npm - codeharbor - Versions diffs - 0.1.10 → 0.1.11 - Mend

codeharbor 0.1.10 → 0.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -353,9 +353,10 @@ Note: `PUT /api/admin/config/global` writes to `.env` and marks changes as resta
 1. Start server: `codeharbor admin serve`.
 2. Open `/settings/global`, set `Admin Token` (if enabled), then click `Save Auth`.
 3. Adjust global fields and click `Save Global Config` (UI shows restart-required warning).
-4. Open `/settings/rooms`, fill `Room ID + Workdir`, then `Save Room`.
-5. Open `/health` to run connectivity checks (`codex` + Matrix).
-6. Open `/audit` to verify config revisions (actor/summary/payload).
+4. Use `Restart Main Service` or `Restart Main + Admin` buttons for one-click restart from Admin UI (requires root-capable service context).
+5. Open `/settings/rooms`, fill `Room ID + Workdir`, then `Save Room`.
+6. Open `/health` to run connectivity checks (`codex` + Matrix).
+7. Open `/audit` to verify config revisions (actor/summary/payload).
 ## Standalone Admin Deployment

package/dist/cli.js CHANGED Viewed

@@ -30,14 +30,14 @@ var import_node_path12 = __toESM(require("path"));
 var import_commander = require("commander");
 // src/app.ts
-var import_node_child_process3 = require("child_process");
+var import_node_child_process4 = require("child_process");
 var import_node_util2 = require("util");
 // src/admin-server.ts
-var import_node_child_process = require("child_process");
-var import_node_fs2 = __toESM(require("fs"));
+var import_node_child_process2 = require("child_process");
+var import_node_fs4 = __toESM(require("fs"));
 var import_node_http = __toESM(require("http"));
-var import_node_path2 = __toESM(require("path"));
+var import_node_path4 = __toESM(require("path"));
 var import_node_util = require("util");
 // src/init.ts
@@ -220,117 +220,413 @@ async function askYesNo(rl, question, defaultValue) {
   return answer === "y" || answer === "yes";
 }
-// src/admin-server.ts
-var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
-var HttpError = class extends Error {
-  statusCode;
-  constructor(statusCode, message) {
-    super(message);
-    this.statusCode = statusCode;
+// src/service-manager.ts
+var import_node_child_process = require("child_process");
+var import_node_fs3 = __toESM(require("fs"));
+var import_node_os2 = __toESM(require("os"));
+var import_node_path3 = __toESM(require("path"));
+// src/runtime-home.ts
+var import_node_fs2 = __toESM(require("fs"));
+var import_node_os = __toESM(require("os"));
+var import_node_path2 = __toESM(require("path"));
+var LEGACY_RUNTIME_HOME = "/opt/codeharbor";
+var USER_RUNTIME_HOME_DIR = ".codeharbor";
+var DEFAULT_RUNTIME_HOME = import_node_path2.default.resolve(import_node_os.default.homedir(), USER_RUNTIME_HOME_DIR);
+var RUNTIME_HOME_ENV_KEY = "CODEHARBOR_HOME";
+function resolveRuntimeHome(env = process.env) {
+  const configured = env[RUNTIME_HOME_ENV_KEY]?.trim();
+  if (configured) {
+    return import_node_path2.default.resolve(configured);
   }
-};
-var AdminServer = class {
-  config;
-  logger;
-  stateStore;
-  configService;
-  host;
-  port;
-  adminToken;
-  adminIpAllowlist;
-  adminAllowedOrigins;
-  cwd;
-  checkCodex;
-  checkMatrix;
-  server = null;
-  address = null;
-  constructor(config, logger, stateStore, configService, options) {
-    this.config = config;
-    this.logger = logger;
-    this.stateStore = stateStore;
-    this.configService = configService;
-    this.host = options.host;
-    this.port = options.port;
-    this.adminToken = options.adminToken;
-    this.adminIpAllowlist = normalizeAllowlist(options.adminIpAllowlist ?? []);
-    this.adminAllowedOrigins = normalizeOriginAllowlist(options.adminAllowedOrigins ?? []);
-    this.cwd = options.cwd ?? process.cwd();
-    this.checkCodex = options.checkCodex ?? defaultCheckCodex;
-    this.checkMatrix = options.checkMatrix ?? defaultCheckMatrix;
+  const legacyEnvPath = import_node_path2.default.resolve(LEGACY_RUNTIME_HOME, ".env");
+  if (import_node_fs2.default.existsSync(legacyEnvPath)) {
+    return LEGACY_RUNTIME_HOME;
   }
-  getAddress() {
-    return this.address;
+  return resolveUserRuntimeHome(env);
+}
+function resolveUserRuntimeHome(env = process.env) {
+  const home = env.HOME?.trim() || import_node_os.default.homedir();
+  return import_node_path2.default.resolve(home, USER_RUNTIME_HOME_DIR);
+}
+// src/service-manager.ts
+var SYSTEMD_DIR = "/etc/systemd/system";
+var MAIN_SERVICE_NAME = "codeharbor.service";
+var ADMIN_SERVICE_NAME = "codeharbor-admin.service";
+function resolveDefaultRunUser(env = process.env) {
+  const sudoUser = env.SUDO_USER?.trim();
+  if (sudoUser) {
+    return sudoUser;
   }
-  async start() {
-    if (this.server) {
-      return;
+  const user = env.USER?.trim();
+  if (user) {
+    return user;
+  }
+  try {
+    return import_node_os2.default.userInfo().username;
+  } catch {
+    return "root";
+  }
+}
+function resolveRuntimeHomeForUser(runUser, env = process.env, explicitRuntimeHome) {
+  const configuredRuntimeHome = explicitRuntimeHome?.trim() || env[RUNTIME_HOME_ENV_KEY]?.trim();
+  if (configuredRuntimeHome) {
+    return import_node_path3.default.resolve(configuredRuntimeHome);
+  }
+  const userHome = resolveUserHome(runUser);
+  if (userHome) {
+    return import_node_path3.default.resolve(userHome, USER_RUNTIME_HOME_DIR);
+  }
+  return import_node_path3.default.resolve(import_node_os2.default.homedir(), USER_RUNTIME_HOME_DIR);
+}
+function buildMainServiceUnit(options) {
+  validateUnitOptions(options);
+  const runtimeHome2 = import_node_path3.default.resolve(options.runtimeHome);
+  return [
+    "[Unit]",
+    "Description=CodeHarbor main service",
+    "After=network-online.target",
+    "Wants=network-online.target",
+    "",
+    "[Service]",
+    "Type=simple",
+    `User=${options.runUser}`,
+    `WorkingDirectory=${runtimeHome2}`,
+    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
+    `ExecStart=${import_node_path3.default.resolve(options.nodeBinPath)} ${import_node_path3.default.resolve(options.cliScriptPath)} start`,
+    "Restart=always",
+    "RestartSec=3",
+    "NoNewPrivileges=true",
+    "PrivateTmp=true",
+    "ProtectSystem=full",
+    "ProtectHome=false",
+    `ReadWritePaths=${runtimeHome2}`,
+    "",
+    "[Install]",
+    "WantedBy=multi-user.target",
+    ""
+  ].join("\n");
+}
+function buildAdminServiceUnit(options) {
+  validateUnitOptions(options);
+  const runtimeHome2 = import_node_path3.default.resolve(options.runtimeHome);
+  return [
+    "[Unit]",
+    "Description=CodeHarbor admin service",
+    "After=network-online.target",
+    "Wants=network-online.target",
+    "",
+    "[Service]",
+    "Type=simple",
+    `User=${options.runUser}`,
+    `WorkingDirectory=${runtimeHome2}`,
+    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
