localant 1.0.2 → 1.1.0

package/packages/mcp/dist/http-server.js

@@ -1,8 +1,12 @@
 import http from "node:http";
 import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
 import express from "express";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
-import { createLogger, findAvailablePort } from "@localant/shared";
+import { createLogger, findAvailablePort, APP_VERSION, ConfigSchema, isToolInProfile } from "@localant/shared";
+import { commandExists } from "@localant/gateway";
 import { dashboardHtml } from "@localant/dashboard";
 import { buildMcpServer } from "./mcp-server.js";
 const log = createLogger("http");
@@ -26,13 +30,61 @@ function extractToken(req) {
         return headerKey;
     return undefined;
 }
+/** Hostnames considered local. Used to defend the dashboard against
+ * DNS-rebinding (an attacker domain resolving to 127.0.0.1 carries its own
+ * Host header, which will not be in this set). */
+const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "[::1]"]);
+function isLocalRequest(req) {
+    // express strips the port from req.hostname.
+    return LOCAL_HOSTS.has(req.hostname);
+}
+/**
+ * Minimal fixed-window in-memory rate limiter keyed by client IP. No external
+ * dependency; resets every `windowMs`. Returns false when the caller is over
+ * the limit.
+ */
+function createRateLimiter(limit, windowMs) {
+    let windowStart = Date.now();
+    let counts = new Map();
+    return (key) => {
+        const now = Date.now();
+        if (now - windowStart >= windowMs) {
+            windowStart = now;
+            counts = new Map();
+        }
+        const next = (counts.get(key) ?? 0) + 1;
+        counts.set(key, next);
+        return next <= limit;
+    };
+}
+/** Locate a bundled asset across the dev-tree and published-package layouts. */
+function findAsset(file) {
+    const __dirname = path.dirname(fileURLToPath(import.meta.url));
+    const candidates = [
+        path.join(__dirname, "..", "..", "..", "assets", file),
+        path.join(__dirname, "..", "assets", file),
+        path.join(__dirname, "assets", file),
+        path.join(process.cwd(), "assets", file),
+    ];
+    return candidates.find((c) => fs.existsSync(c));
+}
+function serveAsset(file, res) {
+    const found = findAsset(file);
+    if (found)
+        res.sendFile(found);
+    else
+        res.status(404).end();
+}
 /**
  * Start the public gateway server (/healthz, /status, /mcp) and the local-only
  * dashboard server. /mcp requires the auth token.
  */
 export async function startHttpServers(gw) {
     const cfg = gw.config();
-    const token = gw.configStore.getToken();
+    // Read the token fresh on every check so rotating it from the dashboard/CLI
+    // takes effect immediately, without restarting the gateway.
+    const currentToken = () => gw.configStore.getToken();
+    const pendingCodes = new Map();
     // ---------- Public gateway app ----------
     const app = express();
     app.use(express.json({ limit: "8mb" }));
@@ -40,14 +92,22 @@ export async function startHttpServers(gw) {
     app.get("/status", (_req, res) => res.json(gw.runtimeInfo()));
     const requireAuth = (req, res) => {
         const provided = extractToken(req);
-        if (!provided || !tokenMatches(provided, token)) {
+        if (!provided || !tokenMatches(provided, currentToken())) {
             res.status(401).json({ error: "Unauthorized. Provide the auth token via Authorization: Bearer <token> or ?key=<token>." });
             return false;
         }
         return true;
     };
+    // Rate limit the public MCP endpoint to blunt brute-force / abuse over the
+    // tunnel. Generous enough for normal ChatGPT use; keyed by client IP.
