heyhank 0.1.0

package/server/routes/prompt-routes.ts

@@ -0,0 +1,67 @@
+import type { Hono } from "hono";
+import * as promptManager from "../prompt-manager.js";
+
+function sanitizePaths(value: unknown): string[] | undefined {
+  if (!Array.isArray(value)) return undefined;
+  return value.filter((p): p is string => typeof p === "string");
+}
+
+export function registerPromptRoutes(api: Hono): void {
+  api.get("/prompts", (c) => {
+    try {
+      const cwd = c.req.query("cwd");
+      const scope = c.req.query("scope");
+      const normalizedScope =
+        scope === "global" || scope === "project" || scope === "all"
+          ? scope
+          : undefined;
+      return c.json(promptManager.listPrompts({ cwd, scope: normalizedScope }));
+    } catch (e: unknown) {
+      return c.json({ error: e instanceof Error ? e.message : String(e) }, 500);
+    }
+  });
+
+  api.get("/prompts/:id", (c) => {
+    const prompt = promptManager.getPrompt(c.req.param("id"));
+    if (!prompt) return c.json({ error: "Prompt not found" }, 404);
+    return c.json(prompt);
+  });
+
+  api.post("/prompts", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    try {
+      const prompt = promptManager.createPrompt(
+        String(body.title || body.name || ""),
+        String(body.content || ""),
+        body.scope,
+        body.cwd ?? body.projectPath,
+        sanitizePaths(body.projectPaths),
+      );
+      return c.json(prompt, 201);
+    } catch (e: unknown) {
+      return c.json({ error: e instanceof Error ? e.message : String(e) }, 400);
+    }
+  });
+
+  api.put("/prompts/:id", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    try {
+      const prompt = promptManager.updatePrompt(c.req.param("id"), {
+        name: body.title ?? body.name,
+        content: body.content,
+        scope: body.scope,
+        projectPaths: sanitizePaths(body.projectPaths),
+      });
+      if (!prompt) return c.json({ error: "Prompt not found" }, 404);
+      return c.json(prompt);
+    } catch (e: unknown) {
+      return c.json({ error: e instanceof Error ? e.message : String(e) }, 400);
+    }
+  });
+
+  api.delete("/prompts/:id", (c) => {
+    const deleted = promptManager.deletePrompt(c.req.param("id"));
+    if (!deleted) return c.json({ error: "Prompt not found" }, 404);
+    return c.json({ ok: true });
+  });
+}

package/server/routes/provider-routes.ts

@@ -0,0 +1,109 @@
+/**
+ * REST API routes for provider management
+ */
+import type { Hono } from "hono";
+import { getAllProviders, getProviderById } from "../provider-registry.js";
+import {
+  listProviderConfigs,
+  getProviderConfig,
+  upsertProviderConfig,
+  deleteProviderConfig,
+} from "../provider-manager.js";
+
+export function registerProviderRoutes(app: Hono): void {
+  // Static registry — all known providers with their metadata
+  app.get("/providers/registry", (c) => {
+    return c.json(getAllProviders());
+  });
+
+  // User's configured providers — merged with registry metadata, secrets masked
+  app.get("/providers", (c) => {
+    const registry = getAllProviders();
+    const configs = listProviderConfigs();
+    const configMap = new Map(configs.map((cfg) => [cfg.providerId, cfg]));
+
+    const merged = registry.map((def) => {
+      const cfg = configMap.get(def.id);
+      const envConfigured: Record<string, boolean> = {};
+      for (const field of def.envFields) {
+        envConfigured[field.key] = !!(cfg?.envValues[field.key]);
+      }
+      return {
+        ...def,
+        configured: !!cfg,
+        enabled: cfg?.enabled ?? false,
+        envConfigured,
+        customModel: cfg?.customModel ?? undefined,
+      };
+    });
+
+    return c.json(merged);
+  });
+
+  // Single provider detail
+  app.get("/providers/:id", (c) => {
+    const id = c.req.param("id");
+    const def = getProviderById(id);
+    if (!def) return c.json({ error: "Unknown provider" }, 404);
+
+    const cfg = getProviderConfig(id);
+    const envConfigured: Record<string, boolean> = {};
