npm - deepdebug-local-agent - Versions diffs - 1.0.19 → 1.0.20 - Mend

deepdebug-local-agent 1.0.19 → 1.0.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/Dockerfile CHANGED Viewed

@@ -2,7 +2,7 @@
 # ║          DeepDebug Local Agent - Enterprise Docker           ║
 # ║                                                              ║
 # ║  Security-hardened container for enterprise deployments      ║
-# ║  Supports: Kubernetes, OpenShift, Docker Compose             ║
+# ║  Supports: Cloud Run with NFS (GCP Filestore)                ║
 # ╚══════════════════════════════════════════════════════════════╝
 # ===========================================
@@ -12,14 +12,9 @@ FROM node:20-alpine AS builder
 WORKDIR /build
-# Copy package files first (better cache)
 COPY package*.json ./
-# Install dependencies (production only)
-# Using npm install instead of npm ci for repos without package-lock.json
 RUN npm install --omit=dev && npm cache clean --force
-# Copy source code
 COPY src/ ./src/
 # ===========================================
@@ -27,48 +22,69 @@ COPY src/ ./src/
 # ===========================================
 FROM node:20-alpine AS production
-# Security: Add labels for compliance
 LABEL org.opencontainers.image.title="DeepDebug Local Agent"
 LABEL org.opencontainers.image.description="Enterprise debugging agent for code analysis"
 LABEL org.opencontainers.image.vendor="InspTech AI"
-LABEL org.opencontainers.image.version="1.0.0"
+LABEL org.opencontainers.image.version="1.2.0"
 LABEL org.opencontainers.image.licenses="Proprietary"
 LABEL security.scan.required="true"
-# Security: Create non-root user
+# Create non-root user
 RUN addgroup -g 1001 -S deepdebug && \
     adduser -u 1001 -S deepdebug -G deepdebug
-# Security: Install security updates
+# Install dependencies including Java 17 for Maven wrapper support
 RUN apk update && \
     apk upgrade --no-cache && \
     apk add --no-cache \
         dumb-init \
         git \
         curl \
+        nfs-utils \
+        openjdk17-jdk \
     && rm -rf /var/cache/apk/*
+# Set JAVA_HOME so ./mvnw can find Java
+# Alpine stores JVM under java-17-openjdk with arch suffix - use readlink to resolve
+RUN ln -sf $(dirname $(dirname $(readlink -f $(which java)))) /usr/local/java-home
+ENV JAVA_HOME=/usr/local/java-home
+ENV PATH="$JAVA_HOME/bin:$PATH"
+# Create NFS mount point with correct ownership
+RUN mkdir -p /mnt/workspaces && \
+    chown deepdebug:deepdebug /mnt/workspaces
+# Install cloudflared for tunnel support (Vibe preview)
+RUN wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 \
+    -O /usr/local/bin/cloudflared && \
+    chmod +x /usr/local/bin/cloudflared && \
+    cloudflared --version
+# Install GitHub CLI (gh) for PR creation
+RUN wget -q https://github.com/cli/cli/releases/download/v2.63.2/gh_2.63.2_linux_amd64.tar.gz \
+    -O /tmp/gh.tar.gz && \
+    tar -xzf /tmp/gh.tar.gz -C /tmp && \
+    mv /tmp/gh_2.63.2_linux_amd64/bin/gh /usr/local/bin/gh && \
+    chmod +x /usr/local/bin/gh && \
+    rm -rf /tmp/gh* && \
+    gh --version
 WORKDIR /app
-# Copy from builder with correct ownership
 COPY --from=builder --chown=deepdebug:deepdebug /build/node_modules ./node_modules
 COPY --from=builder --chown=deepdebug:deepdebug /build/src ./src
 COPY --chown=deepdebug:deepdebug package*.json ./
-# Security: Switch to non-root user
 USER deepdebug
-# Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
     CMD curl -f http://localhost:5055/health || exit 1
-# Environment
 ENV NODE_ENV=production
 ENV PORT=5055
+ENV WORKSPACES_MOUNT=/mnt/workspaces
-# Expose port
 EXPOSE 5055
-# Security: Use dumb-init to handle signals properly
 ENTRYPOINT ["dumb-init", "--"]
 CMD ["node", "src/server.js"]

package/cloudbuild-agent-qa.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+steps:
+  # Step 1: Build Docker image
+  - name: 'gcr.io/cloud-builders/docker'
+    args:
+      - 'build'
+      - '--platform=linux/amd64'
+      - '-t'
+      - 'us-central1-docker.pkg.dev/insptechai/deepdebug-docker/local-agent-qa:latest'
+      - '.'
+    timeout: '600s'
+  # Step 2: Push to Artifact Registry
+  - name: 'gcr.io/cloud-builders/docker'
+    args:
+      - 'push'
+      - 'us-central1-docker.pkg.dev/insptechai/deepdebug-docker/local-agent-qa:latest'
+  # Step 3: Deploy to Cloud Run QA
+  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
+    entrypoint: 'gcloud'
+    args:
+      - 'run'
+      - 'deploy'
+      - 'deepdebug-local-agent-qa'
+      - '--image=us-central1-docker.pkg.dev/insptechai/deepdebug-docker/local-agent-qa:latest'
+      - '--region=us-central1'
+      - '--platform=managed'
+      - '--allow-unauthenticated'
+      - '--memory=1Gi'
+      - '--cpu=1'
+      - '--min-instances=1'
+      - '--max-instances=3'
+      - '--port=5055'
+      - '--timeout=300'
+      - '--update-env-vars=NODE_ENV=qa'
+images:
+  - 'us-central1-docker.pkg.dev/insptechai/deepdebug-docker/local-agent-qa:latest'
+options:
+  logging: CLOUD_LOGGING_ONLY
+timeout: '1200s'

package/docker-compose.yml CHANGED Viewed

@@ -52,8 +52,8 @@ services:
     # Volumes
     # ─────────────────────────────────────────
     volumes:
-      # Project source code (read-only for security)
-      - ${PROJECT_PATH:-/path/to/projects}:/workspace:ro
+      # Project source code - writable so agent can apply patches
+      - /Users/macintosh/IdeaProjects:/workspace
       # Temp directory for container writes
       - agent-tmp:/tmp

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "deepdebug-local-agent",
-  "version": "1.0.19",
+  "version": "1.0.20",
   "description": "DeepDebug Local Agent - AI-powered code debugging assistant",
   "private": false,
   "type": "module",

package/src/exec-utils.js CHANGED Viewed

@@ -1,10 +1,12 @@
 import { spawn } from "child_process";
 import stripAnsi from "strip-ansi";
-export function run(cmd, args, cwd, timeoutMs = 10 * 60 * 1000) {
+export function run(cmd, args, cwd, timeoutMs = 10 * 60 * 1000, env = null) {
     return new Promise((resolve) => {
         const start = Date.now();
-        const child = spawn(cmd, args, { cwd, shell: true });
+        const spawnOpts = { cwd, shell: true };
+        if (env) spawnOpts.env = env;
+        const child = spawn(cmd, args, spawnOpts);
         let stdout = "";
         let stderr = "";
         const timer = setTimeout(() => {
@@ -73,12 +75,95 @@ export async function compileAndTest({ language, buildTool, cwd, skipTests = fal
                 }
             }
+            // Fix for maven-compiler-plugin 3.8.1 + Java 17:
+            // plexus-compiler-javac 2.8.4 does not support --release 17.