+    const mcpRateLimit = createRateLimiter(120, 60_000);
     // Streamable HTTP MCP endpoint (stateless: one server+transport per request).
     app.post("/mcp", async (req, res) => {
+        const ip = req.ip ?? req.socket.remoteAddress ?? "unknown";
+        if (!mcpRateLimit(ip)) {
+            res.status(429).json({ error: "Too many requests. Slow down." });
+            return;
+        }
         if (!requireAuth(req, res))
             return;
         try {
@@ -69,6 +129,44 @@ export async function startHttpServers(gw) {
     const methodNotAllowed = (_req, res) => res.status(405).json({ error: "Method not allowed. Use POST for /mcp." });
     app.get("/mcp", methodNotAllowed);
     app.delete("/mcp", methodNotAllowed);
+    // OAuth 認可エンドポイント
+    app.get("/oauth/authorize", (req, res) => {
+        const { redirect_uri, state } = req.query;
+        if (!redirect_uri) {
+            return res.status(400).send("Missing redirect_uri");
+        }
+        const rt = gw.runtimeInfo();
+        if (!rt.dashboard) {
+            return res.status(500).send("Dashboard is not running, cannot authorize.");
+        }
+        const target = `${rt.dashboard}/#oauth/approve?state=${encodeURIComponent(String(state || ""))}&redirect_uri=${encodeURIComponent(String(redirect_uri))}`;
+        res.redirect(target);
+    });
+    // OAuth トークンエンドポイント
+    app.post("/oauth/token", express.urlencoded({ extended: true }), (req, res) => {
+        const body = req.body || {};
+        const { grant_type, code } = body;
+        if (grant_type !== "authorization_code") {
+            return res.status(400).json({ error: "unsupported_grant_type" });
+        }
+        if (!code) {
+            return res.status(400).json({ error: "invalid_request", error_description: "Missing code" });
+        }
+        const pending = pendingCodes.get(code);
+        if (!pending) {
+            return res.status(400).json({ error: "invalid_grant", error_description: "Invalid or expired code" });
+        }
+        if (Date.now() - pending.createdAt > 600_000) {
+            pendingCodes.delete(code);
+            return res.status(400).json({ error: "invalid_grant", error_description: "Code expired" });
+        }
+        pendingCodes.delete(code);
+        res.json({
+            access_token: currentToken(),
+            token_type: "Bearer",
+            expires_in: 315360000,
+        });
+    });
     const gatewayPort = await findAvailablePort(cfg.gateway.port, cfg.gateway.host);
     if (gatewayPort !== cfg.gateway.port) {
         log.info(`port ${cfg.gateway.port} is busy — falling back to ${gatewayPort}`);
@@ -80,40 +178,218 @@ export async function startHttpServers(gw) {
     let dashboardPort;
     if (cfg.dashboard.enabled) {
         dashboardPort = await findAvailablePort(cfg.dashboard.port, "127.0.0.1", [gatewayPort]);
+        // Per-process token embedded in the served HTML and required on /api/*.
+        // A cross-origin page cannot read the dashboard HTML (so it cannot learn
+        // the token) and cannot forge the custom header without a CORS preflight
+        // we never grant — this closes the CSRF / token-theft hole.
+        const dashToken = crypto.randomBytes(24).toString("base64url");
         const dash = express();
         dash.use(express.json({ limit: "2mb" }));
-        mountDashboardApi(dash, gw);
-        dash.get("/", (_req, res) => res.type("html").send(dashboardHtml()));
+        // DNS-rebinding defense: only serve requests whose Host is local.
+        dash.use((req, res, next) => {
+            if (!isLocalRequest(req)) {
+                res.status(403).json({ error: "Forbidden: dashboard is local-only." });
+                return;
+            }
+            next();
+        });
+        mountDashboardApi(dash, gw, dashToken, pendingCodes);
+        dash.get("/favicon.png", (_req, res) => serveAsset("hero.png", res));
+        dash.get("/favicon.ico", (_req, res) => serveAsset("hero.png", res));
+        dash.get("/hero.png", (_req, res) => serveAsset("hero.png", res));
+        dash.get("/", (_req, res) => res.type("html").send(dashboardHtml(dashToken)));
         dashboardServer = await listen(dash, dashboardPort, "127.0.0.1");
         log.info(`dashboard listening on http://127.0.0.1:${dashboardPort}`);
     }
     gw.setBoundPorts(gatewayPort, dashboardPort);
     return { gateway: gatewayServer, dashboard: dashboardServer, gatewayPort, dashboardPort };
 }
-/** Dashboard API — bound to 127.0.0.1 only, so no external auth is required. */
-function mountDashboardApi(app, gw) {
+/**
+ * Dashboard API — bound to 127.0.0.1 only and additionally gated by a
+ * per-process token (defends against CSRF / DNS-rebinding from a browser tab).
