glassbox 0.6.0 → 0.7.1

package/dist/cli.js

@@ -391,11 +391,11 @@ var init_queries = __esm({
 });
 
 // src/cli.ts
-init_queries();
 init_connection();
-import { mkdirSync as mkdirSync7 } from "fs";
+init_queries();
+import { mkdirSync as mkdirSync8 } from "fs";
 import { tmpdir } from "os";
-import { join as join10, resolve as resolve5 } from "path";
+import { join as join11, resolve as resolve5 } from "path";
 
 // src/debug.ts
 var debugEnabled = false;
@@ -426,70 +426,15 @@ function debugLog(...args) {
 }
 
 // src/ai/config.ts
-import { spawnSync } from "child_process";
 import { chmodSync, existsSync, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "fs";
 import { homedir } from "os";
 import { join as join2 } from "path";
 
-// src/ai/models.ts
-var PLATFORMS = {
-  anthropic: "Anthropic",
-  openai: "OpenAI",
-  google: "Google"
-};
-var MODELS = {
-  anthropic: [
-    { id: "claude-sonnet-4-20250514", name: "Claude Sonnet 4", contextWindow: 2e5, isDefault: true },
-    { id: "claude-haiku-4-20250514", name: "Claude Haiku 4", contextWindow: 2e5, isDefault: false }
-  ],
-  openai: [
-    { id: "gpt-4o", name: "GPT-4o", contextWindow: 128e3, isDefault: true },
-    { id: "gpt-4o-mini", name: "GPT-4o Mini", contextWindow: 128e3, isDefault: false }
-  ],
-  google: [
-    { id: "gemini-2.5-flash", name: "Gemini 2.5 Flash", contextWindow: 1e6, isDefault: true },
-    { id: "gemini-2.5-pro", name: "Gemini 2.5 Pro", contextWindow: 1e6, isDefault: false }
-  ]
-};
-var ENV_KEY_NAMES = {
-  anthropic: "ANTHROPIC_API_KEY",
-  openai: "OPENAI_API_KEY",
-  google: "GEMINI_API_KEY"
-};
-function getDefaultModel(platform) {
-  const models = MODELS[platform];
-  const def = models.find((m) => m.isDefault);
-  return def ? def.id : models[0].id;
-}
-function getModelContextWindow(platform, modelId) {
-  const model = MODELS[platform].find((m) => m.id === modelId);
-  return model ? model.contextWindow : 128e3;
-}
+// src/ai/api-keys.ts
+import { spawnSync as spawnSync2 } from "child_process";
 
-// src/ai/config.ts
-var CONFIG_DIR = join2(homedir(), ".glassbox");
-var CONFIG_PATH = join2(CONFIG_DIR, "config.json");
-function readConfigFile() {
-  try {
-    if (existsSync(CONFIG_PATH)) {
-      return JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
-    }
-  } catch {
-  }
-  return {};
-}
-function writeConfigFile(config) {
-  mkdirSync2(CONFIG_DIR, { recursive: true });
-  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), "utf-8");
-  try {
-    chmodSync(CONFIG_PATH, 384);
-  } catch {
-  }
-}
-function getKeyFromEnv(platform) {
-  const envName = ENV_KEY_NAMES[platform];
-  return process.env[envName] ?? null;
-}
+// src/ai/keychain.ts
+import { spawnSync } from "child_process";
 var WIN_CRED_READ_PS = `
 Add-Type -TypeDefinition @'
 using System;
@@ -526,19 +471,19 @@ function getKeyFromKeychain(platform) {
   try {
     if (os === "darwin") {
       const r = spawnSync("security", ["find-generic-password", "-s", "glassbox", "-a", account, "-w"], { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
-      const result = (r.stdout ?? "").trim();
+      const result = r.stdout.trim();
       return r.status === 0 && result !== "" ? result : null;
     }
     if (os === "linux") {
       const r = spawnSync("secret-tool", ["lookup", "service", "glassbox", "account", account], { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
-      const result = (r.stdout ?? "").trim();
+      const result = r.stdout.trim();
       return r.status === 0 && result !== "" ? result : null;
     }
     if (os === "win32") {
       const target = winCredTarget(platform);
       const script = WIN_CRED_READ_PS + `Write-Output ([CredHelper]::Read('${target}'))`;
       const r = spawnSync("powershell", ["-NoProfile", "-Command", "-"], { input: script, encoding: "utf-8" });
-      const result = (r.stdout ?? "").trim();
+      const result = r.stdout.trim();
       return r.status === 0 && result !== "" ? result : null;
     }
   } catch {
@@ -546,6 +491,81 @@ function getKeyFromKeychain(platform) {
   }
   return null;
 }
+function saveKeyToKeychain(platform, key) {
+  const os = process.platform;
+  const account = `${platform}-api-key`;
+  if (os === "darwin") {
+    spawnSync("security", ["delete-generic-password", "-s", "glassbox", "-a", account], { stdio: "pipe" });
+    spawnSync("security", ["add-generic-password", "-s", "glassbox", "-a", account, "-w", key]);
+    return;
+  }
+  if (os === "linux") {
+    spawnSync("secret-tool", ["store", "--label=Glassbox API Key", "service", "glassbox", "account", account], { input: key, encoding: "utf-8" });
+    return;
+  }
+  if (os === "win32") {
+    const target = winCredTarget(platform);
+    const escapedKey = key.replace(/'/g, "''");
+    const script = `cmdkey /generic:'${target}' /user:'glassbox' /pass:'${escapedKey}'`;
+    spawnSync("powershell", ["-NoProfile", "-Command", "-"], { input: script, encoding: "utf-8" });
+  }
+}
+function isKeychainAvailable() {
+  const os = process.platform;
+  if (os === "darwin" || os === "win32") return true;
+  if (os === "linux") {
+    return spawnSync("which", ["secret-tool"], { stdio: "pipe" }).status === 0;
+  }
+  return false;
+}
+function getKeychainLabel() {
+  const os = process.platform;
+  if (os === "darwin") return "Keychain";
+  if (os === "linux") return "System Keyring";
+  if (os === "win32") return "Credential Manager";
+  return "System Keychain";
+}
+
+// src/ai/models.ts
+var PLATFORMS = {
+  anthropic: "Anthropic",
+  openai: "OpenAI",
+  google: "Google"
+};
+var MODELS = {
+  anthropic: [
+    { id: "claude-sonnet-4-20250514", name: "Claude Sonnet 4", contextWindow: 2e5, isDefault: true },
+    { id: "claude-haiku-4-20250514", name: "Claude Haiku 4", contextWindow: 2e5, isDefault: false }
+  ],
+  openai: [
+    { id: "gpt-4o", name: "GPT-4o", contextWindow: 128e3, isDefault: true },
+    { id: "gpt-4o-mini", name: "GPT-4o Mini", contextWindow: 128e3, isDefault: false }
+  ],
+  google: [
+    { id: "gemini-2.5-flash", name: "Gemini 2.5 Flash", contextWindow: 1e6, isDefault: true },
+    { id: "gemini-2.5-pro", name: "Gemini 2.5 Pro", contextWindow: 1e6, isDefault: false }
+  ]
+};
+var ENV_KEY_NAMES = {
+  anthropic: "ANTHROPIC_API_KEY",
+  openai: "OPENAI_API_KEY",
+  google: "GEMINI_API_KEY"
+};
+function getDefaultModel(platform) {
+  const models = MODELS[platform];
+  const def = models.find((m) => m.isDefault);
+  return def ? def.id : models[0].id;
+}
+function getModelContextWindow(platform, modelId) {
+  const model = MODELS[platform].find((m) => m.id === modelId);
+  return model ? model.contextWindow : 128e3;
+}
+
+// src/ai/api-keys.ts
+function getKeyFromEnv(platform) {
+  const envName = ENV_KEY_NAMES[platform];
+  return process.env[envName] ?? null;
+}
 function getKeyFromConfig(platform) {
   const config = readConfigFile();
   const encoded = config.ai?.keys?.[platform];
@@ -565,20 +585,6 @@ function resolveAPIKey(platform) {
   if (configKey !== null) return { key: configKey, source: "config" };
   return { key: null, source: null };
 }
-function loadAIConfig() {
-  const config = readConfigFile();
-  const platform = config.ai?.platform ?? "anthropic";
-  const model = config.ai?.model ?? getDefaultModel(platform);
-  const { key, source } = resolveAPIKey(platform);
-  return { platform, model, apiKey: key, keySource: source };
-}
-function saveAIConfigPreferences(platform, model) {
-  const config = readConfigFile();
-  if (config.ai === void 0) config.ai = {};
-  config.ai.platform = platform;
-  config.ai.model = model;
-  writeConfigFile(config);
-}
 function saveAPIKey(platform, key, storage) {
   if (storage === "keychain") {
     saveKeyToKeychain(platform, key);
@@ -590,36 +596,17 @@ function saveAPIKey(platform, key, storage) {
     writeConfigFile(config);
   }
 }
-function saveKeyToKeychain(platform, key) {
-  const os = process.platform;
-  const account = `${platform}-api-key`;
-  if (os === "darwin") {
-    spawnSync("security", ["delete-generic-password", "-s", "glassbox", "-a", account], { stdio: "pipe" });
-    spawnSync("security", ["add-generic-password", "-s", "glassbox", "-a", account, "-w", key]);
-    return;
-  }
-  if (os === "linux") {
-    spawnSync("secret-tool", ["store", "--label=Glassbox API Key", "service", "glassbox", "account", account], { input: key, encoding: "utf-8" });
-    return;
-  }
-  if (os === "win32") {
-    const target = winCredTarget(platform);
-    const escapedKey = key.replace(/'/g, "''");
-    const script = `cmdkey /generic:'${target}' /user:'glassbox' /pass:'${escapedKey}'`;
-    spawnSync("powershell", ["-NoProfile", "-Command", "-"], { input: script, encoding: "utf-8" });
-  }
-}
 function deleteAPIKey(platform) {
   const os = process.platform;
   const account = `${platform}-api-key`;
   try {
     if (os === "darwin") {
-      spawnSync("security", ["delete-generic-password", "-s", "glassbox", "-a", account], { stdio: "pipe" });
+      spawnSync2("security", ["delete-generic-password", "-s", "glassbox", "-a", account], { stdio: "pipe" });
     } else if (os === "linux") {
-      spawnSync("secret-tool", ["clear", "service", "glassbox", "account", account], { stdio: "pipe" });
+      spawnSync2("secret-tool", ["clear", "service", "glassbox", "account", account], { stdio: "pipe" });
     } else if (os === "win32") {
       const target = winCredTarget(platform);
-      spawnSync("powershell", ["-NoProfile", "-Command", "-"], { input: `cmdkey /delete:'${target}'`, encoding: "utf-8" });
+      spawnSync2("powershell", ["-NoProfile", "-Command", "-"], { input: `cmdkey /delete:'${target}'`, encoding: "utf-8" });
     }
   } catch {
   }
@@ -639,20 +626,40 @@ function detectAvailablePlatforms() {
   }
   return results;
 }
-function isKeychainAvailable() {
-  const os = process.platform;
-  if (os === "darwin" || os === "win32") return true;
-  if (os === "linux") {
-    return spawnSync("which", ["secret-tool"], { stdio: "pipe" }).status === 0;
+
+// src/ai/config.ts
+var CONFIG_DIR = join2(homedir(), ".glassbox");
+var CONFIG_PATH = join2(CONFIG_DIR, "config.json");
+function readConfigFile() {
+  try {
+    if (existsSync(CONFIG_PATH)) {
+      return JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
+    }
+  } catch {
   }
-  return false;
+  return {};
 }
-function getKeychainLabel() {
-  const os = process.platform;
-  if (os === "darwin") return "Keychain";
-  if (os === "linux") return "System Keyring";
-  if (os === "win32") return "Credential Manager";
-  return "System Keychain";
+function writeConfigFile(config) {
+  mkdirSync2(CONFIG_DIR, { recursive: true });
+  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), "utf-8");
+  try {
+    chmodSync(CONFIG_PATH, 384);
+  } catch {
+  }
+}
+function loadAIConfig() {
+  const config = readConfigFile();
+  const platform = config.ai?.platform ?? "anthropic";
+  const model = config.ai?.model ?? getDefaultModel(platform);
+  const { key, source } = resolveAPIKey(platform);
+  return { platform, model, apiKey: key, keySource: source };
+}
+function saveAIConfigPreferences(platform, model) {
+  const config = readConfigFile();
+  if (config.ai === void 0) config.ai = {};
+  config.ai.platform = platform;
+  config.ai.model = model;
+  writeConfigFile(config);
 }
 function loadGuidedReviewConfig() {
   const config = readConfigFile();
@@ -1266,11 +1273,14 @@ async function setupAnnotations(fileIdMap) {
 }
 
