hyperclaw 5.2.0 → 5.2.2

package/dist/server-PCtHMXe2.js

@@ -0,0 +1,1292 @@
+const require_chunk = require('./chunk-jS-bbMI5.js');
+const chalk = require_chunk.__toESM(require("chalk"));
+const fs_extra = require_chunk.__toESM(require("fs-extra"));
+const path = require_chunk.__toESM(require("path"));
+const crypto = require_chunk.__toESM(require("crypto"));
+const ws = require_chunk.__toESM(require("ws"));
+const child_process = require_chunk.__toESM(require("child_process"));
+const http = require_chunk.__toESM(require("http"));
+
+//#region packages/gateway/src/server.ts
+let activeServer = null;
+/**
+
+* Thrown when the gateway cannot bind its WebSocket port.
+
+*
+
+* Most common cause: another gateway instance is already running on the same
+
+* port (EADDRINUSE). The OS releases the port automatically on any exit,
+
+* including crashes and SIGKILL — no separate lock file or cleanup is needed.
+
+*
+
+* To run a second gateway on the same host, use an isolated profile and a
+
+* unique port (leave at least 20 ports between base ports):
+
+*   hyperclaw --profile rescue gateway --port 19001
+
+*/
+var GatewayLockError = class extends Error {
+	code;
+	constructor(message, code = "GATEWAY_LOCK") {
+		super(message);
+		this.name = "GatewayLockError";
+		this.code = code;
+	}
+};
+var GatewayServer = class {
+	wss = null;
+	httpServer = null;
+	sessions = /* @__PURE__ */ new Map();
+	transcripts = /* @__PURE__ */ new Map();
+	sessionStore = null;
+	config;
+	startedAt = "";
+	stopCron = null;
+	channelRunner = null;
+	configWatcher = null;
+	configReloadDebounce = null;
+	constructor(config) {
+		this.config = config;
+	}
+	/** Start watching the config file for changes and hot-apply safe settings. */
+	startConfigWatcher() {
+		const mode = this.config.reloadMode ?? "hybrid";
+		if (mode === "off") return;
+		const configPath = this.config.deps.getConfigPath?.() ?? "";
+		if (!configPath) return;
+		const fsNode = require("fs");
+		const debounceMs = this.config.reloadDebounceMs ?? 300;
+		const tryWatch = () => {
+			try {
+				const watcher = fsNode.watch(configPath, { persistent: false }, (_event) => {
+					if (this.configReloadDebounce) clearTimeout(this.configReloadDebounce);
+					this.configReloadDebounce = setTimeout(() => void this.hotReloadConfig(), debounceMs);
+				});
+				this.configWatcher = watcher;
+				console.log(chalk.default.gray(`  ⚙  Config watcher active (mode: ${mode}) — ${configPath}`));
+			} catch {
+				const dir = require("path").dirname(configPath);
+				try {
+					const dirWatcher = fsNode.watch(dir, { persistent: false }, (_event, filename) => {
+						if (filename && configPath.endsWith(filename) && fsNode.existsSync(configPath)) {
+							dirWatcher.close();
+							tryWatch();
+						}
+					});
+				} catch {}
+			}
+		};
+		tryWatch();
+	}
+	/** Hot-apply safe config changes without restarting. */
+	async hotReloadConfig() {
+		try {
+			const fs$1 = require("fs-extra");
+			const configPath = this.config.deps.getConfigPath?.() ?? "";
+			if (!configPath) return;
+			const raw = await fs$1.readJson(configPath).catch(() => null);
+			if (!raw) return;
+			const restartRequired = raw.gateway?.port !== this.config.port || raw.gateway?.bind !== this.config.bind;
+			if (restartRequired) {
+				console.log(chalk.default.yellow("\n  ⚙  Config change requires gateway restart — restarting...\n"));
+				for (const s of this.sessions.values()) if (s.socket.readyState === 1) s.socket.send(JSON.stringify({
+					type: "gateway:reloading",
+					reason: "config-change"
+				}));
+				if (typeof this.config.deps.restartDaemon === "function") try {
+					await this.config.deps.restartDaemon();
+				} catch {}
+				else console.log(chalk.default.yellow("  ⚠  restartDaemon not available — restart manually: hyperclaw daemon restart\n"));
+				return;
+			}
+			if (raw.gateway?.hooks !== void 0) this.config.hooks = raw.gateway.hooks;
+			if (raw.gateway?.enabledChannels !== void 0) this.config.enabledChannels = raw.gateway.enabledChannels;
+			const newDm = raw.gateway?.dmScope ?? raw.session?.dmScope;
+			if (newDm !== void 0) this.config.dmScope = newDm === "main" ? "global" : newDm === "per-peer" ? "per-channel" : newDm;
+			if (typeof this.config.deps.onConfigReloaded === "function") this.config.deps.onConfigReloaded(raw);
+			const reloadMsg = JSON.stringify({
+				type: "gateway:config-reloaded",
+				ts: (/* @__PURE__ */ new Date()).toISOString()
+			});
+			for (const s of this.sessions.values()) if (s.socket.readyState === 1) s.socket.send(reloadMsg);
+			console.log(chalk.default.green("  ⚙  Config hot-reloaded (no restart needed)"));
+		} catch (e) {
+			console.log(chalk.default.yellow(`  ⚙  Config reload failed: ${e.message}`));
+		}
+	}
+	async start() {
+		this.httpServer = http.default.createServer((req, res) => {
+			this.handleHttp(req, res);
+		});
+		this.wss = new ws.WebSocketServer({ server: this.httpServer });
+		this.wss.on("connection", this.handleConnection.bind(this));
+		await new Promise((resolve, reject) => {
+			this.httpServer.on("error", (err) => {
+				if (err.code === "EADDRINUSE") reject(new GatewayLockError(`another gateway instance is already listening on ws://${this.config.bind}:${this.config.port}`, "EADDRINUSE"));
