npm - cli-claw-kit - Versions diffs - 0.0.1 - Mend

cli-claw-kit 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/LICENSE +21 -0
package/README.md +245 -0
package/config/default-groups.json +1 -0
package/config/global-agents-md.template.md +37 -0
package/config/mount-allowlist.json +11 -0
package/container/Dockerfile +160 -0
package/container/agent-runner/dist/.tsbuildinfo +1 -0
package/container/agent-runner/dist/agent-definitions.js +22 -0
package/container/agent-runner/dist/channel-prefixes.js +16 -0
package/container/agent-runner/dist/codex-config.js +29 -0
package/container/agent-runner/dist/image-detector.js +96 -0
package/container/agent-runner/dist/index.js +2587 -0
package/container/agent-runner/dist/mcp-tools.js +1076 -0
package/container/agent-runner/dist/stream-event.types.js +5 -0
package/container/agent-runner/dist/stream-processor.js +867 -0
package/container/agent-runner/dist/types.js +6 -0
package/container/agent-runner/dist/utils.js +115 -0
package/container/agent-runner/package.json +36 -0
package/container/agent-runner/prompts/security-rules.md +31 -0
package/container/agent-runner/src/agent-definitions.ts +27 -0
package/container/agent-runner/src/channel-prefixes.ts +16 -0
package/container/agent-runner/src/codex-config.ts +40 -0
package/container/agent-runner/src/image-detector.ts +116 -0
package/container/agent-runner/src/index.ts +3107 -0
package/container/agent-runner/src/mcp-tools.ts +1295 -0
package/container/agent-runner/src/stream-event.types.ts +10 -0
package/container/agent-runner/src/stream-processor.ts +932 -0
package/container/agent-runner/src/types.ts +75 -0
package/container/agent-runner/src/utils.ts +114 -0
package/container/agent-runner/tsconfig.json +17 -0
package/container/build.sh +28 -0
package/container/entrypoint.sh +64 -0
package/container/skills/agent-browser/SKILL.md +159 -0
package/container/skills/install-skill/SKILL.md +64 -0
package/container/skills/post-test-cleanup/SKILL.md +121 -0
package/dist/.tsbuildinfo +1 -0
package/dist/agent-output-parser.js +459 -0
package/dist/app-root.js +52 -0
package/dist/assistant-meta-footer.js +1 -0
package/dist/auth.js +91 -0
package/dist/billing.js +694 -0
package/dist/channel-prefixes.js +16 -0
package/dist/cli.js +86 -0
package/dist/commands.js +79 -0
package/dist/config.js +120 -0
package/dist/container-runner.js +981 -0
package/dist/daily-summary.js +210 -0
package/dist/db.js +3683 -0
package/dist/dingtalk.js +1347 -0
package/dist/feishu-markdown-style.js +97 -0
package/dist/feishu-streaming-card.js +1875 -0
package/dist/feishu.js +1628 -0
package/dist/file-manager.js +270 -0
package/dist/group-queue.js +1070 -0
package/dist/group-runtime.js +35 -0
package/dist/host-workspace-cwd.js +85 -0
package/dist/im-channel.js +384 -0
package/dist/im-command-utils.js +142 -0
package/dist/im-downloader.js +45 -0
package/dist/im-manager.js +527 -0
package/dist/im-utils.js +53 -0
package/dist/image-detector.js +96 -0
package/dist/index.js +5828 -0
package/dist/logger.js +22 -0
package/dist/mcp-utils.js +66 -0
package/dist/message-attachments.js +69 -0
package/dist/message-notifier.js +36 -0
package/dist/middleware/auth.js +85 -0
package/dist/mount-security.js +315 -0
package/dist/permissions.js +67 -0
package/dist/project-memory.js +6 -0
package/dist/provider-pool.js +189 -0
package/dist/qq.js +826 -0
package/dist/reset-admin.js +42 -0
package/dist/routes/admin.js +543 -0
package/dist/routes/agent-definitions.js +241 -0
package/dist/routes/agents.js +533 -0
package/dist/routes/auth.js +675 -0
package/dist/routes/billing.js +490 -0
package/dist/routes/browse.js +210 -0
package/dist/routes/bug-report.js +387 -0
package/dist/routes/config.js +1868 -0
package/dist/routes/files.js +671 -0
package/dist/routes/groups.js +1367 -0
package/dist/routes/mcp-servers.js +320 -0
package/dist/routes/memory.js +523 -0
package/dist/routes/monitor.js +307 -0
package/dist/routes/skills.js +777 -0
package/dist/routes/tasks.js +509 -0
package/dist/routes/usage.js +64 -0
package/dist/routes/workspace-config.js +458 -0