+            // Workaround: disable the --release flag entirely and use -source/-target instead.
+            // Also pass JAVA_HOME explicitly so mvnw uses the correct JDK.
+            // Dynamically prepare Maven environment and fix common Java version issues
+            const fs2 = await import("fs");
+            const path2 = await import("path");
+            // 1. Detect Java version available
+            const javaHome = process.env.JAVA_HOME || "/usr/local/java-home";
+            const javacPath = `${javaHome}/bin/javac`;
+            const hasJavac = fs2.existsSync(javacPath);
+            const mavenEnv = {
+                ...process.env,
+                JAVA_HOME: javaHome,
+                PATH: `${javaHome}/bin:${process.env.PATH}`
+            };
+            console.log(`[BUILD] JAVA_HOME=${javaHome}, javac available=${hasJavac}`);
+            // 2. Detect Java version from javac
+            let javaVersion = 11; // default fallback
+            try {
+                const versionResult = await run(`${javaHome}/bin/java`, ["-version"], cwd, 5000, mavenEnv);
+                const versionOutput = versionResult.stdout + versionResult.stderr;
+                const match = versionOutput.match(/version "(\d+)/);
+                if (match) javaVersion = parseInt(match[1]);
+                console.log(`[BUILD] Detected Java version: ${javaVersion}`);
+            } catch {}
+            // 3. Patch pom.xml dynamically based on what's in it
+            const pomPath = path2.join(cwd, "pom.xml");
+            const javaCompatFlags = [];
+            if (fs2.existsSync(pomPath)) {
+                try {
+                    let pomContent = fs2.readFileSync(pomPath, "utf8");
+                    let patched = pomContent;
+                    // Detect configured java version in pom
+                    const javaVersionMatch = pomContent.match(/<java\.version>(\d+)<\/java\.version>/);
+                    const pomJavaVersion = javaVersionMatch ? parseInt(javaVersionMatch[1]) : javaVersion;
+                    console.log(`[BUILD] pom.xml java.version=${pomJavaVersion}`);
+                    // Detect maven-compiler-plugin version
+                    const compilerVersionMatch = pomContent.match(/<artifactId>maven-compiler-plugin<\/artifactId>\s*<version>([^<]+)<\/version>/);
+                    const compilerVersion = compilerVersionMatch ? compilerVersionMatch[1] : "unknown";
+                    console.log(`[BUILD] maven-compiler-plugin version=${compilerVersion}`);
+                    // If compiler plugin < 3.10 and java >= 17: upgrade to 3.11.0
+                    // (3.8.x uses plexus-compiler-javac 2.8.4 which doesn't support --release 17)
+                    const [compMajor, compMinor] = compilerVersion.split(".").map(Number);
+                    if (!isNaN(compMajor) && (compMajor < 3 || (compMajor === 3 && compMinor < 10)) && pomJavaVersion >= 17) {
+                        patched = patched.replace(
+                            new RegExp("(<artifactId>maven-compiler-plugin<\/artifactId>\\s*<version>)[^<]+(<\/version>)"),
+                            "$1" + "3.11.0" + "$2"
+                        );
+                        console.log(`[BUILD] Patched: maven-compiler-plugin ${compilerVersion} -> 3.11.0`);
+                    }
+                    // If pom uses <release> tag that might fail, replace with <source>/<target>
+                    if (pomContent.includes("<release>") && pomJavaVersion >= 17) {
+                        patched = patched.replace(
+                            /<release>\d+<\/release>/g,
+                            `<source>${pomJavaVersion}</source>
+					<target>${pomJavaVersion}</target>`
+                        );
+                        console.log(`[BUILD] Patched: replaced <release> with <source>/<target> for Java ${pomJavaVersion}`);
+                    }
+                    if (patched !== pomContent) {
+                        fs2.writeFileSync(pomPath, patched, "utf8");
+                        console.log("[BUILD] pom.xml patched successfully");
+                    } else {
+                        console.log("[BUILD] pom.xml no patches needed");
+                    }
+                } catch (patchErr) {
+                    console.warn("[BUILD] Could not patch pom.xml:", patchErr.message);
+                }
+            }
             const args = skipTests
-                ? ["compile", "-q", "-DskipTests"]
-                : ["test", "-q"];
+                ? ["compile", "-DskipTests", ...javaCompatFlags]
+                : ["test", ...javaCompatFlags];
             console.log(`[BUILD] [COMPILE] Running: ${mvnCmd} ${args.join(" ")}`);
-            result = await run(mvnCmd, args, cwd);
+            result = await run(mvnCmd, args, cwd, 10 * 60 * 1000, mavenEnv);
+            if (result.code !== 0) {
+                console.error("[ERR] [COMPILE] stdout:", result.stdout.substring(0, 2000));
+                console.error("[ERR] [COMPILE] stderr:", result.stderr.substring(0, 2000));