+    `ExecStart=${import_node_path3.default.resolve(options.nodeBinPath)} ${import_node_path3.default.resolve(options.cliScriptPath)} admin serve`,
+    "Restart=always",
+    "RestartSec=3",
+    "NoNewPrivileges=true",
+    "PrivateTmp=true",
+    "ProtectSystem=full",
+    "ProtectHome=false",
+    `ReadWritePaths=${runtimeHome2}`,
+    "",
+    "[Install]",
+    "WantedBy=multi-user.target",
+    ""
+  ].join("\n");
+}
+function installSystemdServices(options) {
+  assertLinuxWithSystemd();
+  assertRootPrivileges();
+  const output = options.output ?? process.stdout;
+  const runUser = options.runUser.trim();
+  const runtimeHome2 = import_node_path3.default.resolve(options.runtimeHome);
+  validateSimpleValue(runUser, "runUser");
+  validateSimpleValue(runtimeHome2, "runtimeHome");
+  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
+  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
+  ensureUserExists(runUser);
+  const runGroup = resolveUserGroup(runUser);
+  import_node_fs3.default.mkdirSync(runtimeHome2, { recursive: true });
+  runCommand("chown", ["-R", `${runUser}:${runGroup}`, runtimeHome2]);
+  const mainPath = import_node_path3.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
+  const adminPath = import_node_path3.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
+  const unitOptions = {
+    runUser,
+    runtimeHome: runtimeHome2,
+    nodeBinPath: options.nodeBinPath,
+    cliScriptPath: options.cliScriptPath
+  };
+  import_node_fs3.default.writeFileSync(mainPath, buildMainServiceUnit(unitOptions), "utf8");
+  if (options.installAdmin) {
+    import_node_fs3.default.writeFileSync(adminPath, buildAdminServiceUnit(unitOptions), "utf8");
+  }
+  runSystemctl(["daemon-reload"]);
+  if (options.startNow) {
+    runSystemctl(["enable", "--now", MAIN_SERVICE_NAME]);
+    if (options.installAdmin) {
+      runSystemctl(["enable", "--now", ADMIN_SERVICE_NAME]);
+    }
+  } else {
+    runSystemctl(["enable", MAIN_SERVICE_NAME]);
+    if (options.installAdmin) {
+      runSystemctl(["enable", ADMIN_SERVICE_NAME]);
     }
-    this.server = import_node_http.default.createServer((req, res) => {
-      void this.handleRequest(req, res);
-    });
-    await new Promise((resolve, reject) => {
-      if (!this.server) {
-        reject(new Error("admin server is not initialized"));
-        return;
-      }
-      this.server.once("error", reject);
-      this.server.listen(this.port, this.host, () => {
-        this.server?.removeListener("error", reject);
-        const address = this.server?.address();
-        if (!address || typeof address === "string") {
-          reject(new Error("failed to resolve admin server address"));
-          return;
-        }
-        this.address = {
-          host: address.address,
-          port: address.port
-        };
-        resolve();
-      });
-    });
   }
-  async stop() {
-    if (!this.server) {
-      return;
+  output.write(`Installed systemd unit: ${mainPath}
+`);
+  if (options.installAdmin) {
+    output.write(`Installed systemd unit: ${adminPath}
+`);
+  }
+  output.write("Done. Check status with: systemctl status codeharbor --no-pager\n");
+}
+function uninstallSystemdServices(options) {
+  assertLinuxWithSystemd();
+  assertRootPrivileges();
+  const output = options.output ?? process.stdout;
+  const mainPath = import_node_path3.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
+  const adminPath = import_node_path3.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
+  stopAndDisableIfPresent(MAIN_SERVICE_NAME);
+  if (import_node_fs3.default.existsSync(mainPath)) {
+    import_node_fs3.default.unlinkSync(mainPath);
+  }
+  if (options.removeAdmin) {
+    stopAndDisableIfPresent(ADMIN_SERVICE_NAME);
+    if (import_node_fs3.default.existsSync(adminPath)) {
+      import_node_fs3.default.unlinkSync(adminPath);
     }
-    const server = this.server;
-    this.server = null;
-    this.address = null;
-    await new Promise((resolve, reject) => {
-      server.close((error) => {
-        if (error) {
-          reject(error);
-          return;
-        }
-        resolve();
-      });
-    });
   }
-  async handleRequest(req, res) {
-    try {
-      const url = new URL(req.url ?? "/", "http://localhost");
-      this.setSecurityHeaders(res);
-      const corsDecision = this.resolveCors(req);
-      this.setCorsHeaders(res, corsDecision);
-      if (!this.isClientAllowed(req)) {
-        this.sendJson(res, 403, {
-          ok: false,
-          error: "Forbidden by ADMIN_IP_ALLOWLIST."
-        });
-        return;
-      }
-      if (url.pathname.startsWith("/api/admin/") && corsDecision.origin && !corsDecision.allowed) {
-        this.sendJson(res, 403, {
-          ok: false,
-          error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
-        });
-        return;
-      }
-      if (req.method === "OPTIONS") {
-        if (corsDecision.origin && !corsDecision.allowed) {
-          this.sendJson(res, 403, {
-            ok: false,
-            error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
+  runSystemctl(["daemon-reload"]);
+  runSystemctlIgnoreFailure(["reset-failed"]);
+  output.write(`Removed systemd unit: ${mainPath}
+`);
+  if (options.removeAdmin) {
+    output.write(`Removed systemd unit: ${adminPath}
+`);
+  }
+  output.write("Done.\n");
+}
+function restartSystemdServices(options) {
+  assertLinuxWithSystemd();
+  assertRootPrivileges();
+  const output = options.output ?? process.stdout;
+  runSystemctl(["restart", MAIN_SERVICE_NAME]);
+  output.write(`Restarted service: ${MAIN_SERVICE_NAME}
+`);
+  if (options.restartAdmin) {
+    runSystemctl(["restart", ADMIN_SERVICE_NAME]);
+    output.write(`Restarted service: ${ADMIN_SERVICE_NAME}
+`);
+  }
+  output.write("Done.\n");
+}
+function resolveUserHome(runUser) {
+  try {
+    const passwdRaw = import_node_fs3.default.readFileSync("/etc/passwd", "utf8");
+    const line = passwdRaw.split(/\r?\n/).find((item) => item.startsWith(`${runUser}:`));
+    if (!line) {
+      return null;
+    }
+    const fields = line.split(":");
+    return fields[5] ? fields[5].trim() : null;
+  } catch {
+    return null;
+  }
+}
+function validateUnitOptions(options) {
+  validateSimpleValue(options.runUser, "runUser");
+  validateSimpleValue(options.runtimeHome, "runtimeHome");
+  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
+  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
+}
+function validateSimpleValue(value, key) {
+  if (!value.trim()) {
+    throw new Error(`${key} cannot be empty.`);
+  }
+  if (/[\r\n]/.test(value)) {
+    throw new Error(`${key} contains invalid newline characters.`);
+  }
+}
+function assertLinuxWithSystemd() {
+  if (process.platform !== "linux") {
+    throw new Error("Systemd service install only supports Linux.");
+  }
+  try {
+    (0, import_node_child_process.execFileSync)("systemctl", ["--version"], { stdio: "ignore" });
+  } catch {
