github-router 0.3.31 → 0.3.33

package/dist/paths-Cf3OVCaJ.js

@@ -0,0 +1,3 @@
+import { a as sweepStaleClaudeConfigMirrors, c as writeRuntimeFileSecure, i as removeOwnClaudeConfigMirror, n as ensureClaudeConfigMirror, o as sweepStalePeerAgentMdFiles, r as ensurePaths, s as sweepStaleRuntimeFiles, t as PATHS } from "./paths-Cr2gfGiA.js";
+
+export { PATHS, ensureClaudeConfigMirror, ensurePaths, removeOwnClaudeConfigMirror, sweepStaleClaudeConfigMirrors, sweepStalePeerAgentMdFiles, sweepStaleRuntimeFiles, writeRuntimeFileSecure };

package/dist/{lifecycle-BrNqqJZH.js → paths-Cr2gfGiA.js}

@@ -1,10 +1,8 @@
 import consola from "consola";
-import { randomBytes, randomUUID } from "node:crypto";
+import { randomBytes } from "node:crypto";
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
-import process$1 from "node:process";
-import { execFileSync } from "node:child_process";
 
 //#region src/lib/paths.ts
 function appDir() {
@@ -67,7 +65,7 @@ async function ensurePaths() {
 		consola.debug("Peer-agent .md sweep skipped:", err);
 	});
 	await (async () => {
-		await (await import("./lifecycle-De6QsSv8.js")).sweepStaleWorktreesAtBoot();
+		await (await import("./lifecycle-DxRKANCV.js")).sweepStaleWorktreesAtBoot();
 	})().catch((err) => {
 		consola.debug("Worker worktree boot sweep skipped:", err);
 	});
@@ -459,11 +457,11 @@ async function sweepStaleRuntimeFiles() {
 		if (!match) continue;
 		const pid = Number.parseInt(match[1], 10);
 		const filePath = path.join(dir, name);
-		if (isPidAlive$1(pid)) continue;
+		if (isPidAlive(pid)) continue;
 		await fs.unlink(filePath).catch(() => {});
 	}
 }
-function isPidAlive$1(pid) {
+function isPidAlive(pid) {
 	if (!Number.isInteger(pid) || pid <= 0) return false;
 	try {
 		process.kill(pid, 0);
@@ -509,7 +507,7 @@ async function sweepStalePeerAgentMdFiles() {
 	for (const name of entries) {
 		const match = PEER_AGENT_MD_FILENAME.exec(name);
 		if (!match) continue;
-		if (isPidAlive$1(Number.parseInt(match[1], 10))) continue;
+		if (isPidAlive(Number.parseInt(match[1], 10))) continue;
 		await fs.unlink(path.join(dir, name)).catch(() => {});
 	}
 }
@@ -559,7 +557,7 @@ async function sweepStaleClaudeConfigMirrors() {
 	for (const name of entries) {
 		const match = CLAUDE_CONFIG_MIRROR_DIR.exec(name);
 		if (!match) continue;
-		if (isPidAlive$1(Number.parseInt(match[1], 10))) continue;
+		if (isPidAlive(Number.parseInt(match[1], 10))) continue;
 		await fs.rm(path.join(parent, name), {
 			recursive: true,
 			force: true
@@ -591,288 +589,5 @@ async function removeOwnClaudeConfigMirror() {
 }
 
 //#endregion
-//#region src/lib/worker-agent/lifecycle.ts
-/**
-* Same regex worktree.ts uses for its per-call age sweep — kept in
-* sync intentionally. `<pid>-<uuid>-<8hex>` strictly.
-*/
-const WORKTREE_DIR_NAME_RE = /^(\d+)-([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})-([0-9a-f]{8})$/;
-/**
-* Cap on the ledger: how many repos we remember across boots, and how
-* old an entry may be before it's pruned. Both are belt-and-suspenders
-* — the per-call age sweep is the primary guard against accumulation
-* inside any single repo.
-*/
-const LEDGER_MAX_ENTRIES = 100;
-const LEDGER_MAX_AGE_MS = 720 * 60 * 60 * 1e3;
-/**
-* Set-like in-memory registry of worktrees this proxy created. Engine
-* passes it to `createWorktree` so per-call cleanup deletes the entry
-* on success; the signal handlers walk what's left at shutdown.
-*
-* Not a bare `Set` because we want to expose only the operations we
-* actually use, and we want a stable testable surface.
-*/
-var WorktreeRegistry = class {
-	entries = /* @__PURE__ */ new Set();
-	add(entry) {
-		this.entries.add(entry);
-	}
-	delete(entry) {
-		this.entries.delete(entry);
-	}
-	has(entry) {
-		return this.entries.has(entry);
-	}
-	values() {
-		return this.entries.values();
-	}
-	get size() {
-		return this.entries.size;
-	}
-	clear() {
-		this.entries.clear();
-	}
-};
-let _instanceUuid = null;
-/**
-* Stable UUID4 generated once per proxy process. Used in worktree
-* dir/branch names so the boot sweep can reliably distinguish "this
-* proxy's still-live worktrees" from "stranded dirs from a prior
-* proxy that happens to have a recycled PID" — Docker PID-1 across
-* container restarts is the classic case (peer-review HIGH finding).
-*/
-function getInstanceUuid() {
-	if (_instanceUuid === null) _instanceUuid = randomUUID();
-	return _instanceUuid;
-}
-let _registered = false;
-let _activeRegistry = null;
-let _exitHandler = null;
-let _sigintHandler = null;
-let _sigtermHandler = null;
-/**
-* Synchronous cleanup of every registry entry. Best-effort:
-* `execFileSync` failures are swallowed (the dir may have been
-* removed already, or git may not be on PATH any more in some
-* environments). After a successful removal we drop the entry from
-* the registry so a second call is a true no-op.
-*
-* Synchronous on purpose — exit handlers can't reliably await async
-* work; the process would die before the promise settled.
-*/
-function sweepRegistry() {
-	if (!_activeRegistry) return;
-	const snapshot = [..._activeRegistry.values()];
-	for (const entry of snapshot) {
-		try {
-			execFileSync("git", [
-				"-C",
-				entry.repoRoot,
-				"worktree",
-				"remove",
-				"--force",
-				entry.dir
-			], {
-				stdio: "ignore",
-				timeout: 1e4,
-				windowsHide: true
-			});
-		} catch {}
-		try {
-			execFileSync("git", [
-				"-C",
-				entry.repoRoot,
-				"branch",
-				"-D",
-				entry.branch
-			], {
-				stdio: "ignore",
-				timeout: 5e3,
-				windowsHide: true
-			});
-		} catch {}
-		_activeRegistry.delete(entry);
-	}
-}
-/**
-* Wire up SIGINT/SIGTERM/exit handlers that walk the registry and
-* remove every entry. Idempotent: subsequent calls swap the registry
-* pointer but do NOT register additional process listeners (otherwise
-* we'd leak listeners on every `runWorkerAgent`).
-*
-* Signal handlers re-raise the signal after sweeping. Naively running
-* the sweep on SIGINT/SIGTERM and returning would *suppress* the
-* signal: Node defaults to terminating the process on these, but only
-* if no user listener is attached. Once we attach a listener, the
-* default action is cancelled and the process keeps running — which
-* means Ctrl-C would clean worktrees but not actually exit, leaving
-* orphan processes in dev. The `process.kill(pid, sig)` re-raise
-* after removing our own listener restores the default behaviour
-* (the second delivery now hits an empty listener list, so Node
-* terminates with the conventional `128 + signum` exit code).
-*/
-function registerExitHandlers(registry) {
-	_activeRegistry = registry;
-	if (_registered) return;
-	_registered = true;
-	_exitHandler = () => sweepRegistry();
-	_sigintHandler = () => {
-		sweepRegistry();
-		if (_sigintHandler) process$1.off("SIGINT", _sigintHandler);
-		process$1.kill(process$1.pid, "SIGINT");
-	};
-	_sigtermHandler = () => {
-		sweepRegistry();
-		if (_sigtermHandler) process$1.off("SIGTERM", _sigtermHandler);
-		process$1.kill(process$1.pid, "SIGTERM");
-	};
-	process$1.on("SIGINT", _sigintHandler);
-	process$1.on("SIGTERM", _sigtermHandler);
-	process$1.on("exit", _exitHandler);
-}
-function ledgerPath() {
-	return path.join(PATHS.APP_DIR, "worker-repos.json");
-}
-async function readLedger() {
-	let raw;
-	try {
-		raw = await fs.readFile(ledgerPath(), "utf8");
-	} catch (err) {
-		if (err.code === "ENOENT") return { entries: [] };
-		return { entries: [] };
-	}
-	try {
-		const parsed = JSON.parse(raw);
-		if (!parsed || !Array.isArray(parsed.entries)) return { entries: [] };
-		const cleaned = [];
-		for (const e of parsed.entries) if (e && typeof e === "object" && typeof e.repoRoot === "string" && typeof e.lastSeenMs === "number") cleaned.push({
-			repoRoot: e.repoRoot,
-			lastSeenMs: e.lastSeenMs
-		});
-		return { entries: cleaned };
-	} catch {
-		return { entries: [] };
-	}
-}
-/**
-* Per-process serializer for ledger writes. Multiple concurrent
-* `recordWorkerRepo` calls (legitimate: several workers may start at
-* once) would otherwise race read-modify-write on the JSON file. Each
-* call chains onto the previous so the on-disk sequence is
-* deterministic from this process's perspective.
-*
-* Cross-process safety is provided by the atomic temp+rename below,
-* which makes the final state of the file always be a well-formed
-* full snapshot from ONE writer — never a partial write or
-* interleaved JSON.
-*/
-let _ledgerChain = Promise.resolve();
-/**
-* Append `repoRoot` to the ledger (or update its `lastSeenMs`).
-* Atomic temp+rename per peer review.
