').trim()
-        || path.join(runtimeHome, '.claude.json');
+    return (String(process.env.AWS_RUNTIME_CLAUDE_MCP_CONFIG_FILE || "").trim() ||
+        path.join(runtimeHome, ".claude.json"));
 }
 /** 获取 Claude Skills 目录 */
 export function getClaudeSkillsDir(runtimeHome) {
-    return String(process.env.AWS_RUNTIME_CLAUDE_SKILLS_DIR || '').trim()
-        || path.join(runtimeHome, '.claude', 'skills');
+    return (String(process.env.AWS_RUNTIME_CLAUDE_SKILLS_DIR || "").trim() ||
+        path.join(runtimeHome, ".claude", "skills"));
 }
 /** 获取 OpenCode 配置文件路径 */
 export function getOpencodeConfigFile(runtimeHome) {
-    return String(process.env.AWS_RUNTIME_OPENCODE_CONFIG_FILE || '').trim()
-        || path.join(runtimeHome, '.config', 'opencode', 'opencode.json');
+    return (String(process.env.AWS_RUNTIME_OPENCODE_CONFIG_FILE || "").trim() ||
+        path.join(runtimeHome, ".config", "opencode", "opencode.json"));
 }
 /** 获取 Codex 配置文件路径 */
 export function getCodexConfigFile(runtimeHome) {
-    return String(process.env.AWS_RUNTIME_CODEX_CONFIG_FILE || '').trim()
-        || path.join(runtimeHome, '.codex', 'config.toml');
+    return (String(process.env.AWS_RUNTIME_CODEX_CONFIG_FILE || "").trim() ||
+        path.join(runtimeHome, ".codex", "config.toml"));
 }
 /** 获取 OpenCode Skills 目录 */
 export function getOpencodeSkillsDir(runtimeHome) {
-    return String(process.env.AWS_RUNTIME_OPENCODE_SKILLS_DIR || '').trim()
-        || path.join(runtimeHome, '.opencode', 'skills');
+    return (String(process.env.AWS_RUNTIME_OPENCODE_SKILLS_DIR || "").trim() ||
+        path.join(runtimeHome, ".opencode", "skills"));
 }
 /**
  * 孤儿进程监控配置
@@ -75,9 +77,10 @@ export function getOpencodeSkillsDir(runtimeHome) {
 /** 定期扫描间隔（毫秒），默认 30 秒 */
 export const ORPHAN_SCAN_INTERVAL = Number(process.env.AWS_ORPHAN_SCAN_INTERVAL || 30000);
 /** 自动清理模式: 'auto' | 'alert' | 'manual' */
-export const ORPHAN_AUTO_CLEAN_MODE = (process.env.AWS_ORPHAN_AUTO_CLEAN_MODE || 'alert');
+export const ORPHAN_AUTO_CLEAN_MODE = (process.env.AWS_ORPHAN_AUTO_CLEAN_MODE ||
+    "alert");
 /** 是否启用定期扫描 */
-export const ORPHAN_SCAN_ENABLED = process.env.AWS_ORPHAN_SCAN_ENABLED !== 'false';
+export const ORPHAN_SCAN_ENABLED = process.env.AWS_ORPHAN_SCAN_ENABLED !== "false";
 /** 健康检测：进程最大无响应时间（毫秒），默认 5 分钟 */
 export const ORPHAN_UNRESPONSIVE_TIMEOUT = Number(process.env.AWS_ORPHAN_UNRESPONSIVE_TIMEOUT || 300000);
 /** 健康检测：CPU 使用率阈值（百分比），超过则认为卡死，默认 100% */
@@ -88,21 +91,21 @@ export const ORPHAN_MEMORY_THRESHOLD = Number(process.env.AWS_ORPHAN_MEMORY_THRE
  * 自动注册配置
  */
 /** 是否启用自动注册 */
-export const AUTO_REGISTER_ENABLED = process.env.AWS_AUTO_REGISTER === 'true';
+export const AUTO_REGISTER_ENABLED = process.env.AWS_AUTO_REGISTER === "true";
 /** 租户 ID */
-export const AUTO_REGISTER_TENANT_ID = process.env.AWS_TENANT_ID || '';
+export const AUTO_REGISTER_TENANT_ID = process.env.AWS_TENANT_ID || "";
 /** 用户 API Key */
-export const AUTO_REGISTER_USER_KEY = process.env.AWS_USER_KEY || '';
+export const AUTO_REGISTER_USER_KEY = process.env.AWS_USER_KEY || "";
 /** 实例名称（默认使用主机名） */
-export const AUTO_REGISTER_INSTANCE_NAME = process.env.AWS_INSTANCE_NAME || '';
+export const AUTO_REGISTER_INSTANCE_NAME = process.env.AWS_INSTANCE_NAME || "";
 /** 项目名称 */
-export const AUTO_REGISTER_PROJECT_NAME = process.env.AWS_PROJECT_NAME || '';
+export const AUTO_REGISTER_PROJECT_NAME = process.env.AWS_PROJECT_NAME || "";
 /** 角色名称 */
-export const AUTO_REGISTER_ROLE_NAME = process.env.AWS_ROLE_NAME || '';
+export const AUTO_REGISTER_ROLE_NAME = process.env.AWS_ROLE_NAME || "";