+    throw new Error("systemctl is required but not found.");
+  }
+}
+function assertRootPrivileges() {
+  if (typeof process.getuid !== "function") {
+    return;
+  }
+  if (process.getuid() !== 0) {
+    throw new Error("Root privileges are required. Run with sudo.");
+  }
+}
+function ensureUserExists(runUser) {
+  runCommand("id", ["-u", runUser]);
+}
+function resolveUserGroup(runUser) {
+  return runCommand("id", ["-gn", runUser]).trim();
+}
+function runSystemctl(args) {
+  runCommand("systemctl", args);
+}
+function stopAndDisableIfPresent(unitName) {
+  runSystemctlIgnoreFailure(["disable", "--now", unitName]);
+}
+function runSystemctlIgnoreFailure(args) {
+  try {
+    runCommand("systemctl", args);
+  } catch {
+  }
+}
+function runCommand(file, args) {
+  try {
+    return (0, import_node_child_process.execFileSync)(file, args, {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+  } catch (error) {
+    throw new Error(formatCommandError(file, args, error), { cause: error });
+  }
+}
+function formatCommandError(file, args, error) {
+  const command = `${file} ${args.join(" ")}`.trim();
+  if (error && typeof error === "object") {
+    const maybeError = error;
+    const stderr = bufferToTrimmedString(maybeError.stderr);
+    const stdout = bufferToTrimmedString(maybeError.stdout);
+    const details = stderr || stdout || maybeError.message || "command failed";
+    return `Command failed: ${command}. ${details}`;
+  }
+  return `Command failed: ${command}. ${String(error)}`;
+}
+function bufferToTrimmedString(value) {
+  if (!value) {
+    return "";
+  }
+  const text = typeof value === "string" ? value : value.toString("utf8");
+  return text.trim();
+}
+// src/admin-server.ts
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process2.execFile);
+var HttpError = class extends Error {
+  statusCode;
+  constructor(statusCode, message) {
+    super(message);
+    this.statusCode = statusCode;
+  }
+};
+var AdminServer = class {
+  config;
+  logger;
+  stateStore;
+  configService;
+  host;
+  port;
+  adminToken;
+  adminIpAllowlist;
+  adminAllowedOrigins;
+  cwd;
+  checkCodex;
+  checkMatrix;
+  restartServices;
+  server = null;
+  address = null;
+  constructor(config, logger, stateStore, configService, options) {
+    this.config = config;
+    this.logger = logger;
+    this.stateStore = stateStore;
+    this.configService = configService;
+    this.host = options.host;
+    this.port = options.port;
+    this.adminToken = options.adminToken;
+    this.adminIpAllowlist = normalizeAllowlist(options.adminIpAllowlist ?? []);
+    this.adminAllowedOrigins = normalizeOriginAllowlist(options.adminAllowedOrigins ?? []);
+    this.cwd = options.cwd ?? process.cwd();
+    this.checkCodex = options.checkCodex ?? defaultCheckCodex;
+    this.checkMatrix = options.checkMatrix ?? defaultCheckMatrix;
+    this.restartServices = options.restartServices ?? defaultRestartServices;
+  }
+  getAddress() {
+    return this.address;
+  }
+  async start() {
+    if (this.server) {
+      return;
+    }
+    this.server = import_node_http.default.createServer((req, res) => {
+      void this.handleRequest(req, res);
+    });
+    await new Promise((resolve, reject) => {
+      if (!this.server) {
+        reject(new Error("admin server is not initialized"));
+        return;
+      }
+      this.server.once("error", reject);
+      this.server.listen(this.port, this.host, () => {
+        this.server?.removeListener("error", reject);
+        const address = this.server?.address();
+        if (!address || typeof address === "string") {
+          reject(new Error("failed to resolve admin server address"));
+          return;
+        }
+        this.address = {
+          host: address.address,
+          port: address.port
+        };
+        resolve();
+      });
+    });
+  }
+  async stop() {
+    if (!this.server) {
+      return;
+    }
+    const server = this.server;
+    this.server = null;
+    this.address = null;
+    await new Promise((resolve, reject) => {
+      server.close((error) => {
+        if (error) {
+          reject(error);
+          return;
+        }
+        resolve();
+      });
+    });
+  }
+  async handleRequest(req, res) {
+    try {
+      const url = new URL(req.url ?? "/", "http://localhost");
+      this.setSecurityHeaders(res);
+      const corsDecision = this.resolveCors(req);
+      this.setCorsHeaders(res, corsDecision);
+      if (!this.isClientAllowed(req)) {
+        this.sendJson(res, 403, {
+          ok: false,
+          error: "Forbidden by ADMIN_IP_ALLOWLIST."
+        });
+        return;
+      }
+      if (url.pathname.startsWith("/api/admin/") && corsDecision.origin && !corsDecision.allowed) {
+        this.sendJson(res, 403, {
+          ok: false,
+          error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
+        });
+        return;
+      }
+      if (req.method === "OPTIONS") {
+        if (corsDecision.origin && !corsDecision.allowed) {
+          this.sendJson(res, 403, {
+            ok: false,
+            error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
           });
           return;
         }
@@ -420,6 +716,33 @@ var AdminServer = class {
         });
         return;
       }
+      if (req.method === "POST" && url.pathname === "/api/admin/service/restart") {
+        const body = asObject(await readJsonBody(req), "service restart payload");
+        const restartAdmin = normalizeBoolean(body.withAdmin, false);
+        const actor = readActor(req);
+        try {
+          const result = await this.restartServices(restartAdmin);
+          this.stateStore.appendConfigRevision(
+            actor,
+            restartAdmin ? "restart services (main + admin)" : "restart service (main)",
+            JSON.stringify({
+              type: "service_restart",
+              restartAdmin,
+              restarted: result.restarted
+            })
+          );
+          this.sendJson(res, 200, {
+            ok: true,
+            restarted: result.restarted
+          });
+          return;
+        } catch (error) {
+          throw new HttpError(
+            500,
+            `Service restart failed: ${formatError(error)}. Ensure service has root privileges or run CLI command manually.`
+          );
+        }
+      }
       this.sendJson(res, 404, {
         ok: false,
         error: `Not found: ${req.method ?? "GET"} ${url.pathname}`
@@ -450,7 +773,7 @@ var AdminServer = class {
       updatedKeys.push("matrixCommandPrefix");
     }
     if ("codexWorkdir" in body) {
-      const workdir = import_node_path2.default.resolve(String(body.codexWorkdir ?? "").trim());
+      const workdir = import_node_path4.default.resolve(String(body.codexWorkdir ?? "").trim());
       ensureDirectory(workdir, "codexWorkdir");
       this.config.codexWorkdir = workdir;
       envUpdates.CODEX_WORKDIR = workdir;
@@ -674,11 +997,11 @@ var AdminServer = class {