package/dist/runtime-build.js +112 -0
package/dist/runtime-command-handler.js +189 -0
package/dist/runtime-command-registry.js +1 -0
package/dist/runtime-config.js +1777 -0
package/dist/runtime-identity.js +52 -0
package/dist/schemas.js +590 -0
package/dist/script-runner.js +64 -0
package/dist/sdk-query.js +82 -0
package/dist/skill-utils.js +145 -0
package/dist/sqlite-compat.js +19 -0
package/dist/stream-event.types.js +5 -0
package/dist/streaming-runtime-meta.js +29 -0
package/dist/task-scheduler.js +695 -0
package/dist/task-utils.js +13 -0
package/dist/telegram-pairing.js +59 -0
package/dist/telegram.js +897 -0
package/dist/terminal-manager.js +307 -0
package/dist/tool-step-display.js +1 -0
package/dist/types.js +1 -0
package/dist/utils.js +85 -0
package/dist/web-context.js +161 -0
package/dist/web.js +1377 -0
package/dist/wechat-crypto.js +182 -0
package/dist/wechat.js +589 -0
package/dist/workspace-runtime-reset.js +35 -0
package/package.json +107 -0
package/shared/assistant-meta-footer.ts +127 -0
package/shared/channel-prefixes.ts +16 -0
package/shared/dist/assistant-meta-footer.d.ts +29 -0
package/shared/dist/assistant-meta-footer.js +85 -0
package/shared/dist/channel-prefixes.d.ts +4 -0
package/shared/dist/channel-prefixes.js +16 -0
package/shared/dist/image-detector.d.ts +20 -0
package/shared/dist/image-detector.js +96 -0
package/shared/dist/runtime-command-registry.d.ts +38 -0
package/shared/dist/runtime-command-registry.js +185 -0
package/shared/dist/stream-event.d.ts +65 -0
package/shared/dist/stream-event.js +8 -0
package/shared/dist/tool-step-display.d.ts +4 -0
package/shared/dist/tool-step-display.js +11 -0
package/shared/image-detector.ts +116 -0
package/shared/runtime-command-registry.ts +252 -0
package/shared/stream-event.ts +67 -0
package/shared/tool-step-display.ts +21 -0
package/shared/tsconfig.json +24 -0
package/web/dist/assets/BillingPage-B1wBR_o-.js +52 -0
package/web/dist/assets/ChatPage-6GBZ9nXN.css +32 -0
package/web/dist/assets/ChatPage-BOJcXtaj.js +161 -0
package/web/dist/assets/KaTeX_AMS-Regular-BQhdFMY1.woff2 +0 -0
package/web/dist/assets/KaTeX_AMS-Regular-DMm9YOAa.woff +0 -0
package/web/dist/assets/KaTeX_AMS-Regular-DRggAlZN.ttf +0 -0
package/web/dist/assets/KaTeX_Caligraphic-Bold-ATXxdsX0.ttf +0 -0
package/web/dist/assets/KaTeX_Caligraphic-Bold-BEiXGLvX.woff +0 -0
package/web/dist/assets/KaTeX_Caligraphic-Bold-Dq_IR9rO.woff2 +0 -0
package/web/dist/assets/KaTeX_Caligraphic-Regular-CTRA-rTL.woff +0 -0
package/web/dist/assets/KaTeX_Caligraphic-Regular-Di6jR-x-.woff2 +0 -0
package/web/dist/assets/KaTeX_Caligraphic-Regular-wX97UBjC.ttf +0 -0
package/web/dist/assets/KaTeX_Fraktur-Bold-BdnERNNW.ttf +0 -0
package/web/dist/assets/KaTeX_Fraktur-Bold-BsDP51OF.woff +0 -0
package/web/dist/assets/KaTeX_Fraktur-Bold-CL6g_b3V.woff2 +0 -0
package/web/dist/assets/KaTeX_Fraktur-Regular-CB_wures.ttf +0 -0
package/web/dist/assets/KaTeX_Fraktur-Regular-CTYiF6lA.woff2 +0 -0
package/web/dist/assets/KaTeX_Fraktur-Regular-Dxdc4cR9.woff +0 -0
package/web/dist/assets/KaTeX_Main-Bold-Cx986IdX.woff2 +0 -0
package/web/dist/assets/KaTeX_Main-Bold-Jm3AIy58.woff +0 -0
package/web/dist/assets/KaTeX_Main-Bold-waoOVXN0.ttf +0 -0
package/web/dist/assets/KaTeX_Main-BoldItalic-DxDJ3AOS.woff2 +0 -0
package/web/dist/assets/KaTeX_Main-BoldItalic-DzxPMmG6.ttf +0 -0
package/web/dist/assets/KaTeX_Main-BoldItalic-SpSLRI95.woff +0 -0
package/web/dist/assets/KaTeX_Main-Italic-3WenGoN9.ttf +0 -0
package/web/dist/assets/KaTeX_Main-Italic-BMLOBm91.woff +0 -0
package/web/dist/assets/KaTeX_Main-Italic-NWA7e6Wa.woff2 +0 -0
package/web/dist/assets/KaTeX_Main-Regular-B22Nviop.woff2 +0 -0
package/web/dist/assets/KaTeX_Main-Regular-Dr94JaBh.woff +0 -0
package/web/dist/assets/KaTeX_Main-Regular-ypZvNtVU.ttf +0 -0
package/web/dist/assets/KaTeX_Math-BoldItalic-B3XSjfu4.ttf +0 -0
package/web/dist/assets/KaTeX_Math-BoldItalic-CZnvNsCZ.woff2 +0 -0
package/web/dist/assets/KaTeX_Math-BoldItalic-iY-2wyZ7.woff +0 -0
package/web/dist/assets/KaTeX_Math-Italic-DA0__PXp.woff +0 -0