-*/
-function recordWorkerRepo(repoRoot) {
-	const next = _ledgerChain.then(async () => {
-		await fs.mkdir(PATHS.APP_DIR, { recursive: true });
-		const filtered = (await readLedger()).entries.filter((e) => e.repoRoot !== repoRoot);
-		filtered.push({
-			repoRoot,
-			lastSeenMs: Date.now()
-		});
-		const now = Date.now();
-		const ledger = { entries: filtered.filter((e) => now - e.lastSeenMs < LEDGER_MAX_AGE_MS).slice(-LEDGER_MAX_ENTRIES) };
-		const tmp = `${ledgerPath()}.tmp.${process$1.pid}.${randomBytes(4).toString("hex")}`;
-		try {
-			await writeRuntimeFileSecure(tmp, JSON.stringify(ledger, null, 2));
-			await fs.rename(tmp, ledgerPath());
-		} catch (err) {
-			await fs.unlink(tmp).catch(() => {});
-			throw err;
-		}
-	});
-	_ledgerChain = next.catch(() => void 0);
-	return next;
-}
-function isPidAlive(pid) {
-	if (!Number.isInteger(pid) || pid <= 0) return false;
-	try {
-		process$1.kill(pid, 0);
-		return true;
-	} catch (err) {
-		if (err.code === "EPERM") return true;
-		return false;
-	}
-}
-/**
-* Boot-time sweep. For every repo we recorded in the ledger,
-* enumerate `<repoRoot>/.git/worker-worktrees/` (the conventional
-* location — for repos already inside a worktree, the actual
-* `git-common-dir` may differ, in which case we'll miss this batch
-* and the per-call age sweep will catch them within 7 days) and
-* remove dirs that aren't owned by THIS proxy.
-*
-* Ownership rule: dir is "ours" iff its embedded PID is alive AND
-* its embedded UUID equals `getInstanceUuid()`. Either condition
-* failing → remove.
-*/
-async function sweepStaleWorktreesAtBoot() {
-	const ledger = await readLedger();
-	if (ledger.entries.length === 0) return;
-	const currentUuid = getInstanceUuid();
-	for (const entry of ledger.entries) {
-		const parent = path.join(entry.repoRoot, ".git", "worker-worktrees");
-		let names;
-		try {
-			names = await fs.readdir(parent);
-		} catch {
-			continue;
-		}
-		for (const name of names) {
-			const m = WORKTREE_DIR_NAME_RE.exec(name);
-			if (!m) continue;
-			const pid = Number.parseInt(m[1], 10);
-			const uuid = m[2];
-			if (isPidAlive(pid) && uuid === currentUuid) continue;
-			const fullDir = path.join(parent, name);
-			const branch = `worker/${pid}-${uuid}-${m[3]}`;
-			try {
-				execFileSync("git", [
-					"-C",
-					entry.repoRoot,
-					"worktree",
-					"remove",
-					"--force",
-					fullDir
-				], {
-					stdio: "ignore",
-					timeout: 1e4,
-					windowsHide: true
-				});
-			} catch {}
-			try {
-				execFileSync("git", [
-					"-C",
-					entry.repoRoot,
-					"branch",
-					"-D",
-					branch
-				], {
-					stdio: "ignore",
-					timeout: 5e3,
-					windowsHide: true
-				});
-			} catch {}
-			try {
-				await fs.rm(fullDir, {
-					recursive: true,
-					force: true
-				});
-			} catch {}
-		}
-	}
-}
-
-//#endregion
-export { sweepRegistry as a, ensureClaudeConfigMirror as c, writeRuntimeFileSecure as d, registerExitHandlers as i, ensurePaths as l, getInstanceUuid as n, sweepStaleWorktreesAtBoot as o, recordWorkerRepo as r, PATHS as s, WorktreeRegistry as t, removeOwnClaudeConfigMirror as u };
-//# sourceMappingURL=lifecycle-BrNqqJZH.js.map
+export { sweepStaleClaudeConfigMirrors as a, writeRuntimeFileSecure as c, removeOwnClaudeConfigMirror as i, ensureClaudeConfigMirror as n, sweepStalePeerAgentMdFiles as o, ensurePaths as r, sweepStaleRuntimeFiles as s, PATHS as t };
+//# sourceMappingURL=paths-Cr2gfGiA.js.map

package/dist/paths-Cr2gfGiA.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths-Cr2gfGiA.js","names":["_claudeConfigDirSuffix: string | undefined","CLAUDE_HOME_POLICY: ReadonlyMap<string, MirrorPolicy>","SHARED_TOPLEVEL_NAMES: ReadonlyArray<string>","entries: Array<string>","stats: Awaited<ReturnType<typeof fs.lstat>>","existing: Awaited<ReturnType<typeof fs.lstat>> | null"],"sources":["../src/lib/paths.ts"],"sourcesContent":["import { randomBytes } from \"node:crypto\"\nimport fs from \"node:fs/promises\"\nimport os from \"node:os\"\nimport path from \"node:path\"\n\nimport consola from \"consola\"\n\nfunction appDir(): string {\n  return path.join(os.homedir(), \".local\", \"share\", \"github-router\")\n}\n\nexport const PATHS = {\n  get APP_DIR() {\n    return appDir()\n  },\n  get GITHUB_TOKEN_PATH() {\n    return path.join(appDir(), \"github_token\")\n  },\n  get ERROR_LOG_PATH() {\n    return path.join(appDir(), \"error.log\")\n  },\n  /**\n   * Isolated CODEX_HOME for the spawned Codex CLI. Masks any cached\n   * ChatGPT subscription login (openai/codex#2733 — cached login can\n   * override OPENAI_API_KEY) so the proxy's dummy key is authoritative.\n   */\n  get CODEX_HOME() {\n    return path.join(appDir(), \"codex-isolated\")\n  },\n  /**\n   * Runtime tempfiles for the per-launch peer-MCP wiring (the\n   * `--mcp-config` JSON and `--agents` JSON written before spawning\n   * Claude Code). Mode 0o700 to match the security review's mandate;\n   * cleaned on shutdown via the per-launch `cleanup()`, plus a\n   * boot-time sweep of stale files (dead PIDs, >24h old).\n   */\n  get CLAUDE_RUNTIME_DIR() {\n    return path.join(appDir(), \"runtime\")\n  },\n  /**\n   * Router-owned CLAUDE_CONFIG_DIR. The spawned Claude Code (and any\n   * teammates it spawns via the agent-teams primitive) reads its\n   * config — including `.credentials.json` — from this dir. We\n   * snapshot-copy the user's `~/.claude/` here at startup (excluding\n   * `.credentials.json` and volatile state), then write our own\n   * synthetic Console OAuth credential. The teammate-spawn allowlist\n   * propagates `CLAUDE_CONFIG_DIR` to children, so teammates find the\n   * synthetic credential and authenticate instead of falling into the\n   * \"Not logged in · Run /login\" gate that would otherwise leave\n   * them mute. See `ensureClaudeConfigMirror` below.\n   *\n   * Per-launch dir: `<appDir>/claude-config/<pid>-<8 hex>`. Two\n   * concurrent `github-router claude` launches each get their own\n   * isolated mirror, so per-launch state (synthetic credential,\n   * snapshot copy of `~/.claude/`, future per-launch `.claude.json`\n   * mutation with the peer-MCP entry) cannot cross-talk. The\n   * per-launch suffix is cached on first access (see\n   * `claudeConfigDirSuffix()`) so all callers within a single proxy\n   * lifetime see the same value. Boot-time `sweepStaleClaudeConfigMirrors`\n   * reaps mirrors from crashed prior PIDs.\n   */\n  get CLAUDE_CONFIG_DIR() {\n    return path.join(appDir(), \"claude-config\", claudeConfigDirSuffix())\n  },\n}\n\n/**\n * Per-launch suffix for `PATHS.CLAUDE_CONFIG_DIR`. Lazily generated on\n * first access and cached for the lifetime of the process so every\n * caller (env-var injection in `getClaudeCodeEnvVars`,\n * `ensureClaudeConfigMirror` provisioning, peer-agent `.md` writes\n * under `<dir>/agents/`, the shutdown cleanup) resolves the same path.\n *\n * Shape: `<pid>-<8 hex>`. The PID prefix is what\n * `sweepStaleClaudeConfigMirrors` keys off to drop orphans from\n * crashed prior sessions; the 8-hex random suffix prevents collision\n * if a future caller (tests, internal relaunch) ever clears the cache\n * within a single PID lifetime.\n *\n * NOT exported — every consumer should go through `PATHS.CLAUDE_CONFIG_DIR`\n * so the homedir-mock pattern used in the test suite keeps working.\n */\nlet _claudeConfigDirSuffix: string | undefined\nfunction claudeConfigDirSuffix(): string {\n  if (_claudeConfigDirSuffix === undefined) {\n    _claudeConfigDirSuffix = `${process.pid}-${randomBytes(4).toString(\"hex\")}`\n  }\n  return _claudeConfigDirSuffix\n}\n\nexport async function ensurePaths(): Promise<void> {\n  await fs.mkdir(PATHS.APP_DIR, { recursive: true })\n  await fs.mkdir(PATHS.CODEX_HOME, { recursive: true })\n  await fs.mkdir(PATHS.CLAUDE_RUNTIME_DIR, { recursive: true })\n  // mkdir({recursive: true}) does NOT chmod an existing directory, so\n  // explicitly tighten in case the dir was created by an older version.