+    // For non-secret fields, also return the actual value
+    const envValues: Record<string, string> = {};
+    for (const field of def.envFields) {
+      envConfigured[field.key] = !!(cfg?.envValues[field.key]);
+      if (!field.secret && cfg?.envValues[field.key]) {
+        envValues[field.key] = cfg.envValues[field.key];
+      }
+    }
+
+    return c.json({
+      ...def,
+      configured: !!cfg,
+      enabled: cfg?.enabled ?? false,
+      envConfigured,
+      envValues,
+      customModel: cfg?.customModel ?? undefined,
+    });
+  });
+
+  // Create or update a provider config
+  app.put("/providers/:id", async (c) => {
+    const id = c.req.param("id");
+    const def = getProviderById(id);
+    if (!def) return c.json({ error: "Unknown provider" }, 404);
+
+    const body = await c.req.json();
+    const config = upsertProviderConfig(id, {
+      enabled: body.enabled,
+      envValues: body.envValues,
+      customModel: body.customModel,
+    });
+
+    // Return masked response
+    const envConfigured: Record<string, boolean> = {};
+    const envValues: Record<string, string> = {};
+    for (const field of def.envFields) {
+      envConfigured[field.key] = !!(config.envValues[field.key]);
+      if (!field.secret && config.envValues[field.key]) {
+        envValues[field.key] = config.envValues[field.key];
+      }
+    }
+
+    return c.json({
+      ...def,
+      configured: true,
+      enabled: config.enabled,
+      envConfigured,
+      envValues,
+      customModel: config.customModel ?? undefined,
+    });
+  });
+
+  // Delete a provider config
+  app.delete("/providers/:id", (c) => {
+    const id = c.req.param("id");
+    const deleted = deleteProviderConfig(id);
+    return c.json({ ok: deleted });
+  });
+}

package/server/routes/sandbox-routes.ts

@@ -0,0 +1,127 @@
+import { resolve } from "node:path";
+import type { Hono } from "hono";
+import * as sandboxManager from "../sandbox-manager.js";
+import { containerManager, type ContainerConfig } from "../container-manager.js";
+import { imagePullManager } from "../image-pull-manager.js";
+
+export function registerSandboxRoutes(
+  api: Hono,
+): void {
+  api.get("/sandboxes", (c) => {
+    try {
+      return c.json(sandboxManager.listSandboxes());
+    } catch (e: unknown) {
+      return c.json({ error: e instanceof Error ? e.message : String(e) }, 500);
+    }
+  });
+
+  api.get("/sandboxes/:slug", (c) => {
+    const sandbox = sandboxManager.getSandbox(c.req.param("slug"));
+    if (!sandbox) return c.json({ error: "Sandbox not found" }, 404);
+    return c.json(sandbox);
+  });
+
+  api.post("/sandboxes", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    try {
+      const sandbox = sandboxManager.createSandbox(body.name, {
+        initScript: body.initScript,
+      });
+      return c.json(sandbox, 201);
+    } catch (e: unknown) {
+      return c.json({ error: e instanceof Error ? e.message : String(e) }, 400);
+    }
+  });
+
+  api.put("/sandboxes/:slug", async (c) => {
+    const slug = c.req.param("slug");
+    const body = await c.req.json().catch(() => ({}));
+    try {
+      const sandbox = sandboxManager.updateSandbox(slug, {
+        name: body.name,
+        initScript: body.initScript,
+      });
+      if (!sandbox) return c.json({ error: "Sandbox not found" }, 404);
+      return c.json(sandbox);
+    } catch (e: unknown) {
+      return c.json({ error: e instanceof Error ? e.message : String(e) }, 400);
+    }
+  });
+
+  api.delete("/sandboxes/:slug", (c) => {
+    try {
+      const deleted = sandboxManager.deleteSandbox(c.req.param("slug"));
+      if (!deleted) return c.json({ error: "Sandbox not found" }, 404);
+      return c.json({ ok: true });
+    } catch (e: unknown) {
+      return c.json({ error: e instanceof Error ? e.message : String(e) }, 400);
+    }
+  });
+
+  // Test the init script of a sandbox in an ephemeral container.
+  // Accepts an optional `initScript` body param to test unsaved content
+  // without persisting it first. Falls back to the stored script.