 /** 工作空间路径 */
-export const AUTO_REGISTER_WORKSPACE_PATH = process.env.AWS_WORKSPACE_PATH || '';
-/** 虚拟 IP（EasyTier） */
-export const AUTO_REGISTER_VIRTUAL_IP = process.env.AWS_VIRTUAL_IP || '';
+export const AUTO_REGISTER_WORKSPACE_PATH = process.env.AWS_WORKSPACE_PATH || "";
+/** 注册 IP（优先），兼容 EasyTier 虚拟 IP */
+export const AUTO_REGISTER_VIRTUAL_IP = process.env.AWS_REGISTER_IP || process.env.AWS_VIRTUAL_IP || "";
 /** 注册重试次数 */
 export const AUTO_REGISTER_MAX_RETRIES = Number(process.env.AWS_REGISTER_MAX_RETRIES || 5);
 /** 注册重试间隔（毫秒） */

package/dist/index.js

@@ -21,18 +21,20 @@ import { gitRouter } from "./routes/git.js";
 import { fileBrowserRouter } from "./routes/file-browser.js";
 import { aiSourcesRouter } from "./routes/ai-sources.js";
 import { processesRouter } from "./routes/processes.js";
+import { runtimeBindingRouter, logRuntimeBindingStartupState, } from "./routes/runtime-binding.js";
 import { sessions, flushSessionOutput } from "./services/session-output.js";
-import { loadPersistedSessions, savePersistedSessions } from "./services/terminal-persistence.js";
+import { loadPersistedSessions, savePersistedSessions, } from "./services/terminal-persistence.js";
 import { detectOrphanProcesses } from "./services/process-detector.js";
-import { startOrphanMonitor, stopOrphanMonitor } from "./services/orphan-monitor.js";
+import { startOrphanMonitor, stopOrphanMonitor, } from "./services/orphan-monitor.js";
 import { getAgentProcessManager } from "./services/agent-process-manager.js";
 import { adapterRegistry } from "./adapter/index.js";
 import { logger } from "./utils/logger.js";
-import { autoRegister, unregister, bridgeRestartCleanup } from "./services/auto-register.js";
+import { autoRegister, unregister, bridgeRestartCleanup, } from "./services/auto-register.js";
 import { ensureAwsClientAgentMcpReleased } from "./services/aws-client-agent-mcp.js";
 // 验证生产环境配置
 validateProductionToken();
 ensureAwsClientAgentMcpReleased();
+logRuntimeBindingStartupState();
 // ★ 启动时自动注册
 async function performAutoRegister() {
     try {
@@ -71,7 +73,7 @@ performAutoRegister()
     // 这样可以确保 bridge 重启后，之前启动的 Agent 显示为"离线+停止"状态
     return performBridgeRestartCleanup();
 })
-    .catch(err => {
+    .catch((err) => {
     logger.warn("[runtime-bridge] 自动注册或清理出错:", err);
 });
 // ★★★ Bridge 重启清理
@@ -109,13 +111,13 @@ async function rebuildProcessRegistry() {
             return;
         }
         const manager = getAgentProcessManager();
-        await manager.rebuildRegistry(persistedSessions.map(s => ({
+        await manager.rebuildRegistry(persistedSessions.map((s) => ({
             agentId: s.agentId,
             sessionId: s.sessionId,
             pid: s.pid,
             workspacePath: s.workspacePath,
             command: s.command,
-            mode: s.mode || 'pty',
+            mode: s.mode || "pty",
         })));
         logger.info(`[runtime-bridge] 进程注册表重建完成: ${persistedSessions.length} 条记录`);
     }
@@ -124,7 +126,7 @@ async function rebuildProcessRegistry() {
         logger.warn("[runtime-bridge] 进程注册表重建失败:", err.message);
     }
 }
-rebuildProcessRegistry().catch(err => {
+rebuildProcessRegistry().catch((err) => {
     logger.warn("[runtime-bridge] 进程注册表重建出错:", err);
 });
 // ★ 启动时检测孤儿进程并自动清理
@@ -134,13 +136,13 @@ rebuildProcessRegistry().catch(err => {
 async function detectOrphansOnStartup() {
     try {
         // ★★★ 检查是否存在保留会话标记文件
-        const fs = await import('fs/promises');
-        const path = await import('path');
-        const os = await import('os');
