handmux 0.5.0

package/public/icons/logo.svg

@@ -0,0 +1,32 @@
+<svg width="512" height="512" viewBox="0 0 512 512" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <defs>
+    <linearGradient id="bg" x1="0" y1="0" x2="0" y2="512" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#16180f"/><stop offset="1" stop-color="#080907"/></linearGradient>
+    <radialGradient id="glow" cx="230" cy="262" r="250" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#74e6a0" stop-opacity="0.26"/><stop offset="1" stop-color="#74e6a0" stop-opacity="0"/></radialGradient>
+    <linearGradient id="body" x1="150" y1="120" x2="300" y2="420" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#aef9c8"/><stop offset="1" stop-color="#46d6a2"/></linearGradient>
+    <linearGradient id="a1" x1="300" y1="190" x2="372" y2="262" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#7fe9b8" stop-opacity="0.95"/><stop offset="1" stop-color="#7fe9b8" stop-opacity="0.12"/></linearGradient>
+    <linearGradient id="a2" x1="296" y1="150" x2="406" y2="262" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#6fe2ac" stop-opacity="0.7"/><stop offset="1" stop-color="#6fe2ac" stop-opacity="0.05"/></linearGradient>
+    <linearGradient id="a3" x1="292" y1="112" x2="446" y2="262" gradientUnits="userSpaceOnUse">
+      <stop offset="0" stop-color="#62dca4" stop-opacity="0.45"/><stop offset="1" stop-color="#62dca4" stop-opacity="0"/></linearGradient>
+    <filter id="soft" x="-50%" y="-50%" width="200%" height="200%"><feGaussianBlur stdDeviation="7" result="b"/><feMerge><feMergeNode in="b"/><feMergeNode in="SourceGraphic"/></feMerge></filter>
+  </defs>
+  <rect width="512" height="512" rx="116" fill="url(#bg)"/>
+  <rect width="512" height="512" rx="116" fill="url(#glow)"/>
+  <g transform="rotate(-7 221 281)">
+    <g fill="none" stroke-linecap="round">
+      <path d="M300 190 a74 74 0 0 1 70 70"   stroke="url(#a1)" stroke-width="15"/>
+      <path d="M296 148 a118 118 0 0 1 112 112" stroke="url(#a2)" stroke-width="14"/>
+      <path d="M292 108 a160 160 0 0 1 154 154" stroke="url(#a3)" stroke-width="13"/>
+    </g>
+    <g filter="url(#soft)"><rect x="146" y="150" width="150" height="262" rx="36" fill="url(#body)"/></g>
+    <rect x="163" y="184" width="116" height="194" rx="18" fill="#0a0b09"/>
+    <rect x="194" y="146" width="30" height="6" rx="3" fill="#0a0b09" opacity="0.45"/>
+    <rect x="206" y="396" width="30" height="6" rx="3" fill="#0a0b09" opacity="0.45"/>
+    <polyline points="188,236 212,266 188,296" fill="none" stroke="#aef9c8" stroke-width="12" stroke-linecap="round" stroke-linejoin="round"/>
+    <rect x="224" y="252" width="15" height="32" rx="3" fill="#aef9c8"/>
+  </g>
+</svg>

