hermes-web-ui 0.4.3 → 0.4.4

package/dist/server/index.js

@@ -2172,7 +2172,7 @@ var require_content_disposition = __commonJS({
     "use strict";
     module2.exports = contentDisposition;
     module2.exports.parse = parse2;
-    var basename2 = require("path").basename;
+    var basename4 = require("path").basename;
     var Buffer2 = require_safe_buffer().Buffer;
     var ENCODE_URL_ATTR_CHAR_REGEXP = /[\x00-\x20"'()*,/:;<=>?@[\\\]{}\x7f]/g;
     var HEX_ESCAPE_REGEXP = /%[0-9A-Fa-f]{2}/;
@@ -2208,9 +2208,9 @@ var require_content_disposition = __commonJS({
       if (typeof fallback === "string" && NON_LATIN1_REGEXP.test(fallback)) {
         throw new TypeError("fallback must be ISO-8859-1 string");
       }
-      var name = basename2(filename);
+      var name = basename4(filename);
       var isQuotedString = TEXT_REGEXP.test(name);
-      var fallbackName = typeof fallback !== "string" ? fallback && getlatin1(name) : basename2(fallback);
+      var fallbackName = typeof fallback !== "string" ? fallback && getlatin1(name) : basename4(fallback);
       var hasFallback = typeof fallbackName === "string" && fallbackName !== name;
       if (hasFallback || !isQuotedString || HEX_ESCAPE_REGEXP.test(name)) {
         params["filename*"] = name;
@@ -10866,7 +10866,7 @@ var require_mime_types = __commonJS({
   "node_modules/mime-types/index.js"(exports2) {
     "use strict";
     var db = require_mime_db();
-    var extname = require("path").extname;
+    var extname2 = require("path").extname;
     var EXTRACT_TYPE_REGEXP = /^\s*([^;\s]*)(?:;|\s|$)/;
     var TEXT_TYPE_REGEXP = /^text\//i;
     exports2.charset = charset;
@@ -10920,7 +10920,7 @@ var require_mime_types = __commonJS({
       if (!path || typeof path !== "string") {
         return false;
       }
-      var extension3 = extname("x." + path).toLowerCase().substr(1);
+      var extension3 = extname2("x." + path).toLowerCase().substr(1);
       if (!extension3) {
         return false;
       }
@@ -11247,7 +11247,7 @@ var require_type_is = __commonJS({
     module2.exports = typeofrequest;
     module2.exports.is = typeis2;
     module2.exports.hasBody = hasbody;
-    module2.exports.normalize = normalize;
+    module2.exports.normalize = normalize2;
     module2.exports.match = mimeMatch;
     function typeis2(value, types_) {
       var i;
@@ -11267,7 +11267,7 @@ var require_type_is = __commonJS({
       }
       var type2;
       for (i = 0; i < types2.length; i++) {
-        if (mimeMatch(normalize(type2 = types2[i]), val)) {
+        if (mimeMatch(normalize2(type2 = types2[i]), val)) {
           return type2[0] === "+" || type2.indexOf("*") !== -1 ? val : type2;
         }
       }
@@ -11290,7 +11290,7 @@ var require_type_is = __commonJS({
       var value = req.headers["content-type"];
       return typeis2(value, types2);
     }
-    function normalize(type2) {
+    function normalize2(type2) {
       if (typeof type2 !== "string") {
         return false;
       }
@@ -11420,10 +11420,10 @@ var require_statuses = __commonJS({
   "node_modules/koa/node_modules/statuses/index.js"(exports2, module2) {
     "use strict";
     var codes = require_codes();
-    module2.exports = status2;
-    status2.STATUS_CODES = codes;
-    status2.codes = populateStatusesMap(status2, codes);
-    status2.redirect = {
+    module2.exports = status3;
+    status3.STATUS_CODES = codes;
+    status3.codes = populateStatusesMap(status3, codes);
+    status3.redirect = {
       300: true,
       301: true,
       302: true,
@@ -11432,12 +11432,12 @@ var require_statuses = __commonJS({
       307: true,
       308: true
     };
-    status2.empty = {
+    status3.empty = {
       204: true,
       205: true,
       304: true
     };
-    status2.retry = {
+    status3.retry = {
       502: true,
       503: true,
       504: true
@@ -11446,17 +11446,17 @@ var require_statuses = __commonJS({
       var arr = [];
       Object.keys(codes2).forEach(function forEachCode(code) {
         var message2 = codes2[code];
-        var status3 = Number(code);
-        statuses[status3] = message2;
-        statuses[message2] = status3;
-        statuses[message2.toLowerCase()] = status3;
-        arr.push(status3);
+        var status4 = Number(code);
+        statuses[status4] = message2;
+        statuses[message2] = status4;
+        statuses[message2.toLowerCase()] = status4;
+        arr.push(status4);
       });
       return arr;
     }
-    function status2(code) {
+    function status3(code) {
       if (typeof code === "number") {
-        if (!status2[code]) throw new Error("invalid status code: " + code);
+        if (!status3[code]) throw new Error("invalid status code: " + code);
         return code;
       }
       if (typeof code !== "string") {
@@ -11464,10 +11464,10 @@ var require_statuses = __commonJS({
       }
       var n = parseInt(code, 10);
       if (!isNaN(n)) {
-        if (!status2[n]) throw new Error("invalid status code: " + n);
+        if (!status3[n]) throw new Error("invalid status code: " + n);
         return n;
       }
-      n = status2[code.toLowerCase()];
+      n = status3[code.toLowerCase()];
       if (!n) throw new Error('invalid status message: "' + code + '"');
       return n;
     }
@@ -11601,24 +11601,24 @@ var require_vary = __commonJS({
     function parse2(header) {
       var end = 0;
       var list6 = [];
-      var start3 = 0;
+      var start4 = 0;
       for (var i = 0, len = header.length; i < len; i++) {
         switch (header.charCodeAt(i)) {
           case 32:
-            if (start3 === end) {
-              start3 = end = i + 1;
+            if (start4 === end) {
+              start4 = end = i + 1;
             }
             break;
           case 44:
-            list6.push(header.substring(start3, end));
-            start3 = end = i + 1;
+            list6.push(header.substring(start4, end));
+            start4 = end = i + 1;
             break;
           default:
             end = i + 1;
             break;
         }
       }
-      list6.push(header.substring(start3, end));
+      list6.push(header.substring(start4, end));
       return list6;
     }
     function vary(res, field) {
@@ -11675,7 +11675,7 @@ var require_response = __commonJS({
     var statuses = require_statuses();
     var destroy = require_destroy();
     var assert = require("assert");
-    var extname = require("path").extname;
+    var extname2 = require("path").extname;
     var vary = require_vary();
     var only = require_only();
     var util3 = require("util");
@@ -11901,7 +11901,7 @@ var require_response = __commonJS({
        * @api public
        */
       attachment(filename, options) {
-        if (filename) this.type = extname(filename);
+        if (filename) this.type = extname2(filename);
         this.set("Content-Disposition", contentDisposition(filename, options));
       },
       /**
@@ -12693,19 +12693,19 @@ var require_http_errors = __commonJS({
     module2.exports.HttpError = createHttpErrorConstructor();
     module2.exports.isHttpError = createIsHttpErrorFunction(module2.exports.HttpError);
     populateConstructorExports(module2.exports, statuses.codes, module2.exports.HttpError);
-    function codeClass(status2) {
-      return Number(String(status2).charAt(0) + "00");
+    function codeClass(status3) {
+      return Number(String(status3).charAt(0) + "00");
     }
     function createError() {
       var err;
       var msg;
-      var status2 = 500;
+      var status3 = 500;
       var props = {};
       for (var i = 0; i < arguments.length; i++) {
         var arg = arguments[i];
         if (arg instanceof Error) {
           err = arg;
-          status2 = err.status || err.statusCode || status2;
+          status3 = err.status || err.statusCode || status3;
           continue;
         }
         switch (typeof arg) {
@@ -12713,7 +12713,7 @@ var require_http_errors = __commonJS({
             msg = arg;
             break;
           case "number":
-            status2 = arg;
+            status3 = arg;
             if (i !== 0) {
               deprecate2("non-first-argument status code; replace with createError(" + arg + ", ...)");
             }
@@ -12723,20 +12723,20 @@ var require_http_errors = __commonJS({
             break;
         }
       }
-      if (typeof status2 === "number" && (status2 < 400 || status2 >= 600)) {
+      if (typeof status3 === "number" && (status3 < 400 || status3 >= 600)) {
         deprecate2("non-error status code; use only 4xx or 5xx status codes");
       }
-      if (typeof status2 !== "number" || !statuses[status2] && (status2 < 400 || status2 >= 600)) {
-        status2 = 500;
+      if (typeof status3 !== "number" || !statuses[status3] && (status3 < 400 || status3 >= 600)) {
+        status3 = 500;
       }
-      var HttpError3 = createError[status2] || createError[codeClass(status2)];
+      var HttpError3 = createError[status3] || createError[codeClass(status3)];
       if (!err) {
-        err = HttpError3 ? new HttpError3(msg) : new Error(msg || statuses[status2]);
+        err = HttpError3 ? new HttpError3(msg) : new Error(msg || statuses[status3]);
         Error.captureStackTrace(err, createError);
       }
-      if (!HttpError3 || !(err instanceof HttpError3) || err.status !== status2) {
-        err.expose = status2 < 500;
-        err.status = err.statusCode = status2;
+      if (!HttpError3 || !(err instanceof HttpError3) || err.status !== status3) {
+        err.expose = status3 < 500;
+        err.status = err.statusCode = status3;
       }
       for (var key in props) {
         if (key !== "status" && key !== "statusCode") {
@@ -13357,10 +13357,10 @@ var require_statuses2 = __commonJS({
   "node_modules/http-assert/node_modules/statuses/index.js"(exports2, module2) {
     "use strict";
     var codes = require_codes2();
-    module2.exports = status2;
-    status2.STATUS_CODES = codes;
-    status2.codes = populateStatusesMap(status2, codes);
-    status2.redirect = {
+    module2.exports = status3;
+    status3.STATUS_CODES = codes;
+    status3.codes = populateStatusesMap(status3, codes);
+    status3.redirect = {
       300: true,
       301: true,
       302: true,
@@ -13369,12 +13369,12 @@ var require_statuses2 = __commonJS({
       307: true,
       308: true
     };
-    status2.empty = {
+    status3.empty = {
       204: true,
       205: true,
       304: true
     };
-    status2.retry = {
+    status3.retry = {
       502: true,
       503: true,
       504: true
@@ -13383,17 +13383,17 @@ var require_statuses2 = __commonJS({
       var arr = [];
       Object.keys(codes2).forEach(function forEachCode(code) {
         var message2 = codes2[code];
-        var status3 = Number(code);
-        statuses[status3] = message2;
-        statuses[message2] = status3;
-        statuses[message2.toLowerCase()] = status3;
-        arr.push(status3);
+        var status4 = Number(code);
+        statuses[status4] = message2;
+        statuses[message2] = status4;
+        statuses[message2.toLowerCase()] = status4;
+        arr.push(status4);
       });
       return arr;
     }
-    function status2(code) {
+    function status3(code) {
       if (typeof code === "number") {
-        if (!status2[code]) throw new Error("invalid status code: " + code);
+        if (!status3[code]) throw new Error("invalid status code: " + code);
         return code;
       }
       if (typeof code !== "string") {
@@ -13401,10 +13401,10 @@ var require_statuses2 = __commonJS({
       }
       var n = parseInt(code, 10);
       if (!isNaN(n)) {
-        if (!status2[n]) throw new Error("invalid status code: " + n);
+        if (!status3[n]) throw new Error("invalid status code: " + n);
         return n;
       }
-      n = status2[code.toLowerCase()];
+      n = status3[code.toLowerCase()];
       if (!n) throw new Error('invalid status message: "' + code + '"');
       return n;
     }
@@ -13424,19 +13424,19 @@ var require_http_errors2 = __commonJS({
     module2.exports.HttpError = createHttpErrorConstructor();
     module2.exports.isHttpError = createIsHttpErrorFunction(module2.exports.HttpError);
     populateConstructorExports(module2.exports, statuses.codes, module2.exports.HttpError);
-    function codeClass(status2) {
-      return Number(String(status2).charAt(0) + "00");
+    function codeClass(status3) {
+      return Number(String(status3).charAt(0) + "00");
     }
     function createError() {
       var err;
       var msg;
-      var status2 = 500;
+      var status3 = 500;
       var props = {};
       for (var i = 0; i < arguments.length; i++) {
         var arg = arguments[i];
         if (arg instanceof Error) {
           err = arg;
-          status2 = err.status || err.statusCode || status2;
+          status3 = err.status || err.statusCode || status3;
           continue;
         }
         switch (typeof arg) {
@@ -13444,7 +13444,7 @@ var require_http_errors2 = __commonJS({
             msg = arg;
             break;
           case "number":
-            status2 = arg;
+            status3 = arg;
             if (i !== 0) {
               deprecate2("non-first-argument status code; replace with createError(" + arg + ", ...)");
             }
@@ -13454,20 +13454,20 @@ var require_http_errors2 = __commonJS({
             break;
         }
       }
-      if (typeof status2 === "number" && (status2 < 400 || status2 >= 600)) {
+      if (typeof status3 === "number" && (status3 < 400 || status3 >= 600)) {
         deprecate2("non-error status code; use only 4xx or 5xx status codes");
       }
-      if (typeof status2 !== "number" || !statuses[status2] && (status2 < 400 || status2 >= 600)) {
-        status2 = 500;
+      if (typeof status3 !== "number" || !statuses[status3] && (status3 < 400 || status3 >= 600)) {
+        status3 = 500;
       }
-      var HttpError3 = createError[status2] || createError[codeClass(status2)];
+      var HttpError3 = createError[status3] || createError[codeClass(status3)];
       if (!err) {
-        err = HttpError3 ? new HttpError3(msg) : new Error(msg || statuses[status2]);
+        err = HttpError3 ? new HttpError3(msg) : new Error(msg || statuses[status3]);
         Error.captureStackTrace(err, createError);
       }
-      if (!HttpError3 || !(err instanceof HttpError3) || err.status !== status2) {
-        err.expose = status2 < 500;
-        err.status = err.statusCode = status2;
+      if (!HttpError3 || !(err instanceof HttpError3) || err.status !== status3) {
+        err.expose = status3 < 500;
+        err.status = err.statusCode = status3;
       }
       for (var key in props) {
         if (key !== "status" && key !== "statusCode") {
@@ -13698,33 +13698,33 @@ var require_http_assert = __commonJS({
     var createError = require_http_errors2();
     var eql = require_deep_equal();
     module2.exports = assert;
-    function assert(value, status2, msg, opts) {
+    function assert(value, status3, msg, opts) {
       if (value) return;
-      throw createError(status2, msg, opts);
+      throw createError(status3, msg, opts);
     }
-    assert.fail = function(status2, msg, opts) {
-      assert(false, status2, msg, opts);
+    assert.fail = function(status3, msg, opts) {
+      assert(false, status3, msg, opts);
     };
-    assert.equal = function(a, b, status2, msg, opts) {
-      assert(a == b, status2, msg, opts);
+    assert.equal = function(a, b, status3, msg, opts) {
+      assert(a == b, status3, msg, opts);
     };
-    assert.notEqual = function(a, b, status2, msg, opts) {
-      assert(a != b, status2, msg, opts);
+    assert.notEqual = function(a, b, status3, msg, opts) {
+      assert(a != b, status3, msg, opts);
     };
-    assert.ok = function(value, status2, msg, opts) {
-      assert(value, status2, msg, opts);
+    assert.ok = function(value, status3, msg, opts) {
+      assert(value, status3, msg, opts);
     };
-    assert.strictEqual = function(a, b, status2, msg, opts) {
-      assert(a === b, status2, msg, opts);
+    assert.strictEqual = function(a, b, status3, msg, opts) {
+      assert(a === b, status3, msg, opts);
     };
-    assert.notStrictEqual = function(a, b, status2, msg, opts) {
-      assert(a !== b, status2, msg, opts);
+    assert.notStrictEqual = function(a, b, status3, msg, opts) {
+      assert(a !== b, status3, msg, opts);
     };
-    assert.deepEqual = function(a, b, status2, msg, opts) {
-      assert(eql(a, b), status2, msg, opts);
+    assert.deepEqual = function(a, b, status3, msg, opts) {
+      assert(eql(a, b), status3, msg, opts);
     };
-    assert.notDeepEqual = function(a, b, status2, msg, opts) {
-      assert(!eql(a, b), status2, msg, opts);
+    assert.notDeepEqual = function(a, b, status3, msg, opts) {
+      assert(!eql(a, b), status3, msg, opts);
     };
   }
 });
@@ -15301,24 +15301,24 @@ var require_fresh = __commonJS({
     function parseTokenList(str2) {
       var end = 0;
       var list6 = [];
-      var start3 = 0;
+      var start4 = 0;
       for (var i = 0, len = str2.length; i < len; i++) {
         switch (str2.charCodeAt(i)) {
           case 32:
-            if (start3 === end) {
-              start3 = end = i + 1;
+            if (start4 === end) {
+              start4 = end = i + 1;
             }
             break;
           case 44:
-            list6.push(str2.substring(start3, end));
-            start3 = end = i + 1;
+            list6.push(str2.substring(start4, end));
+            start4 = end = i + 1;
             break;
           default:
             end = i + 1;
             break;
         }
       }
-      list6.push(str2.substring(start3, end));
+      list6.push(str2.substring(start4, end));
       return list6;
     }
   }
@@ -15958,9 +15958,9 @@ var require_co = __commonJS({
     function co(gen) {
       var ctx = this;
       var args2 = slice.call(arguments, 1);
-      return new Promise(function(resolve10, reject) {
+      return new Promise(function(resolve11, reject) {
         if (typeof gen === "function") gen = gen.apply(ctx, args2);
-        if (!gen || typeof gen.next !== "function") return resolve10(gen);
+        if (!gen || typeof gen.next !== "function") return resolve11(gen);
         onFulfilled();
         function onFulfilled(res) {
           var ret;
@@ -15981,7 +15981,7 @@ var require_co = __commonJS({
           next(ret);
         }
         function next(ret) {
-          if (ret.done) return resolve10(ret.value);
+          if (ret.done) return resolve11(ret.value);
           var value = toPromise.call(ctx, ret.value);
           if (value && isPromise(value)) return value.then(onFulfilled, onRejected);
           return onRejected(new TypeError('You may only yield a function, promise, generator, array, or object, but the following object was passed: "' + String(ret.value) + '"'));
@@ -15999,11 +15999,11 @@ var require_co = __commonJS({
     }
     function thunkToPromise(fn2) {
       var ctx = this;
-      return new Promise(function(resolve10, reject) {
+      return new Promise(function(resolve11, reject) {
         fn2.call(ctx, function(err, res) {