-        const restartFlagFile = path.join(os.tmpdir(), 'agentswork-runtime-bridge', '.preserve-sessions');
+        const fs = await import("fs/promises");
+        const path = await import("path");
+        const os = await import("os");
+        const restartFlagFile = path.join(os.tmpdir(), "agentswork-runtime-bridge", ".preserve-sessions");
         let preserveSessions = false;
         try {
-            const flagContent = await fs.readFile(restartFlagFile, 'utf-8');
+            const flagContent = await fs.readFile(restartFlagFile, "utf-8");
             const flag = JSON.parse(flagContent);
             preserveSessions = flag.preserveSessions === true;
             // 读取后删除标记文件
@@ -160,20 +162,20 @@ async function detectOrphansOnStartup() {
             logger.info(`[runtime-bridge] ★ aws-mcp-server 重启恢复场景，保留 ${persistedSessions.length} 个会话`);
             // 重建进程注册表
             const manager = getAgentProcessManager();
-            await manager.rebuildRegistry(persistedSessions.map(s => ({
+            await manager.rebuildRegistry(persistedSessions.map((s) => ({
                 agentId: s.agentId,
                 sessionId: s.sessionId,
                 pid: s.pid,
                 workspacePath: s.workspacePath,
                 command: s.command,
-                mode: s.mode || 'pty',
+                mode: s.mode || "pty",
             })));
             return;
         }
         logger.info(`[runtime-bridge] ★ Bridge 重启，检测 ${persistedSessions.length} 个持久化会话的孤儿进程...`);
         // ★★★ 修复：不再区分 SDK 和 PTY 模式，全部清理
         // bridge 重启 = 整个运行环境重启，所有 agent 都应该被终止
-        const orphans = detectOrphanProcesses(persistedSessions.map(s => ({
+        const orphans = detectOrphanProcesses(persistedSessions.map((s) => ({
             agentId: s.agentId,
             pid: s.pid,
             workspacePath: s.workspacePath,
@@ -190,13 +192,16 @@ async function detectOrphansOnStartup() {
                 try {
                     if (orphan.process.pid) {
                         // 使用跨平台方式终止进程
-                        if (process.platform === 'win32') {
-                            const { execSync } = await import('child_process');
-                            execSync(`taskkill /PID ${orphan.process.pid} /T /F`, { encoding: 'utf8', timeout: 3000 });
+                        if (process.platform === "win32") {
+                            const { execSync } = await import("child_process");
+                            execSync(`taskkill /PID ${orphan.process.pid} /T /F`, {
+                                encoding: "utf8",
+                                timeout: 3000,
+                            });
                             logger.info(`[runtime-bridge] 已自动终止孤儿进程: agentId=${orphan.agentId}, PID=${orphan.process.pid}`);
                         }
                         else {
-                            process.kill(orphan.process.pid, 'SIGKILL');
+                            process.kill(orphan.process.pid, "SIGKILL");
                             logger.info(`[runtime-bridge] 已自动终止孤儿进程: agentId=${orphan.agentId}, PID=${orphan.process.pid}`);
                         }
                     }
@@ -207,7 +212,7 @@ async function detectOrphansOnStartup() {
                 }
             }
             // 等待进程完全终止
-            await new Promise(resolve => setTimeout(resolve, 1000));
+            await new Promise((resolve) => setTimeout(resolve, 1000));
         }
         // ★★★ 修复：bridge 重启后清空所有持久化会话
         // 不再保留任何会话，因为所有 agent 都应该被清理
@@ -220,11 +225,11 @@ async function detectOrphansOnStartup() {
     }
 }
 // 执行孤儿进程检测