+				else reject(new GatewayLockError(`failed to bind gateway socket on ws://${this.config.bind}:${this.config.port}: ${err.message}`, err.code || "BIND_ERROR"));
+			});
+			this.httpServer.listen(this.config.port, this.config.bind, () => resolve());
+		});
+		this.startedAt = (/* @__PURE__ */ new Date()).toISOString();
+		activeServer = this;
+		try {
+			this.sessionStore = await this.config.deps.createSessionStore(this.config.deps.getHyperClawDir());
+		} catch (_) {
+			this.sessionStore = null;
+		}
+		const icon = this.config.daemonMode ? "🩸" : "🦅";
+		const color = this.config.daemonMode ? chalk.default.red.bind(chalk.default) : chalk.default.hex("#06b6d4");
+		console.log(color(`\n  ${icon} Gateway started: ws://${this.config.bind}:${this.config.port}\n`));
+		this.channelRunner = await this.config.deps.startChannelRunners({
+			port: this.config.port,
+			bind: this.config.bind,
+			authToken: this.config.deps.resolveGatewayToken(this.config.authToken)
+		});
+		if (this.config.hooks && this.config.deps.createHookLoader) {
+			const loader = this.config.deps.createHookLoader();
+			loader.execute("gateway:start", {}).catch(() => {});
+			this.stopCron = loader.startCronScheduler();
+		}
+		this.startConfigWatcher();
+	}
+	async stop() {
+		if (this.configWatcher) {
+			this.configWatcher.close();
+			this.configWatcher = null;
+		}
+		if (this.configReloadDebounce) clearTimeout(this.configReloadDebounce);
+		if (this.channelRunner) {
+			await this.channelRunner.stop();
+			this.channelRunner = null;
+		}
+		if (this.stopCron) {
+			this.stopCron();
+			this.stopCron = null;
+		}
+		for (const s of this.sessions.values()) s.socket.close(1001, "Gateway shutting down");
+		this.sessions.clear();
+		this.wss?.close();
+		await new Promise((resolve) => this.httpServer?.close(() => resolve()));
+		activeServer = null;
+	}
+	/** Returns false and sends 401 if auth required but missing/invalid. */
+	async requireAuth(req, res) {
+		const token = this.config.deps.resolveGatewayToken(this.config.authToken);
+		const auth = req.headers.authorization;
+		if (!token && !auth) return true;
+		if (!auth || !auth.startsWith("Bearer ")) {
+			res.writeHead(401, { "Content-Type": "application/json" });
+			res.end(JSON.stringify({
+				error: "Unauthorized",
+				hint: "Authorization: Bearer <gateway_token_or_developer_key>"
+			}));
+			return false;
+		}
+		const bearer = auth.slice(7);
+		if (token && bearer === token) return true;
+		if (this.config.deps.validateApiAuth) {
+			const ok = await this.config.deps.validateApiAuth(bearer);
+			if (ok) return true;
+		}
+		res.writeHead(401, { "Content-Type": "application/json" });
+		res.end(JSON.stringify({
+			error: "Unauthorized",
+			hint: "Authorization: Bearer <gateway_token_or_developer_key>"
+		}));
+		return false;
+	}
+	/** Resolve real client IP, honouring X-Forwarded-For only when the socket peer is a trusted proxy. */
+	resolveClientIp(req) {
+		const socketIp = req.socket.remoteAddress ?? "127.0.0.1";
+		const trusted = this.config.trustedProxies ?? [];
+		if (trusted.length === 0) return socketIp;
+		const isTrusted = trusted.some((proxy) => {
+			if (proxy === socketIp) return true;
+			if (proxy.includes("/")) try {
+				const [base, bits] = proxy.split("/");
+				const mask = ~((1 << 32 - parseInt(bits, 10)) - 1);
+				const ipToNum = (ip) => ip.split(".").reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0);
+				return (ipToNum(socketIp) & mask) === (ipToNum(base) & mask);
+			} catch {
+				return false;
+			}
+			return false;
+		});
+		if (!isTrusted) return socketIp;
+		const xff = req.headers["x-forwarded-for"];
+		return xff ? xff.split(",")[0].trim() : socketIp;
+	}
+	configRpcRateLimit = /* @__PURE__ */ new Map();
+	CONFIG_RPC_MAX = 3;
+	CONFIG_RPC_WINDOW_MS = 6e4;
+	checkConfigRpcRateLimit(key) {
+		const now = Date.now();
+		let entry = this.configRpcRateLimit.get(key);
+		if (!entry || now - entry.windowStart > this.CONFIG_RPC_WINDOW_MS) entry = {
+			count: 0,
+			windowStart: now
+		};
+		entry.count++;
+		this.configRpcRateLimit.set(key, entry);
+		if (entry.count > this.CONFIG_RPC_MAX) {
+			const retryAfterMs = this.CONFIG_RPC_WINDOW_MS - (now - entry.windowStart);
+			return {
+				ok: false,
+				retryAfterMs
+			};
+		}
+		return { ok: true };
+	}
+	async handleHttp(req, res) {
+		const url = (req.url || "/").split("?")[0];
+		res.setHeader("Access-Control-Allow-Origin", "*");
+		res.setHeader("Content-Type", "application/json");
+		if (req.method === "OPTIONS") {
+			res.writeHead(204);
+			res.end();
+			return;
+		}
+		if (url === "/api/v1/check") {
+			res.writeHead(200);
+			res.end(JSON.stringify({
+				ok: true,
+				service: "hyperclaw",
+				version: "5.2.1"
+			}));
+			return;
+		}
+		if ((url === "/api/v1/config/apply" || url === "/api/v1/config/patch") && req.method === "POST") {
+			if (!await this.requireAuth(req, res)) return;
+			const clientIp = this.resolveClientIp(req);
+			const deviceId = req.headers["x-hyperclaw-device"] || "anon";
+			const rlKey = `${deviceId}:${clientIp}`;
+			const rl = this.checkConfigRpcRateLimit(rlKey);
+			if (!rl.ok) {
+				res.writeHead(429, { "Retry-After": String(Math.ceil((rl.retryAfterMs ?? 6e4) / 1e3)) });
+				res.end(JSON.stringify({
+					error: "UNAVAILABLE",
+					retryAfterMs: rl.retryAfterMs,
+					hint: "Config RPC is rate-limited to 3 requests per 60 seconds."