package/web/dist/assets/KaTeX_Math-Italic-flOr_0UB.ttf +0 -0
package/web/dist/assets/KaTeX_Math-Italic-t53AETM-.woff2 +0 -0
package/web/dist/assets/KaTeX_SansSerif-Bold-CFMepnvq.ttf +0 -0
package/web/dist/assets/KaTeX_SansSerif-Bold-D1sUS0GD.woff2 +0 -0
package/web/dist/assets/KaTeX_SansSerif-Bold-DbIhKOiC.woff +0 -0
package/web/dist/assets/KaTeX_SansSerif-Italic-C3H0VqGB.woff2 +0 -0
package/web/dist/assets/KaTeX_SansSerif-Italic-DN2j7dab.woff +0 -0
package/web/dist/assets/KaTeX_SansSerif-Italic-YYjJ1zSn.ttf +0 -0
package/web/dist/assets/KaTeX_SansSerif-Regular-BNo7hRIc.ttf +0 -0
package/web/dist/assets/KaTeX_SansSerif-Regular-CS6fqUqJ.woff +0 -0
package/web/dist/assets/KaTeX_SansSerif-Regular-DDBCnlJ7.woff2 +0 -0
package/web/dist/assets/KaTeX_Script-Regular-C5JkGWo-.ttf +0 -0
package/web/dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 +0 -0
package/web/dist/assets/KaTeX_Script-Regular-D5yQViql.woff +0 -0
package/web/dist/assets/KaTeX_Size1-Regular-C195tn64.woff +0 -0
package/web/dist/assets/KaTeX_Size1-Regular-Dbsnue_I.ttf +0 -0
package/web/dist/assets/KaTeX_Size1-Regular-mCD8mA8B.woff2 +0 -0
package/web/dist/assets/KaTeX_Size2-Regular-B7gKUWhC.ttf +0 -0
package/web/dist/assets/KaTeX_Size2-Regular-Dy4dx90m.woff2 +0 -0
package/web/dist/assets/KaTeX_Size2-Regular-oD1tc_U0.woff +0 -0
package/web/dist/assets/KaTeX_Size3-Regular-CTq5MqoE.woff +0 -0
package/web/dist/assets/KaTeX_Size3-Regular-DgpXs0kz.ttf +0 -0
package/web/dist/assets/KaTeX_Size4-Regular-BF-4gkZK.woff +0 -0
package/web/dist/assets/KaTeX_Size4-Regular-DWFBv043.ttf +0 -0
package/web/dist/assets/KaTeX_Size4-Regular-Dl5lxZxV.woff2 +0 -0
package/web/dist/assets/KaTeX_Typewriter-Regular-C0xS9mPB.woff +0 -0
package/web/dist/assets/KaTeX_Typewriter-Regular-CO6r4hn1.woff2 +0 -0
package/web/dist/assets/KaTeX_Typewriter-Regular-D3Ib7_Hf.ttf +0 -0
package/web/dist/assets/SettingsPage-DoY7FoZ_.js +153 -0
package/web/dist/assets/ShareImageDialog-C1ga8b7l.js +22 -0
package/web/dist/assets/TasksPage-CRivnNsx.js +14 -0
package/web/dist/assets/_basePickBy-Bf-bSoS9.js +1 -0
package/web/dist/assets/_baseUniq-zAOaCuKw.js +1 -0
package/web/dist/assets/arc-Dm9mVQ9U.js +1 -0
package/web/dist/assets/architectureDiagram-2XIMDMQ5-BLmzX1wr.js +36 -0
package/web/dist/assets/band-CquvqAHh.js +1 -0
package/web/dist/assets/blockDiagram-WCTKOSBZ-B9pcqm3j.js +132 -0
package/web/dist/assets/c4Diagram-IC4MRINW-Cytx1q3b.js +10 -0
package/web/dist/assets/channel-BOVj73LR.js +1 -0
package/web/dist/assets/channel-meta-CQD0Pei-.js +41 -0
package/web/dist/assets/chunk-4BX2VUAB-0ToDr6RE.js +1 -0
package/web/dist/assets/chunk-55IACEB6-DQDjnXfS.js +1 -0
package/web/dist/assets/chunk-FMBD7UC4-Di8ABm6c.js +15 -0
package/web/dist/assets/chunk-JSJVCQXG-BZQN6rnX.js +1 -0
package/web/dist/assets/chunk-KX2RTZJC-zBbcpaN_.js +1 -0
package/web/dist/assets/chunk-NQ4KR5QH-BCrLoU88.js +220 -0
package/web/dist/assets/chunk-QZHKN3VN-Bqk8juan.js +1 -0
package/web/dist/assets/chunk-WL4C6EOR-D2YX-MHY.js +189 -0
package/web/dist/assets/classDiagram-VBA2DB6C-DUUoMyaK.js +1 -0
package/web/dist/assets/classDiagram-v2-RAHNMMFH-DUUoMyaK.js +1 -0
package/web/dist/assets/clone-BmaCesfa.js +1 -0
package/web/dist/assets/cose-bilkent-S5V4N54A-CTsv6qQA.js +1 -0
package/web/dist/assets/cytoscape.esm-BQaXIfA_.js +331 -0
package/web/dist/assets/dagre-KLK3FWXG-Ci4Jh9nu.js +4 -0
package/web/dist/assets/defaultLocale-DX6XiGOO.js +1 -0
package/web/dist/assets/diagram-E7M64L7V-BFRnfTI2.js +24 -0
package/web/dist/assets/diagram-IFDJBPK2-B7Zhnp0b.js +43 -0
package/web/dist/assets/diagram-P4PSJMXO-BVyP7nwq.js +24 -0
package/web/dist/assets/erDiagram-INFDFZHY-NorKdTOF.js +70 -0
package/web/dist/assets/error-CGD5mp5f.js +1 -0
package/web/dist/assets/flowDiagram-PKNHOUZH-Ch97nABF.js +162 -0
package/web/dist/assets/ganttDiagram-A5KZAMGK-BQ2pLWsy.js +292 -0
package/web/dist/assets/gitGraphDiagram-K3NZZRJ6-bcvnBsD2.js +65 -0
package/web/dist/assets/graph-CeAEckur.js +1 -0
package/web/dist/assets/index-CPnL1_qC.js +768 -0
package/web/dist/assets/index-DVevCbcO.css +10 -0
