hammoc 1.0.3 → 1.1.0

package/packages/server/dist/services/webPushService.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Web Push Service — VAPID key management, subscription storage, push delivery
+ * Stores VAPID keys and push subscriptions in ~/.hammoc/ as JSON files.
+ * Uses the web-push library for VAPID signing and push message delivery.
+ */
+export interface WebPushPayload {
+    title: string;
+    body: string;
+    icon?: string;
+    badge?: string;
+    tag?: string;
+    url?: string;
+}
+declare class WebPushService {
+    private vapidKeys;
+    private subscriptions;
+    private loaded;
+    /** Single-flight guard for initial load */
+    private loadPromise;
+    /** Async mutex: queued operations wait for the previous one to finish */
+    private mutationQueue;
+    private getDataDir;
+    private getVapidPath;
+    private getSubscriptionsPath;
+    /** Serialize subscription mutations to prevent concurrent read-modify-write races */
+    private enqueue;
+    /** Single-flight subscription load — safe to call from anywhere without mutex */
+    private ensureLoaded;
+    /** Ensure VAPID keys exist; generate only if file does not exist */
+    private ensureVapidKeys;
+    /** Load subscriptions from disk (only ENOENT is treated as empty) */
+    private loadSubscriptions;
+    /** Persist subscriptions to disk */
+    private saveSubscriptions;
+    /** Initialize: load VAPID keys and subscriptions */
+    init(): Promise<void>;
+    /** Get the VAPID public key (needed by client for PushManager.subscribe) */
+    getVapidPublicKey(): Promise<string>;
+    /** Get number of stored subscriptions */
+    getSubscriptionCount(): number;
+    /** Validate and add a push subscription (deduplicate by endpoint) */
+    subscribe(sub: {
+        endpoint: string;
+        keys: {
+            p256dh: string;
+            auth: string;
+        };
+    }, userAgent?: string): Promise<void>;
+    /** Remove a push subscription by endpoint */
+    unsubscribe(endpoint: string): Promise<boolean>;
+    /** Send a push notification to all subscriptions */
+    sendPush(payload: WebPushPayload): Promise<void>;
+    /** Send a test push notification */
+    sendTest(): Promise<{
+        success: boolean;
+        error?: string;
+    }>;
+}
+export declare const webPushService: WebPushService;
+export {};
+//# sourceMappingURL=webPushService.d.ts.map

package/packages/server/dist/services/webPushService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webPushService.d.ts","sourceRoot":"","sources":["../../src/services/webPushService.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAuBH,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAuBD,cAAM,cAAc;IAClB,OAAO,CAAC,SAAS,CAA0B;IAC3C,OAAO,CAAC,aAAa,CAA4B;IACjD,OAAO,CAAC,MAAM,CAAS;IACvB,2CAA2C;IAC3C,OAAO,CAAC,WAAW,CAA8B;IACjD,yEAAyE;IACzE,OAAO,CAAC,aAAa,CAAoC;IAEzD,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,YAAY;IAIpB,OAAO,CAAC,oBAAoB;IAI5B,qFAAqF;IACrF,OAAO,CAAC,OAAO;IAKf,iFAAiF;IACjF,OAAO,CAAC,YAAY;IAUpB,oEAAoE;YACtD,eAAe;IA8B7B,qEAAqE;YACvD,iBAAiB;IAgB/B,oCAAoC;YACtB,iBAAiB;IAM/B,oDAAoD;IAC9C,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAK3B,4EAA4E;IACtE,iBAAiB,IAAI,OAAO,CAAC,MAAM,CAAC;IAK1C,yCAAyC;IACzC,oBAAoB,IAAI,MAAM;IAI9B,qEAAqE;IAC/D,SAAS,CAAC,GAAG,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA4BrH,6CAA6C;IACvC,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAqBrD,oDAAoD;IAC9C,QAAQ,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAsDtD,oCAAoC;IAC9B,QAAQ,IAAI,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAyBhE;AAED,eAAO,MAAM,cAAc,gBAAuB,CAAC"}