+				}));
+				return;
+			}
+			let body = "";
+			req.on("data", (c) => body += c);
+			req.on("end", async () => {
+				try {
+					const payload = JSON.parse(body || "{}");
+					const configPath = this.config.deps.getConfigPath();
+					const current = await fs_extra.default.readJson(configPath).catch(() => ({}));
+					let next;
+					if (url.endsWith("/apply")) next = payload;
+					else next = {
+						...current,
+						...payload
+					};
+					await fs_extra.default.writeJson(configPath, next, { spaces: 2 });
+					res.writeHead(200);
+					res.end(JSON.stringify({
+						ok: true,
+						action: url.endsWith("/apply") ? "apply" : "patch"
+					}));
+				} catch (e) {
+					res.writeHead(400);
+					res.end(JSON.stringify({ error: e.message }));
+				}
+			});
+			return;
+		}
+		if (url === "/api/v1/pi" && req.method === "POST") {
+			if (!await this.requireAuth(req, res)) return;
+			let body = "";
+			req.on("data", (c) => body += c);
+			req.on("end", async () => {
+				try {
+					const handler = this.config.deps.createPiRPCHandler((msg, opts) => this.callAgent(msg, {
+						currentSessionId: opts?.currentSessionId,
+						source: opts?.source
+					}), () => this.getSessionsList());
+					const rpcReq = JSON.parse(body || "{}");
+					const rpcRes = await handler(rpcReq);
+					res.writeHead(200);
+					res.end(JSON.stringify(rpcRes));
+				} catch (e) {
+					res.writeHead(500);
+					res.end(JSON.stringify({
+						jsonrpc: "2.0",
+						error: {
+							code: -32700,
+							message: e.message || "Parse error"
+						}
+					}));
+				}
+			});
+			return;
+		}
+		if (url === "/api/status") {
+			const cfg = this.loadConfig();
+			res.writeHead(200);
+			res.end(JSON.stringify({
+				running: true,
+				port: this.config.port,
+				channels: this.config.enabledChannels,
+				model: cfg?.provider?.modelId || "unknown",
+				agentName: cfg?.identity?.agentName || "Hyper",
+				sessions: this.sessions.size,
+				uptime: this.startedAt ? `${Math.round((Date.now() - new Date(this.startedAt).getTime()) / 1e3)}s` : "0s"
+			}));
+			return;
+		}
+		if (url === "/api/traces" && req.method === "GET") {
+			if (!await this.requireAuth(req, res)) return;
+			(async () => {
+				const params = new URL(req.url || "", "http://localhost").searchParams;
+				const limit = Math.min(100, parseInt(params.get("limit") || "50", 10) || 50);
+				try {
+					const traces = this.config.deps.listTraces ? await this.config.deps.listTraces(this.config.deps.getHyperClawDir(), limit) : [];
+					res.writeHead(200);
+					res.end(JSON.stringify({ traces }));
+				} catch {
+					res.writeHead(500);
+					res.end(JSON.stringify({ error: "Failed to list traces" }));
+				}
+			})();
+			return;
+		}
+		if (url === "/api/costs" && req.method === "GET") {
+			if (!await this.requireAuth(req, res)) return;
+			(async () => {
+				const params = new URL(req.url || "", "http://localhost").searchParams;
+				const sessionId = params.get("sessionId");
+				const hcDir = this.config.deps.getHyperClawDir();
+				try {
+					if (sessionId && this.config.deps.getSessionSummary) {
+						const summary = await this.config.deps.getSessionSummary(hcDir, sessionId);
+						res.writeHead(200);
+						res.end(JSON.stringify({
+							sessionId,
+							summary
+						}));
+					} else if (this.config.deps.getGlobalSummary) {
+						const summary = await this.config.deps.getGlobalSummary(this.config.deps.getHyperClawDir());
+						res.writeHead(200);
+						res.end(JSON.stringify({ summary }));
+					}
+				} catch (e) {
+					res.writeHead(500);
+					res.end(JSON.stringify({ error: e.message }));
+				}
+			})();
+			return;
+		}
+		if (url === "/api/remote/restart" && req.method === "POST") {
+			const auth = req.headers.authorization;
+			const token = this.config.deps.resolveGatewayToken(this.config.authToken);
+			if (token && auth !== `Bearer ${token}`) {
+				res.writeHead(401);
+				res.end(JSON.stringify({ error: "Unauthorized" }));
+				return;
+			}
+			(async () => {
+				const hcDir = this.config.deps.getHyperClawDir();
+				const pidFile = path.default.join(hcDir, "gateway.pid");
+				let didSpawn = false;
+				try {
+					if (await fs_extra.default.pathExists(pidFile)) {
+						const storedPid = parseInt(await fs_extra.default.readFile(pidFile, "utf8"), 10);
+						if (storedPid === process.pid && this.config.daemonMode) {
+							const runMainPath = this.config.deps.getRunMainPath?.() || process.argv[1] || require.main?.filename || path.default.resolve(process.cwd(), "dist/run-main.js");
+							const child = (0, child_process.spawn)(process.execPath, [
+								runMainPath,
+								"daemon",
+								"restart"
+							], {
+								detached: true,
+								stdio: "ignore",
+								env: process.env,
+								cwd: process.cwd()
+							});
+							child.unref();
+							didSpawn = true;
+						}
+					}
+				} catch (e) {
+					if (process.env.DEBUG) console.error("[gateway] daemon restart spawn:", e?.message);
+				}
+				res.writeHead(200);
+				res.end(JSON.stringify({
+					accepted: true,
+					message: didSpawn ? "Restarting daemon..." : "Gateway does not run as daemon. Run: hyperclaw daemon start, or from remote: ssh user@host \"hyperclaw daemon restart\"",
+					restarted: didSpawn
+				}));
+			})();
+			return;
+		}
+		if (url === "/api/v1/tts" && req.method === "POST") {
+			if (!await this.requireAuth(req, res)) return;
+			let body = "";
+			req.on("data", (c) => body += c);
+			req.on("end", async () => {
+				try {
+					const { text } = JSON.parse(body || "{}");
+					const cfg = this.loadConfig();
+					const apiKey = cfg?.talkMode?.apiKey || process.env.ELEVENLABS_API_KEY;
+					if (!apiKey || !text) {