+            }
         }
         else if (language === "java" && buildTool === "gradle") {
             // Gradle: clean build

package/src/server.js CHANGED Viewed

@@ -5,7 +5,7 @@ import path from "path";
 import os from "os";
 import fs from "fs";
 const fsPromises = fs.promises;
-import { exec } from "child_process";
+import { exec, spawn } from "child_process";
 import { promisify } from "util";
 import { EventEmitter } from "events";
 import { exists, listRecursive, readFile, writeFile } from "./fs-utils.js";
@@ -24,6 +24,7 @@ import { DTOAnalyzer } from "./analyzers/dto-analyzer.js";
 import { ConfigAnalyzer } from "./analyzers/config-analyzer.js";
 import { WorkspaceManager } from "./workspace-manager.js";
 import { startMCPHttpServer } from "./mcp-http-server.js";
+import { registerVercelRoutes } from "./vercel-proxy.js";
 const execAsync = promisify(exec);
@@ -545,24 +546,49 @@ const app = express();
 //  FIXED: Support Cloud Run PORT environment variable (GCP uses PORT)
 const PORT = process.env.PORT || process.env.LOCAL_AGENT_PORT || 5055;
-//  FIXED: Allow CORS from Cloud Run and local development
+// CORS - Allow from Cloud Run, local dev, and Lovable frontend domains
 app.use(cors({
-    origin: [
-        "http://localhost:3010",
-        "http://localhost:3000",
-        "http://localhost:8085",
-        "http://127.0.0.1:3010",
-        "http://127.0.0.1:3000",
-        "http://127.0.0.1:8085",
-        // Cloud Run URLs (regex patterns)
-        /https:\/\/.*\.run\.app$/,
-        /https:\/\/.*\.web\.app$/,
-        // Production frontend
-        "https://deepdebug.ai",
-        "https://www.deepdebug.ai"
-    ],
+    origin: function(origin, callback) {
+        // Allow requests with no origin (curl, mobile apps, server-to-server)
+        if (!origin) return callback(null, true);
+        const allowed = [
+            // Local development
+            "http://localhost:3010",
+            "http://localhost:3000",
+            "http://localhost:8085",
+            "http://127.0.0.1:3010",
+            "http://127.0.0.1:3000",
+            "http://127.0.0.1:8085",
+        ];
+        const allowedPatterns = [
+            /https:\/\/.*\.run\.app$/,          // Cloud Run
+            /https:\/\/.*\.web\.app$/,           // Firebase hosting
+            /https:\/\/.*\.lovable\.app$/,       // Lovable preview
+            /https:\/\/.*\.lovableproject\.com$/, // Lovable project domains
+            /https:\/\/.*\.netlify\.app$/,       // Netlify
+            /https:\/\/.*\.vercel\.app$/,        // Vercel
+            /https:\/\/deepdebug\.ai$/,           // Production
+            /https:\/\/.*\.deepdebug\.ai$/,      // Production subdomains
+        ];
+        if (allowed.includes(origin) || allowedPatterns.some(p => p.test(origin))) {
+            return callback(null, true);
+        }
+        // In development/QA, log and allow unknown origins instead of blocking
+        const env = process.env.NODE_ENV || 'development';
+        if (env !== 'production') {
+            console.warn(`CORS: allowing unknown origin in non-prod: ${origin}`);
+            return callback(null, true);
+        }
+        console.warn(`CORS: blocked origin: ${origin}`);
+        return callback(new Error(`CORS: origin ${origin} not allowed`));
+    },
     methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
-    allowedHeaders: ["Content-Type", "Authorization", "X-Tenant-ID"],
+    allowedHeaders: ["Content-Type", "Authorization", "X-Tenant-ID", "X-User-ID"],
     credentials: true
 }));
@@ -573,7 +599,9 @@ app.use(bodyParser.json({ limit: "50mb" }));
 //  DEFAULT WORKSPACE - Define o workspace padro
 // Pode ser sobrescrito via varivel de ambiente ou POST /workspace/open
-const DEFAULT_WORKSPACE = process.env.DEFAULT_WORKSPACE || '/Users/macintosh/IdeaProjects/pure-core-ms';
+const DEFAULT_WORKSPACE = process.env.WORKSPACE_ROOT
+    || process.env.DEFAULT_WORKSPACE
+    || '/Users/macintosh/IdeaProjects/pure-core-ms';
 let WORKSPACE_ROOT = fs.existsSync(DEFAULT_WORKSPACE) ? DEFAULT_WORKSPACE : null;
 if (WORKSPACE_ROOT) {
@@ -622,7 +650,19 @@ aiEngine = new AIVibeCodingEngine(processManager, () => WORKSPACE_ROOT);
 // ============================================
 const BACKUPS = new Map();
 const MAX_BACKUPS = 50;
-const BACKUP_INDEX_PATH = path.join(os.tmpdir(), 'deepdebug-backups-index.json');
+// Store backup index on NFS Filestore so it survives container restarts
+// Falls back to /tmp if NFS is not mounted (local dev)
+const NFS_BACKUPS_DIR = process.env.WORKSPACE_MOUNT || '/mnt/workspaces';
+const NFS_BACKUP_INDEX = path.join(NFS_BACKUPS_DIR, '.deepdebug-backups-index.json');
+const BACKUP_INDEX_PATH = (() => {
+    try {
+        if (fs.existsSync(NFS_BACKUPS_DIR)) {
+            return NFS_BACKUP_INDEX;
+        }
+    } catch {}
+    return path.join(os.tmpdir(), 'deepdebug-backups-index.json');
+})();
+console.log(`[BACKUPS] Index path: ${BACKUP_INDEX_PATH}`);
 /**
  * Persist backup index to disk so diffs survive server restarts.