 // src/git/diff.ts
-import { spawnSync as spawnSync2 } from "child_process";
+import { spawnSync as spawnSync4 } from "child_process";
 import { readFileSync as readFileSync2 } from "fs";
 import { resolve } from "path";
+
+// src/git/repo.ts
+import { spawnSync as spawnSync3 } from "child_process";
 function git(args, cwd) {
-  const result = spawnSync2("git", args, { cwd, encoding: "utf-8", maxBuffer: 50 * 1024 * 1024 });
+  const result = spawnSync3("git", args, { cwd, encoding: "utf-8", maxBuffer: 50 * 1024 * 1024 });
   if (result.status === 0) return result.stdout;
   if (result.stdout !== "") return result.stdout;
   const err = new Error(result.stderr);
@@ -1294,6 +1304,21 @@ function isGitRepo(cwd) {
     return false;
   }
 }
+function getHeadCommit(cwd) {
+  return spawnSync3("git", ["rev-parse", "HEAD"], { cwd, encoding: "utf-8" }).stdout.trim();
+}
+
+// src/git/diff.ts
+function git2(args, cwd) {
+  const result = spawnSync4("git", args, { cwd, encoding: "utf-8", maxBuffer: 50 * 1024 * 1024 });
+  if (result.status === 0) return result.stdout;
+  if (result.stdout !== "") return result.stdout;
+  const err = new Error(result.stderr);
+  err.stdout = result.stdout;
+  err.stderr = result.stderr;
+  err.status = result.status;
+  throw err;
+}
 function getDiffArgs(mode) {
   switch (mode.type) {
     case "uncommitted":
@@ -1322,13 +1347,13 @@ function getFileDiffs(mode, cwd) {
   const diffArgs = getDiffArgs(mode);
   let rawDiff;
   try {
-    rawDiff = git([...diffArgs, "-U3"], repoRoot);
+    rawDiff = git2([...diffArgs, "-U3"], repoRoot);
   } catch {
     rawDiff = "";
   }
   const diffs = parseDiff(rawDiff);
   if (mode.type === "uncommitted") {
-    const untracked = git(["ls-files", "--others", "--exclude-standard"], repoRoot).trim();
+    const untracked = git2(["ls-files", "--others", "--exclude-standard"], repoRoot).trim();
     if (untracked) {
       for (const file of untracked.split("\n").filter(Boolean)) {
         if (!diffs.some((d) => d.filePath === file)) {
@@ -1340,7 +1365,7 @@ function getFileDiffs(mode, cwd) {
   return diffs;
 }
 function getAllFiles(repoRoot) {
-  const files = git(["ls-files"], repoRoot).trim().split("\n").filter(Boolean);
+  const files = git2(["ls-files"], repoRoot).trim().split("\n").filter(Boolean);
   return files.map((file) => createNewFileDiff(file, repoRoot));
 }
 function createNewFileDiff(filePath, repoRoot) {
@@ -1469,14 +1494,11 @@ function getFileContent(filePath, ref, cwd) {
     if (ref === "working") {
       return readFileSync2(resolve(repoRoot, filePath), "utf-8");
     }
-    return git(["show", `${ref}:${filePath}`], repoRoot);
+    return git2(["show", `${ref}:${filePath}`], repoRoot);
   } catch {
     return "";
   }
 }
-function getHeadCommit(cwd) {
-  return spawnSync2("git", ["rev-parse", "HEAD"], { cwd, encoding: "utf-8" }).stdout.trim();
-}
 function parseModeString(modeStr) {
   if (modeStr === "uncommitted") return { type: "uncommitted" };
   if (modeStr === "staged") return { type: "staged" };
@@ -1501,7 +1523,7 @@ function getSingleFileDiff(mode, filePath, repoRoot, extraFlags = "") {
   args.push("--", filePath);
   let rawDiff;
   try {
-    rawDiff = git(args, repoRoot);
+    rawDiff = git2(args, repoRoot);
   } catch {
     rawDiff = "";
   }
@@ -1573,7 +1595,9 @@ function acquireLock(dataDir) {
     }
   }
   writeFileSync2(lockPath, JSON.stringify({ pid: process.pid, startedAt: (/* @__PURE__ */ new Date()).toISOString() }));
-  const cleanup = () => releaseLock();
+  const cleanup = () => {
+    releaseLock();
+  };
   process.on("exit", cleanup);
   process.on("SIGINT", () => {
     cleanup();
@@ -1585,7 +1609,7 @@ function acquireLock(dataDir) {
   });
 }
 function releaseLock() {
-  if (lockPath) {
+  if (lockPath !== null) {
     try {
       rmSync2(lockPath, { force: true });
     } catch {
@@ -1701,12 +1725,15 @@ async function updateReviewDiffs(reviewId, newDiffs, headCommit) {
 // src/server.ts
 import { serve } from "@hono/node-server";
 import { exec } from "child_process";
-import { existsSync as existsSync6, readFileSync as readFileSync9 } from "fs";
-import { Hono as Hono4 } from "hono";
-import { dirname, join as join7 } from "path";
+import { existsSync as existsSync7, readFileSync as readFileSync10 } from "fs";
+import { Hono as Hono7 } from "hono";
+import { dirname, join as join8 } from "path";
 import { fileURLToPath } from "url";
 
 // src/routes/ai-api.ts
+import { Hono as Hono3 } from "hono";
+
+// src/routes/ai-analysis.ts
 import { Hono } from "hono";
 
 // src/ai/client.ts
@@ -2536,71 +2563,24 @@ async function mockGuidedAnalysisBatch(files) {
   }));
 }
 
-// src/routes/ai-api.ts
+// src/routes/ai-analysis.ts
 init_queries();
-var aiApiRoutes = new Hono();
+var aiAnalysisRoutes = new Hono();
+var VALID_SORT_MODES = ["folder", "risk", "narrative", "guided"];
+var VALID_RISK_DIMENSIONS = ["aggregate", "security", "correctness", "error-handling", "maintainability", "architecture", "performance"];
+var VALID_SVG_VIEW_MODES = ["code", "rendered"];
+var VALID_IMAGE_MODES = ["metadata", "side-by-side", "difference", "slice"];
+var VALID_ANALYSIS_TYPES = ["risk", "narrative", "guided"];
 var cancelledAnalyses = /* @__PURE__ */ new Set();
-aiApiRoutes.get("/config", (c) => {
-  const config = loadAIConfig();
-  return c.json({
-    platform: config.platform,
-    model: config.model,
-    keyConfigured: config.apiKey !== null || isAIServiceTest() || getDemoMode() !== null,
-    keySource: config.keySource,
-    guidedReview: loadGuidedReviewConfig()
-  });
-});
-aiApiRoutes.post("/config", async (c) => {
-  const body = await c.req.json();
-  saveAIConfigPreferences(body.platform, body.model);
-  if (body.guidedReview !== void 0) {
-    saveGuidedReviewConfig(body.guidedReview);
-  }
-  return c.json({ ok: true });
-});
-aiApiRoutes.get("/models", (c) => {
-  return c.json({
-    platforms: PLATFORMS,
-    models: MODELS
-  });
-});
-aiApiRoutes.get("/key-status", (c) => {
-  const platforms = ["anthropic", "openai", "google"];
-  const status = {};
-  for (const platform of platforms) {
-    const { source } = resolveAPIKey(platform);
-    status[platform] = { configured: source !== null, source };
-  }
-  return c.json({
-    status,
-    keychainAvailable: isKeychainAvailable(),
-    keychainLabel: getKeychainLabel(),
-    availablePlatforms: detectAvailablePlatforms()
-  });
-});
-aiApiRoutes.post("/key", async (c) => {
-  const body = await c.req.json();
-  saveAPIKey(
-    body.platform,
-    body.key,
-    body.storage
-  );
-  return c.json({ ok: true });
-});
-aiApiRoutes.delete("/key", (c) => {
-  const platform = c.req.query("platform") ?? "anthropic";
-  deleteAPIKey(platform);
-  return c.json({ ok: true });
-});
-aiApiRoutes.post("/analyze", async (c) => {
+aiAnalysisRoutes.post("/analyze", async (c) => {
   const reviewId = c.req.query("reviewId") ?? "";
   const repoRoot = c.get("repoRoot");
   const body = await c.req.json();
   const analysisType = body.type;
   const invalidateCache = body.invalidateCache === true;
   debugLog(`POST /analyze: type=${analysisType}, reviewId=${reviewId}`);
-  if (analysisType !== "risk" && analysisType !== "narrative" && analysisType !== "guided") {
-    return c.json({ error: "Invalid analysis type" }, 400);
+  if (!VALID_ANALYSIS_TYPES.includes(analysisType)) {
+    return c.json({ error: `type must be one of: ${VALID_ANALYSIS_TYPES.join(", ")}` }, 400);
   }
   const testMode = isAIServiceTest();
   const config = loadAIConfig();
@@ -2844,9 +2824,12 @@ async function runBatchedGuidedAnalysis(analysisId, batches, allFiles, config, r
     "guided"
   );
 }
-aiApiRoutes.get("/analysis/:type", async (c) => {
+aiAnalysisRoutes.get("/analysis/:type", async (c) => {
   const reviewId = c.req.query("reviewId") ?? "";
   const analysisType = c.req.param("type");
+  if (!VALID_ANALYSIS_TYPES.includes(analysisType)) {
+    return c.json({ error: `type must be one of: ${VALID_ANALYSIS_TYPES.join(", ")}` }, 400);
+  }
   const analysis = await getLatestAnalysis(reviewId, analysisType);
   if (analysis === void 0) {
     debugLog(`GET /analysis/${analysisType}: no analysis found`);
@@ -2876,9 +2859,12 @@ aiApiRoutes.get("/analysis/:type", async (c) => {
     }))
   });
 });
-aiApiRoutes.get("/analysis/:type/status", async (c) => {
+aiAnalysisRoutes.get("/analysis/:type/status", async (c) => {
   const reviewId = c.req.query("reviewId") ?? "";
   const analysisType = c.req.param("type");
+  if (!VALID_ANALYSIS_TYPES.includes(analysisType)) {
+    return c.json({ error: `type must be one of: ${VALID_ANALYSIS_TYPES.join(", ")}` }, 400);
+  }
   const analysis = await getLatestAnalysis(reviewId, analysisType);
   if (analysis === void 0) {
     debugLog(`GET /analysis/${analysisType}/status: no analysis found`);
@@ -2900,35 +2886,150 @@ aiApiRoutes.get("/analysis/:type/status", async (c) => {
     progressTotal: analysis.progress_total
   });
 });
-aiApiRoutes.get("/debug-status", (c) => {
+aiAnalysisRoutes.get("/debug-status", (c) => {
   return c.json({ enabled: isDebug() });
 });
-aiApiRoutes.post("/debug-log", async (c) => {
+aiAnalysisRoutes.post("/debug-log", async (c) => {
   if (!isDebug()) return c.json({ ok: true });
   const body = await c.req.json();
+  if (typeof body.message !== "string") {
+    return c.json({ error: "message must be a string" }, 400);
+  }
   debugLog(`[client] ${body.message}`);
   return c.json({ ok: true });
 });
-aiApiRoutes.get("/preferences", async (c) => {
+aiAnalysisRoutes.get("/preferences", async (c) => {
   const prefs = await getUserPreferences();
   return c.json(prefs);
 });
-aiApiRoutes.post("/preferences", async (c) => {
+aiAnalysisRoutes.post("/preferences", async (c) => {
   const body = await c.req.json();
+  if (body.sort_mode !== void 0 && !VALID_SORT_MODES.includes(body.sort_mode)) {
+    return c.json({ error: `sort_mode must be one of: ${VALID_SORT_MODES.join(", ")}` }, 400);
+  }
+  if (body.risk_sort_dimension !== void 0 && !VALID_RISK_DIMENSIONS.includes(body.risk_sort_dimension)) {
+    return c.json({ error: `risk_sort_dimension must be one of: ${VALID_RISK_DIMENSIONS.join(", ")}` }, 400);
+  }
+  if (body.show_risk_scores !== void 0 && typeof body.show_risk_scores !== "boolean") {
+    return c.json({ error: "show_risk_scores must be a boolean" }, 400);
+  }
+  if (body.ignore_whitespace !== void 0 && typeof body.ignore_whitespace !== "boolean") {
+    return c.json({ error: "ignore_whitespace must be a boolean" }, 400);
+  }
+  if (body.svg_view_mode !== void 0 && !VALID_SVG_VIEW_MODES.includes(body.svg_view_mode)) {
+    return c.json({ error: `svg_view_mode must be one of: ${VALID_SVG_VIEW_MODES.join(", ")}` }, 400);
+  }
+  if (body.last_image_mode !== void 0 && !VALID_IMAGE_MODES.includes(body.last_image_mode)) {
+    return c.json({ error: `last_image_mode must be one of: ${VALID_IMAGE_MODES.join(", ")}` }, 400);
+  }
   await saveUserPreferences(body);
   return c.json({ ok: true });
 });
 