-detectOrphansOnStartup().catch(err => {
+detectOrphansOnStartup().catch((err) => {
     logger.warn("[runtime-bridge] 孤儿进程检测出错:", err);
 });
 // ★ 启动孤儿进程定期监控
-startOrphanMonitor().catch(err => {
+startOrphanMonitor().catch((err) => {
     logger.warn("[runtime-bridge] 启动孤儿进程监控失败:", err);
 });
 // 创建 Express 应用
@@ -241,6 +246,7 @@ app.use(cors({
 }));
 app.use(express.json({ limit: "1mb" }));
 // 注册路由
+app.use("/runtime", runtimeBindingRouter);
 app.use("/runtime", propertiesRouter);
 app.use("/runtime", ymlRouter);
 app.use("/runtime", instanceRouter);
@@ -345,7 +351,7 @@ async function gracefulShutdown(signal, server, preserveSessions = false) {
                 const providerId = entry.providerId || "claude-code";
                 const adapter = adapterRegistry.get(providerId);
                 // 尝试获取 PID 用于日志
-                let pidInfo = '';
+                let pidInfo = "";
                 try {
                     const pid = adapter.getSessionPid?.(sessionId);
                     if (pid) {
@@ -371,14 +377,14 @@ async function gracefulShutdown(signal, server, preserveSessions = false) {
         stopOrphanMonitor();
         // 4. ★ 验证所有进程已终止（等待一小段时间让进程完全退出）
         logger.info("[runtime-bridge] 等待进程完全终止...");
-        await new Promise(resolve => setTimeout(resolve, 1000));
+        await new Promise((resolve) => setTimeout(resolve, 1000));
         // 5. 检查是否还有残留进程，如果有则强制终止
         try {
             const { detectOrphanProcesses, terminateProcessTree } = await import("./services/process-detector.js");
             const { loadPersistedSessions } = await import("./services/terminal-persistence.js");
             const persistedSessions = await loadPersistedSessions();
             if (persistedSessions.length > 0) {
-                const orphans = detectOrphanProcesses(persistedSessions.map(s => ({
+                const orphans = detectOrphanProcesses(persistedSessions.map((s) => ({
                     agentId: s.agentId,
                     pid: s.pid,
                     workspacePath: s.workspacePath,
@@ -455,11 +461,11 @@ const server = startServer();
  *
  * 信号处理器必须使用同步 I/O，因为异步操作在信号上下文中不可靠。
  */
-const RESTART_FLAG_FILE = path.join(os.tmpdir(), 'agentswork-runtime-bridge', '.preserve-sessions');
+const RESTART_FLAG_FILE = path.join(os.tmpdir(), "agentswork-runtime-bridge", ".preserve-sessions");
 function checkPreserveFlagSync() {
     try {
         if (existsSync(RESTART_FLAG_FILE)) {
-            const content = readFileSync(RESTART_FLAG_FILE, 'utf-8');
+            const content = readFileSync(RESTART_FLAG_FILE, "utf-8");
             const flag = JSON.parse(content);
             return flag.preserveSessions === true;
         }

package/dist/middleware/auth.d.ts

@@ -3,10 +3,12 @@
  *
  * 验证请求头中的 X-Runtime-Token 是否与配置的 runtimeToken 匹配
  */
-import type { Request, Response, NextFunction } from 'express';
+import type { Request, Response, NextFunction } from "express";
 /**
  * Token 验证中间件
- * 检查请求头中的 X-Runtime-Token 是否有效
+ * 检查请求头中的 X-Runtime-Token 或 Authorization: Bearer 是否有效。
+ *
+ * 优先支持面板/服务器绑定时写入的动态令牌；仍兼容环境变量配置的静态令牌。
  */
 export declare function validateToken(req: Request, res: Response, next: NextFunction): void;
 //# sourceMappingURL=auth.d.ts.map

package/dist/middleware/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG/D;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,IAAI,CAOnF"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AA8B/D;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,IAAI,CAqBN"}

package/dist/middleware/auth.js

@@ -3,16 +3,46 @@
  *
