camelagi 0.5.0

package/dist/gateway/csrf.js

@@ -0,0 +1,44 @@
+// CSRF protection — blocks cross-origin mutation requests from browsers
+const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);
+const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
+function isLoopbackOrigin(raw) {
+    try {
+        const url = new URL(raw);
+        return LOOPBACK_HOSTS.has(url.hostname);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Blocks browser-originated cross-site mutation requests.
+ * Non-browser clients (curl, Node fetch) that don't send Origin/Sec-Fetch-Site pass through.
+ */
+export function csrfProtection() {
+    return (req, res, next) => {
+        if (SAFE_METHODS.has(req.method)) {
+            next();
+            return;
+        }
+        // Sec-Fetch-Site: if present, only allow same-origin / same-site / none
+        const fetchSite = req.headers["sec-fetch-site"];
+        if (fetchSite === "cross-site") {
+            res.status(403).json({ error: "Cross-site requests are not allowed" });
+            return;
+        }
+        // Origin header: if present, must be loopback
+        const origin = req.headers.origin;
+        if (origin && !isLoopbackOrigin(origin)) {
+            res.status(403).json({ error: "Non-local origin is not allowed" });
+            return;
+        }
+        // Referer header: if present and no Origin, must be loopback
+        const referer = req.headers.referer;
+        if (!origin && referer && !isLoopbackOrigin(referer)) {
+            res.status(403).json({ error: "Non-local referer is not allowed" });
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=csrf.js.map

package/dist/gateway/csrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/gateway/csrf.ts"],"names":[],"mappings":"AAAA,wEAAwE;AAIxE,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;AAClE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;AAEzD,SAAS,gBAAgB,CAAC,GAAW;IACnC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc;IAC5B,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAAC,IAAI,EAAE,CAAC;YAAC,OAAO;QAAC,CAAC;QAErD,wEAAwE;QACxE,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAuB,CAAC;QACtE,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;YAC/B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qCAAqC,EAAE,CAAC,CAAC;YACvE,OAAO;QACT,CAAC;QAED,8CAA8C;QAC9C,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;QAClC,IAAI,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;YACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QAED,6DAA6D;QAC7D,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;QACpC,IAAI,CAAC,MAAM,IAAI,OAAO,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,kCAAkC,EAAE,CAAC,CAAC;YACpE,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/gateway/logger.js

@@ -0,0 +1,81 @@
+// JSON-line request logger — writes to ~/.camelagi/logs/server.log
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+const LOG_DIR = path.join(os.homedir(), ".camelagi", "logs");
+const LOG_FILE = path.join(LOG_DIR, "server.log");
+const MAX_AGE_DAYS = 7;
+function ensureLogDir() {
+    fs.mkdirSync(LOG_DIR, { recursive: true });
+}
+/** Delete rotated log files older than MAX_AGE_DAYS */
+export function rotateOldLogs() {
+    ensureLogDir();
+    const cutoff = Date.now() - MAX_AGE_DAYS * 86_400_000;
+    try {
+        for (const f of fs.readdirSync(LOG_DIR)) {
+            if (!f.startsWith("server-") || !f.endsWith(".log"))
+                continue;
+            const stat = fs.statSync(path.join(LOG_DIR, f));
+            if (stat.mtimeMs < cutoff)
+                fs.unlinkSync(path.join(LOG_DIR, f));
+        }
+    }
+    catch { /* best effort */ }
+}
+/** Rotate current log if it's from a previous day */
+function maybeRotate() {
+    try {
+        if (!fs.existsSync(LOG_FILE))
+            return;
+        const stat = fs.statSync(LOG_FILE);
+        const logDate = new Date(stat.mtimeMs).toISOString().slice(0, 10);
+        const today = new Date().toISOString().slice(0, 10);
+        if (logDate !== today) {
+            fs.renameSync(LOG_FILE, path.join(LOG_DIR, `server-${logDate}.log`));
+        }
+    }
+    catch { /* best effort */ }
+}
+function writeLog(entry) {
+    try {
+        fs.appendFileSync(LOG_FILE, JSON.stringify(entry) + "\n");
+    }
+    catch { /* best effort */ }
+}
+/** Express middleware that logs each request as a JSON line */
+export function requestLogger() {
+    ensureLogDir();
+    maybeRotate();
+    rotateOldLogs();
+    return (req, res, next) => {
+        const start = Date.now();
+        res.on("finish", () => {
+            const entry = {
+                ts: new Date().toISOString(),