@@ -884,11 +924,15 @@ app.post("/workspace/clone", async (req, res) => {
     const tenantId    = body.tenantId;
     const workspaceId = body.workspaceId;
     const gitToken    = body.gitToken;
-    const branch      = body.branch;
+    // Accept gitBranch (onboarding frontend) OR branch (legacy)
+    const branch      = body.branch || body.gitBranch;
+    // Accept gitProvider (onboarding frontend) for auth URL construction
+    const gitProvider = body.gitProvider || (gitUrl && gitUrl.includes('bitbucket') ? 'bitbucket' : gitUrl && gitUrl.includes('gitlab') ? 'gitlab' : 'github');
     if (!gitUrl) return res.status(400).json({ ok: false, error: "gitUrl is required" });
-    const repoName = gitUrl.split('/').pop().replace('.git', '');
+    // Strip ALL trailing .git suffixes (handles accidental double .git.git from frontend)
+    const repoName = gitUrl.split('/').pop().replace(/\.git$/i, '').replace(/\.git$/i, '');
     const NFS_MOUNT = '/mnt/workspaces';
     let absTarget;
@@ -903,17 +947,22 @@ app.post("/workspace/clone", async (req, res) => {
         console.log(`[clone] Using fallback path: ${absTarget}`);
     }
-    let authenticatedUrl = gitUrl;
-    if (gitToken && gitUrl.startsWith('https://') && !gitUrl.includes('@')) {
-        if (gitUrl.includes('bitbucket.org')) {
-            authenticatedUrl = gitUrl.replace('https://', `https://x-token-auth:${gitToken}@`);
-        } else if (gitUrl.includes('gitlab.com')) {
-            authenticatedUrl = gitUrl.replace('https://', `https://oauth2:${gitToken}@`);
+    // Clean the gitUrl before using it (strip accidental double .git suffix)
+    const cleanGitUrl = gitUrl.replace(/\.git\.git$/i, '.git');
+    let authenticatedUrl = cleanGitUrl;
+    if (gitToken && cleanGitUrl.startsWith('https://') && !cleanGitUrl.includes('@')) {
+        const providerLower = (gitProvider || '').toLowerCase();
+        if (providerLower === 'bitbucket' || cleanGitUrl.includes('bitbucket.org')) {
+            authenticatedUrl = cleanGitUrl.replace('https://', `https://x-token-auth:${gitToken}@`);
+        } else if (providerLower === 'gitlab' || cleanGitUrl.includes('gitlab.com')) {
+            authenticatedUrl = cleanGitUrl.replace('https://', `https://oauth2:${gitToken}@`);
         } else {
-            authenticatedUrl = gitUrl.replace('https://', `https://x-access-token:${gitToken}@`);
+            // github or any other provider
+            authenticatedUrl = cleanGitUrl.replace('https://', `https://x-access-token:${gitToken}@`);
         }
     }
-    console.log(`Clone request: ${gitUrl} -> ${absTarget}`);
+    console.log(`Clone request: ${cleanGitUrl} -> ${absTarget}`);
     try {
         // Ensure parent directory exists
@@ -1049,7 +1098,7 @@ app.get("/workspace/file-content", async (req, res) => {
 /** Escreve/salva conteudo de arquivo no workspace */
 app.post("/workspace/write-file", async (req, res) => {
-    const workspaceRoot = getEffectiveRoot(req);
+    const workspaceRoot = resolveWorkspaceRoot(req);
     if (!workspaceRoot) return res.status(400).json({ error: "workspace not set" });
     const { path: relativePath, content: fileContent } = req.body || {};
@@ -1653,7 +1702,9 @@ app.post("/workspace/write", async (req, res) => {
     const { path: rel, content } = req.body || {};
     if (!rel) return res.status(400).json({ error: "path is required" });
     try {
-        await writeFile(path.join(wsRoot, rel), content ?? "", "utf8");
+        const fullPath = path.join(wsRoot, rel);
+        await fsPromises.mkdir(path.dirname(fullPath), { recursive: true });
+        await writeFile(fullPath, content ?? "", "utf8");
         res.json({ ok: true, path: rel, bytes: Buffer.byteLength(content ?? "", "utf8") });
     } catch (e) {
         res.status(400).json({ error: "write failed", details: String(e) });
@@ -1795,23 +1846,29 @@ app.post("/workspace/test-local/compile", async (req, res) => {
             skipTests: true
         });
-        if (!compileResult.success) {
-            TEST_LOCAL_STATE.status = "error";
+        // Support both formats:
+        // - new format: { success, code, steps[] } from updated exec-utils.js
+        // - legacy format: { code, stdout, stderr } from older exec-utils.js
+        const isSuccess = compileResult.success !== undefined
+            ? compileResult.success
+            : compileResult.code === 0;
+        const errorOutput = compileResult.steps
+            ? compileResult.steps.map(s => s.stderr || '').filter(Boolean).join('\n').trim()
+            : (compileResult.stderr || '');
-            const errorOutput = (compileResult.steps || [])
-                .map(s => s.stderr || '')
-                .filter(Boolean)
-                .join('\n')
-                .trim();
+        const stdoutOutput = compileResult.steps
+            ? compileResult.steps.map(s => s.stdout || '').filter(Boolean).join('\n').trim()
+            : (compileResult.stdout || '');
-            const stdoutOutput = (compileResult.steps || [])
-                .map(s => s.stdout || '')
-                .filter(Boolean)
-                .join('\n')
-                .trim();
+        const totalDuration = compileResult.steps
+            ? compileResult.steps.reduce((sum, s) => sum + (s.duration || 0), 0)
+            : (compileResult.duration || 0);
-            const totalDuration = (compileResult.steps || [])
-                .reduce((sum, s) => sum + (s.duration || 0), 0);
+        if (!isSuccess) {
+            TEST_LOCAL_STATE.status = "error";
+            console.error("[TEST-LOCAL] Compilation failed. stderr:", errorOutput.substring(0, 500));
+            console.error("[TEST-LOCAL] Compilation failed. stdout:", stdoutOutput.substring(0, 500));
             TEST_LOCAL_STATE.compilationResult = {
                 success: false,
@@ -1828,9 +1885,6 @@ app.post("/workspace/test-local/compile", async (req, res) => {
             });
         }
-        const totalDuration = (compileResult.steps || [])
-            .reduce((sum, s) => sum + (s.duration || 0), 0);
         TEST_LOCAL_STATE.status = "compiled";
         TEST_LOCAL_STATE.compilationResult = {
             success: true,
@@ -1846,7 +1900,7 @@ app.post("/workspace/test-local/compile", async (req, res) => {
             language: meta.language,
             buildTool: meta.buildTool,
             duration: totalDuration,
-            stdout: (compileResult.steps || []).map(s => s.stdout || '').filter(Boolean).join('\n').trim()
+            stdout: stdoutOutput
         });
     } catch (err) {
         console.error("[TEST-LOCAL] Compilation failed:", err.message);
@@ -2367,8 +2421,9 @@ app.post("/workspace/safe-patch", async (req, res) => {
             incidentId: incidentId || null
         });
-        // Save backup files to disk for persistence across restarts
-        const backupDir = path.join(os.tmpdir(), 'deepdebug-backups', backupId);
+        // Save backup files to NFS Filestore for persistence across container restarts
+        const backupsBase = fs.existsSync(NFS_BACKUPS_DIR) ? path.join(NFS_BACKUPS_DIR, '.deepdebug-backups') : path.join(os.tmpdir(), 'deepdebug-backups');
+        const backupDir = path.join(backupsBase, backupId);
         try {
             await fsPromises.mkdir(backupDir, { recursive: true });
             for (const file of backupFiles) {
@@ -5858,14 +5913,24 @@ app.post("/workspace/test-local/run-single", async (req, res) => {
     try {
         const meta = await detectProject(wsRoot);
+        // Build JAVA_HOME env (same fix as compile endpoint)
+        const javaHome = process.env.JAVA_HOME || "/usr/local/java-home";
+        const mavenEnv = {
+            ...process.env,
+            JAVA_HOME: javaHome,
+            PATH: `${javaHome}/bin:${process.env.PATH}`
+        };
         let result;
         if (meta.buildTool === 'maven') {
-            // mvn test -Dtest=ClassName -q (sem clean para ser mais rapido)
-            result = await run('mvn', ['test', `-Dtest=${resolvedClass}`, '-q'], wsRoot);
+            // Prefer ./mvnw wrapper, pass JAVA_HOME env
+            const hasMvnw = fs.existsSync(path.join(wsRoot, 'mvnw'));
+            const mvnCmd = hasMvnw ? './mvnw' : 'mvn';
+            result = await run(mvnCmd, ['test', `-Dtest=${resolvedClass}`, '-DskipTests=false'], wsRoot, 3 * 60 * 1000, mavenEnv);
         } else if (meta.buildTool === 'gradle') {
             const gradleCmd = fs.existsSync(path.join(wsRoot, 'gradlew')) ? './gradlew' : 'gradle';
-            result = await run(gradleCmd, ['test', '--tests', `*.${resolvedClass}`], wsRoot);
+            result = await run(gradleCmd, ['test', '--tests', `*.${resolvedClass}`], wsRoot, 3 * 60 * 1000, mavenEnv);
         } else if (meta.language === 'node') {
             result = await run('npx', ['jest', resolvedClass, '--no-coverage'], wsRoot);
         } else {
@@ -5931,6 +5996,320 @@ app.post("/workspace/test-local/run-single", async (req, res) => {
     }
 });
+// ============================================
+// SPRINT 1 - S1-T4: Session Isolation via Git Worktree
+// ============================================
+/**
+ * POST /workspace/session/create
+ *
+ * Creates an isolated git worktree for a session.