+ */
+function mountDashboardApi(app, gw, dashToken, pendingCodes) {
     const r = express.Router();
+    r.post("/oauth/approve", (q, s) => {
+        const { redirect_uri } = q.body;
+        if (!redirect_uri) {
+            s.status(400).json({ error: "Missing redirect_uri" });
+            return;
+        }
+        const code = crypto.randomBytes(16).toString("hex");
+        pendingCodes.set(code, {
+            redirectUri: redirect_uri,
+            createdAt: Date.now(),
+        });
+        s.json({ code });
+    });
+    // Require the dashboard token on every /api/* call. The token is embedded in
+    // the served HTML, so the legitimate same-origin page always has it; a
+    // cross-origin attacker cannot read it nor forge the custom header.
+    r.use((req, res, next) => {
+        const provided = req.header("x-dashboard-token");
+        if (!provided || !tokenMatches(provided, dashToken)) {
+            res.status(401).json({ error: "Unauthorized dashboard request." });
+            return;
+        }
+        next();
+    });
+    r.get("/tools", (_q, s) => {
+        const profile = gw.config().tools.profile;
+        s.json(gw.registry.list().map((t) => {
+            const shape = t.inputSchema.shape ?? {};
+            const inputSchema = {};
+            for (const [key, field] of Object.entries(shape)) {
+                const f = field;
+                inputSchema[key] = {
+                    type: getZodTypeString(f),
+                    description: f.description ?? f._def?.description ?? undefined,
+                };
+            }
+            return {
+                name: t.name,
+                description: t.description,
+                risk: t.risk,
+                inputSchema,
+                // Whether this tool is advertised to ChatGPT under the active profile.
+                active: isToolInProfile(t.name, profile),
+            };
+        }));
+    });
+    // --- Tool profile ---
+    r.get("/tools/profile", (_q, s) => s.json({ profile: gw.config().tools.profile }));
+    r.post("/tools/profile/:name", (q, s) => {
+        const name = q.params.name;
+        if (!["minimal", "coding", "full"].includes(name)) {
+            return s.status(400).json({ error: "profile must be minimal|coding|full" });
+        }
+        gw.saveConfig({ ...gw.config(), tools: { profile: name } });
+        s.json({ profile: name, note: "Restart the gateway for the MCP surface to refresh." });
+    });
+    // --- Agents detect ---
+    r.get("/agents/detect", async (_q, s) => s.json(await gw.agents.list()));
+    // --- MCP import-all ---
+    r.post("/mcp-servers/import-all", async (_q, s) => {
+        const res = await gw.executeTool("mcp_import_all_agent_configs", {}, { caller: "dashboard" });
+        s.json(res.data ?? { error: res.error });
+    });
+    // --- Running shell processes (local visibility; ChatGPT has no equivalent) ---
+    r.get("/processes", (_q, s) => s.json({ processes: gw.shell.listProcesses() }));
     r.get("/status", (_q, s) => s.json(gw.runtimeInfo()));
-    r.get("/health", (_q, s) => s.json({ status: "ok", version: "1.0.0", time: new Date().toISOString() }));
+    r.get("/health", (_q, s) => s.json({ status: "ok", version: APP_VERSION, time: new Date().toISOString() }));
+    r.get("/doctor", async (_q, s) => {
+        const tools = ["git", "node", "pnpm", "npm", "npx", "claude", "codex", "openclaw", "agy", "hermes", "opencode", "cloudflared", "ngrok", "adb", "docker"];
+        const checks = await Promise.all(tools.map(async (name) => ({ name, available: await commandExists(name) })));
+        const nodeMajor = Number(process.versions.node.split(".")[0]);
+        s.json({
+            node: process.version,
+            nodeOk: nodeMajor >= 20,
+            skillExecOk: nodeMajor >= 22,
+            platform: process.platform,
+            tools: checks,
+        });
+    });
     r.get("/config", (_q, s) => s.json(gw.config()));