+                method: req.method,
+                path: req.path,
+                status: res.statusCode,
+                ms: Date.now() - start,
+            };
+            const sid = req.body?.session ?? req.params?.id;
+            if (sid)
+                entry.sessionId = sid;
+            if (res.statusCode >= 400)
+                entry.error = res.statusMessage;
+            writeLog(entry);
+        });
+        next();
+    };
+}
+/** Tail the current log file — used by `camelagi logs` */
+export function tailLog(lines = 50) {
+    if (!fs.existsSync(LOG_FILE))
+        return "No logs yet.";
+    const content = fs.readFileSync(LOG_FILE, "utf-8").trim();
+    if (!content)
+        return "No logs yet.";
+    const allLines = content.split("\n");
+    return allLines.slice(-lines).join("\n");
+}
+//# sourceMappingURL=logger.js.map

package/dist/gateway/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/gateway/logger.ts"],"names":[],"mappings":"AAAA,mEAAmE;AAEnE,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AAGzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;AAClD,MAAM,YAAY,GAAG,CAAC,CAAC;AAEvB,SAAS,YAAY;IACnB,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,aAAa;IAC3B,YAAY,EAAE,CAAC;IACf,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,UAAU,CAAC;IACtD,IAAI,CAAC;QACH,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;YACxC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAAE,SAAS;YAC9D,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;YAChD,IAAI,IAAI,CAAC,OAAO,GAAG,MAAM;gBAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;AAC/B,CAAC;AAED,qDAAqD;AACrD,SAAS,WAAW;IAClB,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,OAAO;QACrC,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAClE,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpD,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;YACtB,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,OAAO,MAAM,CAAC,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;AAC/B,CAAC;AAYD,SAAS,QAAQ,CAAC,KAAe;IAC/B,IAAI,CAAC;QACH,EAAE,CAAC,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;AAC/B,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,aAAa;IAC3B,YAAY,EAAE,CAAC;IACf,WAAW,EAAE,CAAC;IACd,aAAa,EAAE,CAAC;IAEhB,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEzB,GAAG,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;YACpB,MAAM,KAAK,GAAa;gBACtB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBAC5B,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,MAAM,EAAE,GAAG,CAAC,UAAU;gBACtB,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;aACvB,CAAC;YAEF,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,OAAO,IAAI,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;YAChD,IAAI,GAAG;gBAAE,KAAK,CAAC,SAAS,GAAG,GAAG,CAAC;YAE/B,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG;gBAAE,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,aAAa,CAAC;YAE3D,QAAQ,CAAC,KAAK,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,OAAO,CAAC,QAAgB,EAAE;IACxC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,cAAc,CAAC;IACpD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,CAAC,OAAO;QAAE,OAAO,cAAc,CAAC;IACpC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC3C,CAAC"}

package/dist/gateway/rate-limit.js

@@ -0,0 +1,33 @@
+// Simple in-memory rate limiter — no dependencies
+const hits = new Map();
+export function rateLimit(opts) {
+    // Periodically clean up expired entries
+    setInterval(() => {
+        const now = Date.now();
+        for (const [key, entry] of hits) {
+            if (now >= entry.resetAt)
+                hits.delete(key);
+        }
+    }, opts.windowMs).unref();
+    return (req, res, next) => {
+        const key = req.ip ?? "unknown";
+        const now = Date.now();
+        let entry = hits.get(key);
+        if (!entry || now >= entry.resetAt) {
+            entry = { count: 0, resetAt: now + opts.windowMs };
+            hits.set(key, entry);
+        }
+        entry.count++;
+        res.setHeader("X-RateLimit-Limit", opts.max);
+        res.setHeader("X-RateLimit-Remaining", Math.max(0, opts.max - entry.count));
+        res.setHeader("X-RateLimit-Reset", Math.ceil(entry.resetAt / 1000));
+        if (entry.count > opts.max) {
+            const retryAfter = Math.ceil((entry.resetAt - now) / 1000);
+            res.setHeader("Retry-After", retryAfter);
+            res.status(429).json({ error: "Too many requests, please try again later" });
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=rate-limit.js.map