package/public/index.html

@@ -0,0 +1,105 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
+    <title>handmux</title>
+
+    <!-- Installable PWA: "Add to Home Screen" + standalone (no browser address bar). -->
+    <link rel="manifest" href="/manifest.webmanifest" />
+    <meta name="theme-color" content="#1a1b1e" />
+    <link rel="icon" type="image/png" href="/icons/icon-192.png" />
+    <!-- iOS Safari ignores the manifest's display mode, so these drive standalone + the
+         home-screen icon/label. "black" keeps the white status-bar text readable on the dark topbar. -->
+    <meta name="apple-mobile-web-app-capable" content="yes" />
+    <meta name="mobile-web-app-capable" content="yes" />
+    <meta name="apple-mobile-web-app-status-bar-style" content="black" />
+    <meta name="apple-mobile-web-app-title" content="handmux" />
+    <link rel="apple-touch-icon" href="/icons/apple-touch-icon.png" />
+
+    <!-- Inline boot splash: paints instantly (before the JS bundle loads) so a cold launch shows the
+         brand, not a blank dark screen. main.jsx calls window.__hideBootSplash() once React has painted;
+         a safety timer hides it even if the bundle never boots. Self-contained here — no app code. -->
+    <style>
+      html, body { margin: 0; background: #1a1b1e; } /* opaque dark from frame one — no wallpaper showing through */
+      #boot-splash { position: fixed; inset: 0; z-index: 9999; display: flex; flex-direction: column;
+        align-items: center; justify-content: center; gap: 22px; background: #1a1b1e;
+        transition: opacity .45s ease; }
+      #boot-splash.boot-hide { opacity: 0; pointer-events: none; }
+      .boot-mark { position: relative; width: 108px; height: 108px; display: flex;
+        align-items: center; justify-content: center; }
+      .boot-mark svg { width: 108px; height: 108px; border-radius: 24px; position: relative; z-index: 1; }
+      .boot-glow { position: absolute; inset: -42%; border-radius: 50%;
+        background: radial-gradient(circle, rgba(116,230,160,.42) 0%, rgba(116,230,160,0) 68%);
+        animation: bootGlow 2.4s ease-in-out infinite; }
+      @keyframes bootGlow { 0%,100% { transform: scale(.9); opacity: .5; } 50% { transform: scale(1.14); opacity: .95; } }
+      .boot-word { font: 600 22px/1 -apple-system, system-ui, sans-serif; letter-spacing: .5px; color: #e9efe9; }
+      .boot-dots { display: flex; gap: 7px; }
+      .boot-dots i { width: 6px; height: 6px; border-radius: 50%; background: #6fe2ac; opacity: .22;
+        animation: bootDot 1.3s ease-in-out infinite; }
+      .boot-dots i:nth-child(2) { animation-delay: .18s; }
+      .boot-dots i:nth-child(3) { animation-delay: .36s; }
+      @keyframes bootDot { 0%,100% { opacity: .22; transform: translateY(0); } 40% { opacity: 1; transform: translateY(-3px); } }
+      @media (prefers-reduced-motion: reduce) { .boot-glow, .boot-dots i { animation: none; opacity: .8; } }
+    </style>
+    <script type="module" crossorigin src="/assets/index-BUQ0R83h.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-BN-IwtP6.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" crossorigin href="/assets/index-BN-IwtP6.css"></noscript>
+  </head>
+  <body>
+    <div id="boot-splash" aria-hidden="true">
+      <div class="boot-mark">
+        <span class="boot-glow"></span>
+        <svg viewBox="0 0 512 512" fill="none" xmlns="http://www.w3.org/2000/svg">
+          <defs>
+            <linearGradient id="bsbg" x1="0" y1="0" x2="0" y2="512" gradientUnits="userSpaceOnUse">
+              <stop offset="0" stop-color="#16180f"/><stop offset="1" stop-color="#080907"/></linearGradient>