           if (err) return reject(err);
           if (arguments.length > 2) res = slice.call(arguments, 1);
-          resolve10(res);
+          resolve11(res);
         });
       });
     }
@@ -16640,11 +16640,11 @@ var require_statuses3 = __commonJS({
   "node_modules/statuses/index.js"(exports2, module2) {
     "use strict";
     var codes = require_codes3();
-    module2.exports = status2;
-    status2.message = codes;
-    status2.code = createMessageToStatusCodeMap(codes);
-    status2.codes = createStatusCodeList(codes);
-    status2.redirect = {
+    module2.exports = status3;
+    status3.message = codes;
+    status3.code = createMessageToStatusCodeMap(codes);
+    status3.codes = createStatusCodeList(codes);
+    status3.redirect = {
       300: true,
       301: true,
       302: true,
@@ -16653,12 +16653,12 @@ var require_statuses3 = __commonJS({
       307: true,
       308: true
     };
-    status2.empty = {
+    status3.empty = {
       204: true,
       205: true,
       304: true
     };
-    status2.retry = {
+    status3.retry = {
       502: true,
       503: true,
       504: true
@@ -16667,8 +16667,8 @@ var require_statuses3 = __commonJS({
       var map2 = {};
       Object.keys(codes2).forEach(function forEachCode(code) {
         var message2 = codes2[code];
-        var status3 = Number(code);
-        map2[message2.toLowerCase()] = status3;
+        var status4 = Number(code);
+        map2[message2.toLowerCase()] = status4;
       });
       return map2;
     }
@@ -16679,18 +16679,18 @@ var require_statuses3 = __commonJS({
     }
     function getStatusCode(message2) {
       var msg = message2.toLowerCase();
-      if (!Object.prototype.hasOwnProperty.call(status2.code, msg)) {
+      if (!Object.prototype.hasOwnProperty.call(status3.code, msg)) {
         throw new Error('invalid status message: "' + message2 + '"');
       }
-      return status2.code[msg];
+      return status3.code[msg];
     }
     function getStatusMessage(code) {
-      if (!Object.prototype.hasOwnProperty.call(status2.message, code)) {
+      if (!Object.prototype.hasOwnProperty.call(status3.message, code)) {
         throw new Error("invalid status code: " + code);
       }
-      return status2.message[code];
+      return status3.message[code];
     }
-    function status2(code) {
+    function status3(code) {
       if (typeof code === "number") {
         return getStatusMessage(code);
       }
@@ -16719,22 +16719,22 @@ var require_http_errors3 = __commonJS({
     module2.exports.HttpError = createHttpErrorConstructor();
     module2.exports.isHttpError = createIsHttpErrorFunction(module2.exports.HttpError);
     populateConstructorExports(module2.exports, statuses.codes, module2.exports.HttpError);
-    function codeClass(status2) {
-      return Number(String(status2).charAt(0) + "00");
+    function codeClass(status3) {
+      return Number(String(status3).charAt(0) + "00");
     }
     function createError() {
       var err;
       var msg;
-      var status2 = 500;
+      var status3 = 500;
       var props = {};
       for (var i = 0; i < arguments.length; i++) {
         var arg = arguments[i];
         var type2 = typeof arg;
         if (type2 === "object" && arg instanceof Error) {
           err = arg;
-          status2 = err.status || err.statusCode || status2;
+          status3 = err.status || err.statusCode || status3;
         } else if (type2 === "number" && i === 0) {
-          status2 = arg;
+          status3 = arg;
         } else if (type2 === "string") {
           msg = arg;
         } else if (type2 === "object") {
@@ -16743,20 +16743,20 @@ var require_http_errors3 = __commonJS({
           throw new TypeError("argument #" + (i + 1) + " unsupported type " + type2);
         }
       }
-      if (typeof status2 === "number" && (status2 < 400 || status2 >= 600)) {
+      if (typeof status3 === "number" && (status3 < 400 || status3 >= 600)) {
         deprecate2("non-error status code; use only 4xx or 5xx status codes");
       }
-      if (typeof status2 !== "number" || !statuses.message[status2] && (status2 < 400 || status2 >= 600)) {
-        status2 = 500;
+      if (typeof status3 !== "number" || !statuses.message[status3] && (status3 < 400 || status3 >= 600)) {
+        status3 = 500;
       }
-      var HttpError3 = createError[status2] || createError[codeClass(status2)];
+      var HttpError3 = createError[status3] || createError[codeClass(status3)];
       if (!err) {
-        err = HttpError3 ? new HttpError3(msg) : new Error(msg || statuses.message[status2]);
+        err = HttpError3 ? new HttpError3(msg) : new Error(msg || statuses.message[status3]);
         Error.captureStackTrace(err, createError);
       }
-      if (!HttpError3 || !(err instanceof HttpError3) || err.status !== status2) {
-        err.expose = status2 < 500;
-        err.status = err.statusCode = status2;
+      if (!HttpError3 || !(err instanceof HttpError3) || err.status !== status3) {
+        err.expose = status3 < 500;
+        err.status = err.statusCode = status3;
       }
       for (var key in props) {
         if (key !== "status" && key !== "statusCode") {
@@ -20060,13 +20060,13 @@ var require_extend_node = __commonJS({
         };
         var SlowBuffer = require("buffer").SlowBuffer;
         original.SlowBufferToString = SlowBuffer.prototype.toString;
-        SlowBuffer.prototype.toString = function(encoding, start3, end) {
+        SlowBuffer.prototype.toString = function(encoding, start4, end) {
           encoding = String(encoding || "utf8").toLowerCase();
           if (Buffer2.isNativeEncoding(encoding))
-            return original.SlowBufferToString.call(this, encoding, start3, end);
-          if (typeof start3 == "undefined") start3 = 0;
+            return original.SlowBufferToString.call(this, encoding, start4, end);
+          if (typeof start4 == "undefined") start4 = 0;
           if (typeof end == "undefined") end = this.length;
-          return iconv.decode(this.slice(start3, end), encoding);
+          return iconv.decode(this.slice(start4, end), encoding);
         };
         original.SlowBufferWrite = SlowBuffer.prototype.write;
         SlowBuffer.prototype.write = function(string, offset, length, encoding) {
@@ -20113,13 +20113,13 @@ var require_extend_node = __commonJS({
           return iconv.encode(str2, encoding).length;
         };
         original.BufferToString = Buffer2.prototype.toString;
-        Buffer2.prototype.toString = function(encoding, start3, end) {
+        Buffer2.prototype.toString = function(encoding, start4, end) {
           encoding = String(encoding || "utf8").toLowerCase();
           if (Buffer2.isNativeEncoding(encoding))
-            return original.BufferToString.call(this, encoding, start3, end);
-          if (typeof start3 == "undefined") start3 = 0;
+            return original.BufferToString.call(this, encoding, start4, end);
+          if (typeof start4 == "undefined") start4 = 0;
           if (typeof end == "undefined") end = this.length;
-          return iconv.decode(this.slice(start3, end), encoding);
+          return iconv.decode(this.slice(start4, end), encoding);
         };
         original.BufferWrite = Buffer2.prototype.write;
         Buffer2.prototype.write = function(string, offset, length, encoding) {
@@ -20381,10 +20381,10 @@ var require_raw_body = __commonJS({
       if (done) {
         return readStream2(stream4, encoding, length, limit, wrap(done));
       }
-      return new Promise(function executor(resolve10, reject) {
+      return new Promise(function executor(resolve11, reject) {
         readStream2(stream4, encoding, length, limit, function onRead(err, buf) {
           if (err) return reject(err);
-          resolve10(buf);
+          resolve11(buf);
         });
       });
     }
@@ -22852,8 +22852,8 @@ var require_lodash = __commonJS({
       }
       assignMergeValue(object, key, newValue);
     }
-    function baseRest(func, start3) {
-      return setToString(overRest(func, start3, identity), func + "");
+    function baseRest(func, start4) {
+      return setToString(overRest(func, start4, identity), func + "");
     }
     var baseSetToString = !defineProperty ? identity : function(func, string) {
       return defineProperty(func, "toString", {
@@ -23002,19 +23002,19 @@ var require_lodash = __commonJS({
     function objectToString(value) {
       return nativeObjectToString.call(value);
     }
-    function overRest(func, start3, transform) {
-      start3 = nativeMax(start3 === void 0 ? func.length - 1 : start3, 0);
+    function overRest(func, start4, transform) {
+      start4 = nativeMax(start4 === void 0 ? func.length - 1 : start4, 0);
       return function() {
-        var args2 = arguments, index = -1, length = nativeMax(args2.length - start3, 0), array = Array(length);
+        var args2 = arguments, index = -1, length = nativeMax(args2.length - start4, 0), array = Array(length);
         while (++index < length) {
-          array[index] = args2[start3 + index];
+          array[index] = args2[start4 + index];
         }
         index = -1;
-        var otherArgs = Array(start3 + 1);
-        while (++index < start3) {
+        var otherArgs = Array(start4 + 1);
+        while (++index < start4) {
           otherArgs[index] = args2[index];
         }
-        otherArgs[start3] = transform(array);
+        otherArgs[start4] = transform(array);
         return apply(func, this, otherArgs);
       };
     }
@@ -24001,10 +24001,10 @@ var require_statuses4 = __commonJS({
   "node_modules/resolve-path/node_modules/statuses/index.js"(exports2, module2) {
     "use strict";
     var codes = require_codes4();
-    module2.exports = status2;
-    status2.STATUS_CODES = codes;
-    status2.codes = populateStatusesMap(status2, codes);
-    status2.redirect = {
+    module2.exports = status3;
+    status3.STATUS_CODES = codes;
+    status3.codes = populateStatusesMap(status3, codes);
+    status3.redirect = {
       300: true,
       301: true,
       302: true,
@@ -24013,12 +24013,12 @@ var require_statuses4 = __commonJS({
       307: true,
       308: true
     };
-    status2.empty = {
+    status3.empty = {
       204: true,
       205: true,
       304: true
     };
-    status2.retry = {
+    status3.retry = {
       502: true,
       503: true,
       504: true
@@ -24027,17 +24027,17 @@ var require_statuses4 = __commonJS({
       var arr = [];
       Object.keys(codes2).forEach(function forEachCode(code) {
         var message2 = codes2[code];
-        var status3 = Number(code);
-        statuses[status3] = message2;
-        statuses[message2] = status3;
-        statuses[message2.toLowerCase()] = status3;
-        arr.push(status3);
+        var status4 = Number(code);
+        statuses[status4] = message2;
+        statuses[message2] = status4;
+        statuses[message2.toLowerCase()] = status4;
+        arr.push(status4);
       });
       return arr;
     }
-    function status2(code) {
+    function status3(code) {
       if (typeof code === "number") {
-        if (!status2[code]) throw new Error("invalid status code: " + code);
+        if (!status3[code]) throw new Error("invalid status code: " + code);
         return code;
       }
       if (typeof code !== "string") {
@@ -24045,10 +24045,10 @@ var require_statuses4 = __commonJS({
       }
       var n = parseInt(code, 10);
       if (!isNaN(n)) {
-        if (!status2[n]) throw new Error("invalid status code: " + n);
+        if (!status3[n]) throw new Error("invalid status code: " + n);
         return n;
       }
-      n = status2[code.toLowerCase()];
+      n = status3[code.toLowerCase()];
       if (!n) throw new Error('invalid status message: "' + code + '"');
       return n;
     }
@@ -24108,19 +24108,19 @@ var require_http_errors4 = __commonJS({
     module2.exports = createError;
     module2.exports.HttpError = createHttpErrorConstructor();
     populateConstructorExports(module2.exports, statuses.codes, module2.exports.HttpError);
-    function codeClass(status2) {
-      return Number(String(status2).charAt(0) + "00");
+    function codeClass(status3) {
+      return Number(String(status3).charAt(0) + "00");
     }
     function createError() {
       var err;
       var msg;
-      var status2 = 500;
+      var status3 = 500;
       var props = {};
       for (var i = 0; i < arguments.length; i++) {
         var arg = arguments[i];
         if (arg instanceof Error) {
           err = arg;
-          status2 = err.status || err.statusCode || status2;
+          status3 = err.status || err.statusCode || status3;
           continue;
         }
         switch (typeof arg) {
@@ -24128,7 +24128,7 @@ var require_http_errors4 = __commonJS({
             msg = arg;
             break;
           case "number":
-            status2 = arg;
+            status3 = arg;
             if (i !== 0) {
               deprecate2("non-first-argument status code; replace with createError(" + arg + ", ...)");
             }
@@ -24138,20 +24138,20 @@ var require_http_errors4 = __commonJS({
             break;
         }
       }
-      if (typeof status2 === "number" && (status2 < 400 || status2 >= 600)) {
+      if (typeof status3 === "number" && (status3 < 400 || status3 >= 600)) {
         deprecate2("non-error status code; use only 4xx or 5xx status codes");
       }
-      if (typeof status2 !== "number" || !statuses[status2] && (status2 < 400 || status2 >= 600)) {
-        status2 = 500;
+      if (typeof status3 !== "number" || !statuses[status3] && (status3 < 400 || status3 >= 600)) {
+        status3 = 500;
       }
-      var HttpError3 = createError[status2] || createError[codeClass(status2)];
+      var HttpError3 = createError[status3] || createError[codeClass(status3)];
       if (!err) {
-        err = HttpError3 ? new HttpError3(msg) : new Error(msg || statuses[status2]);
+        err = HttpError3 ? new HttpError3(msg) : new Error(msg || statuses[status3]);
         Error.captureStackTrace(err, createError);
       }
-      if (!HttpError3 || !(err instanceof HttpError3) || err.status !== status2) {
-        err.expose = status2 < 500;
-        err.status = err.statusCode = status2;
+      if (!HttpError3 || !(err instanceof HttpError3) || err.status !== status3) {
+        err.expose = status3 < 500;
+        err.status = err.statusCode = status3;
       }
       for (var key in props) {
         if (key !== "status" && key !== "statusCode") {
@@ -24277,9 +24277,9 @@ var require_resolve_path = __commonJS({
     "use strict";
     var createError = require_http_errors4();
     var join14 = require("path").join;
-    var normalize = require("path").normalize;
+    var normalize2 = require("path").normalize;
     var pathIsAbsolute = require_path_is_absolute();
-    var resolve10 = require("path").resolve;
+    var resolve11 = require("path").resolve;
     var sep = require("path").sep;
     module2.exports = resolvePath;
     var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
@@ -24308,10 +24308,10 @@ var require_resolve_path = __commonJS({
       if (pathIsAbsolute.posix(path) || pathIsAbsolute.win32(path)) {
         throw createError(400, "Malicious Path");
       }
-      if (UP_PATH_REGEXP.test(normalize("." + sep + path))) {
+      if (UP_PATH_REGEXP.test(normalize2("." + sep + path))) {
         throw createError(403);
       }
-      return normalize(join14(resolve10(root), path));
+      return normalize2(join14(resolve11(root), path));
     }
   }
 });
@@ -24819,10 +24819,10 @@ var require_statuses5 = __commonJS({
   "node_modules/koa-send/node_modules/statuses/index.js"(exports2, module2) {
     "use strict";
     var codes = require_codes5();
-    module2.exports = status2;
-    status2.STATUS_CODES = codes;
-    status2.codes = populateStatusesMap(status2, codes);
-    status2.redirect = {
+    module2.exports = status3;
+    status3.STATUS_CODES = codes;
+    status3.codes = populateStatusesMap(status3, codes);
+    status3.redirect = {
       300: true,
       301: true,
       302: true,
@@ -24831,12 +24831,12 @@ var require_statuses5 = __commonJS({
       307: true,
       308: true
     };
-    status2.empty = {
+    status3.empty = {
       204: true,
       205: true,
       304: true
     };
-    status2.retry = {
+    status3.retry = {
       502: true,
       503: true,
       504: true
@@ -24845,17 +24845,17 @@ var require_statuses5 = __commonJS({
       var arr = [];
       Object.keys(codes2).forEach(function forEachCode(code) {
         var message2 = codes2[code];
-        var status3 = Number(code);
-        statuses[status3] = message2;
-        statuses[message2] = status3;
-        statuses[message2.toLowerCase()] = status3;
-        arr.push(status3);
+        var status4 = Number(code);
+        statuses[status4] = message2;
+        statuses[message2] = status4;
+        statuses[message2.toLowerCase()] = status4;
+        arr.push(status4);
       });
       return arr;
     }
-    function status2(code) {
+    function status3(code) {
       if (typeof code === "number") {
-        if (!status2[code]) throw new Error("invalid status code: " + code);
+        if (!status3[code]) throw new Error("invalid status code: " + code);
         return code;
       }
       if (typeof code !== "string") {
@@ -24863,10 +24863,10 @@ var require_statuses5 = __commonJS({
       }
       var n = parseInt(code, 10);
       if (!isNaN(n)) {
-        if (!status2[n]) throw new Error("invalid status code: " + n);
+        if (!status3[n]) throw new Error("invalid status code: " + n);
         return n;
       }
-      n = status2[code.toLowerCase()];
+      n = status3[code.toLowerCase()];
       if (!n) throw new Error('invalid status message: "' + code + '"');
       return n;
     }
@@ -24886,19 +24886,19 @@ var require_http_errors5 = __commonJS({
     module2.exports.HttpError = createHttpErrorConstructor();
     module2.exports.isHttpError = createIsHttpErrorFunction(module2.exports.HttpError);
     populateConstructorExports(module2.exports, statuses.codes, module2.exports.HttpError);
-    function codeClass(status2) {
-      return Number(String(status2).charAt(0) + "00");
+    function codeClass(status3) {
+      return Number(String(status3).charAt(0) + "00");
     }
     function createError() {
       var err;
       var msg;
-      var status2 = 500;
+      var status3 = 500;
       var props = {};
       for (var i = 0; i < arguments.length; i++) {
         var arg = arguments[i];
         if (arg instanceof Error) {
           err = arg;
-          status2 = err.status || err.statusCode || status2;
+          status3 = err.status || err.statusCode || status3;
           continue;
         }
         switch (typeof arg) {
@@ -24906,7 +24906,7 @@ var require_http_errors5 = __commonJS({
             msg = arg;
             break;
           case "number":
-            status2 = arg;
+            status3 = arg;
             if (i !== 0) {
               deprecate2("non-first-argument status code; replace with createError(" + arg + ", ...)");
             }