package/web/dist/assets/infoDiagram-LFFYTUFH-CcsrFdj-.js +2 -0
package/web/dist/assets/init-Dmth1JHB.js +1 -0
package/web/dist/assets/ishikawaDiagram-PHBUUO56-1upyMfHN.js +70 -0
package/web/dist/assets/journeyDiagram-4ABVD52K-CKUi-V0c.js +139 -0
package/web/dist/assets/kanban-definition-K7BYSVSG-DOnQwXfL.js +89 -0
package/web/dist/assets/layout-BmMMqTnJ.js +1 -0
package/web/dist/assets/linear-DiaJloY5.js +1 -0
package/web/dist/assets/mermaid.core-BWLV1B2v.js +254 -0
package/web/dist/assets/mindmap-definition-YRQLILUH-BeAKHVWP.js +68 -0
package/web/dist/assets/ordinal-DILIJJjt.js +1 -0
package/web/dist/assets/pieDiagram-SKSYHLDU-DfiMSfWo.js +30 -0
package/web/dist/assets/quadrantDiagram-337W2JSQ-wZxZOJxd.js +7 -0
package/web/dist/assets/requirementDiagram-Z7DCOOCP-BK4HHm17.js +73 -0
package/web/dist/assets/sankeyDiagram-WA2Y5GQK-BX6t2avX.js +10 -0
package/web/dist/assets/sequenceDiagram-2WXFIKYE-BPQlkbAa.js +145 -0
package/web/dist/assets/sheet-rI0FfB1g.js +6 -0
package/web/dist/assets/sliders-horizontal-CuijWFNK.js +6 -0
package/web/dist/assets/sparkles-BsMYXJoT.js +11 -0
package/web/dist/assets/square-0CqMX1Q3.js +11 -0
package/web/dist/assets/stateDiagram-RAJIS63D-DxkV0Vwd.js +1 -0
package/web/dist/assets/stateDiagram-v2-FVOUBMTO-qLYoiOPe.js +1 -0
package/web/dist/assets/step-D51IIHGA.js +1 -0
package/web/dist/assets/tasks-D8JjBTwx.js +1 -0
package/web/dist/assets/time-O8zIGux3.js +1 -0
package/web/dist/assets/timeline-definition-YZTLITO2-kNp1DyFc.js +61 -0
package/web/dist/assets/treemap-KZPCXAKY-CkrClVhk.js +162 -0
package/web/dist/assets/utils-KGAn0XTg.js +11 -0
package/web/dist/assets/vennDiagram-LZ73GAT5-CgdzEZz4.js +34 -0
package/web/dist/assets/xychartDiagram-JWTSCODW-DfYGPfNB.js +7 -0
package/web/dist/assets/zap-_hKJYy7J.js +6 -0
package/web/dist/favicon.svg +332 -0
package/web/dist/fonts/AlibabaPuHuiTi-3-55-Regular.woff2 +0 -0
package/web/dist/fonts/AlibabaPuHuiTi-3-65-Medium.woff2 +0 -0
package/web/dist/fonts/AlibabaPuHuiTi-3-75-SemiBold.woff2 +0 -0
package/web/dist/fonts/DMSans-latin-ext.woff2 +0 -0
package/web/dist/fonts/DMSans-latin.woff2 +0 -0
package/web/dist/icons/README.md +20 -0
package/web/dist/icons/apple-touch-icon-180.png +0 -0
package/web/dist/icons/icon-128.png +0 -0
package/web/dist/icons/icon-144.png +0 -0
package/web/dist/icons/icon-152.png +0 -0
package/web/dist/icons/icon-192.png +0 -0
package/web/dist/icons/icon-192.svg +332 -0
package/web/dist/icons/icon-384.png +0 -0
package/web/dist/icons/icon-48.png +0 -0
package/web/dist/icons/icon-512-maskable.png +0 -0
package/web/dist/icons/icon-512.png +0 -0
package/web/dist/icons/icon-512.svg +332 -0
package/web/dist/icons/icon-72.png +0 -0
package/web/dist/icons/icon-96.png +0 -0
package/web/dist/icons/loading-logo.svg +332 -0
package/web/dist/icons/logo-1024.png +0 -0
package/web/dist/icons/logo-icon.svg +332 -0
package/web/dist/icons/logo-text.svg +332 -0
package/web/dist/index.html +30 -0
package/web/dist/manifest.webmanifest +1 -0
package/web/dist/registerSW.js +1 -0
package/web/dist/sw.js +1 -0
package/web/dist/workbox-08d6266a.js +1 -0

package/dist/routes/browse.js ADDED Viewed

@@ -0,0 +1,210 @@
+import { Hono } from 'hono';
+import fs from 'node:fs';
+import path from 'node:path';
+import { hasHostExecutionPermission } from '../web-context.js';
+import { authMiddleware } from '../middleware/auth.js';
+import { logger } from '../logger.js';
+import { loadMountAllowlist, expandPath, findAllowedRoot, matchesBlockedPattern, } from '../mount-security.js';
+const MAX_ENTRIES = 200;
+const browseRoutes = new Hono();
+/**
+ * List subdirectories of a given path, filtering hidden dirs and blocked patterns.
+ */
+function listSubdirectories(dirPath, blockedPatterns) {
+    let entries;
+    try {
+        entries = fs.readdirSync(dirPath, { withFileTypes: true });
+    }
+    catch {
+        return [];
+    }
+    const dirs = [];
+    for (const entry of entries) {
+        if (!entry.isDirectory())
+            continue;
+        // Skip hidden directories
+        if (entry.name.startsWith('.'))