\n  await chmodIfPossible(PATHS.CLAUDE_RUNTIME_DIR, 0o700)\n  await ensureFile(PATHS.GITHUB_TOKEN_PATH)\n  await sweepStaleRuntimeFiles().catch((err) => {\n    consola.debug(\"Runtime sweep skipped:\", err)\n  })\n  // Sweep stale per-launch CLAUDE_CONFIG_DIR mirrors left behind by\n  // crashed prior proxy sessions BEFORE peer-agent .md sweep, since\n  // the .md sweep is scoped to THIS launch's mirror and the per-launch\n  // dir sweep is the parent cleanup for the same orphan class.\n  await sweepStaleClaudeConfigMirrors().catch((err) => {\n    consola.debug(\"Per-launch claude-config sweep skipped:\", err)\n  })\n  // Phase 2.5: also sweep stale peer-* subagent .md files from this\n  // launch's CLAUDE_CONFIG_DIR/agents/ (defense-in-depth — should be\n  // a no-op since the per-launch dir didn't exist before this PID\n  // started; keeps the safety net in case a future change ever shares\n  // an agents/ dir across launches).\n  await sweepStalePeerAgentMdFiles().catch((err) => {\n    consola.debug(\"Peer-agent .md sweep skipped:\", err)\n  })\n  // Worker-agent boot-time PID+instance safety net. Walks the\n  // worker-repos.json ledger and removes any worktree dir whose\n  // <pid> is dead OR whose <instance> UUID doesn't match this proxy.\n  // Catches SIGKILL/OOM/host-crash escapees from prior sessions.\n  // Lazy-imported so the worker-agent module doesn't get loaded by\n  // every consumer of `paths.ts`.\n  await (async () => {\n    const mod = await import(\"./worker-agent/lifecycle\")\n    await mod.sweepStaleWorktreesAtBoot()\n  })().catch((err) => {\n    consola.debug(\"Worker worktree boot sweep skipped:\", err)\n  })\n}\n\n/**\n * Per-entry mirror policy. Every top-level entry under `~/.claude/` falls\n * into exactly one bucket; unlisted names default to `MIRRORED` so a future\n * Claude-Code-side addition flows through as a snapshot copy rather than\n * being silently lost.\n *\n * Three policies:\n *\n *   - `ISOLATED` — not present in the mirror at all. The proxy owns its\n *     own copy (synthetic `.credentials.json`, the `.github-router-managed`\n *     marker) or the entry has no place in a proxy session\n *     (`.credentials.json.lock`, `.oauth_refresh.lock` couple refresh loops\n *     across sessions; `statsig/` is write-heavy and would constantly\n *     re-copy; `cache/` and `logs/` are ephemeral; `paste-cache/` holds\n *     sensitive clipboard extracts and shouldn't leak across sessions —\n *     gemini-critic finding).\n *\n *   - `SHARED` — symlink `<mirror>/<X>` → `~/.claude/<X>` so writes made\n *     during the proxy session land in the user's real `~/.claude/` and\n *     chat history is visible in both proxy and plain-`claude` sessions.\n *     **Directories only.** Never use this for individual files: Claude\n *     Code's atomic-write pattern (`fs.writeFile(temp); fs.rename(temp,\n *     target)`) does NOT follow symlinks — a `rename` over the symlink\n *     replaces it with a regular file, silently severing the connection\n *     to `~/.claude/<X>`. Gemini-critic finding from the 3-lab review.\n *\n *   - `MIRRORED` (default) — snapshot-copy with mtime skip. Use for static\n *     or settings-shaped state where proxy-session writes should NOT flow\n *     back to `~/.claude/` (e.g. `settings.json`, `.claude.json`,\n *     `teams/`, `session-env/`) and for `agents/` — the proxy itself\n *     writes per-launch `peer-<pid>-*.md` files into the mirror's `agents/`\n *     and `sweepStalePeerAgentMdFiles` deletes them; a symlink would route\n *     those writes/deletes into the user's real `~/.claude/agents/` and\n *     destroy the user's own subagent files. **Hard regression test**:\n *     `policyFor(\"agents\") === \"MIRRORED\"` is asserted in\n *     `tests/lib-paths.test.ts` to prevent accidental reclassification.\n *\n * Sub-paths within MIRRORED dirs cascade recursively (existing behavior).\n */\ntype MirrorPolicy = \"ISOLATED\" | \"SHARED\" | \"MIRRORED\"\n\nconst CLAUDE_HOME_POLICY: ReadonlyMap<string, MirrorPolicy> = new Map<\n  string,\n  MirrorPolicy\n>([\n  // ISOLATED\n  [\".credentials.json\", \"ISOLATED\"],\n  [\".credentials.json.lock\", \"ISOLATED\"],\n  [\".oauth_refresh.lock\", \"ISOLATED\"],\n  // Defense-in-depth: don't let a user-side file/symlink with the same\n  // name as our marker collide with what we write. The marker write\n  // logic also lstat-checks before writing (refuses if a non-regular\n  // file exists at the path), but excluding it here removes the\n  // attack vector entirely.\n  [\".github-router-managed\", \"ISOLATED\"],\n  [\"statsig\", \"ISOLATED\"],\n  [\"cache\", \"ISOLATED\"],\n  [\"logs\", \"ISOLATED\"],\n  [\"paste-cache\", \"ISOLATED\"],\n  [\"jobs\", \"ISOLATED\"],\n  [\"daemon\", \"ISOLATED\"],\n  [\"daemon.log\", \"ISOLATED\"],\n  // SHARED — directories only (see policy doc above)\n  [\"projects\", \"SHARED\"],\n  [\"sessions\", \"SHARED\"],\n  [\"tasks\", \"SHARED\"],\n  [\"todos\", \"SHARED\"],\n  [\"transcripts\", \"SHARED\"],\n  [\"shell-snapshots\", \"SHARED\"],\n  // The underscored variant is the historical exclude-list name; some\n  // Claude Code versions may still use it. Classify SHARED so either\n  // spelling resolves correctly.\n  [\"shell_snapshots\", \"SHARED\"],\n  [\"plans\", \"SHARED\"],\n  [\"file-history\", \"SHARED\"],\n  [\"backups\", \"SHARED\"],\n])\n\nfunction policyFor(name: string): MirrorPolicy {\n  return CLAUDE_HOME_POLICY.get(name) ?? \"MIRRORED\"\n}\n\n/**\n * Test-only export: lets the test suite assert hard regression guards\n * such as `policyFor(\"agents\") === \"MIRRORED\"` (preventing accidental\n * reclassification that would let `sweepStalePeerAgentMdFiles` delete\n * files in the user's real `~/.claude/agents/`).\n */\nexport const __testing = { policyFor, ensureSharedSymlink }\n\n/**\n * Names with `SHARED` policy, materialized once for iteration in\n * `ensureClaudeConfigMirror`'s post-copy phase.\n */\nconst SHARED_TOPLEVEL_NAMES: ReadonlyArray<string> = Array.from(\n  CLAUDE_HOME_POLICY.entries(),\n)\n  .filter(([, kind]) => kind === \"SHARED\")\n  .map(([name]) => name)\n\n/**\n * Marker file written into the router-owned CLAUDE_CONFIG_DIR so users\n * (and our own future sweeps) can identify that the dir is managed by\n * github-router. Content is informational only; no logic depends on\n * its presence.\n */\nconst MANAGED_MARKER_FILENAME = \".github-router-managed\"\n\n/**\n * Synthetic Console OAuth credential the router writes into its own\n * `CLAUDE_CONFIG_DIR/.credentials.json` so spawned Claude Code (and\n * any teammates it spawns) can authenticate without a real user\n * `/login`.\n *\n * Schema verified verbatim from `claude` v2.1.140 binary, function\n * `guH` (the credentials-save mutation). Fields:\n *   - `accessToken` — sent as `Authorization: Bearer ...` to the\n *     proxy. Proxy accepts any bearer (per CLAUDE.md \"doesn't enforce\n *     auth\").\n *   - `refreshToken` — only used by Claude Code's reactive refresh\n *     path (function `nH8`), which fires on 401 from upstream. The\n *     proxy maintains the no-401 invariant on the Anthropic-shape\n *     boundary, so this is never invoked. Synthetic value is fine.\n *   - `expiresAt` — far-future (2099-01-01 ms epoch). Sidesteps the\n *     proactive refresh path (`R8H(expiresAt)` returns false).\n *   - `scopes` — claude-ai-shaped so `tB(scopes)` returns true,\n *     making `Hq()` true (full feature surface, not \"inference only\").\n *   - `subscriptionType` — `\"max\"`. Pure client-side label\n *     (`e7()` / `Zc_()` / `CZ1()`); no server validation since\n *     `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1` suppresses\n *     subscription-validation calls. Picks the most-permissive gating.