package/packages/server/dist/services/webPushService.js

@@ -0,0 +1,258 @@
+/**
+ * Web Push Service — VAPID key management, subscription storage, push delivery
+ * Stores VAPID keys and push subscriptions in ~/.hammoc/ as JSON files.
+ * Uses the web-push library for VAPID signing and push message delivery.
+ */
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import os from 'node:os';
+import webpush from 'web-push';
+import { preferencesService } from './preferencesService.js';
+import { createLogger } from '../utils/logger.js';
+const logger = createLogger('webPushService');
+/** Known push service hostnames (strict matching for SSRF prevention) */
+const PUSH_SERVICE_PATTERNS = [
+    /^fcm\.googleapis\.com$/,
+    /^updates\.push\.services\.mozilla\.com$/,
+    /^push\.services\.mozilla\.com$/,
+    /^web\.push\.apple\.com$/,
+    /\.notify\.windows\.com$/,
+    /\.push\.samsung\.com$/,
+];
+/** Validate that an endpoint URL is a legitimate push service */
+function isValidPushEndpoint(endpoint) {
+    try {
+        const url = new URL(endpoint);
+        if (url.protocol !== 'https:')
+            return false;
+        return PUSH_SERVICE_PATTERNS.some(pattern => pattern.test(url.hostname));
+    }
+    catch {
+        return false;
+    }
+}
+class WebPushService {
+    vapidKeys = null;
+    subscriptions = [];
+    loaded = false;
+    /** Single-flight guard for initial load */
+    loadPromise = null;
+    /** Async mutex: queued operations wait for the previous one to finish */
+    mutationQueue = Promise.resolve();
+    getDataDir() {
+        return path.join(os.homedir(), '.hammoc');
+    }
+    getVapidPath() {
+        return path.join(this.getDataDir(), 'vapid-keys.json');
+    }
+    getSubscriptionsPath() {
+        return path.join(this.getDataDir(), 'push-subscriptions.json');
+    }
+    /** Serialize subscription mutations to prevent concurrent read-modify-write races */
+    enqueue(fn) {
+        this.mutationQueue = this.mutationQueue.then(fn, fn);
+        return this.mutationQueue;
+    }
+    /** Single-flight subscription load — safe to call from anywhere without mutex */
+    ensureLoaded() {
+        if (this.loaded)
+            return Promise.resolve();
+        if (!this.loadPromise) {
+            this.loadPromise = this.loadSubscriptions().finally(() => {
+                this.loadPromise = null;
+            });
+        }
+        return this.loadPromise;
+    }
+    /** Ensure VAPID keys exist; generate only if file does not exist */
+    async ensureVapidKeys() {
+        if (this.vapidKeys)
+            return this.vapidKeys;
+        const vapidPath = this.getVapidPath();
+        try {
+            const content = await fs.readFile(vapidPath, 'utf-8');
+            this.vapidKeys = JSON.parse(content);
+            if (!this.vapidKeys.publicKey || !this.vapidKeys.privateKey) {
+                throw new Error('Invalid VAPID keys file: missing publicKey or privateKey');
+            }
+        }
+        catch (err) {
+            const code = err.code;
+            if (code === 'ENOENT') {
+                // First run — generate new keys
+                const keys = webpush.generateVAPIDKeys();
+                this.vapidKeys = { publicKey: keys.publicKey, privateKey: keys.privateKey };
+                const dataDir = this.getDataDir();
+                await fs.mkdir(dataDir, { recursive: true });
+                await fs.writeFile(vapidPath, JSON.stringify(this.vapidKeys, null, 2), 'utf-8');
+                logger.info('[WebPush] Generated new VAPID keys');
+            }
+            else {
+                // Parse/permission error — don't silently regenerate, fail fast
+                logger.error(`[WebPush] Failed to read VAPID keys: ${err.message}`);
+                throw err;
+            }
+        }
+        return this.vapidKeys;
+    }
+    /** Load subscriptions from disk (only ENOENT is treated as empty) */
+    async loadSubscriptions() {
+        try {
+            const content = await fs.readFile(this.getSubscriptionsPath(), 'utf-8');
+            this.subscriptions = JSON.parse(content);
+        }
+        catch (err) {
+            const code = err.code;
+            if (code === 'ENOENT') {
+                this.subscriptions = [];
+            }
+            else {
+                logger.error(`[WebPush] Failed to load subscriptions: ${err.message}`);
+                throw err;
+            }
+        }
+        this.loaded = true;
+    }
+    /** Persist subscriptions to disk */
+    async saveSubscriptions() {
+        const dataDir = this.getDataDir();
+        await fs.mkdir(dataDir, { recursive: true });
+        await fs.writeFile(this.getSubscriptionsPath(), JSON.stringify(this.subscriptions, null, 2), 'utf-8');
+    }
+    /** Initialize: load VAPID keys and subscriptions */
+    async init() {
+        await this.ensureVapidKeys();
+        await this.loadSubscriptions();
+    }
+    /** Get the VAPID public key (needed by client for PushManager.subscribe) */
+    async getVapidPublicKey() {
+        const keys = await this.ensureVapidKeys();
+        return keys.publicKey;
+    }
+    /** Get number of stored subscriptions */
+    getSubscriptionCount() {
+        return this.subscriptions.length;
+    }
+    /** Validate and add a push subscription (deduplicate by endpoint) */
+    async subscribe(sub, userAgent) {
+        if (!isValidPushEndpoint(sub.endpoint)) {
+            throw new Error('Invalid push endpoint: must be HTTPS from a known push service');
+        }
+        return this.enqueue(async () => {
+            await this.ensureLoaded();
+            // Copy-on-write: build new list, persist, then assign
+            const next = this.subscriptions.filter(s => s.endpoint !== sub.endpoint);
+            next.push({
+                endpoint: sub.endpoint,
+                keys: sub.keys,
+                userAgent,
+                createdAt: new Date().toISOString(),
+            });
+            const prev = this.subscriptions;
+            this.subscriptions = next;
+            try {
+                await this.saveSubscriptions();
+            }
+            catch (err) {
+                this.subscriptions = prev; // rollback on write failure
+                throw err;
+            }
+            logger.info(`[WebPush] Subscription added (total: ${this.subscriptions.length})`);
+        });
+    }
+    /** Remove a push subscription by endpoint */
+    async unsubscribe(endpoint) {
+        let removed = false;
+        await this.enqueue(async () => {
+            await this.ensureLoaded();
+            const next = this.subscriptions.filter(s => s.endpoint !== endpoint);
+            if (next.length < this.subscriptions.length) {
+                const prev = this.subscriptions;
+                this.subscriptions = next;
+                try {
+                    await this.saveSubscriptions();
+                }
+                catch (err) {
+                    this.subscriptions = prev; // rollback on write failure
+                    throw err;
+                }
+                logger.info(`[WebPush] Subscription removed (total: ${this.subscriptions.length})`);
+                removed = true;
+            }
+        });
+        return removed;
+    }
+    /** Send a push notification to all subscriptions */
+    async sendPush(payload) {
+        await this.ensureLoaded();
+        if (this.subscriptions.length === 0)
+            return;
+        const keys = await this.ensureVapidKeys();
+        const vapidSubject = process.env.VAPID_SUBJECT || 'mailto:hammoc@localhost';
+        webpush.setVapidDetails(vapidSubject, keys.publicKey, keys.privateKey);
+        const body = JSON.stringify({
+            ...payload,
+            icon: payload.icon || '/favicon-192.png',
+            badge: payload.badge || '/favicon-192.png',
+        });
+        const expiredEndpoints = [];
+        await Promise.allSettled(this.subscriptions.map(async (sub) => {
+            try {
+                await webpush.sendNotification({ endpoint: sub.endpoint, keys: sub.keys }, body, { TTL: 60 * 60 });
+            }
+            catch (err) {
+                const statusCode = err.statusCode;
+                if (statusCode === 410 || statusCode === 404) {
+                    // Subscription expired or invalid — mark for removal
+                    expiredEndpoints.push(sub.endpoint);
+                    logger.debug(`[WebPush] Subscription expired (${statusCode}): ${sub.endpoint.slice(0, 60)}...`);
+                }
+                else {
+                    logger.warn(`[WebPush] Send failed: ${err.message || err}`);
+                }
+            }
+        }));
+        // Clean up expired subscriptions (serialized, with rollback)
+        if (expiredEndpoints.length > 0) {
+            await this.enqueue(async () => {
+                const next = this.subscriptions.filter(s => !expiredEndpoints.includes(s.endpoint));
+                const prev = this.subscriptions;
+                this.subscriptions = next;
+                try {
+                    await this.saveSubscriptions();
+                }
+                catch (err) {
+                    this.subscriptions = prev;
+                    throw err;
+                }
+                logger.info(`[WebPush] Removed ${expiredEndpoints.length} expired subscription(s)`);
+            });
+        }
+    }
+    /** Send a test push notification */
+    async sendTest() {
+        try {
+            await this.ensureLoaded();
+            const prefs = await preferencesService.readPreferences();
+            if (!prefs.webPush?.enabled) {
+                return { success: false, error: 'Web Push is not enabled' };
+            }
+            if (this.subscriptions.length === 0) {
+                return { success: false, error: 'No subscriptions registered' };
+            }
+            await this.sendPush({
+                title: 'Hammoc',
+                body: '🔔 Test push notification from Hammoc',
+                tag: 'test',
+                url: '/',
+            });
+            return { success: true };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : 'Unknown error';
+            return { success: false, error: message };
+        }
+    }
+}
+export const webPushService = new WebPushService();
+//# sourceMappingURL=webPushService.js.map