+  api.post("/sandboxes/:slug/test-init", async (c) => {
+    const slug = c.req.param("slug");
+    const body = await c.req.json().catch(() => ({}));
+    const rawCwd = body.cwd;
+
+    const sandbox = sandboxManager.getSandbox(slug);
+    if (!sandbox) return c.json({ error: "Sandbox not found" }, 404);
+
+    // Prefer body initScript (unsaved draft) over stored value
+    const initScript = (typeof body.initScript === "string" ? body.initScript : sandbox.initScript ?? "").trim();
+    if (!initScript) return c.json({ error: "No init script configured for this sandbox" }, 400);
+    if (!rawCwd) return c.json({ error: "Working directory (cwd) is required" }, 400);
+
+    // Require an absolute path from the caller, then normalize
+    const cwdStr = String(rawCwd);
+    if (!cwdStr.startsWith("/")) return c.json({ error: "Working directory must be an absolute path" }, 400);
+    const cwd = resolve(cwdStr);
+
+    if (!containerManager.checkDocker()) return c.json({ error: "Docker is not available" }, 503);
+
+    const effectiveImage = "the-companion:latest";
+    if (!imagePullManager.isReady(effectiveImage)) {
+      return c.json({ error: `Docker image ${effectiveImage} is not available. Pull it first.` }, 503);
+    }
+
+    const tempId = `t${crypto.randomUUID().replace(/-/g, "").slice(0, 12)}`;
+    let containerId: string | undefined;
+
+    try {
+      const config: ContainerConfig = {
+        image: effectiveImage,
+        ports: [],
+      };
+      const containerInfo = containerManager.createContainer(tempId, cwd, config);
+      containerId = containerInfo.containerId;
+
+      await containerManager.copyWorkspaceToContainer(containerId, cwd);
+
+      const initTimeout = Number(process.env.HEYHANK_INIT_SCRIPT_TIMEOUT || process.env.COMPANION_INIT_SCRIPT_TIMEOUT) || 120_000;
+      const result = await containerManager.execInContainerAsync(
+        containerId,
+        ["sh", "-lc", initScript],
+        { timeout: initTimeout },
+      );
+
+      const output = result.output.length > 2000
+        ? result.output.slice(0, 500) + "\n...[truncated]...\n" + result.output.slice(-1500)
+        : result.output;
+
+      return c.json({
+        success: result.exitCode === 0,
+        exitCode: result.exitCode,
+        output,
+      });
+    } catch (e: unknown) {
+      const msg = e instanceof Error ? e.message : String(e);
+      return c.json({ success: false, exitCode: -1, output: msg }, 500);
+    } finally {
+      if (containerId) {
+        try { containerManager.removeContainer(tempId); } catch { /* best effort cleanup */ }
+      }
+    }
+  });
+}

package/server/routes/settings-routes.ts

@@ -0,0 +1,285 @@
+import type { Hono } from "hono";
+import { DEFAULT_ANTHROPIC_MODEL, getSettings, updateSettings, type UpdateChannel } from "../settings-manager.js";
+import { hasContainerCodexAuth } from "../codex-container-auth.js";
+import { hasContainerClaudeAuth } from "../claude-container-auth.js";
+import { existsSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { execSync } from "node:child_process";
+
+/** Detect Claude CLI auth method */
+function detectClaudeAuthStatus(): { authenticated: boolean; method: string } {
+  const home = process.env.HOME || process.env.USERPROFILE || homedir();
+
+  // Check for credentials file (claude login)
+  const credFiles = [
+    join(home, ".claude", ".credentials.json"),
+    join(home, ".claude", "auth.json"),
+    join(home, ".claude", ".auth.json"),
+    join(home, ".claude", "credentials.json"),
+  ];
+  if (credFiles.some((p) => existsSync(p))) {
+    return { authenticated: true, method: "cli_login" };
+  }
+
+  // Check env vars
+  if (process.env.ANTHROPIC_API_KEY) return { authenticated: true, method: "env_api_key" };
+  if (process.env.CLAUDE_CODE_OAUTH_TOKEN) return { authenticated: true, method: "env_oauth" };