package/dist/gateway/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/gateway/rate-limit.ts"],"names":[],"mappings":"AAAA,kDAAkD;AASlD,MAAM,IAAI,GAAG,IAAI,GAAG,EAA8C,CAAC;AAEnE,MAAM,UAAU,SAAS,CAAC,IAAmB;IAC3C,wCAAwC;IACxC,WAAW,CAAC,GAAG,EAAE;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;YAChC,IAAI,GAAG,IAAI,KAAK,CAAC,OAAO;gBAAE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAE,CAAC;IAE1B,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,GAAG,GAAG,GAAG,CAAC,EAAE,IAAI,SAAS,CAAC;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,CAAC,KAAK,IAAI,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YACnC,KAAK,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACvB,CAAC;QAED,KAAK,CAAC,KAAK,EAAE,CAAC;QAEd,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7C,GAAG,CAAC,SAAS,CAAC,uBAAuB,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;QAC5E,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;QAEpE,IAAI,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;YAC3D,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;YACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC,CAAC;YAC7E,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/gateway/routes.js

@@ -0,0 +1,315 @@
+// Gateway REST API routes
+import { loadConfig, saveConfig } from "../core/config.js";
+import { createClient } from "../model.js";
+import { buildSystemPrompt } from "../system-prompt.js";
+import { agentMemoryDir, seedAgentWorkspace } from "../workspace.js";
+import { loadMessages, listSessions, deleteSession } from "../session.js";
+import { getActiveRunCount } from "../runtime/runs.js";
+import { getLaneStats } from "../runtime/lanes.js";
+import { orchestrate } from "../runtime/orchestrate.js";
+import { errorMessage } from "../core/errors.js";
+import { submitDecision } from "../extensions/approvals.js";
+import fs from "node:fs";
+import path from "node:path";
+import { listPendingRequests, approveRequest, denyRequest } from "../telegram/pairing.js";
+import { listPendingBotApprovals, approveBotApproval, denyBotApproval } from "../telegram/bot-approval.js";
+import { notifyUserApproved, notifyUserOfDenial } from "../telegram/pairing-notify.js";
+import { checkAuth, logMessage } from "./state.js";
+export function registerRoutes(app, state) {
+    app.get("/health", (_req, res) => {
+        res.json({
+            status: "ok",
+            uptime: Math.floor((Date.now() - state.startTime) / 1000),
+            sessions: listSessions().length,
+            clients: state.clients.size,
+            activeRuns: getActiveRunCount(),
+            lanes: getLaneStats(),
+        });
+    });
+    app.post("/chat", async (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const { message, session } = req.body;
+        if (!message || typeof message !== "string") {
+            res.status(400).json({ error: "message is required" });
+            return;
+        }
+        const sid = session ?? `http-${Date.now()}`;
+        logMessage(state, "http", "in", sid, message);
+        try {
+            const result = await orchestrate({
+                sessionId: sid,
+                message,
+                config: state.config,
+                systemPrompt: state.systemPrompt,
+                client: state.client,
+            });
+            if (result.response) {
+                logMessage(state, "http", "out", sid, result.response);
+            }
+            res.json({ response: result.response, session: sid });
+        }
+        catch (err) {
+            logMessage(state, "http", "out", sid, `ERROR: ${errorMessage(err)}`);
+            res.status(500).json({ error: errorMessage(err) });
+        }
+    });
+    // Sessions
+    app.get("/sessions", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        res.json(listSessions());
+    });
+    app.get("/sessions/:id/messages", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const messages = loadMessages(req.params.id);
+        res.json(messages.map((m) => ({ role: m.role, content: m.content })));
+    });
+    app.delete("/sessions/:id", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        deleteSession(req.params.id);
+        res.json({ ok: true });
+    });
+    // Agents
+    app.get("/agents", async (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        let runningIds = [];
+        try {
+            const { getAllChannels } = await import("../channels/registry.js");
+            runningIds = getAllChannels().flatMap(c => c.getActiveAgentIds());
+        }
+        catch { /* channels may not be loaded */ }
+        const agents = Object.entries(state.config.agents).map(([id, a]) => ({
+            id,
+            name: a.name,
+            admin: a.admin ?? false,