+						res.writeHead(400);
+						res.end(JSON.stringify({ error: "Missing text or ELEVENLABS_API_KEY" }));
+						return;
+					}
+					const audio = this.config.deps.textToSpeech ? await this.config.deps.textToSpeech(text.slice(0, 4e3), {
+						apiKey,
+						voiceId: cfg?.talkMode?.voiceId,
+						modelId: cfg?.talkMode?.modelId
+					}) : null;
+					if (!audio) {
+						res.writeHead(502);
+						res.end(JSON.stringify({ error: "TTS failed" }));
+						return;
+					}
+					res.writeHead(200, { "Content-Type": "application/json" });
+					res.end(JSON.stringify({
+						format: "mp3",
+						data: audio
+					}));
+				} catch (e) {
+					res.writeHead(500);
+					res.end(JSON.stringify({ error: e.message }));
+				}
+			});
+			return;
+		}
+		if (url === "/api/nodes" && req.method === "GET") {
+			if (!await this.requireAuth(req, res)) return;
+			try {
+				const NR = this.config.deps.NodeRegistry;
+				const nodes = NR ? NR.getNodes().map((n) => ({
+					nodeId: n.nodeId,
+					platform: n.platform,
+					capabilities: n.capabilities,
+					deviceName: n.deviceName,
+					connectedAt: n.connectedAt,
+					lastSeenAt: n.lastSeenAt
+				})) : [];
+				res.writeHead(200);
+				res.end(JSON.stringify({ nodes }));
+			} catch (e) {
+				res.writeHead(500);
+				res.end(JSON.stringify({ error: e.message }));
+			}
+			return;
+		}
+		if (url === "/api/chat" && req.method === "POST") {
+			if (!await this.requireAuth(req, res)) return;
+			let body = "";
+			req.on("data", (c) => body += c);
+			req.on("end", async () => {
+				try {
+					const parsed = JSON.parse(body);
+					const { message } = parsed;
+					const agentId = parsed.agentId;
+					const sessionKey = parsed.sessionKey;
+					const source = req.headers["x-hyperclaw-source"] || "unknown";
+					const response = await this.callAgent(message, {
+						source,
+						agentId,
+						sessionKey
+					});
+					res.writeHead(200);
+					res.end(JSON.stringify({ response }));
+				} catch (e) {
+					res.writeHead(500);
+					res.end(JSON.stringify({ error: e.message }));
+				}
+			});
+			return;
+		}
+		if (url === "/api/webhook/inbound" && req.method === "POST") {
+			if (!await this.requireAuth(req, res)) return;
+			let body = "";
+			req.on("data", (c) => body += c);
+			req.on("end", async () => {
+				try {
+					const parsed = typeof body === "string" ? JSON.parse(body || "{}") : {};
+					const message = parsed.message || parsed.text || parsed.prompt || String(parsed);
+					if (!message || typeof message !== "string") {
+						res.writeHead(400);
+						res.end(JSON.stringify({ error: "Body must include \"message\" or \"text\" or \"prompt\"" }));
+						return;
+					}
+					const response = await this.callAgent(message, { source: "webhook:inbound" });
+					res.writeHead(200);
+					res.end(JSON.stringify({
+						ok: true,
+						response
+					}));
+				} catch (e) {
+					res.writeHead(500);
+					res.end(JSON.stringify({ error: e.message }));
+				}
+			});
+			return;
+		}
+		if (url === "/api/canvas/state" && req.method === "GET") {
+			if (!await this.requireAuth(req, res)) return;
+			const getState = this.config.deps.getCanvasState;
+			if (getState) getState().then((canvas) => {
+				res.writeHead(200, { "Content-Type": "application/json" });
+				res.end(JSON.stringify(canvas));
+			}).catch((e) => {
+				res.writeHead(500);
+				res.end(JSON.stringify({ error: e.message }));
+			});
+			else Promise.resolve().then(() => require("./renderer-h3ar94cf.js")).then(({ CanvasRenderer }) => {
+				const renderer = new CanvasRenderer();
+				renderer.getOrCreate().then((canvas) => {
+					res.writeHead(200, { "Content-Type": "application/json" });
+					res.end(JSON.stringify(canvas));
+				}).catch((e) => {
+					res.writeHead(500);
+					res.end(JSON.stringify({ error: e.message }));
+				});
+			}).catch((e) => {
+				res.writeHead(500);
+				res.end(JSON.stringify({ error: e.message }));
+			});
+			return;
+		}
+		if (url === "/api/canvas/a2ui" && req.method === "GET") {
+			if (!await this.requireAuth(req, res)) return;
+			const getA2UI = this.config.deps.getCanvasA2UI;
+			if (getA2UI) getA2UI().then((jsonl) => {
+				res.setHeader("Content-Type", "application/x-ndjson");
+				res.setHeader("Cache-Control", "no-cache");
+				res.writeHead(200);
+				res.end(jsonl + "\n");
+			}).catch((e) => {
+				res.writeHead(500);
+				res.end(JSON.stringify({ error: e.message }));
+			});
+			else Promise.resolve().then(() => require("./renderer-h3ar94cf.js")).then(({ CanvasRenderer }) => {
+				Promise.resolve().then(() => require("./a2ui-protocol-A2xow5Ch.js")).then(({ toBeginRendering, toJSONL }) => {
+					const renderer = new CanvasRenderer();
+					renderer.getOrCreate().then((canvas) => {
+						const msg = toBeginRendering(canvas);
+						res.setHeader("Content-Type", "application/x-ndjson");
+						res.setHeader("Cache-Control", "no-cache");
+						res.writeHead(200);
+						res.end(toJSONL([msg]) + "\n");
+					}).catch((e) => {
+						res.writeHead(500);
+						res.end(JSON.stringify({ error: e.message }));
+					});
+				});
+			}).catch((e) => {
+				res.writeHead(500);
+				res.end(JSON.stringify({ error: e.message }));
+			});
+			return;
+		}
+		if (url === "/chat" || url === "/chat/") {
+			res.setHeader("Content-Type", "text/html");
+			const fp = path.default.join(process.cwd(), "static", "chat.html");
+			if (fs_extra.default.pathExistsSync(fp)) res.end(fs_extra.default.readFileSync(fp, "utf8"));
+			else res.end("<!DOCTYPE html><html><body><p>Chat UI: <a href=\"/\">apps/web</a></p></body></html>");
+			return;
+		}
+		if (url === "/dashboard" || url === "/dashboard/") {
+			res.setHeader("Content-Type", "text/html");