  * 验证请求头中的 X-Runtime-Token 是否与配置的 runtimeToken 匹配
  */
-import { runtimeToken } from '../config.js';
+import { allowDefaultRuntimeToken, runtimeToken } from "../config.js";
+import { hasRuntimeBinding, validateRuntimeBindingToken, } from "../services/runtime-binding.js";
+function extractRuntimeToken(req) {
+    const headerToken = req.header("X-Runtime-Token");
+    if (headerToken) {
+        return headerToken.trim();
+    }
+    const authorization = req.header("Authorization") || "";
+    const bearerMatch = authorization.match(/^Bearer\s+(.+)$/i);
+    return bearerMatch?.[1]?.trim() || "";
+}
+function validateConfiguredToken(token) {
+    if (!token) {
+        return false;
+    }
+    if (process.env.AWS_RUNTIME_CALLBACK_TOKEN) {
+        return token === runtimeToken;
+    }
+    return allowDefaultRuntimeToken && token === runtimeToken;
+}
 /**
  * Token 验证中间件
- * 检查请求头中的 X-Runtime-Token 是否有效
+ * 检查请求头中的 X-Runtime-Token 或 Authorization: Bearer 是否有效。
+ *
+ * 优先支持面板/服务器绑定时写入的动态令牌；仍兼容环境变量配置的静态令牌。
  */
 export function validateToken(req, res, next) {
-    const token = req.header('X-Runtime-Token');
-    if (token !== runtimeToken) {
-        res.status(401).json({ error: 'unauthorized' });
+    const token = extractRuntimeToken(req);
+    if (validateRuntimeBindingToken(token) || validateConfiguredToken(token)) {
+        next();
+        return;
+    }
+    if (!hasRuntimeBinding() &&
+        !process.env.AWS_RUNTIME_CALLBACK_TOKEN &&
+        !allowDefaultRuntimeToken) {
+        res.status(401).json({
+            error: "runtime_bridge_unpaired",
+            message: "Runtime bridge is not paired. Add this instance from the panel first.",
+        });
         return;
     }
-    next();
+    res.status(401).json({ error: "unauthorized" });
 }

package/dist/routes/instance.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"instance.d.ts","sourceRoot":"","sources":["../../src/routes/instance.ts"],"names":[],"mappings":"AAeA,wBAAgB,qBAAqB,CAAC,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAE5G;AAED,eAAO,MAAM,cAAc,4CAAW,CAAC"}
+{"version":3,"file":"instance.d.ts","sourceRoot":"","sources":["../../src/routes/instance.ts"],"names":[],"mappings":"AAwBA,wBAAgB,qBAAqB,CACnC,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,GAC/D,IAAI,CAEN;AAED,eAAO,MAAM,cAAc,4CAAW,CAAC"}

package/dist/routes/instance.js

@@ -1,12 +1,12 @@
-import { Router } from 'express';
-import axios from 'axios';
-import { validateToken } from '../middleware/auth.js';
-import { schedulerBaseUrl, runtimeToken } from '../config.js';
-import { loadInstanceState, saveInstanceState } from '../services/instance-state.js';
-import { initInstance } from '../services/instance-init-service.js';
-import { detectToolStatuses, ensureToolsInstalled, SUPPORTED_INSTALLABLE_TOOLS } from '../services/tool-installer.js';
-import { createLogger } from '../utils/logger.js';
-const log = createLogger('instance');
+import { Router } from "express";
+import axios from "axios";
+import { validateToken } from "../middleware/auth.js";
+import { schedulerBaseUrl, runtimeToken } from "../config.js";
+import { loadInstanceState, saveInstanceState, } from "../services/instance-state.js";
+import { initInstance } from "../services/instance-init-service.js";
+import { detectToolStatuses, ensureToolsInstalled, SUPPORTED_INSTALLABLE_TOOLS, } from "../services/tool-installer.js";
+import { createLogger } from "../utils/logger.js";
+const log = createLogger("instance");
 // ★★★ 导出 gracefulShutdown 的触发函数
 // 用于 aws-mcp-server 通知 bridge 保留会话状态关闭
 let gracefulShutdownFn = null;