+            model: a.model ?? state.config.model,
+            telegram: !!a.telegram?.botToken,
+            running: runningIds.includes(id),
+            dir: agentMemoryDir(id),
+        }));
+        res.json(agents);
+    });
+    app.post("/agents", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const { id, name, model, description, telegramToken, allowedUsers } = req.body;
+        if (!id || !name) {
+            res.status(400).json({ error: "id and name are required" });
+            return;
+        }
+        if (state.config.agents[id]) {
+            res.status(409).json({ error: `Agent "${id}" already exists` });
+            return;
+        }
+        seedAgentWorkspace(id, name, description);
+        const agentConfig = { name };
+        if (model && model !== state.config.model)
+            agentConfig.model = model;
+        if (telegramToken) {
+            agentConfig.telegram = { botToken: telegramToken, allowedUsers: allowedUsers ?? [] };
+        }
+        const agents = { ...state.config.agents, [id]: agentConfig };
+        saveConfig({ agents });
+        state.config = loadConfig();
+        res.status(201).json({ id, name, dir: agentMemoryDir(id) });
+    });
+    app.delete("/agents/:id", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const { id } = req.params;
+        if (!state.config.agents[id]) {
+            res.status(404).json({ error: `Agent "${id}" not found` });
+            return;
+        }
+        const agents = { ...state.config.agents };
+        delete agents[id];
+        saveConfig({ agents });
+        state.config = loadConfig();
+        res.json({ ok: true });
+    });
+    // SOUL.md
+    app.get("/agents/:id/soul", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const { id } = req.params;
+        if (!state.config.agents[id]) {
+            res.status(404).json({ error: `Agent "${id}" not found` });
+            return;
+        }
+        const soulPath = path.join(agentMemoryDir(id), "SOUL.md");
+        if (!fs.existsSync(soulPath)) {
+            res.json({ content: "" });
+            return;
+        }
+        res.json({ content: fs.readFileSync(soulPath, "utf-8") });
+    });
+    app.put("/agents/:id/soul", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const { id } = req.params;
+        if (!state.config.agents[id]) {
+            res.status(404).json({ error: `Agent "${id}" not found` });
+            return;
+        }
+        const { content } = req.body;
+        if (typeof content !== "string") {
+            res.status(400).json({ error: "content is required" });
+            return;
+        }
+        const dir = agentMemoryDir(id);
+        fs.mkdirSync(dir, { recursive: true });
+        fs.writeFileSync(path.join(dir, "SOUL.md"), content);
+        res.json({ ok: true });
+    });
+    // Config
+    app.get("/config", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const safe = { ...state.config, apiKey: state.config.apiKey ? `***${state.config.apiKey.slice(-4)}` : undefined };
+        res.json(safe);
+    });
+    app.patch("/config", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const updates = req.body;
+        if (!updates || typeof updates !== "object") {
+            res.status(400).json({ error: "JSON body required" });
+            return;
+        }
+        delete updates.apiKey;
+        delete updates.serve;
+        saveConfig(updates);
+        state.config = loadConfig();
+        state.client = createClient(state.config);
+        state.systemPrompt = buildSystemPrompt(state.config.systemPrompt, state.config.skills);
+        res.json({ ok: true });
+    });
+    // Pairing
+    app.get("/pairing", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        res.json(listPendingRequests());
+    });
+    app.post("/pairing/:code/approve", async (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const request = approveRequest(req.params.code);
+        if (request) {
+            res.json({ ok: true, userId: request.userId, agentId: request.agentId });
+            // Notify the Telegram user they've been approved
+            try {
+                const { getActiveBots } = await import("../telegram.js");
+                await notifyUserApproved(request, getActiveBots());
+            }
+            catch { /* telegram may not be running */ }
+        }
+        else {
+            res.status(404).json({ error: "Request not found or expired" });
+        }
+    });
+    app.post("/pairing/:code/deny", async (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const request = denyRequest(req.params.code);
+        if (request) {
+            res.json({ ok: true });