+            <radialGradient id="bsglow" cx="230" cy="262" r="250" gradientUnits="userSpaceOnUse">
+              <stop offset="0" stop-color="#74e6a0" stop-opacity="0.26"/><stop offset="1" stop-color="#74e6a0" stop-opacity="0"/></radialGradient>
+            <linearGradient id="bsbody" x1="150" y1="120" x2="300" y2="420" gradientUnits="userSpaceOnUse">
+              <stop offset="0" stop-color="#aef9c8"/><stop offset="1" stop-color="#46d6a2"/></linearGradient>
+            <linearGradient id="bsa1" x1="300" y1="190" x2="372" y2="262" gradientUnits="userSpaceOnUse">
+              <stop offset="0" stop-color="#7fe9b8" stop-opacity="0.95"/><stop offset="1" stop-color="#7fe9b8" stop-opacity="0.12"/></linearGradient>
+            <linearGradient id="bsa2" x1="296" y1="150" x2="406" y2="262" gradientUnits="userSpaceOnUse">
+              <stop offset="0" stop-color="#6fe2ac" stop-opacity="0.7"/><stop offset="1" stop-color="#6fe2ac" stop-opacity="0.05"/></linearGradient>
+            <linearGradient id="bsa3" x1="292" y1="112" x2="446" y2="262" gradientUnits="userSpaceOnUse">
+              <stop offset="0" stop-color="#62dca4" stop-opacity="0.45"/><stop offset="1" stop-color="#62dca4" stop-opacity="0"/></linearGradient>
+            <filter id="bssoft" x="-50%" y="-50%" width="200%" height="200%"><feGaussianBlur stdDeviation="7" result="b"/><feMerge><feMergeNode in="b"/><feMergeNode in="SourceGraphic"/></feMerge></filter>
+          </defs>
+          <rect width="512" height="512" rx="116" fill="url(#bsbg)"/>
+          <rect width="512" height="512" rx="116" fill="url(#bsglow)"/>
+          <g transform="rotate(-7 221 281)">
+            <g fill="none" stroke-linecap="round">
+              <path d="M300 190 a74 74 0 0 1 70 70" stroke="url(#bsa1)" stroke-width="15"/>
+              <path d="M296 148 a118 118 0 0 1 112 112" stroke="url(#bsa2)" stroke-width="14"/>
+              <path d="M292 108 a160 160 0 0 1 154 154" stroke="url(#bsa3)" stroke-width="13"/>
+            </g>
+            <g filter="url(#bssoft)"><rect x="146" y="150" width="150" height="262" rx="36" fill="url(#bsbody)"/></g>
+            <rect x="163" y="184" width="116" height="194" rx="18" fill="#0a0b09"/>
+            <rect x="194" y="146" width="30" height="6" rx="3" fill="#0a0b09" opacity="0.45"/>
+            <rect x="206" y="396" width="30" height="6" rx="3" fill="#0a0b09" opacity="0.45"/>
+            <polyline points="188,236 212,266 188,296" fill="none" stroke="#aef9c8" stroke-width="12" stroke-linecap="round" stroke-linejoin="round"/>
+            <rect x="224" y="252" width="15" height="32" rx="3" fill="#aef9c8"/>
+          </g>
+        </svg>
+      </div>
+      <div class="boot-word">handmux</div>
+      <div class="boot-dots"><i></i><i></i><i></i></div>
+    </div>
+    <div id="root"></div>
+    <script>
+      // Hide the splash once the app has painted (main.jsx), but keep it up at least ~650ms so the glow
+      // is actually seen, not a flicker. Safety: hide after 8s no matter what, so a failed boot never traps it.
+      window.__bootStart = Date.now();
+      window.__hideBootSplash = function () {
+        var el = document.getElementById('boot-splash');
+        if (!el || el.classList.contains('boot-hide')) return;
+        var wait = Math.max(0, 650 - (Date.now() - (window.__bootStart || 0)));
+        setTimeout(function () {
+          el.classList.add('boot-hide');
+          setTimeout(function () { if (el.parentNode) el.parentNode.removeChild(el); }, 500);
+        }, wait);
+      };
+      setTimeout(function () { window.__hideBootSplash(); }, 8000);
+    </script>
+  </body>
+</html>