+ * Each session gets its own directory and branch - zero collision between parallel sessions.
+ *
+ * Body: { sessionId, branchName, tenantId }
+ * Response: { ok, sessionId, worktreePath, branchName }
+ */
+app.post("/workspace/session/create", async (req, res) => {
+    const wsRoot = resolveWorkspaceRoot(req);
+    if (!wsRoot) return res.status(400).json({ ok: false, error: "workspace not set" });
+    const { sessionId, branchName, tenantId } = req.body || {};
+    if (!sessionId) return res.status(400).json({ ok: false, error: "sessionId is required" });
+    const safeBranch = (branchName || `session-${sessionId}`).replace(/[^a-zA-Z0-9/_-]/g, "-").toLowerCase();
+    const tenantPart = tenantId || path.basename(path.dirname(wsRoot));
+    // Sessions dir: /mnt/workspaces/{tenantId}/sessions/{sessionId}
+    const sessionsBase = path.join(path.dirname(wsRoot), "sessions");
+    const worktreePath = path.join(sessionsBase, sessionId);
+    console.log(`[SESSION] Creating worktree: ${worktreePath} (branch: ${safeBranch})`);
+    try {
+        await fsPromises.mkdir(sessionsBase, { recursive: true });
+        // Remove stale worktree if exists
+        if (fs.existsSync(worktreePath)) {
+            console.log(`[SESSION] Removing stale worktree: ${worktreePath}`);
+            await execAsync(`git worktree remove --force "${worktreePath}"`, { cwd: wsRoot }).catch(() => {});
+            await fsPromises.rm(worktreePath, { recursive: true, force: true }).catch(() => {});
+        }
+        // Create new worktree with new branch
+        await execAsync(`git worktree add "${worktreePath}" -b "${safeBranch}"`, { cwd: wsRoot });
+        console.log(`[SESSION] Worktree created: ${worktreePath}`);
+        return res.json({
+            ok: true,
+            sessionId,
+            worktreePath,
+            branchName: safeBranch
+        });
+    } catch (err) {
+        console.error(`[SESSION] Failed to create worktree: ${err.message}`);
+        // Fallback: return main workspace path (no isolation but no crash)
+        return res.status(500).json({
+            ok: false,
+            sessionId,
+            worktreePath: wsRoot,
+            branchName: safeBranch,
+            error: err.message,
+            fallback: true
+        });
+    }
+});
+/**
+ * DELETE /workspace/session/:sessionId
+ *
+ * Removes a session worktree and its branch.
+ * Called after PR is created or session times out.
+ *
+ * Query: ?tenantId=xxx
+ */
+app.delete("/workspace/session/:sessionId", async (req, res) => {
+    const wsRoot = resolveWorkspaceRoot(req);
+    if (!wsRoot) return res.status(400).json({ ok: false, error: "workspace not set" });
+    const { sessionId } = req.params;
+    const sessionsBase = path.join(path.dirname(wsRoot), "sessions");
+    const worktreePath = path.join(sessionsBase, sessionId);
+    console.log(`[SESSION] Removing worktree: ${worktreePath}`);
+    try {
+        if (fs.existsSync(worktreePath)) {
+            await execAsync(`git worktree remove --force "${worktreePath}"`, { cwd: wsRoot }).catch(() => {});
+            await fsPromises.rm(worktreePath, { recursive: true, force: true }).catch(() => {});
+        }
+        // Clean up branch
+        const branchName = `session-${sessionId}`;
+        await execAsync(`git branch -D "${branchName}"`, { cwd: wsRoot }).catch(() => {});
+        console.log(`[SESSION] Worktree removed: ${worktreePath}`);
+        return res.json({ ok: true, sessionId, removed: worktreePath });
+    } catch (err) {
+        console.error(`[SESSION] Failed to remove worktree: ${err.message}`);
+        return res.status(500).json({ ok: false, sessionId, error: err.message });
+    }
+});
+/**
+ * GET /workspace/session/:sessionId/status
+ *
+ * Returns status of a session worktree.
+ */
+app.get("/workspace/session/:sessionId/status", async (req, res) => {
+    const wsRoot = resolveWorkspaceRoot(req);
+    if (!wsRoot) return res.status(400).json({ ok: false, error: "workspace not set" });
+    const { sessionId } = req.params;
+    const sessionsBase = path.join(path.dirname(wsRoot), "sessions");
+    const worktreePath = path.join(sessionsBase, sessionId);
+    const exists = fs.existsSync(worktreePath);
+    return res.json({
+        ok: true,
+        sessionId,
+        worktreePath,
+        exists
+    });
+});
+// ============================================
+// FASE 5 - ENV MANAGER + PREVIEW TUNNEL
+// State: active vibe environments per sessionId
+// ============================================
+const vibeEnvs = new Map(); // sessionId -> { port, pid, serviceId, tunnelUrl, tunnelPid, worktreePath, status }
+function findFreePort(min = 9000, max = 9999) {
+    const used = new Set([...vibeEnvs.values()].map(e => e.port));
+    for (let p = min; p <= max; p++) {
+        if (!used.has(p)) return p;
+    }
+    throw new Error('No free ports available in range 9000-9999');
+}
+/**
+ * POST /workspace/vibe/env/start
+ *
+ * Compiles (if needed) and starts the service on a dynamic port.