+            // Notify the Telegram user of denial
+            try {
+                const { getActiveBots } = await import("../telegram.js");
+                await notifyUserOfDenial(request, getActiveBots());
+            }
+            catch { /* telegram may not be running */ }
+        }
+        else {
+            res.status(404).json({ error: "Request not found or expired" });
+        }
+    });
+    // Bot approvals
+    app.get("/bot-approvals", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        res.json(listPendingBotApprovals());
+    });
+    app.post("/bot-approvals/:agentId/approve", async (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const approval = approveBotApproval(req.params.agentId);
+        if (!approval) {
+            res.status(404).json({ error: "Approval not found" });
+            return;
+        }
+        try {
+            const { startBot } = await import("../telegram.js");
+            await startBot(approval.agentId, approval.botToken, () => state.config, () => state.systemPrompt);
+            res.json({ ok: true, agentId: approval.agentId, botUsername: approval.botUsername });
+        }
+        catch (err) {
+            res.status(500).json({ error: errorMessage(err) });
+        }
+    });
+    app.post("/bot-approvals/:agentId/deny", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const approval = denyBotApproval(req.params.agentId);
+        if (approval) {
+            res.json({ ok: true });
+        }
+        else {
+            res.status(404).json({ error: "Approval not found" });
+        }
+    });
+    // Approvals
+    app.post("/approvals/:id/decide", (req, res) => {
+        if (!checkAuth(state, req.headers.authorization)) {
+            res.status(401).json({ error: "Unauthorized" });
+            return;
+        }
+        const { id } = req.params;
+        const { decision } = req.body;
+        if (!decision) {
+            res.status(400).json({ error: "decision is required (allow-once, allow-always, deny)" });
+            return;
+        }
+        const resolved = submitDecision(id, decision);
+        res.json({ ok: resolved });
+    });
+}
+//# sourceMappingURL=routes.js.map

package/dist/gateway/routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.js","sourceRoot":"","sources":["../../src/gateway/routes.ts"],"names":[],"mappings":"AAAA,0BAA0B;AAG1B,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAyB,MAAM,4BAA4B,CAAC;AACnF,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1F,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC3G,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAEvF,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAEnD,MAAM,UAAU,cAAc,CAAC,GAAY,EAAE,KAAmB;IAC9D,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC/B,GAAG,CAAC,IAAI,CAAC;YACP,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;YACzD,QAAQ,EAAE,YAAY,EAAE,CAAC,MAAM;YAC/B,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI;YAC3B,UAAU,EAAE,iBAAiB,EAAE;YAC/B,KAAK,EAAE,YAAY,EAAE;SACtB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACnC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YACjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAChD,OAAO;QACT,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;QACtC,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;YACvD,OAAO;QACT,CAAC;QAED,MAAM,GAAG,GAAG,OAAO,IAAI,QAAQ,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC5C,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAE9C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC;gBAC/B,SAAS,EAAE,GAAG;gBACd,OAAO;gBACP,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,MAAM,EAAE,KAAK,CAAC,MAAM;aACrB,CAAC,CAAC;YAEH,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YACzD,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,UAAU,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACrE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,WAAW;IACX,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAChC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC7C,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC7C,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACvC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC7B,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,SAAS;IACT,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACpC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,IAAI,UAAU,GAAa,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;YACnE,UAAU,GAAG,cAAc,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,iBAAiB,EAAE,CAAC,CAAC;QACpE,CAAC;QAAC,MAAM,CAAC,CAAC,gCAAgC,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACnE,EAAE;YACF,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,KAAK;YACvB,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK;YACpC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ;YAChC,OAAO,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChC,GAAG,EAAE,cAAc,CAAC,EAAE,CAAC;SACxB,CAAC,CAAC,CAAC;QACJ,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC/B,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;QAC/E,IAAI,CAAC,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC1F,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAEzG,kBAAkB,CAAC,EAAE,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC;QAC1C,MAAM,WAAW,GAA4B,EAAE,IAAI,EAAE,CAAC;QACtD,IAAI,KAAK,IAAI,KAAK,KAAK,KAAK,CAAC,MAAM,CAAC,KAAK;YAAE,WAAW,CAAC,KAAK,GAAG,KAAK,CAAC;QACrE,IAAI,aAAa,EAAE,CAAC;YAClB,WAAW,CAAC,QAAQ,GAAG,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,IAAI,EAAE,EAAE,CAAC;QACvF,CAAC;QACD,MAAM,MAAM,GAAG,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC;QAC7D,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QACvB,KAAK,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,cAAc,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACrC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,EAAE,EAAE,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QACrG,MAAM,MAAM,GAAG,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC1C,OAAO,MAAM,CAAC,EAAE,CAAC,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QACvB,KAAK,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,UAAU;IACV,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACvC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,EAAE,EAAE,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QACrG,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC;QAC1D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QACpE,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACvC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,EAAE,EAAE,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QACrG,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;QAC7B,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QACpG,MAAM,GAAG,GAAG,cAAc,CAAC,EAAE,CAAC,CAAC;QAC/B,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,OAAO,CAAC,CAAC;QACrD,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,SAAS;IACT,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC9B,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,IAAI,GAAG,EAAE,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;QAClH,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAChC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC;QACzB,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC/G,OAAO,OAAO,CAAC,MAAM,CAAC;QACtB,OAAO,OAAO,CAAC,KAAK,CAAC;QACrB,UAAU,CAAC,OAAO,CAAC,CAAC;QACpB,KAAK,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,KAAK,CAAC,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1C,KAAK,CAAC,YAAY,GAAG,iBAAiB,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACvF,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,UAAU;IACV,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC/B,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,IAAI,CAAC,wBAAwB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACpD,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAChD,IAAI,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YACzE,iDAAiD;YACjD,IAAI,CAAC;gBACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;gBACzD,MAAM,kBAAkB,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC,CAAC,iCAAiC,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC,CAAC;QAClE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACjD,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;YACvB,qCAAqC;YACrC,IAAI,CAAC;gBACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;gBACzD,MAAM,kBAAkB,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC,CAAC,iCAAiC,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC,CAAC;QAClE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,gBAAgB;IAChB,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACrC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,GAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,IAAI,CAAC,iCAAiC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC7D,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACxD,IAAI,CAAC,QAAQ,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAEjF,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACpD,MAAM,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAClG,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;QACvF,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,IAAI,CAAC,8BAA8B,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACpD,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACrD,IAAI,QAAQ,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QACzB,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,YAAY;IACZ,GAAG,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC7C,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC9G,MAAM,EAAE,EAAE,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;QAC1B,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;QAC9B,IAAI,CAAC,QAAQ,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uDAAuD,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QACpH,MAAM,QAAQ,GAAG,cAAc,CAAC,EAAE,EAAE,QAA4B,CAAC,CAAC;QAClE,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/gateway/state.js

@@ -0,0 +1,54 @@
+// Gateway shared state
+import { createHash, timingSafeEqual } from "node:crypto";
+import { loadMessages } from "../session.js";
+import { compactHistory } from "../runtime/compact.js";
+/** Timing-safe token comparison — prevents timing attacks that leak token info */
+function safeEqual(a, b) {
+    const ha = createHash("sha256").update(a).digest();
+    const hb = createHash("sha256").update(b).digest();
+    return timingSafeEqual(ha, hb);
+}
+export function checkAuth(state, authHeader) {
+    if (!state.token)
+        return true;
+    if (!authHeader)
+        return false;
+    return safeEqual(authHeader, `Bearer ${state.token}`);
+}
+export function send(ws, data) {
+    if (ws.readyState === 1 /* WebSocket.OPEN */) {
+        ws.send(JSON.stringify(data));
+    }
+}
+export function broadcast(state, data) {
+    const json = JSON.stringify(data);
+    for (const ws of state.clients) {
+        if (ws.readyState === 1)
+            ws.send(json);
+    }
+}
+export function logMessage(state, channel, direction, sessionId, text) {
+    if (state.silent)
+        return;
+    const arrow = direction === "in" ? `\x1b[36m→\x1b[0m` : `\x1b[32m←\x1b[0m`;
+    const tag = `\x1b[90m[${channel}:${sessionId.slice(0, 16)}]\x1b[0m`;
+    const preview = text.slice(0, 160).replace(/\n/g, " ");
+    const suffix = text.length > 160 ? `\x1b[90m…\x1b[0m` : "";
+    console.log(`  ${arrow} ${tag} ${preview}${suffix}`);
+}
+export function parseTokenFromUrl(url) {
+    if (!url)
+        return undefined;
+    const match = url.match(/[?&]token=([^&]+)/);
+    return match ? `Bearer ${match[1]}` : undefined;
+}
+/** Load history + run compaction for a session */
+export async function prepareHistory(state, sid) {
+    let history = loadMessages(sid);
+    const result = await compactHistory(state.client, state.config.model, history, state.config.compaction);
+    if (result) {
+        return { history: result, compacted: true };
+    }
+    return { history, compacted: false };
+}
+//# sourceMappingURL=state.js.map

package/dist/gateway/state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.js","sourceRoot":"","sources":["../../src/gateway/state.ts"],"names":[],"mappings":"AAAA,uBAAuB;AAEvB,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAK1D,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAYvD,kFAAkF;AAClF,SAAS,SAAS,CAAC,CAAS,EAAE,CAAS;IACrC,MAAM,EAAE,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACnD,MAAM,EAAE,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACnD,OAAO,eAAe,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAmB,EAAE,UAA8B;IAC3E,IAAI,CAAC,KAAK,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,SAAS,CAAC,UAAU,EAAE,UAAU,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,EAAa,EAAE,IAAa;IAC/C,IAAI,EAAE,CAAC,UAAU,KAAK,CAAC,CAAC,oBAAoB,EAAE,CAAC;QAC7C,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAmB,EAAE,IAAa;IAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClC,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAC/B,IAAI,EAAE,CAAC,UAAU,KAAK,CAAC;YAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,KAAmB,EACnB,OAAe,EACf,SAAuB,EACvB,SAAiB,EACjB,IAAY;IAEZ,IAAI,KAAK,CAAC,MAAM;QAAE,OAAO;IACzB,MAAM,KAAK,GAAG,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,kBAAkB,CAAC;IAC3E,MAAM,GAAG,GAAG,YAAY,OAAO,IAAI,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC;IACpE,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,IAAI,GAAG,IAAI,OAAO,GAAG,MAAM,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,GAAuB;IACvD,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;IAC7C,OAAO,KAAK,CAAC,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AAClD,CAAC;AAED,kDAAkD;AAClD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAmB,EACnB,GAAW;IAEX,IAAI,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACxG,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAC9C,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AACvC,CAAC"}