+  if (process.env.ANTHROPIC_AUTH_TOKEN) return { authenticated: true, method: "env_auth_token" };
+
+  return { authenticated: false, method: "none" };
+}
+
+/** Detect Codex CLI auth method */
+function detectCodexAuthStatus(): { authenticated: boolean; method: string } {
+  const home = process.env.HOME || process.env.USERPROFILE || homedir();
+
+  // Check for codex auth file
+  const codexAuth = join(home, ".codex", "auth.json");
+  if (existsSync(codexAuth)) {
+    return { authenticated: true, method: "cli_login" };
+  }
+
+  // Check env var
+  if (process.env.OPENAI_API_KEY) return { authenticated: true, method: "env_api_key" };
+
+  return { authenticated: false, method: "none" };
+}
+
+/** Detect Claude CLI version */
+function detectClaudeVersion(): string | null {
+  try {
+    return execSync("claude --version 2>/dev/null", { timeout: 3000 }).toString().trim().split("\n")[0] || null;
+  } catch { return null; }
+}
+
+/** Detect Codex CLI version */
+function detectCodexVersion(): string | null {
+  try {
+    return execSync("codex --version 2>/dev/null", { timeout: 3000 }).toString().trim().split("\n")[0] || null;
+  } catch { return null; }
+}
+
+export function registerSettingsRoutes(api: Hono): void {
+  api.get("/settings", (c) => {
+    const settings = getSettings();
+    const claudeAuth = detectClaudeAuthStatus();
+    const codexAuth = detectCodexAuthStatus();
+    return c.json({
+      anthropicApiKeyConfigured: !!settings.anthropicApiKey.trim(),
+      anthropicModel: settings.anthropicModel || DEFAULT_ANTHROPIC_MODEL,
+      claudeCodeOAuthTokenConfigured: !!settings.claudeCodeOAuthToken.trim(),
+      openaiApiKeyConfigured: !!settings.openaiApiKey.trim(),
+      codexDeviceAuthConfigured: hasContainerCodexAuth(),
+      // Enhanced auth detection
+      claudeCliAuth: { ...claudeAuth, oauthTokenConfigured: !!settings.claudeCodeOAuthToken.trim(), cliVersion: detectClaudeVersion() },
+      codexCliAuth: { ...codexAuth, apiKeyConfigured: !!settings.openaiApiKey.trim(), cliVersion: detectCodexVersion() },
+      onboardingCompleted: settings.onboardingCompleted,
+      geminiApiKeyConfigured: !!settings.geminiApiKey.trim(),
+      geminiVoice: settings.geminiVoice || "Kore",
+      assistantName: settings.assistantName || "",
+      userName: settings.userName || "",
+      editorTabEnabled: settings.editorTabEnabled,
+      internalAiProvider: settings.internalAiProvider || "",
+      aiValidationEnabled: settings.aiValidationEnabled,
+      aiValidationAutoApprove: settings.aiValidationAutoApprove,
+      aiValidationAutoDeny: settings.aiValidationAutoDeny,
+      publicUrl: settings.publicUrl,
+      updateChannel: settings.updateChannel,
+      dockerAutoUpdate: settings.dockerAutoUpdate,
+    });
+  });
+
+  api.put("/settings", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    if (body.anthropicApiKey !== undefined && typeof body.anthropicApiKey !== "string") {
+      return c.json({ error: "anthropicApiKey must be a string" }, 400);
+    }
+    if (body.anthropicModel !== undefined && typeof body.anthropicModel !== "string") {
+      return c.json({ error: "anthropicModel must be a string" }, 400);
+    }
+    if (body.geminiApiKey !== undefined && typeof body.geminiApiKey !== "string") {
+      return c.json({ error: "geminiApiKey must be a string" }, 400);
+    }
+    if (body.geminiVoice !== undefined && typeof body.geminiVoice !== "string") {
+      return c.json({ error: "geminiVoice must be a string" }, 400);
+    }
+    if (body.editorTabEnabled !== undefined && typeof body.editorTabEnabled !== "boolean") {
+      return c.json({ error: "editorTabEnabled must be a boolean" }, 400);
+    }
+    if (body.aiValidationEnabled !== undefined && typeof body.aiValidationEnabled !== "boolean") {
+      return c.json({ error: "aiValidationEnabled must be a boolean" }, 400);
+    }
+    if (body.aiValidationAutoApprove !== undefined && typeof body.aiValidationAutoApprove !== "boolean") {