+ * Body: { sessionId, worktreePath }
+ * Response: { ok, port, serviceId, readyUrl }
+ */
+app.post("/workspace/vibe/env/start", async (req, res) => {
+    const { sessionId, worktreePath } = req.body || {};
+    if (!sessionId || !worktreePath) {
+        return res.status(400).json({ ok: false, error: "sessionId and worktreePath required" });
+    }
+    if (vibeEnvs.has(sessionId)) {
+        const env = vibeEnvs.get(sessionId);
+        return res.json({ ok: true, port: env.port, serviceId: env.serviceId, readyUrl: `http://localhost:${env.port}`, alreadyRunning: true });
+    }
+    try {
+        const port = findFreePort();
+        const serviceId = `vibe-${sessionId}`;
+        const meta = await detectProject(worktreePath);
+        let startConfig;
+        if (meta.language === 'java') {
+            const targetDir = path.join(worktreePath, 'target');
+            let jarPath = null;
+            if (fs.existsSync(targetDir)) {
+                const jars = fs.readdirSync(targetDir).filter(f =>
+                    f.endsWith('.jar') && !f.endsWith('.original') &&
+                    !f.includes('-sources') && !f.includes('-javadoc'));
+                if (jars.length > 0) jarPath = path.join(targetDir, jars[0]);
+            }
+            if (!jarPath) {
+                return res.status(400).json({ ok: false, error: "No JAR found. Run compile_project first." });
+            }
+            const cleanEnv = { ...process.env };
+            Object.keys(cleanEnv).forEach(k => { if (k.startsWith('SPRING_')) delete cleanEnv[k]; });
+            cleanEnv.SERVER_PORT = String(port);
+            cleanEnv.PORT = String(port);
+            startConfig = { command: 'java', args: ['-jar', jarPath, `--server.port=${port}`], cwd: worktreePath, port, env: cleanEnv };
+        } else if (meta.language === 'node' || meta.language === 'javascript') {
+            startConfig = { command: 'node', args: ['index.js'], cwd: worktreePath, port, env: { ...process.env, PORT: String(port) } };
+        } else {
+            return res.status(400).json({ ok: false, error: `Unsupported language: ${meta.language}` });
+        }
+        vibeEnvs.set(sessionId, { port, serviceId, tunnelUrl: null, tunnelPid: null, worktreePath, status: 'starting' });
+        await processManager.start(serviceId, startConfig);
+        vibeEnvs.get(sessionId).status = 'running';
+        console.log(`[VIBE-ENV] Started ${serviceId} on port ${port}`);
+        return res.json({ ok: true, port, serviceId, readyUrl: `http://localhost:${port}` });
+    } catch (err) {
+        console.error(`[VIBE-ENV] Start failed: ${err.message}`);
+        vibeEnvs.delete(sessionId);
+        return res.status(500).json({ ok: false, error: err.message });
+    }
+});
+/**
+ * POST /workspace/vibe/env/stop
+ *
+ * Stops the service and tunnel for a session.
+ * Body: { sessionId }
+ */
+app.post("/workspace/vibe/env/stop", async (req, res) => {
+    const { sessionId } = req.body || {};
+    if (!sessionId) return res.status(400).json({ ok: false, error: "sessionId required" });
+    const env = vibeEnvs.get(sessionId);
+    if (!env) return res.json({ ok: true, message: "Not running" });
+    try {
+        await processManager.stop(env.serviceId);
+        if (env.tunnelPid) {
+            try { process.kill(env.tunnelPid, 'SIGTERM'); } catch (_) {}
+        }
+        vibeEnvs.delete(sessionId);
+        console.log(`[VIBE-ENV] Stopped ${env.serviceId}`);
+        return res.json({ ok: true });
+    } catch (err) {
+        return res.status(500).json({ ok: false, error: err.message });
+    }
+});
+/**
+ * GET /workspace/vibe/env/status/:sessionId
+ *
+ * Returns current status of a vibe environment.
+ */
+app.get("/workspace/vibe/env/status/:sessionId", async (req, res) => {
+    const { sessionId } = req.params;
+    const env = vibeEnvs.get(sessionId);
+    if (!env) return res.json({ ok: true, status: 'stopped', sessionId });
+    return res.json({ ok: true, sessionId, status: env.status, port: env.port, serviceId: env.serviceId, tunnelUrl: env.tunnelUrl, readyUrl: `http://localhost:${env.port}` });
+});
+/**
+ * POST /workspace/vibe/tunnel/start
+ *
+ * Starts a cloudflared tunnel for a vibe environment.
+ * Body: { sessionId }
+ * Response: { ok, tunnelUrl }
+ *
+ * Downloads cloudflared binary automatically if not present.