     return this.adminIpAllowlist.includes(normalizedRemote);
   }
   persistEnvUpdates(updates) {
-    const envPath = import_node_path2.default.resolve(this.cwd, ".env");
-    const examplePath = import_node_path2.default.resolve(this.cwd, ".env.example");
-    const template = import_node_fs2.default.existsSync(envPath) ? import_node_fs2.default.readFileSync(envPath, "utf8") : import_node_fs2.default.existsSync(examplePath) ? import_node_fs2.default.readFileSync(examplePath, "utf8") : "";
+    const envPath = import_node_path4.default.resolve(this.cwd, ".env");
+    const examplePath = import_node_path4.default.resolve(this.cwd, ".env.example");
+    const template = import_node_fs4.default.existsSync(envPath) ? import_node_fs4.default.readFileSync(envPath, "utf8") : import_node_fs4.default.existsSync(examplePath) ? import_node_fs4.default.readFileSync(examplePath, "utf8") : "";
     const next = applyEnvOverrides(template, updates);
-    import_node_fs2.default.writeFileSync(envPath, next, "utf8");
+    import_node_fs4.default.writeFileSync(envPath, next, "utf8");
   }
   resolveCors(req) {
     const origin = normalizeOriginHeader(req.headers.origin);
@@ -705,7 +1028,7 @@ var AdminServer = class {
     }
     res.setHeader("Access-Control-Allow-Origin", corsDecision.origin);
     res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Admin-Token, X-Admin-Actor");
-    res.setHeader("Access-Control-Allow-Methods", "GET, PUT, DELETE, OPTIONS");
+    res.setHeader("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
     appendVaryHeader(res, "Origin");
   }
   setSecurityHeaders(res) {
@@ -776,6 +1099,22 @@ function parseJsonLoose(raw) {
     return raw;
   }
 }
+async function defaultRestartServices(restartAdmin) {
+  const outputChunks = [];
+  const output = {
+    write: (chunk) => {
+      outputChunks.push(typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8"));
+      return true;
+    }
+  };
+  restartSystemdServices({
+    restartAdmin,
+    output
+  });
+  return {
+    restarted: restartAdmin ? ["codeharbor", "codeharbor-admin"] : ["codeharbor"]
+  };
+}
 function isUiPath(pathname) {
   return pathname === "/" || pathname === "/index.html" || pathname === "/settings/global" || pathname === "/settings/rooms" || pathname === "/health" || pathname === "/audit";
 }
@@ -924,7 +1263,7 @@ function normalizeNonNegativeInt(value, fallback) {
   return normalizePositiveInt(value, fallback, 0, Number.MAX_SAFE_INTEGER);
 }
 function ensureDirectory(targetPath, fieldName) {
-  if (!import_node_fs2.default.existsSync(targetPath) || !import_node_fs2.default.statSync(targetPath).isDirectory()) {
+  if (!import_node_fs4.default.existsSync(targetPath) || !import_node_fs4.default.statSync(targetPath).isDirectory()) {
     throw new HttpError(400, `${fieldName} must be an existing directory: ${targetPath}`);
   }
 }
@@ -1266,6 +1605,8 @@ var ADMIN_CONSOLE_HTML = `<!doctype html>
         <div class="actions">
           <button id="global-save-btn" type="button">Save Global Config</button>
           <button id="global-reload-btn" type="button" class="secondary">Reload</button>
+          <button id="global-restart-main-btn" type="button" class="secondary">Restart Main Service</button>
+          <button id="global-restart-all-btn" type="button" class="secondary">Restart Main + Admin</button>
         </div>
         <p class="muted">Saving global config updates .env and requires restart to fully take effect.</p>
       </section>
@@ -1408,6 +1749,12 @@ var ADMIN_CONSOLE_HTML = `<!doctype html>
         document.getElementById("global-save-btn").addEventListener("click", saveGlobal);
         document.getElementById("global-reload-btn").addEventListener("click", loadGlobal);
+        document.getElementById("global-restart-main-btn").addEventListener("click", function () {
+          restartManagedServices(false);
+        });
+        document.getElementById("global-restart-all-btn").addEventListener("click", function () {
+          restartManagedServices(true);
+        });
         document.getElementById("room-load-btn").addEventListener("click", loadRoom);
         document.getElementById("room-save-btn").addEventListener("click", saveRoom);
         document.getElementById("room-delete-btn").addEventListener("click", deleteRoom);
@@ -1611,6 +1958,19 @@ var ADMIN_CONSOLE_HTML = `<!doctype html>
           }
         }
+        async function restartManagedServices(withAdmin) {
+          try {
+            var response = await apiRequest("/api/admin/service/restart", "POST", {
+              withAdmin: Boolean(withAdmin)
+            });
+            var restarted = Array.isArray(response.restarted) ? response.restarted.join(", ") : "codeharbor";
+            var suffix = withAdmin ? " Admin page may reconnect during restart." : "";
+            showNotice("warn", "Restart requested: " + restarted + "." + suffix);
+          } catch (error) {
+            showNotice("error", "Failed to restart service(s): " + error.message);
+          }
+        }
         async function refreshRoomList() {
           try {
             var response = await apiRequest("/api/admin/config/rooms", "GET");
@@ -1836,8 +2196,8 @@ async function defaultCheckMatrix(homeserver, timeoutMs) {
 // src/channels/matrix-channel.ts
 var import_promises2 = __toESM(require("fs/promises"));
-var import_node_os = __toESM(require("os"));
-var import_node_path3 = __toESM(require("path"));
+var import_node_os3 = __toESM(require("os"));
+var import_node_path5 = __toESM(require("path"));
 var import_matrix_js_sdk = require("matrix-js-sdk");
 // src/utils/message.ts
@@ -2260,10 +2620,10 @@ var MatrixChannel = class {
     }
     const bytes = Buffer.from(await response.arrayBuffer());
     const extension = resolveFileExtension(fileName, mimeType);
-    const directory = import_node_path3.default.join(import_node_os.default.tmpdir(), "codeharbor-media");
+    const directory = import_node_path5.default.join(import_node_os3.default.tmpdir(), "codeharbor-media");
     await import_promises2.default.mkdir(directory, { recursive: true });
     const safeEventId = sanitizeFilename(eventId);
-    const targetPath = import_node_path3.default.join(directory, `${safeEventId}-${index}${extension}`);
+    const targetPath = import_node_path5.default.join(directory, `${safeEventId}-${index}${extension}`);
     await import_promises2.default.writeFile(targetPath, bytes);
     return targetPath;
   }
@@ -2348,7 +2708,7 @@ function sanitizeFilename(value) {
   return value.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, 80);
 }
 function resolveFileExtension(fileName, mimeType) {
-  const ext = import_node_path3.default.extname(fileName).trim();
+  const ext = import_node_path5.default.extname(fileName).trim();
   if (ext) {
     return ext;
   }
@@ -2365,14 +2725,14 @@ function resolveFileExtension(fileName, mimeType) {
 }