+// src/routes/ai-config.ts
+import { Hono as Hono2 } from "hono";
+var aiConfigRoutes = new Hono2();
+var VALID_PLATFORMS = ["anthropic", "openai", "google"];
+var VALID_KEY_STORAGES = ["keychain", "config"];
+aiConfigRoutes.get("/config", (c) => {
+  const config = loadAIConfig();
+  return c.json({
+    platform: config.platform,
+    model: config.model,
+    keyConfigured: config.apiKey !== null || isAIServiceTest() || getDemoMode() !== null,
+    keySource: config.keySource,
+    guidedReview: loadGuidedReviewConfig()
+  });
+});
+aiConfigRoutes.post("/config", async (c) => {
+  const body = await c.req.json();
+  if (!VALID_PLATFORMS.includes(body.platform)) {
+    return c.json({ error: `platform must be one of: ${VALID_PLATFORMS.join(", ")}` }, 400);
+  }
+  if (typeof body.model !== "string" || body.model.trim() === "") {
+    return c.json({ error: "model must be a non-empty string" }, 400);
+  }
+  if (body.guidedReview !== void 0) {
+    const gr = body.guidedReview;
+    if (typeof gr !== "object" || gr === null || Array.isArray(gr)) {
+      return c.json({ error: "guidedReview must be an object" }, 400);
+    }
+    const grObj = gr;
+    if (typeof grObj.enabled !== "boolean") {
+      return c.json({ error: "guidedReview.enabled must be a boolean" }, 400);
+    }
+    if (!Array.isArray(grObj.topics) || !grObj.topics.every((t) => typeof t === "string")) {
+      return c.json({ error: "guidedReview.topics must be an array of strings" }, 400);
+    }
+  }
+  saveAIConfigPreferences(body.platform, body.model);
+  if (body.guidedReview !== void 0) {
+    saveGuidedReviewConfig(body.guidedReview);
+  }
+  return c.json({ ok: true });
+});
+aiConfigRoutes.get("/models", (c) => {
+  return c.json({
+    platforms: PLATFORMS,
+    models: MODELS
+  });
+});
+aiConfigRoutes.get("/key-status", (c) => {
+  const platforms = ["anthropic", "openai", "google"];
+  const status = {};
+  for (const platform of platforms) {
+    const { source } = resolveAPIKey(platform);
+    status[platform] = { configured: source !== null, source };
+  }
+  return c.json({
+    status,
+    keychainAvailable: isKeychainAvailable(),
+    keychainLabel: getKeychainLabel(),
+    availablePlatforms: detectAvailablePlatforms()
+  });
+});
+aiConfigRoutes.post("/key", async (c) => {
+  const body = await c.req.json();
+  if (!VALID_PLATFORMS.includes(body.platform)) {
+    return c.json({ error: `platform must be one of: ${VALID_PLATFORMS.join(", ")}` }, 400);
+  }
+  if (typeof body.key !== "string" || body.key.trim() === "") {
+    return c.json({ error: "key must be a non-empty string" }, 400);
+  }
+  if (!VALID_KEY_STORAGES.includes(body.storage)) {
+    return c.json({ error: `storage must be one of: ${VALID_KEY_STORAGES.join(", ")}` }, 400);
+  }
+  saveAPIKey(
+    body.platform,
+    body.key,
+    body.storage
+  );
+  return c.json({ ok: true });
+});
+aiConfigRoutes.delete("/key", (c) => {
+  const platform = c.req.query("platform") ?? "anthropic";
+  if (!VALID_PLATFORMS.includes(platform)) {
+    return c.json({ error: `platform must be one of: ${VALID_PLATFORMS.join(", ")}` }, 400);
+  }
+  deleteAPIKey(platform);
+  return c.json({ ok: true });
+});
+
+// src/routes/ai-api.ts
+var aiApiRoutes = new Hono3();
+aiApiRoutes.route("/", aiConfigRoutes);
+aiApiRoutes.route("/", aiAnalysisRoutes);
+
 // src/routes/api.ts
 init_queries();
-import { execFileSync, spawnSync as spawnSync5 } from "child_process";
+import { execFileSync, spawnSync as spawnSync7 } from "child_process";
 import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync7, writeFileSync as writeFileSync4 } from "fs";
-import { Hono as Hono2 } from "hono";
+import { Hono as Hono4 } from "hono";
 import { join as join6, resolve as resolve3 } from "path";
 
 // src/export/generate.ts
 init_queries();
-import { spawnSync as spawnSync3 } from "child_process";
+import { spawnSync as spawnSync5 } from "child_process";
 import { appendFileSync, existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync4, unlinkSync, writeFileSync as writeFileSync3 } from "fs";
 import { homedir as homedir2 } from "os";
 import { join as join4 } from "path";
@@ -2947,7 +3048,7 @@ function saveDismissals(data) {
   writeFileSync3(DISMISS_FILE, JSON.stringify(data), "utf-8");
 }
 function isGlassboxGitignored(repoRoot) {
-  const result = spawnSync3("git", ["check-ignore", "-q", ".glassbox"], { cwd: repoRoot, stdio: "pipe" });
+  const result = spawnSync5("git", ["check-ignore", "-q", ".glassbox"], { cwd: repoRoot, stdio: "pipe" });
   return result.status === 0;
 }
 function shouldPromptGitignore(repoRoot) {
@@ -3071,127 +3172,43 @@ function scheduleAutoExport(reviewId, repoRoot) {
   if (debounceTimer !== null) clearTimeout(debounceTimer);
   debounceTimer = setTimeout(() => {
     debounceTimer = null;
-    void generateReviewExport(reviewId, repoRoot, true);
-  }, DEBOUNCE_MS);
-}
-
-// src/git/image.ts
-import { spawnSync as spawnSync4 } from "child_process";
-import { readFileSync as readFileSync5 } from "fs";
-import { resolve as resolve2 } from "path";
-var IMAGE_EXTENSIONS = /* @__PURE__ */ new Set([".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"]);
-function isImageFile(filePath) {
-  const ext = filePath.slice(filePath.lastIndexOf(".")).toLowerCase();
-  return IMAGE_EXTENSIONS.has(ext);
-}
-function isSvgFile(filePath) {
-  return filePath.slice(filePath.lastIndexOf(".")).toLowerCase() === ".svg";
-}
-function getContentType(filePath) {
-  const ext = filePath.slice(filePath.lastIndexOf(".")).toLowerCase();
-  switch (ext) {
-    case ".png":
-      return "image/png";
-    case ".jpg":
-    case ".jpeg":
-      return "image/jpeg";
-    case ".gif":
-      return "image/gif";
-    case ".webp":
-      return "image/webp";
-    case ".svg":
-      return "image/svg+xml";
-    default:
-      return "application/octet-stream";
-  }
-}
-function getOldRef(mode) {
-  switch (mode.type) {
-    case "uncommitted":
-      return "HEAD";
-    case "staged":
-      return "HEAD";
-    case "unstaged":
-      return null;
-    // old = index, use ':'
-    case "commit":
-      return `${mode.sha}~1`;
-    case "range":
-      return mode.from;
-    case "branch":
-      return mode.name;
-    case "files":
-      return "HEAD";
-    case "all":
-      return null;
-  }
-}
-function getNewRef(mode) {
-  switch (mode.type) {
-    case "uncommitted":
-      return null;
-    // working tree
-    case "staged":
-      return null;
-    // index, but git show : works
-    case "unstaged":
-      return null;
-    // working tree
-    case "commit":
-      return mode.sha;
-    case "range":
-      return mode.to;
-    case "branch":
-      return "HEAD";
-    case "files":
-      return null;
-    case "all":
-      return null;
-  }
-}
-function gitShowFile(ref, filePath, repoRoot) {
-  const spec = ref === ":" ? `:${filePath}` : `${ref}:${filePath}`;
-  const result = spawnSync4("git", ["show", spec], { cwd: repoRoot, maxBuffer: 50 * 1024 * 1024 });
-  if (result.status !== 0 || result.stdout.length === 0) return null;
-  return result.stdout;
-}
-function readWorkingFile(filePath, repoRoot) {
-  try {
-    return readFileSync5(resolve2(repoRoot, filePath));
-  } catch {
-    return null;
-  }
+    void generateReviewExport(reviewId, repoRoot, true);
+  }, DEBOUNCE_MS);
 }
-function getOldImage(mode, filePath, oldPath, repoRoot) {
-  const ref = getOldRef(mode);
-  const path = oldPath ?? filePath;
-  if (ref === null) {
-    const data2 = readWorkingFile(path, repoRoot);
-    if (!data2) return null;
-    return { data: data2, size: data2.length };
-  }
-  const actualRef = mode.type === "unstaged" ? ":" : ref;
-  const data = gitShowFile(actualRef, path, repoRoot);
-  if (!data) return null;
-  return { data, size: data.length };
+
+// src/git/image.ts
+import { spawnSync as spawnSync6 } from "child_process";
+import { readFileSync as readFileSync5 } from "fs";
+import { resolve as resolve2 } from "path";
+
+// src/git/image-metadata.ts
+var IMAGE_EXTENSIONS = /* @__PURE__ */ new Set([".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"]);
+function isImageFile(filePath) {
+  const ext = filePath.slice(filePath.lastIndexOf(".")).toLowerCase();
+  return IMAGE_EXTENSIONS.has(ext);
 }
-function getNewImage(mode, filePath, repoRoot) {
-  const ref = getNewRef(mode);
-  if (ref === null) {
-    if (mode.type === "staged") {
-      const data3 = gitShowFile(":", filePath, repoRoot);
-      if (!data3) return null;
-      return { data: data3, size: data3.length };
-    }
-    const data2 = readWorkingFile(filePath, repoRoot);
-    if (!data2) return null;
-    return { data: data2, size: data2.length };
+function isSvgFile(filePath) {
+  return filePath.slice(filePath.lastIndexOf(".")).toLowerCase() === ".svg";
+}
+function getContentType(filePath) {
+  const ext = filePath.slice(filePath.lastIndexOf(".")).toLowerCase();
+  switch (ext) {
+    case ".png":
+      return "image/png";
+    case ".jpg":
+    case ".jpeg":
+      return "image/jpeg";
+    case ".gif":
+      return "image/gif";
+    case ".webp":
+      return "image/webp";
+    case ".svg":
+      return "image/svg+xml";
+    default:
+      return "application/octet-stream";
   }
-  const data = gitShowFile(ref, filePath, repoRoot);
-  if (!data) return null;
-  return { data, size: data.length };
 }
-async function extractMetadata(data, filePath) {
+function extractMetadata(data, filePath) {
   const ext = filePath.slice(filePath.lastIndexOf(".")).toLowerCase();
   if (ext === ".svg") {
     const text = data.toString("utf-8");
@@ -3233,9 +3250,9 @@ function formatMetadataLines(meta) {
     lines.push(`Dimensions: ${meta.width} \xD7 ${meta.height}`);
   }
   lines.push(`File size: ${formatBytes(meta.fileSize)}`);
-  if (meta.colorSpace) lines.push(`Color space: ${meta.colorSpace}`);
+  if (meta.colorSpace !== null) lines.push(`Color space: ${meta.colorSpace}`);
   if (meta.channels !== null) lines.push(`Channels: ${meta.channels}`);
-  if (meta.depth) lines.push(`Bit depth: ${meta.depth}`);
+  if (meta.depth !== null) lines.push(`Bit depth: ${meta.depth}`);
   if (meta.hasAlpha !== null) lines.push(`Alpha: ${meta.hasAlpha ? "yes" : "no"}`);
   if (meta.density !== null) lines.push(`Density: ${meta.density} DPI`);
   if (meta.exif) {
@@ -3376,7 +3393,95 @@ function parseWebp(data) {
     width = (data[24] | data[25] << 8 | data[26] << 16) + 1;
     height = (data[27] | data[28] << 8 | data[29] << 16) + 1;
   }
-  return { format: "webp", width, height, colorSpace: "srgb", channels: hasAlpha ? 4 : 3, depth: null, hasAlpha, density: null, exif: null };
+  return { format: "webp", width, height, colorSpace: "srgb", channels: hasAlpha === true ? 4 : 3, depth: null, hasAlpha, density: null, exif: null };
+}
+
+// src/git/image.ts
+function getOldRef(mode) {
+  switch (mode.type) {
+    case "uncommitted":
+      return "HEAD";
+    case "staged":
+      return "HEAD";
+    case "unstaged":
+      return null;
+    // old = index, use ':'
+    case "commit":
+      return `${mode.sha}~1`;
+    case "range":
+      return mode.from;
+    case "branch":
+      return mode.name;
+    case "files":
+      return "HEAD";
+    case "all":
+      return null;
+  }
+}
+function getNewRef(mode) {
+  switch (mode.type) {
+    case "uncommitted":
+      return null;
+    // working tree
+    case "staged":
+      return null;
+    // index, but git show : works
+    case "unstaged":
+      return null;
+    // working tree
+    case "commit":
+      return mode.sha;
+    case "range":
+      return mode.to;
+    case "branch":
+      return "HEAD";
+    case "files":
+      return null;
+    case "all":
+      return null;
+  }
+}
+function gitShowFile(ref, filePath, repoRoot) {
+  const spec = ref === ":" ? `:${filePath}` : `${ref}:${filePath}`;
+  const result = spawnSync6("git", ["show", spec], { cwd: repoRoot, maxBuffer: 50 * 1024 * 1024 });
+  if (result.status !== 0 || result.stdout.length === 0) return null;
+  return result.stdout;
+}
+function readWorkingFile(filePath, repoRoot) {
+  try {
+    return readFileSync5(resolve2(repoRoot, filePath));
+  } catch {
+    return null;
+  }
+}
+function getOldImage(mode, filePath, oldPath, repoRoot) {
+  const ref = getOldRef(mode);
+  const path = oldPath ?? filePath;
+  if (ref === null) {
+    const data2 = readWorkingFile(path, repoRoot);
+    if (!data2) return null;
+    return { data: data2, size: data2.length };
+  }
+  const actualRef = mode.type === "unstaged" ? ":" : ref;
+  const data = gitShowFile(actualRef, path, repoRoot);
+  if (!data) return null;
+  return { data, size: data.length };
+}
+function getNewImage(mode, filePath, repoRoot) {
+  const ref = getNewRef(mode);
+  if (ref === null) {
+    if (mode.type === "staged") {
+      const data3 = gitShowFile(":", filePath, repoRoot);
+      if (!data3) return null;
+      return { data: data3, size: data3.length };
+    }
+    const data2 = readWorkingFile(filePath, repoRoot);
+    if (!data2) return null;
+    return { data: data2, size: data2.length };
+  }
+  const data = gitShowFile(ref, filePath, repoRoot);
+  if (!data) return null;
+  return { data, size: data.length };
 }
 