+			const fp = path.default.join(process.cwd(), "static", "dashboard.html");
+			if (fs_extra.default.pathExistsSync(fp)) res.end(fs_extra.default.readFileSync(fp, "utf8"));
+			else res.end("<!DOCTYPE html><html><body><p>Dashboard: <a href=\"/api/status\">status</a></p></body></html>");
+			return;
+		}
+		if (url === "/" || url === "") {
+			res.writeHead(302, { Location: "/dashboard" });
+			res.end();
+			return;
+		}
+		if (url.startsWith("/webhook/")) {
+			const channelId = url.split("/")[2];
+			if (req.method === "GET") {
+				const params = new URL(url, "http://x").searchParams;
+				if (channelId === "twitter") {
+					const crcToken = params.get("crc_token");
+					if (crcToken) {
+						const verified$1 = this.channelRunner?.verifyWebhook?.(channelId, "crc", crcToken, "");
+						if (verified$1) {
+							res.writeHead(200, { "Content-Type": "application/json" });
+							res.end(verified$1);
+							return;
+						}
+					}
+				}
+				const mode = params.get("hub.mode") || "";
+				const token = params.get("hub.verify_token") || "";
+				const challenge = params.get("hub.challenge") || "";
+				const verified = this.channelRunner?.verifyWebhook?.(channelId, mode, token, challenge);
+				if (verified !== null && verified !== void 0) {
+					res.writeHead(200, { "Content-Type": "text/plain" });
+					res.end(verified);
+				} else {
+					res.writeHead(200);
+					res.end(JSON.stringify({ ok: true }));
+				}
+				return;
+			}
+			if (req.method === "POST") {
+				let body = "";
+				req.on("data", (c) => body += c);
+				req.on("end", async () => {
+					const host = req.headers["host"] || "localhost";
+					const baseUrl = `${req.headers["x-forwarded-proto"] === "https" ? "https" : "http"}://${host}`;
+					let opts;
+					if (channelId === "slack") opts = {
+						signature: req.headers["x-slack-signature"] || "",
+						timestamp: req.headers["x-slack-request-timestamp"] || ""
+					};
+					else if (channelId === "line") opts = { signature: req.headers["x-line-signature"] || "" };
+					else if (channelId === "sms") opts = {
+						twilioSignature: req.headers["x-twilio-signature"] || "",
+						webhookUrl: `${baseUrl}${req.url}`
+					};
+					else if (channelId === "instagram" || channelId === "messenger") opts = { signature: req.headers["x-hub-signature-256"] || "" };
+					else if (channelId === "viber") opts = { signature: req.headers["x-viber-signature"] || "" };
+					let challenge = void 0;
+					if (this.channelRunner?.handleWebhook) challenge = await this.channelRunner.handleWebhook(channelId, body, opts).catch(() => void 0);
+					this.broadcast({
+						type: "webhook:received",
+						channelId,
+						payload: body
+					});
+					if (typeof challenge === "string") {
+						const contentType = challenge.trim().startsWith("{") ? "application/json" : "text/plain";
+						res.writeHead(200, { "Content-Type": contentType });
+						res.end(challenge);
+					} else {
+						res.writeHead(200);
+						res.end(JSON.stringify({ ok: true }));
+					}
+				});
+				return;
+			}
+		}
+		res.writeHead(404);
+		res.end(JSON.stringify({ error: "Not found" }));
+	}
+	handleConnection(ws$1, req) {
+		const id = crypto.default.randomBytes(8).toString("hex");
+		const source = req.headers["x-hyperclaw-source"] || "unknown";
+		const authToken = this.config.deps.resolveGatewayToken(this.config.authToken);
+		const session = {
+			id,
+			socket: ws$1,
+			authenticated: !authToken,
+			source,
+			connectedAt: (/* @__PURE__ */ new Date()).toISOString(),
+			lastActiveAt: (/* @__PURE__ */ new Date()).toISOString()
+		};
+		this.sessions.set(id, session);
+		this.broadcast({
+			type: "presence:join",
+			sessionId: id,
+			source
+		}, id);
+		console.log(chalk.default.gray(`  [gateway] +connect ${source} ${id}`));
+		if (authToken && !session.authenticated) this.send(session, {
+			type: "connect.challenge",
+			sessionId: id
+		});
+		else {
+			this.send(session, {
+				type: "connect.ok",
+				sessionId: id,
+				version: "5.2.1",
+				heartbeatInterval: 3e4
+			});
+			if (this.config.hooks && this.config.deps.createHookLoader) this.config.deps.createHookLoader().execute("session:start", { sessionId: id }).catch(() => {});
+		}
+		ws$1.on("message", (data) => {
+			session.lastActiveAt = (/* @__PURE__ */ new Date()).toISOString();
+			try {
+				this.handleMessage(session, JSON.parse(data.toString()));
+			} catch {
+				this.send(session, {
+					type: "error",
+					message: "Invalid JSON"
+				});
+			}
+		});
+		ws$1.on("close", () => {
+			const s = this.sessions.get(id);
+			if (s?.nodeId && this.config.deps.NodeRegistry) {
+				this.config.deps.NodeRegistry.unregister(s.nodeId);
+				console.log(chalk.default.gray(`  [gateway] -node ${s.nodeId}`));
+			}
+			if (this.config.hooks && !s?.nodeId && this.config.deps.createHookLoader) {
+				const turnCount = this.transcripts.get(id)?.length ?? 0;
+				this.config.deps.createHookLoader().execute("session:end", {
+					sessionId: id,
+					turnCount
+				}).catch(() => {});
+			}
+			this.transcripts.delete(id);
+			this.sessions.delete(id);
+			this.broadcast({
+				type: "presence:leave",
+				sessionId: id
+			});
+			console.log(chalk.default.gray(`  [gateway] -disconnect ${id}`));
+		});
+		ws$1.on("error", (e) => console.log(chalk.default.yellow(`  [gateway] error ${id}: ${e.message}`)));
+	}
+	handleMessage(session, msg) {
+		if (msg.type === "node_register") {
+			const nodeId = msg.nodeId || `node-${session.id}`;
+			const platform = msg.platform === "ios" || msg.platform === "android" ? msg.platform : "ios";
+			const capabilities = msg.capabilities || {};
+			const authToken = this.config.deps.resolveGatewayToken(this.config.authToken);