@@ -24916,20 +24916,20 @@ var require_http_errors5 = __commonJS({
             break;
         }
       }
-      if (typeof status2 === "number" && (status2 < 400 || status2 >= 600)) {
+      if (typeof status3 === "number" && (status3 < 400 || status3 >= 600)) {
         deprecate2("non-error status code; use only 4xx or 5xx status codes");
       }
-      if (typeof status2 !== "number" || !statuses[status2] && (status2 < 400 || status2 >= 600)) {
-        status2 = 500;
+      if (typeof status3 !== "number" || !statuses[status3] && (status3 < 400 || status3 >= 600)) {
+        status3 = 500;
       }
-      var HttpError3 = createError[status2] || createError[codeClass(status2)];
+      var HttpError3 = createError[status3] || createError[codeClass(status3)];
       if (!err) {
-        err = HttpError3 ? new HttpError3(msg) : new Error(msg || statuses[status2]);
+        err = HttpError3 ? new HttpError3(msg) : new Error(msg || statuses[status3]);
         Error.captureStackTrace(err, createError);
       }
-      if (!HttpError3 || !(err instanceof HttpError3) || err.status !== status2) {
-        err.expose = status2 < 500;
-        err.status = err.statusCode = status2;
+      if (!HttpError3 || !(err instanceof HttpError3) || err.status !== status3) {
+        err.expose = status3 < 500;
+        err.status = err.statusCode = status3;
       }
       for (var key in props) {
         if (key !== "status" && key !== "statusCode") {
@@ -25067,10 +25067,10 @@ var require_koa_send = __commonJS({
       }
     }
     var {
-      normalize,
-      basename: basename2,
-      extname,
-      resolve: resolve10,
+      normalize: normalize2,
+      basename: basename4,
+      extname: extname2,
+      resolve: resolve11,
       parse: parse2,
       sep
     } = require("path");
@@ -25079,7 +25079,7 @@ var require_koa_send = __commonJS({
       assert(ctx, "koa context required");
       assert(path, "pathname required");
       debug2('send "%s" %j', path, opts);
-      const root = opts.root ? normalize(resolve10(opts.root)) : "";
+      const root = opts.root ? normalize2(resolve11(opts.root)) : "";
       const trailingSlash = path[path.length - 1] === "/";
       path = path.substr(parse2(path).root.length);
       const index = opts.index;
@@ -25111,7 +25111,7 @@ var require_koa_send = __commonJS({
         ctx.res.removeHeader("Content-Length");
         encodingExt = ".gz";
       }
-      if (extensions && !/\./.exec(basename2(path))) {
+      if (extensions && !/\./.exec(basename4(path))) {
         const list6 = [].concat(extensions);
         for (let i = 0; i < list6.length; i++) {
           let ext = list6[i];
@@ -25166,7 +25166,7 @@ var require_koa_send = __commonJS({
       return false;
     }
     function type2(file, ext) {
-      return ext !== "" ? extname(basename2(file, ext)) : extname(file);
+      return ext !== "" ? extname2(basename4(file, ext)) : extname2(file);
     }
     function decode(path) {
       try {
@@ -25183,7 +25183,7 @@ var require_koa_static = __commonJS({
   "node_modules/koa-static/index.js"(exports2, module2) {
     "use strict";
     var debug2 = require_src2()("koa-static");
-    var { resolve: resolve10 } = require("path");
+    var { resolve: resolve11 } = require("path");
     var assert = require("assert");
     var send2 = require_koa_send();
     module2.exports = serve2;
@@ -25191,7 +25191,7 @@ var require_koa_static = __commonJS({
       opts = Object.assign({}, opts);
       assert(root, "root directory is required to serve files");
       debug2('static "%s" %j', root, opts);
-      opts.root = resolve10(root);
+      opts.root = resolve11(root);
       if (opts.index !== false) opts.index = opts.index || "index.html";
       if (!opts.defer) {
         return async function serve3(ctx, next) {
@@ -25877,10 +25877,10 @@ function throwWarning(state, message2) {
     state.onWarning.call(null, generateError(state, message2));
   }
 }
-function captureSegment(state, start3, end, checkJson) {
+function captureSegment(state, start4, end, checkJson) {
   var _position, _length, _character, _result;
-  if (start3 < end) {
-    _result = state.input.slice(start3, end);
+  if (start4 < end) {
+    _result = state.input.slice(start4, end);
     if (checkJson) {
       for (_position = 0, _length = _result.length; _position < _length; _position += 1) {
         _character = _result.charCodeAt(_position);
@@ -27105,22 +27105,22 @@ function foldLine(line, width) {
   if (line === "" || line[0] === " ") return line;
   var breakRe = / [^ ]/g;
   var match;
-  var start3 = 0, end, curr = 0, next = 0;
+  var start4 = 0, end, curr = 0, next = 0;
   var result = "";
   while (match = breakRe.exec(line)) {
     next = match.index;
-    if (next - start3 > width) {
-      end = curr > start3 ? curr : next;
-      result += "\n" + line.slice(start3, end);
-      start3 = end + 1;
+    if (next - start4 > width) {
+      end = curr > start4 ? curr : next;
+      result += "\n" + line.slice(start4, end);
+      start4 = end + 1;
     }
     curr = next;
   }
   result += "\n";
-  if (line.length - start3 > width && curr > start3) {
-    result += line.slice(start3, curr) + "\n" + line.slice(curr + 1);
+  if (line.length - start4 > width && curr > start4) {
+    result += line.slice(start4, curr) + "\n" + line.slice(curr + 1);
   } else {
-    result += line.slice(start3);
+    result += line.slice(start4);
   }
   return result.slice(1);
 }
@@ -28593,7 +28593,7 @@ var require_redact = __commonJS({
       }
       return cloneSelectively(obj, pathStructure);
     }
-    function validatePath(path) {
+    function validatePath2(path) {
       if (typeof path !== "string") {
         throw new Error("Paths must be (non-empty) strings");
       }
@@ -28637,7 +28637,7 @@ var require_redact = __commonJS({
         throw new TypeError("paths must be an array");
       }
       for (const path of paths) {
-        validatePath(path);
+        validatePath2(path);
       }
     }
     function slowRedact(options = {}) {
@@ -29101,7 +29101,7 @@ var require_sonic_boom = __commonJS({
       if (!(this instanceof SonicBoom)) {
         return new SonicBoom(opts);
       }
-      let { fd, dest, minLength, maxLength, maxWrite, periodicFlush, sync, append: append2 = true, mkdir: mkdir5, retryEAGAIN, fsync, contentMode, mode } = opts || {};
+      let { fd, dest, minLength, maxLength, maxWrite, periodicFlush, sync, append: append2 = true, mkdir: mkdir6, retryEAGAIN, fsync, contentMode, mode } = opts || {};
       fd = fd || dest;
       this._len = 0;
       this.fd = -1;
@@ -29126,7 +29126,7 @@ var require_sonic_boom = __commonJS({
       this.append = append2 || false;
       this.mode = mode;
       this.retryEAGAIN = retryEAGAIN || (() => true);
-      this.mkdir = mkdir5 || false;
+      this.mkdir = mkdir6 || false;
       let fsWriteSync;
       let fsWrite;
       if (contentMode === kContentModeBuffer) {
@@ -30257,9 +30257,9 @@ var require_transport = __commonJS({
   "node_modules/pino/lib/transport.js"(exports2, module2) {
     "use strict";
     var { createRequire } = require("module");
-    var { existsSync: existsSync14 } = require("node:fs");
+    var { existsSync: existsSync16 } = require("node:fs");
     var getCallers = require_caller();
-    var { join: join14, isAbsolute, sep } = require("node:path");
+    var { join: join14, isAbsolute: isAbsolute2, sep } = require("node:path");
     var { fileURLToPath } = require("node:url");
     var sleep = require_atomic_sleep();
     var onExit = require_on_exit_leak_free();
@@ -30331,7 +30331,7 @@ var require_transport = __commonJS({
           return false;
         }
       }
-      return isAbsolute(path) && !existsSync14(path);
+      return isAbsolute2(path) && !existsSync16(path);
     }
     function stripQuotes(value) {
       const first = value[0];
@@ -30449,7 +30449,7 @@ var require_transport = __commonJS({
       return buildStream(fixTarget(target), options, worker, sync, name);
       function fixTarget(origin2) {
         origin2 = bundlerOverrides[origin2] || origin2;
-        if (isAbsolute(origin2) || origin2.indexOf("file://") === 0) {
+        if (isAbsolute2(origin2) || origin2.indexOf("file://") === 0) {
           return origin2;
         }
         if (origin2 === "pino/file") {
@@ -32106,11 +32106,11 @@ var require_pino = __commonJS({
       depthLimit: 5,
       edgeLimit: 100
     };
-    var normalize = createArgsNormalizer(defaultOptions);
+    var normalize2 = createArgsNormalizer(defaultOptions);
     var serializers = Object.assign(/* @__PURE__ */ Object.create(null), stdSerializers);
     function pino2(...args2) {
       const instance = {};
-      const { opts, stream: stream4 } = normalize(instance, caller(), ...args2);
+      const { opts, stream: stream4 } = normalize2(instance, caller(), ...args2);
       if (opts.level && typeof opts.level === "string" && DEFAULT_LEVELS[opts.level.toLowerCase()] !== void 0) opts.level = opts.level.toLowerCase();
       const {
         redact,
@@ -32365,22 +32365,22 @@ var init_gateway_manager = __esm({
       /** 尝试绑定端口，检测端口是否被系统级进程占用 */
       checkPortAvailable(port, host) {
         if (port < 0 || port > 65535) return Promise.resolve(false);
-        return new Promise((resolve10) => {
+        return new Promise((resolve11) => {
           const server2 = (0, import_net.createServer)();
           server2.once("error", () => {
             server2.close();
-            resolve10(false);
+            resolve11(false);
           });
           server2.once("listening", () => {
             server2.close();
-            resolve10(true);
+            resolve11(true);
           });
           server2.listen(port, host);
         });
       }
       /** 从 base 端口开始递增查找空闲端口（上限 65535） */
       findFreePort(base, host = "127.0.0.1") {
-        return new Promise((resolve10, reject) => {
+        return new Promise((resolve11, reject) => {
           const tryPort = (port) => {
             if (port > 65535) {
               reject(new Error(`No free port found in range ${base}-65535`));
@@ -32393,7 +32393,7 @@ var init_gateway_manager = __esm({
             });
             server2.once("listening", () => {
               server2.close();
-              resolve10(port);
+              resolve11(port);
             });
             server2.listen(port, host);
           };
@@ -32574,7 +32574,7 @@ var init_gateway_manager = __esm({
         const hermesHome = this.profileDir(name);
         const url2 = `http://${host}:${port}`;
         if (needsRunMode) {
-          return new Promise((resolve10, reject) => {
+          return new Promise((resolve11, reject) => {
             const env2 = { ...process.env, HERMES_HOME: hermesHome };
             const child = (0, import_child_process.spawn)(HERMES_BIN, ["gateway", "run", "--replace"], {
               detached: true,
@@ -32585,7 +32585,7 @@ var init_gateway_manager = __esm({
             child.unref();
             const pid = child.pid ?? 0;
             logger.info('Starting gateway for profile "%s" (run mode, PID: %d, port: %d)', name, pid, port);
-            this.waitForReady(name, pid, port, host, url2).then(resolve10).catch(reject);
+            this.waitForReady(name, pid, port, host, url2).then(resolve11).catch(reject);
           });
         }
         logger.info('Starting gateway for profile "%s" (start mode, port: %d)', name, port);
@@ -32690,9 +32690,9 @@ var init_gateway_manager = __esm({
         logger.info("Scanning profiles for running gateways...");
         const profiles = await this.listProfiles();
         for (const name of profiles) {
-          const status2 = await this.detectStatus(name);
-          if (status2.running) {
-            logger.info("%s: running (PID: %s, port: %d)", name, status2.pid, status2.port);
+          const status3 = await this.detectStatus(name);
+          if (status3.running) {
+            logger.info("%s: running (PID: %s, port: %d)", name, status3.pid, status3.port);
           } else {
             logger.debug("%s: stopped", name);
           }
@@ -34852,7 +34852,7 @@ var require_extension = __commonJS({
       let inQuotes = false;
       let extensionName;
       let paramName;
-      let start3 = -1;
+      let start4 = -1;
       let code = -1;
       let end = -1;
       let i = 0;
@@ -34860,45 +34860,45 @@ var require_extension = __commonJS({
         code = header.charCodeAt(i);
         if (extensionName === void 0) {
           if (end === -1 && tokenChars[code] === 1) {
-            if (start3 === -1) start3 = i;
+            if (start4 === -1) start4 = i;
           } else if (i !== 0 && (code === 32 || code === 9)) {
-            if (end === -1 && start3 !== -1) end = i;
+            if (end === -1 && start4 !== -1) end = i;
           } else if (code === 59 || code === 44) {
-            if (start3 === -1) {
+            if (start4 === -1) {
               throw new SyntaxError(`Unexpected character at index ${i}`);
             }
             if (end === -1) end = i;
-            const name = header.slice(start3, end);
+            const name = header.slice(start4, end);
             if (code === 44) {
               push(offers, name, params);
               params = /* @__PURE__ */ Object.create(null);
             } else {
               extensionName = name;
             }
-            start3 = end = -1;
+            start4 = end = -1;
           } else {
             throw new SyntaxError(`Unexpected character at index ${i}`);
           }
         } else if (paramName === void 0) {
           if (end === -1 && tokenChars[code] === 1) {
-            if (start3 === -1) start3 = i;
+            if (start4 === -1) start4 = i;
           } else if (code === 32 || code === 9) {
-            if (end === -1 && start3 !== -1) end = i;
+            if (end === -1 && start4 !== -1) end = i;
           } else if (code === 59 || code === 44) {
-            if (start3 === -1) {
+            if (start4 === -1) {
               throw new SyntaxError(`Unexpected character at index ${i}`);
             }
             if (end === -1) end = i;
-            push(params, header.slice(start3, end), true);
+            push(params, header.slice(start4, end), true);
             if (code === 44) {
               push(offers, extensionName, params);
               params = /* @__PURE__ */ Object.create(null);
               extensionName = void 0;
             }
-            start3 = end = -1;
-          } else if (code === 61 && start3 !== -1 && end === -1) {
-            paramName = header.slice(start3, i);
-            start3 = end = -1;
+            start4 = end = -1;
+          } else if (code === 61 && start4 !== -1 && end === -1) {
+            paramName = header.slice(start4, i);
+            start4 = end = -1;
           } else {
             throw new SyntaxError(`Unexpected character at index ${i}`);
           }
@@ -34907,13 +34907,13 @@ var require_extension = __commonJS({
             if (tokenChars[code] !== 1) {
               throw new SyntaxError(`Unexpected character at index ${i}`);
             }
-            if (start3 === -1) start3 = i;
+            if (start4 === -1) start4 = i;
             else if (!mustUnescape) mustUnescape = true;
             isEscaping = false;
           } else if (inQuotes) {
             if (tokenChars[code] === 1) {
-              if (start3 === -1) start3 = i;
-            } else if (code === 34 && start3 !== -1) {
+              if (start4 === -1) start4 = i;
+            } else if (code === 34 && start4 !== -1) {
               inQuotes = false;
               end = i;
             } else if (code === 92) {
@@ -34924,15 +34924,15 @@ var require_extension = __commonJS({
           } else if (code === 34 && header.charCodeAt(i - 1) === 61) {
             inQuotes = true;
           } else if (end === -1 && tokenChars[code] === 1) {
-            if (start3 === -1) start3 = i;
-          } else if (start3 !== -1 && (code === 32 || code === 9)) {
+            if (start4 === -1) start4 = i;
+          } else if (start4 !== -1 && (code === 32 || code === 9)) {
             if (end === -1) end = i;
           } else if (code === 59 || code === 44) {
-            if (start3 === -1) {
+            if (start4 === -1) {
               throw new SyntaxError(`Unexpected character at index ${i}`);
             }
             if (end === -1) end = i;
-            let value = header.slice(start3, end);
+            let value = header.slice(start4, end);
             if (mustUnescape) {
               value = value.replace(/\\/g, "");
               mustUnescape = false;
@@ -34944,17 +34944,17 @@ var require_extension = __commonJS({
               extensionName = void 0;
             }
             paramName = void 0;
-            start3 = end = -1;
+            start4 = end = -1;
           } else {
             throw new SyntaxError(`Unexpected character at index ${i}`);
           }
         }
       }
-      if (start3 === -1 || inQuotes || code === 32 || code === 9) {
+      if (start4 === -1 || inQuotes || code === 32 || code === 9) {
         throw new SyntaxError("Unexpected end of input");
       }
       if (end === -1) end = i;
-      const token = header.slice(start3, end);
+      const token = header.slice(start4, end);
       if (extensionName === void 0) {
         push(offers, token, params);
       } else {
@@ -35979,34 +35979,34 @@ var require_subprotocol = __commonJS({
     var { tokenChars } = require_validation();
     function parse2(header) {
       const protocols = /* @__PURE__ */ new Set();
-      let start3 = -1;
+      let start4 = -1;
       let end = -1;
       let i = 0;
       for (i; i < header.length; i++) {
         const code = header.charCodeAt(i);
         if (end === -1 && tokenChars[code] === 1) {
-          if (start3 === -1) start3 = i;
+          if (start4 === -1) start4 = i;
         } else if (i !== 0 && (code === 32 || code === 9)) {
-          if (end === -1 && start3 !== -1) end = i;
+          if (end === -1 && start4 !== -1) end = i;
         } else if (code === 44) {
-          if (start3 === -1) {
+          if (start4 === -1) {
             throw new SyntaxError(`Unexpected character at index ${i}`);
           }
           if (end === -1) end = i;
-          const protocol2 = header.slice(start3, end);
+          const protocol2 = header.slice(start4, end);
           if (protocols.has(protocol2)) {
             throw new SyntaxError(`The "${protocol2}" subprotocol is duplicated`);
           }
           protocols.add(protocol2);
-          start3 = end = -1;
+          start4 = end = -1;
         } else {
           throw new SyntaxError(`Unexpected character at index ${i}`);
         }
       }
-      if (start3 === -1 || end !== -1) {
+      if (start4 === -1 || end !== -1) {
         throw new SyntaxError("Unexpected end of input");
       }
-      const protocol = header.slice(start3, i);
+      const protocol = header.slice(start4, i);
       if (protocols.has(protocol)) {
         throw new SyntaxError(`The "${protocol}" subprotocol is duplicated`);
       }