 // src/git/svg-rasterize.ts
@@ -3411,63 +3516,62 @@ function loadSystemFonts() {
   return buffers;
 }
 function getFontCandidates() {
-  switch (process.platform) {
-    case "darwin": {
-      const sys = "/System/Library/Fonts";
-      const sup = "/System/Library/Fonts/Supplemental";
-      return [
-        // Core system fonts (serif, sans-serif, monospace)
-        join5(sys, "Helvetica.ttc"),
-        join5(sys, "Times.ttc"),
-        join5(sys, "Courier.ttc"),
-        join5(sys, "Menlo.ttc"),
-        join5(sys, "SFPro.ttf"),
-        join5(sys, "SFNS.ttf"),
-        join5(sys, "SFNSMono.ttf"),
-        // Supplemental (common named fonts in SVGs)
-        join5(sup, "Arial.ttf"),
-        join5(sup, "Arial Bold.ttf"),
-        join5(sup, "Georgia.ttf"),
-        join5(sup, "Verdana.ttf"),
-        join5(sup, "Tahoma.ttf"),
-        join5(sup, "Trebuchet MS.ttf"),
-        join5(sup, "Impact.ttf"),
-        join5(sup, "Comic Sans MS.ttf"),
-        join5(sup, "Courier New.ttf"),
-        join5(sup, "Times New Roman.ttf")
-      ];
-    }
-    case "linux":
-      return [
-        // DejaVu (most common Linux fallback)
-        "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf",
-        "/usr/share/fonts/truetype/dejavu/DejaVuSans-Bold.ttf",
-        "/usr/share/fonts/truetype/dejavu/DejaVuSerif.ttf",
-        "/usr/share/fonts/truetype/dejavu/DejaVuSansMono.ttf",
-        // Liberation (metric-compatible with Arial/Times/Courier)
-        "/usr/share/fonts/truetype/liberation/LiberationSans-Regular.ttf",
-        "/usr/share/fonts/truetype/liberation/LiberationSerif-Regular.ttf",
-        "/usr/share/fonts/truetype/liberation/LiberationMono-Regular.ttf",
-        // Noto (common on modern distros)
-        "/usr/share/fonts/truetype/noto/NotoSans-Regular.ttf"
-      ];
-    case "win32": {
-      const winFonts = join5(process.env.WINDIR ?? "C:\\Windows", "Fonts");
-      return [
-        join5(winFonts, "arial.ttf"),
-        join5(winFonts, "arialbd.ttf"),
-        join5(winFonts, "times.ttf"),
-        join5(winFonts, "cour.ttf"),
-        join5(winFonts, "verdana.ttf"),
-        join5(winFonts, "tahoma.ttf"),
-        join5(winFonts, "georgia.ttf"),
-        join5(winFonts, "consola.ttf"),
-        join5(winFonts, "segoeui.ttf")
-      ];
-    }
-    default:
-      return [];
+  const os = process.platform;
+  if (os === "darwin") {
+    const sys = "/System/Library/Fonts";
+    const sup = "/System/Library/Fonts/Supplemental";
+    return [
+      // Core system fonts (serif, sans-serif, monospace)
+      join5(sys, "Helvetica.ttc"),
+      join5(sys, "Times.ttc"),
+      join5(sys, "Courier.ttc"),
+      join5(sys, "Menlo.ttc"),
+      join5(sys, "SFPro.ttf"),
+      join5(sys, "SFNS.ttf"),
+      join5(sys, "SFNSMono.ttf"),
+      // Supplemental (common named fonts in SVGs)
+      join5(sup, "Arial.ttf"),
+      join5(sup, "Arial Bold.ttf"),
+      join5(sup, "Georgia.ttf"),
+      join5(sup, "Verdana.ttf"),
+      join5(sup, "Tahoma.ttf"),
+      join5(sup, "Trebuchet MS.ttf"),
+      join5(sup, "Impact.ttf"),
+      join5(sup, "Comic Sans MS.ttf"),
+      join5(sup, "Courier New.ttf"),
+      join5(sup, "Times New Roman.ttf")
+    ];
+  }
+  if (os === "linux") {
+    return [
+      // DejaVu (most common Linux fallback)
+      "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf",
+      "/usr/share/fonts/truetype/dejavu/DejaVuSans-Bold.ttf",
+      "/usr/share/fonts/truetype/dejavu/DejaVuSerif.ttf",
+      "/usr/share/fonts/truetype/dejavu/DejaVuSansMono.ttf",
+      // Liberation (metric-compatible with Arial/Times/Courier)
+      "/usr/share/fonts/truetype/liberation/LiberationSans-Regular.ttf",
+      "/usr/share/fonts/truetype/liberation/LiberationSerif-Regular.ttf",
+      "/usr/share/fonts/truetype/liberation/LiberationMono-Regular.ttf",
+      // Noto (common on modern distros)
+      "/usr/share/fonts/truetype/noto/NotoSans-Regular.ttf"
+    ];
   }
+  if (os === "win32") {
+    const winFonts = join5(process.env.WINDIR ?? "C:\\Windows", "Fonts");
+    return [
+      join5(winFonts, "arial.ttf"),
+      join5(winFonts, "arialbd.ttf"),
+      join5(winFonts, "times.ttf"),
+      join5(winFonts, "cour.ttf"),
+      join5(winFonts, "verdana.ttf"),
+      join5(winFonts, "tahoma.ttf"),
+      join5(winFonts, "georgia.ttf"),
+      join5(winFonts, "consola.ttf"),
+      join5(winFonts, "segoeui.ttf")
+    ];
+  }
+  return [];
 }
 function parseSvgDimensions(svg) {
   const widthMatch = svg.match(/\bwidth\s*=\s*["']([^"']+)["']/);
@@ -3831,7 +3935,10 @@ function pushIndentSymbol(root, stack, sym, indent, lines, lineIdx) {
 }
 