     r.get("/mcp-endpoint", (_q, s) => {
         const t = gw.tunnel.current();
         s.json({ endpoint: t.url ? `${t.url.replace(/\/$/, "")}/mcp?key=${gw.configStore.getToken()}` : null, tunnel: t });
     });
+    r.get("/token", (_q, s) => s.json({ token: gw.configStore.getToken() }));
+    r.post("/token/rotate", (_q, s) => {
+        const token = gw.configStore.rotateToken();
+        s.json({ token });
+    });
     r.get("/approvals", (_q, s) => s.json(gw.approvals.listPending()));
     r.post("/approvals/:id/approve", (q, s) => s.json(gw.approvals.approve(q.params.id, q.body?.scope === "session" ? "session" : "once") ?? { error: "not found" }));
     r.post("/approvals/:id/deny", (q, s) => s.json(gw.approvals.deny(q.params.id) ?? { error: "not found" }));
-    r.get("/audit", (_q, s) => s.json(gw.audit.list(100)));
-    r.get("/skills", (_q, s) => s.json(gw.skills.list().map((sk) => ({
-        name: sk.manifest.name,
-        version: sk.manifest.version,
-        description: sk.manifest.description,
-        enabled: sk.enabled,
-        generated: sk.generated,
-        riskLevel: sk.manifest.riskLevel,
-        valid: sk.valid,
-        tools: sk.manifest.tools.map((t) => t.name),
-    }))));
+    r.get("/audit", (q, s) => {
+        const query = typeof q.query.q === "string" ? q.query.q.trim() : "";
+        s.json(query ? gw.audit.search(query, 100) : gw.audit.list(100));
+    });
+    r.get("/audit/:id", (q, s) => {
+        const entry = gw.audit.get(q.params.id);
+        if (!entry) {
+            s.status(404).json({ error: "Audit entry not found." });
+            return;
+        }
+        s.json(entry);
+    });
+    r.get("/skills", (_q, s) => s.json({
+        skillsDir: gw.paths.skillsDir,
+        skills: gw.skills.list().map((sk) => ({
+            name: sk.manifest.name,
+            version: sk.manifest.version,
+            description: sk.manifest.description,
+            enabled: sk.enabled,
+            generated: sk.generated,
+            riskLevel: sk.manifest.riskLevel,
+            valid: sk.valid,
+            bundled: !sk.dir.startsWith(gw.paths.skillsDir),
+            tools: sk.manifest.tools.map((t) => t.name),
+        })),
+    }));
+    r.get("/skills/:name", (q, s) => {
+        const sk = gw.skills.get(q.params.name);
+        if (!sk) {
+            s.status(404).json({ error: `Skill not found: ${q.params.name}` });
+            return;
+        }
+        s.json({
+            ...sk,
+            bundled: !sk.dir.startsWith(gw.paths.skillsDir),
+            validation: gw.skills.validate(q.params.name),
+        });
+    });
+    r.post("/skills", (q, s) => {
+        try {
+            const { name, description, riskLevel, requirements } = q.body ?? {};
+            if (!name || !description) {
+                s.status(400).json({ error: "name and description are required." });
+                return;
+            }
+            const sk = gw.skills.generate({ name, description, riskLevel, requirements });
+            s.json({ ...sk, note: "Skill generated DISABLED. Review permissions, then enable it." });
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
+    r.post("/skills/install", async (q, s) => {
+        try {
+            const url = q.body?.url;
+            if (!url) {
+                s.status(400).json({ error: "url is required." });
+                return;
+            }
+            const res = await gw.skills.installFromGit(url);
+            s.json({ ...res, note: "Cloned DISABLED. Review permissions, then enable it." });
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
+    r.post("/skills/:name/run", async (q, s) => {
+        try {
+            const { tool, input } = q.body ?? {};
+            if (!tool) {
+                s.status(400).json({ error: "tool is required." });
+                return;
+            }
+            const result = await gw.skills.run(q.params.name, tool, input ?? {});