@@ -14,12 +14,18 @@ export function setGracefulShutdownFn(fn) {
     gracefulShutdownFn = fn;
 }
 export const instanceRouter = Router();
-instanceRouter.get('/ping', validateToken, async (_req, res) => {
+instanceRouter.get("/healthz", (_req, res) => {
+    res.json({
+        ok: true,
+        runtimeBridge: "healthy",
+    });
+});
+instanceRouter.get("/ping", validateToken, async (_req, res) => {
     try {
-        const schedulerResponse = await axios.get(`${schedulerBaseUrl}/api/runtime/ping`, { headers: { 'X-Runtime-Token': runtimeToken } });
+        const schedulerResponse = await axios.get(`${schedulerBaseUrl}/api/runtime/ping`, { headers: { "X-Runtime-Token": runtimeToken } });
         res.json({
             ok: true,
-            runtimeBridge: 'healthy',
+            runtimeBridge: "healthy",
             schedulerReachable: schedulerResponse.status >= 200 && schedulerResponse.status < 300,
             schedulerBaseUrl,
         });
@@ -28,15 +34,15 @@ instanceRouter.get('/ping', validateToken, async (_req, res) => {
         const err = error;
         res.status(502).json({
             ok: false,
-            error: err?.message || 'scheduler ping failed',
+            error: err?.message || "scheduler ping failed",
             schedulerBaseUrl,
         });
     }
 });
-instanceRouter.post('/init-instance', validateToken, async (req, res) => {
+instanceRouter.post("/init-instance", validateToken, async (req, res) => {
     const { agentId, workspacePath, skillEnabled, mcpEnabled, ccSwitchEnabledTools, skillPackage, skillPackages, mcpServers, } = req.body || {};
     if (!agentId || !workspacePath) {
-        res.status(400).json({ error: 'agentId and workspacePath are required' });
+        res.status(400).json({ error: "agentId and workspacePath are required" });
         return;
     }
     try {
@@ -53,39 +59,51 @@ instanceRouter.post('/init-instance', validateToken, async (req, res) => {
     catch (error) {
         const err = error;
         res.status(400).json({
-            error: err?.message || 'initialize instance failed',
+            error: err?.message || "initialize instance failed",
         });
     }
 });
-instanceRouter.post('/cc-switch/state', validateToken, async (req, res) => {
+instanceRouter.post("/cc-switch/state", validateToken, async (req, res) => {
     const { agentId } = req.body || {};
     if (!agentId) {
-        res.status(400).json({ error: 'agentId is required' });
+        res.status(400).json({ error: "agentId is required" });
         return;
     }
     try {
         const state = await loadInstanceState(agentId);
         const toolStatus = await detectToolStatuses(state.enabledTools || []);
-        res.json({ ok: true, agentId: String(agentId), state: { ...state, toolStatus } });
+        res.json({
+            ok: true,
+            agentId: String(agentId),
+            state: { ...state, toolStatus },
+        });
     }
     catch (error) {
         const err = error;
-        res.status(400).json({ error: err?.message || 'load state failed' });
+        res.status(400).json({ error: err?.message || "load state failed" });
     }
 });
-instanceRouter.post('/cc-switch/install-tools', validateToken, async (req, res) => {
+instanceRouter.post("/cc-switch/install-tools", validateToken, async (req, res) => {
     const { agentId, tools } = req.body || {};
     if (!agentId) {
-        res.status(400).json({ error: 'agentId is required' });
+        res.status(400).json({ error: "agentId is required" });
         return;
     }
     const requestedTools = Array.isArray(tools)