 // src/routes/api.ts
-var apiRoutes = new Hono2();
+var apiRoutes = new Hono4();
+var VALID_CATEGORIES = ["bug", "fix", "style", "pattern-follow", "pattern-avoid", "note", "remember"];
+var VALID_SIDES = ["old", "new"];
+var VALID_FILE_STATUSES = ["pending", "reviewed"];
 function resolveReviewId(c) {
   return c.req.query("reviewId") ?? c.get("reviewId");
 }
@@ -3938,6 +4045,9 @@ apiRoutes.get("/files/:fileId", async (c) => {
 });
 apiRoutes.patch("/files/:fileId/status", async (c) => {
   const { status } = await c.req.json();
+  if (!VALID_FILE_STATUSES.includes(status)) {
+    return c.json({ error: `status must be one of: ${VALID_FILE_STATUSES.join(", ")}` }, 400);
+  }
   await updateFileStatus(c.req.param("fileId"), status);
   return c.json({ ok: true });
 });
@@ -3963,6 +4073,21 @@ function autoExport(c) {
 }
 apiRoutes.post("/annotations", async (c) => {
   const body = await c.req.json();
+  if (typeof body.reviewFileId !== "string" || body.reviewFileId === "") {
+    return c.json({ error: "reviewFileId must be a non-empty string" }, 400);
+  }
+  if (typeof body.lineNumber !== "number" || !Number.isInteger(body.lineNumber) || body.lineNumber < 1) {
+    return c.json({ error: "lineNumber must be a positive integer" }, 400);
+  }
+  if (!VALID_SIDES.includes(body.side)) {
+    return c.json({ error: `side must be one of: ${VALID_SIDES.join(", ")}` }, 400);
+  }
+  if (!VALID_CATEGORIES.includes(body.category)) {
+    return c.json({ error: `category must be one of: ${VALID_CATEGORIES.join(", ")}` }, 400);
+  }
+  if (typeof body.content !== "string" || body.content.trim() === "") {
+    return c.json({ error: "content must be a non-empty string" }, 400);
+  }
   const annotation = await addAnnotation(
     body.reviewFileId,
     body.lineNumber,
@@ -3975,6 +4100,12 @@ apiRoutes.post("/annotations", async (c) => {
 });
 apiRoutes.patch("/annotations/:id", async (c) => {
   const { content, category } = await c.req.json();
+  if (typeof content !== "string" || content.trim() === "") {
+    return c.json({ error: "content must be a non-empty string" }, 400);
+  }
+  if (!VALID_CATEGORIES.includes(category)) {
+    return c.json({ error: `category must be one of: ${VALID_CATEGORIES.join(", ")}` }, 400);
+  }
   await updateAnnotation(c.req.param("id"), content, category);
   autoExport(c);
   return c.json({ ok: true });
@@ -3986,6 +4117,12 @@ apiRoutes.delete("/annotations/:id", async (c) => {
 });
 apiRoutes.patch("/annotations/:id/move", async (c) => {
   const { lineNumber, side } = await c.req.json();
+  if (typeof lineNumber !== "number" || !Number.isInteger(lineNumber) || lineNumber < 1) {
+    return c.json({ error: "lineNumber must be a positive integer" }, 400);
+  }
+  if (!VALID_SIDES.includes(side)) {
+    return c.json({ error: `side must be one of: ${VALID_SIDES.join(", ")}` }, 400);
+  }
   await moveAnnotation(c.req.param("id"), lineNumber, side);
   autoExport(c);
   return c.json({ ok: true });
@@ -4034,7 +4171,7 @@ apiRoutes.get("/outline/:fileId", async (c) => {
 apiRoutes.get("/symbol-definition", async (c) => {
   const name = c.req.query("name");
   const currentFileId = c.req.query("currentFileId");
-  if (!name) return c.json({ definitions: [] });
+  if (name === void 0 || name === "") return c.json({ definitions: [] });
   const reviewId = resolveReviewId(c);
   const repoRoot = c.get("repoRoot");
   const definitions = [];
@@ -4056,7 +4193,7 @@ apiRoutes.get("/symbol-definition", async (c) => {
   }
   if (definitions.length === 0) {
     try {
-      const allFiles = spawnSync5("git", ["ls-files"], { cwd: repoRoot, encoding: "utf-8" }).stdout.trim().split("\n").filter(Boolean);
+      const allFiles = spawnSync7("git", ["ls-files"], { cwd: repoRoot, encoding: "utf-8" }).stdout.trim().split("\n").filter(Boolean);
       for (const filePath of allFiles) {
         if (searchedPaths.has(filePath)) continue;
         const ext = filePath.slice(filePath.lastIndexOf("."));
@@ -4091,7 +4228,7 @@ function collectDefinitions(symbols, targetName, fileId, filePath, out) {
     if (sym.name === targetName) {
       out.push({ fileId, filePath, name: sym.name, kind: sym.kind, line: sym.line });
     }
-    if (sym.children?.length > 0) {
+    if (sym.children.length > 0) {
       collectDefinitions(sym.children, targetName, fileId, filePath, out);
     }
   }
@@ -4134,6 +4271,9 @@ apiRoutes.get("/project-settings", (c) => {
 apiRoutes.patch("/project-settings", async (c) => {
   const repoRoot = c.get("repoRoot");
   const body = await c.req.json();
+  if (body.appName !== void 0 && typeof body.appName !== "string") {
+    return c.json({ error: "appName must be a string" }, 400);
+  }
   const current = readProjectSettings(repoRoot);
   if (body.appName !== void 0) current.appName = body.appName || void 0;
   writeProjectSettings(repoRoot, current);
@@ -4152,10 +4292,8 @@ apiRoutes.get("/image/:fileId/metadata", async (c) => {
   const status = diff.status ?? "modified";
   const oldImage = status !== "added" ? getOldImage(mode, file.file_path, oldPath, repoRoot) : null;
   const newImage = status !== "deleted" ? getNewImage(mode, file.file_path, repoRoot) : null;
-  const [oldMeta, newMeta] = await Promise.all([
-    oldImage ? extractMetadata(oldImage.data, oldPath ?? file.file_path) : null,
-    newImage ? extractMetadata(newImage.data, file.file_path) : null
-  ]);
+  const oldMeta = oldImage !== null ? extractMetadata(oldImage.data, oldPath ?? file.file_path) : null;
+  const newMeta = newImage !== null ? extractMetadata(newImage.data, file.file_path) : null;
   return c.json({
     old: oldMeta ? formatMetadataLines(oldMeta) : null,
     new: newMeta ? formatMetadataLines(newMeta) : null
@@ -4178,7 +4316,7 @@ apiRoutes.get("/image/:fileId/:side", async (c) => {
   if (isSvgFile(file.file_path)) {
     try {
       const png = await rasterizeSvg(image.data);
-      return new Response(png, {
+      return new Response(new Uint8Array(png), {
         headers: { "Content-Type": "image/png", "Cache-Control": "no-cache" }
       });
     } catch {
@@ -4186,14 +4324,14 @@ apiRoutes.get("/image/:fileId/:side", async (c) => {
     }
   }
   const contentType = getContentType(file.file_path);
-  return new Response(image.data, {
+  return new Response(new Uint8Array(image.data), {
     headers: { "Content-Type": contentType, "Cache-Control": "no-cache" }
   });
 });
 
 // src/routes/pages.tsx
-import { readFileSync as readFileSync8 } from "fs";
-import { Hono as Hono3 } from "hono";
+import { readFileSync as readFileSync9 } from "fs";
+import { Hono as Hono5 } from "hono";
 import { resolve as resolve4 } from "path";
 
 // src/utils/escapeHtml.ts
@@ -4508,10 +4646,10 @@ function ImageDiff({ file, diff, fontWarning, baseWidth, baseHeight }) {
       "data-file-path": file.file_path,
       "data-has-old": String(hasOld),
       "data-has-new": String(hasNew),
-      ...baseWidth ? { "data-base-width": String(baseWidth) } : {},
-      ...baseHeight ? { "data-base-height": String(baseHeight) } : {},
+      ...baseWidth !== void 0 ? { "data-base-width": String(baseWidth) } : {},
+      ...baseHeight !== void 0 ? { "data-base-height": String(baseHeight) } : {},
       children: [
-        fontWarning && /* @__PURE__ */ jsx("div", { className: "image-font-warning", children: "This SVG uses text that may render differently depending on locally installed fonts." }),
+        fontWarning === true && /* @__PURE__ */ jsx("div", { className: "image-font-warning", children: "This SVG uses text that may render differently depending on locally installed fonts." }),
         /* @__PURE__ */ jsx("div", { className: "image-diff-panel image-diff-metadata", "data-panel": "metadata", children: /* @__PURE__ */ jsx("div", { className: "image-metadata-loading", children: "Loading metadata..." }) }),
         hasComparison && /* @__PURE__ */ jsx("div", { className: "image-diff-panel image-diff-visual", "data-panel": "difference", children: /* @__PURE__ */ jsx("div", { className: "image-visual-canvas", "data-zoomable": "true", children: /* @__PURE__ */ jsx("div", { className: "image-zoom-wrap", children: [
           /* @__PURE__ */ jsx("img", { className: "image-layer image-layer-old", src: `/api/image/${fileId}/old`, alt: "Old version" }),
@@ -4970,9 +5108,570 @@ function FileList({ files, annotationCounts, staleCounts }) {
   return /* @__PURE__ */ jsx("div", { className: "file-list", children: /* @__PURE__ */ jsx("div", { className: "file-list-items", children: /* @__PURE__ */ jsx(TreeView, { node: tree, depth: 0, annotationCounts, staleCounts }) }) });
 }
 