package/public/manifest.webmanifest

@@ -0,0 +1,37 @@
+{
+  "name": "handmux",
+  "short_name": "handmux",
+  "description": "Mobile vibe coding — the same live tmux session on your computer and your phone.",
+  "lang": "en",
+  "start_url": ".",
+  "scope": ".",
+  "display": "standalone",
+  "background_color": "#1a1b1e",
+  "theme_color": "#1a1b1e",
+  "icons": [
+    { "src": "icons/icon-192.png", "sizes": "192x192", "type": "image/png", "purpose": "any maskable" },
+    { "src": "icons/icon-512.png", "sizes": "512x512", "type": "image/png", "purpose": "any maskable" }
+  ],
+  "share_target": {
+    "action": "/share-target",
+    "method": "POST",
+    "enctype": "multipart/form-data",
+    "params": {
+      "files": [
+        {
+          "name": "file",
+          "accept": [
+            "image/*", "text/*", "application/pdf", "application/json",
+            "application/msword",
+            "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+            "application/vnd.ms-excel",
+            "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+            "application/vnd.ms-powerpoint",
+            "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+            ".md", ".markdown", ".csv", ".log"
+          ]
+        }
+      ]
+    }
+  }
+}

package/public/offline.html

@@ -0,0 +1,50 @@
+<!doctype html>
+<html lang="zh">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
+    <title>tmux web</title>
+    <!-- Self-contained: inline CSS + inline JS, NO external resources, so this page is immutable and
+         works with no network. The service worker caches it once and serves it when a navigation
+         can't reach the network (replacing the browser's own ERR_NETWORK_CHANGED error page). -->
+    <style>
+      html, body {
+        margin: 0; height: 100%; background: #1a1b1e; color: #9aa0a6;
+        font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, monospace;
+        display: flex; align-items: center; justify-content: center;
+      }
+      .box { text-align: center; }
+      .dots { display: flex; gap: 6px; justify-content: center; }
+      .dot {
+        width: 8px; height: 8px; border-radius: 50%; background: #4a7cff;
+        opacity: 0.3; animation: blink 1.2s infinite;
+      }
+      .dot:nth-child(2) { animation-delay: 0.2s; }
+      .dot:nth-child(3) { animation-delay: 0.4s; }
+      @keyframes blink { 0%, 100% { opacity: 0.3; } 50% { opacity: 1; } }
+      p { margin-top: 16px; font-size: 14px; letter-spacing: 0.05em; }
+    </style>
+  </head>
+  <body>
+    <div class="box">
+      <div class="dots"><span class="dot"></span><span class="dot"></span><span class="dot"></span></div>
+      <p>连接中…</p>
+    </div>
+    <script>
+      // We are the SW's offline fallback. Probe connectivity and reload into the real app the moment
+      // the network is back. The probe is a normal fetch (mode !== 'navigate'), so the SW won't
+      // intercept it — it goes straight to the network. Reloading while still offline just re-shows
+      // this page (the browser never gets to show its own error page).
+      (function () {
+        function probe() {
+          fetch('/', { cache: 'no-store' })
+            .then(function (r) { if (r && r.ok) location.reload(); })
+            .catch(function () { /* still offline — keep waiting */ });
+        }
+        setInterval(probe, 2000);
+        addEventListener('online', probe);
+        probe();
+      })();
+    </script>
+  </body>
+</html>