@@ -38365,10 +38365,10 @@ function bindShutdown(server2) {
     logger.info("Shutting down (%s)...", signal);
     try {
       if (server2) {
-        await new Promise((resolve10) => {
+        await new Promise((resolve11) => {
           server2.close(() => {
             logger.info("HTTP server closed");
-            resolve10();
+            resolve11();
           });
         });
       }
@@ -40217,15 +40217,15 @@ function resolveHermesBin() {
 var HERMES_BIN2 = resolveHermesBin();
 function parseSessionExport(stdout) {
   const lines = stdout.trim().split("\n").filter(Boolean);
-  const sessions2 = [];
+  const sessions3 = [];
   for (const line of lines) {
     try {
       const raw = JSON.parse(line);
-      sessions2.push(raw);
+      sessions3.push(raw);
     } catch {
     }
   }
-  return sessions2;
+  return sessions3;
 }
 async function exportSessionsRaw(source) {
   const args2 = ["sessions", "export", "-"];
@@ -40245,7 +40245,7 @@ async function exportSessionsRaw(source) {
 }
 async function listSessions(source, limit) {
   const raws = await exportSessionsRaw(source);
-  const sessions2 = [];
+  const sessions3 = [];
   for (const raw of raws) {
     let title = raw.title;
     if (!title && raw.messages) {
@@ -40255,7 +40255,7 @@ async function listSessions(source, limit) {
         title = t + (String(firstUser.content).length > 40 ? "..." : "");
       }
     }
-    sessions2.push({
+    sessions3.push({
       id: raw.id,
       source: raw.source,
       user_id: raw.user_id,
@@ -40277,11 +40277,11 @@ async function listSessions(source, limit) {
       cost_status: raw.cost_status || ""
     });
   }
-  sessions2.sort((a, b) => b.started_at - a.started_at);
+  sessions3.sort((a, b) => b.started_at - a.started_at);
   if (limit && limit > 0) {
-    return sessions2.slice(0, limit);
+    return sessions3.slice(0, limit);
   }
-  return sessions2;
+  return sessions3;
 }
 async function getSession(id) {
   const args2 = ["sessions", "export", "-", "--session-id", id];
@@ -40590,11 +40590,11 @@ async function importProfile(archivePath, name) {
 }
 
 // packages/server/src/controllers/health.ts
-var LOCAL_VERSION = true ? "0.4.3" : (() => {
+var LOCAL_VERSION = true ? "0.4.4" : (() => {
   try {
-    const { readFileSync: readFileSync10 } = null;
-    const { resolve: resolve10 } = null;
-    return JSON.parse(readFileSync10(resolve10(__dirname, "../../package.json"), "utf-8")).version;
+    const { readFileSync: readFileSync12 } = null;
+    const { resolve: resolve11 } = null;
+    return JSON.parse(readFileSync12(resolve11(__dirname, "../../package.json"), "utf-8")).version;
   } catch {
     return "0.0.0";
   }
@@ -40602,8 +40602,8 @@ var LOCAL_VERSION = true ? "0.4.3" : (() => {
 var cachedLatestVersion = "";
 async function checkLatestVersion() {
   try {
-    const { readFileSync: readFileSync10 } = require("fs");
-    const pkg = JSON.parse(readFileSync10(resolve6(require("path").join(__dirname, "../../package.json")), "utf-8"));
+    const { readFileSync: readFileSync12 } = require("fs");
+    const pkg = JSON.parse(readFileSync12(resolve6(require("path").join(__dirname, "../../package.json")), "utf-8"));
     const name = pkg.name;
     const res = await fetch(`https://registry.npmjs.org/${name}/latest`, { signal: AbortSignal.timeout(1e4) });
     if (res.ok) {
@@ -40638,7 +40638,8 @@ async function healthCheck(ctx) {
     gateway: gatewayOk ? "running" : "stopped",
     webui_version: LOCAL_VERSION,
     webui_latest: cachedLatestVersion,
-    webui_update_available: cachedLatestVersion && cachedLatestVersion !== LOCAL_VERSION
+    webui_update_available: cachedLatestVersion && cachedLatestVersion !== LOCAL_VERSION,
+    node_version: process.versions.node
   };
 }
 function resolve6(p) {
@@ -40813,14 +40814,14 @@ async function handleUpload(ctx) {
 }
 function splitMultipart(raw, boundary) {
   const parts = [];
-  let start3 = 0;
+  let start4 = 0;
   while (true) {
-    const idx = raw.indexOf(boundary, start3);
+    const idx = raw.indexOf(boundary, start4);
     if (idx === -1) break;
-    if (start3 > 0) {
-      parts.push(raw.subarray(start3 + 2, idx));
+    if (start4 > 0) {
+      parts.push(raw.subarray(start4 + 2, idx));
     }
-    start3 = idx + boundary.length;
+    start4 = idx + boundary.length;
   }
   return parts;
 }
@@ -41223,14 +41224,14 @@ function normalizeVisibleMessage(message2, session, index) {
     timestamp: timestamp2
   };
 }
-function visibleMessagesForSessions(sessions2) {
-  return sessions2.flatMap((session) => sessionMessages(session).map((message2, index) => normalizeVisibleMessage({ ...message2, session_id: safeText(message2.session_id || session.id) }, session, index))).filter((message2) => !!message2).sort((a, b) => {
+function visibleMessagesForSessions(sessions3) {
+  return sessions3.flatMap((session) => sessionMessages(session).map((message2, index) => normalizeVisibleMessage({ ...message2, session_id: safeText(message2.session_id || session.id) }, session, index))).filter((message2) => !!message2).sort((a, b) => {
     if (a.timestamp !== b.timestamp) return a.timestamp - b.timestamp;
     return String(a.id).localeCompare(String(b.id));
   });
 }
-function hasVisibleHumanMessages(sessions2) {
-  return visibleMessagesForSessions(sessions2).length > 0;
+function hasVisibleHumanMessages(sessions3) {
+  return visibleMessagesForSessions(sessions3).length > 0;
 }
 function toSummary(session) {
   return {
@@ -41308,10 +41309,10 @@ async function loadSessions(source) {
 async function listConversationSummaries(options = {}) {
   const humanOnly = options.humanOnly !== false;
   const limit = options.limit && options.limit > 0 ? options.limit : DEFAULT_CONVERSATION_LIMIT;
-  const sessions2 = await loadSessions(options.source);
-  const byId = new Map(sessions2.map((session) => [session.id, session]));
+  const sessions3 = await loadSessions(options.source);
+  const byId = new Map(sessions3.map((session) => [session.id, session]));
   const childrenByParent = /* @__PURE__ */ new Map();
-  for (const session of sessions2) {
+  for (const session of sessions3) {
     const key = session.parent_session_id ?? null;
     const siblings = childrenByParent.get(key) || [];
     siblings.push(session.id);
@@ -41319,18 +41320,18 @@ async function listConversationSummaries(options = {}) {
   }
   if (!humanOnly) {
     return sortByRecency(
-      sessions2.filter((session) => session.source !== "tool").map(toSummary)
+      sessions3.filter((session) => session.source !== "tool").map(toSummary)
     ).slice(0, limit);
   }
-  const summaries = sessions2.filter((session) => isVisibleRoot(session, byId)).map((session) => aggregateSummary(session.id, byId, childrenByParent)).filter((summary) => !!summary);
+  const summaries = sessions3.filter((session) => isVisibleRoot(session, byId)).map((session) => aggregateSummary(session.id, byId, childrenByParent)).filter((summary) => !!summary);
   return sortByRecency(summaries).slice(0, limit);
 }
 async function getConversationDetail(sessionId, options = {}) {
   const humanOnly = options.humanOnly !== false;
-  const sessions2 = await loadSessions(options.source);
-  const byId = new Map(sessions2.map((session) => [session.id, session]));
+  const sessions3 = await loadSessions(options.source);
+  const byId = new Map(sessions3.map((session) => [session.id, session]));
   const childrenByParent = /* @__PURE__ */ new Map();
-  for (const session of sessions2) {
+  for (const session of sessions3) {
     const key = session.parent_session_id ?? null;
     const siblings = childrenByParent.get(key) || [];
     siblings.push(session.id);
@@ -41360,13 +41361,34 @@ async function getConversationDetail(sessionId, options = {}) {
   };
 }
 
-// packages/server/src/db/hermes/sessions-db.ts
+// packages/server/src/db/hermes/conversations-db.ts
 init_hermes_profile();
 var SQLITE_AVAILABLE2 = (() => {
   const [major, minor] = process.versions.node.split(".").map(Number);
   return major > 22 || major === 22 && minor >= 5;
 })();
-function sessionDbPath() {
+var LINEAGE_TOLERANCE_SECONDS2 = 3;
+var LIVE_WINDOW_SECONDS2 = 300;
+var DEFAULT_CONVERSATION_LIMIT2 = 200;
+var SYNTHETIC_USER_PREFIXES2 = [
+  "[system:",
+  "you've reached the maximum number of tool-calling iterations allowed.",
+  "you have reached the maximum number of tool-calling iterations allowed."
+];
+var VISIBLE_HUMAN_MESSAGE_SQL = `
+  m.content IS NOT NULL
+  AND m.content != ''
+  AND (
+    m.role = 'assistant'
+    OR (
+      m.role = 'user'
+      AND LOWER(m.content) NOT LIKE '[system:%'
+      AND LOWER(m.content) NOT LIKE 'you''ve reached the maximum number of tool-calling iterations allowed.%'
+      AND LOWER(m.content) NOT LIKE 'you have reached the maximum number of tool-calling iterations allowed.%'
+    )
+  )
+`;
+function conversationDbPath() {
   return `${getActiveProfileDir()}/state.db`;
 }
 function normalizeNumber(value, fallback = 0) {
@@ -41383,19 +41405,80 @@ function normalizeNullableString(value) {
   if (value == null || value === "") return null;
   return String(value);
 }
-function mapRow(row) {
+function safeText2(value) {
+  if (typeof value === "string") return value;
+  if (typeof value === "number" || typeof value === "boolean") return String(value);
+  return "";
+}
+function textFromContent2(value) {
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (trimmed && (trimmed.startsWith("{") || trimmed.startsWith("["))) {
+      try {
+        const parsed = JSON.parse(trimmed);
+        const nested = textFromContent2(parsed);
+        if (nested) return nested;
+      } catch {
+      }
+    }
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean") return String(value);
+  if (Array.isArray(value)) {
+    return value.map((item) => textFromContent2(item).trim()).filter(Boolean).join("\n");
+  }
+  if (!value || typeof value !== "object") return "";
+  const record = value;
+  for (const key of ["text", "content", "value"]) {
+    const direct = record[key];
+    if (typeof direct === "string") return direct;
+    if (Array.isArray(direct)) {
+      const nested = textFromContent2(direct);
+      if (nested) return nested;
+    }
+  }
+  for (const key of ["parts", "children", "items"]) {
+    if (Array.isArray(record[key])) {
+      const nested = textFromContent2(record[key]);
+      if (nested) return nested;
+    }
+  }
+  const flattened = Object.values(record).map((entry) => textFromContent2(entry).trim()).filter(Boolean).join("\n");
+  if (flattened) return flattened;
+  try {
+    return JSON.stringify(record);
+  } catch {
+    return "";
+  }
+}
+function normalizeText2(value) {
+  return textFromContent2(value).replace(/\s+/g, " ").trim().toLowerCase();
+}
+function excerpt2(value, width = 80) {
+  const text = textFromContent2(value).replace(/\s+/g, " ").trim();
+  if (!text) return "";
+  return text.length > width ? `${text.slice(0, width)}\u2026` : text;
+}
+function isSyntheticUserText2(content) {
+  const text = normalizeText2(content);
+  return SYNTHETIC_USER_PREFIXES2.some((prefix) => text.startsWith(prefix));
+}
+function mapSessionRow(row, nowSeconds) {
   const startedAt = normalizeNumber(row.started_at);
+  const endedAt = normalizeNullableNumber(row.ended_at);
+  const preview = excerpt2(row.preview || "");
   const rawTitle = normalizeNullableString(row.title);
-  const preview = String(row.preview || "");
-  const title = rawTitle || (preview ? preview.length > 40 ? preview.slice(0, 40) + "..." : preview : null);
+  const title = rawTitle || (preview ? preview.length > 40 ? `${preview.slice(0, 40)}...` : preview : null);
+  const lastActive = normalizeNumber(row.last_active, startedAt);
   return {
     id: String(row.id || ""),
     source: String(row.source || ""),
     user_id: normalizeNullableString(row.user_id),
     model: String(row.model || ""),
     title,
+    parent_session_id: normalizeNullableString(row.parent_session_id),
     started_at: startedAt,
-    ended_at: normalizeNullableNumber(row.ended_at),
+    ended_at: endedAt,
     end_reason: normalizeNullableString(row.end_reason),
     message_count: normalizeNumber(row.message_count),
     tool_call_count: normalizeNumber(row.tool_call_count),
@@ -41408,8 +41491,338 @@ function mapRow(row) {
     estimated_cost_usd: normalizeNumber(row.estimated_cost_usd),
     actual_cost_usd: normalizeNullableNumber(row.actual_cost_usd),
     cost_status: String(row.cost_status || ""),
+    preview,
+    last_active: lastActive,
+    has_visible_messages: !!normalizeNumber(row.has_visible_messages),
+    is_active: endedAt == null && nowSeconds - lastActive <= LIVE_WINDOW_SECONDS2
+  };
+}
+function sortByRecency2(items) {
+  return [...items].sort((a, b) => {
+    if (b.last_active !== a.last_active) return b.last_active - a.last_active;
+    if (b.started_at !== a.started_at) return b.started_at - a.started_at;
+    return a.id.localeCompare(b.id);
+  });
+}
+function timingMatchesParent2(parent, child) {
+  if (!parent || !child || parent.ended_at == null) return false;
+  return Math.abs(Number(child.started_at || 0) - Number(parent.ended_at || 0)) <= LINEAGE_TOLERANCE_SECONDS2;
+}
+function isBranchRoot2(session, byId) {
+  if (!session?.parent_session_id) return false;
+  const parent = byId.get(session.parent_session_id);
+  return !!parent && parent.end_reason === "branched" && timingMatchesParent2(parent, session);
+}
+function isVisibleRoot2(session, byId) {
+  if (!session || session.source === "tool") return false;
+  return session.parent_session_id == null || isBranchRoot2(session, byId);
+}
+function continuationCandidates2(parent, byId, childrenByParent) {
+  const childIds = childrenByParent.get(parent.id) || [];
+  return childIds.map((childId) => byId.get(childId)).filter((child) => !!child).filter((child) => child.source !== "tool").filter((child) => child.source === parent.source).filter((child) => timingMatchesParent2(parent, child)).sort((a, b) => {
+    const aDelta = Math.abs(Number(a.started_at || 0) - Number(parent.ended_at || 0));
+    const bDelta = Math.abs(Number(b.started_at || 0) - Number(parent.ended_at || 0));
+    if (aDelta !== bDelta) return aDelta - bDelta;
+    return a.id.localeCompare(b.id);
+  });
+}
+function nextContinuationChild2(parent, byId, childrenByParent) {
+  if (parent.end_reason !== "compression") return null;
+  const candidates = continuationCandidates2(parent, byId, childrenByParent);
+  if (candidates.length === 1) return candidates[0];
+  const exactPreviewMatches = candidates.filter((child) => {
+    const childPreview = normalizeText2(child.preview);
+    const parentPreview = normalizeText2(parent.preview);
+    return !!childPreview && childPreview === parentPreview;
+  });
+  if (exactPreviewMatches.length === 1) return exactPreviewMatches[0];
+  return null;
+}
+function collectConversationChain2(rootId, byId, childrenByParent) {
+  const chain = [];
+  const seen = /* @__PURE__ */ new Set();
+  let current = byId.get(rootId) || null;
+  while (current && !seen.has(current.id)) {
+    chain.push(current);
+    seen.add(current.id);
+    current = nextContinuationChild2(current, byId, childrenByParent);
+  }
+  return chain;
+}
+function toSummary2(session) {
+  return {
+    id: session.id,
+    source: safeText2(session.source),
+    model: safeText2(session.model),
+    title: session.title ?? null,
+    started_at: Number(session.started_at || 0),
+    ended_at: session.ended_at ?? null,
+    last_active: session.last_active,
+    message_count: Number(session.message_count || 0),
+    tool_call_count: Number(session.tool_call_count || 0),
+    input_tokens: Number(session.input_tokens || 0),
+    output_tokens: Number(session.output_tokens || 0),
+    cache_read_tokens: Number(session.cache_read_tokens || 0),
+    cache_write_tokens: Number(session.cache_write_tokens || 0),
+    reasoning_tokens: Number(session.reasoning_tokens || 0),
+    billing_provider: session.billing_provider ?? null,
+    estimated_cost_usd: Number(session.estimated_cost_usd || 0),
+    actual_cost_usd: session.actual_cost_usd ?? null,
+    cost_status: safeText2(session.cost_status),
+    preview: session.preview,
+    is_active: session.is_active,
+    thread_session_count: 1
+  };
+}
+function aggregateSummary2(rootId, byId, childrenByParent) {
+  const chain = collectConversationChain2(rootId, byId, childrenByParent);
+  if (!chain.length || !chain.some((session) => session.has_visible_messages)) return null;
+  const root = chain[0];
+  const last = chain[chain.length - 1];
+  const firstPreview = chain.map((session) => session.preview).find(Boolean) || "";
+  const costStatuses = Array.from(new Set(chain.map((session) => safeText2(session.cost_status)).filter(Boolean)));
+  return {
+    ...toSummary2(root),
+    title: root.title || firstPreview || null,
+    preview: root.preview || firstPreview,
+    model: safeText2(last?.model || root.model),
+    ended_at: last?.ended_at ?? null,
+    last_active: Math.max(...chain.map((session) => session.last_active)),
+    is_active: chain.some((session) => session.is_active),
+    billing_provider: last?.billing_provider ?? root.billing_provider ?? null,
+    cost_status: costStatuses.length === 1 ? costStatuses[0] : "mixed",
+    thread_session_count: chain.length,
+    message_count: chain.reduce((sum, session) => sum + Number(session.message_count || 0), 0),
+    tool_call_count: chain.reduce((sum, session) => sum + Number(session.tool_call_count || 0), 0),
+    input_tokens: chain.reduce((sum, session) => sum + Number(session.input_tokens || 0), 0),
+    output_tokens: chain.reduce((sum, session) => sum + Number(session.output_tokens || 0), 0),
+    cache_read_tokens: chain.reduce((sum, session) => sum + Number(session.cache_read_tokens || 0), 0),
+    cache_write_tokens: chain.reduce((sum, session) => sum + Number(session.cache_write_tokens || 0), 0),
+    reasoning_tokens: chain.reduce((sum, session) => sum + Number(session.reasoning_tokens || 0), 0),
+    estimated_cost_usd: chain.reduce((sum, session) => sum + Number(session.estimated_cost_usd || 0), 0),
+    actual_cost_usd: chain.reduce((sum, session) => {
+      const actual = session.actual_cost_usd;
+      if (actual == null) return sum;
+      return (sum || 0) + Number(actual);
+    }, null)
+  };
+}
+function normalizeVisibleMessage2(message2, fallbackTimestamp) {
+  const role = safeText2(message2.role);
+  const content = textFromContent2(message2.content).trim();
+  if (!content) return null;
+  if (role !== "user" && role !== "assistant") return null;
+  if (role === "user" && isSyntheticUserText2(content)) return null;
+  return {
+    id: message2.id,
+    session_id: message2.session_id,
+    role,
+    content,
+    timestamp: Number.isFinite(Number(message2.timestamp)) && Number(message2.timestamp) > 0 ? Number(message2.timestamp) : fallbackTimestamp
+  };
+}
+async function openConversationDb() {
+  if (!SQLITE_AVAILABLE2) {
+    throw new Error(`node:sqlite requires Node >= 22.5, current: ${process.versions.node}`);
+  }
+  const { DatabaseSync: DatabaseSync2 } = await import("node:sqlite");