+            s.json({ result });
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
+    r.delete("/skills/:name", (q, s) => {
+        try {
+            s.json({ removed: gw.skills.uninstall(q.params.name) });
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
     r.post("/skills/:name/enable", (q, s) => {
         try {
             s.json(gw.skills.setEnabled(q.params.name, true));
@@ -122,12 +398,239 @@ function mountDashboardApi(app, gw) {
             s.status(400).json({ error: e.message });
         }
     });
-    r.post("/skills/:name/disable", (q, s) => s.json(gw.skills.setEnabled(q.params.name, false)));
+    r.post("/skills/:name/disable", (q, s) => {
+        try {
+            s.json(gw.skills.setEnabled(q.params.name, false));
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
     r.get("/projects", (_q, s) => s.json(gw.projects.list()));
+    r.post("/projects", (q, s) => {
+        try {
+            const { path: projectPath, name } = q.body ?? {};
+            if (!projectPath) {
+                s.status(400).json({ error: "path is required." });
+                return;
+            }
+            s.json(gw.projects.register(projectPath, name));
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
+    r.delete("/projects/:id", (q, s) => s.json({ removed: gw.projects.unregister(q.params.id) }));
     r.get("/secrets", (_q, s) => s.json({ names: gw.vault.list() }));
+    r.post("/secrets", (q, s) => {
+        try {
+            const { name, value } = q.body;
+            if (!name || !value) {
+                s.status(400).json({ error: "Name and value are required." });
+                return;
+            }
+            gw.vault.set(name, value);
+            s.json({ ok: true });
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
+    r.delete("/secrets/:name", (q, s) => {
+        try {
+            const ok = gw.vault.remove(q.params.name);
+            s.json({ ok });
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
+    r.post("/config", (q, s) => {
+        try {
+            const current = gw.config();
+            const next = mergeConfig(current, q.body);
+            const parsed = ConfigSchema.parse(next);
+            const saved = gw.saveConfig(parsed);
+            s.json(saved);
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
     r.get("/agents", async (_q, s) => s.json(await gw.agents.list()));
+    r.post("/agents/:name/enable", async (q, s) => setAgentEnabled(gw, q.params.name, true, s));
+    r.post("/agents/:name/disable", async (q, s) => setAgentEnabled(gw, q.params.name, false, s));
+    r.post("/agents/run", async (q, s) => {
+        try {
+            const { agent, projectId, task, mode } = q.body ?? {};
+            if (!agent || !projectId || !task) {
+                s.status(400).json({ error: "agent, projectId and task are required." });
+                return;
+            }
+            if (mode === "execute") {
+                s.json(await gw.agents.startTask(agent, projectId, task));
+            }
+            else {
+                s.json(await gw.agents.plan(agent, projectId, task));
+            }
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
+    r.get("/agents/tasks", (_q, s) => s.json(gw.agents.listTasks()));
+    r.get("/agents/tasks/:id/logs", (q, s) => {
+        try {
+            s.json({ logs: gw.agents.getLogs(q.params.id) });
+        }
+        catch (e) {
+            s.status(404).json({ error: e.message });
+        }
+    });
+    r.post("/agents/tasks/:id/stop", (q, s) => {
+        try {
+            s.json(gw.agents.stopTask(q.params.id));
+        }
+        catch (e) {
+            s.status(404).json({ error: e.message });
+        }
+    });
+    r.get("/mcp-servers", (_q, s) => {
+        const servers = gw.config().mcpServers;
+        s.json(Object.entries(servers).map(([name, cfg]) => ({
+            name,
+            command: cfg.command,
+            args: cfg.args,