+      return c.json({ error: "aiValidationAutoApprove must be a boolean" }, 400);
+    }
+    if (body.aiValidationAutoDeny !== undefined && typeof body.aiValidationAutoDeny !== "boolean") {
+      return c.json({ error: "aiValidationAutoDeny must be a boolean" }, 400);
+    }
+    if (body.publicUrl !== undefined) {
+      if (typeof body.publicUrl !== "string") {
+        return c.json({ error: "publicUrl must be a string" }, 400);
+      }
+      const trimmed = body.publicUrl.trim().replace(/\/+$/, "");
+      if (trimmed !== "" && !/^https?:\/\/.+/.test(trimmed)) {
+        return c.json({ error: "publicUrl must be a valid http/https URL" }, 400);
+      }
+    }
+    if (body.updateChannel !== undefined && body.updateChannel !== "stable" && body.updateChannel !== "prerelease") {
+      return c.json({ error: "updateChannel must be 'stable' or 'prerelease'" }, 400);
+    }
+    if (body.claudeCodeOAuthToken !== undefined && typeof body.claudeCodeOAuthToken !== "string") {
+      return c.json({ error: "claudeCodeOAuthToken must be a string" }, 400);
+    }
+    if (body.openaiApiKey !== undefined && typeof body.openaiApiKey !== "string") {
+      return c.json({ error: "openaiApiKey must be a string" }, 400);
+    }
+    if (body.onboardingCompleted !== undefined && typeof body.onboardingCompleted !== "boolean") {
+      return c.json({ error: "onboardingCompleted must be a boolean" }, 400);
+    }
+    if (body.dockerAutoUpdate !== undefined && typeof body.dockerAutoUpdate !== "boolean") {
+      return c.json({ error: "dockerAutoUpdate must be a boolean" }, 400);
+    }
+    const hasAnyField = body.anthropicApiKey !== undefined || body.anthropicModel !== undefined
+      || body.claudeCodeOAuthToken !== undefined || body.openaiApiKey !== undefined
+      || body.onboardingCompleted !== undefined
+      || body.geminiApiKey !== undefined || body.geminiVoice !== undefined || body.assistantName !== undefined || body.userName !== undefined
+      || body.editorTabEnabled !== undefined
+      || body.internalAiProvider !== undefined
+      || body.aiValidationEnabled !== undefined || body.aiValidationAutoApprove !== undefined
+      || body.aiValidationAutoDeny !== undefined
+      || body.publicUrl !== undefined
+      || body.updateChannel !== undefined
+      || body.dockerAutoUpdate !== undefined;
+    if (!hasAnyField) {
+      return c.json({ error: "At least one settings field is required" }, 400);
+    }
+
+    const settings = updateSettings({
+      anthropicApiKey:
+        typeof body.anthropicApiKey === "string"
+          ? body.anthropicApiKey.trim()
+          : undefined,
+      anthropicModel:
+        typeof body.anthropicModel === "string"
+          ? (body.anthropicModel.trim() || DEFAULT_ANTHROPIC_MODEL)
+          : undefined,
+      claudeCodeOAuthToken:
+        typeof body.claudeCodeOAuthToken === "string"
+          ? body.claudeCodeOAuthToken.trim()
+          : undefined,
+      openaiApiKey:
+        typeof body.openaiApiKey === "string"
+          ? body.openaiApiKey.trim()
+          : undefined,
+      onboardingCompleted:
+        typeof body.onboardingCompleted === "boolean"
+          ? body.onboardingCompleted
+          : undefined,
+      geminiApiKey:
+        typeof body.geminiApiKey === "string"
+          ? body.geminiApiKey.trim()
+          : undefined,
+      geminiVoice:
+        typeof body.geminiVoice === "string"
+          ? body.geminiVoice.trim()
+          : undefined,
+      assistantName:
+        typeof body.assistantName === "string"
+          ? body.assistantName.trim()
+          : undefined,
+      userName:
+        typeof body.userName === "string"
+          ? body.userName.trim()
+          : undefined,
+      editorTabEnabled:
+        typeof body.editorTabEnabled === "boolean"
+          ? body.editorTabEnabled
+          : undefined,