\n */\nconst SYNTHETIC_CREDENTIAL = {\n  claudeAiOauth: {\n    accessToken: \"github-router-synthetic\",\n    refreshToken: \"github-router-synthetic\",\n    expiresAt: 4_070_908_800_000,\n    scopes: [\"user:inference\", \"user:profile\"],\n    subscriptionType: \"max\",\n    rateLimitTier: null,\n    clientId: \"github-router\",\n  },\n} as const\n\n/**\n * Snapshot-copy the user's `~/.claude/` into the router-owned\n * CLAUDE_CONFIG_DIR (real files, not symlinks — symlinks don't isolate\n * writes), classifying each top-level entry per `CLAUDE_HOME_POLICY`:\n * ISOLATED entries are skipped, MIRRORED entries are copied, and\n * SHARED entries become directory symlinks back to `~/.claude/<X>` so\n * chat history (in `projects/<cwd-hash>/<session-uuid>.jsonl`) and\n * other durable user state flow between proxy and plain-`claude`\n * sessions. Then writes the synthetic `.credentials.json` so spawned\n * Claude Code (and teammates that inherit `CLAUDE_CONFIG_DIR`)\n * authenticate.\n *\n * Idempotent: only re-copies files whose source `mtime` is newer than\n * target; SHARED-symlink creation no-ops when the symlink already\n * points at the right target. Concurrent-safe: `mkdir({recursive:true})`\n * is idempotent; symlinks are created via atomic temp+rename so two\n * parallel github-router-claude startups can't race to EEXIST; the\n * credentials write uses temp-file + atomic rename so Claude Code's\n * `EZ1()` mtime watcher never sees a partial write.\n *\n * Walks with `lstat` (does NOT follow symlinks during traversal — a\n * symlink-into-`/` would otherwise let the walk escape). Symlink leaves\n * in the source tree are skipped during the MIRRORED copy walk (per the\n * symlink-confused-deputy security finding); SHARED symlinks are\n * created on the mirror side only, pointing at predetermined targets\n * inside the user's real `~/.claude/`.\n *\n * Caller is expected to invoke this after `ensurePaths()` and before\n * spawning Claude Code (`launchChild`). The mirror must exist before\n * the child reads it. Currently called from the `claude` subcommand\n * entry point only; `start` and `codex` subcommands don't need it.\n */\nexport async function ensureClaudeConfigMirror(opts: {\n  realHome?: string\n} = {}): Promise<void> {\n  const realHome = opts.realHome ?? os.homedir()\n  const sourceDir = path.join(realHome, \".claude\")\n  const targetDir = PATHS.CLAUDE_CONFIG_DIR\n\n  // 1. Create our config dir (idempotent, mode 0o700)\n  await fs.mkdir(targetDir, { recursive: true, mode: 0o700 })\n  await chmodIfPossible(targetDir, 0o700)\n\n  // 2. Snapshot-copy from ~/.claude if it exists. Only MIRRORED entries\n  //    flow through this walk; ISOLATED and SHARED entries are filtered\n  //    in `mirrorDirRecursive` and handled separately.\n  let sourceExists = false\n  try {\n    const sourceStat = await fs.stat(sourceDir)\n    sourceExists = sourceStat.isDirectory()\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n      consola.debug(`ensureClaudeConfigMirror: cannot stat ${sourceDir}:`, err)\n    }\n  }\n  if (sourceExists) {\n    await mirrorDirRecursive(sourceDir, targetDir, \"\")\n  }\n\n  // 3. Always ensure agents/ exists (even if user has none) so the\n  //    peer-agent .md emission has a place to write. Empty dir is fine.\n  //    agents/ is MIRRORED, not SHARED — the proxy writes per-launch\n  //    `peer-<pid>-*.md` files here and `sweepStalePeerAgentMdFiles`\n  //    deletes them; routing those operations into the user's real\n  //    `~/.claude/agents/` would destroy their custom subagent files.\n  await fs.mkdir(path.join(targetDir, \"agents\"), { recursive: true })\n\n  // 4. Create symlinks for SHARED entries so chat history (and other\n  //    durable user state) is visible in both proxy and plain-`claude`.\n  for (const name of SHARED_TOPLEVEL_NAMES) {\n    await ensureSharedSymlink(name, sourceDir, targetDir).catch((err) => {\n      consola.debug(\n        `ensureClaudeConfigMirror: SHARED symlink for ${name} skipped:`,\n        err,\n      )\n    })\n  }\n\n  // 5. Write synthetic .credentials.json (only if content differs)\n  const credentialsPath = path.join(targetDir, \".credentials.json\")\n  const desiredJson = JSON.stringify(SYNTHETIC_CREDENTIAL, null, 2)\n  let needsWrite = true\n  try {\n    const existing = await fs.readFile(credentialsPath, \"utf8\")\n    needsWrite = existing.trim() !== desiredJson.trim()\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n      consola.debug(`ensureClaudeConfigMirror: cannot read existing credentials:`, err)\n    }\n  }\n  if (needsWrite) {\n    // Atomic temp-file + rename so EZ1()'s mtime watcher doesn't see\n    // a partial write. wx flag ensures we don't clobber a concurrent\n    // writer's tempfile.\n    const tempPath = `${credentialsPath}.${process.pid}.tmp`\n    try {\n      await fs.writeFile(tempPath, desiredJson + \"\\n\", { mode: 0o600, flag: \"wx\" })\n      await fs.rename(tempPath, credentialsPath)\n    } catch (err) {\n      // EEXIST on the tempfile means another concurrent startup is\n      // mid-write. Best-effort: skip — the other writer will produce\n      // identical content (deterministic constant blob).\n      if ((err as NodeJS.ErrnoException).code === \"EEXIST\") {\n        consola.debug(\n          \"ensureClaudeConfigMirror: concurrent credentials-write detected, skipping\",\n        )\n      } else {\n        await fs.unlink(tempPath).catch(() => {})\n        throw err\n      }\n    }\n  }\n  await chmodIfPossible(credentialsPath, 0o600)\n\n  // 6. Write/refresh marker file. Use lstat (not access) to detect\n  //    symlinks at the marker path — a previously-mirrored or\n  //    user-placed symlink could otherwise let our `fs.writeFile`\n  //    follow through to an arbitrary target. With the symlink-skip\n  //    policy in `mirrorDirRecursive` this is defense-in-depth, but\n  //    cheap and definitive.\n  const markerPath = path.join(targetDir, MANAGED_MARKER_FILENAME)\n  let markerExists = false\n  try {\n    const markerStat = await fs.lstat(markerPath)\n    if (markerStat.isFile()) {\n      markerExists = true\n    } else {\n      // Anything non-regular (symlink, dir, special file) is a red flag —\n      // refuse to overwrite, log loudly. The user can investigate.\n      consola.warn(\n        `ensureClaudeConfigMirror: ${markerPath} exists but is not a regular file (mode=${markerStat.mode.toString(8)}); refusing to overwrite. Inspect and remove manually if safe.`,\n      )\n      markerExists = true\n    }\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n      consola.debug(`ensureClaudeConfigMirror: cannot lstat marker:`, err)\n      markerExists = true\n    }\n  }\n  if (!markerExists) {\n    const body = `Managed by github-router. Created ${new Date().toISOString()}. Safe to delete (will be recreated).\\n`\n    // wx flag (O_CREAT | O_EXCL) refuses to clobber an existing\n    // file or symlink (POSIX O_EXCL behavior) — additional protection\n    // against the marker-symlink confused-deputy vector.\n    await fs\n      .writeFile(markerPath, body, { mode: 0o600, flag: \"wx\" })\n      .catch((err) => {\n        consola.debug(`ensureClaudeConfigMirror: marker write skipped:`, err)\n      })\n  }\n}\n\n/**\n * Recursive snapshot-copy helper for `ensureClaudeConfigMirror`. Walks\n * `sourceDir/relPath` and mirrors each entry into `targetDir/relPath`.\n * - Top-level entries are dispatched on `policyFor(name)`:\n *     - `ISOLATED` → skipped entirely (no presence in mirror).\n *     - `SHARED`   → skipped from the copy walk; handled by\n *                    `ensureSharedSymlink` in the post-copy phase.\n *     - `MIRRORED` → copied as today.\n * - Symlinks are skipped (not recreated) so the walk never follows out\n *   of `sourceDir` and we don't reintroduce a confused-deputy vector.\n * - Files copy only if source mtime > target mtime (idempotent).\n */\nasync function mirrorDirRecursive(\n  sourceDir: string,\n  targetDir: string,\n  relPath: string,\n): Promise<void> {\n  const sourcePath = path.join(sourceDir, relPath)\n  let entries: Array<string>\n  try {\n    entries = await fs.readdir(sourcePath)\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code === \"ENOENT\") return\n    consola.debug(`mirrorDirRecursive: cannot readdir ${sourcePath}:`, err)\n    return\n  }\n  for (const name of entries) {\n    // Policy dispatch at top-level only. Sub-paths within MIRRORED\n    // dirs always cascade as MIRRORED.