+			if (authToken && msg.token !== authToken) {
+				this.send(session, {
+					type: "node:error",
+					message: "Invalid token"
+				});
+				session.socket.close(4001, "Unauthorized");
+				return;
+			}
+			const NR = this.config.deps.NodeRegistry;
+			if (!NR) {
+				this.send(session, {
+					type: "node:error",
+					message: "Node registry not available"
+				});
+				return;
+			}
+			const cmdIdToResolve = /* @__PURE__ */ new Map();
+			session._nodePending = cmdIdToResolve;
+			const node = {
+				nodeId,
+				platform,
+				capabilities,
+				deviceName: msg.deviceName,
+				connectedAt: (/* @__PURE__ */ new Date()).toISOString(),
+				lastSeenAt: (/* @__PURE__ */ new Date()).toISOString(),
+				send: async (cmd) => {
+					return new Promise((resolve) => {
+						const timeout = setTimeout(() => {
+							cmdIdToResolve.delete(cmd.id);
+							resolve({
+								ok: false,
+								error: "Timeout"
+							});
+						}, 3e4);
+						cmdIdToResolve.set(cmd.id, { resolve: (r) => {
+							clearTimeout(timeout);
+							resolve(r);
+						} });
+						this.send(session, {
+							type: "node:command",
+							id: cmd.id,
+							command: cmd.type,
+							params: cmd.params
+						});
+					});
+				}
+			};
+			const protocolVersion = msg.protocolVersion ?? 1;
+			NR.register(node);
+			session.nodeId = nodeId;
+			session.authenticated = true;
+			session.source = `node:${platform}`;
+			this.send(session, {
+				type: "node:registered",
+				nodeId,
+				sessionId: session.id,
+				protocolVersion: Math.min(protocolVersion, 2),
+				heartbeatInterval: 3e4,
+				capabilities: Object.keys(capabilities)
+			});
+			console.log(chalk.default.gray(`  [gateway] +node ${nodeId} (${platform})`));
+			return;
+		}
+		if (msg.type === "node:unregister" && session.nodeId && this.config.deps.NodeRegistry) {
+			this.config.deps.NodeRegistry.unregister(session.nodeId);
+			session.nodeId = void 0;
+			this.send(session, { type: "node:unregistered" });
+			return;
+		}
+		if (msg.type === "node:command_response" && session._nodePending) {
+			const r = session._nodePending.get(msg.id);
+			if (r) {
+				session._nodePending.delete(msg.id);
+				r.resolve({
+					ok: msg.ok,
+					data: msg.data,
+					error: msg.error
+				});
+			}
+			return;
+		}
+		if (msg.type === "session:restore" && (msg.restoreKey ?? msg.previousSessionId)) {
+			const key = String(msg.restoreKey ?? msg.previousSessionId);
+			session.restoreKey = key;
+			if (this.sessionStore) this.sessionStore.get(key).then((state) => {
+				if (state?.transcript?.length) {
+					const arr = this.transcripts.get(session.id) || [];
+					for (const t of state.transcript) if (!arr.some((x) => x.role === t.role && x.content === t.content)) arr.push(t);
+					if (arr.length > 100) arr.splice(0, arr.length - 80);
+					this.transcripts.set(session.id, arr);
+					this.send(session, {
+						type: "session:restored",
+						transcript: state.transcript
+					});
+				}
+			}).catch(() => {});
+			return;
+		}
+		if (msg.type === "auth") {
+			const resolved = this.config.deps.resolveGatewayToken(this.config.authToken);
+			if (resolved && msg.token === resolved) {
+				session.authenticated = true;
+				this.send(session, {
+					type: "auth.ok",
+					sessionId: session.id
+				});
+			} else session.socket.close(4001, "Unauthorized");
+			return;
+		}
+		if (!session.authenticated) {
+			this.send(session, {
+				type: "error",
+				message: "Not authenticated"
+			});
+			return;
+		}
+		switch (msg.type) {
+			case "ping": {
+				if (session.nodeId && this.config.deps.NodeRegistry) this.config.deps.NodeRegistry.updateLastSeen?.(session.nodeId);
+				this.send(session, {
+					type: "pong",
+					ts: Date.now()
+				});
+				break;
+			}
+			case "talk:enable":
+				session.talkMode = true;
+				this.send(session, {
+					type: "talk:ok",
+					enabled: true
+				});
+				break;
+			case "talk:disable":
+				session.talkMode = false;
+				this.send(session, {
+					type: "talk:ok",
+					enabled: false
+				});
+				break;
+			case "elevated:enable": {
+				const cfg = this.loadConfig();
+				const allowFrom = (cfg?.tools?.elevated)?.allowFrom ?? [];
+				const enabled = (cfg?.tools?.elevated)?.enabled === true;
+				if (!enabled) {
+					this.send(session, {
+						type: "error",
+						message: "Elevated mode disabled in config"
+					});
+					break;
+				}
+				if (allowFrom.length && !allowFrom.includes(session.source) && !allowFrom.includes("*")) {
+					this.send(session, {
+						type: "error",
+						message: "Source not in elevated allowFrom"
+					});
+					break;
+				}
+				session.elevated = true;
+				this.send(session, {
+					type: "elevated:ok",
+					enabled: true
+				});
+				break;
+			}
+			case "elevated:disable":
+				session.elevated = false;
+				this.send(session, {
+					type: "elevated:ok",
+					enabled: false
+				});
+				break;
+			case "chat:message": {
+				const content = typeof msg.content === "string" ? msg.content : String(msg.content ?? "");
+				if (this.config.hooks && this.config.deps.createHookLoader) this.config.deps.createHookLoader().execute("message:received", { sessionId: session.id }).catch(() => {});
+				const onDone = (response) => {
+					this.send(session, {
+						type: "chat:response",
+						content: response
+					});
+					if (session.talkMode && response) this.synthesizeAndSendAudio(session, response).catch(() => {});
+					if (this.config.hooks && this.config.deps.createHookLoader) this.config.deps.createHookLoader().execute("message:sent", {
+						sessionId: session.id,
+						message: content,
+						response
+					}).catch(() => {});
+				};