package/public/sw.js

@@ -0,0 +1,117 @@
+// handmux service worker — single purpose: replace the browser's own cold-launch network-error
+// page (e.g. Chromium's ERR_NETWORK_CHANGED white screen) with our offline fallback, then let the
+// page auto-retry into the real app once the network is ready. It caches EXACTLY one immutable file
+// (offline.html) and NEVER caches app code or /api — every launch fetches the latest app from the
+// network, so deploys always take effect (no stale-shell trap).
+// See docs/superpowers/specs/2026-06-04-cold-launch-offline-shell-design.md
+const CACHE = 'tmw-offline-v1';
+const OFFLINE_URL = '/offline.html';
+// Web Share Target intake: a shared file arrives as a POST navigation to /share-target. We can't hand
+// a File to the page across the redirect, so we stash it in this cache; the page consumes it on boot
+// (see src/shareIntake.js — these two constants MUST match its SHARE_CACHE / SHARE_PREFIX).
+const SHARE_CACHE = 'tmw-share-v1';
+const SHARE_PREFIX = '/__share__/';
+const SHARE_ACTION = '/share-target';
+
+self.addEventListener('install', (event) => {
+  // skipWaiting is chained AFTER the cache write so we never activate before offline.html is cached.
+  event.waitUntil(
+    caches.open(CACHE).then((c) => c.add(OFFLINE_URL)).then(() => self.skipWaiting()),
+  );
+});
+
+self.addEventListener('activate', (event) => {
+  // Keep both our caches: the offline shell AND any pending share (a file shared just before an SW
+  // update must survive until the page consumes it). Drop everything else.
+  const KEEP = new Set([CACHE, SHARE_CACHE]);
+  event.waitUntil(
+    caches.keys()
+      .then((keys) => Promise.all(keys.filter((k) => !KEEP.has(k)).map((k) => caches.delete(k))))
+      .then(() => self.clients.claim()),
+  );
+});
+
+// Stash a shared file, then redirect into the app with ?share so it knows to pick it up. The File
+// can't ride the redirect, so we cache it under SHARE_PREFIX+name (the name rides the key; the type
+// rides the cached Response's Content-Type). Failures still redirect — the page just finds nothing.
+async function handleShareTarget(request) {
+  try {
+    const form = await request.formData();
+    const files = form.getAll('file').filter((f) => f && typeof f.name === 'string');
+    if (files.length) {
+      const cache = await caches.open(SHARE_CACHE);
+      for (const k of await cache.keys()) await cache.delete(k); // keep only the latest share
+      const f = files[0];
+      await cache.put(
+        SHARE_PREFIX + encodeURIComponent(f.name || 'shared'),
+        new Response(f, { headers: { 'Content-Type': f.type || 'application/octet-stream' } }),
+      );
+    }
+  } catch { /* fall through to the redirect; the page finds no pending file and carries on */ }
+  return Response.redirect('/?share=1', 303);
+}
+
+self.addEventListener('fetch', (event) => {
+  const req = event.request;
+  // Web Share Target POST — intercept before the navigation guard below (a share POST IS a navigate).
+  if (req.method === 'POST' && new URL(req.url).pathname === SHARE_ACTION) {
+    event.respondWith(handleShareTarget(req));
+    return;
+  }
+  // Only guard top-level navigations. Everything else (JS/CSS/fonts/icons and /api) falls through
+  // to the browser's default network handling — the SW neither caches nor intercepts it.
+  if (req.mode !== 'navigate') return;
+  // Network-first: a normal launch gets the freshest index.html; only when the fetch REJECTS (the
+  // radio-wakeup transient that makes the browser show its error page) do we serve the offline page.
+  event.respondWith(fetch(req).catch(() => caches.match(OFFLINE_URL)));
+});
+
+// --- Web Push ---------------------------------------------------------------------------------
+// Show a notification for each push. `tag` collapses repeats: a second push with the same tag
+// REPLACES the visible notification instead of stacking, so a given pane never shows a pile of
+// stale alerts. iOS requires us to actually show something on every push, which we always do.
+self.addEventListener('push', (event) => {
+  let d = {};
+  try { d = event.data ? event.data.json() : {}; }
+  catch { d = { body: event.data ? event.data.text() : '' }; }
+  event.waitUntil(self.registration.showNotification(d.title || 'handmux', {
+    body: d.body || '',
+    tag: d.tag || 'handmux',
+    renotify: false,
+    // icon = the large right-side logo. We MUST set it: HyperOS/MIUI always reserves that slot, and an
+    // empty `icon` makes it back-fill the slot with the PWA's own icon at a stray size (the `>` reads as
+    // a lone "v") plus leaves a gap. An explicit app icon fills the slot cleanly.
+    icon: '/icons/icon-192.png',
+    // badge = the small monochrome status-bar icon. Android reads only its ALPHA and tints the
+    // silhouette; an opaque image (icon-192 has no alpha) can't be used, so it falls back to the
+    // browser's own Chrome logo. badge-96.png is a white `>▮` silhouette on transparent → our mark.
+    badge: '/icons/badge-96.png',
+    data: d.data || {},
+  }));
+});
+
+// Tapping the notification deep-links to the pane: focus an open client (and tell it where to go),
+// or open a new window at the deep-link hash.
+self.addEventListener('notificationclick', (event) => {
+  event.notification.close();
+  const d = event.notification.data || {};
+  const e = encodeURIComponent;
+  const url = d.session
+    ? `/#/s/${e(d.session)}/w/${e(d.window || '')}/p/${e(d.pane || '')}`
+    : '/';
+  event.waitUntil((async () => {
+    const all = await self.clients.matchAll({ type: 'window', includeUncontrolled: true });
+    const open = all.find((c) => 'focus' in c);
+    if (open) {
+      await open.focus();
+      // Prefer navigate(): it changes the client URL, so the target survives even a backgrounded tab
+      // the browser discarded (it reloads into the deep-link hash, which the boot effect reads).
+      // postMessage is a fallback for engines without WindowClient.navigate. URL format MUST match
+      // hashRoute.readRoute()/buildDeepLink.
+      if ('navigate' in open) { try { await open.navigate(url); return; } catch { /* fall back ↓ */ } }
+      open.postMessage({ type: 'navigate', session: d.session, window: d.window, pane: d.pane });
+      return;
+    }
+    return self.clients.openWindow(url);
+  })());
+});