-        ? tools.map((tool) => String(tool || '').trim().toLowerCase()).filter(Boolean)
+        ? tools
+            .map((tool) => String(tool || "")
+            .trim()
+            .toLowerCase())
+            .filter(Boolean)
         : [];
     const supportedInstallableTools = new Set(SUPPORTED_INSTALLABLE_TOOLS);
     const installableTools = requestedTools.filter((tool) => supportedInstallableTools.has(tool));
     if (installableTools.length === 0) {
-        res.status(400).json({ error: `tools must include ${SUPPORTED_INSTALLABLE_TOOLS.join(', ')}` });
+        res
+            .status(400)
+            .json({
+            error: `tools must include ${SUPPORTED_INSTALLABLE_TOOLS.join(", ")}`,
+        });
         return;
     }
     try {
@@ -111,7 +129,7 @@ instanceRouter.post('/cc-switch/install-tools', validateToken, async (req, res)
     }
     catch (error) {
         const err = error;
-        res.status(400).json({ error: err?.message || 'install tools failed' });
+        res.status(400).json({ error: err?.message || "install tools failed" });
     }
 });
 /**
@@ -126,22 +144,22 @@ instanceRouter.post('/cc-switch/install-tools', validateToken, async (req, res)
  * - preserveSessions: true = 保留会话（aws-mcp-server 重启）
  *                     false = 清理会话（bridge 自己关闭）
  */
-instanceRouter.post('/prepare-restart', validateToken, async (req, res) => {
+instanceRouter.post("/prepare-restart", validateToken, async (req, res) => {
     const { preserveSessions = true } = req.body || {};
     try {
         log.info(`[prepare-restart] 收到准备重启通知，preserveSessions=${preserveSessions}`);
         // 记录重启模式到文件，供下次启动时判断
-        const fs = await import('fs/promises');
-        const path = await import('path');
-        const os = await import('os');
-        const restartFlagFile = path.join(os.tmpdir(), 'agentswork-runtime-bridge', '.preserve-sessions');
+        const fs = await import("fs/promises");
+        const path = await import("path");
+        const os = await import("os");
+        const restartFlagFile = path.join(os.tmpdir(), "agentswork-runtime-bridge", ".preserve-sessions");
         if (preserveSessions) {
             // 创建标记文件，表示 aws-mcp-server 重启，需要保留会话
             await fs.mkdir(path.dirname(restartFlagFile), { recursive: true });
             await fs.writeFile(restartFlagFile, JSON.stringify({
                 preserveSessions: true,
                 timestamp: new Date().toISOString(),
-            }), 'utf-8');
+            }), "utf-8");
             log.info(`[prepare-restart] 已创建保留会话标记文件: ${restartFlagFile}`);
         }
         else {
@@ -158,13 +176,13 @@ instanceRouter.post('/prepare-restart', validateToken, async (req, res) => {
             ok: true,
             preserveSessions,
             message: preserveSessions
-                ? 'Bridge will preserve sessions for aws-mcp-server restart'
-                : 'Bridge will clean up sessions on shutdown',
+                ? "Bridge will preserve sessions for aws-mcp-server restart"
+                : "Bridge will clean up sessions on shutdown",
         });
     }
     catch (error) {
         const err = error;
-        log.error('[prepare-restart] Error:', err);
+        log.error("[prepare-restart] Error:", err);
         res.status(500).json({ error: err.message });
     }
 });

package/dist/routes/runtime-binding.d.ts

@@ -0,0 +1,3 @@
+export declare const runtimeBindingRouter: import("express-serve-static-core").Router;
+export declare function logRuntimeBindingStartupState(): void;
+//# sourceMappingURL=runtime-binding.d.ts.map