+ */
+app.post("/workspace/vibe/tunnel/start", async (req, res) => {
+    const { sessionId } = req.body || {};
+    if (!sessionId) return res.status(400).json({ ok: false, error: "sessionId required" });
+    const env = vibeEnvs.get(sessionId);
+    if (!env) return res.status(404).json({ ok: false, error: "Environment not running. Call /vibe/env/start first." });
+    if (env.tunnelUrl) return res.json({ ok: true, tunnelUrl: env.tunnelUrl, alreadyRunning: true });
+    try {
+        // Resolve cloudflared binary path
+        const cfDir = path.join(process.env.HOME || '/tmp', '.deepdebug', 'bin');
+        const cfPath = path.join(cfDir, 'cloudflared');
+        // Download if missing
+        if (!fs.existsSync(cfPath)) {
+            fs.mkdirSync(cfDir, { recursive: true });
+            const arch = process.arch === 'arm64' ? 'arm64' : 'amd64';
+            const platform = process.platform === 'darwin' ? 'darwin' : 'linux';
+            const url = `https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-${platform}-${arch}`;
+            console.log(`[VIBE-TUNNEL] Downloading cloudflared from ${url}...`);
+            await execAsync(`curl -fsSL "${url}" -o "${cfPath}" && chmod +x "${cfPath}"`);
+            console.log(`[VIBE-TUNNEL] cloudflared downloaded to ${cfPath}`);
+        }
+        // Start tunnel
+        const tunnelProcess = spawn(cfPath, ['tunnel', '--url', `http://localhost:${env.port}`], {
+            stdio: ['ignore', 'pipe', 'pipe'],
+            detached: false
+        });
+        env.tunnelPid = tunnelProcess.pid;
+        env.status = 'tunneling';
+        // Capture tunnel URL from stdout/stderr
+        const tunnelUrl = await new Promise((resolve, reject) => {
+            const timeout = setTimeout(() => reject(new Error('Tunnel URL not found within 30s')), 30000);
+            const handler = (data) => {
+                const text = data.toString();
+                const match = text.match(/https:\/\/[a-zA-Z0-9-]+\.trycloudflare\.com/);
+                if (match) {
+                    clearTimeout(timeout);
+                    tunnelProcess.stdout.off('data', handler);
+                    tunnelProcess.stderr.off('data', handler);
+                    resolve(match[0]);
+                }
+            };
+            tunnelProcess.stdout.on('data', handler);
+            tunnelProcess.stderr.on('data', handler);
+            tunnelProcess.on('error', (err) => { clearTimeout(timeout); reject(err); });
+        });
+        env.tunnelUrl = tunnelUrl;
+        console.log(`[VIBE-TUNNEL] Tunnel started: ${tunnelUrl}`);
+        return res.json({ ok: true, tunnelUrl });
+    } catch (err) {
+        console.error(`[VIBE-TUNNEL] Failed: ${err.message}`);
+        return res.status(500).json({ ok: false, error: err.message });
+    }
+});
+/**
+ * DELETE /workspace/vibe/tunnel/:sessionId
+ *
+ * Stops only the tunnel (keeps service running).
+ */
+app.delete("/workspace/vibe/tunnel/:sessionId", async (req, res) => {
+    const { sessionId } = req.params;
+    const env = vibeEnvs.get(sessionId);
+    if (!env || !env.tunnelPid) return res.json({ ok: true, message: "No tunnel running" });
+    try {
+        process.kill(env.tunnelPid, 'SIGTERM');
+        env.tunnelPid = null;
+        env.tunnelUrl = null;
+        env.status = 'running';
+        return res.json({ ok: true });
+    } catch (err) {
+        return res.status(500).json({ ok: false, error: err.message });
+    }
+});
+// ============================================
+// VERCEL PROXY ROUTES
+// ============================================
+registerVercelRoutes(app);
 // ============================================
 // START SERVER

package/src/vercel-proxy.js ADDED Viewed

@@ -0,0 +1,226 @@
+/**
+ * vercel-proxy.js
+ *
+ * Proxy module for Vercel API calls from the Local Agent.
+ * The Gateway (Cloud Run) cannot reach api.vercel.com directly due to egress rules.
+ * All Vercel API calls are routed through the Agent which has unrestricted outbound access.
+ *
+ * Endpoints registered in server.js:
+ *   POST /vercel/projects/ensure   - Create project if not exists, return projectId
+ *   POST /vercel/deploy            - Trigger a deployment, return { deploymentId, previewUrl }
+ *   GET  /vercel/deploy/:id/status - Poll deployment status
+ *   GET  /vercel/projects          - List all projects
+ *
+ * All endpoints require { token } in body or query param.
+ */
+const VERCEL_API = "https://api.vercel.com";
+/**
+ * Make an authenticated request to the Vercel API.
+ */
+async function vercelRequest(method, path, token, body = null) {
+    const opts = {
+        method,
+        headers: {
+            "Authorization": `Bearer ${token}`,
+            "Content-Type": "application/json"
+        }
+    };
+    if (body) opts.body = JSON.stringify(body);
+    const res = await fetch(`${VERCEL_API}${path}`, opts);
+    const text = await res.text();
+    let data;
+    try {
+        data = JSON.parse(text);
+    } catch {
+        data = { raw: text };
+    }
+    if (!res.ok) {
+        const errMsg = data?.error?.message || data?.message || text;
+        throw new Error(`Vercel API ${method} ${path} -> ${res.status}: ${errMsg}`);
+    }
+    return data;
+}
+/**
+ * Ensure a Vercel project exists.
+ * Creates it if missing, returns the project ID.
+ */
+async function ensureProject(token, projectName, repoOwner, repoName, framework) {
+    // Try to get existing project
+    try {
+        const existing = await vercelRequest("GET", `/v9/projects/${projectName}`, token);
+        console.log(`[Vercel] Project exists: ${projectName} (${existing.id})`);
+        return existing.id;
+    } catch (err) {
+        if (!err.message.includes("404")) throw err;
+    }
+    // Create project
+    console.log(`[Vercel] Creating project: ${projectName}`);
+    const body = {
+        name: projectName,
+        gitRepository: {
+            type: "github",
+            repo: `${repoOwner}/${repoName}`
+        }
+    };
+    if (framework) body.framework = framework;
+    const created = await vercelRequest("POST", "/v9/projects", token, body);
+    console.log(`[Vercel] Project created: ${projectName} (${created.id})`);
+    return created.id;
+}
+/**
+ * Trigger a deployment for a project.
+ */
+async function triggerDeploy(token, projectId, projectName, repoId, branch) {
+    console.log(`[Vercel] Triggering deploy: project=${projectName} branch=${branch}`);
+    const body = {
+        name: projectName,
+        target: "preview",
+        gitSource: {
+            type: "github",
+            repoId: String(repoId),
+            ref: branch || "main"
+        }
+    };
+    const deployment = await vercelRequest("POST", "/v13/deployments", token, body);
+    const previewUrl = `https://${deployment.url}`;
+    console.log(`[Vercel] Deploy triggered: ${deployment.id} -> ${previewUrl}`);
+    return {
+        deploymentId: deployment.id,
+        previewUrl,
+        status: deployment.readyState || "INITIALIZING",
+        projectId,
+        projectName
+    };
+}
+/**
+ * Get deployment status.
+ */
+async function getDeployStatus(token, deploymentId) {
+    const d = await vercelRequest("GET", `/v13/deployments/${deploymentId}`, token);
+    return {
+        deploymentId: d.id,
+        status: d.readyState,
+        previewUrl: `https://${d.url}`,
+        errorMessage: d.errorMessage || null,
+        ready: d.readyState === "READY",
+        failed: d.readyState === "ERROR" || d.readyState === "CANCELED"
+    };
+}
+/**
+ * List all projects.