package/packages/server/dist/services/webPushService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webPushService.js","sourceRoot":"","sources":["../../src/services/webPushService.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,OAAO,MAAM,UAAU,CAAC;AAC/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,MAAM,GAAG,YAAY,CAAC,gBAAgB,CAAC,CAAC;AAuB9C,yEAAyE;AACzE,MAAM,qBAAqB,GAAG;IAC5B,wBAAwB;IACxB,yCAAyC;IACzC,gCAAgC;IAChC,yBAAyB;IACzB,yBAAyB;IACzB,uBAAuB;CACxB,CAAC;AAEF,iEAAiE;AACjE,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC9B,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC5C,OAAO,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,cAAc;IACV,SAAS,GAAqB,IAAI,CAAC;IACnC,aAAa,GAAyB,EAAE,CAAC;IACzC,MAAM,GAAG,KAAK,CAAC;IACvB,2CAA2C;IACnC,WAAW,GAAyB,IAAI,CAAC;IACjD,yEAAyE;IACjE,aAAa,GAAkB,OAAO,CAAC,OAAO,EAAE,CAAC;IAEjD,UAAU;QAChB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;IAC5C,CAAC;IAEO,YAAY;QAClB,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,iBAAiB,CAAC,CAAC;IACzD,CAAC;IAEO,oBAAoB;QAC1B,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,yBAAyB,CAAC,CAAC;IACjE,CAAC;IAED,qFAAqF;IAC7E,OAAO,CAAC,EAAuB;QACrC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED,iFAAiF;IACzE,YAAY;QAClB,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;QAC1C,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;gBACvD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;YAC1B,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,oEAAoE;IAC5D,KAAK,CAAC,eAAe;QAC3B,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC;QAE1C,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACtD,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAc,CAAC;YAClD,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;gBAC5D,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;YAC9E,CAAC;QACH,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;YACjD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACtB,gCAAgC;gBAChC,MAAM,IAAI,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;gBACzC,IAAI,CAAC,SAAS,GAAG,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC5E,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBAClC,MAAM,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC7C,MAAM,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;gBAChF,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,gEAAgE;gBAChE,MAAM,CAAC,KAAK,CAAC,wCAAyC,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC/E,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,qEAAqE;IAC7D,KAAK,CAAC,iBAAiB;QAC7B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,OAAO,CAAC,CAAC;YACxE,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAyB,CAAC;QACnE,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;YACjD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACtB,IAAI,CAAC,aAAa,GAAG,EAAE,CAAC;YAC1B,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,KAAK,CAAC,2CAA4C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;gBAClF,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACrB,CAAC;IAED,oCAAoC;IAC5B,KAAK,CAAC,iBAAiB;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAClC,MAAM,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACxG,CAAC;IAED,oDAAoD;IACpD,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC7B,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;IACjC,CAAC;IAED,4EAA4E;IAC5E,KAAK,CAAC,iBAAiB;QACrB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC1C,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,yCAAyC;IACzC,oBAAoB;QAClB,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC;IACnC,CAAC;IAED,qEAAqE;IACrE,KAAK,CAAC,SAAS,CAAC,GAAiE,EAAE,SAAkB;QACnG,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;QACpF,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE;YAC7B,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAE1B,sDAAsD;YACtD,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,CAAC,CAAC;YACzE,IAAI,CAAC,IAAI,CAAC;gBACR,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,SAAS;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC,CAAC,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC;YAChC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;YAC1B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC,4BAA4B;gBACvD,MAAM,GAAG,CAAC;YACZ,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,wCAAwC,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;QACpF,CAAC,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,KAAK,CAAC,WAAW,CAAC,QAAgB;QAChC,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE;YAC5B,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;YACrE,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC;gBAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC;gBAChC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;gBAC1B,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACjC,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC,4BAA4B;oBACvD,MAAM,GAAG,CAAC;gBACZ,CAAC;gBACD,MAAM,CAAC,IAAI,CAAC,0CAA0C,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;gBACpF,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,oDAAoD;IACpD,KAAK,CAAC,QAAQ,CAAC,OAAuB;QACpC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1B,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAE5C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,yBAAyB,CAAC;QAC5E,OAAO,CAAC,eAAe,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAEvE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC;YAC1B,GAAG,OAAO;YACV,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,kBAAkB;YACxC,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,kBAAkB;SAC3C,CAAC,CAAC;QAEH,MAAM,gBAAgB,GAAa,EAAE,CAAC;QAEtC,MAAM,OAAO,CAAC,UAAU,CACtB,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACnC,IAAI,CAAC;gBACH,MAAM,OAAO,CAAC,gBAAgB,CAC5B,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAC1C,IAAI,EACJ,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,CACjB,CAAC;YACJ,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,MAAM,UAAU,GAAI,GAA+B,CAAC,UAAU,CAAC;gBAC/D,IAAI,UAAU,KAAK,GAAG,IAAI,UAAU,KAAK,GAAG,EAAE,CAAC;oBAC7C,qDAAqD;oBACrD,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBACpC,MAAM,CAAC,KAAK,CAAC,mCAAmC,UAAU,MAAM,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;gBAClG,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CAAC,0BAA2B,GAAa,CAAC,OAAO,IAAI,GAAG,EAAE,CAAC,CAAC;gBACzE,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CACH,CAAC;QAEF,6DAA6D;QAC7D,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE;gBAC5B,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;gBACpF,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC;gBAChC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;gBAC1B,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACjC,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;oBAC1B,MAAM,GAAG,CAAC;gBACZ,CAAC;gBACD,MAAM,CAAC,IAAI,CAAC,qBAAqB,gBAAgB,CAAC,MAAM,0BAA0B,CAAC,CAAC;YACtF,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,KAAK,CAAC,QAAQ;QACZ,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAE1B,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,eAAe,EAAE,CAAC;YACzD,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;gBAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;YAC9D,CAAC;YACD,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACpC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC;YAClE,CAAC;YAED,MAAM,IAAI,CAAC,QAAQ,CAAC;gBAClB,KAAK,EAAE,QAAQ;gBACf,IAAI,EAAE,uCAAuC;gBAC7C,GAAG,EAAE,MAAM;gBACX,GAAG,EAAE,GAAG;aACT,CAAC,CAAC;YAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YACrE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QAC5C,CAAC;IACH,CAAC;CACF;AAED,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC"}