+  return new DatabaseSync2(conversationDbPath(), { open: true, readOnly: true });
+}
+function buildConversationSessionSql(source) {
+  const sql = `
+    SELECT
+      s.id,
+      s.source,
+      COALESCE(s.user_id, '') AS user_id,
+      COALESCE(s.model, '') AS model,
+      COALESCE(s.title, '') AS title,
+      s.parent_session_id AS parent_session_id,
+      COALESCE(s.started_at, 0) AS started_at,
+      s.ended_at AS ended_at,
+      COALESCE(s.end_reason, '') AS end_reason,
+      COALESCE(s.message_count, 0) AS message_count,
+      COALESCE(s.tool_call_count, 0) AS tool_call_count,
+      COALESCE(s.input_tokens, 0) AS input_tokens,
+      COALESCE(s.output_tokens, 0) AS output_tokens,
+      COALESCE(s.cache_read_tokens, 0) AS cache_read_tokens,
+      COALESCE(s.cache_write_tokens, 0) AS cache_write_tokens,
+      COALESCE(s.reasoning_tokens, 0) AS reasoning_tokens,
+      COALESCE(s.billing_provider, '') AS billing_provider,
+      COALESCE(s.estimated_cost_usd, 0) AS estimated_cost_usd,
+      s.actual_cost_usd AS actual_cost_usd,
+      COALESCE(s.cost_status, '') AS cost_status,
+      COALESCE(
+        (
+          SELECT SUBSTR(REPLACE(REPLACE(m.content, CHAR(10), ' '), CHAR(13), ' '), 1, 80)
+          FROM messages m
+          WHERE m.session_id = s.id
+            AND ${VISIBLE_HUMAN_MESSAGE_SQL}
+          ORDER BY m.timestamp, m.id
+          LIMIT 1
+        ),
+        ''
+      ) AS preview,
+      COALESCE((SELECT MAX(m2.timestamp) FROM messages m2 WHERE m2.session_id = s.id), s.started_at) AS last_active,
+      CASE WHEN EXISTS (
+        SELECT 1
+        FROM messages m
+        WHERE m.session_id = s.id
+          AND ${VISIBLE_HUMAN_MESSAGE_SQL}
+      ) THEN 1 ELSE 0 END AS has_visible_messages
+    FROM sessions s
+    WHERE s.source != 'tool'
+      ${source ? "AND s.source = ?" : ""}
+    ORDER BY s.started_at DESC
+  `;
+  return { sql, params: source ? [source] : [] };
+}
+async function loadConversationSessions(source) {
+  const db = await openConversationDb();
+  try {
+    const { sql, params } = buildConversationSessionSql(source);
+    const rows = db.prepare(sql).all(...params);
+    const nowSeconds = Date.now() / 1e3;
+    return rows.map((row) => mapSessionRow(row, nowSeconds));
+  } finally {
+    db.close();
+  }
+}
+async function listConversationSummariesFromDb(options = {}) {
+  const humanOnly = options.humanOnly !== false;
+  const limit = options.limit && options.limit > 0 ? options.limit : DEFAULT_CONVERSATION_LIMIT2;
+  const sessions3 = await loadConversationSessions(options.source);
+  const byId = new Map(sessions3.map((session) => [session.id, session]));
+  const childrenByParent = /* @__PURE__ */ new Map();
+  for (const session of sessions3) {
+    const key = session.parent_session_id ?? null;
+    const siblings = childrenByParent.get(key) || [];
+    siblings.push(session.id);
+    childrenByParent.set(key, siblings);
+  }
+  if (!humanOnly) {
+    return sortByRecency2(sessions3.map(toSummary2)).slice(0, limit);
+  }
+  const summaries = sessions3.filter((session) => isVisibleRoot2(session, byId)).map((session) => aggregateSummary2(session.id, byId, childrenByParent)).filter((summary) => !!summary);
+  return sortByRecency2(summaries).slice(0, limit);
+}
+async function getConversationDetailFromDb(sessionId, options = {}) {
+  const humanOnly = options.humanOnly !== false;
+  const sessions3 = await loadConversationSessions(options.source);
+  const byId = new Map(sessions3.map((session) => [session.id, session]));
+  const childrenByParent = /* @__PURE__ */ new Map();
+  for (const session of sessions3) {
+    const key = session.parent_session_id ?? null;
+    const siblings = childrenByParent.get(key) || [];
+    siblings.push(session.id);
+    childrenByParent.set(key, siblings);
+  }
+  let chain = [];
+  if (!humanOnly) {
+    const session = byId.get(sessionId);
+    if (!session || session.source === "tool") return null;
+    chain = [session];
+  } else {
+    const root = byId.get(sessionId);
+    if (!isVisibleRoot2(root, byId)) return null;
+    chain = collectConversationChain2(sessionId, byId, childrenByParent);
+  }
+  if (!chain.length) return null;
+  const db = await openConversationDb();
+  try {
+    const ids = chain.map((session) => session.id);
+    const placeholders = ids.map(() => "?").join(", ");
+    const rows = db.prepare(`
+      SELECT id, session_id, role, content, timestamp
+      FROM messages
+      WHERE session_id IN (${placeholders})
+        AND role IN ('user', 'assistant')
+        AND content IS NOT NULL
+        AND content != ''
+      ORDER BY timestamp, id
+    `).all(...ids);
+    const sessionById = new Map(chain.map((session) => [session.id, session]));
+    const messages = rows.map((row) => {
+      const session = sessionById.get(String(row.session_id || ""));
+      return normalizeVisibleMessage2({
+        id: row.id,
+        session_id: String(row.session_id || ""),
+        role: String(row.role || ""),
+        content: row.content,
+        timestamp: normalizeNumber(row.timestamp)
+      }, session?.last_active || session?.started_at || 0);
+    }).filter((message2) => !!message2).sort((a, b) => {
+      if (a.timestamp !== b.timestamp) return a.timestamp - b.timestamp;
+      return String(a.id).localeCompare(String(b.id));
+    });
+    if (!messages.length) {
+      return humanOnly ? null : {
+        session_id: sessionId,
+        messages: [],
+        visible_count: 0,
+        thread_session_count: chain.length
+      };
+    }
+    return {
+      session_id: sessionId,
+      messages,
+      visible_count: messages.length,
+      thread_session_count: chain.length
+    };
+  } finally {
+    db.close();
+  }
+}
+
+// packages/server/src/db/hermes/sessions-db.ts
+init_hermes_profile();
+var SQLITE_AVAILABLE3 = (() => {
+  const [major, minor] = process.versions.node.split(".").map(Number);
+  return major > 22 || major === 22 && minor >= 5;
+})();
+function sessionDbPath() {
+  return `${getActiveProfileDir()}/state.db`;
+}
+function normalizeNumber2(value, fallback = 0) {
+  if (value == null || value === "") return fallback;
+  const num = Number(value);
+  return Number.isFinite(num) ? num : fallback;
+}
+function normalizeNullableNumber2(value) {
+  if (value == null || value === "") return null;
+  const num = Number(value);
+  return Number.isFinite(num) ? num : null;
+}
+function normalizeNullableString2(value) {
+  if (value == null || value === "") return null;
+  return String(value);
+}
+function mapRow(row) {
+  const startedAt = normalizeNumber2(row.started_at);
+  const rawTitle = normalizeNullableString2(row.title);
+  const preview = String(row.preview || "");
+  const title = rawTitle || (preview ? preview.length > 40 ? preview.slice(0, 40) + "..." : preview : null);
+  return {
+    id: String(row.id || ""),
+    source: String(row.source || ""),
+    user_id: normalizeNullableString2(row.user_id),
+    model: String(row.model || ""),
+    title,
+    started_at: startedAt,
+    ended_at: normalizeNullableNumber2(row.ended_at),
+    end_reason: normalizeNullableString2(row.end_reason),
+    message_count: normalizeNumber2(row.message_count),
+    tool_call_count: normalizeNumber2(row.tool_call_count),
+    input_tokens: normalizeNumber2(row.input_tokens),
+    output_tokens: normalizeNumber2(row.output_tokens),
+    cache_read_tokens: normalizeNumber2(row.cache_read_tokens),
+    cache_write_tokens: normalizeNumber2(row.cache_write_tokens),
+    reasoning_tokens: normalizeNumber2(row.reasoning_tokens),
+    billing_provider: normalizeNullableString2(row.billing_provider),
+    estimated_cost_usd: normalizeNumber2(row.estimated_cost_usd),
+    actual_cost_usd: normalizeNullableNumber2(row.actual_cost_usd),
+    cost_status: String(row.cost_status || ""),
     preview: String(row.preview || ""),
-    last_active: normalizeNumber(row.last_active, startedAt)
+    last_active: normalizeNumber2(row.last_active, startedAt)
   };
 }
 var SESSION_SELECT = `
@@ -41472,6 +41885,35 @@ function containsCjk(text) {
   }
   return false;
 }
+function isNumericQuery(text) {
+  return /^\d+(?:\s+\d+)*$/.test(text.trim());
+}
+function hasUnsafeChars(text) {
+  return /[^\w\s\u4e00-\u9fff\u3400-\u4dbf\u3000-\u303f\u3040-\u309f\u30a0-\u30ff\uac00-\ud7af]/.test(text);
+}
+function runLikeContentSearch(db, source, query) {
+  const likeBase = buildBaseSessionSql(source);
+  const likeSql = `
+    WITH base AS (
+      ${likeBase.sql}
+    )
+    SELECT
+      base.*,
+      m.id AS matched_message_id,
+      substr(
+        m.content,
+        max(1, instr(m.content, ?) - 40),
+        120
+      ) AS snippet,
+      0 AS rank
+    FROM base
+    JOIN messages m ON m.session_id = base.id
+    WHERE m.content LIKE ?
+    ORDER BY base.last_active DESC, m.timestamp DESC
+  `;
+  const likeStatement = db.prepare(likeSql);
+  return likeStatement.all(...likeBase.params, query, `%${query}%`);
+}
 function sanitizeFtsQuery(query) {
   const quotedParts = [];
   const preserved = query.replace(/"[^"]*"/g, (match) => {
@@ -41502,13 +41944,13 @@ function toPrefixQuery(query) {
 function mapSearchRow(row) {
   return {
     ...mapRow(row),
-    matched_message_id: normalizeNullableNumber(row.matched_message_id),
+    matched_message_id: normalizeNullableNumber2(row.matched_message_id),
     snippet: String(row.snippet || row.preview || ""),
     rank: Number.isFinite(Number(row.rank)) ? Number(row.rank) : 0
   };
 }
 async function listSessionSummaries(source, limit = 2e3) {
-  if (!SQLITE_AVAILABLE2) {
+  if (!SQLITE_AVAILABLE3) {
     throw new Error(`node:sqlite requires Node >= 22.5, current: ${process.versions.node}`);
   }
   const { DatabaseSync: DatabaseSync2 } = await import("node:sqlite");
@@ -41523,7 +41965,7 @@ async function listSessionSummaries(source, limit = 2e3) {
   }
 }
 async function searchSessionSummaries(query, source, limit = 20) {
-  if (!SQLITE_AVAILABLE2) {
+  if (!SQLITE_AVAILABLE3) {
     throw new Error(`node:sqlite requires Node >= 22.5, current: ${process.versions.node}`);
   }
   const trimmed = query.trim();
@@ -41540,6 +41982,7 @@ async function searchSessionSummaries(query, source, limit = 20) {
   const db = new DatabaseSync2(sessionDbPath(), { open: true, readOnly: true });
   const normalized = sanitizeFtsQuery(trimmed);
   const prefixQuery = toPrefixQuery(normalized);
+  let titleRows = [];
   try {
     const titleBase = buildBaseSessionSql(source);
     const contentBase = buildBaseSessionSql(source);
@@ -41561,7 +42004,7 @@ async function searchSessionSummaries(query, source, limit = 20) {
       LIMIT ?
     `;
     const titleStatement = db.prepare(titleSql);
-    const titleRows = titleStatement.all(...titleBase.params, `%${trimmed.toLowerCase()}%`, limit);
+    titleRows = titleStatement.all(...titleBase.params, `%${trimmed.toLowerCase()}%`, limit);
     const contentSql = `
       WITH base AS (
         ${contentBase.sql}
@@ -41597,28 +42040,9 @@ async function searchSessionSummaries(query, source, limit = 20) {
     });
     return items.slice(0, limit);
   } catch (err) {
+    const message2 = err instanceof Error ? err.message : String(err);
     if (containsCjk(normalized)) {
-      const likeBase = buildBaseSessionSql(source);
-      const likeSql = `
-        WITH base AS (
-          ${likeBase.sql}
-        )
-        SELECT
-          base.*,
-          m.id AS matched_message_id,
-          substr(
-            m.content,
-            max(1, instr(m.content, ?) - 40),
-            120
-          ) AS snippet,
-          0 AS rank
-        FROM base
-        JOIN messages m ON m.session_id = base.id
-        WHERE m.content LIKE ?
-        ORDER BY base.last_active DESC, m.timestamp DESC
-      `;
-      const likeStatement = db.prepare(likeSql);
-      const likeRows = likeStatement.all(...likeBase.params, trimmed, `%${trimmed}%`);
+      const likeRows = runLikeContentSearch(db, source, trimmed);
       const merged = /* @__PURE__ */ new Map();
       for (const row of likeRows) {
         const mapped = mapSearchRow(row);
@@ -41628,7 +42052,21 @@ async function searchSessionSummaries(query, source, limit = 20) {
       }
       return [...merged.values()].slice(0, limit);
     }
-    const message2 = err instanceof Error ? err.message : String(err);
+    if (isNumericQuery(trimmed) || hasUnsafeChars(trimmed)) {
+      const likeRows = runLikeContentSearch(db, source, trimmed);
+      const merged = /* @__PURE__ */ new Map();
+      for (const row of titleRows) {
+        const mapped = mapSearchRow(row);
+        merged.set(mapped.id, mapped);
+      }
+      for (const row of likeRows) {
+        const mapped = mapSearchRow(row);
+        if (!merged.has(mapped.id)) {
+          merged.set(mapped.id, mapped);
+        }
+      }
+      return [...merged.values()].slice(0, limit);
+    }
     throw new Error(`Failed to search sessions: ${message2}`);
   } finally {
     db.close();
@@ -41721,12 +42159,31 @@ async function listConversations(ctx) {
   const source = ctx.query.source || void 0;
   const humanOnly = parseHumanOnly(ctx.query.humanOnly);
   const limit = parseLimit(ctx.query.limit);
-  const sessions2 = await listConversationSummaries({ source, humanOnly, limit });
-  ctx.body = { sessions: sessions2 };
+  try {
+    const sessions4 = await listConversationSummariesFromDb({ source, humanOnly, limit });
+    ctx.body = { sessions: sessions4 };
+    return;
+  } catch (err) {
+    logger.warn(err, "Hermes Conversation DB: summary query failed, falling back to CLI export");
+  }
+  const sessions3 = await listConversationSummaries({ source, humanOnly, limit });
+  ctx.body = { sessions: sessions3 };
 }
 async function getConversationMessages(ctx) {
   const source = ctx.query.source || void 0;
   const humanOnly = parseHumanOnly(ctx.query.humanOnly);
+  try {
+    const detail2 = await getConversationDetailFromDb(ctx.params.id, { source, humanOnly });
+    if (!detail2) {
+      ctx.status = 404;
+      ctx.body = { error: "Conversation not found" };
+      return;
+    }
+    ctx.body = detail2;
+    return;
+  } catch (err) {
+    logger.warn(err, "Hermes Conversation DB: detail query failed, falling back to CLI export");
+  }
   const detail = await getConversationDetail(ctx.params.id, { source, humanOnly });
   if (!detail) {
     ctx.status = 404;
@@ -41739,14 +42196,14 @@ async function list(ctx) {
   const source = ctx.query.source || void 0;
   const limit = ctx.query.limit ? parseInt(ctx.query.limit, 10) : void 0;
   try {
-    const sessions3 = await listSessionSummaries(source, limit && limit > 0 ? limit : 2e3);
-    ctx.body = { sessions: sessions3 };
+    const sessions4 = await listSessionSummaries(source, limit && limit > 0 ? limit : 2e3);
+    ctx.body = { sessions: sessions4 };
     return;
   } catch (err) {
     logger.warn(err, "Hermes Session DB: summary query failed, falling back to CLI");
   }
-  const sessions2 = await listSessions(source, limit);
-  ctx.body = { sessions: sessions2 };
+  const sessions3 = await listSessions(source, limit);
+  ctx.body = { sessions: sessions3 };
 }
 async function search(ctx) {
   const q = typeof ctx.query.q === "string" ? ctx.query.q : "";
@@ -42081,6 +42538,8 @@ var PROVIDER_ENV_MAP = {
   "opencode-go": { api_key_env: "OPENCODE_API_KEY", base_url_env: "" },
   huggingface: { api_key_env: "HF_TOKEN", base_url_env: "" },
   arcee: { api_key_env: "ARCEE_API_KEY", base_url_env: "" },
+  stepfun: { api_key_env: "STEPFUN_API_KEY", base_url_env: "" },
+  nous: { api_key_env: "", base_url_env: "" },
   "openai-codex": { api_key_env: "", base_url_env: "" }
 };
 var configPath = () => getActiveConfigPath();
@@ -42193,7 +42652,7 @@ async function listFilesRecursive(dir, prefix) {
 }
 async function fetchProviderModels(baseUrl, apiKey) {
   const base = baseUrl.replace(/\/+$/, "");
-  const modelsUrl = base.endsWith("/v1") ? `${base}/models` : `${base}/v1/models`;
+  const modelsUrl = /\/v\d+\/?$/.test(base) ? `${base}/models` : `${base}/v1/models`;
   try {
     const res = await fetch(modelsUrl, {
       headers: { Authorization: `Bearer ${apiKey}` },
@@ -42463,6 +42922,7 @@ var PROVIDER_PRESETS = [
     base_url: "https://api.kimi.com/coding/v1",
     models: [
       "kimi-for-coding",
+      "kimi-k2.6",
       "kimi-k2.5",
       "kimi-k2-thinking",
       "kimi-k2-turbo-preview",
@@ -42475,6 +42935,7 @@ var PROVIDER_PRESETS = [
     builtin: true,
     base_url: "https://api.moonshot.cn/v1",
     models: [
+      "kimi-k2.6",
       "kimi-k2.5",
       "kimi-k2-thinking",
       "kimi-k2-turbo-preview",
@@ -42638,6 +43099,50 @@ var PROVIDER_PRESETS = [
     base_url: "https://api.arcee.ai/v1",
     models: ["trinity-large-thinking", "trinity-large-preview", "trinity-mini"]
   },
+  {
+    label: "Nous Portal",
+    value: "nous",
+    builtin: true,
+    base_url: "https://inference-api.nousresearch.com/v1",
+    models: [
+      "moonshotai/kimi-k2.6",
+      "xiaomi/mimo-v2.5-pro",
+      "xiaomi/mimo-v2.5",
+      "anthropic/claude-opus-4.7",
+      "anthropic/claude-opus-4.6",
+      "anthropic/claude-sonnet-4.6",
+      "anthropic/claude-sonnet-4.5",
+      "anthropic/claude-haiku-4.5",
+      "openai/gpt-5.4",
+      "openai/gpt-5.4-mini",
+      "openai/gpt-5.3-codex",
+      "google/gemini-3-pro-preview",
+      "google/gemini-3-flash-preview",
+      "google/gemini-3.1-pro-preview",
+      "google/gemini-3.1-flash-lite-preview",
+      "qwen/qwen3.5-plus-02-15",
+      "qwen/qwen3.5-35b-a3b",
+      "stepfun/step-3.5-flash",
+      "minimax/minimax-m2.7",
+      "minimax/minimax-m2.5",
+      "minimax/minimax-m2.5:free",
+      "z-ai/glm-5.1",
+      "z-ai/glm-5v-turbo",
+      "z-ai/glm-5-turbo",
+      "x-ai/grok-4.20-beta",
+      "nvidia/nemotron-3-super-120b-a12b",
+      "arcee-ai/trinity-large-thinking",
+      "openai/gpt-5.4-pro",
+      "openai/gpt-5.4-nano"
+    ]
+  },
+  {
+    label: "StepFun",
+    value: "stepfun",
+    builtin: true,
+    base_url: "https://api.stepfun.ai/step_plan/v1",
+    models: ["step-3.5-flash", "step-3.5-flash-2603"]
+  },
   {
     label: "OpenRouter",
     value: "openrouter",
@@ -42700,7 +43205,9 @@ async function getAvailable(ctx) {
         const authPath = getActiveAuthPath();
         if (!(0, import_fs11.existsSync)(authPath)) return false;
         const auth = JSON.parse((0, import_fs11.readFileSync)(authPath, "utf-8"));
-        return !!auth.providers?.[providerKey]?.tokens?.access_token;
+        const provider = auth.providers?.[providerKey];
+        if (!provider) return false;
+        return !!(provider.tokens?.access_token || provider.access_token);
       } catch {
         return false;
       }
@@ -43372,7 +43879,7 @@ async function codexLoginWorker(session, authPath) {
   const startTime = Date.now();
   const interval = POLL_DEFAULT_INTERVAL;
   while (Date.now() - startTime < POLL_MAX_DURATION) {
-    await new Promise((resolve10) => setTimeout(resolve10, interval));
+    await new Promise((resolve11) => setTimeout(resolve11, interval));
     if (session.status !== "pending") return;