 // src/config-service.ts
-var import_node_fs3 = __toESM(require("fs"));
-var import_node_path4 = __toESM(require("path"));
+var import_node_fs5 = __toESM(require("fs"));
+var import_node_path6 = __toESM(require("path"));
 var ConfigService = class {
   stateStore;
   defaultWorkdir;
   constructor(stateStore, defaultWorkdir) {
     this.stateStore = stateStore;
-    this.defaultWorkdir = import_node_path4.default.resolve(defaultWorkdir);
+    this.defaultWorkdir = import_node_path6.default.resolve(defaultWorkdir);
   }
   resolveRoomConfig(roomId, fallbackPolicy) {
     const room = this.stateStore.getRoomSettings(roomId);
@@ -2443,8 +2803,8 @@ function normalizeRoomSettingsInput(input) {
   if (!roomId) {
     throw new Error("roomId is required.");
   }
-  const workdir = import_node_path4.default.resolve(input.workdir);
-  if (!import_node_fs3.default.existsSync(workdir) || !import_node_fs3.default.statSync(workdir).isDirectory()) {
+  const workdir = import_node_path6.default.resolve(input.workdir);
+  if (!import_node_fs5.default.existsSync(workdir) || !import_node_fs5.default.statSync(workdir).isDirectory()) {
     throw new Error(`workdir does not exist or is not a directory: ${workdir}`);
   }
   return {
@@ -2459,7 +2819,7 @@ function normalizeRoomSettingsInput(input) {
 }
 // src/executor/codex-executor.ts
-var import_node_child_process2 = require("child_process");
+var import_node_child_process3 = require("child_process");
 var import_node_readline = __toESM(require("readline"));
 var CodexExecutionCancelledError = class extends Error {
   constructor(message = "codex execution cancelled") {
@@ -2477,7 +2837,7 @@ var CodexExecutor = class {
   }
   startExecution(prompt, sessionId, onProgress, startOptions) {
     const args = buildCodexArgs(prompt, sessionId, this.options, startOptions);
-    const child = (0, import_node_child_process2.spawn)(this.options.bin, args, {
+    const child = (0, import_node_child_process3.spawn)(this.options.bin, args, {
       cwd: startOptions?.workdir ?? this.options.workdir,
       env: {
         ...process.env,
@@ -2713,20 +3073,20 @@ var import_async_mutex = require("async-mutex");
 var import_promises3 = __toESM(require("fs/promises"));
 // src/compat/cli-compat-recorder.ts
-var import_node_fs4 = __toESM(require("fs"));
-var import_node_path5 = __toESM(require("path"));
+var import_node_fs6 = __toESM(require("fs"));
+var import_node_path7 = __toESM(require("path"));
 var CliCompatRecorder = class {
   filePath;
   chain = Promise.resolve();
   constructor(filePath) {
-    this.filePath = import_node_path5.default.resolve(filePath);
-    import_node_fs4.default.mkdirSync(import_node_path5.default.dirname(this.filePath), { recursive: true });
+    this.filePath = import_node_path7.default.resolve(filePath);
+    import_node_fs6.default.mkdirSync(import_node_path7.default.dirname(this.filePath), { recursive: true });
   }
   append(entry) {
     const payload = `${JSON.stringify(entry)}
 `;
     this.chain = this.chain.then(async () => {
-      await import_node_fs4.default.promises.appendFile(this.filePath, payload, "utf8");
+      await import_node_fs6.default.promises.appendFile(this.filePath, payload, "utf8");
     });
     return this.chain;
   }
@@ -4114,8 +4474,8 @@ ${result.review}
 }
 // src/store/state-store.ts
-var import_node_fs5 = __toESM(require("fs"));
-var import_node_path6 = __toESM(require("path"));
+var import_node_fs7 = __toESM(require("fs"));
+var import_node_path8 = __toESM(require("path"));
 var ONE_DAY_MS = 24 * 60 * 60 * 1e3;
 var PRUNE_INTERVAL_MS = 5 * 60 * 1e3;
 var SQLITE_MODULE_ID = `node:${"sqlite"}`;
@@ -4141,7 +4501,7 @@ var StateStore = class {
     this.maxProcessedEventsPerSession = maxProcessedEventsPerSession;
     this.maxSessionAgeMs = maxSessionAgeDays * ONE_DAY_MS;
     this.maxSessions = maxSessions;
-    import_node_fs5.default.mkdirSync(import_node_path6.default.dirname(this.dbPath), { recursive: true });
+    import_node_fs7.default.mkdirSync(import_node_path8.default.dirname(this.dbPath), { recursive: true });
     this.db = new DatabaseSync(this.dbPath);
     this.initializeSchema();
     this.importLegacyStateIfNeeded();
@@ -4386,7 +4746,7 @@ var StateStore = class {
     `);
   }
   importLegacyStateIfNeeded() {
-    if (!this.legacyJsonPath || !import_node_fs5.default.existsSync(this.legacyJsonPath)) {
+    if (!this.legacyJsonPath || !import_node_fs7.default.existsSync(this.legacyJsonPath)) {
       return;
     }
     const countRow = this.db.prepare("SELECT COUNT(*) AS count FROM sessions").get();
@@ -4469,7 +4829,7 @@ var StateStore = class {
 };
 function loadLegacyState(filePath) {
   try {
-    const raw = import_node_fs5.default.readFileSync(filePath, "utf8");
+    const raw = import_node_fs7.default.readFileSync(filePath, "utf8");
     const parsed = JSON.parse(raw);
     if (!parsed.sessions || typeof parsed.sessions !== "object") {
       return null;
@@ -4512,7 +4872,7 @@ function boolToInt(value) {
 }
 // src/app.ts
-var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process3.execFile);
+var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process4.execFile);
 var CodeHarborApp = class {
   config;
   logger;
@@ -4661,8 +5021,8 @@ function isNonLoopbackHost(host) {
 }
 // src/config.ts
-var import_node_fs6 = __toESM(require("fs"));
-var import_node_path7 = __toESM(require("path"));
+var import_node_fs8 = __toESM(require("fs"));
+var import_node_path9 = __toESM(require("path"));
 var import_dotenv2 = __toESM(require("dotenv"));
 var import_zod = require("zod");
 var configSchema = import_zod.z.object({
@@ -4723,7 +5083,7 @@ var configSchema = import_zod.z.object({
   matrixCommandPrefix: v.MATRIX_COMMAND_PREFIX,
   codexBin: v.CODEX_BIN,
   codexModel: v.CODEX_MODEL?.trim() || null,
-  codexWorkdir: import_node_path7.default.resolve(v.CODEX_WORKDIR),
+  codexWorkdir: import_node_path9.default.resolve(v.CODEX_WORKDIR),
   codexDangerousBypass: v.CODEX_DANGEROUS_BYPASS,
   codexExecTimeoutMs: v.CODEX_EXEC_TIMEOUT_MS,
   codexSandboxMode: v.CODEX_SANDBOX_MODE?.trim() || null,
@@ -4734,8 +5094,8 @@ var configSchema = import_zod.z.object({
     enabled: v.AGENT_WORKFLOW_ENABLED,
     autoRepairMaxRounds: v.AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS
   },
-  stateDbPath: import_node_path7.default.resolve(v.STATE_DB_PATH),
-  legacyStateJsonPath: v.STATE_PATH.trim() ? import_node_path7.default.resolve(v.STATE_PATH) : null,
+  stateDbPath: import_node_path9.default.resolve(v.STATE_DB_PATH),
+  legacyStateJsonPath: v.STATE_PATH.trim() ? import_node_path9.default.resolve(v.STATE_PATH) : null,
   maxProcessedEventsPerSession: v.MAX_PROCESSED_EVENTS_PER_SESSION,
   maxSessionAgeDays: v.MAX_SESSION_AGE_DAYS,
   maxSessions: v.MAX_SESSIONS,
@@ -4766,7 +5126,7 @@ var configSchema = import_zod.z.object({
     disableReplyChunkSplit: v.CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT,