package/packages/server/dist/utils/networkUtils.d.ts

@@ -3,6 +3,7 @@
  * Story 17.5: Terminal Security - IP-based access control
  */
 import type { Socket } from 'socket.io';
+import type { Request } from 'express';
 /**
  * Check if an IP address belongs to a local/private network range.
  * Supports IPv4, IPv6 loopback, and IPv4-mapped IPv6 addresses.
@@ -12,12 +13,26 @@ import type { Socket } from 'socket.io';
  *   ::ffff:<ipv4> variants of the above
  */
 export declare function isLocalIP(ip: string): boolean;
+/**
+ * Check if an IP is strictly a loopback address (127.0.0.0/8 or ::1).
+ * Use this for privileged operations (server restart/update) where
+ * even private network IPs should NOT be trusted.
+ */
+export declare function isLoopbackIP(ip: string): boolean;
 /**
  * Extract client IP address from a Socket.io socket.
- * Uses socket.handshake.address directly.
- * X-Forwarded-For and other proxy headers are intentionally ignored for security.
+ * When TRUST_PROXY is enabled AND the direct peer is loopback,
+ * reads proxy headers to get the real client IP.
+ * Otherwise uses socket.handshake.address directly (safe for direct connections).
  */
 export declare function extractClientIP(socket: Socket): string;
+/**
+ * Extract client IP address from an Express request.
+ * When TRUST_PROXY is enabled AND the direct peer is loopback,
+ * reads proxy headers to get the real client IP.
+ * Otherwise uses req.socket.remoteAddress directly.
+ */
+export declare function extractRequestIP(req: Request): string;
 /**
  * Check if the server binding address is an external interface.
  * Returns true for 0.0.0.0, ::, or non-loopback/non-localhost addresses.

package/packages/server/dist/utils/networkUtils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"networkUtils.d.ts","sourceRoot":"","sources":["../../src/utils/networkUtils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AAExC;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAkC7C;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEtD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAWvD"}
+{"version":3,"file":"networkUtils.d.ts","sourceRoot":"","sources":["../../src/utils/networkUtils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AACxC,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AASvC;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAgC7C;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAUhD;AAkED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAOtD;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAOrD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAWvD"}