+// src/themes/built-in.ts
+var THEME_VARIABLES = [
+  "bg",
+  "bg-surface",
+  "bg-hover",
+  "bg-active",
+  "text",
+  "text-dim",
+  "text-bright",
+  "accent",
+  "accent-hover",
+  "green",
+  "red",
+  "yellow",
+  "orange",
+  "blue",
+  "purple",
+  "teal",
+  "border",
+  "diff-add-bg",
+  "diff-add-border",
+  "diff-remove-bg",
+  "diff-remove-border",
+  "diff-context-bg",
+  "gutter-bg",
+  "gutter-text"
+];
+var dark = {
+  "bg": "#1e1e2e",
+  "bg-surface": "#252536",
+  "bg-hover": "#2d2d44",
+  "bg-active": "#363652",
+  "text": "#cdd6f4",
+  "text-dim": "#8888aa",
+  "text-bright": "#ffffff",
+  "accent": "#89b4fa",
+  "accent-hover": "#74a8fc",
+  "green": "#a6e3a1",
+  "red": "#f38ba8",
+  "yellow": "#f9e2af",
+  "orange": "#fab387",
+  "blue": "#89b4fa",
+  "purple": "#cba6f7",
+  "teal": "#94e2d5",
+  "border": "#363652",
+  "diff-add-bg": "rgba(166, 227, 161, 0.1)",
+  "diff-add-border": "rgba(166, 227, 161, 0.3)",
+  "diff-remove-bg": "rgba(243, 139, 168, 0.1)",
+  "diff-remove-border": "rgba(243, 139, 168, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#1a1a2e",
+  "gutter-text": "#555577"
+};
+var light = {
+  "bg": "#ffffff",
+  "bg-surface": "#f6f8fa",
+  "bg-hover": "#eaeef2",
+  "bg-active": "#dde3e9",
+  "text": "#1f2328",
+  "text-dim": "#656d76",
+  "text-bright": "#000000",
+  "accent": "#0969da",
+  "accent-hover": "#0550ae",
+  "green": "#1a7f37",
+  "red": "#cf222e",
+  "yellow": "#9a6700",
+  "orange": "#bc4c00",
+  "blue": "#0969da",
+  "purple": "#8250df",
+  "teal": "#0e7c6b",
+  "border": "#d0d7de",
+  "diff-add-bg": "rgba(26, 127, 55, 0.08)",
+  "diff-add-border": "rgba(26, 127, 55, 0.25)",
+  "diff-remove-bg": "rgba(207, 34, 46, 0.08)",
+  "diff-remove-border": "rgba(207, 34, 46, 0.25)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#f6f8fa",
+  "gutter-text": "#8b949e"
+};
+var highContrastDark = {
+  "bg": "#0a0a0a",
+  "bg-surface": "#1a1a1a",
+  "bg-hover": "#2a2a2a",
+  "bg-active": "#3a3a3a",
+  "text": "#f0f0f0",
+  "text-dim": "#b0b0b0",
+  "text-bright": "#ffffff",
+  "accent": "#6db3f2",
+  "accent-hover": "#8ec5f7",
+  "green": "#73e06e",
+  "red": "#ff6b6b",
+  "yellow": "#ffd93d",
+  "orange": "#ffab57",
+  "blue": "#6db3f2",
+  "purple": "#c59eff",
+  "teal": "#5ee6d0",
+  "border": "#555555",
+  "diff-add-bg": "rgba(115, 224, 110, 0.15)",
+  "diff-add-border": "rgba(115, 224, 110, 0.5)",
+  "diff-remove-bg": "rgba(255, 107, 107, 0.15)",
+  "diff-remove-border": "rgba(255, 107, 107, 0.5)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#111111",
+  "gutter-text": "#888888"
+};
+var highContrastLight = {
+  "bg": "#ffffff",
+  "bg-surface": "#f0f0f0",
+  "bg-hover": "#e0e0e0",
+  "bg-active": "#d0d0d0",
+  "text": "#111111",
+  "text-dim": "#444444",
+  "text-bright": "#000000",
+  "accent": "#0043a8",
+  "accent-hover": "#003080",
+  "green": "#006b1f",
+  "red": "#b80000",
+  "yellow": "#785600",
+  "orange": "#8a3400",
+  "blue": "#0043a8",
+  "purple": "#5b21b6",
+  "teal": "#005e4f",
+  "border": "#767676",
+  "diff-add-bg": "rgba(0, 107, 31, 0.1)",
+  "diff-add-border": "rgba(0, 107, 31, 0.4)",
+  "diff-remove-bg": "rgba(184, 0, 0, 0.1)",
+  "diff-remove-border": "rgba(184, 0, 0, 0.4)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#f0f0f0",
+  "gutter-text": "#555555"
+};
+var dracula = {
+  "bg": "#282a36",
+  "bg-surface": "#2d303e",
+  "bg-hover": "#343746",
+  "bg-active": "#3e4151",
+  "text": "#f8f8f2",
+  "text-dim": "#8b8da4",
+  "text-bright": "#ffffff",
+  "accent": "#bd93f9",
+  "accent-hover": "#caa5fb",
+  "green": "#50fa7b",
+  "red": "#ff5555",
+  "yellow": "#f1fa8c",
+  "orange": "#ffb86c",
+  "blue": "#8be9fd",
+  "purple": "#bd93f9",
+  "teal": "#8be9fd",
+  "border": "#44475a",
+  "diff-add-bg": "rgba(80, 250, 123, 0.1)",
+  "diff-add-border": "rgba(80, 250, 123, 0.3)",
+  "diff-remove-bg": "rgba(255, 85, 85, 0.1)",
+  "diff-remove-border": "rgba(255, 85, 85, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#21222c",
+  "gutter-text": "#6272a4"
+};
+var tokyoNight = {
+  "bg": "#1a1b26",
+  "bg-surface": "#1f2233",
+  "bg-hover": "#292d42",
+  "bg-active": "#33374e",
+  "text": "#a9b1d6",
+  "text-dim": "#565f89",
+  "text-bright": "#c0caf5",
+  "accent": "#7aa2f7",
+  "accent-hover": "#89b0fa",
+  "green": "#9ece6a",
+  "red": "#f7768e",
+  "yellow": "#e0af68",
+  "orange": "#ff9e64",
+  "blue": "#7aa2f7",
+  "purple": "#bb9af7",
+  "teal": "#73daca",
+  "border": "#2f3351",
+  "diff-add-bg": "rgba(158, 206, 106, 0.1)",
+  "diff-add-border": "rgba(158, 206, 106, 0.3)",
+  "diff-remove-bg": "rgba(247, 118, 142, 0.1)",
+  "diff-remove-border": "rgba(247, 118, 142, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#16172a",
+  "gutter-text": "#3b4261"
+};
+var oneDarkPro = {
+  "bg": "#282c34",
+  "bg-surface": "#2c313a",
+  "bg-hover": "#333842",
+  "bg-active": "#3b4048",
+  "text": "#abb2bf",
+  "text-dim": "#636d83",
+  "text-bright": "#d7dae0",
+  "accent": "#61afef",
+  "accent-hover": "#519fdf",
+  "green": "#98c379",
+  "red": "#e06c75",
+  "yellow": "#e5c07b",
+  "orange": "#d19a66",
+  "blue": "#61afef",
+  "purple": "#c678dd",
+  "teal": "#56b6c2",
+  "border": "#3b4048",
+  "diff-add-bg": "rgba(152, 195, 121, 0.1)",
+  "diff-add-border": "rgba(152, 195, 121, 0.3)",
+  "diff-remove-bg": "rgba(224, 108, 117, 0.1)",
+  "diff-remove-border": "rgba(224, 108, 117, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#23272e",
+  "gutter-text": "#495162"
+};
+var solarizedDark = {
+  "bg": "#002b36",
+  "bg-surface": "#073642",
+  "bg-hover": "#0a4050",
+  "bg-active": "#0d4d5e",
+  "text": "#839496",
+  "text-dim": "#586e75",
+  "text-bright": "#eee8d5",
+  "accent": "#268bd2",
+  "accent-hover": "#1a7cc0",
+  "green": "#859900",
+  "red": "#dc322f",
+  "yellow": "#b58900",
+  "orange": "#cb4b16",
+  "blue": "#268bd2",
+  "purple": "#6c71c4",
+  "teal": "#2aa198",
+  "border": "#0a4050",
+  "diff-add-bg": "rgba(133, 153, 0, 0.12)",
+  "diff-add-border": "rgba(133, 153, 0, 0.3)",
+  "diff-remove-bg": "rgba(220, 50, 47, 0.12)",
+  "diff-remove-border": "rgba(220, 50, 47, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#002028",
+  "gutter-text": "#4a6568"
+};
+var solarizedLight = {
+  "bg": "#fdf6e3",
+  "bg-surface": "#eee8d5",
+  "bg-hover": "#e6dfca",
+  "bg-active": "#ddd6c1",
+  "text": "#657b83",
+  "text-dim": "#93a1a1",
+  "text-bright": "#073642",
+  "accent": "#268bd2",
+  "accent-hover": "#1a7cc0",
+  "green": "#859900",
+  "red": "#dc322f",
+  "yellow": "#b58900",
+  "orange": "#cb4b16",
+  "blue": "#268bd2",
+  "purple": "#6c71c4",
+  "teal": "#2aa198",
+  "border": "#ddd6c1",
+  "diff-add-bg": "rgba(133, 153, 0, 0.1)",
+  "diff-add-border": "rgba(133, 153, 0, 0.25)",
+  "diff-remove-bg": "rgba(220, 50, 47, 0.1)",
+  "diff-remove-border": "rgba(220, 50, 47, 0.25)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#eee8d5",
+  "gutter-text": "#93a1a1"
+};
+var monokai = {
+  "bg": "#272822",
+  "bg-surface": "#2d2e27",
+  "bg-hover": "#3e3d32",
+  "bg-active": "#49483e",
+  "text": "#f8f8f2",
+  "text-dim": "#75715e",
+  "text-bright": "#ffffff",
+  "accent": "#66d9ef",
+  "accent-hover": "#55c8de",
+  "green": "#a6e22e",
+  "red": "#f92672",
+  "yellow": "#e6db74",
+  "orange": "#fd971f",
+  "blue": "#66d9ef",
+  "purple": "#ae81ff",
+  "teal": "#66d9ef",
+  "border": "#49483e",
+  "diff-add-bg": "rgba(166, 226, 46, 0.1)",
+  "diff-add-border": "rgba(166, 226, 46, 0.3)",
+  "diff-remove-bg": "rgba(249, 38, 114, 0.1)",
+  "diff-remove-border": "rgba(249, 38, 114, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#222218",
+  "gutter-text": "#575848"
+};
+var nord = {
+  "bg": "#2e3440",
+  "bg-surface": "#3b4252",
+  "bg-hover": "#434c5e",
+  "bg-active": "#4c566a",
+  "text": "#d8dee9",
+  "text-dim": "#7b88a1",
+  "text-bright": "#eceff4",
+  "accent": "#88c0d0",
+  "accent-hover": "#81a1c1",
+  "green": "#a3be8c",
+  "red": "#bf616a",
+  "yellow": "#ebcb8b",
+  "orange": "#d08770",
+  "blue": "#81a1c1",
+  "purple": "#b48ead",
+  "teal": "#8fbcbb",
+  "border": "#4c566a",
+  "diff-add-bg": "rgba(163, 190, 140, 0.1)",
+  "diff-add-border": "rgba(163, 190, 140, 0.3)",
+  "diff-remove-bg": "rgba(191, 97, 106, 0.1)",
+  "diff-remove-border": "rgba(191, 97, 106, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#2a303c",
+  "gutter-text": "#5b6578"
+};
+var gruvboxDark = {
+  "bg": "#282828",
+  "bg-surface": "#3c3836",
+  "bg-hover": "#504945",
+  "bg-active": "#665c54",
+  "text": "#ebdbb2",
+  "text-dim": "#928374",
+  "text-bright": "#fbf1c7",
+  "accent": "#83a598",
+  "accent-hover": "#76988b",
+  "green": "#b8bb26",
+  "red": "#fb4934",
+  "yellow": "#fabd2f",
+  "orange": "#fe8019",
+  "blue": "#83a598",
+  "purple": "#d3869b",
+  "teal": "#8ec07c",
+  "border": "#504945",
+  "diff-add-bg": "rgba(184, 187, 38, 0.1)",
+  "diff-add-border": "rgba(184, 187, 38, 0.3)",
+  "diff-remove-bg": "rgba(251, 73, 52, 0.1)",
+  "diff-remove-border": "rgba(251, 73, 52, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#232323",
+  "gutter-text": "#665c54"
+};
+var gruvboxLight = {
+  "bg": "#fbf1c7",
+  "bg-surface": "#f2e5bc",
+  "bg-hover": "#ebdbb2",
+  "bg-active": "#d5c4a1",
+  "text": "#3c3836",
+  "text-dim": "#7c6f64",
+  "text-bright": "#282828",
+  "accent": "#427b58",
+  "accent-hover": "#376b4c",
+  "green": "#79740e",
+  "red": "#9d0006",
+  "yellow": "#b57614",
+  "orange": "#af3a03",
+  "blue": "#076678",
+  "purple": "#8f3f71",
+  "teal": "#427b58",
+  "border": "#d5c4a1",
+  "diff-add-bg": "rgba(121, 116, 14, 0.1)",
+  "diff-add-border": "rgba(121, 116, 14, 0.25)",
+  "diff-remove-bg": "rgba(157, 0, 6, 0.1)",
+  "diff-remove-border": "rgba(157, 0, 6, 0.25)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#f2e5bc",
+  "gutter-text": "#928374"
+};
+var githubDark = {
+  "bg": "#0d1117",
+  "bg-surface": "#161b22",
+  "bg-hover": "#1c2128",
+  "bg-active": "#262c36",
+  "text": "#c9d1d9",
+  "text-dim": "#8b949e",
+  "text-bright": "#f0f6fc",
+  "accent": "#58a6ff",
+  "accent-hover": "#4090e0",
+  "green": "#3fb950",
+  "red": "#f85149",
+  "yellow": "#d29922",
+  "orange": "#db6d28",
+  "blue": "#58a6ff",
+  "purple": "#bc8cff",
+  "teal": "#39d353",
+  "border": "#30363d",
+  "diff-add-bg": "rgba(63, 185, 80, 0.1)",
+  "diff-add-border": "rgba(63, 185, 80, 0.3)",
+  "diff-remove-bg": "rgba(248, 81, 73, 0.1)",
+  "diff-remove-border": "rgba(248, 81, 73, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#0a0e14",
+  "gutter-text": "#484f58"
+};
+var rosePine = {
+  "bg": "#191724",
+  "bg-surface": "#1f1d2e",
+  "bg-hover": "#26233a",
+  "bg-active": "#2a2740",
+  "text": "#e0def4",
+  "text-dim": "#6e6a86",
+  "text-bright": "#f0efff",
+  "accent": "#c4a7e7",
+  "accent-hover": "#b498d7",
+  "green": "#31748f",
+  "red": "#eb6f92",
+  "yellow": "#f6c177",
+  "orange": "#ea9a97",
+  "blue": "#9ccfd8",
+  "purple": "#c4a7e7",
+  "teal": "#9ccfd8",
+  "border": "#2a2740",
+  "diff-add-bg": "rgba(49, 116, 143, 0.12)",
+  "diff-add-border": "rgba(49, 116, 143, 0.3)",
+  "diff-remove-bg": "rgba(235, 111, 146, 0.12)",
+  "diff-remove-border": "rgba(235, 111, 146, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#16141f",
+  "gutter-text": "#524f67"
+};
+var ayuDark = {
+  "bg": "#0b0e14",
+  "bg-surface": "#0f131a",
+  "bg-hover": "#151a23",
+  "bg-active": "#1c222d",
+  "text": "#bfbdb6",
+  "text-dim": "#636a76",
+  "text-bright": "#e6e1cf",
+  "accent": "#e6b450",
+  "accent-hover": "#d9a740",
+  "green": "#7fd962",
+  "red": "#d95757",
+  "yellow": "#e6b450",
+  "orange": "#ff8f40",
+  "blue": "#59c2ff",
+  "purple": "#d2a6ff",
+  "teal": "#95e6cb",
+  "border": "#1c222d",
+  "diff-add-bg": "rgba(127, 217, 98, 0.1)",
+  "diff-add-border": "rgba(127, 217, 98, 0.3)",
+  "diff-remove-bg": "rgba(217, 87, 87, 0.1)",
+  "diff-remove-border": "rgba(217, 87, 87, 0.3)",
+  "diff-context-bg": "transparent",
+  "gutter-bg": "#080a10",
+  "gutter-text": "#3d424d"
+};
+var BUILT_IN_THEMES = [
+  { id: "dark", name: "Dark", builtIn: true, colors: dark },
+  { id: "light", name: "Light", builtIn: true, colors: light },
+  { id: "high-contrast-dark", name: "High Contrast Dark", builtIn: true, colors: highContrastDark },
+  { id: "high-contrast-light", name: "High Contrast Light", builtIn: true, colors: highContrastLight },
+  { id: "dracula", name: "Dracula", builtIn: true, colors: dracula },
+  { id: "tokyo-night", name: "Tokyo Night", builtIn: true, colors: tokyoNight },
+  { id: "one-dark-pro", name: "One Dark Pro", builtIn: true, colors: oneDarkPro },
+  { id: "solarized-dark", name: "Solarized Dark", builtIn: true, colors: solarizedDark },
+  { id: "solarized-light", name: "Solarized Light", builtIn: true, colors: solarizedLight },
+  { id: "monokai", name: "Monokai", builtIn: true, colors: monokai },
+  { id: "nord", name: "Nord", builtIn: true, colors: nord },
+  { id: "gruvbox-dark", name: "Gruvbox Dark", builtIn: true, colors: gruvboxDark },
+  { id: "gruvbox-light", name: "Gruvbox Light", builtIn: true, colors: gruvboxLight },
+  { id: "github-dark", name: "GitHub Dark", builtIn: true, colors: githubDark },
+  { id: "rose-pine", name: "Ros\xE9 Pine", builtIn: true, colors: rosePine },
+  { id: "ayu-dark", name: "Ayu Dark", builtIn: true, colors: ayuDark }
+];
+var DEFAULT_THEME_ID = "dark";
+function getBuiltInTheme(id) {
+  return BUILT_IN_THEMES.find((t) => t.id === id);
+}
+function themeToInlineStyle(colors) {
+  return THEME_VARIABLES.map((v) => `--${v}:${colors[v]}`).join(";");
+}
+
+// src/themes/config.ts
+import { existsSync as existsSync6, mkdirSync as mkdirSync5, readdirSync, readFileSync as readFileSync8, unlinkSync as unlinkSync2, writeFileSync as writeFileSync5 } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join7 } from "path";
+var CONFIG_DIR2 = join7(homedir3(), ".glassbox");
+var CONFIG_PATH2 = join7(CONFIG_DIR2, "config.json");
+var THEMES_DIR = join7(CONFIG_DIR2, "themes");
+function readConfigFile2() {
+  try {
+    if (existsSync6(CONFIG_PATH2)) {
+      return JSON.parse(readFileSync8(CONFIG_PATH2, "utf-8"));
+    }
+  } catch {
+  }
+  return {};
+}
+function writeConfigFile2(config) {
+  mkdirSync5(CONFIG_DIR2, { recursive: true });
+  writeFileSync5(CONFIG_PATH2, JSON.stringify(config, null, 2), "utf-8");
+}
+function getActiveThemeId() {
+  const config = readConfigFile2();
+  const theme = config.theme;
+  const active = theme?.active;
+  return active ?? DEFAULT_THEME_ID;
+}
+function setActiveThemeId(id) {
+  const config = readConfigFile2();
+  if (config.theme === void 0) config.theme = {};
+  config.theme.active = id;
+  writeConfigFile2(config);
+}
+function loadCustomThemes() {
+  if (!existsSync6(THEMES_DIR)) return [];
+  const themes = [];
+  try {
+    const files = readdirSync(THEMES_DIR).filter((f) => f.endsWith(".json"));
+    for (const file of files) {
+      try {
+        const data = JSON.parse(readFileSync8(join7(THEMES_DIR, file), "utf-8"));
+        if (data.id !== void 0 && data.id !== "" && data.name !== void 0 && data.name !== "" && data.colors !== void 0) {
+          themes.push({ id: data.id, name: data.name, colors: data.colors, builtIn: false, baseTheme: data.baseTheme ?? "" });
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return themes;
+}
+function saveCustomTheme(theme) {
+  mkdirSync5(THEMES_DIR, { recursive: true });
+  const filePath = join7(THEMES_DIR, `${theme.id}.json`);
+  writeFileSync5(filePath, JSON.stringify(theme, null, 2), "utf-8");
+}
+function deleteCustomTheme(id) {
+  const filePath = join7(THEMES_DIR, `${id}.json`);
+  if (existsSync6(filePath)) {
+    unlinkSync2(filePath);
+  }
+}
+function getCustomTheme(id) {
+  const filePath = join7(THEMES_DIR, `${id}.json`);
+  if (!existsSync6(filePath)) return void 0;
+  try {
+    const data = JSON.parse(readFileSync8(filePath, "utf-8"));
+    return { ...data, builtIn: false };
+  } catch {
+    return void 0;
+  }
+}
+function getAllThemes() {
+  return [...BUILT_IN_THEMES, ...loadCustomThemes()];
+}
+function resolveTheme(id) {
+  return getBuiltInTheme(id) ?? getCustomTheme(id);
+}
+function getActiveThemeColors() {
+  const id = getActiveThemeId();
+  const theme = resolveTheme(id);
+  if (theme) return theme.colors;
+  const fallback = getBuiltInTheme(DEFAULT_THEME_ID);
+  if (fallback === void 0) throw new Error(`Default theme '${DEFAULT_THEME_ID}' not found`);
+  return fallback.colors;
+}
+function generateThemeId() {
+  return Date.now().toString(36) + Math.random().toString(36).slice(2, 10);
+}
+
 // src/components/layout.tsx
 function Layout({ title, reviewId, children }) {
-  return /* @__PURE__ */ jsx("html", { lang: "en", children: [
+  const themeId = getActiveThemeId();
+  const themeColors = getActiveThemeColors();
+  const themeStyle = themeToInlineStyle(themeColors);
+  return /* @__PURE__ */ jsx("html", { lang: "en", style: themeStyle, "data-theme": themeId, children: [
     /* @__PURE__ */ jsx("head", { children: [
       /* @__PURE__ */ jsx("meta", { charset: "utf-8" }),
       /* @__PURE__ */ jsx("meta", { name: "viewport", content: "width=device-width, initial-scale=1" }),
@@ -5053,7 +5752,7 @@ function ReviewHistory({ reviews, currentReviewId }) {
 