     try {
       const pollRes = await fetch(CODEX_DEVICE_TOKEN_URL, {
@@ -43533,6 +44040,232 @@ codexAuthRoutes.post("/api/hermes/auth/codex/start", start);
 codexAuthRoutes.get("/api/hermes/auth/codex/poll/:sessionId", poll);
 codexAuthRoutes.get("/api/hermes/auth/codex/status", status);
 
+// packages/server/src/controllers/hermes/nous-auth.ts
+var import_crypto4 = require("crypto");
+var import_fs15 = require("fs");
+init_hermes_profile();
+init_logger();
+var NOUS_PORTAL_URL = "https://portal.nousresearch.com";
+var NOUS_CLIENT_ID = "hermes-cli";
+var NOUS_SCOPE = "inference:mint_agent_key";
+var POLL_MAX_DURATION2 = 15 * 60 * 1e3;
+var POLL_DEFAULT_INTERVAL2 = 5e3;
+var sessions2 = /* @__PURE__ */ new Map();
+function cleanupExpiredSessions2() {
+  const now = Date.now();
+  sessions2.forEach((s, id) => {
+    if (now - s.createdAt > POLL_MAX_DURATION2 + 6e4) sessions2.delete(id);
+  });
+}
+function loadAuthJson2(authPath) {
+  try {
+    return JSON.parse((0, import_fs15.readFileSync)(authPath, "utf-8"));
+  } catch {
+    return { version: 1 };
+  }
+}
+function saveAuthJson2(authPath, data) {
+  data.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+  const dir = authPath.substring(0, authPath.lastIndexOf("/"));
+  if (!(0, import_fs15.existsSync)(dir)) (0, import_fs15.mkdirSync)(dir, { recursive: true });
+  (0, import_fs15.writeFileSync)(authPath, JSON.stringify(data, null, 2) + "\n", { mode: 384 });
+}
+async function nousLoginWorker(session, authPath) {
+  const startTime = Date.now();
+  let interval = session.interval || POLL_DEFAULT_INTERVAL2;
+  while (Date.now() - startTime < POLL_MAX_DURATION2) {
+    await new Promise((resolve11) => setTimeout(resolve11, interval));
+    if (session.status !== "pending") return;
+    try {
+      const res = await fetch(`${NOUS_PORTAL_URL}/api/oauth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+          client_id: NOUS_CLIENT_ID,
+          device_code: session.deviceCode
+        }).toString(),
+        signal: AbortSignal.timeout(15e3)
+      });
+      if (res.ok) {
+        const tokenData = await res.json();
+        const inferenceBaseUrl = tokenData.inference_base_url || "https://inference-api.nousresearch.com/v1";
+        let agentKey = "";
+        let agentKeyExpiresAt = "";
+        try {
+          const mintRes = await fetch(`${NOUS_PORTAL_URL}/api/oauth/agent-key`, {
+            method: "POST",
+            headers: {
+              "Authorization": `Bearer ${tokenData.access_token}`,
+              "Content-Type": "application/json"
+            },
+            body: JSON.stringify({ min_ttl_seconds: 1800 }),
+            signal: AbortSignal.timeout(15e3)
+          });
+          if (mintRes.ok) {
+            const mintData = await mintRes.json();
+            agentKey = mintData.api_key;
+            agentKeyExpiresAt = mintData.expires_at;
+            if (mintData.inference_base_url) {
+              void mintData.inference_base_url;
+            }
+          }
+        } catch (err) {
+          logger.warn(err, "Nous agent key minting failed, proceeding without");
+        }
+        const auth = loadAuthJson2(authPath);
+        if (!auth.providers) auth.providers = {};
+        const now = /* @__PURE__ */ new Date();
+        auth.providers["nous"] = {
+          portal_base_url: NOUS_PORTAL_URL,
+          inference_base_url: inferenceBaseUrl,
+          client_id: NOUS_CLIENT_ID,
+          scope: NOUS_SCOPE,
+          token_type: "Bearer",
+          access_token: tokenData.access_token,
+          refresh_token: tokenData.refresh_token || null,
+          obtained_at: now.toISOString(),
+          expires_at: tokenData.expires_in ? new Date(now.getTime() + tokenData.expires_in * 1e3).toISOString() : null,
+          agent_key: agentKey || null,
+          agent_key_expires_at: agentKeyExpiresAt || null,
+          agent_key_obtained_at: agentKey ? now.toISOString() : null
+        };
+        if (!auth.credential_pool) auth.credential_pool = {};
+        auth.credential_pool["nous"] = [{
+          id: `nous-${Date.now()}`,
+          label: "Nous Portal",
+          auth_type: "oauth",
+          source: "device_code",
+          priority: 0,
+          access_token: tokenData.access_token,
+          refresh_token: tokenData.refresh_token || null,
+          portal_base_url: NOUS_PORTAL_URL,
+          inference_base_url: inferenceBaseUrl,
+          agent_key: agentKey || null,
+          agent_key_expires_at: agentKeyExpiresAt || null,
+          base_url: inferenceBaseUrl
+        }];
+        saveAuthJson2(authPath, auth);
+        session.status = "approved";
+        logger.info("Nous login successful");
+        return;
+      }
+      const errData = await res.json().catch(() => ({}));
+      const errorCode = errData.error;
+      if (errorCode === "authorization_pending") {
+        continue;
+      }
+      if (errorCode === "slow_down") {
+        interval = Math.min(interval + 1e3, 3e4);
+        continue;
+      }
+      if (errorCode === "access_denied" || errorCode === "expired_token") {
+        session.status = errorCode === "access_denied" ? "denied" : "expired";
+        return;
+      }
+      logger.error("Nous poll error: %s %s", res.status, errorCode);
+      session.status = "error";
+      session.error = `OAuth error: ${errorCode}`;
+      return;
+    } catch (err) {
+      if (err.name === "TimeoutError" || err.name === "AbortError") continue;
+      logger.error(err, "Nous poll error");
+      session.status = "error";
+      session.error = err.message;
+      return;
+    }
+  }
+  session.status = "expired";
+}
+async function start2(ctx) {
+  try {
+    cleanupExpiredSessions2();
+    const res = await fetch(`${NOUS_PORTAL_URL}/api/oauth/device/code`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json" },
+      body: new URLSearchParams({
+        client_id: NOUS_CLIENT_ID,
+        scope: NOUS_SCOPE
+      }).toString(),
+      signal: AbortSignal.timeout(15e3)
+    });
+    if (!res.ok) {
+      let errorBody = null;
+      try {
+        errorBody = await res.json();
+      } catch {
+      }
+      logger.error("Nous device code request failed: %d %s", res.status, errorBody);
+      ctx.status = 502;
+      ctx.body = { error: `Nous Portal error: ${res.status}` };
+      return;
+    }
+    const data = await res.json();
+    const sessionId = (0, import_crypto4.randomUUID)();
+    const session = {
+      id: sessionId,
+      deviceCode: data.device_code,
+      userCode: data.user_code,
+      verificationUrl: data.verification_uri,
+      verificationUrlComplete: data.verification_uri_complete,
+      expiresIn: data.expires_in,
+      interval: data.interval,
+      status: "pending",
+      createdAt: Date.now()
+    };
+    sessions2.set(sessionId, session);
+    const authPath = getActiveAuthPath();
+    nousLoginWorker(session, authPath).catch((err) => {
+      logger.error(err, "Nous login worker error");
+      session.status = "error";
+      session.error = err.message;
+    });
+    ctx.body = {
+      session_id: sessionId,
+      user_code: data.user_code,
+      verification_url: data.verification_uri_complete,
+      expires_in: data.expires_in
+    };
+  } catch (err) {
+    if (err.name === "TimeoutError" || err.name === "AbortError") {
+      ctx.status = 504;
+      ctx.body = { error: "Nous Portal timeout" };
+      return;
+    }
+    ctx.status = 500;
+    ctx.body = { error: err.message };
+  }
+}
+async function poll2(ctx) {
+  const session = sessions2.get(ctx.params.sessionId);
+  if (!session) {
+    ctx.status = 404;
+    ctx.body = { error: "Session not found" };
+    return;
+  }
+  ctx.body = { status: session.status, error: session.error || null };
+}
+async function status2(ctx) {
+  try {
+    const authPath = getActiveAuthPath();
+    const auth = loadAuthJson2(authPath);
+    const nousProvider = auth.providers?.["nous"];
+    if (!nousProvider?.access_token) {
+      ctx.body = { authenticated: false };
+      return;
+    }
+    ctx.body = { authenticated: true };
+  } catch {
+    ctx.body = { authenticated: false };
+  }
+}
+
+// packages/server/src/routes/hermes/nous-auth.ts
+var nousAuthRoutes = new router_default();
+nousAuthRoutes.post("/api/hermes/auth/nous/start", start2);
+nousAuthRoutes.get("/api/hermes/auth/nous/poll/:sessionId", poll2);
+nousAuthRoutes.get("/api/hermes/auth/nous/status", status2);
+
 // packages/server/src/controllers/hermes/gateways.ts
 async function list5(ctx) {
   const mgr = getGatewayManagerInstance();
@@ -43544,7 +44277,7 @@ async function list5(ctx) {
   const gateways = await mgr.listAll();
   ctx.body = { gateways };
 }
-async function start2(ctx) {
+async function start3(ctx) {
   const mgr = getGatewayManagerInstance();
   if (!mgr) {
     ctx.status = 503;
@@ -43552,8 +44285,8 @@ async function start2(ctx) {
     return;
   }
   try {
-    const status2 = await mgr.start(ctx.params.name);
-    ctx.body = { success: true, gateway: status2 };
+    const status3 = await mgr.start(ctx.params.name);
+    ctx.body = { success: true, gateway: status3 };
   } catch (err) {
     ctx.status = 500;
     ctx.body = { error: err.message };
@@ -43581,14 +44314,14 @@ async function health(ctx) {
     ctx.body = { error: "GatewayManager not initialized" };
     return;
   }
-  const status2 = await mgr.detectStatus(ctx.params.name);
-  ctx.body = { gateway: status2 };
+  const status3 = await mgr.detectStatus(ctx.params.name);
+  ctx.body = { gateway: status3 };
 }
 
 // packages/server/src/routes/hermes/gateways.ts
 var gatewayRoutes = new router_default();
 gatewayRoutes.get("/api/hermes/gateways", list5);
-gatewayRoutes.post("/api/hermes/gateways/:name/start", start2);
+gatewayRoutes.post("/api/hermes/gateways/:name/start", start3);
 gatewayRoutes.post("/api/hermes/gateways/:name/stop", stop);
 gatewayRoutes.get("/api/hermes/gateways/:name/health", health);
 
@@ -44363,7 +45096,7 @@ var import_url2 = __toESM(require("url"), 1);
 var URLSearchParams_default = import_url2.default.URLSearchParams;
 
 // node_modules/axios/lib/platform/node/index.js
-var import_crypto4 = __toESM(require("crypto"), 1);
+var import_crypto5 = __toESM(require("crypto"), 1);
 var ALPHA = "abcdefghijklmnopqrstuvwxyz";
 var DIGIT = "0123456789";
 var ALPHABET = {
@@ -44375,7 +45108,7 @@ var generateString = (size = 16, alphabet = ALPHABET.ALPHA_DIGIT) => {
   let str2 = "";
   const { length } = alphabet;
   const randomValues = new Uint32Array(size);
-  import_crypto4.default.randomFillSync(randomValues);
+  import_crypto5.default.randomFillSync(randomValues);
   for (let i = 0; i < size; i++) {
     str2 += alphabet[randomValues[i] % length];
   }
@@ -44582,8 +45315,8 @@ var defaults = {
     FormData: platform_default.classes.FormData,
     Blob: platform_default.classes.Blob
   },
-  validateStatus: function validateStatus(status2) {
-    return status2 >= 200 && status2 < 300;
+  validateStatus: function validateStatus(status3) {
+    return status3 >= 200 && status3 < 300;
   },
   headers: {
     common: {
@@ -44941,10 +45674,10 @@ var CanceledError = class extends AxiosError_default {
 var CanceledError_default = CanceledError;
 
 // node_modules/axios/lib/core/settle.js
-function settle(resolve10, reject, response) {
+function settle(resolve11, reject, response) {
   const validateStatus2 = response.config.validateStatus;
   if (!response.status || !validateStatus2 || validateStatus2(response.status)) {
-    resolve10(response);
+    resolve11(response);
   } else {
     reject(
       new AxiosError_default(
@@ -45731,7 +46464,7 @@ function setProxy(options, configProxy, location) {
 }
 var isHttpAdapterSupported = typeof process !== "undefined" && utils_default.kindOf(process) === "process";
 var wrapAsync = (asyncExecutor) => {
-  return new Promise((resolve10, reject) => {
+  return new Promise((resolve11, reject) => {
     let onDone;
     let isDone;
     const done = (value, isRejected) => {
@@ -45741,7 +46474,7 @@ var wrapAsync = (asyncExecutor) => {
     };
     const _resolve = (value) => {
       done(value);
-      resolve10(value);
+      resolve11(value);
     };
     const _reject = (reason) => {
       done(reason, true);
@@ -45778,17 +46511,17 @@ var http2Transport = {
     req.once("response", (responseHeaders) => {
       const response = req;
       responseHeaders = Object.assign({}, responseHeaders);
-      const status2 = responseHeaders[HTTP2_HEADER_STATUS];
+      const status3 = responseHeaders[HTTP2_HEADER_STATUS];
       delete responseHeaders[HTTP2_HEADER_STATUS];
       response.headers = responseHeaders;
-      response.statusCode = +status2;
+      response.statusCode = +status3;
       cb(response);
     });
     return req;
   }
 };
 var http_default = isHttpAdapterSupported && function httpAdapter(config2) {
-  return wrapAsync(async function dispatchHttpRequest(resolve10, reject, onDone) {
+  return wrapAsync(async function dispatchHttpRequest(resolve11, reject, onDone) {
     let { data, lookup, family, httpVersion = 1, http2Options } = config2;
     const { responseType, responseEncoding } = config2;
     const method = config2.method.toUpperCase();
@@ -45878,7 +46611,7 @@ var http_default = isHttpAdapterSupported && function httpAdapter(config2) {
       }
       let convertedData;
       if (method !== "GET") {
-        return settle(resolve10, reject, {
+        return settle(resolve11, reject, {
           status: 405,
           statusText: "method not allowed",
           headers: {},
@@ -45900,7 +46633,7 @@ var http_default = isHttpAdapterSupported && function httpAdapter(config2) {
       } else if (responseType === "stream") {
         convertedData = import_stream5.default.Readable.from(convertedData);
       }
-      return settle(resolve10, reject, {
+      return settle(resolve11, reject, {
         data: convertedData,
         status: 200,
         statusText: "OK",
@@ -46141,7 +46874,7 @@ var http_default = isHttpAdapterSupported && function httpAdapter(config2) {
       };
       if (responseType === "stream") {
         response.data = responseStream;
-        settle(resolve10, reject, response);
+        settle(resolve11, reject, response);
       } else {
         const responseBuffer = [];
         let totalResponseBytes = 0;
@@ -46191,7 +46924,7 @@ var http_default = isHttpAdapterSupported && function httpAdapter(config2) {
           } catch (err) {
             return reject(AxiosError_default.from(err, null, config2, response.request, response));
           }
-          settle(resolve10, reject, response);
+          settle(resolve11, reject, response);
         });
       }
       abortEmitter.once("abort", (err) => {
@@ -46452,7 +47185,7 @@ var resolveConfig_default = (config2) => {
 // node_modules/axios/lib/adapters/xhr.js
 var isXHRAdapterSupported = typeof XMLHttpRequest !== "undefined";
 var xhr_default = isXHRAdapterSupported && function(config2) {
-  return new Promise(function dispatchXhrRequest(resolve10, reject) {
+  return new Promise(function dispatchXhrRequest(resolve11, reject) {
     const _config = resolveConfig_default(config2);
     let requestData = _config.data;
     const requestHeaders = AxiosHeaders_default.from(_config.headers).normalize();
@@ -46487,7 +47220,7 @@ var xhr_default = isXHRAdapterSupported && function(config2) {
       };
       settle(
         function _resolve(value) {
-          resolve10(value);
+          resolve11(value);
           done();
         },
         function _reject(err) {
@@ -46518,7 +47251,7 @@ var xhr_default = isXHRAdapterSupported && function(config2) {
       reject(new AxiosError_default("Request aborted", AxiosError_default.ECONNABORTED, config2, request));
       request = null;
     };
-    request.onerror = function handleError(event) {
+    request.onerror = function handleError2(event) {
       const msg = event && event.message ? event.message : "Network Error";
       const err = new AxiosError_default(msg, AxiosError_default.ERR_NETWORK, config2, request);
       err.event = event || null;
@@ -46887,8 +47620,8 @@ var factory = (env) => {
         config2
       );
       !isStreamResponse && unsubscribe && unsubscribe();
-      return await new Promise((resolve10, reject) => {
-        settle(resolve10, reject, {
+      return await new Promise((resolve11, reject) => {
+        settle(resolve11, reject, {
           data: responseData,
           headers: AxiosHeaders_default.from(response.headers),
           status: response.status,
@@ -47314,8 +48047,8 @@ var CancelToken = class _CancelToken {
       throw new TypeError("executor must be a function.");
     }
     let resolvePromise;
-    this.promise = new Promise(function promiseExecutor(resolve10) {
-      resolvePromise = resolve10;
+    this.promise = new Promise(function promiseExecutor(resolve11) {
+      resolvePromise = resolve11;
     });
     const token = this;
     this.promise.then((cancel) => {
@@ -47328,9 +48061,9 @@ var CancelToken = class _CancelToken {
     });
     this.promise.then = (onfulfilled) => {
       let _resolve;
-      const promise = new Promise((resolve10) => {
-        token.subscribe(resolve10);
-        _resolve = resolve10;
+      const promise = new Promise((resolve11) => {
+        token.subscribe(resolve11);
+        _resolve = resolve11;
       }).then(onfulfilled);
       promise.cancel = function reject() {
         token.unsubscribe(_resolve);
@@ -47577,11 +48310,11 @@ async function pollStatus(ctx) {
   try {
     const res = await axios_default.get(`${ILINK_BASE}/ilink/bot/get_qrcode_status`, { params: { qrcode }, timeout: 35e3 });
     const data = res.data;
-    const status2 = data?.status || "wait";
-    if (status2 === "confirmed") {
+    const status3 = data?.status || "wait";
+    if (status3 === "confirmed") {
       ctx.body = { status: "confirmed", account_id: data.ilink_bot_id, token: data.bot_token, base_url: data.baseurl };
     } else {
-      ctx.body = { status: status2 };
+      ctx.body = { status: status3 };
     }
   } catch (err) {
     ctx.status = 500;
@@ -47650,6 +48383,1073 @@ weixinRoutes.get("/api/hermes/weixin/qrcode", getQrcode);
 weixinRoutes.get("/api/hermes/weixin/qrcode/status", pollStatus);
 weixinRoutes.post("/api/hermes/weixin/save", save2);
 
+// packages/server/src/services/hermes/file-provider.ts
+var import_promises14 = require("fs/promises");
+var import_path17 = require("path");
+var import_child_process5 = require("child_process");
+var import_util5 = require("util");
+var import_fs16 = require("fs");
+init_js_yaml();
+init_hermes_profile();
+var execFileAsync3 = (0, import_util5.promisify)(import_child_process5.execFile);
+var MAX_DOWNLOAD_SIZE = parseInt(process.env.MAX_DOWNLOAD_SIZE || "", 10) || 100 * 1024 * 1024;
+var BACKEND_TIMEOUT = 3e4;
+var MAX_EDIT_SIZE = parseInt(process.env.MAX_EDIT_SIZE || "", 10) || 10 * 1024 * 1024;
+var SENSITIVE_FILES = /* @__PURE__ */ new Set([".env", "auth.json"]);
+function validatePath(filePath) {
+  if (!filePath) throw Object.assign(new Error("Missing file path"), { code: "missing_path" });