package/packages/server/dist/utils/networkUtils.js

@@ -2,6 +2,13 @@
  * Network Utilities for Terminal Security
  * Story 17.5: Terminal Security - IP-based access control
  */
+import { isIP } from 'net';
+import { config } from '../config/index.js';
+/**
+ * Strict IPv4 octet pattern — rejects leading zeros, ports, suffixes.
+ * Matches "0"-"255" only (no "01", "127.0.0.1:443", "127.0.0.1abc").
+ */
+const STRICT_IPV4_RE = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)$/;
 /**
  * Check if an IP address belongs to a local/private network range.
  * Supports IPv4, IPv6 loopback, and IPv4-mapped IPv6 addresses.
@@ -21,13 +28,11 @@ export function isLocalIP(ip) {
     if (normalizedIP.startsWith('::ffff:')) {
         normalizedIP = normalizedIP.slice(7);
     }
-    // Parse IPv4
-    const parts = normalizedIP.split('.');
-    if (parts.length !== 4)
+    // Strict IPv4 format check — rejects "127.0.0.1:443", "127.0.0.1abc", etc.
+    if (!STRICT_IPV4_RE.test(normalizedIP))
         return false;
+    const parts = normalizedIP.split('.');
     const octets = parts.map((p) => parseInt(p, 10));
-    if (octets.some((o) => isNaN(o) || o < 0 || o > 255))
-        return false;
     const [a, b] = octets;
     // 127.0.0.0/8 (loopback)
     if (a === 127)
@@ -43,13 +48,121 @@ export function isLocalIP(ip) {
         return true;
     return false;
 }
+/**
+ * Check if an IP is strictly a loopback address (127.0.0.0/8 or ::1).
+ * Use this for privileged operations (server restart/update) where
+ * even private network IPs should NOT be trusted.
+ */
+export function isLoopbackIP(ip) {
+    if (!ip || typeof ip !== 'string')
+        return false;
+    if (ip === '::1')
+        return true;
+    let normalizedIP = ip;
+    if (normalizedIP.startsWith('::ffff:')) {
+        normalizedIP = normalizedIP.slice(7);
+    }
+    if (!STRICT_IPV4_RE.test(normalizedIP))
+        return false;
+    const first = parseInt(normalizedIP.split('.')[0], 10);
+    return first === 127;
+}
+/**
+ * Check if the peer (direct TCP connection) is a loopback address.
+ * Used to gate whether proxy headers should be trusted — only trust
+ * forwarding headers when the immediate connection is from localhost
+ * (i.e. cloudflared or nginx running on the same machine).
+ */
+function isPeerLoopback(peerAddress) {
+    if (!peerAddress)
+        return false;
+    const addr = peerAddress.startsWith('::ffff:') ? peerAddress.slice(7) : peerAddress;
+    return addr === '127.0.0.1' || addr === '::1';
+}
+/**
+ * Validate and sanitize an IP string from a proxy header.
+ * Returns the IP if valid, empty string otherwise.
+ */
+function validateIP(value) {
+    if (!value)
+        return '';
+    const trimmed = value.trim();
+    // Use Node.js built-in net.isIP for strict validation
+    if (isIP(trimmed) === 0)
+        return '';
+    return trimmed;
+}
+/**
+ * Extract the rightmost valid IP from a comma-separated X-Forwarded-For header.
+ * The rightmost entry is the one added by the closest trusted proxy, which is
+ * the most reliable — leftmost entries can be attacker-injected.
+ *
+ * Format: "client, proxy1, proxy2" — rightmost is added by our proxy.
+ * Returns empty string if no valid IP found.
+ */
+function extractRightmostIP(headerValue) {
+    if (!headerValue)
+        return '';
+    const parts = headerValue.split(',');
+    // Walk from right to find the first valid non-private IP,
+    // or fall back to the rightmost valid IP
+    for (let i = parts.length - 1; i >= 0; i--) {
+        const candidate = parts[i].trim();
+        if (candidate && isIP(candidate) !== 0) {
+            return candidate;
+        }
+    }
+    return '';
+}
+/**
+ * Read proxy headers to determine real client IP.
+ * Priority: CF-Connecting-IP > X-Forwarded-For > X-Real-IP.
+ * Returns empty string if no valid proxy header found.
+ */
+function extractFromProxyHeaders(headers) {
+    // CF-Connecting-IP is set by Cloudflare and is a single IP (most reliable)
+    const cfIP = validateIP(headers['cf-connecting-ip']);
+    if (cfIP)
+        return cfIP;
+    // X-Forwarded-For is standard for reverse proxies
+    const forwarded = extractRightmostIP(headers['x-forwarded-for']);
+    if (forwarded)
+        return forwarded;
+    // X-Real-IP is used by nginx
+    const realIP = validateIP(headers['x-real-ip']);
+    if (realIP)
+        return realIP;
+    return '';
+}
 /**
  * Extract client IP address from a Socket.io socket.
- * Uses socket.handshake.address directly.
- * X-Forwarded-For and other proxy headers are intentionally ignored for security.
+ * When TRUST_PROXY is enabled AND the direct peer is loopback,
+ * reads proxy headers to get the real client IP.
+ * Otherwise uses socket.handshake.address directly (safe for direct connections).
  */
 export function extractClientIP(socket) {
-    return socket.handshake.address || '';
+    const peerAddress = socket.handshake.address || '';
+    if (config.server.trustProxy && isPeerLoopback(peerAddress)) {
+        const proxyIP = extractFromProxyHeaders(socket.handshake.headers);
+        if (proxyIP)
+            return proxyIP;
+    }
+    return peerAddress;
+}
+/**
+ * Extract client IP address from an Express request.
+ * When TRUST_PROXY is enabled AND the direct peer is loopback,
+ * reads proxy headers to get the real client IP.
+ * Otherwise uses req.socket.remoteAddress directly.
+ */
+export function extractRequestIP(req) {
+    const peerAddress = req.socket.remoteAddress || '';
+    if (config.server.trustProxy && isPeerLoopback(peerAddress)) {
+        const proxyIP = extractFromProxyHeaders(req.headers);
+        if (proxyIP)
+            return proxyIP;
+    }
+    return peerAddress;
 }
 /**
  * Check if the server binding address is an external interface.