 // src/routes/pages.tsx
 init_queries();
-var pageRoutes = new Hono3();
+var pageRoutes = new Hono5();
 pageRoutes.get("/", async (c) => {
   const reviewId = c.get("reviewId");
   const review = await getReview(reviewId);
@@ -5207,11 +5906,11 @@ pageRoutes.get("/file/:fileId", async (c) => {
 });
 pageRoutes.get("/file-raw", (c) => {
   const filePath = c.req.query("path");
-  if (!filePath) return c.text("Missing path", 400);
+  if (filePath === void 0 || filePath === "") return c.text("Missing path", 400);
   const repoRoot = c.get("repoRoot");
   let content;
   try {
-    content = readFileSync8(resolve4(repoRoot, filePath), "utf-8");
+    content = readFileSync9(resolve4(repoRoot, filePath), "utf-8");
   } catch {
     return c.text("File not found", 404);
   }
@@ -5234,7 +5933,7 @@ pageRoutes.get("/file-raw", (c) => {
       }))
     }]
   };
-  const fakeFile = { id: "", review_id: "", file_path: filePath, status: "reviewed", diff_data: null };
+  const fakeFile = { id: "", review_id: "", file_path: filePath, status: "reviewed", diff_data: null, created_at: "" };
   const html = /* @__PURE__ */ jsx(DiffView, { file: fakeFile, diff, annotations: [], mode: "unified" });
   return c.html(html.toString());
 });
@@ -5337,10 +6036,144 @@ pageRoutes.get("/history", async (c) => {
   return c.html(html.toString());
 });
 
+// src/routes/theme-api.ts
+import { Hono as Hono6 } from "hono";
+var themeApiRoutes = new Hono6();
+function validateColors(colors) {
+  if (typeof colors !== "object" || colors === null || Array.isArray(colors)) {
+    return "colors must be an object";
+  }
+  const validKeys = new Set(THEME_VARIABLES);
+  for (const [key, value] of Object.entries(colors)) {
+    if (!validKeys.has(key)) {
+      return `colors contains unknown key: ${key}`;
+    }
+    if (typeof value !== "string") {
+      return `colors.${key} must be a string`;
+    }
+  }
+  return null;
+}
+themeApiRoutes.get("/", (c) => {
+  const themes = getAllThemes();
+  const activeId = getActiveThemeId();
+  return c.json({
+    themes: themes.map((t) => ({
+      id: t.id,
+      name: t.name,
+      builtIn: t.builtIn,
+      colors: t.colors
+    })),
+    activeId
+  });
+});
+themeApiRoutes.get("/active", (c) => {
+  const id = getActiveThemeId();
+  const colors = getActiveThemeColors();
+  return c.json({ id, colors });
+});
+themeApiRoutes.post("/active", async (c) => {
+  const body = await c.req.json();
+  if (typeof body.id !== "string" || body.id === "") return c.json({ error: "id must be a non-empty string" }, 400);
+  const theme = resolveTheme(body.id);
+  if (!theme) return c.json({ error: "Theme not found" }, 404);
+  setActiveThemeId(body.id);
+  return c.json({ id: body.id, colors: theme.colors });
+});
+themeApiRoutes.post("/", async (c) => {
+  const body = await c.req.json();
+  if (typeof body.sourceId !== "string" || body.sourceId === "") return c.json({ error: "sourceId must be a non-empty string" }, 400);
+  if (body.name !== void 0 && (typeof body.name !== "string" || body.name.trim() === "")) {
+    return c.json({ error: "name must be a non-empty string when provided" }, 400);
+  }
+  const source = resolveTheme(body.sourceId);
+  if (!source) return c.json({ error: "Source theme not found" }, 404);
+  const baseTheme = source.builtIn ? source.id : source.baseTheme;
+  const name = body.name ?? `${source.name} (Copy)`;
+  const newTheme = {
+    id: generateThemeId(),
+    name,
+    builtIn: false,
+    baseTheme,
+    colors: { ...source.colors }
+  };
+  saveCustomTheme(newTheme);
+  return c.json(newTheme, 201);
+});
+themeApiRoutes.post("/:id/edit", async (c) => {
+  const id = c.req.param("id");
+  const body = await c.req.json();
+  if (body.name !== void 0 && (typeof body.name !== "string" || body.name.trim() === "")) {
+    return c.json({ error: "name must be a non-empty string when provided" }, 400);
+  }
+  if (body.colors !== void 0) {
+    const colorsError = validateColors(body.colors);
+    if (colorsError !== null) return c.json({ error: colorsError }, 400);
+  }
+  const source = resolveTheme(id);
+  if (!source) return c.json({ error: "Theme not found" }, 404);
+  if (source.builtIn) {
+    const newTheme = {
+      id: generateThemeId(),
+      name: `${source.name} (Customized)`,
+      builtIn: false,
+      baseTheme: source.id,
+      colors: body.colors ? { ...source.colors, ...body.colors } : { ...source.colors }
+    };
+    if (body.name !== void 0 && body.name !== "") newTheme.name = body.name;
+    saveCustomTheme(newTheme);
+    setActiveThemeId(newTheme.id);
+    return c.json({ theme: newTheme, copied: true }, 201);
+  }
+  const updated = {
+    ...source,
+    name: body.name ?? source.name,
+    colors: body.colors ? { ...source.colors, ...body.colors } : source.colors
+  };
+  saveCustomTheme(updated);
+  return c.json({ theme: updated, copied: false });
+});
+themeApiRoutes.patch("/:id", async (c) => {
+  const id = c.req.param("id");
+  if (getBuiltInTheme(id)) {
+    return c.json({ error: "Cannot edit built-in theme" }, 400);
+  }
+  const existing = resolveTheme(id);
+  if (!existing || existing.builtIn) {
+    return c.json({ error: "Theme not found" }, 404);
+  }
+  const body = await c.req.json();
+  if (body.name !== void 0 && (typeof body.name !== "string" || body.name.trim() === "")) {
+    return c.json({ error: "name must be a non-empty string when provided" }, 400);
+  }
+  if (body.colors !== void 0) {
+    const colorsError = validateColors(body.colors);
+    if (colorsError !== null) return c.json({ error: colorsError }, 400);
+  }
+  const updated = {
+    ...existing,
+    name: body.name ?? existing.name,
+    colors: body.colors ? { ...existing.colors, ...body.colors } : existing.colors
+  };
+  saveCustomTheme(updated);
+  return c.json(updated);
+});
+themeApiRoutes.delete("/:id", (c) => {
+  const id = c.req.param("id");
+  if (getBuiltInTheme(id)) {
+    return c.json({ error: "Cannot delete built-in theme" }, 400);
+  }
+  deleteCustomTheme(id);
+  if (getActiveThemeId() === id) {
+    setActiveThemeId(BUILT_IN_THEMES[0].id);
+  }
+  return c.json({ ok: true });
+});
+
 // src/server.ts
-function tryServe(fetch2, port) {
+function tryServe(appFetch, port) {
   return new Promise((resolve6, reject) => {
-    const server = serve({ fetch: fetch2, port, hostname: "127.0.0.1" });
+    const server = serve({ fetch: appFetch, port, hostname: "127.0.0.1" });
     server.on("listening", () => {
       resolve6(port);
     });
@@ -5354,7 +6187,7 @@ function tryServe(fetch2, port) {
   });
 }
 async function startServer(port, reviewId, repoRoot, options) {
-  const app = new Hono4();
+  const app = new Hono7();
   app.use("*", async (c, next) => {
     c.set("reviewId", reviewId);
     c.set("currentReviewId", reviewId);
@@ -5362,24 +6195,25 @@ async function startServer(port, reviewId, repoRoot, options) {
     await next();
   });
   const selfDir = dirname(fileURLToPath(import.meta.url));
-  const distDir = existsSync6(join7(selfDir, "client", "styles.css")) ? join7(selfDir, "client") : join7(selfDir, "..", "dist", "client");
+  const distDir = existsSync7(join8(selfDir, "client", "styles.css")) ? join8(selfDir, "client") : join8(selfDir, "..", "dist", "client");
   app.get("/static/styles.css", (c) => {
-    const css = readFileSync9(join7(distDir, "styles.css"), "utf-8");
+    const css = readFileSync10(join8(distDir, "styles.css"), "utf-8");
     return c.text(css, 200, { "Content-Type": "text/css", "Cache-Control": "no-cache" });
   });
   app.get("/static/app.js", (c) => {
-    const js = readFileSync9(join7(distDir, "app.global.js"), "utf-8");
+    const js = readFileSync10(join8(distDir, "app.global.js"), "utf-8");
     return c.text(js, 200, { "Content-Type": "application/javascript", "Cache-Control": "no-cache" });
   });
   app.get("/static/history.js", (c) => {
-    const js = readFileSync9(join7(distDir, "history.global.js"), "utf-8");
+    const js = readFileSync10(join8(distDir, "history.global.js"), "utf-8");
     return c.text(js, 200, { "Content-Type": "application/javascript", "Cache-Control": "no-cache" });
   });
   app.route("/api", apiRoutes);
   app.route("/api/ai", aiApiRoutes);
+  app.route("/api/themes", themeApiRoutes);
   app.route("/", pageRoutes);
   let actualPort = port;
-  if (options?.strictPort) {
+  if (options?.strictPort === true) {
     actualPort = await tryServe(app.fetch, port);
   } else {
     for (let attempt = 0; attempt < 20; attempt++) {
@@ -5401,15 +6235,15 @@ async function startServer(port, reviewId, repoRoot, options) {
   console.log(`
   Glassbox running at ${url}
 `);
-  if (!options?.noOpen) {
+  if (options?.noOpen !== true) {
     const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
     exec(`${openCmd} ${url}`);
   }
 }
 