     progressThrottleMs: v.CLI_COMPAT_PROGRESS_THROTTLE_MS,
     fetchMedia: v.CLI_COMPAT_FETCH_MEDIA,
-    recordPath: v.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path7.default.resolve(v.CLI_COMPAT_RECORD_PATH) : null
+    recordPath: v.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path9.default.resolve(v.CLI_COMPAT_RECORD_PATH) : null
   },
   doctorHttpTimeoutMs: v.DOCTOR_HTTP_TIMEOUT_MS,
   adminBindHost: v.ADMIN_BIND_HOST.trim() || "127.0.0.1",
@@ -4776,7 +5136,7 @@ var configSchema = import_zod.z.object({
   adminAllowedOrigins: parseCsvList(v.ADMIN_ALLOWED_ORIGINS),
   logLevel: v.LOG_LEVEL
 }));
-function loadEnvFromFile(filePath = import_node_path7.default.resolve(process.cwd(), ".env"), env = process.env) {
+function loadEnvFromFile(filePath = import_node_path9.default.resolve(process.cwd(), ".env"), env = process.env) {
   import_dotenv2.default.config({
     path: filePath,
     processEnv: env,
@@ -4789,9 +5149,9 @@ function loadConfig(env = process.env) {
     const message = parsed.error.issues.map((issue) => `${issue.path.join(".") || "config"}: ${issue.message}`).join("; ");
     throw new Error(`Invalid configuration: ${message}`);
   }
-  import_node_fs6.default.mkdirSync(import_node_path7.default.dirname(parsed.data.stateDbPath), { recursive: true });
+  import_node_fs8.default.mkdirSync(import_node_path9.default.dirname(parsed.data.stateDbPath), { recursive: true });
   if (parsed.data.legacyStateJsonPath) {
-    import_node_fs6.default.mkdirSync(import_node_path7.default.dirname(parsed.data.legacyStateJsonPath), { recursive: true });
+    import_node_fs8.default.mkdirSync(import_node_path9.default.dirname(parsed.data.legacyStateJsonPath), { recursive: true });
   }
   return parsed.data;
 }
@@ -4864,8 +5224,8 @@ function parseCsvList(raw) {
 }
 // src/config-snapshot.ts
-var import_node_fs7 = __toESM(require("fs"));
-var import_node_path8 = __toESM(require("path"));
+var import_node_fs9 = __toESM(require("fs"));
+var import_node_path10 = __toESM(require("path"));
 var import_zod2 = require("zod");
 var CONFIG_SNAPSHOT_SCHEMA_VERSION = 1;
 var CONFIG_SNAPSHOT_ENV_KEYS = [
@@ -5052,9 +5412,9 @@ async function runConfigExportCommand(options = {}) {
     const snapshot = buildConfigSnapshot(config, stateStore.listRoomSettings(), options.now ?? /* @__PURE__ */ new Date());
     const serialized = serializeConfigSnapshot(snapshot);
     if (options.outputPath) {
-      const targetPath = import_node_path8.default.resolve(cwd, options.outputPath);
-      import_node_fs7.default.mkdirSync(import_node_path8.default.dirname(targetPath), { recursive: true });
-      import_node_fs7.default.writeFileSync(targetPath, serialized, "utf8");
+      const targetPath = import_node_path10.default.resolve(cwd, options.outputPath);
+      import_node_fs9.default.mkdirSync(import_node_path10.default.dirname(targetPath), { recursive: true });
+      import_node_fs9.default.writeFileSync(targetPath, serialized, "utf8");
       output.write(`Exported config snapshot to ${targetPath}
 `);
       return;
@@ -5068,8 +5428,8 @@ async function runConfigImportCommand(options) {
   const cwd = options.cwd ?? process.cwd();
   const output = options.output ?? process.stdout;
   const actor = options.actor?.trim() || "cli:config-import";
-  const sourcePath = import_node_path8.default.resolve(cwd, options.filePath);
-  if (!import_node_fs7.default.existsSync(sourcePath)) {
+  const sourcePath = import_node_path10.default.resolve(cwd, options.filePath);
+  if (!import_node_fs9.default.existsSync(sourcePath)) {
     throw new Error(`Config snapshot file not found: ${sourcePath}`);
   }
   const snapshot = parseConfigSnapshot(parseJsonFile(sourcePath));
@@ -5099,7 +5459,7 @@ async function runConfigImportCommand(options) {
     synchronizeRoomSettings(stateStore, normalizedRooms);
     stateStore.appendConfigRevision(
       actor,
-      `import config snapshot from ${import_node_path8.default.basename(sourcePath)}`,
+      `import config snapshot from ${import_node_path10.default.basename(sourcePath)}`,
       JSON.stringify({
         type: "config_snapshot_import",
         sourcePath,
@@ -5113,7 +5473,7 @@ async function runConfigImportCommand(options) {
   output.write(
     [
       `Imported config snapshot from ${sourcePath}`,
-      `- updated .env in ${import_node_path8.default.resolve(cwd, ".env")}`,
+      `- updated .env in ${import_node_path10.default.resolve(cwd, ".env")}`,
       `- synchronized room settings: ${normalizedRooms.length}`,
       "- restart required: yes (global env settings are restart-scoped)"
     ].join("\n") + "\n"
@@ -5175,7 +5535,7 @@ function buildSnapshotEnv(config) {
 }
 function parseJsonFile(filePath) {
   try {
-    const raw = import_node_fs7.default.readFileSync(filePath, "utf8");
+    const raw = import_node_fs9.default.readFileSync(filePath, "utf8");
     return JSON.parse(raw);
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
@@ -5187,10 +5547,10 @@ function parseJsonFile(filePath) {
 function normalizeSnapshotEnv(env, cwd) {
   return {
     ...env,
-    CODEX_WORKDIR: import_node_path8.default.resolve(cwd, env.CODEX_WORKDIR),
-    STATE_DB_PATH: import_node_path8.default.resolve(cwd, env.STATE_DB_PATH),
-    STATE_PATH: env.STATE_PATH.trim() ? import_node_path8.default.resolve(cwd, env.STATE_PATH) : "",
-    CLI_COMPAT_RECORD_PATH: env.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path8.default.resolve(cwd, env.CLI_COMPAT_RECORD_PATH) : ""
+    CODEX_WORKDIR: import_node_path10.default.resolve(cwd, env.CODEX_WORKDIR),
+    STATE_DB_PATH: import_node_path10.default.resolve(cwd, env.STATE_DB_PATH),
+    STATE_PATH: env.STATE_PATH.trim() ? import_node_path10.default.resolve(cwd, env.STATE_PATH) : "",
+    CLI_COMPAT_RECORD_PATH: env.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path10.default.resolve(cwd, env.CLI_COMPAT_RECORD_PATH) : ""
   };
 }
 function normalizeSnapshotRooms(rooms, cwd) {
@@ -5205,7 +5565,7 @@ function normalizeSnapshotRooms(rooms, cwd) {
       throw new Error(`Duplicate roomId in snapshot: ${roomId}`);
     }
     seen.add(roomId);
-    const workdir = import_node_path8.default.resolve(cwd, room.workdir);
+    const workdir = import_node_path10.default.resolve(cwd, room.workdir);
     ensureDirectory2(workdir, `room workdir (${roomId})`);
     normalized.push({
       roomId,
@@ -5232,18 +5592,18 @@ function synchronizeRoomSettings(stateStore, rooms) {
   }
 }
 function persistEnvSnapshot(cwd, env) {
-  const envPath = import_node_path8.default.resolve(cwd, ".env");
-  const examplePath = import_node_path8.default.resolve(cwd, ".env.example");
-  const template = import_node_fs7.default.existsSync(envPath) ? import_node_fs7.default.readFileSync(envPath, "utf8") : import_node_fs7.default.existsSync(examplePath) ? import_node_fs7.default.readFileSync(examplePath, "utf8") : "";
+  const envPath = import_node_path10.default.resolve(cwd, ".env");