package/packages/server/dist/utils/networkUtils.js.map

@@ -1 +1 @@
-{"version":3,"file":"networkUtils.js","sourceRoot":"","sources":["../../src/utils/networkUtils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,EAAU;IAClC,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAEhD,gBAAgB;IAChB,IAAI,EAAE,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAE9B,iDAAiD;IACjD,IAAI,YAAY,GAAG,EAAE,CAAC;IACtB,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACvC,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IAED,aAAa;IACb,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACjD,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAEnE,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC;IAEtB,yBAAyB;IACzB,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAE3B,uBAAuB;IACvB,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAE1B,2BAA2B;IAC3B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,0CAA0C;IAC1C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IAEjD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,MAAc;IAC5C,OAAO,MAAM,CAAC,SAAS,CAAC,OAAO,IAAI,EAAE,CAAC;AACxC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAExB,+CAA+C;IAC/C,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAErD,oDAAoD;IACpD,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAEjF,8DAA8D;IAC9D,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"networkUtils.js","sourceRoot":"","sources":["../../src/utils/networkUtils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,KAAK,CAAC;AAG3B,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C;;;GAGG;AACH,MAAM,cAAc,GAAG,uFAAuF,CAAC;AAE/G;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,EAAU;IAClC,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAEhD,gBAAgB;IAChB,IAAI,EAAE,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAE9B,iDAAiD;IACjD,IAAI,YAAY,GAAG,EAAE,CAAC;IACtB,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACvC,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IAED,2EAA2E;IAC3E,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC;QAAE,OAAO,KAAK,CAAC;IAErD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACjD,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC;IAEtB,yBAAyB;IACzB,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAE3B,uBAAuB;IACvB,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAE1B,2BAA2B;IAC3B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,0CAA0C;IAC1C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IAEjD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,EAAU;IACrC,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAChD,IAAI,EAAE,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,YAAY,GAAG,EAAE,CAAC;IACtB,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACvC,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC;QAAE,OAAO,KAAK,CAAC;IACrD,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvD,OAAO,KAAK,KAAK,GAAG,CAAC;AACvB,CAAC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,WAAmB;IACzC,IAAI,CAAC,WAAW;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,IAAI,GAAG,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IACpF,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,KAAK,CAAC;AAChD,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,KAAyB;IAC3C,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,sDAAsD;IACtD,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACnC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,kBAAkB,CAAC,WAA+B;IACzD,IAAI,CAAC,WAAW;QAAE,OAAO,EAAE,CAAC;IAC5B,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACrC,0DAA0D;IAC1D,yCAAyC;IACzC,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAClC,IAAI,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;YACvC,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;GAIG;AACH,SAAS,uBAAuB,CAAC,OAAsD;IACrF,2EAA2E;IAC3E,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,kBAAkB,CAAuB,CAAC,CAAC;IAC3E,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IACtB,kDAAkD;IAClD,MAAM,SAAS,GAAG,kBAAkB,CAAC,OAAO,CAAC,iBAAiB,CAAuB,CAAC,CAAC;IACvF,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,6BAA6B;IAC7B,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,WAAW,CAAuB,CAAC,CAAC;IACtE,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,MAAc;IAC5C,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,IAAI,EAAE,CAAC;IACnD,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5D,MAAM,OAAO,GAAG,uBAAuB,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAClE,IAAI,OAAO;YAAE,OAAO,OAAO,CAAC;IAC9B,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAY;IAC3C,MAAM,WAAW,GAAG,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC;IACnD,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,IAAI,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5D,MAAM,OAAO,GAAG,uBAAuB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrD,IAAI,OAAO;YAAE,OAAO,OAAO,CAAC;IAC9B,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAExB,+CAA+C;IAC/C,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAErD,oDAAoD;IACpD,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAEjF,8DAA8D;IAC9D,OAAO,IAAI,CAAC;AACd,CAAC"}

package/packages/server/package.json

@@ -21,12 +21,15 @@
     "cookie-session": "^2.1.1",
     "cors": "^2.8.5",
     "express": "^4.21.0",
+    "express-rate-limit": "^8.3.1",
+    "helmet": "^8.1.0",
     "i18next": "^24.2.3",
     "js-yaml": "^4.1.1",
     "multer": "^2.1.1",
     "node-pty": "^1.0.0",
     "simple-git": "^3.27.0",
     "socket.io": "^4.8.0",
+    "web-push": "^3.6.7",
     "zod": "^4.3.6"
   },
   "devDependencies": {
@@ -39,6 +42,7 @@
     "@types/multer": "^2.1.0",
     "@types/node": "^22.0.0",
     "@types/supertest": "^6.0.3",
+    "@types/web-push": "^3.6.4",
     "@vitest/coverage-v8": "^2.0.0",
     "supertest": "^7.2.2",
     "tsx": "^4.19.0",

package/packages/shared/dist/constants/errorCodes.d.ts

@@ -26,6 +26,7 @@ export declare const ERROR_CODES: {
     readonly TIMEOUT_ERROR: "TIMEOUT_ERROR";
     /** Input validation error (e.g., invalid image) */
     readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+    readonly CHAIN_MAX_EXCEEDED: "CHAIN_MAX_EXCEEDED";
 };
 export type ErrorCode = (typeof ERROR_CODES)[keyof typeof ERROR_CODES];
 //# sourceMappingURL=errorCodes.d.ts.map

package/packages/shared/dist/constants/errorCodes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errorCodes.d.ts","sourceRoot":"","sources":["../../src/constants/errorCodes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,eAAO,MAAM,WAAW;IACtB,oCAAoC;;IAEpC,yCAAyC;;IAEzC,2BAA2B;;IAE3B,gCAAgC;;IAEhC,wBAAwB;;IAExB,+BAA+B;;IAG/B,4BAA4B;;IAE5B,sDAAsD;;IAGtD,4BAA4B;;IAG5B,mDAAmD;;CAE3C,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,OAAO,WAAW,CAAC,CAAC"}
+{"version":3,"file":"errorCodes.d.ts","sourceRoot":"","sources":["../../src/constants/errorCodes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,eAAO,MAAM,WAAW;IACtB,oCAAoC;;IAEpC,yCAAyC;;IAEzC,2BAA2B;;IAE3B,gCAAgC;;IAEhC,wBAAwB;;IAExB,+BAA+B;;IAG/B,4BAA4B;;IAE5B,sDAAsD;;IAGtD,4BAA4B;;IAG5B,mDAAmD;;;CAI3C,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,OAAO,WAAW,CAAC,CAAC"}

package/packages/shared/dist/constants/errorCodes.js

@@ -29,5 +29,7 @@ export const ERROR_CODES = {
     // Story 5.5: Image Attachment validation
     /** Input validation error (e.g., invalid image) */
     VALIDATION_ERROR: 'VALIDATION_ERROR',
+    // Story 24.1: Prompt chain max items exceeded
+    CHAIN_MAX_EXCEEDED: 'CHAIN_MAX_EXCEEDED',
 };
 //# sourceMappingURL=errorCodes.js.map