package/src/appName.js

@@ -0,0 +1,23 @@
+// Runtime app-name injection. The web bundle ships prebuilt, so a user's custom name (set at
+// `handmux start --name`) can't be baked at build time — instead the server rewrites the name into
+// the shell HTML and the PWA manifest as it serves them. Pure string/object transforms so they're
+// unit-testable; the server side-effects (read file / send) live in server.js.
+
+const escAttr = (s) => String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
+  .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+
+// Replace the browser-tab title and the iOS home-screen label in index.html. Matches by tag/attr,
+// not by the default text, so it survives a changed default. No-op when a tag is absent.
+export function applyAppName(html, name) {
+  if (!name) return html;
+  const e = escAttr(name);
+  return html
+    .replace(/<title>[^<]*<\/title>/, `<title>${e}</title>`)
+    .replace(/(<meta name="apple-mobile-web-app-title" content=")[^"]*(")/, `$1${e}$2`);
+}
+
+// Override the PWA install name (Android uses short_name; both set so home-screen + app list agree).
+export function applyManifestName(manifest, name) {
+  if (!name) return manifest;
+  return { ...manifest, name, short_name: name };
+}

package/src/asr/iflyConfig.js

@@ -0,0 +1,10 @@
+// server/src/asr/iflyConfig.js
+// Read iFlytek IAT credentials lazily from env (default process.env) so it's injectable in tests.
+// app_id is a public identifier (safe to hand the browser); apiKey/apiSecret never leave the server.
+export function asrConfig(env = process.env) {
+  return { appId: env.XFYUN_APPID || '', apiKey: env.XFYUN_APIKEY || '', apiSecret: env.XFYUN_APISECRET || '' };
+}
+export function isAsrConfigured(env = process.env) {
+  const c = asrConfig(env);
+  return !!(c.appId && c.apiKey && c.apiSecret);
+}

package/src/asr/iflySign.js

@@ -0,0 +1,16 @@
+import { createHmac } from 'node:crypto';
+
+// Build a fully-signed iFlytek IAT v2 WebSocket URL. The secret (apiSecret) is used only here on the
+// server — the browser receives only the resulting URL (HMAC output, not the key). `host`/`date` are
+// injectable so this is deterministic and unit-testable; production passes host='iat-api.xfyun.cn'
+// and date=new Date().toUTCString() (RFC1123 GMT, iFlytek allows ±300s skew).
+export function buildIatSignedUrl({ appId, apiKey, apiSecret, host = 'iat-api.xfyun.cn', date }) {
+  const requestLine = 'GET /v2/iat HTTP/1.1';
+  const signatureOrigin = `host: ${host}\ndate: ${date}\n${requestLine}`;
+  const signature = createHmac('sha256', apiSecret).update(signatureOrigin).digest('base64');
+  const authorizationOrigin =
+    `api_key="${apiKey}", algorithm="hmac-sha256", headers="host date request-line", signature="${signature}"`;
+  const authorization = Buffer.from(authorizationOrigin, 'utf8').toString('base64');
+  const qs = new URLSearchParams({ authorization, date, host });
+  return { url: `wss://${host}/v2/iat?${qs.toString()}`, appId };
+}

package/src/auth.js

@@ -0,0 +1,30 @@
+import crypto from 'node:crypto';
+
+export function loadToken(env = process.env) {
+  let token = env.HANDMUX_TOKEN;
+  if (!token) {
+    token = crypto.randomBytes(24).toString('base64url');
+    console.log(`[handmux] no HANDMUX_TOKEN set; generated token: ${token}`);
+  }
+  return token;
+}
+
+const sha = (s) => crypto.createHash('sha256').update(String(s)).digest();
+
+export function tokenEquals(a, b) {
+  return crypto.timingSafeEqual(sha(a), sha(b));
+}
+
+export function bearerFrom(header) {
+  if (!header) return null;
+  const m = /^Bearer (.+)$/.exec(header);
+  return m ? m[1] : null;
+}
+
+export function expressAuth(token) {
+  return (req, res, next) => {
+    const provided = bearerFrom(req.get('authorization'));
+    if (provided && tokenEquals(provided, token)) return next();
+    res.status(401).json({ error: 'unauthorized' });
+  };
+}