 // src/skills.ts
-import { existsSync as existsSync7, mkdirSync as mkdirSync5, readFileSync as readFileSync10, writeFileSync as writeFileSync5 } from "fs";
-import { join as join8 } from "path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync6, readFileSync as readFileSync11, writeFileSync as writeFileSync6 } from "fs";
+import { join as join9 } from "path";
 var SKILL_VERSION = 1;
 function versionHeader() {
   return `<!-- glassbox-skill-version: ${SKILL_VERSION} -->`;
@@ -5420,14 +6254,14 @@ function parseVersionHeader(content) {
   return parseInt(match[1], 10);
 }
 function updateFile(path, content) {
-  if (existsSync7(path)) {
-    const existing = readFileSync10(path, "utf-8");
+  if (existsSync8(path)) {
+    const existing = readFileSync11(path, "utf-8");
     const version = parseVersionHeader(existing);
     if (version !== null && version >= SKILL_VERSION) {
       return false;
     }
   }
-  writeFileSync5(path, content, "utf-8");
+  writeFileSync6(path, content, "utf-8");
   return true;
 }
 function skillBody() {
@@ -5447,8 +6281,8 @@ function skillBody() {
   ].join("\n");
 }
 function ensureClaudeSkills(cwd) {
-  const dir = join8(cwd, ".claude", "skills", "glassbox");
-  mkdirSync5(dir, { recursive: true });
+  const dir = join9(cwd, ".claude", "skills", "glassbox");
+  mkdirSync6(dir, { recursive: true });
   const content = [
     "---",
     "name: glassbox",
@@ -5460,11 +6294,11 @@ function ensureClaudeSkills(cwd) {
     skillBody(),
     ""
   ].join("\n");
-  return updateFile(join8(dir, "SKILL.md"), content);
+  return updateFile(join9(dir, "SKILL.md"), content);
 }
 function ensureCursorRules(cwd) {
-  const rulesDir = join8(cwd, ".cursor", "rules");
-  mkdirSync5(rulesDir, { recursive: true });
+  const rulesDir = join9(cwd, ".cursor", "rules");
+  mkdirSync6(rulesDir, { recursive: true });
   const content = [
     "---",
     "description: Read the latest Glassbox code review and apply all feedback annotations",
@@ -5475,11 +6309,11 @@ function ensureCursorRules(cwd) {
     skillBody(),
     ""
   ].join("\n");
-  return updateFile(join8(rulesDir, "glassbox.mdc"), content);
+  return updateFile(join9(rulesDir, "glassbox.mdc"), content);
 }
 function ensureCopilotPrompts(cwd) {
-  const promptsDir = join8(cwd, ".github", "prompts");
-  mkdirSync5(promptsDir, { recursive: true });
+  const promptsDir = join9(cwd, ".github", "prompts");
+  mkdirSync6(promptsDir, { recursive: true });
   const content = [
     "---",
     "description: Read the latest Glassbox code review and apply all feedback annotations",
@@ -5489,11 +6323,11 @@ function ensureCopilotPrompts(cwd) {
     skillBody(),
     ""
   ].join("\n");
-  return updateFile(join8(promptsDir, "glassbox.prompt.md"), content);
+  return updateFile(join9(promptsDir, "glassbox.prompt.md"), content);
 }
 function ensureWindsurfRules(cwd) {
-  const rulesDir = join8(cwd, ".windsurf", "rules");
-  mkdirSync5(rulesDir, { recursive: true });
+  const rulesDir = join9(cwd, ".windsurf", "rules");
+  mkdirSync6(rulesDir, { recursive: true });
   const content = [
     "---",
     "trigger: manual",
@@ -5504,39 +6338,39 @@ function ensureWindsurfRules(cwd) {
     skillBody(),
     ""
   ].join("\n");
-  return updateFile(join8(rulesDir, "glassbox.md"), content);
+  return updateFile(join9(rulesDir, "glassbox.md"), content);
 }
 function ensureSkills() {
   const cwd = process.cwd();
   const platforms = [];
-  if (existsSync7(join8(cwd, ".claude"))) {
+  if (existsSync8(join9(cwd, ".claude"))) {
     if (ensureClaudeSkills(cwd)) platforms.push("Claude Code");
   }
-  if (existsSync7(join8(cwd, ".cursor"))) {
+  if (existsSync8(join9(cwd, ".cursor"))) {
     if (ensureCursorRules(cwd)) platforms.push("Cursor");
   }
-  if (existsSync7(join8(cwd, ".github", "prompts")) || existsSync7(join8(cwd, ".github", "copilot-instructions.md"))) {
+  if (existsSync8(join9(cwd, ".github", "prompts")) || existsSync8(join9(cwd, ".github", "copilot-instructions.md"))) {
     if (ensureCopilotPrompts(cwd)) platforms.push("GitHub Copilot");
   }
-  if (existsSync7(join8(cwd, ".windsurf"))) {
+  if (existsSync8(join9(cwd, ".windsurf"))) {
     if (ensureWindsurfRules(cwd)) platforms.push("Windsurf");
   }
   return platforms;
 }
 
 // src/update-check.ts
-import { existsSync as existsSync8, mkdirSync as mkdirSync6, readFileSync as readFileSync11, writeFileSync as writeFileSync6 } from "fs";
+import { existsSync as existsSync9, mkdirSync as mkdirSync7, readFileSync as readFileSync12, writeFileSync as writeFileSync7 } from "fs";
 import { get } from "https";
-import { homedir as homedir3 } from "os";
-import { dirname as dirname2, join as join9 } from "path";
+import { homedir as homedir4 } from "os";
+import { dirname as dirname2, join as join10 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
-var DATA_DIR = join9(homedir3(), ".glassbox");
-var CHECK_FILE = join9(DATA_DIR, "last-update-check");
+var DATA_DIR = join10(homedir4(), ".glassbox");
+var CHECK_FILE = join10(DATA_DIR, "last-update-check");
 var PACKAGE_NAME = "glassbox";
 function getCurrentVersion() {
   try {
     const dir = dirname2(fileURLToPath2(import.meta.url));
-    const pkg = JSON.parse(readFileSync11(join9(dir, "..", "package.json"), "utf-8"));
+    const pkg = JSON.parse(readFileSync12(join10(dir, "..", "package.json"), "utf-8"));
     return pkg.version;
   } catch {
     return "0.0.0";
@@ -5544,16 +6378,16 @@ function getCurrentVersion() {
 }
 function getLastCheckDate() {
   try {
-    if (existsSync8(CHECK_FILE)) {
-      return readFileSync11(CHECK_FILE, "utf-8").trim();
+    if (existsSync9(CHECK_FILE)) {
+      return readFileSync12(CHECK_FILE, "utf-8").trim();
     }
   } catch {
   }
   return null;
 }
 function saveCheckDate() {
-  mkdirSync6(DATA_DIR, { recursive: true });
-  writeFileSync6(CHECK_FILE, (/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "utf-8");
+  mkdirSync7(DATA_DIR, { recursive: true });
+  writeFileSync7(CHECK_FILE, (/* @__PURE__ */ new Date()).toISOString().slice(0, 10), "utf-8");
 }
 function isFirstUseToday() {
   const last = getLastCheckDate();
@@ -5636,6 +6470,7 @@ async function checkForUpdates(force) {
 }
 
 // src/cli.ts
+import { realpathSync } from "fs";
 function printUsage() {
   console.log(`
 glassbox - Review AI-generated code with annotations
@@ -5779,13 +6614,13 @@ async function main() {
     console.log("AI service test mode enabled \u2014 using mock AI responses");
   }
   if (debug) {
-    console.log(`[debug] Build timestamp: ${"2026-03-27T03:39:52.371Z"}`);
+    console.log(`[debug] Build timestamp: ${"2026-04-02T11:34:35.783Z"}`);
   }
-  if (projectDir) {
+  if (projectDir !== null) {
     process.chdir(projectDir);
   }
   if (dataDir === null) {
-    dataDir = join10(process.cwd(), ".glassbox");
+    dataDir = join11(process.cwd(), ".glassbox");
   }
   if (demo !== null) {
     const scenario = DEMO_SCENARIOS.find((s) => s.id === demo);
@@ -5797,13 +6632,13 @@ async function main() {
       }
       process.exit(1);
     }
-    dataDir = join10(tmpdir(), `glassbox-demo-${demo}-${Date.now()}`);
+    dataDir = join11(tmpdir(), `glassbox-demo-${demo}-${Date.now()}`);
     setDemoMode(demo);
     console.log(`
   DEMO MODE: ${scenario.label}
 `);
   }
-  mkdirSync7(dataDir, { recursive: true });
+  mkdirSync8(dataDir, { recursive: true });
   if (demo === null) {
     acquireLock(dataDir);
   }
@@ -5860,8 +6695,15 @@ async function main() {
   console.log(`Review ${review.id} created.`);
   await startServer(port, review.id, repoRoot, { noOpen, strictPort });
 }
-main().catch((err) => {
-  console.error(err);
-  process.exit(1);
-});
+var resolvedArg = process.argv[1] !== void 0 ? realpathSync(process.argv[1]) : "";
+var isDirectRun = resolvedArg.endsWith("cli.js") || resolvedArg.endsWith("cli.ts");
+if (isDirectRun) {
+  main().catch((err) => {
+    console.error(err);
+    process.exit(1);
+  });
+}
+export {
+  parseArgs
+};
 //# sourceMappingURL=cli.js.map