+      internalAiProvider:
+        typeof body.internalAiProvider === "string"
+          ? body.internalAiProvider.trim()
+          : undefined,
+      aiValidationEnabled:
+        typeof body.aiValidationEnabled === "boolean"
+          ? body.aiValidationEnabled
+          : undefined,
+      aiValidationAutoApprove:
+        typeof body.aiValidationAutoApprove === "boolean"
+          ? body.aiValidationAutoApprove
+          : undefined,
+      aiValidationAutoDeny:
+        typeof body.aiValidationAutoDeny === "boolean"
+          ? body.aiValidationAutoDeny
+          : undefined,
+      publicUrl:
+        typeof body.publicUrl === "string"
+          ? body.publicUrl.trim().replace(/\/+$/, "")
+          : undefined,
+      updateChannel:
+        body.updateChannel === "stable" || body.updateChannel === "prerelease"
+          ? (body.updateChannel as UpdateChannel)
+          : undefined,
+      dockerAutoUpdate:
+        typeof body.dockerAutoUpdate === "boolean"
+          ? body.dockerAutoUpdate
+          : undefined,
+    });
+
+    const claudeAuthAfter = detectClaudeAuthStatus();
+    const codexAuthAfter = detectCodexAuthStatus();
+    return c.json({
+      anthropicApiKeyConfigured: !!settings.anthropicApiKey.trim(),
+      anthropicModel: settings.anthropicModel || DEFAULT_ANTHROPIC_MODEL,
+      claudeCodeOAuthTokenConfigured: !!settings.claudeCodeOAuthToken.trim(),
+      openaiApiKeyConfigured: !!settings.openaiApiKey.trim(),
+      codexDeviceAuthConfigured: hasContainerCodexAuth(),
+      claudeCliAuth: { ...claudeAuthAfter, oauthTokenConfigured: !!settings.claudeCodeOAuthToken.trim(), cliVersion: detectClaudeVersion() },
+      codexCliAuth: { ...codexAuthAfter, apiKeyConfigured: !!settings.openaiApiKey.trim(), cliVersion: detectCodexVersion() },
+      onboardingCompleted: settings.onboardingCompleted,
+      geminiApiKeyConfigured: !!settings.geminiApiKey.trim(),
+      geminiVoice: settings.geminiVoice || "Kore",
+      assistantName: settings.assistantName || "",
+      userName: settings.userName || "",
+      editorTabEnabled: settings.editorTabEnabled,
+      internalAiProvider: settings.internalAiProvider || "",
+      aiValidationEnabled: settings.aiValidationEnabled,
+      aiValidationAutoApprove: settings.aiValidationAutoApprove,
+      aiValidationAutoDeny: settings.aiValidationAutoDeny,
+      publicUrl: settings.publicUrl,
+      updateChannel: settings.updateChannel,
+      dockerAutoUpdate: settings.dockerAutoUpdate,
+    });
+  });
+
+  api.post("/settings/anthropic/verify", async (c) => {
+    const body = await c.req.json().catch(() => ({} as { apiKey?: string }));
+    const apiKey = typeof body.apiKey === "string" ? body.apiKey.trim() : "";
+    if (!apiKey) {
+      return c.json({ valid: false, error: "API key is required" }, 400);
+    }
+
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), 10_000);
+
+    try {
+      const res = await fetch("https://api.anthropic.com/v1/models", {
+        headers: {
+          "x-api-key": apiKey,
+          "anthropic-version": "2023-06-01",
+        },
+        signal: controller.signal,
+      });
+
+      if (res.ok) {
+        return c.json({ valid: true });
+      }
+      return c.json({ valid: false, error: `API returned ${res.status}` });
+    } catch (err) {
+      const isAbort = err instanceof Error && err.name === "AbortError";
+      return c.json({ valid: false, error: isAbort ? "Request timed out" : "Request failed" });
+    } finally {
+      clearTimeout(timer);
+    }
+  });
+}

package/server/routes/skills-routes.ts

@@ -0,0 +1,100 @@
+import { existsSync } from "node:fs";
+import { readdir, readFile, writeFile, rm, mkdir } from "node:fs/promises";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import type { Hono } from "hono";
+
+const SKILLS_DIR = join(homedir(), ".claude", "skills");
+