\n    if (relPath === \"\") {\n      const policy = policyFor(name)\n      if (policy === \"ISOLATED\" || policy === \"SHARED\") continue\n    }\n    const childRel = relPath === \"\" ? name : path.join(relPath, name)\n    const childSource = path.join(sourceDir, childRel)\n    const childTarget = path.join(targetDir, childRel)\n    let stats: Awaited<ReturnType<typeof fs.lstat>>\n    try {\n      stats = await fs.lstat(childSource)\n    } catch (err) {\n      consola.debug(`mirrorDirRecursive: cannot lstat ${childSource}:`, err)\n      continue\n    }\n    if (stats.isSymbolicLink()) {\n      // Skip symlinks during mirror copy. gemini-critic security finding:\n      // recreating user symlinks in our mirror creates a confused-deputy\n      // vector — a previously prompt-injected process could place\n      // `~/.claude/<X>` → `/some/sensitive/file`, our walker would mirror\n      // it, and any subsequent write to `<mirror>/<X>` (by us or by\n      // Claude Code) would follow the symlink and overwrite the target.\n      // Snapshot-copy semantics make symlink preservation moot anyway:\n      // a snapshot is a point-in-time content copy, and a symlink\n      // recreated in the mirror points at exactly the same target as\n      // the original would have — the user-side symlink is sufficient.\n      // If a user has a legitimate need for a symlink to be visible\n      // through the proxy session, they can create the equivalent\n      // symlink in their `~/.claude/` directly and it'll be reachable\n      // — they just won't see it in our mirror dir.\n      consola.debug(`mirrorDirRecursive: skipping symlink ${childSource} (security policy)`)\n      continue\n    }\n    if (stats.isDirectory()) {\n      await fs.mkdir(childTarget, { recursive: true })\n      await mirrorDirRecursive(sourceDir, targetDir, childRel)\n      continue\n    }\n    if (stats.isFile()) {\n      // mtime-based skip — only copy if source is newer than target.\n      let needsCopy = true\n      try {\n        const targetStat = await fs.lstat(childTarget)\n        if (targetStat.isFile() && targetStat.mtimeMs >= stats.mtimeMs) {\n          needsCopy = false\n        }\n      } catch (err) {\n        if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n          consola.debug(`mirrorDirRecursive: lstat target ${childTarget}:`, err)\n        }\n      }\n      if (!needsCopy) continue\n      try {\n        await fs.copyFile(childSource, childTarget, fs.constants.COPYFILE_FICLONE)\n      } catch (err) {\n        consola.debug(`mirrorDirRecursive: copy ${childSource} → ${childTarget}:`, err)\n      }\n      continue\n    }\n    // Skip other inode types (sockets, devices, fifos) silently.\n  }\n}\n\n/**\n * Create or refresh a directory symlink `<mirrorDir>/<name>` →\n * `<sourceDir>/<name>` (i.e. `~/.local/share/github-router/claude-config/<X>`\n * → `~/.claude/<X>`). Idempotent and concurrent-safe.\n *\n * Behavior depending on what's already at `<mirrorDir>/<name>`:\n *   - Symlink with the correct target → no-op.\n *   - Symlink with the wrong target → replace atomically.\n *   - Empty real directory (legacy mirror leftover with no proxy-session\n *     writes accumulated yet) → `rmdir` and replace with the symlink.\n *     Safe by definition: `fs.rmdir` only succeeds on empty dirs (POSIX),\n *     so there is nothing to lose. Smooths the upgrade path for users\n *     whose legacy mirror dirs were never written to.\n *   - Non-empty real directory or regular file → loud-warn and skip.\n *     Auto-deleting would destroy proxy-session writes from the prior\n *     version. The user is told the exact path and remediation.\n *   - ENOENT → create symlink atomically.\n *\n * Atomic-creation: symlinks are first written at a unique side-path\n * (`<mirrorDir>/<name>.tmp.<pid>.<8 hex>`) and then `fs.rename()`d into\n * place. POSIX `rename` is atomic and replaces an existing symlink in\n * a single step, so two concurrent `github-router claude` startups can't\n * race to `EEXIST` — the loser's rename just overwrites the winner's\n * symlink with an identical one. Gemini-critic 3-lab-review finding.\n *\n * Pre-creates `~/.claude/<name>/` as a real directory if missing so\n * Claude Code's writes through the symlink don't fail with ENOENT.\n */\nasync function ensureSharedSymlink(\n  name: string,\n  sourceDir: string,\n  mirrorDir: string,\n): Promise<void> {\n  const sourcePath = path.join(sourceDir, name)\n  const mirrorPath = path.join(mirrorDir, name)\n\n  // 1. Ensure the source directory exists. Without this, Claude Code's\n  //    writes through the symlink (e.g. `projects/<hash>/foo.jsonl`)\n  //    fail with ENOENT on the parent dir.\n  try {\n    await fs.mkdir(sourcePath, { recursive: true })\n  } catch (err) {\n    // Escalated from debug → warn per the CLAUDE.md \"smoking gun\"\n    // rule (consistent with the symlink and rename catches below):\n    // if the source dir cannot be created (e.g. a stray regular file\n    // sitting at `~/.claude/projects`, perms blocking mkdir on a\n    // corp-managed Windows box, OneDrive cloud-only reparse point),\n    // ensureSharedSymlink returns without creating a junction. The\n    // spawned Claude Code child then writes to the REAL `~/.claude`\n    // while the proxy reads from the mirror — exactly the split-brain\n    // pattern this whole function exists to prevent. Silent debug-log\n    // hid this from us once already; warn so the user sees the cause.\n    consola.warn(\n      `ensureSharedSymlink(${name}): cannot mkdir source ${sourcePath}:`,\n      err,\n    )\n    return\n  }\n\n  // 2. Inspect the mirror-side slot.\n  let existing: Awaited<ReturnType<typeof fs.lstat>> | null = null\n  try {\n    existing = await fs.lstat(mirrorPath)\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") {\n      // Escalated from debug → warn per the CLAUDE.md \"smoking gun\"\n      // rule (consistent with the other fs catches in this function):\n      // ENOENT is the only expected-and-benign failure mode here\n      // (slot doesn't exist yet — falls through to create). Any other\n      // lstat failure (EACCES, ELOOP, EIO from a sketchy reparse\n      // point) means we bail without creating the junction, which\n      // silently leaves the proxy and child diverged. A visible warn\n      // surfaces the root cause instead of a mysteriously missing\n      // junction.\n      consola.warn(\n        `ensureSharedSymlink(${name}): cannot lstat ${mirrorPath}:`,\n        err,\n      )\n      return\n    }\n  }\n\n  if (existing?.isSymbolicLink()) {\n    // Resolve both sides to their canonical absolute paths and compare.\n    // We use `fs.realpath` rather than the raw `fs.readlink()` output\n    // because Windows junctions resolve via readlink to `\\\\?\\`-prefixed\n    // device-namespace paths (e.g. `\\\\?\\C:\\Users\\foo\\.claude\\projects`)\n    // while we wrote the plain absolute `sourcePath` (e.g.\n    // `C:\\Users\\foo\\.claude\\projects`) with `fs.symlink`. A literal\n    // `===` on the raw readlink output never matched on Windows, so\n    // the fast path silently failed and every startup tore down +\n    // recreated all 9 SHARED junctions — masked locally because NTFS\n    // File System Tunneling forges the creation timestamp for a name\n    // deleted and recreated within 15 s (the per-startup churn was\n    // real, the ctime-stable assertion was a false negative). The\n    // realpath comparison canonicalizes both forms to the same string\n    // on POSIX and Windows alike, and as a bonus handles drive-letter\n    // casing / trailing-slash differences too. The extra two syscalls\n    // per slot are negligible at proxy startup (runs once per launch).