package/packages/shared/dist/constants/errorCodes.js.map

@@ -1 +1 @@
-{"version":3,"file":"errorCodes.js","sourceRoot":"","sources":["../../src/constants/errorCodes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,oCAAoC;IACpC,UAAU,EAAE,YAAY;IACxB,yCAAyC;IACzC,oBAAoB,EAAE,sBAAsB;IAC5C,2BAA2B;IAC3B,WAAW,EAAE,aAAa;IAC1B,gCAAgC;IAChC,mBAAmB,EAAE,qBAAqB;IAC1C,wBAAwB;IACxB,iBAAiB,EAAE,mBAAmB;IACtC,+BAA+B;IAC/B,aAAa,EAAE,eAAe;IAC9B,iDAAiD;IACjD,4BAA4B;IAC5B,mBAAmB,EAAE,qBAAqB;IAC1C,sDAAsD;IACtD,YAAY,EAAE,cAAc;IAC5B,gCAAgC;IAChC,4BAA4B;IAC5B,aAAa,EAAE,eAAe;IAC9B,yCAAyC;IACzC,mDAAmD;IACnD,gBAAgB,EAAE,kBAAkB;CAC5B,CAAC"}
+{"version":3,"file":"errorCodes.js","sourceRoot":"","sources":["../../src/constants/errorCodes.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,oCAAoC;IACpC,UAAU,EAAE,YAAY;IACxB,yCAAyC;IACzC,oBAAoB,EAAE,sBAAsB;IAC5C,2BAA2B;IAC3B,WAAW,EAAE,aAAa;IAC1B,gCAAgC;IAChC,mBAAmB,EAAE,qBAAqB;IAC1C,wBAAwB;IACxB,iBAAiB,EAAE,mBAAmB;IACtC,+BAA+B;IAC/B,aAAa,EAAE,eAAe;IAC9B,iDAAiD;IACjD,4BAA4B;IAC5B,mBAAmB,EAAE,qBAAqB;IAC1C,sDAAsD;IACtD,YAAY,EAAE,cAAc;IAC5B,gCAAgC;IAChC,4BAA4B;IAC5B,aAAa,EAAE,eAAe;IAC9B,yCAAyC;IACzC,mDAAmD;IACnD,gBAAgB,EAAE,kBAAkB;IACpC,8CAA8C;IAC9C,kBAAkB,EAAE,oBAAoB;CAChC,CAAC"}

package/packages/shared/dist/index.d.ts

@@ -11,7 +11,7 @@ export { LogoutResponse, AuthStatus, AUTH_ERROR_CODES, SetupPasswordRequest, Set
 export { AUTH_ERROR_MESSAGES } from './types/auth.js';
 export { ProjectInfo, ProjectListResponse, PROJECT_ERRORS, CreateProjectRequest, CreateProjectResponse, DeleteProjectResponse, ValidatePathRequest, ValidatePathResponse, BmadVersionsResponse, ProjectSettings, UpdateProjectSettingsRequest, ProjectSettingsApiResponse, SetupBmadRequest, SetupBmadResponse, } from './types/project.js';
 export { SlashCommand, StarCommand, CommandsResponse } from './types/command.js';
-export { UserPreferences, PromptHistoryData, DEFAULT_PREFERENCES, PreferencesApiResponse, TelegramSettings, TelegramSettingsApiResponse, UpdateTelegramSettingsRequest, SupportedLanguage, SUPPORTED_LANGUAGES, } from './types/preferences.js';
+export { UserPreferences, PromptHistoryData, DEFAULT_PREFERENCES, PreferencesApiResponse, TelegramSettings, TelegramSettingsApiResponse, UpdateTelegramSettingsRequest, WebPushSettings, WebPushSettingsApiResponse, WebPushSubscribeRequest, SupportedLanguage, SUPPORTED_LANGUAGES, PermissionSyncPolicy, } from './types/preferences.js';
 export { RawJSONLMessage, HistoryMessage, PaginationInfo, HistoryMessagesResponse, PaginationOptions, ContentBlock, TextContentBlock, ThinkingContentBlock, ToolUseContentBlock, ToolResultContentBlock, ImageContentBlock, } from './types/history.js';
 export * from './types/fileSystem.js';
 export * from './types/bmadStatus.js';

package/packages/shared/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,gBAAgB,CAAC;AAG/B,cAAc,sBAAsB,CAAC;AAGrC,cAAc,sBAAsB,CAAC;AAGrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAI1C,cAAc,oBAAoB,CAAC;AAGnC,cAAc,gBAAgB,CAAC;AAG/B,OAAO,EACL,UAAU,EACV,wBAAwB,EACxB,mBAAmB,EACnB,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,YAAY,EACZ,aAAa,EACb,aAAa,EACb,sBAAsB,EACtB,YAAY,GACb,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,cAAc,EACd,UAAU,EACV,gBAAgB,EAChB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAItD,OAAO,EACL,WAAW,EACX,mBAAmB,EACnB,cAAc,EACd,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,EACpB,eAAe,EACf,4BAA4B,EAC5B,0BAA0B,EAC1B,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAI5B,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGjF,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,sBAAsB,EACtB,gBAAgB,EAChB,2BAA2B,EAC3B,6BAA6B,EAC7B,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,eAAe,EACf,cAAc,EACd,cAAc,EACd,uBAAuB,EACvB,iBAAiB,EACjB,YAAY,EACZ,gBAAgB,EAChB,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAG5B,cAAc,uBAAuB,CAAC;AAGtC,cAAc,uBAAuB,CAAC;AAGtC,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAG/F,cAAc,gBAAgB,CAAC;AAG/B,cAAc,qBAAqB,CAAC;AAGpC,cAAc,sBAAsB,CAAC;AAGrC,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,gBAAgB,CAAC;AAG/B,cAAc,sBAAsB,CAAC;AAGrC,cAAc,sBAAsB,CAAC;AAGrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAI1C,cAAc,oBAAoB,CAAC;AAGnC,cAAc,gBAAgB,CAAC;AAG/B,OAAO,EACL,UAAU,EACV,wBAAwB,EACxB,mBAAmB,EACnB,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,YAAY,EACZ,aAAa,EACb,aAAa,EACb,sBAAsB,EACtB,YAAY,GACb,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,cAAc,EACd,UAAU,EACV,gBAAgB,EAChB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAItD,OAAO,EACL,WAAW,EACX,mBAAmB,EACnB,cAAc,EACd,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,EACpB,eAAe,EACf,4BAA4B,EAC5B,0BAA0B,EAC1B,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAI5B,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGjF,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,sBAAsB,EACtB,gBAAgB,EAChB,2BAA2B,EAC3B,6BAA6B,EAC7B,eAAe,EACf,0BAA0B,EAC1B,uBAAuB,EACvB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,GACrB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,eAAe,EACf,cAAc,EACd,cAAc,EACd,uBAAuB,EACvB,iBAAiB,EACjB,YAAY,EACZ,gBAAgB,EAChB,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAG5B,cAAc,uBAAuB,CAAC;AAGtC,cAAc,uBAAuB,CAAC;AAGtC,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAG/F,cAAc,gBAAgB,CAAC;AAG/B,cAAc,qBAAqB,CAAC;AAGpC,cAAc,sBAAsB,CAAC;AAGrC,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC"}