+            continue;
+        // Skip blocked patterns
+        const fullPath = path.join(dirPath, entry.name);
+        if (matchesBlockedPattern(fullPath, blockedPatterns) !== null)
+            continue;
+        // Check if has subdirectories (for expand indicator)
+        let hasChildren = false;
+        try {
+            const children = fs.readdirSync(fullPath, { withFileTypes: true });
+            hasChildren = children.some((c) => c.isDirectory() && !c.name.startsWith('.'));
+        }
+        catch {
+            // Permission denied or other error — treat as no children
+        }
+        dirs.push({ name: entry.name, path: fullPath, hasChildren });
+        if (dirs.length >= MAX_ENTRIES)
+            break;
+    }
+    dirs.sort((a, b) => a.name.localeCompare(b.name));
+    return dirs;
+}
+// GET /api/browse/directories?path=xxx
+browseRoutes.get('/directories', authMiddleware, (c) => {
+    const authUser = c.get('user');
+    if (!hasHostExecutionPermission(authUser)) {
+        return c.json({ error: 'Insufficient permissions' }, 403);
+    }
+    const requestedPath = c.req.query('path');
+    const allowlist = loadMountAllowlist();
+    const blockedPatterns = allowlist?.blockedPatterns ?? [];
+    const hasAllowlist = allowlist !== null && allowlist.allowedRoots.length > 0;
+    // No path → return root listing
+    if (!requestedPath) {
+        if (hasAllowlist) {
+            // Return allowlist roots as top-level entries
+            const roots = [];
+            for (const root of allowlist.allowedRoots) {
+                const expanded = expandPath(root.path);
+                let realPath;
+                try {
+                    realPath = fs.realpathSync(expanded);
+                }
+                catch {
+                    continue; // Root doesn't exist, skip
+                }
+                if (!fs.existsSync(realPath) || !fs.statSync(realPath).isDirectory())
+                    continue;
+                let hasChildren = false;
+                try {
+                    const children = fs.readdirSync(realPath, { withFileTypes: true });
+                    hasChildren = children.some((ch) => ch.isDirectory() && !ch.name.startsWith('.'));
+                }
+                catch {
+                    /* ignore */
+                }
+                roots.push({
+                    name: root.description || path.basename(realPath),
+                    path: realPath,
+                    hasChildren,
+                });
+            }
+            return c.json({
+                currentPath: null,
+                parentPath: null,
+                directories: roots,
+                hasAllowlist: true,
+            });
+        }
+        // No allowlist → return HOME directory
+        const homeDir = process.env.HOME || '/';
+        return c.json({
+            currentPath: homeDir,
+            parentPath: homeDir === '/' ? null : path.dirname(homeDir),
+            directories: listSubdirectories(homeDir, blockedPatterns),
+            hasAllowlist: false,
+        });
+    }
+    // Validate path
+    if (!path.isAbsolute(requestedPath)) {
+        return c.json({ error: 'Path must be absolute' }, 400);
+    }
+    let realPath;
+    try {
+        realPath = fs.realpathSync(requestedPath);
+    }
+    catch {
+        return c.json({ error: 'Path does not exist' }, 400);
+    }
+    if (!fs.statSync(realPath).isDirectory()) {
+        return c.json({ error: 'Path is not a directory' }, 400);
+    }
+    // Allowlist range check
+    if (hasAllowlist) {
+        const root = findAllowedRoot(realPath, allowlist.allowedRoots);
+        if (!root) {
+            return c.json({ error: 'Path is not within allowed roots' }, 403);
+        }
+    }
+    // Compute parentPath
+    let parentPath = path.dirname(realPath);
+    if (parentPath === realPath) {
+        // At filesystem root
+        parentPath = null;
+    }
+    else if (hasAllowlist) {
+        // Check if parent is still within an allowed root
+        const parentRoot = findAllowedRoot(parentPath, allowlist.allowedRoots);
+        if (!parentRoot) {
+            // Parent is outside allowed roots — return null to go back to root listing
+            parentPath = null;
+        }
+    }
+    return c.json({
+        currentPath: realPath,
+        parentPath,
+        directories: listSubdirectories(realPath, blockedPatterns),
+        hasAllowlist,
+    });
+});
+// POST /api/browse/directories — create a new folder
+browseRoutes.post('/directories', authMiddleware, async (c) => {
+    const authUser = c.get('user');
+    if (!hasHostExecutionPermission(authUser)) {
+        return c.json({ error: 'Insufficient permissions' }, 403);
+    }
+    const body = await c.req.json().catch(() => ({}));
+    const { parentPath, name } = body;
+    if (!parentPath || typeof parentPath !== 'string') {
+        return c.json({ error: 'parentPath is required' }, 400);
+    }
+    if (!name || typeof name !== 'string') {
+        return c.json({ error: 'name is required' }, 400);
+    }
+    // Validate name
+    if (name.includes('/') || name.includes('..') || name.startsWith('.')) {