+export function registerSkillRoutes(api: Hono): void {
+  api.get("/skills", async (c) => {
+    try {
+      if (!existsSync(SKILLS_DIR)) return c.json([]);
+      const entries = await readdir(SKILLS_DIR, { withFileTypes: true });
+      const skills = [];
+      for (const entry of entries) {
+        if (!entry.isDirectory()) continue;
+        const skillMdPath = join(SKILLS_DIR, entry.name, "SKILL.md");
+        if (!existsSync(skillMdPath)) continue;
+        const content = await readFile(skillMdPath, "utf-8");
+        const fmMatch = content.match(/^---\n([\s\S]*?)\n---\n?([\s\S]*)$/);
+        let name = entry.name;
+        let description = "";
+        if (fmMatch) {
+          for (const line of fmMatch[1].split("\n")) {
+            const nameMatch = line.match(/^name:\s*(.+)/);
+            if (nameMatch) name = nameMatch[1].trim().replace(/^["']|["']$/g, "");
+            const descMatch = line.match(/^description:\s*["']?(.+?)["']?\s*$/);
+            if (descMatch) description = descMatch[1];
+          }
+        }
+        skills.push({ slug: entry.name, name, description, path: skillMdPath });
+      }
+      return c.json(skills);
+    } catch (e) {
+      return c.json({ error: String(e) }, 500);
+    }
+  });
+
+  api.get("/skills/:slug", async (c) => {
+    const slug = c.req.param("slug");
+    if (!slug || slug.includes("..") || slug.includes("/") || slug.includes("\\")) {
+      return c.json({ error: "Invalid slug" }, 400);
+    }
+    const skillMdPath = join(SKILLS_DIR, slug, "SKILL.md");
+    if (!existsSync(skillMdPath)) return c.json({ error: "Skill not found" }, 404);
+    const content = await readFile(skillMdPath, "utf-8");
+    return c.json({ slug, path: skillMdPath, content });
+  });
+
+  api.post("/skills", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const { name, description, content } = body;
+    if (!name || typeof name !== "string") {
+      return c.json({ error: "name is required" }, 400);
+    }
+
+    const slug = name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
+    if (!slug) return c.json({ error: "Invalid name" }, 400);
+
+    const skillDir = join(SKILLS_DIR, slug);
+    const skillMdPath = join(skillDir, "SKILL.md");
+    if (existsSync(skillMdPath)) {
+      return c.json({ error: `Skill "${slug}" already exists` }, 409);
+    }
+
+    await mkdir(SKILLS_DIR, { recursive: true });
+    await mkdir(skillDir, { recursive: true });
+
+    const md = `---\nname: ${slug}\ndescription: ${JSON.stringify(description || `Skill: ${name}`)}\n---\n\n${content || `# ${name}\n\nDescribe what this skill does and how to use it.\n`}`;
+    await writeFile(skillMdPath, md, "utf-8");
+
+    return c.json({ slug, name, description: description || `Skill: ${name}`, path: skillMdPath });
+  });
+
+  api.put("/skills/:slug", async (c) => {
+    const slug = c.req.param("slug");
+    if (!slug || slug.includes("..") || slug.includes("/") || slug.includes("\\")) {
+      return c.json({ error: "Invalid slug" }, 400);
+    }
+    const skillMdPath = join(SKILLS_DIR, slug, "SKILL.md");
+    if (!existsSync(skillMdPath)) return c.json({ error: "Skill not found" }, 404);
+    const body = await c.req.json().catch(() => ({}));
+    if (typeof body.content !== "string") {
+      return c.json({ error: "content is required" }, 400);
+    }
+    await writeFile(skillMdPath, body.content, "utf-8");
+    return c.json({ ok: true, slug, path: skillMdPath });
+  });
+
+  api.delete("/skills/:slug", async (c) => {
+    const slug = c.req.param("slug");
+    if (!slug || slug.includes("..") || slug.includes("/") || slug.includes("\\")) {
+      return c.json({ error: "Invalid slug" }, 400);
+    }
+    const skillDir = join(SKILLS_DIR, slug);
+    if (!existsSync(skillDir)) return c.json({ error: "Skill not found" }, 404);
+    await rm(skillDir, { recursive: true, force: true });
+    return c.json({ ok: true, slug });
+  });
+}