+  const resolved = (0, import_path17.resolve)(filePath);
+  const normalized = (0, import_path17.normalize)(resolved);
+  if (normalized.includes("..")) {
+    throw Object.assign(new Error("Invalid file path"), { code: "invalid_path" });
+  }
+  if (!(0, import_path17.isAbsolute)(normalized)) {
+    throw Object.assign(new Error("Path must be absolute"), { code: "invalid_path" });
+  }
+  return normalized;
+}
+function isInUploadDir(filePath) {
+  const normalized = (0, import_path17.normalize)((0, import_path17.resolve)(filePath));
+  const uploadNormalized = (0, import_path17.normalize)((0, import_path17.resolve)(config.uploadDir));
+  return normalized.startsWith(uploadNormalized + "/") || normalized.startsWith(uploadNormalized + "\\") || normalized === uploadNormalized;
+}
+function isSensitivePath(relativePath) {
+  const parts = relativePath.replace(/\\/g, "/").split("/");
+  const fileName = parts[parts.length - 1];
+  return SENSITIVE_FILES.has(fileName);
+}
+function resolveHermesPath(relativePath) {
+  const homeDir = getActiveProfileDir();
+  if (!relativePath || relativePath === "." || relativePath === "/") {
+    return homeDir;
+  }
+  const normalized = (0, import_path17.normalize)(relativePath).replace(/\\/g, "/");
+  if (normalized.startsWith("..") || normalized.includes("/../") || normalized.startsWith("/")) {
+    throw Object.assign(new Error("Invalid file path"), { code: "invalid_path" });
+  }
+  const resolved = (0, import_path17.resolve)(homeDir, normalized);
+  if (!resolved.startsWith(homeDir)) {
+    throw Object.assign(new Error("Path traversal detected"), { code: "invalid_path" });
+  }
+  return resolved;
+}
+var LocalFileProvider = class {
+  type = "local";
+  async readFile(filePath) {
+    const p = validatePath(filePath);
+    const s = await (0, import_promises14.stat)(p);
+    if (!s.isFile()) throw Object.assign(new Error("Not a file"), { code: "not_found" });
+    if (s.size > MAX_DOWNLOAD_SIZE) {
+      throw Object.assign(new Error(`File too large: ${s.size} bytes`), { code: "file_too_large" });
+    }
+    return (0, import_promises14.readFile)(p);
+  }
+  async exists(filePath) {
+    try {
+      const p = validatePath(filePath);
+      const s = await (0, import_promises14.stat)(p);
+      return s.isFile();
+    } catch {
+      return false;
+    }
+  }
+  async listDir(dirPath) {
+    const p = validatePath(dirPath);
+    const homeDir = getActiveProfileDir();
+    const entries = await (0, import_promises14.readdir)(p, { withFileTypes: true });
+    const results = [];
+    for (const entry of entries) {
+      try {
+        const fullPath = (0, import_path17.resolve)(p, entry.name);
+        const s = await (0, import_promises14.stat)(fullPath);
+        const relPath = fullPath.startsWith(homeDir) ? fullPath.slice(homeDir.length + 1) : entry.name;
+        results.push({
+          name: entry.name,
+          path: relPath,
+          isDir: s.isDirectory(),
+          size: s.size,
+          modTime: s.mtime.toISOString()
+        });
+      } catch {
+      }
+    }
+    return results;
+  }
+  async stat(filePath) {
+    const p = validatePath(filePath);
+    const homeDir = getActiveProfileDir();
+    const s = await (0, import_promises14.stat)(p);
+    const relPath = p.startsWith(homeDir) ? p.slice(homeDir.length + 1) : (0, import_path17.basename)(p);
+    return {
+      name: (0, import_path17.basename)(p),
+      path: relPath || (0, import_path17.basename)(p),
+      isDir: s.isDirectory(),
+      size: s.size,
+      modTime: s.mtime.toISOString()
+    };
+  }
+  async writeFile(filePath, content) {
+    const p = validatePath(filePath);
+    await (0, import_promises14.writeFile)(p, content);
+  }
+  async deleteFile(filePath) {
+    const p = validatePath(filePath);
+    const s = await (0, import_promises14.stat)(p);
+    if (!s.isFile()) throw Object.assign(new Error("Not a file"), { code: "not_found" });
+    await (0, import_promises14.rm)(p);
+  }
+  async deleteDir(dirPath) {
+    const p = validatePath(dirPath);
+    const s = await (0, import_promises14.stat)(p);
+    if (!s.isDirectory()) throw Object.assign(new Error("Not a directory"), { code: "not_found" });
+    await (0, import_promises14.rm)(p, { recursive: true });
+  }
+  async renameFile(oldPath, newPath) {
+    const op = validatePath(oldPath);
+    const np = validatePath(newPath);
+    await (0, import_promises14.rename)(op, np);
+  }
+  async mkDir(dirPath) {
+    const p = validatePath(dirPath);
+    await (0, import_promises14.mkdir)(p, { recursive: true });
+  }
+  async copyFile(srcPath, destPath) {
+    const sp = validatePath(srcPath);
+    const dp = validatePath(destPath);
+    await (0, import_promises14.copyFile)(sp, dp);
+  }
+};
+function parseLsOutput(output, parentRelPath) {
+  const entries = [];
+  for (const line of output.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("total ")) continue;
+    const parts = trimmed.split(/\s+/);
+    if (parts.length < 7) continue;
+    const permissions = parts[0];
+    const size = parseInt(parts[4], 10) || 0;
+    const modTime = parts[5];
+    const name = parts.slice(6).join(" ");
+    if (name === "." || name === "..") continue;
+    const isDir = permissions.startsWith("d");
+    const relPath = parentRelPath ? `${parentRelPath}/${name}` : name;
+    entries.push({ name, path: relPath, isDir, size, modTime: modTime.includes("T") ? modTime : new Date(modTime).toISOString() });
+  }
+  return entries;
+}
+function parseStatOutput(output, relativePath) {
+  const parts = output.trim().split("|");
+  if (parts.length < 4) throw Object.assign(new Error("Failed to parse stat output"), { code: "backend_error" });
+  const name = (0, import_path17.basename)(parts[0]);
+  const fileType = parts[1].toLowerCase();
+  const size = parseInt(parts[2], 10) || 0;
+  const modEpoch = parseInt(parts[3], 10) || 0;
+  const isDir = fileType.includes("directory");
+  return {
+    name,
+    path: relativePath,
+    isDir,
+    size,
+    modTime: new Date(modEpoch * 1e3).toISOString()
+  };
+}
+var DockerFileProvider = class {
+  type = "docker";
+  containerName;
+  constructor(containerName) {
+    this.containerName = containerName;
+  }
+  async readFile(filePath) {
+    const p = validatePath(filePath);
+    try {
+      const { stdout } = await execFileAsync3("docker", [
+        "exec",
+        this.containerName,
+        "cat",
+        p
+      ], { maxBuffer: MAX_DOWNLOAD_SIZE, timeout: BACKEND_TIMEOUT, encoding: "buffer" });
+      return stdout;
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) {
+        throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      }
+      if (err.stderr && /no such file/i.test(String(err.stderr))) {
+        throw Object.assign(new Error("File not found in container"), { code: "not_found" });
+      }
+      throw Object.assign(new Error(`Docker error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async exists(filePath) {
+    const p = validatePath(filePath);
+    try {
+      await execFileAsync3("docker", [
+        "exec",
+        this.containerName,
+        "test",
+        "-f",
+        p
+      ], { timeout: 5e3 });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async listDir(dirPath) {
+    const p = validatePath(dirPath);
+    try {
+      const { stdout } = await execFileAsync3("docker", [
+        "exec",
+        this.containerName,
+        "ls",
+        "-la",
+        "--time-style=+%Y-%m-%dT%H:%M:%S",
+        p
+      ], { maxBuffer: 10 * 1024 * 1024, timeout: BACKEND_TIMEOUT });
+      const homeDir = getActiveProfileDir();
+      const relParent = p.startsWith(homeDir) ? p.slice(homeDir.length + 1).replace(/\\/g, "/") : "";
+      return parseLsOutput(stdout, relParent);
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      if (err.stderr && /no such file|not a directory/i.test(String(err.stderr)))
+        throw Object.assign(new Error("Directory not found"), { code: "not_found" });
+      throw Object.assign(new Error(`Docker error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async stat(filePath) {
+    const p = validatePath(filePath);
+    try {
+      const { stdout } = await execFileAsync3("docker", [
+        "exec",
+        this.containerName,
+        "stat",
+        "-c",
+        "%n|%F|%s|%Y",
+        p
+      ], { timeout: BACKEND_TIMEOUT });
+      const homeDir = getActiveProfileDir();
+      const relPath = p.startsWith(homeDir) ? p.slice(homeDir.length + 1).replace(/\\/g, "/") : (0, import_path17.basename)(p);
+      return parseStatOutput(stdout, relPath);
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      if (err.stderr && /no such file/i.test(String(err.stderr))) throw Object.assign(new Error("Not found"), { code: "not_found" });
+      throw Object.assign(new Error(`Docker error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async writeFile(filePath, content) {
+    const p = validatePath(filePath);
+    try {
+      await execFileAsync3("docker", [
+        "exec",
+        "-i",
+        this.containerName,
+        "sh",
+        "-c",
+        `cat > '${p.replace(/'/g, "'\\''")}'`
+      ], { timeout: BACKEND_TIMEOUT, input: content });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Docker error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async deleteFile(filePath) {
+    const p = validatePath(filePath);
+    try {
+      await execFileAsync3("docker", ["exec", this.containerName, "rm", p], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Docker error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async deleteDir(dirPath) {
+    const p = validatePath(dirPath);
+    try {
+      await execFileAsync3("docker", ["exec", this.containerName, "rm", "-rf", p], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Docker error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async renameFile(oldPath, newPath) {
+    const op = validatePath(oldPath);
+    const np = validatePath(newPath);
+    try {
+      await execFileAsync3("docker", ["exec", this.containerName, "mv", op, np], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Docker error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async mkDir(dirPath) {
+    const p = validatePath(dirPath);
+    try {
+      await execFileAsync3("docker", ["exec", this.containerName, "mkdir", "-p", p], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Docker error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async copyFile(srcPath, destPath) {
+    const sp = validatePath(srcPath);
+    const dp = validatePath(destPath);
+    try {
+      await execFileAsync3("docker", ["exec", this.containerName, "cp", sp, dp], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Docker error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+};
+var SSHFileProvider = class {
+  type = "ssh";
+  host;
+  user;
+  keyPath;
+  constructor(host, user, keyPath) {
+    this.host = host;
+    this.user = user;
+    this.keyPath = keyPath;
+  }
+  sshArgs() {
+    const args2 = ["-o", "StrictHostKeyChecking=no", "-o", "BatchMode=yes"];
+    if (this.keyPath) args2.push("-i", this.keyPath);
+    args2.push(`${this.user}@${this.host}`);
+    return args2;
+  }
+  /**
+   * Shell-escape a string for safe use in a remote SSH command.
+   * Wraps in single quotes and escapes embedded single quotes.
+   */
+  shellEscape(s) {
+    return "'" + s.replace(/'/g, "'\\''") + "'";
+  }
+  async readFile(filePath) {
+    const p = validatePath(filePath);
+    try {
+      const { stdout } = await execFileAsync3("ssh", [
+        ...this.sshArgs(),
+        `cat ${this.shellEscape(p)}`
+      ], { maxBuffer: MAX_DOWNLOAD_SIZE, timeout: BACKEND_TIMEOUT, encoding: "buffer" });
+      return stdout;
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) {
+        throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      }
+      if (err.stderr && /no such file/i.test(String(err.stderr))) {
+        throw Object.assign(new Error("File not found on remote"), { code: "not_found" });
+      }
+      throw Object.assign(new Error(`SSH error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async exists(filePath) {
+    const p = validatePath(filePath);
+    try {
+      await execFileAsync3("ssh", [
+        ...this.sshArgs(),
+        `test -f ${this.shellEscape(p)}`
+      ], { timeout: 5e3 });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async listDir(dirPath) {
+    const p = validatePath(dirPath);
+    try {
+      const { stdout } = await execFileAsync3("ssh", [
+        ...this.sshArgs(),
+        `ls -la --time-style=+%Y-%m-%dT%H:%M:%S ${this.shellEscape(p)}`
+      ], { maxBuffer: 10 * 1024 * 1024, timeout: BACKEND_TIMEOUT });
+      const homeDir = getActiveProfileDir();
+      const relParent = p.startsWith(homeDir) ? p.slice(homeDir.length + 1).replace(/\\/g, "/") : "";
+      return parseLsOutput(stdout, relParent);
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      if (err.stderr && /no such file|not a directory/i.test(String(err.stderr)))
+        throw Object.assign(new Error("Directory not found"), { code: "not_found" });
+      throw Object.assign(new Error(`SSH error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async stat(filePath) {
+    const p = validatePath(filePath);
+    try {
+      const { stdout } = await execFileAsync3("ssh", [
+        ...this.sshArgs(),
+        `stat -c '%n|%F|%s|%Y' ${this.shellEscape(p)}`
+      ], { timeout: BACKEND_TIMEOUT });
+      const homeDir = getActiveProfileDir();
+      const relPath = p.startsWith(homeDir) ? p.slice(homeDir.length + 1).replace(/\\/g, "/") : (0, import_path17.basename)(p);
+      return parseStatOutput(stdout, relPath);
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      if (err.stderr && /no such file/i.test(String(err.stderr))) throw Object.assign(new Error("Not found"), { code: "not_found" });
+      throw Object.assign(new Error(`SSH error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async writeFile(filePath, content) {
+    const p = validatePath(filePath);
+    try {
+      await execFileAsync3("ssh", [
+        ...this.sshArgs(),
+        `cat > ${this.shellEscape(p)}`
+      ], { timeout: BACKEND_TIMEOUT, input: content });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`SSH error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async deleteFile(filePath) {
+    const p = validatePath(filePath);
+    try {
+      await execFileAsync3("ssh", [...this.sshArgs(), `rm ${this.shellEscape(p)}`], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`SSH error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async deleteDir(dirPath) {
+    const p = validatePath(dirPath);
+    try {
+      await execFileAsync3("ssh", [...this.sshArgs(), `rm -rf ${this.shellEscape(p)}`], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`SSH error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async renameFile(oldPath, newPath) {
+    const op = validatePath(oldPath);
+    const np = validatePath(newPath);
+    try {
+      await execFileAsync3("ssh", [...this.sshArgs(), `mv ${this.shellEscape(op)} ${this.shellEscape(np)}`], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`SSH error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async mkDir(dirPath) {
+    const p = validatePath(dirPath);
+    try {
+      await execFileAsync3("ssh", [...this.sshArgs(), `mkdir -p ${this.shellEscape(p)}`], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`SSH error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async copyFile(srcPath, destPath) {
+    const sp = validatePath(srcPath);
+    const dp = validatePath(destPath);
+    try {
+      await execFileAsync3("ssh", [...this.sshArgs(), `cp ${this.shellEscape(sp)} ${this.shellEscape(dp)}`], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`SSH error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+};
+var SingularityFileProvider = class {
+  type = "singularity";
+  imagePath;
+  constructor(imagePath) {
+    this.imagePath = imagePath;
+  }
+  async readFile(filePath) {
+    const p = validatePath(filePath);
+    try {
+      const { stdout } = await execFileAsync3("singularity", [
+        "exec",
+        this.imagePath,
+        "cat",
+        p
+      ], { maxBuffer: MAX_DOWNLOAD_SIZE, timeout: BACKEND_TIMEOUT, encoding: "buffer" });
+      return stdout;
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) {
+        throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      }
+      if (err.stderr && /no such file/i.test(String(err.stderr))) {
+        throw Object.assign(new Error("File not found in container"), { code: "not_found" });
+      }
+      throw Object.assign(new Error(`Singularity error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async exists(filePath) {
+    const p = validatePath(filePath);
+    try {
+      await execFileAsync3("singularity", [
+        "exec",
+        this.imagePath,
+        "test",
+        "-f",
+        p
+      ], { timeout: 5e3 });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async listDir(dirPath) {
+    const p = validatePath(dirPath);
+    try {
+      const { stdout } = await execFileAsync3("singularity", [
+        "exec",
+        this.imagePath,
+        "ls",
+        "-la",
+        "--time-style=+%Y-%m-%dT%H:%M:%S",
+        p
+      ], { maxBuffer: 10 * 1024 * 1024, timeout: BACKEND_TIMEOUT });
+      const homeDir = getActiveProfileDir();
+      const relParent = p.startsWith(homeDir) ? p.slice(homeDir.length + 1).replace(/\\/g, "/") : "";
+      return parseLsOutput(stdout, relParent);
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      if (err.stderr && /no such file|not a directory/i.test(String(err.stderr)))
+        throw Object.assign(new Error("Directory not found"), { code: "not_found" });
+      throw Object.assign(new Error(`Singularity error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async stat(filePath) {
+    const p = validatePath(filePath);
+    try {
+      const { stdout } = await execFileAsync3("singularity", [
+        "exec",
+        this.imagePath,
+        "stat",
+        "-c",
+        "%n|%F|%s|%Y",
+        p
+      ], { timeout: BACKEND_TIMEOUT });
+      const homeDir = getActiveProfileDir();
+      const relPath = p.startsWith(homeDir) ? p.slice(homeDir.length + 1).replace(/\\/g, "/") : (0, import_path17.basename)(p);
+      return parseStatOutput(stdout, relPath);
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      if (err.stderr && /no such file/i.test(String(err.stderr))) throw Object.assign(new Error("Not found"), { code: "not_found" });
+      throw Object.assign(new Error(`Singularity error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async writeFile(filePath, content) {
+    const p = validatePath(filePath);
+    try {
+      await execFileAsync3("singularity", [
+        "exec",
+        this.imagePath,
+        "sh",
+        "-c",
+        `cat > '${p.replace(/'/g, "'\\''")}'`
+      ], { timeout: BACKEND_TIMEOUT, input: content });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Singularity error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async deleteFile(filePath) {