+        return c.json({ error: 'Invalid folder name: must not contain /, .., or start with .' }, 400);
+    }
+    if (!path.isAbsolute(parentPath)) {
+        return c.json({ error: 'parentPath must be absolute' }, 400);
+    }
+    let realParent;
+    try {
+        realParent = fs.realpathSync(parentPath);
+    }
+    catch {
+        return c.json({ error: 'Parent path does not exist' }, 400);
+    }
+    if (!fs.statSync(realParent).isDirectory()) {
+        return c.json({ error: 'Parent path is not a directory' }, 400);
+    }
+    // Allowlist range check
+    const allowlist = loadMountAllowlist();
+    const hasAllowlist = allowlist !== null && allowlist.allowedRoots.length > 0;
+    if (hasAllowlist) {
+        const root = findAllowedRoot(realParent, allowlist.allowedRoots);
+        if (!root) {
+            return c.json({ error: 'Parent path is not within allowed roots' }, 403);
+        }
+    }
+    // Blocked patterns check
+    const blockedPatterns = allowlist?.blockedPatterns ?? [];
+    const targetPath = path.join(realParent, name);
+    if (matchesBlockedPattern(targetPath, blockedPatterns) !== null) {
+        return c.json({ error: 'Folder name matches a blocked pattern' }, 400);
+    }
+    // Check if already exists
+    if (fs.existsSync(targetPath)) {
+        return c.json({ error: 'Directory already exists' }, 400);
+    }
+    try {
+        fs.mkdirSync(targetPath, { recursive: false });
+        logger.info({ path: targetPath }, 'Directory created via browse API');
+    }
+    catch (err) {
+        logger.error({ err, path: targetPath }, 'Failed to create directory');
+        return c.json({ error: 'Failed to create directory' }, 500);
+    }
+    return c.json({
+        name,
+        path: targetPath,
+        hasChildren: false,
+    });
+});
+export default browseRoutes;

package/dist/routes/bug-report.js ADDED Viewed

@@ -0,0 +1,387 @@
+import { execFile } from 'child_process';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { promisify } from 'util';
+import { Hono } from 'hono';
+import { APP_ROOT, resolveAppPath } from '../app-root.js';
+import { DATA_DIR } from '../config.js';
+import { getUserHomeGroup } from '../db.js';
+import { getClaudeProviderConfig } from '../runtime-config.js';
+import { sdkQuery } from '../sdk-query.js';
+import { logger } from '../logger.js';
+import { authMiddleware } from '../middleware/auth.js';
+import { BugReportGenerateSchema, BugReportSubmitSchema } from '../schemas.js';
+import { getWebDeps } from '../web-context.js';
+const execFileAsync = promisify(execFile);
+const bugReportRoutes = new Hono();
+// --- Rate limiting (60s per user) ---
+const cooldowns = new Map();
+const COOLDOWN_MS = 60_000;
+const generateCooldowns = new Map();
+const GENERATE_COOLDOWN_MS = 30_000;
+function checkCooldown(userId, map = cooldowns, cooldownMs = COOLDOWN_MS) {
+    const last = map.get(userId);
+    if (last) {
+        const remaining = cooldownMs - (Date.now() - last);
+        if (remaining > 0) {
+            return `请等待 ${Math.ceil(remaining / 1000)} 秒后再试`;
+        }
+    }
+    return null;
+}
+// --- Capability detection (cached 5min) ---
+let capCache = null;
+const CAP_CACHE_TTL = 5 * 60 * 1000;
+async function checkCapabilities() {
+    if (capCache && Date.now() - capCache.checkedAt < CAP_CACHE_TTL) {
+        return {
+            ghAvailable: capCache.ghAvailable,
+            ghUsername: capCache.ghUsername,
+            claudeAvailable: capCache.claudeAvailable,
+        };
+    }
+    const [gh] = await Promise.all([
+        execFileAsync('gh', ['auth', 'status'], { timeout: 5000 })
+            .then(() => true)
+            .catch(() => false),
+    ]);
+    // Claude availability is determined by provider config, not CLI presence
+    const providerConfig = getClaudeProviderConfig();
+    const claude = !!(providerConfig.anthropicApiKey ||
+        providerConfig.claudeCodeOauthToken ||
+        providerConfig.claudeOAuthCredentials);
+    // Get gh username if available
+    let ghUsername = null;
+    if (gh) {
+        try {
+            const { stdout } = await execFileAsync('gh', ['api', 'user', '--jq', '.login'], { timeout: 5000 });
+            ghUsername = stdout.trim() || null;
+        }
+        catch {
+            // gh available but can't get username
+        }
+    }
+    capCache = {
+        ghAvailable: gh,
+        ghUsername,
+        claudeAvailable: claude,
+        checkedAt: Date.now(),
+    };
+    return { ghAvailable: gh, ghUsername, claudeAvailable: claude };
+}
+// --- Helpers ---
+function getVersion() {
+    try {
+        const pkg = JSON.parse(fs.readFileSync(resolveAppPath('package.json'), 'utf-8'));
+        return pkg.version || 'unknown';
+    }
+    catch {
+        return 'unknown';
+    }
+}
+function readRecentLogs(folder, maxLines = 50) {
+    const logsDir = path.join(DATA_DIR, 'groups', folder, 'logs');
+    try {
+        if (!fs.existsSync(logsDir))
+            return '(no logs directory)';
+        const files = fs
+            .readdirSync(logsDir)
+            .filter((f) => f.endsWith('.log'))
+            .sort()
+            .reverse();
+        if (files.length === 0)
+            return '(no log files)';