+				this.callAgent(content, {
+					currentSessionId: session.id,
+					onToken: (token) => this.send(session, {
+						type: "chat:chunk",
+						content: token
+					}),
+					onDone
+				}).catch((e) => this.send(session, {
+					type: "chat:response",
+					content: `Error: ${e.message}`
+				}));
+				break;
+			}
+			case "gateway:status":
+				this.send(session, {
+					type: "gateway:status",
+					sessions: this.sessions.size,
+					uptime: this.startedAt
+				});
+				break;
+			case "presence:list":
+				this.send(session, {
+					type: "presence:list",
+					sessions: Array.from(this.sessions.entries()).map(([sid, s]) => ({
+						id: sid,
+						source: s.source
+					}))
+				});
+				break;
+			case "config:get":
+				this.send(session, {
+					type: "config:data",
+					config: this.scrubConfig(this.loadConfig())
+				});
+				break;
+		}
+	}
+	async callAgent(message, opts) {
+		const sid = opts?.currentSessionId;
+		const sess = sid ? this.sessions.get(sid) : void 0;
+		const confirmTriggers = [
+			"confirm",
+			"yes",
+			"ok",
+			"elevate"
+		];
+		if (sid && confirmTriggers.includes(message.trim().toLowerCase())) {
+			const getPending = this.config.deps.getPending;
+			const clearPending = this.config.deps.clearPending;
+			if (getPending && clearPending) {
+				const pending = getPending(sid);
+				if (pending) {
+					clearPending(sid);
+					try {
+						const result$1 = await pending.execute();
+						opts?.onDone?.(result$1);
+						return result$1;
+					} catch (e) {
+						const err = `Error: ${e.message}`;
+						opts?.onDone?.(err);
+						return err;
+					}
+				}
+			}
+		}
+		const cfg = this.loadConfig();
+		const elevated = sess?.elevated && (cfg?.tools?.elevated)?.enabled === true;
+		const source = opts?.source || sess?.source;
+		const hcDir = this.config.deps.getHyperClawDir();
+		const effectiveKey = opts?.sessionKey || sid;
+		const runOpts = {
+			sessionId: sid,
+			source,
+			elevated,
+			onToken: opts?.onToken,
+			onDone: opts?.onDone,
+			daemonMode: this.config.daemonMode,
+			appendTranscript: (key, role, content, src) => this.appendTranscript(key, role, content, src),
+			activeServer: activeServer ?? this,
+			agentId: opts?.agentId,
+			sessionKey: opts?.sessionKey,
+			...effectiveKey && this.sessionStore ? { getTranscript: async (k) => {
+				const s = await this.sessionStore.get(k);
+				return s?.transcript ?? null;
+			} } : {}
+		};
+		if ((cfg?.observability)?.traces && this.config.deps.createRunTracer && this.config.deps.writeTraceToFile) {
+			const tracer = this.config.deps.createRunTracer(sid, source);
+			runOpts.onToolCall = tracer.onToolCall;
+			runOpts.onToolResult = tracer.onToolResult;
+			runOpts.onRunEnd = (usage, err) => {
+				tracer.onRunEnd(usage, err);
+				this.config.deps.writeTraceToFile(hcDir, tracer.trace).catch(() => {});
+			};
+		}
+		const baseOnRunEnd = runOpts.onRunEnd;
+		const recordUsage = this.config.deps.recordUsage;
+		runOpts.onRunEnd = (usage, err) => {
+			baseOnRunEnd?.(usage, err);
+			const recordId = effectiveKey || sid;
+			if (recordId && usage && recordUsage) recordUsage(hcDir, recordId, usage, {
+				source,
+				model: cfg?.provider?.modelId ?? void 0
+			}).catch(() => {});
+		};
+		const result = await this.config.deps.runAgentEngine(message, runOpts);
+		return result.text;
+	}
+	appendTranscript(sessionId, role, content, sourceOverride) {
+		let arr = this.transcripts.get(sessionId);
+		if (!arr) {
+			arr = [];
+			this.transcripts.set(sessionId, arr);
+		}
+		arr.push({
+			role,
+			content
+		});
+		if (arr.length > 100) arr.splice(0, arr.length - 80);
+		const sess = this.sessions.get(sessionId);
+		const storeKey = sess?.restoreKey || sessionId;
+		const source = sourceOverride ?? sess?.source;
+		if (this.sessionStore) this.sessionStore.append(storeKey, role, content, source).catch(() => {});
+	}
+	getSessionsList() {
+		return Array.from(this.sessions.entries()).map(([id, s]) => ({
+			id,
+			source: s.source,
+			connectedAt: s.connectedAt
+		}));
+	}
+	sendToSession(sessionId, msg) {
+		const s = this.sessions.get(sessionId);
+		if (!s || s.socket.readyState !== ws.WebSocket.OPEN) return false;
+		this.send(s, msg);
+		return true;
+	}
+	getSessionHistory(sessionId, limit = 20) {
+		const arr = this.transcripts.get(sessionId) ?? [];
+		return arr.slice(-limit);
+	}
+	send(session, msg) {
+		if (session.socket.readyState === ws.WebSocket.OPEN) session.socket.send(JSON.stringify(msg));
+	}
+	broadcast(msg, excludeId) {
+		for (const [id, s] of this.sessions) if (id !== excludeId && s.authenticated) this.send(s, msg);
+	}
+	async synthesizeAndSendAudio(session, text) {
+		const cfg = this.loadConfig();
+		const talk = cfg?.talkMode;
+		const apiKey = talk?.apiKey || process.env.ELEVENLABS_API_KEY;
+		if (!apiKey) return;
+		const textToSpeech = this.config.deps.textToSpeech;
+		if (!textToSpeech) return;
+		const audio = await textToSpeech(text.slice(0, 4e3), {
+			apiKey,
+			voiceId: talk?.voiceId,
+			modelId: talk?.modelId || "eleven_multilingual_v2"
+		});
+		if (audio) this.send(session, {
+			type: "chat:audio",
+			format: "mp3",
+			data: audio
+		});
+	}
+	loadConfig() {
+		if (this.config.deps.loadConfig) return this.config.deps.loadConfig();
+		try {
+			return fs_extra.default.readJsonSync(this.config.deps.getConfigPath());
+		} catch {
+			return null;
+		}
+	}
+	scrubConfig(cfg) {
+		if (!cfg) return null;
+		const s = JSON.parse(JSON.stringify(cfg));
+		if (s.provider?.apiKey) s.provider.apiKey = "***";
+		if (s.gateway?.authToken) s.gateway.authToken = "***";
+		return s;
+	}
+	getStatus() {
+		return {
+			running: true,
+			port: this.config.port,
+			sessions: this.sessions.size,