\n    //\n    // CRITICAL: sourceReal and currentReal are NOT treated symmetrically.\n    // If `sourceReal` is null (we just mkdir'd it above, but realpath\n    // failed — OneDrive cloud-only reparse point, EACCES on parent,\n    // EXDEV mount oddity), we WARN AND RETURN rather than fall through.\n    // Falling through would do unlink+symlink+rename with the same\n    // failing realpath next launch — silent every-startup churn, the\n    // exact bug class round-3 G2 fixed in a different code path.\n    // `currentReal === null` is benign (broken/wrong slot — replace).\n    const sourceReal = await fs.realpath(sourcePath).catch(() => null)\n    if (sourceReal === null) {\n      consola.warn(\n        `ensureSharedSymlink(${name}): cannot resolve source ${sourcePath} ` +\n          `— skipping junction creation to avoid silent every-startup churn. ` +\n          `Inspect the source dir's permissions / OneDrive sync state and re-launch.`,\n      )\n      return\n    }\n    const currentReal = await fs.realpath(mirrorPath).catch(() => null)\n    if (currentReal !== null && currentReal === sourceReal) {\n      return\n    }\n    // Wrong target (or unresolvable mirror) — fall through to the\n    // atomic-rename replace path.\n  } else if (existing?.isDirectory()) {\n    // Legacy real directory at the slot. Try `fs.rmdir` — on POSIX it\n    // succeeds ONLY if the directory is empty, so there's nothing to\n    // lose. If it's non-empty (ENOTEMPTY) or any other failure occurs,\n    // fall back to the warn-and-skip path so we never auto-clobber\n    // user data.\n    try {\n      await fs.rmdir(mirrorPath)\n      // Empty dir reaped — fall through to the atomic-rename create path.\n    } catch (err) {\n      consola.warn(\n        `ensureClaudeConfigMirror: ${mirrorPath} is a non-empty real directory ` +\n          `from an older github-router version; refusing to clobber. ` +\n          `If you want chat-history continuity for \"${name}\", move its ` +\n          `contents into ${sourcePath}/ then delete ${mirrorPath}; the ` +\n          `mirror will create a symlink (junction on Windows) on next launch. ` +\n          `(rmdir error: ${(err as NodeJS.ErrnoException).code ?? \"unknown\"})`,\n      )\n      return\n    }\n  } else if (existing) {\n    // Regular file (or special inode like a socket) — never auto-clobber.\n    consola.warn(\n      `ensureClaudeConfigMirror: ${mirrorPath} is a regular file at a ` +\n        `SHARED symlink slot; refusing to clobber. Inspect and remove ` +\n        `manually if safe; the mirror will create a symlink on next launch.`,\n    )\n    return\n  }\n\n  // 3. Atomic-rename creation: symlink to a unique temp path, then\n  //    rename over the slot. `fs.rename` replaces existing symlinks\n  //    atomically on POSIX and is safe against concurrent racers.\n  //    On Windows, MoveFileEx with MOVEFILE_REPLACE_EXISTING does NOT\n  //    replace an existing directory or junction destination\n  //    (npm/cli#9021), so when the slot already holds a wrong-target\n  //    junction we must explicitly unlink it first. The sub-millisecond\n  //    window of no-link is acceptable: ensureClaudeConfigMirror is\n  //    idempotent under concurrency and only runs at proxy startup,\n  //    before any spawned Claude Code child has been launched.\n  const tempPath = `${mirrorPath}.tmp.${process.pid}.${randomBytes(4).toString(\"hex\")}`\n  try {\n    await fs.symlink(\n      sourcePath,\n      tempPath,\n      process.platform === \"win32\" ? \"junction\" : \"dir\",\n    )\n  } catch (err) {\n    // Escalated from debug → warn per the CLAUDE.md \"smoking gun\" rule:\n    // the rule applies to ALL fs catches in this function, not just the\n    // rename one. The temp path is per-pid + 8-hex random so EEXIST is\n    // essentially impossible — any failure here (EPERM on Windows\n    // without DevMode, EXDEV cross-volume, ENOSPC, …) is a real\n    // operational problem the user needs to see.\n    consola.warn(\n      `ensureSharedSymlink(${name}): symlink ${tempPath} failed:`,\n      err,\n    )\n    return\n  }\n  if (process.platform === \"win32\" && existing?.isSymbolicLink()) {\n    // Windows-only: clear the wrong-target junction so the rename\n    // below can land. Best-effort — if a concurrent racer already\n    // unlinked it, the rename succeeds as a CREATE; if a concurrent\n    // racer already replaced it with a fresh junction, the rename\n    // hits the catch below and we surface a warn.\n    await fs.unlink(mirrorPath).catch(() => {})\n  }\n  try {\n    await fs.rename(tempPath, mirrorPath)\n  } catch (err) {\n    // Escalated from debug → warn per the CLAUDE.md \"smoking gun\"\n    // rule (consistent with the fs.symlink catch above): a silent\n    // debug log here previously hid the Windows rename-replace bug\n    // (junction-over-junction MoveFileEx EPERM). Post-fix, rename\n    // failures should be rare and visible.\n    consola.warn(\n      `ensureSharedSymlink(${name}): rename ${tempPath} → ${mirrorPath} failed:`,\n      err,\n    )\n    await fs.unlink(tempPath).catch(() => {})\n  }\n}\n\nasync function ensureFile(filePath: string): Promise<void> {\n  try {\n    await fs.access(filePath, fs.constants.W_OK)\n  } catch {\n    await fs.writeFile(filePath, \"\")\n    await fs.chmod(filePath, 0o600)\n  }\n}\n\nasync function chmodIfPossible(target: string, mode: number): Promise<void> {\n  if (process.platform === \"win32\") return // Windows chmod is no-op-ish\n  try {\n    await fs.chmod(target, mode)\n  } catch (err) {\n    consola.debug(`chmod ${target} ${mode.toString(8)} failed:`, err)\n  }\n}\n\n/**\n * Write a runtime tempfile securely.\n *\n *   - Mode `0o600` so other local users (multi-tenant boxes, shared\n *     dev containers) can't read the per-launch nonce or runtime URL.\n *   - `flag: \"wx\"` (O_CREAT | O_EXCL | O_WRONLY) refuses to overwrite\n *     an existing path. POSIX open(2) with O_EXCL also rejects\n *     pre-placed symlinks, killing the symlink-clobber attack vector.\n *   - The caller's responsibility to pick a path NOT yet in use.\n *     We intentionally do NOT pre-unlink: an `lstat` + `unlink` +\n *     `open(O_EXCL)` sequence still has a TOCTOU window where an\n *     attacker can drop a symlink between unlink and open. Letting\n *     `wx` fail is the safer behavior — surfaces the conflict\n *     instead of silently following.\n */\nexport async function writeRuntimeFileSecure(\n  filePath: string,\n  content: string,\n): Promise<void> {\n  await fs.writeFile(filePath, content, { mode: 0o600, flag: \"wx\" })\n}\n\n/**\n * Sweep stale runtime tempfiles. Removes files whose embedded PID is no\n * longer a live process. A proxy crash (`kill -9`, OS reboot) leaves\n * orphans that would otherwise accumulate forever — and worse, a stale\n * config pointing at a now-recycled port could route MCP traffic to\n * whatever process bound that port next.\n *\n * Naming convention: `peer-mcp-<pid>.json` and `peer-agents-<pid>.json`.\n * Files not matching either pattern are left alone — this directory\n * is shared with future runtime artifacts.\n *\n * We deliberately do NOT age-prune files whose PID is alive. A\n * legitimately long-running proxy can have a tempfile older than any\n * arbitrary threshold; deleting it out from under the live process\n * breaks the spawned Claude Code child's MCP/agent wiring with no clean\n * recovery. PID-wraparound risk is mitigated by (a) PID reuse on Linux\n * being slow under typical loads, and (b) the file is only consulted by\n * github-router itself — an unrelated process that inherits the PID\n * never reads it.\n */\nexport async function sweepStaleRuntimeFiles(): Promise<void> {\n  const dir = PATHS.CLAUDE_RUNTIME_DIR\n  let entries: Array<string>\n  try {\n    entries = await fs.readdir(dir)\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code === \"ENOENT\") return\n    throw err\n  }\n\n  for (const name of entries) {\n    // Match both legacy `peer-mcp-<pid>.json` and current\n    // `peer-mcp-<pid>-<rand>.json` filenames so we can clean up either.