+        const latestFile = path.join(logsDir, files[0]);
+        const content = fs.readFileSync(latestFile, 'utf-8');
+        const lines = content.split('\n');
+        return lines.slice(-maxLines).join('\n');
+    }
+    catch {
+        return '(failed to read logs)';
+    }
+}
+/** Mask environment variable values in log text */
+function sanitizeLogs(text) {
+    let result = text;
+    // Replace absolute paths to project root and home directory with placeholders
+    const projectRoot = APP_ROOT;
+    const homeDir = os.homedir();
+    // Replace longer path first to avoid partial replacement
+    if (projectRoot.startsWith(homeDir)) {
+        result = result.replaceAll(projectRoot, '<project>');
+        result = result.replaceAll(homeDir, '<home>');
+    }
+    else {
+        result = result.replaceAll(homeDir, '<home>');
+        result = result.replaceAll(projectRoot, '<project>');
+    }
+    // Generic pattern matching any env var name containing sensitive keywords
+    const sensitivePattern = /(\b\w*(?:token|password|passwd|secret|api[_-]?key|auth[_-]?token|authorization|cookie|credential|private[_-]?key|access[_-]?key|app[_-]?secret)\w*)[=:]\s*\S+/gi;
+    result = result.replace(sensitivePattern, '$1=***');
+    return result;
+}
+function buildGeneratePrompt(description, systemInfo, logs, screenshotCount) {
+    const sysInfoText = Object.entries(systemInfo)
+        .map(([k, v]) => `- ${k}: ${v}`)
+        .join('\n');
+    const screenshotNote = screenshotCount > 0
+        ? `\n\n## 附加截图\n用户附加了 ${screenshotCount} 张截图（截图内容无法在此展示）。请在 Issue 正文末尾添加提示：「报告者附加了 ${screenshotCount} 张截图，如需查看请联系报告者。」`
+        : '';
+    return `你是一个 Bug 报告助手，帮用户将 bug 描述整理为结构化的 GitHub Issue。
+## 用户描述
+${description}${screenshotNote}
+## 系统信息
+${sysInfoText}
+## 最近日志（最后 50 行）
+\`\`\`
+${logs}
+\`\`\`
+请生成一个结构化的 GitHub Issue。输出**纯 JSON**（不要 markdown 代码块），包含两个字段：
+- "title": 简洁的 issue 标题，格式为 "bug: 简要描述"（小写 bug: 前缀，不超过 80 字符）
+- "body": 结构化的 Markdown 正文，严格按照以下模板：
+  ## 用户现象
+  （从用户视角描述看到了什么、体验上有什么异常）
+  ## 问题描述
+  （从技术视角简要说明发生了什么）
+  ## 复现路径
+  1. 步骤一
+  2. 步骤二
+  3. 期望行为 vs 实际行为
+  （如果能从描述和日志推断出复现步骤就写，无法推断则省略此章节）
+  ## 根因（可选）
+  （如果能从日志分析出代码层面的原因就写，否则省略）
+  ## 影响
+  （对用户体验/数据/安全的影响）
+  ## 环境信息
+  （系统信息表格）
+  ## 相关日志
+  （如有错误日志，摘录关键部分）
+只输出 JSON，不要其他内容。`;
+}
+function buildFallbackReport(description, systemInfo, logs) {
+    const sysInfoTable = Object.entries(systemInfo)
+        .map(([k, v]) => `| ${k} | ${v} |`)
+        .join('\n');
+    const body = `## 用户现象
+${description}
+## 问题描述
+（待补充技术分析）
+## 影响
+（待补充）
+## 环境信息
+| 项目 | 值 |
+|------|-----|
+${sysInfoTable}
+## 相关日志
+\`\`\`
+${logs.slice(0, 3000)}
+\`\`\`
+`;
+    return {
+        title: `bug: ${description.slice(0, 70)}`,
+        body,
+    };
+}
+/** Try multiple strategies to extract JSON { title, body } from Claude output */
+function tryParseJsonOutput(raw) {
+    const candidates = [];
+    // Strategy 1: strip markdown fencing (greedy to handle nested backticks)
+    const fenceMatch = raw.match(/```(?:json)?\s*([\s\S]*?)```\s*$/);
+    if (fenceMatch)
+        candidates.push(fenceMatch[1].trim());
+    // Strategy 2: extract first { ... } block
+    const braceMatch = raw.match(/\{[\s\S]*\}/);
+    if (braceMatch)
+        candidates.push(braceMatch[0]);
+    // Strategy 3: raw string as-is
+    candidates.push(raw.trim());
+    for (const candidate of candidates) {
+        try {
+            const parsed = JSON.parse(candidate);
+            if (typeof parsed === 'object' && parsed !== null && parsed.body) {
+                return parsed;
+            }
+        }
+        catch {
+            // try next candidate
+        }
+    }
+    return null;
+}
+// ========== Routes ==========
+/**
+ * GET /api/bug-report/capabilities
+ * Check what tools are available for bug reporting
+ */
+bugReportRoutes.get('/capabilities', authMiddleware, async (c) => {
+    const caps = await checkCapabilities();
+    return c.json(caps);
+});
+/**
+ * POST /api/bug-report/generate
+ * Analyze the bug with Claude and generate a structured report
+ */
+bugReportRoutes.post('/generate', authMiddleware, async (c) => {
+    const user = c.get('user');
+    // Rate limiting — 30s cooldown per user for generate
+    const generateCooldownMsg = checkCooldown(user.id, generateCooldowns, GENERATE_COOLDOWN_MS);
+    if (generateCooldownMsg) {
+        return c.json({ error: generateCooldownMsg }, 429);
+    }
+    const parseResult = BugReportGenerateSchema.safeParse(await c.req.json());
+    if (!parseResult.success) {
+        return c.json({ error: 'Invalid request', details: parseResult.error.issues }, 400);
+    }
+    const { description, screenshots } = parseResult.data;
+    // Set cooldown immediately to prevent concurrent requests
+    generateCooldowns.set(user.id, Date.now());
+    // Collect system info
+    const homeGroup = getUserHomeGroup(user.id);
+    const folder = homeGroup?.folder || 'main';
+    const deps = getWebDeps();
+    const queueStatus = deps?.queue.getStatus();
+    const systemInfo = {
+        'cli-claw版本': getVersion(),
+        'Node.js': process.version,
+        操作系统: `${os.platform()} ${os.release()}`,
+        架构: os.arch(),
+        活跃容器数: String(queueStatus?.activeContainerCount ?? 'N/A'),