+			startedAt: this.startedAt
+		};
+	}
+};
+const DEFAULT_PORT = 18789;
+async function startGateway(opts) {
+	const deps = opts.deps;
+	let base;
+	let fullCfg = {};
+	try {
+		fullCfg = fs_extra.default.readJsonSync(deps.getConfigPath());
+		base = fullCfg.gateway ?? {};
+	} catch {
+		base = {
+			port: DEFAULT_PORT,
+			bind: "127.0.0.1",
+			authToken: "",
+			runtime: "node",
+			enabledChannels: [],
+			hooks: true
+		};
+	}
+	const portEnv = process.env.PORT || process.env.HYPERCLAW_PORT;
+	const port = portEnv ? parseInt(portEnv, 10) || base.port : base.port;
+	const sessionDm = fullCfg?.session?.dmScope;
+	const gwDm = base.dmScope ?? sessionDm;
+	const dmScope = gwDm === "main" ? "global" : gwDm === "per-peer" ? "per-channel" : gwDm;
+	const cfg = {
+		...base,
+		port: port ?? DEFAULT_PORT,
+		bind: base.bind ?? "127.0.0.1",
+		authToken: deps.resolveGatewayToken(base.authToken ?? "") ?? base.authToken ?? "",
+		runtime: base.runtime ?? "node",
+		enabledChannels: base.enabledChannels ?? [],
+		hooks: base.hooks ?? true,
+		dmScope: dmScope ?? base.dmScope,
+		daemonMode: opts.daemonMode,
+		deps
+	};
+	const server = new GatewayServer(cfg);
+	await server.start();
+	return server;
+}
+function getActiveServer() {
+	return activeServer;
+}
+GatewayServer.prototype.getSessionsList = function() {
+	const out = [];
+	for (const [id, s] of this.sessions) out.push({
+		id,
+		source: s.source,
+		connectedAt: s.connectedAt,
+		lastActiveAt: s.lastActiveAt,
+		talkMode: s.talkMode ?? false,
+		nodeId: s.nodeId ?? null
+	});
+	return out;
+};
+GatewayServer.prototype.sendToSession = function(id, msg) {
+	const session = this.sessions.get(id);
+	if (!session || session.socket.readyState !== 1) return false;
+	try {
+		session.socket.send(JSON.stringify(msg));
+		return true;
+	} catch {
+		return false;
+	}
+};
+GatewayServer.prototype.getSessionHistory = function(id, limit) {
+	const history = this.transcripts.get(id);
+	if (!history) return [];
+	return history.slice(-limit);
+};
+
+//#endregion
+//#region src/gateway/deps-provider.ts
+async function createDefaultGatewayDeps() {
+	const [paths, envResolve, sessionStore, channelRunner, hookLoader, core, devKeys, pendingApproval, observability, costTracker, tts, nodesRegistry, canvasRenderer, a2ui, daemon] = await Promise.all([
+		Promise.resolve().then(() => require("./paths-D-QecARF.js")),
+		Promise.resolve().then(() => require("./env-resolve-CC_po9t5.js")),
+		Promise.resolve().then(() => require("./session-store-7ZPOoB81.js")),
+		Promise.resolve().then(() => require("./runner-NvAzKXbv.js")),
+		Promise.resolve().then(() => require("./loader-B2jZXMBu.js")),
+		Promise.resolve().then(() => require("./src-DZtpIvWJ.js")),
+		Promise.resolve().then(() => require("./developer-keys-KFGbGuZj.js")),
+		Promise.resolve().then(() => require("./pending-approval-BaKZ0b_s.js")),
+		Promise.resolve().then(() => require("./observability-BfhV3r9r.js")),
+		Promise.resolve().then(() => require("./cost-tracker-DJ1tiKcx.js")),
+		Promise.resolve().then(() => require("./tts-elevenlabs-C62Wnnrg.js")),
+		Promise.resolve().then(() => require("./nodes-registry-jK7T0THg.js")),
+		Promise.resolve().then(() => require("./renderer-h3ar94cf.js")),
+		Promise.resolve().then(() => require("./a2ui-protocol-A2xow5Ch.js")),
+		Promise.resolve().then(() => require("./daemon-sZVjFUoX.js"))
+	]);
+	const createSessionStore = async (baseDir) => {
+		const store = await sessionStore.createFileSessionStore(baseDir);
+		return store;
+	};
+	const createHookLoader = () => new hookLoader.HookLoader();
+	const getCanvasState = async () => {
+		const renderer = new canvasRenderer.CanvasRenderer();
+		const canvas = await renderer.getOrCreate();
+		return canvas;
+	};
+	const getCanvasA2UI = async () => {
+		const renderer = new canvasRenderer.CanvasRenderer();
+		const canvas = await renderer.getOrCreate();
+		const msg = a2ui.toBeginRendering(canvas);
+		return a2ui.toJSONL([msg]);
+	};
+	return {
+		getHyperClawDir: paths.getHyperClawDir,
+		getConfigPath: paths.getConfigPath,
+		resolveGatewayToken: envResolve.resolveGatewayToken,
+		validateApiAuth: async (bearer) => (await devKeys.validateDeveloperKey(bearer)).valid,
+		createSessionStore,
+		startChannelRunners: channelRunner.startChannelRunners,
+		createHookLoader,
+		runAgentEngine: core.runAgentEngine,
+		createPiRPCHandler: core.createPiRPCHandler,
+		listTraces: observability.listTraces,
+		getSessionSummary: costTracker.getSessionSummary,
+		getGlobalSummary: costTracker.getGlobalSummary,
+		recordUsage: costTracker.recordUsage,
+		textToSpeech: tts.textToSpeech,
+		getPending: pendingApproval.getPending,
+		clearPending: pendingApproval.clearPending,
+		createRunTracer: observability.createRunTracer,
+		writeTraceToFile: observability.writeTraceToFile,
+		NodeRegistry: nodesRegistry.NodeRegistry,
+		getCanvasState,
+		getCanvasA2UI,
+		restartDaemon: async () => {
+			const dm = new daemon.DaemonManager();
+			await dm.restart?.();
+		}
+	};
+}
+
+//#endregion
+//#region src/gateway/server.ts
+/** Start gateway with default deps (paths, channels, hooks, etc.). */
+async function startGateway$1(opts) {
+	const deps = await createDefaultGatewayDeps();
+	return startGateway({
+		...opts,
+		deps
+	});
+}
+
+//#endregion
+Object.defineProperty(exports, 'GatewayServer', {
+  enumerable: true,
+  get: function () {
+    return GatewayServer;
+  }
+});
+Object.defineProperty(exports, 'getActiveServer', {
+  enumerable: true,
+  get: function () {
+    return getActiveServer;
+  }
+});
+Object.defineProperty(exports, 'startGateway', {
+  enumerable: true,
+  get: function () {
+    return startGateway$1;
+  }
+});