+  const examplePath = import_node_path10.default.resolve(cwd, ".env.example");
+  const template = import_node_fs9.default.existsSync(envPath) ? import_node_fs9.default.readFileSync(envPath, "utf8") : import_node_fs9.default.existsSync(examplePath) ? import_node_fs9.default.readFileSync(examplePath, "utf8") : "";
   const overrides = {};
   for (const key of CONFIG_SNAPSHOT_ENV_KEYS) {
     overrides[key] = env[key];
   }
   const next = applyEnvOverrides(template, overrides);
-  import_node_fs7.default.writeFileSync(envPath, next, "utf8");
+  import_node_fs9.default.writeFileSync(envPath, next, "utf8");
 }
 function ensureDirectory2(dirPath, label) {
-  if (!import_node_fs7.default.existsSync(dirPath) || !import_node_fs7.default.statSync(dirPath).isDirectory()) {
+  if (!import_node_fs9.default.existsSync(dirPath) || !import_node_fs9.default.statSync(dirPath).isDirectory()) {
     throw new Error(`${label} does not exist or is not a directory: ${dirPath}`);
   }
 }
@@ -5296,20 +5656,20 @@ function jsonObjectStringSchema(key, allowEmpty) {
 }
 // src/preflight.ts
-var import_node_child_process4 = require("child_process");
-var import_node_fs8 = __toESM(require("fs"));
-var import_node_path9 = __toESM(require("path"));
+var import_node_child_process5 = require("child_process");
+var import_node_fs10 = __toESM(require("fs"));
+var import_node_path11 = __toESM(require("path"));
 var import_node_util3 = require("util");
-var execFileAsync3 = (0, import_node_util3.promisify)(import_node_child_process4.execFile);
+var execFileAsync3 = (0, import_node_util3.promisify)(import_node_child_process5.execFile);
 var REQUIRED_ENV_KEYS = ["MATRIX_HOMESERVER", "MATRIX_USER_ID", "MATRIX_ACCESS_TOKEN"];
 async function runStartupPreflight(options = {}) {
   const env = options.env ?? process.env;
   const cwd = options.cwd ?? process.cwd();
   const checkCodexBinary = options.checkCodexBinary ?? defaultCheckCodexBinary;
-  const fileExists = options.fileExists ?? import_node_fs8.default.existsSync;
+  const fileExists = options.fileExists ?? import_node_fs10.default.existsSync;
   const isDirectory = options.isDirectory ?? defaultIsDirectory;
   const issues = [];
-  const envPath = import_node_path9.default.resolve(cwd, ".env");
+  const envPath = import_node_path11.default.resolve(cwd, ".env");
   if (!fileExists(envPath)) {
     issues.push({
       level: "warn",
@@ -5368,7 +5728,7 @@ async function runStartupPreflight(options = {}) {
     });
   }
   const configuredWorkdir = readEnv(env, "CODEX_WORKDIR");
-  const workdir = import_node_path9.default.resolve(cwd, configuredWorkdir || cwd);
+  const workdir = import_node_path11.default.resolve(cwd, configuredWorkdir || cwd);
   if (!fileExists(workdir) || !isDirectory(workdir)) {
     issues.push({
       level: "error",
@@ -5407,7 +5767,7 @@ async function defaultCheckCodexBinary(bin) {
 }
 function defaultIsDirectory(targetPath) {
   try {
-    return import_node_fs8.default.statSync(targetPath).isDirectory();
+    return import_node_fs10.default.statSync(targetPath).isDirectory();
   } catch {
     return false;
   }
@@ -5416,298 +5776,6 @@ function readEnv(env, key) {
   return env[key]?.trim() ?? "";
 }
-// src/runtime-home.ts
-var import_node_fs9 = __toESM(require("fs"));
-var import_node_os2 = __toESM(require("os"));
-var import_node_path10 = __toESM(require("path"));
-var LEGACY_RUNTIME_HOME = "/opt/codeharbor";
-var USER_RUNTIME_HOME_DIR = ".codeharbor";
-var DEFAULT_RUNTIME_HOME = import_node_path10.default.resolve(import_node_os2.default.homedir(), USER_RUNTIME_HOME_DIR);
-var RUNTIME_HOME_ENV_KEY = "CODEHARBOR_HOME";
-function resolveRuntimeHome(env = process.env) {
-  const configured = env[RUNTIME_HOME_ENV_KEY]?.trim();
-  if (configured) {
-    return import_node_path10.default.resolve(configured);
-  }
-  const legacyEnvPath = import_node_path10.default.resolve(LEGACY_RUNTIME_HOME, ".env");
-  if (import_node_fs9.default.existsSync(legacyEnvPath)) {
-    return LEGACY_RUNTIME_HOME;
-  }
-  return resolveUserRuntimeHome(env);
-}
-function resolveUserRuntimeHome(env = process.env) {
-  const home = env.HOME?.trim() || import_node_os2.default.homedir();
-  return import_node_path10.default.resolve(home, USER_RUNTIME_HOME_DIR);
-}
-// src/service-manager.ts
-var import_node_child_process5 = require("child_process");
-var import_node_fs10 = __toESM(require("fs"));
-var import_node_os3 = __toESM(require("os"));
-var import_node_path11 = __toESM(require("path"));
-var SYSTEMD_DIR = "/etc/systemd/system";
-var MAIN_SERVICE_NAME = "codeharbor.service";
-var ADMIN_SERVICE_NAME = "codeharbor-admin.service";
-function resolveDefaultRunUser(env = process.env) {
-  const sudoUser = env.SUDO_USER?.trim();
-  if (sudoUser) {
-    return sudoUser;
-  }
-  const user = env.USER?.trim();
-  if (user) {
-    return user;
-  }
-  try {
-    return import_node_os3.default.userInfo().username;
-  } catch {
-    return "root";
-  }
-}
-function resolveRuntimeHomeForUser(runUser, env = process.env, explicitRuntimeHome) {
-  const configuredRuntimeHome = explicitRuntimeHome?.trim() || env[RUNTIME_HOME_ENV_KEY]?.trim();
-  if (configuredRuntimeHome) {
-    return import_node_path11.default.resolve(configuredRuntimeHome);
-  }
-  const userHome = resolveUserHome(runUser);
-  if (userHome) {
-    return import_node_path11.default.resolve(userHome, USER_RUNTIME_HOME_DIR);
-  }
-  return import_node_path11.default.resolve(import_node_os3.default.homedir(), USER_RUNTIME_HOME_DIR);
-}
-function buildMainServiceUnit(options) {
-  validateUnitOptions(options);
-  const runtimeHome2 = import_node_path11.default.resolve(options.runtimeHome);
-  return [
-    "[Unit]",
-    "Description=CodeHarbor main service",
-    "After=network-online.target",
-    "Wants=network-online.target",
-    "",
-    "[Service]",
-    "Type=simple",
-    `User=${options.runUser}`,
-    `WorkingDirectory=${runtimeHome2}`,
-    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
-    `ExecStart=${import_node_path11.default.resolve(options.nodeBinPath)} ${import_node_path11.default.resolve(options.cliScriptPath)} start`,
-    "Restart=always",
-    "RestartSec=3",
-    "NoNewPrivileges=true",
-    "PrivateTmp=true",
-    "ProtectSystem=full",
-    "ProtectHome=false",
-    `ReadWritePaths=${runtimeHome2}`,
-    "",
-    "[Install]",
-    "WantedBy=multi-user.target",
-    ""
-  ].join("\n");
-}
-function buildAdminServiceUnit(options) {
-  validateUnitOptions(options);
-  const runtimeHome2 = import_node_path11.default.resolve(options.runtimeHome);
-  return [
-    "[Unit]",
-    "Description=CodeHarbor admin service",
-    "After=network-online.target",
-    "Wants=network-online.target",
-    "",
-    "[Service]",
-    "Type=simple",
-    `User=${options.runUser}`,
-    `WorkingDirectory=${runtimeHome2}`,
-    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