+        活跃宿主机进程: String(queueStatus?.activeHostProcessCount ?? 'N/A'),
+        等待队列: String(queueStatus?.waitingCount ?? 'N/A'),
+        截图数量: String(screenshots?.length || 0),
+    };
+    // Read recent logs
+    const rawLogs = readRecentLogs(folder);
+    const logs = sanitizeLogs(rawLogs);
+    // Try Claude analysis
+    const caps = await checkCapabilities();
+    if (!caps.claudeAvailable) {
+        logger.info('bug-report: claude CLI not available, using fallback template');
+        const fallback = buildFallbackReport(description, systemInfo, logs);
+        return c.json({ ...fallback, systemInfo });
+    }
+    const prompt = buildGeneratePrompt(description, systemInfo, logs, screenshots?.length || 0);
+    try {
+        logger.info({ promptLen: prompt.length, userId: user.id }, 'bug-report: invoking Claude SDK');
+        const model = process.env.RECALL_MODEL || undefined;
+        const result = await sdkQuery(prompt, { model, timeout: 60_000 });
+        if (!result) {
+            const fallback = buildFallbackReport(description, systemInfo, logs);
+            return c.json({ ...fallback, systemInfo });
+        }
+        // Try to parse Claude's JSON output
+        const parsed = tryParseJsonOutput(result);
+        if (parsed?.body) {
+            return c.json({
+                title: parsed.title || `Bug: ${description.slice(0, 70)}`,
+                body: parsed.body,
+                systemInfo,
+            });
+        }
+        // Claude didn't return valid JSON, use raw output as body
+        logger.info('bug-report: claude output was not valid JSON, using as raw body');
+        return c.json({
+            title: `Bug: ${description.slice(0, 70)}`,
+            body: result,
+            systemInfo,
+        });
+    }
+    catch (err) {
+        logger.error({ error: err.message }, 'bug-report: unexpected error during generation');
+        const fallback = buildFallbackReport(description, systemInfo, logs);
+        return c.json({ ...fallback, systemInfo });
+    }
+});
+/**
+ * POST /api/bug-report/submit
+ * Create a GitHub issue or return a pre-filled URL
+ */
+bugReportRoutes.post('/submit', authMiddleware, async (c) => {
+    const user = c.get('user');
+    // Rate limiting — only on actual issue submission
+    const cooldownMsg = checkCooldown(user.id);
+    if (cooldownMsg) {
+        return c.json({ error: cooldownMsg }, 429);
+    }
+    const parseResult = BugReportSubmitSchema.safeParse(await c.req.json());
+    if (!parseResult.success) {
+        return c.json({ error: 'Invalid request', details: parseResult.error.issues }, 400);
+    }
+    const { title, body } = parseResult.data;
+    // Append submitter info
+    const fullBody = `${body}\n\n---\n> Submitted via cli-claw by ${user.display_name || user.username}`;
+    // Try gh CLI first
+    const caps = await checkCapabilities();
+    if (caps.ghAvailable) {
+        try {
+            logger.info({ userId: user.id }, 'bug-report: attempting gh issue create');
+            const result = await new Promise((resolve, reject) => {
+                const child = execFile('gh', [
+                    'issue',
+                    'create',
+                    '--repo',
+                    'RyanProMax/cli-claw',
+                    '--title',
+                    title,
+                    '--body-file',
+                    '-',
+                ], { timeout: 30000, maxBuffer: 1024 * 1024 }, (err, stdout, stderr) => {
+                    if (err) {
+                        logger.warn({
+                            message: err.message?.slice(0, 200),
+                            stderr: stderr?.slice(0, 300),
+                        }, 'bug-report: gh issue create failed');
+                        reject(err);
+                        return;
+                    }
+                    resolve(stdout.trim());
+                });
+                child.stdin?.write(fullBody);
+                child.stdin?.end();
+            });
+            // gh outputs the issue URL on success
+            const urlMatch = result.match(/https:\/\/github\.com\/[^\s]+\/issues\/\d+/);
+            const url = urlMatch ? urlMatch[0] : result;
+            logger.info({ url, userId: user.id }, 'bug-report: issue created via gh');
+            cooldowns.set(user.id, Date.now());
+            return c.json({ method: 'created', url });
+        }
+        catch {
+            // Fall through to manual URL
+            logger.info('bug-report: gh failed, falling back to manual URL');
+        }
+    }
+    // Fallback: pre-filled GitHub URL
+    const maxBodyLen = 6000; // conservative limit for URL length
+    const truncatedBody = fullBody.length > maxBodyLen
+        ? fullBody.slice(0, maxBodyLen) +
+            '\n\n...(内容过长已截断，请补充完整信息)'
+        : fullBody;
+    const url = `https://github.com/RyanProMax/cli-claw/issues/new?title=${encodeURIComponent(title)}&body=${encodeURIComponent(truncatedBody)}`;
+    logger.info({ userId: user.id }, 'bug-report: returning pre-filled URL');
+    cooldowns.set(user.id, Date.now());
+    return c.json({ method: 'manual', url });
+});
+export default bugReportRoutes;