\n    const match = /^peer-(?:mcp|agents)-(\\d+)(?:-[0-9a-f]+)?\\.json$/.exec(name)\n    if (!match) continue\n    const pid = Number.parseInt(match[1], 10)\n    const filePath = path.join(dir, name)\n\n    if (isPidAlive(pid)) continue\n\n    await fs.unlink(filePath).catch(() => {\n      // already gone or unreadable, fine\n    })\n  }\n}\n\nfunction isPidAlive(pid: number): boolean {\n  if (!Number.isInteger(pid) || pid <= 0) return false\n  try {\n    // signal 0 = check existence without delivering a signal. EPERM\n    // means the process exists but we can't signal it (which is still\n    // \"alive\" for our purposes); ESRCH means it's gone.\n    process.kill(pid, 0)\n    return true\n  } catch (err) {\n    const code = (err as NodeJS.ErrnoException).code\n    if (code === \"EPERM\") return true\n    return false\n  }\n}\n\n/**\n * Sweep stale peer-* subagent .md files from the router-owned\n * `CLAUDE_CONFIG_DIR/agents/`. Phase 2.5 writes one .md per peer agent\n * into Claude Code's agents directory (now our config dir's `agents/`\n * subdir, since `getClaudeCodeEnvVars` points `CLAUDE_CONFIG_DIR` at\n * `PATHS.CLAUDE_CONFIG_DIR`) so they appear in Claude Code's Task\n * `subagent_type` enum. Files are named `peer-<pid>-<rand>-<agentName>.md`\n * so this sweep can drop orphans from crashed prior proxy sessions\n * without touching the user's own .md files (which were copied into\n * the same dir during `ensureClaudeConfigMirror`).\n *\n * Same liveness rule as `sweepStaleRuntimeFiles`: only delete when the\n * file's embedded PID is no longer alive. Live PIDs keep their files —\n * a long-running proxy doesn't lose its agent registrations.\n *\n * Regex tightening (Phase 2.6, codex-critic + gemini-critic 2-lab finding):\n * the original sweep regex `^peer-(\\d+)(?:-[0-9a-f]+)?-.+\\.md$` was too\n * permissive — a user-authored `peer-12345-meeting-notes.md` matches\n * (`12345` = \"PID\", `-meeting-notes` = trailing `.+`) and would be\n * silently unlinked when 12345 happens to be a dead PID (overwhelmingly\n * likely). Tightened to require BOTH the 8-hex-char random suffix AND\n * an exact-match persona name suffix, eliminating the risk for any\n * realistic user filename.\n */\nexport async function sweepStalePeerAgentMdFiles(): Promise<void> {\n  const dir = path.join(PATHS.CLAUDE_CONFIG_DIR, \"agents\")\n  let entries: Array<string>\n  try {\n    entries = await fs.readdir(dir)\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code === \"ENOENT\") return\n    throw err\n  }\n  for (const name of entries) {\n    const match = PEER_AGENT_MD_FILENAME.exec(name)\n    if (!match) continue\n    const pid = Number.parseInt(match[1], 10)\n    if (isPidAlive(pid)) continue\n    await fs.unlink(path.join(dir, name)).catch(() => {\n      // already gone or unreadable, fine\n    })\n  }\n}\n\n/**\n * Strict regex matching only files this proxy writes:\n *   peer-<pid>-<8 hex>-<exact persona/coordinator name>.md\n * The persona-name allowlist is the load-bearing protection against\n * deleting user files. Update this list whenever a new persona is added\n * to `PERSONAS_READ` / `PERSONAS_WRITE` in `peer-mcp-personas.ts` or a\n * new coordinator-style agent is added in `codex-mcp-config.ts`.\n */\nconst PEER_AGENT_MD_FILENAME =\n  /^peer-(\\d+)-[0-9a-f]{8}-(?:codex-critic|codex-reviewer|gemini-critic|codex-implementer|peer-review-coordinator)\\.md$/\n\n/**\n * Strict regex matching only per-launch claude-config mirror dirs this\n * proxy creates: `<pid>-<8 hex>`. Anchored to the entire entry name so\n * user-authored siblings under `<appDir>/claude-config/` (if any) are\n * untouchable. The PID prefix is what `sweepStaleClaudeConfigMirrors`\n * keys off; the 8-hex random suffix matches `randomBytes(4)` exactly\n * (no `?` — files created by a different shape are not ours).\n */\nconst CLAUDE_CONFIG_MIRROR_DIR = /^(\\d+)-[0-9a-f]{8}$/\n\n/**\n * Sweep stale per-launch CLAUDE_CONFIG_DIR mirrors left behind by\n * crashed prior proxy sessions. Symmetric to `sweepStalePeerAgentMdFiles`\n * — same liveness rule (only delete when the embedded PID is dead),\n * same strict regex (the dir-name allowlist is the load-bearing\n * protection against deleting user-authored siblings).\n *\n * Scans `<appDir>/claude-config/` (the parent of the per-launch dirs).\n * Each entry whose name matches `<pid>-<8 hex>` AND whose PID is no\n * longer alive is removed recursively. `fs.rm({recursive: true})`\n * walks the tree calling `unlink` on symlinks/junctions rather than\n * following them, so the SHARED junctions back to `~/.claude/<X>`\n * are removed without touching their targets.\n *\n * Tolerates missing parent dir (first-ever launch, or user wiped it).\n */\nexport async function sweepStaleClaudeConfigMirrors(): Promise<void> {\n  const parent = path.join(appDir(), \"claude-config\")\n  let entries: Array<string>\n  try {\n    entries = await fs.readdir(parent)\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code === \"ENOENT\") return\n    throw err\n  }\n  for (const name of entries) {\n    const match = CLAUDE_CONFIG_MIRROR_DIR.exec(name)\n    if (!match) continue\n    const pid = Number.parseInt(match[1], 10)\n    if (isPidAlive(pid)) continue\n    await fs\n      .rm(path.join(parent, name), { recursive: true, force: true })\n      .catch((err) => {\n        // Best-effort: stale-dir cleanup must never block startup.\n        // Common failure modes (worth surviving silently): an EBUSY/EPERM\n        // on Windows if a leftover handle is still open, or a stray\n        // root-owned file inside the dir from a previous run with\n        // different permissions.\n        consola.debug(\n          `sweepStaleClaudeConfigMirrors: cannot rm ${name}:`,\n          err,\n        )\n      })\n  }\n}\n\n/**\n * Remove THIS launch's per-launch CLAUDE_CONFIG_DIR on shutdown.\n * Best-effort: a failure here must not block process exit (the caller\n * wraps this in a `.catch`-equivalent via `launchChild`'s onShutdown\n * try/catch). Symmetric to `writePeerMcpRuntimeFiles`'s `cleanup()`:\n * we own this dir for the lifetime of the proxy, so removing it on\n * normal shutdown is correct; the boot-time sweep handles the\n * abnormal-exit case.\n *\n * `fs.rm({recursive: true})` removes SHARED junctions via unlink\n * (does NOT follow them into the user's real `~/.claude/<X>`).\n */\nexport async function removeOwnClaudeConfigMirror(): Promise<void> {\n  const dir = PATHS.CLAUDE_CONFIG_DIR\n  await fs.rm(dir, { recursive: true, force: true }).catch((err) => {\n    consola.debug(`removeOwnClaudeConfigMirror: rm ${dir} skipped:`, err)\n  })\n}\n"],"mappings":";;;;;;;AAOA,SAAS,SAAiB;AACxB,QAAO,KAAK,KAAK,GAAG,SAAS,EAAE,UAAU,SAAS,gBAAgB;;AAGpE,MAAa,QAAQ;CACnB,IAAI,UAAU;AACZ,SAAO,QAAQ;;CAEjB,IAAI,oBAAoB;AACtB,SAAO,KAAK,KAAK,QAAQ,EAAE,eAAe;;CAE5C,IAAI,iBAAiB;AACnB,SAAO,KAAK,KAAK,QAAQ,EAAE,YAAY;;CAOzC,IAAI,aAAa;AACf,SAAO,KAAK,KAAK,QAAQ,EAAE,iBAAiB;;CAS9C,IAAI,qBAAqB;AACvB,SAAO,KAAK,KAAK,QAAQ,EAAE,UAAU;;CAwBvC,IAAI,oBAAoB;AACtB,SAAO,KAAK,KAAK,QAAQ,EAAE,iBAAiB,uBAAuB,CAAC;;CAEvE;;;;;;;;;;;;;;;;;AAkBD,IAAIA;AACJ,SAAS,wBAAgC;AACvC,KAAI,2BAA2B,OAC7B,0BAAyB,GAAG,QAAQ,IAAI,GAAG,YAAY,EAAE,CAAC,SAAS,MAAM;AAE3E,QAAO;;AAGT,eAAsB,cAA6B;AACjD,OAAM,GAAG,MAAM,MAAM,SAAS,EAAE,WAAW,MAAM,CAAC;AAClD,OAAM,GAAG,MAAM,MAAM,YAAY,EAAE,WAAW,MAAM,CAAC;AACrD,OAAM,GAAG,MAAM,MAAM,oBAAoB,EAAE,WAAW,MAAM,CAAC;AAG7D,OAAM,gBAAgB,MAAM,oBAAoB,IAAM;AACtD,OAAM,WAAW,MAAM,kBAAkB;AACzC,OAAM,wBAAwB,CAAC,OAAO,QAAQ;AAC5C,UAAQ,MAAM,0BAA0B,IAAI;GAC5C;AAKF,OAAM,+BAA+B,CAAC,OAAO,QAAQ;AACnD,UAAQ,MAAM,2CAA2C,IAAI;GAC7D;AAMF,OAAM,4BAA4B,CAAC,OAAO,QAAQ;AAChD,UAAQ,MAAM,iCAAiC,IAAI;GACnD;AAOF,QAAO,YAAY;AAEjB,SADY,MAAM,OAAO,4BACf,2BAA2B;KACnC,CAAC,OAAO,QAAQ;AAClB,UAAQ,MAAM,uCAAuC,IAAI;GACzD;;AA4CJ,MAAMC,qBAAwD,IAAI,IAGhE;CAEA,CAAC,qBAAqB,WAAW;CACjC,CAAC,0BAA0B,WAAW;CACtC,CAAC,uBAAuB,WAAW;CAMnC,CAAC,0BAA0B,WAAW;CACtC,CAAC,WAAW,WAAW;CACvB,CAAC,SAAS,WAAW;CACrB,CAAC,QAAQ,WAAW;CACpB,CAAC,eAAe,WAAW;CAC3B,CAAC,QAAQ,WAAW;CACpB,CAAC,UAAU,WAAW;CACtB,CAAC,cAAc,WAAW;CAE1B,CAAC,YAAY,SAAS;CACtB,CAAC,YAAY,SAAS;CACtB,CAAC,SAAS,SAAS;CACnB,CAAC,SAAS,SAAS;CACnB,CAAC,eAAe,SAAS;CACzB,CAAC,mBAAmB,SAAS;CAI7B,CAAC,mBAAmB,SAAS;CAC7B,CAAC,SAAS,SAAS;CACnB,CAAC,gBAAgB,SAAS;CAC1B,CAAC,WAAW,SAAS;CACtB,CAAC;AAEF,SAAS,UAAU,MAA4B;AAC7C,QAAO,mBAAmB,IAAI,KAAK,IAAI;;;;;;AAezC,MAAMC,wBAA+C,MAAM,KACzD,mBAAmB,SAAS,CAC7B,CACE,QAAQ,GAAG,UAAU,SAAS,SAAS,CACvC,KAAK,CAAC,UAAU,KAAK;;;;;;;AAQxB,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;AA0BhC,MAAM,uBAAuB,EAC3B,eAAe;CACb,aAAa;CACb,cAAc;CACd,WAAW;CACX,QAAQ,CAAC,kBAAkB,eAAe;CAC1C,kBAAkB;CAClB,eAAe;CACf,UAAU;CACX,EACF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCD,eAAsB,yBAAyB,OAE3C,EAAE,EAAiB;CACrB,MAAM,WAAW,KAAK,YAAY,GAAG,SAAS;CAC9C,MAAM,YAAY,KAAK,KAAK,UAAU,UAAU;CAChD,MAAM,YAAY,MAAM;AAGxB,OAAM,GAAG,MAAM,WAAW;EAAE,WAAW;EAAM,MAAM;EAAO,CAAC;AAC3D,OAAM,gBAAgB,WAAW,IAAM;CAKvC,IAAI,eAAe;AACnB,KAAI;AAEF,kBADmB,MAAM,GAAG,KAAK,UAAU,EACjB,aAAa;UAChC,KAAK;AACZ,MAAK,IAA8B,SAAS,SAC1C,SAAQ,MAAM,yCAAyC,UAAU,IAAI,IAAI;;AAG7E,KAAI,aACF,OAAM,mBAAmB,WAAW,WAAW,GAAG;AASpD,OAAM,GAAG,MAAM,KAAK,KAAK,WAAW,SAAS,EAAE,EAAE,WAAW,MAAM,CAAC;AAInE,MAAK,MAAM,QAAQ,sBACjB,OAAM,oBAAoB,MAAM,WAAW,UAAU,CAAC,OAAO,QAAQ;AACnE,UAAQ,MACN,gDAAgD,KAAK,YACrD,IACD;GACD;CAIJ,MAAM,kBAAkB,KAAK,KAAK,WAAW,oBAAoB;CACjE,MAAM,cAAc,KAAK,UAAU,sBAAsB,MAAM,EAAE;CACjE,IAAI,aAAa;AACjB,KAAI;AAEF,gBADiB,MAAM,GAAG,SAAS,iBAAiB,OAAO,EACrC,MAAM,KAAK,YAAY,MAAM;UAC5C,KAAK;AACZ,MAAK,IAA8B,SAAS,SAC1C,SAAQ,MAAM,+DAA+D,IAAI;;AAGrF,KAAI,YAAY;EAId,MAAM,WAAW,GAAG,gBAAgB,GAAG,QAAQ,IAAI;AACnD,MAAI;AACF,SAAM,GAAG,UAAU,UAAU,cAAc,MAAM;IAAE,MAAM;IAAO,MAAM;IAAM,CAAC;AAC7E,SAAM,GAAG,OAAO,UAAU,gBAAgB;WACnC,KAAK;AAIZ,OAAK,IAA8B,SAAS,SAC1C,SAAQ,MACN,4EACD;QACI;AACL,UAAM,GAAG,OAAO,SAAS,CAAC,YAAY,GAAG;AACzC,UAAM;;;;AAIZ,OAAM,gBAAgB,iBAAiB,IAAM;CAQ7C,MAAM,aAAa,KAAK,KAAK,WAAW,wBAAwB;CAChE,IAAI,eAAe;AACnB,KAAI;EACF,MAAM,aAAa,MAAM,GAAG,MAAM,WAAW;AAC7C,MAAI,WAAW,QAAQ,CACrB,gBAAe;OACV;AAGL,WAAQ,KACN,6BAA6B,WAAW,0CAA0C,WAAW,KAAK,SAAS,EAAE,CAAC,gEAC/G;AACD,kBAAe;;UAEV,KAAK;AACZ,MAAK,IAA8B,SAAS,UAAU;AACpD,WAAQ,MAAM,kDAAkD,IAAI;AACpE,kBAAe;;;AAGnB,KAAI,CAAC,cAAc;EACjB,MAAM,OAAO,sDAAqC,IAAI,MAAM,EAAC,aAAa,CAAC;AAI3E,QAAM,GACH,UAAU,YAAY,MAAM;GAAE,MAAM;GAAO,MAAM;GAAM,CAAC,CACxD,OAAO,QAAQ;AACd,WAAQ,MAAM,mDAAmD,IAAI;IACrE;;;;;;;;;;;;;;;AAgBR,eAAe,mBACb,WACA,WACA,SACe;CACf,MAAM,aAAa,KAAK,KAAK,WAAW,QAAQ;CAChD,IAAIC;AACJ,KAAI;AACF,YAAU,MAAM,GAAG,QAAQ,WAAW;UAC/B,KAAK;AACZ,MAAK,IAA8B,SAAS,SAAU;AACtD,UAAQ,MAAM,sCAAsC,WAAW,IAAI,IAAI;AACvE;;AAEF,MAAK,MAAM,QAAQ,SAAS;AAG1B,MAAI,YAAY,IAAI;GAClB,MAAM,SAAS,UAAU,KAAK;AAC9B,OAAI,WAAW,cAAc,WAAW,SAAU;;EAEpD,MAAM,WAAW,YAAY,KAAK,OAAO,KAAK,KAAK,SAAS,KAAK;EACjE,MAAM,cAAc,KAAK,KAAK,WAAW,SAAS;EAClD,MAAM,cAAc,KAAK,KAAK,WAAW,SAAS;EAClD,IAAIC;AACJ,MAAI;AACF,WAAQ,MAAM,GAAG,MAAM,YAAY;WAC5B,KAAK;AACZ,WAAQ,MAAM,oCAAoC,YAAY,IAAI,IAAI;AACtE;;AAEF,MAAI,MAAM,gBAAgB,EAAE;AAe1B,WAAQ,MAAM,wCAAwC,YAAY,oBAAoB;AACtF;;AAEF,MAAI,MAAM,aAAa,EAAE;AACvB,SAAM,GAAG,MAAM,aAAa,EAAE,WAAW,MAAM,CAAC;AAChD,SAAM,mBAAmB,WAAW,WAAW,SAAS;AACxD;;AAEF,MAAI,MAAM,QAAQ,EAAE;GAElB,IAAI,YAAY;AAChB,OAAI;IACF,MAAM,aAAa,MAAM,GAAG,MAAM,YAAY;AAC9C,QAAI,WAAW,QAAQ,IAAI,WAAW,WAAW,MAAM,QACrD,aAAY;YAEP,KAAK;AACZ,QAAK,IAA8B,SAAS,SAC1C,SAAQ,MAAM,oCAAoC,YAAY,IAAI,IAAI;;AAG1E,OAAI,CAAC,UAAW;AAChB,OAAI;AACF,UAAM,GAAG,SAAS,aAAa,aAAa,GAAG,UAAU,iBAAiB;YACnE,KAAK;AACZ,YAAQ,MAAM,4BAA4B,YAAY,KAAK,YAAY,IAAI,IAAI;;AAEjF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCN,eAAe,oBACb,MACA,WACA,WACe;CACf,MAAM,aAAa,KAAK,KAAK,WAAW,KAAK;CAC7C,MAAM,aAAa,KAAK,KAAK,WAAW,KAAK;AAK7C,KAAI;AACF,QAAM,GAAG,MAAM,YAAY,EAAE,WAAW,MAAM,CAAC;UACxC,KAAK;AAWZ,UAAQ,KACN,uBAAuB,KAAK,yBAAyB,WAAW,IAChE,IACD;AACD;;CAIF,IAAIC,WAAwD;AAC5D,KAAI;AACF,aAAW,MAAM,GAAG,MAAM,WAAW;UAC9B,KAAK;AACZ,MAAK,IAA8B,SAAS,UAAU;AAUpD,WAAQ,KACN,uBAAuB,KAAK,kBAAkB,WAAW,IACzD,IACD;AACD;;;AAIJ,KAAI,UAAU,gBAAgB,EAAE;EA0B9B,MAAM,aAAa,MAAM,GAAG,SAAS,WAAW,CAAC,YAAY,KAAK;AAClE,MAAI,eAAe,MAAM;AACvB,WAAQ,KACN,uBAAuB,KAAK,2BAA2B,WAAW,8IAGnE;AACD;;EAEF,MAAM,cAAc,MAAM,GAAG,SAAS,WAAW,CAAC,YAAY,KAAK;AACnE,MAAI,gBAAgB,QAAQ,gBAAgB,WAC1C;YAIO,UAAU,aAAa,CAMhC,KAAI;AACF,QAAM,GAAG,MAAM,WAAW;UAEnB,KAAK;AACZ,UAAQ,KACN,6BAA6B,WAAW,oIAEM,KAAK,4BAChC,WAAW,gBAAgB,WAAW,yFAErC,IAA8B,QAAQ,UAAU,GACrE;AACD;;UAEO,UAAU;AAEnB,UAAQ,KACN,6BAA6B,WAAW,yJAGzC;AACD;;CAaF,MAAM,WAAW,GAAG,WAAW,OAAO,QAAQ,IAAI,GAAG,YAAY,EAAE,CAAC,SAAS,MAAM;AACnF,KAAI;AACF,QAAM,GAAG,QACP,YACA,UACA,QAAQ,aAAa,UAAU,aAAa,MAC7C;UACM,KAAK;AAOZ,UAAQ,KACN,uBAAuB,KAAK,aAAa,SAAS,WAClD,IACD;AACD;;AAEF,KAAI,QAAQ,aAAa,WAAW,UAAU,gBAAgB,CAM5D,OAAM,GAAG,OAAO,WAAW,CAAC,YAAY,GAAG;AAE7C,KAAI;AACF,QAAM,GAAG,OAAO,UAAU,WAAW;UAC9B,KAAK;AAMZ,UAAQ,KACN,uBAAuB,KAAK,YAAY,SAAS,KAAK,WAAW,WACjE,IACD;AACD,QAAM,GAAG,OAAO,SAAS,CAAC,YAAY,GAAG;;;AAI7C,eAAe,WAAW,UAAiC;AACzD,KAAI;AACF,QAAM,GAAG,OAAO,UAAU,GAAG,UAAU,KAAK;SACtC;AACN,QAAM,GAAG,UAAU,UAAU,GAAG;AAChC,QAAM,GAAG,MAAM,UAAU,IAAM;;;AAInC,eAAe,gBAAgB,QAAgB,MAA6B;AAC1E,KAAI,QAAQ,aAAa,QAAS;AAClC,KAAI;AACF,QAAM,GAAG,MAAM,QAAQ,KAAK;UACrB,KAAK;AACZ,UAAQ,MAAM,SAAS,OAAO,GAAG,KAAK,SAAS,EAAE,CAAC,WAAW,IAAI;;;;;;;;;;;;;;;;;;AAmBrE,eAAsB,uBACpB,UACA,SACe;AACf,OAAM,GAAG,UAAU,UAAU,SAAS;EAAE,MAAM;EAAO,MAAM;EAAM,CAAC;;;;;;;;;;;;;;;;;;;;;;AAuBpE,eAAsB,yBAAwC;CAC5D,MAAM,MAAM,MAAM;CAClB,IAAIF;AACJ,KAAI;AACF,YAAU,MAAM,GAAG,QAAQ,IAAI;UACxB,KAAK;AACZ,MAAK,IAA8B,SAAS,SAAU;AACtD,QAAM;;AAGR,MAAK,MAAM,QAAQ,SAAS;EAG1B,MAAM,QAAQ,mDAAmD,KAAK,KAAK;AAC3E,MAAI,CAAC,MAAO;EACZ,MAAM,MAAM,OAAO,SAAS,MAAM,IAAI,GAAG;EACzC,MAAM,WAAW,KAAK,KAAK,KAAK,KAAK;AAErC,MAAI,WAAW,IAAI,CAAE;AAErB,QAAM,GAAG,OAAO,SAAS,CAAC,YAAY,GAEpC;;;AAIN,SAAS,WAAW,KAAsB;AACxC,KAAI,CAAC,OAAO,UAAU,IAAI,IAAI,OAAO,EAAG,QAAO;AAC/C,KAAI;AAIF,UAAQ,KAAK,KAAK,EAAE;AACpB,SAAO;UACA,KAAK;AAEZ,MADc,IAA8B,SAC/B,QAAS,QAAO;AAC7B,SAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BX,eAAsB,6BAA4C;CAChE,MAAM,MAAM,KAAK,KAAK,MAAM,mBAAmB,SAAS;CACxD,IAAIA;AACJ,KAAI;AACF,YAAU,MAAM,GAAG,QAAQ,IAAI;UACxB,KAAK;AACZ,MAAK,IAA8B,SAAS,SAAU;AACtD,QAAM;;AAER,MAAK,MAAM,QAAQ,SAAS;EAC1B,MAAM,QAAQ,uBAAuB,KAAK,KAAK;AAC/C,MAAI,CAAC,MAAO;AAEZ,MAAI,WADQ,OAAO,SAAS,MAAM,IAAI,GAAG,CACtB,CAAE;AACrB,QAAM,GAAG,OAAO,KAAK,KAAK,KAAK,KAAK,CAAC,CAAC,YAAY,GAEhD;;;;;;;;;;;AAYN,MAAM,yBACJ;;;;;;;;;AAUF,MAAM,2BAA2B;;;;;;;;;;;;;;;;;AAkBjC,eAAsB,gCAA+C;CACnE,MAAM,SAAS,KAAK,KAAK,QAAQ,EAAE,gBAAgB;CACnD,IAAIA;AACJ,KAAI;AACF,YAAU,MAAM,GAAG,QAAQ,OAAO;UAC3B,KAAK;AACZ,MAAK,IAA8B,SAAS,SAAU;AACtD,QAAM;;AAER,MAAK,MAAM,QAAQ,SAAS;EAC1B,MAAM,QAAQ,yBAAyB,KAAK,KAAK;AACjD,MAAI,CAAC,MAAO;AAEZ,MAAI,WADQ,OAAO,SAAS,MAAM,IAAI,GAAG,CACtB,CAAE;AACrB,QAAM,GACH,GAAG,KAAK,KAAK,QAAQ,KAAK,EAAE;GAAE,WAAW;GAAM,OAAO;GAAM,CAAC,CAC7D,OAAO,QAAQ;AAMd,WAAQ,MACN,4CAA4C,KAAK,IACjD,IACD;IACD;;;;;;;;;;;;;;;AAgBR,eAAsB,8BAA6C;CACjE,MAAM,MAAM,MAAM;AAClB,OAAM,GAAG,GAAG,KAAK;EAAE,WAAW;EAAM,OAAO;EAAM,CAAC,CAAC,OAAO,QAAQ;AAChE,UAAQ,MAAM,mCAAmC,IAAI,YAAY,IAAI;GACrE"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "github-router",
-  "version": "0.3.31",
+  "version": "0.3.33",
   "license": "MIT",
   "description": "A reverse proxy that exposes GitHub Copilot as OpenAI and Anthropic compatible API endpoints.",
   "keywords": [
@@ -28,7 +28,7 @@
     "dist"
   ],
   "scripts": {
-    "build": "tsdown",
+    "build": "tsdown && bun scripts/copy-browser-ext.ts",
     "dev": "bun run --watch ./src/main.ts",
     "discover:fields": "bash scripts/discover-new-fields.sh",
     "knip": "knip-bun",
@@ -67,17 +67,20 @@
     "typebox": "1.1.38",
     "undici": "^7.16.0",
     "web-tree-sitter": "0.22.6",
+    "ws": "^8.21.0",
     "yaml": "2.9.0",
     "zod": "^4.1.11"
   },
   "devDependencies": {
     "@eslint/js": "^9.37.0",
-    "eslint-config-prettier": "^10.1.0",
     "@types/bun": "^1.2.23",
     "@types/proxy-from-env": "^1.0.4",
+    "@types/ws": "^8.18.1",
     "eslint": "^9.37.0",
+    "eslint-config-prettier": "^10.1.0",
     "knip": "^5.64.1",
     "lint-staged": "^16.2.3",
+    "playwright": "^1.60.0",
     "prettier-plugin-packagejson": "^2.5.19",
     "simple-git-hooks": "^2.13.1",
     "tsdown": "^0.15.6",