-    `ExecStart=${import_node_path11.default.resolve(options.nodeBinPath)} ${import_node_path11.default.resolve(options.cliScriptPath)} admin serve`,
-    "Restart=always",
-    "RestartSec=3",
-    "NoNewPrivileges=true",
-    "PrivateTmp=true",
-    "ProtectSystem=full",
-    "ProtectHome=false",
-    `ReadWritePaths=${runtimeHome2}`,
-    "",
-    "[Install]",
-    "WantedBy=multi-user.target",
-    ""
-  ].join("\n");
-}
-function installSystemdServices(options) {
-  assertLinuxWithSystemd();
-  assertRootPrivileges();
-  const output = options.output ?? process.stdout;
-  const runUser = options.runUser.trim();
-  const runtimeHome2 = import_node_path11.default.resolve(options.runtimeHome);
-  validateSimpleValue(runUser, "runUser");
-  validateSimpleValue(runtimeHome2, "runtimeHome");
-  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
-  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
-  ensureUserExists(runUser);
-  const runGroup = resolveUserGroup(runUser);
-  import_node_fs10.default.mkdirSync(runtimeHome2, { recursive: true });
-  runCommand("chown", ["-R", `${runUser}:${runGroup}`, runtimeHome2]);
-  const mainPath = import_node_path11.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
-  const adminPath = import_node_path11.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
-  const unitOptions = {
-    runUser,
-    runtimeHome: runtimeHome2,
-    nodeBinPath: options.nodeBinPath,
-    cliScriptPath: options.cliScriptPath
-  };
-  import_node_fs10.default.writeFileSync(mainPath, buildMainServiceUnit(unitOptions), "utf8");
-  if (options.installAdmin) {
-    import_node_fs10.default.writeFileSync(adminPath, buildAdminServiceUnit(unitOptions), "utf8");
-  }
-  runSystemctl(["daemon-reload"]);
-  if (options.startNow) {
-    runSystemctl(["enable", "--now", MAIN_SERVICE_NAME]);
-    if (options.installAdmin) {
-      runSystemctl(["enable", "--now", ADMIN_SERVICE_NAME]);
-    }
-  } else {
-    runSystemctl(["enable", MAIN_SERVICE_NAME]);
-    if (options.installAdmin) {
-      runSystemctl(["enable", ADMIN_SERVICE_NAME]);
-    }
-  }
-  output.write(`Installed systemd unit: ${mainPath}
-`);
-  if (options.installAdmin) {
-    output.write(`Installed systemd unit: ${adminPath}
-`);
-  }
-  output.write("Done. Check status with: systemctl status codeharbor --no-pager\n");
-}
-function uninstallSystemdServices(options) {
-  assertLinuxWithSystemd();
-  assertRootPrivileges();
-  const output = options.output ?? process.stdout;
-  const mainPath = import_node_path11.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
-  const adminPath = import_node_path11.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
-  stopAndDisableIfPresent(MAIN_SERVICE_NAME);
-  if (import_node_fs10.default.existsSync(mainPath)) {
-    import_node_fs10.default.unlinkSync(mainPath);
-  }
-  if (options.removeAdmin) {
-    stopAndDisableIfPresent(ADMIN_SERVICE_NAME);
-    if (import_node_fs10.default.existsSync(adminPath)) {
-      import_node_fs10.default.unlinkSync(adminPath);
-    }
-  }
-  runSystemctl(["daemon-reload"]);
-  runSystemctlIgnoreFailure(["reset-failed"]);
-  output.write(`Removed systemd unit: ${mainPath}
-`);
-  if (options.removeAdmin) {
-    output.write(`Removed systemd unit: ${adminPath}
-`);
-  }
-  output.write("Done.\n");
-}
-function restartSystemdServices(options) {
-  assertLinuxWithSystemd();
-  assertRootPrivileges();
-  const output = options.output ?? process.stdout;
-  runSystemctl(["restart", MAIN_SERVICE_NAME]);
-  output.write(`Restarted service: ${MAIN_SERVICE_NAME}
-`);
-  if (options.restartAdmin) {
-    runSystemctl(["restart", ADMIN_SERVICE_NAME]);
-    output.write(`Restarted service: ${ADMIN_SERVICE_NAME}
-`);
-  }
-  output.write("Done.\n");
-}
-function resolveUserHome(runUser) {
-  try {
-    const passwdRaw = import_node_fs10.default.readFileSync("/etc/passwd", "utf8");
-    const line = passwdRaw.split(/\r?\n/).find((item) => item.startsWith(`${runUser}:`));
-    if (!line) {
-      return null;
-    }
-    const fields = line.split(":");
-    return fields[5] ? fields[5].trim() : null;
-  } catch {
-    return null;
-  }
-}
-function validateUnitOptions(options) {
-  validateSimpleValue(options.runUser, "runUser");
-  validateSimpleValue(options.runtimeHome, "runtimeHome");
-  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
-  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
-}
-function validateSimpleValue(value, key) {
-  if (!value.trim()) {
-    throw new Error(`${key} cannot be empty.`);
-  }
-  if (/[\r\n]/.test(value)) {
-    throw new Error(`${key} contains invalid newline characters.`);
-  }
-}
-function assertLinuxWithSystemd() {
-  if (process.platform !== "linux") {
-    throw new Error("Systemd service install only supports Linux.");
-  }
-  try {
-    (0, import_node_child_process5.execFileSync)("systemctl", ["--version"], { stdio: "ignore" });
-  } catch {
-    throw new Error("systemctl is required but not found.");
-  }
-}
-function assertRootPrivileges() {
-  if (typeof process.getuid !== "function") {
-    return;
-  }
-  if (process.getuid() !== 0) {
-    throw new Error("Root privileges are required. Run with sudo.");
-  }
-}
-function ensureUserExists(runUser) {
-  runCommand("id", ["-u", runUser]);
-}
-function resolveUserGroup(runUser) {
-  return runCommand("id", ["-gn", runUser]).trim();
-}
-function runSystemctl(args) {
-  runCommand("systemctl", args);
-}
-function stopAndDisableIfPresent(unitName) {
-  runSystemctlIgnoreFailure(["disable", "--now", unitName]);
-}
-function runSystemctlIgnoreFailure(args) {
-  try {
-    runCommand("systemctl", args);
-  } catch {
-  }
-}
-function runCommand(file, args) {
-  try {
-    return (0, import_node_child_process5.execFileSync)(file, args, {
-      encoding: "utf8",
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-  } catch (error) {
-    throw new Error(formatCommandError(file, args, error), { cause: error });
-  }
-}
-function formatCommandError(file, args, error) {
-  const command = `${file} ${args.join(" ")}`.trim();
-  if (error && typeof error === "object") {
-    const maybeError = error;
-    const stderr = bufferToTrimmedString(maybeError.stderr);
-    const stdout = bufferToTrimmedString(maybeError.stdout);
-    const details = stderr || stdout || maybeError.message || "command failed";
-    return `Command failed: ${command}. ${details}`;
-  }
-  return `Command failed: ${command}. ${String(error)}`;
-}
-function bufferToTrimmedString(value) {
-  if (!value) {
-    return "";
-  }
-  const text = typeof value === "string" ? value : value.toString("utf8");
-  return text.trim();
-}
 // src/cli.ts
 var runtimeHome = null;
 var cliVersion = resolveCliVersion();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "codeharbor",
-  "version": "0.1.10",
+  "version": "0.1.11",
   "description": "Instant-messaging bridge for Codex CLI sessions",
   "license": "MIT",
   "main": "dist/cli.js",