+    const p = validatePath(filePath);
+    try {
+      await execFileAsync3("singularity", ["exec", this.imagePath, "rm", p], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Singularity error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async deleteDir(dirPath) {
+    const p = validatePath(dirPath);
+    try {
+      await execFileAsync3("singularity", ["exec", this.imagePath, "rm", "-rf", p], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Singularity error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async renameFile(oldPath, newPath) {
+    const op = validatePath(oldPath);
+    const np = validatePath(newPath);
+    try {
+      await execFileAsync3("singularity", ["exec", this.imagePath, "mv", op, np], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Singularity error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async mkDir(dirPath) {
+    const p = validatePath(dirPath);
+    try {
+      await execFileAsync3("singularity", ["exec", this.imagePath, "mkdir", "-p", p], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Singularity error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+  async copyFile(srcPath, destPath) {
+    const sp = validatePath(srcPath);
+    const dp = validatePath(destPath);
+    try {
+      await execFileAsync3("singularity", ["exec", this.imagePath, "cp", sp, dp], { timeout: BACKEND_TIMEOUT });
+    } catch (err) {
+      if (err.code === "ETIMEDOUT" || err.killed) throw Object.assign(new Error("Backend timeout"), { code: "backend_timeout" });
+      throw Object.assign(new Error(`Singularity error: ${err.message}`), { code: "backend_error" });
+    }
+  }
+};
+function getTerminalConfig() {
+  try {
+    const configPath3 = `${getActiveProfileDir()}/config.yaml`;
+    if (!(0, import_fs16.existsSync)(configPath3)) return { backend: "local" };
+    const raw = (0, import_fs16.readFileSync)(configPath3, "utf-8");
+    const doc = jsYaml.load(raw);
+    const t = doc?.terminal || {};
+    return {
+      backend: t.backend || "local",
+      docker_image: t.docker_image,
+      docker_container_name: t.docker_container_name,
+      cwd: t.cwd,
+      singularity_image: t.singularity_image
+    };
+  } catch {
+    return { backend: "local" };
+  }
+}
+function getSSHEnvVars() {
+  try {
+    const envPath3 = getActiveEnvPath();
+    if (!(0, import_fs16.existsSync)(envPath3)) return {};
+    const raw = (0, import_fs16.readFileSync)(envPath3, "utf-8");
+    const vars = {};
+    for (const line of raw.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const eqIdx = trimmed.indexOf("=");
+      if (eqIdx === -1) continue;
+      let value = trimmed.slice(eqIdx + 1).trim();
+      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+        value = value.slice(1, -1);
+      }
+      vars[trimmed.slice(0, eqIdx).trim()] = value;
+    }
+    return {
+      host: vars.TERMINAL_SSH_HOST,
+      user: vars.TERMINAL_SSH_USER,
+      key: vars.TERMINAL_SSH_KEY
+    };
+  } catch {
+    return {};
+  }
+}
+async function resolveDockerContainer(cfg) {
+  if (cfg.docker_container_name) return cfg.docker_container_name;
+  if (cfg.docker_image) {
+    try {
+      const { stdout } = await execFileAsync3("docker", [
+        "ps",
+        "-q",
+        "--filter",
+        `ancestor=${cfg.docker_image}`,
+        "--latest"
+      ], { timeout: 5e3 });
+      const id = stdout.trim();
+      if (id) return id;
+    } catch {
+    }
+  }
+  throw Object.assign(
+    new Error("Cannot determine Docker container. Set terminal.docker_container_name in hermes config."),
+    { code: "backend_error" }
+  );
+}
+var cachedProvider = null;
+var cachedAt = 0;
+var CACHE_TTL = 1e4;
+function _resetFileProviderCache() {
+  cachedProvider = null;
+  cachedAt = 0;
+}
+async function createFileProvider() {
+  const now = Date.now();
+  if (cachedProvider && now - cachedAt < CACHE_TTL) return cachedProvider;
+  const cfg = getTerminalConfig();
+  let provider;
+  switch (cfg.backend) {
+    case "docker": {
+      const container = await resolveDockerContainer(cfg);
+      provider = new DockerFileProvider(container);
+      break;
+    }
+    case "ssh": {
+      const ssh = getSSHEnvVars();
+      if (!ssh.host || !ssh.user) {
+        throw Object.assign(
+          new Error("SSH backend requires TERMINAL_SSH_HOST and TERMINAL_SSH_USER in .env"),
+          { code: "backend_error" }
+        );
+      }
+      provider = new SSHFileProvider(ssh.host, ssh.user, ssh.key);
+      break;
+    }
+    case "singularity": {
+      if (!cfg.singularity_image) {
+        throw Object.assign(
+          new Error("Singularity backend requires terminal.singularity_image in config"),
+          { code: "backend_error" }
+        );
+      }
+      provider = new SingularityFileProvider(cfg.singularity_image);
+      break;
+    }
+    case "modal":
+    case "daytona":
+      throw Object.assign(
+        new Error(`File download not yet supported for '${cfg.backend}' backend`),
+        { code: "unsupported_backend" }
+      );
+    default:
+      provider = new LocalFileProvider();
+  }
+  cachedProvider = provider;
+  cachedAt = now;
+  return provider;
+}
+var localProvider = new LocalFileProvider();
+
+// packages/server/src/routes/hermes/files.ts
+var fileRoutes = new router_default();
+function handleError(ctx, err) {
+  const code = err.code || "unknown";
+  const statusMap = {
+    missing_path: 400,
+    invalid_path: 400,
+    not_found: 404,
+    ENOENT: 404,
+    already_exists: 409,
+    permission_denied: 403,
+    file_too_large: 413,
+    not_a_directory: 400,
+    not_a_file: 400,
+    unsupported_backend: 501,
+    backend_error: 502,
+    backend_timeout: 504
+  };
+  ctx.status = statusMap[code] || 500;
+  ctx.body = { error: err.message, code };
+}
+fileRoutes.get("/api/hermes/files/list", async (ctx) => {
+  const relativePath = ctx.query.path || "";
+  try {
+    const absPath = resolveHermesPath(relativePath);
+    const provider = await createFileProvider();
+    const entries = await provider.listDir(absPath);
+    entries.sort((a, b) => {
+      if (a.isDir !== b.isDir) return a.isDir ? -1 : 1;
+      return a.name.localeCompare(b.name);
+    });
+    ctx.body = { entries, path: relativePath };
+  } catch (err) {
+    handleError(ctx, err);
+  }
+});
+fileRoutes.get("/api/hermes/files/stat", async (ctx) => {
+  const relativePath = ctx.query.path;
+  if (!relativePath) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing path parameter", code: "missing_path" };
+    return;
+  }
+  try {
+    const absPath = resolveHermesPath(relativePath);
+    const provider = await createFileProvider();
+    const info = await provider.stat(absPath);
+    ctx.body = info;
+  } catch (err) {
+    handleError(ctx, err);
+  }
+});
+fileRoutes.get("/api/hermes/files/read", async (ctx) => {
+  const relativePath = ctx.query.path;
+  if (!relativePath) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing path parameter", code: "missing_path" };
+    return;
+  }
+  try {
+    const absPath = resolveHermesPath(relativePath);
+    const provider = await createFileProvider();
+    const data = await provider.readFile(absPath);
+    if (data.length > MAX_EDIT_SIZE) {
+      ctx.status = 413;
+      ctx.body = { error: "File too large to edit", code: "file_too_large" };
+      return;
+    }
+    ctx.body = { content: data.toString("utf-8"), path: relativePath, size: data.length };
+  } catch (err) {
+    handleError(ctx, err);
+  }
+});
+fileRoutes.put("/api/hermes/files/write", async (ctx) => {
+  const { path: relativePath, content } = ctx.request.body;
+  if (!relativePath) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing path parameter", code: "missing_path" };
+    return;
+  }
+  if (isSensitivePath(relativePath)) {
+    ctx.status = 403;
+    ctx.body = { error: "Cannot modify sensitive file", code: "permission_denied" };
+    return;
+  }
+  try {
+    const buf = Buffer.from(content || "", "utf-8");
+    if (buf.length > MAX_EDIT_SIZE) {
+      ctx.status = 413;
+      ctx.body = { error: "Content too large", code: "file_too_large" };
+      return;
+    }
+    const absPath = resolveHermesPath(relativePath);
+    const provider = await createFileProvider();
+    await provider.writeFile(absPath, buf);
+    ctx.body = { ok: true, path: relativePath };
+  } catch (err) {
+    handleError(ctx, err);
+  }
+});
+fileRoutes.delete("/api/hermes/files/delete", async (ctx) => {
+  const { path: relativePath, recursive } = ctx.request.body;
+  if (!relativePath) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing path parameter", code: "missing_path" };
+    return;
+  }
+  if (isSensitivePath(relativePath)) {
+    ctx.status = 403;
+    ctx.body = { error: "Cannot delete sensitive file", code: "permission_denied" };
+    return;
+  }
+  try {
+    const absPath = resolveHermesPath(relativePath);
+    const provider = await createFileProvider();
+    if (recursive) {
+      await provider.deleteDir(absPath);
+    } else {
+      await provider.deleteFile(absPath);
+    }
+    ctx.body = { ok: true };
+  } catch (err) {
+    handleError(ctx, err);
+  }
+});
+fileRoutes.post("/api/hermes/files/rename", async (ctx) => {
+  const { oldPath, newPath } = ctx.request.body;
+  if (!oldPath || !newPath) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing oldPath or newPath", code: "missing_path" };
+    return;
+  }
+  if (isSensitivePath(oldPath)) {
+    ctx.status = 403;
+    ctx.body = { error: "Cannot rename sensitive file", code: "permission_denied" };
+    return;
+  }
+  try {
+    const absOld = resolveHermesPath(oldPath);
+    const absNew = resolveHermesPath(newPath);
+    const provider = await createFileProvider();
+    await provider.renameFile(absOld, absNew);
+    ctx.body = { ok: true };
+  } catch (err) {
+    handleError(ctx, err);
+  }
+});
+fileRoutes.post("/api/hermes/files/mkdir", async (ctx) => {
+  const { path: relativePath } = ctx.request.body;
+  if (!relativePath) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing path parameter", code: "missing_path" };
+    return;
+  }
+  try {
+    const absPath = resolveHermesPath(relativePath);
+    const provider = await createFileProvider();
+    await provider.mkDir(absPath);
+    ctx.body = { ok: true };
+  } catch (err) {
+    handleError(ctx, err);
+  }
+});
+fileRoutes.post("/api/hermes/files/copy", async (ctx) => {
+  const { srcPath, destPath } = ctx.request.body;
+  if (!srcPath || !destPath) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing srcPath or destPath", code: "missing_path" };
+    return;
+  }
+  try {
+    const absSrc = resolveHermesPath(srcPath);
+    const absDest = resolveHermesPath(destPath);
+    const provider = await createFileProvider();
+    await provider.copyFile(absSrc, absDest);
+    ctx.body = { ok: true };
+  } catch (err) {
+    handleError(ctx, err);
+  }
+});
+fileRoutes.post("/api/hermes/files/upload", async (ctx) => {
+  const targetDir = ctx.query.path || "";
+  const contentType = ctx.get("content-type") || "";
+  if (!contentType.startsWith("multipart/form-data")) {
+    ctx.status = 400;
+    ctx.body = { error: "Expected multipart/form-data", code: "invalid_request" };
+    return;
+  }
+  const boundary = "--" + contentType.split("boundary=")[1];
+  if (!boundary || boundary === "--undefined") {
+    ctx.status = 400;
+    ctx.body = { error: "Missing boundary", code: "invalid_request" };
+    return;
+  }
+  const chunks = [];
+  for await (const chunk of ctx.req) chunks.push(chunk);
+  const raw = Buffer.concat(chunks);
+  const boundaryBuf = Buffer.from(boundary);
+  const parts = splitMultipart2(raw, boundaryBuf);
+  const provider = await createFileProvider();
+  const results = [];
+  for (const part of parts) {
+    const headerEnd = part.indexOf(Buffer.from("\r\n\r\n"));
+    if (headerEnd === -1) continue;
+    const headerBuf = part.subarray(0, headerEnd);
+    const header = headerBuf.toString("utf-8");
+    const data = part.subarray(headerEnd + 4, part.length - 2);
+    let filename = "";
+    const filenameStarMatch = header.match(/filename\*=UTF-8''(.+)/i);
+    if (filenameStarMatch) {
+      filename = decodeURIComponent(filenameStarMatch[1]);
+    } else {
+      const filenameMatch = header.match(/filename="([^"]+)"/);
+      if (!filenameMatch) continue;
+      filename = filenameMatch[1];
+    }
+    if (data.length > MAX_EDIT_SIZE) {
+      ctx.status = 413;
+      ctx.body = { error: `File ${filename} too large`, code: "file_too_large" };
+      return;
+    }
+    const filePath = targetDir ? `${targetDir}/${filename}` : filename;
+    if (isSensitivePath(filePath)) {
+      ctx.status = 403;
+      ctx.body = { error: `Cannot overwrite sensitive file: ${filename}`, code: "permission_denied" };
+      return;
+    }
+    const absPath = resolveHermesPath(filePath);
+    await provider.writeFile(absPath, data);
+    results.push({ name: filename, path: filePath });
+  }
+  ctx.body = { files: results };
+});
+function splitMultipart2(raw, boundary) {
+  const parts = [];
+  let start4 = 0;
+  while (true) {
+    const idx = raw.indexOf(boundary, start4);
+    if (idx === -1) break;
+    if (start4 > 0) {
+      const partStart = start4 + 2;
+      parts.push(raw.subarray(partStart, idx));
+    }
+    start4 = idx + boundary.length;
+  }
+  return parts;
+}
+
+// packages/server/src/routes/hermes/download.ts
+var import_path18 = require("path");
+var downloadRoutes = new router_default();
+var MIME_MAP = {
+  ".txt": "text/plain",
+  ".html": "text/html",
+  ".htm": "text/html",
+  ".css": "text/css",
+  ".js": "application/javascript",
+  ".json": "application/json",
+  ".xml": "application/xml",
+  ".csv": "text/csv",
+  ".md": "text/markdown",
+  ".pdf": "application/pdf",
+  ".zip": "application/zip",
+  ".gz": "application/gzip",
+  ".tar": "application/x-tar",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".svg": "image/svg+xml",
+  ".webp": "image/webp",
+  ".mp3": "audio/mpeg",
+  ".wav": "audio/wav",
+  ".mp4": "video/mp4",
+  ".webm": "video/webm",
+  ".doc": "application/msword",
+  ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  ".xls": "application/vnd.ms-excel",
+  ".xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  ".ppt": "application/vnd.ms-powerpoint",
+  ".pptx": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  ".py": "text/x-python",
+  ".ts": "text/typescript",
+  ".tsx": "text/typescript",
+  ".rs": "text/x-rust",
+  ".go": "text/x-go",
+  ".java": "text/x-java",
+  ".c": "text/x-c",
+  ".cpp": "text/x-c++",
+  ".h": "text/x-c",
+  ".sh": "text/x-shellscript",
+  ".yaml": "text/yaml",
+  ".yml": "text/yaml",
+  ".toml": "text/toml",
+  ".log": "text/plain"
+};
+function getMimeType(fileName) {
+  const ext = (0, import_path18.extname)(fileName).toLowerCase();
+  return MIME_MAP[ext] || "application/octet-stream";
+}
+downloadRoutes.get("/api/hermes/download", async (ctx) => {
+  const filePath = ctx.query.path;
+  const fileName = ctx.query.name;
+  if (!filePath) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing path parameter", code: "missing_path" };
+    return;
+  }
+  try {
+    const validPath = filePath.startsWith("/") ? validatePath(filePath) : resolveHermesPath(filePath);
+    let data;
+    if (isInUploadDir(validPath)) {
+      data = await localProvider.readFile(validPath);
+    } else {
+      const provider = await createFileProvider();
+      data = await provider.readFile(validPath);
+    }
+    const name = fileName || (0, import_path18.basename)(validPath);
+    const mime = getMimeType(name);
+    ctx.set("Content-Type", mime);
+    ctx.set("Content-Disposition", `attachment; filename="${encodeURIComponent(name)}"; filename*=UTF-8''${encodeURIComponent(name)}`);
+    ctx.set("Content-Length", String(data.length));
+    ctx.set("Cache-Control", "no-cache");
+    ctx.body = data;
+  } catch (err) {
+    const code = err.code || "unknown";
+    const statusMap = {
+      missing_path: 400,
+      invalid_path: 400,
+      not_found: 404,
+      ENOENT: 404,
+      file_too_large: 413,
+      unsupported_backend: 501,
+      backend_error: 502,
+      backend_timeout: 504
+    };
+    ctx.status = statusMap[code] || 500;
+    ctx.body = { error: err.message, code };
+  }
+});
+
 // packages/server/src/routes/hermes/proxy-handler.ts
 init_usage_store();
 function getGatewayManager() {
@@ -47680,7 +49480,7 @@ async function waitForGatewayReady(upstream, timeoutMs = 5e3) {
       if (res.ok) return true;
     } catch {
     }
-    await new Promise((resolve10) => setTimeout(resolve10, 250));
+    await new Promise((resolve11) => setTimeout(resolve11, 250));
   }
   return false;
 }
@@ -47883,8 +49683,11 @@ function registerRoutes(app, requireAuth2) {
   app.use(configRoutes.routes());
   app.use(logRoutes.routes());
   app.use(codexAuthRoutes.routes());
+  app.use(nousAuthRoutes.routes());
   app.use(gatewayRoutes.routes());
   app.use(weixinRoutes.routes());
+  app.use(fileRoutes.routes());
+  app.use(downloadRoutes.routes());
   app.use(proxyRoutes.routes());
   return proxyMiddleware;
 }
@@ -47894,13 +49697,13 @@ var import_cors = __toESM(require_cors());
 var import_koa_static = __toESM(require_koa_static());
 var import_koa_send = __toESM(require_koa_send());
 var import_os12 = __toESM(require("os"));
-var import_path17 = require("path");
-var import_promises14 = require("fs/promises");
-var import_fs15 = require("fs");
+var import_path19 = require("path");
+var import_promises15 = require("fs/promises");
+var import_fs17 = require("fs");
 init_logger();
-var APP_VERSION = true ? "0.4.3" : (() => {
+var APP_VERSION = true ? "0.4.4" : (() => {
   try {
-    return JSON.parse(readFileSync9((0, import_path17.resolve)(__dirname, "../../package.json"), "utf-8")).version;
+    return JSON.parse(readFileSync11((0, import_path19.resolve)(__dirname, "../../package.json"), "utf-8")).version;
   } catch {
     return "dev";
   }
@@ -47915,8 +49718,8 @@ process.on("unhandledRejection", (reason) => {
 var server = null;
 async function bootstrap() {
   console.log(`hermes-web-ui v${APP_VERSION} starting...`);
-  await (0, import_promises14.mkdir)(config.uploadDir, { recursive: true });
-  await (0, import_promises14.mkdir)(config.dataDir, { recursive: true });
+  await (0, import_promises15.mkdir)(config.uploadDir, { recursive: true });
+  await (0, import_promises15.mkdir)(config.dataDir, { recursive: true });
   const authToken = await getToken();
   const app = new koa_default();
   await initGatewayManager();
@@ -47934,7 +49737,7 @@ async function bootstrap() {
     console.log(`Auth enabled \u2014 token: ${authToken}`);
     logger.info("Auth enabled \u2014 token: %s", authToken);
   }
-  const distDir = (0, import_path17.resolve)(__dirname, "..", "client");
+  const distDir = (0, import_path19.resolve)(__dirname, "..", "client");
   app.use((0, import_koa_static.default)(distDir));
   app.use(async (ctx) => {
     if (!ctx.path.startsWith("/api") && ctx.path !== "/health" && ctx.path !== "/upload" && ctx.path !== "/webhook") {