+ */
+async function listProjects(token) {
+    const data = await vercelRequest("GET", "/v9/projects?limit=20", token);
+    return (data.projects || []).map(p => ({
+        id: p.id,
+        name: p.name,
+        framework: p.framework,
+        updatedAt: p.updatedAt,
+        latestDeploy: p.latestDeployments?.[0]?.url
+            ? `https://${p.latestDeployments[0].url}`
+            : null
+    }));
+}
+/**
+ * Register Vercel proxy routes on the Express app.
+ *
+ * @param {import('express').Application} app
+ */
+export function registerVercelRoutes(app) {
+    /**
+     * POST /vercel/projects/ensure
+     * Body: { token, projectName, repoOwner, repoName, framework? }
+     * Response: { ok, projectId }
+     */
+    app.post("/vercel/projects/ensure", async (req, res) => {
+        const { token, projectName, repoOwner, repoName, framework } = req.body || {};
+        if (!token || !projectName || !repoOwner || !repoName) {
+            return res.status(400).json({ ok: false, error: "token, projectName, repoOwner, repoName required" });
+        }
+        try {
+            const projectId = await ensureProject(token, projectName, repoOwner, repoName, framework);
+            return res.json({ ok: true, projectId, projectName });
+        } catch (err) {
+            console.error(`[Vercel] ensureProject failed: ${err.message}`);
+            return res.status(500).json({ ok: false, error: err.message });
+        }
+    });
+    /**
+     * POST /vercel/deploy
+     * Body: { token, projectId, projectName, repoOwner, repoName, branch? }
+     * Note: repoId is fetched automatically from GitHub API if not provided.
+     * Response: { ok, deploymentId, previewUrl, status }
+     */
+    app.post("/vercel/deploy", async (req, res) => {
+        const { token, projectId, projectName, repoOwner, repoName, branch } = req.body || {};
+        if (!token || !projectId || !projectName || !repoOwner || !repoName) {
+            return res.status(400).json({ ok: false, error: "token, projectId, projectName, repoOwner, repoName required" });
+        }
+        try {
+            // Fetch repoId from GitHub API
+            const ghRes = await fetch(`https://api.github.com/repos/${repoOwner}/${repoName}`);
+            if (!ghRes.ok) throw new Error(`GitHub repo not found: ${repoOwner}/${repoName}`);
+            const ghData = await ghRes.json();
+            const repoId = ghData.id;
+            const result = await triggerDeploy(token, projectId, projectName, repoId, branch);
+            return res.json({ ok: true, ...result });
+        } catch (err) {
+            console.error(`[Vercel] deploy failed: ${err.message}`);
+            return res.status(500).json({ ok: false, error: err.message });
+        }
+    });
+    /**
+     * GET /vercel/deploy/:deploymentId/status?token=xxx
+     * Response: { ok, deploymentId, status, previewUrl, ready, failed }
+     */
+    app.get("/vercel/deploy/:deploymentId/status", async (req, res) => {
+        const { deploymentId } = req.params;
+        const token = req.query.token;
+        if (!token) return res.status(400).json({ ok: false, error: "token query param required" });
+        try {
+            const result = await getDeployStatus(token, deploymentId);
+            return res.json({ ok: true, ...result });
+        } catch (err) {
+            console.error(`[Vercel] status check failed: ${err.message}`);
+            return res.status(500).json({ ok: false, error: err.message });
+        }
+    });
+    /**
+     * GET /vercel/projects?token=xxx
+     * Response: { ok, projects[] }
+     */
+    app.get("/vercel/projects", async (req, res) => {
+        const token = req.query.token;
+        if (!token) return res.status(400).json({ ok: false, error: "token query param required" });
+        try {
+            const projects = await listProjects(token);
+            return res.json({ ok: true, projects });
+        } catch (err) {
+            console.error(`[Vercel] listProjects failed: ${err.message}`);
+            return res.status(500).json({ ok: false, error: err.message });
+        }
+    });
+    console.log("[Vercel] Proxy routes registered: /vercel/projects/ensure, /vercel/deploy, /vercel/deploy/:id/status, /vercel/projects");
+}

package/tunnel-manager.js ADDED Viewed

@@ -0,0 +1,70 @@
+const { spawn } = require('child_process');
+const activeTunnels = new Map();
+async function startTunnel(sessionId, port) {
+    // If tunnel already exists for this session, return existing URL
+    const existing = activeTunnels.get(sessionId);
+    if (existing && existing.url) {
+        return existing.url;
+    }
+    return new Promise((resolve, reject) => {
+        const proc = spawn('cloudflared', ['tunnel', '--url', `http://localhost:${port}`], {
+            stdio: ['ignore', 'pipe', 'pipe']
+        });
+        let tunnelUrl = null;
+        const timeout = setTimeout(() => {
+            if (!tunnelUrl) {
+                proc.kill();
+                reject(new Error('Tunnel startup timeout after 30s'));
+            }
+        }, 30000);
+        const onData = (data) => {
+            const match = data.toString().match(/https:\/\/[a-z0-9-]+\.trycloudflare\.com/);
+            if (match && !tunnelUrl) {
+                tunnelUrl = match[0];
+                clearTimeout(timeout);
+                activeTunnels.set(sessionId, { process: proc, url: tunnelUrl, port });
+                console.log(`[Tunnel] Ready: ${tunnelUrl} (session: ${sessionId})`);
+                resolve(tunnelUrl);
+            }
+        };
+        proc.stdout.on('data', onData);
+        proc.stderr.on('data', onData);
+        proc.on('exit', (code) => {
+            activeTunnels.delete(sessionId);
+            console.log(`[Tunnel] Process exited for session ${sessionId} (code: ${code})`);
+        });
+        proc.on('error', (err) => {
+            clearTimeout(timeout);
+            reject(err);
+        });
+    });
+}
+function stopTunnel(sessionId) {
+    const tunnel = activeTunnels.get(sessionId);
+    if (tunnel) {
+        tunnel.process.kill('SIGTERM');
+        activeTunnels.delete(sessionId);
+        console.log(`[Tunnel] Stopped: ${sessionId}`);
+        return true;
+    }
+    return false;
+}
+function getTunnelInfo(sessionId) {
+    return activeTunnels.get(sessionId) || null;
+}
+function getActiveTunnelCount() {
+    return activeTunnels.size;
+}
+module.exports = { startTunnel, stopTunnel, getTunnelInfo, getActiveTunnelCount };