package/packages/shared/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,cAAc,gBAAgB,CAAC;AAE/B,+CAA+C;AAC/C,cAAc,sBAAsB,CAAC;AAErC,2CAA2C;AAC3C,cAAc,sBAAsB,CAAC;AAErC,4DAA4D;AAC5D,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAE1C,kDAAkD;AAClD,2FAA2F;AAC3F,cAAc,oBAAoB,CAAC;AAEnC,iDAAiD;AACjD,cAAc,gBAAgB,CAAC;AAE/B,mDAAmD;AACnD,OAAO,EAGL,mBAAmB,EACnB,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAEzB,yBAAyB;AACzB,OAAO,EAKL,YAAY,GACb,MAAM,iBAAiB,CAAC;AAEzB,0CAA0C;AAC1C,OAAO,EAGL,gBAAgB,GAGjB,MAAM,iBAAiB,CAAC;AAEzB,iCAAiC;AACjC,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAEtD,gDAAgD;AAChD,kDAAkD;AAClD,OAAO,EAGL,cAAc,GAYf,MAAM,oBAAoB,CAAC;AAM5B,gDAAgD;AAChD,OAAO,EAGL,mBAAmB,EAMnB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAiBhC,qEAAqE;AACrE,cAAc,uBAAuB,CAAC;AAEtC,uDAAuD;AACvD,cAAc,uBAAuB,CAAC;AAEtC,iCAAiC;AACjC,cAAc,kBAAkB,CAAC;AAEjC,kCAAkC;AAClC,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D,uCAAuC;AACvC,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAE/F,kCAAkC;AAClC,cAAc,gBAAgB,CAAC;AAE/B,2CAA2C;AAC3C,cAAc,qBAAqB,CAAC;AAEpC,8BAA8B;AAC9B,cAAc,sBAAsB,CAAC;AAErC,oCAAoC;AACpC,cAAc,kBAAkB,CAAC;AAEjC,kDAAkD;AAClD,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,cAAc,gBAAgB,CAAC;AAE/B,+CAA+C;AAC/C,cAAc,sBAAsB,CAAC;AAErC,2CAA2C;AAC3C,cAAc,sBAAsB,CAAC;AAErC,4DAA4D;AAC5D,cAAc,oBAAoB,CAAC;AACnC,cAAc,2BAA2B,CAAC;AAE1C,kDAAkD;AAClD,2FAA2F;AAC3F,cAAc,oBAAoB,CAAC;AAEnC,iDAAiD;AACjD,cAAc,gBAAgB,CAAC;AAE/B,mDAAmD;AACnD,OAAO,EAGL,mBAAmB,EACnB,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAEzB,yBAAyB;AACzB,OAAO,EAKL,YAAY,GACb,MAAM,iBAAiB,CAAC;AAEzB,0CAA0C;AAC1C,OAAO,EAGL,gBAAgB,GAGjB,MAAM,iBAAiB,CAAC;AAEzB,iCAAiC;AACjC,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAEtD,gDAAgD;AAChD,kDAAkD;AAClD,OAAO,EAGL,cAAc,GAYf,MAAM,oBAAoB,CAAC;AAM5B,gDAAgD;AAChD,OAAO,EAGL,mBAAmB,EASnB,mBAAmB,GAEpB,MAAM,wBAAwB,CAAC;AAiBhC,qEAAqE;AACrE,cAAc,uBAAuB,CAAC;AAEtC,uDAAuD;AACvD,cAAc,uBAAuB,CAAC;AAEtC,iCAAiC;AACjC,cAAc,kBAAkB,CAAC;AAEjC,kCAAkC;AAClC,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D,uCAAuC;AACvC,OAAO,EAAE,mBAAmB,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAE/F,kCAAkC;AAClC,cAAc,gBAAgB,CAAC;AAE/B,2CAA2C;AAC3C,cAAc,qBAAqB,CAAC;AAEpC,8BAA8B;AAC9B,cAAc,sBAAsB,CAAC;AAErC,oCAAoC;AACpC,cAAc,kBAAkB,CAAC;AAEjC,kDAAkD;AAClD,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC"}

package/packages/shared/dist/types/bmadStatus.d.ts

@@ -50,6 +50,8 @@ export interface BmadStoryStatus {
     file: string;
     status: string;
     title?: string;
+    /** Latest QA gate decision: 'PASS' | 'CONCERNS' | 'FAIL' | 'WAIVED' */
+    gateResult?: string;
 }
 /** Epic with its stories */
 export interface BmadEpicStatus {