+            transport: cfg.transport,
+            enabled: cfg.enabled,
+        })));
+    });
+    r.post("/mcp-servers", (q, s) => {
+        try {
+            const { name, command, args, enabled } = q.body ?? {};
+            if (!name || !command) {
+                s.status(400).json({ error: "name and command are required." });
+                return;
+            }
+            const cfg = gw.config();
+            const argList = Array.isArray(args) ? args : typeof args === "string" && args.trim() ? args.trim().split(/\s+/) : [];
+            gw.saveConfig({
+                ...cfg,
+                mcpServers: {
+                    ...cfg.mcpServers,
+                    [name]: { command, args: argList, transport: "stdio", enabled: enabled !== false },
+                },
+            });
+            s.json({ ok: true });
+        }
+        catch (e) {
+            s.status(400).json({ error: e.message });
+        }
+    });
+    r.delete("/mcp-servers/:name", (q, s) => {
+        const cfg = gw.config();
+        if (!cfg.mcpServers[q.params.name]) {
+            s.status(404).json({ error: `Unknown MCP server: ${q.params.name}` });
+            return;
+        }
+        const next = { ...cfg.mcpServers };
+        delete next[q.params.name];
+        gw.saveConfig({ ...cfg, mcpServers: next });
+        s.json({ removed: true });
+    });
+    r.post("/mcp-servers/:name/enable", (q, s) => setMcpServerEnabled(gw, q.params.name, true, s));
+    r.post("/mcp-servers/:name/disable", (q, s) => setMcpServerEnabled(gw, q.params.name, false, s));
+    r.post("/mcp-servers/:name/test", async (q, s) => {
+        try {
+            const tools = await gw.bridge.listTools(q.params.name);
+            s.json({ ok: true, tools: tools.map((t) => t.name) });
+        }
+        catch (e) {
+            s.json({ ok: false, reason: e.message });
+        }
+    });
+    r.get("/tunnel", (_q, s) => s.json(gw.tunnel.current()));
+    r.post("/tunnel/test", async (_q, s) => {
+        const t = gw.tunnel.current();
+        if (!t.url) {
+            s.json({ reachable: false, reason: "No tunnel URL — start the tunnel first." });
+            return;
+        }
+        const target = `${t.url.replace(/\/$/, "")}/healthz`;
+        const started = Date.now();
+        try {
+            const ctrl = new AbortController();
+            const timer = setTimeout(() => ctrl.abort(), 8000);
+            const resp = await fetch(target, { signal: ctrl.signal, redirect: "manual" });
+            clearTimeout(timer);
+            s.json({ reachable: resp.ok, status: resp.status, ms: Date.now() - started, url: target });
+        }
+        catch (e) {
+            s.json({ reachable: false, ms: Date.now() - started, url: target, reason: e.message });
+        }
+    });
+    r.post("/tunnel/restart", async (_q, s) => {
+        try {
+            s.json(await gw.restartTunnel());
+        }
+        catch (e) {
+            s.status(500).json({ error: e.message });
+        }
+    });
+    r.post("/tunnel/stop", (_q, s) => {
+        gw.tunnel.stop();
+        s.json(gw.tunnel.current());
+    });
+    r.post("/tunnel/start", async (_q, s) => {
+        try {
+            s.json(await gw.tunnel.start(gw.gatewayPort()));
+        }
+        catch (e) {
+            s.status(500).json({ error: e.message });
+        }
+    });
     app.use("/api", r);
 }
+/** Toggle a coding agent's `enabled` flag in config; 404 if the agent is unknown. */
+async function setAgentEnabled(gw, name, enabled, s) {
+    const cfg = gw.config();
+    const agent = cfg.codingAgents[name];
+    if (!agent) {
+        s.status(404).json({ error: `Unknown coding agent: ${name}` });
+        return;
+    }
+    gw.saveConfig({
+        ...cfg,
+        codingAgents: { ...cfg.codingAgents, [name]: { ...agent, enabled } },
+    });
+    s.json(await gw.agents.list());
+}
+/** Toggle a downstream MCP server's `enabled` flag in config; 404 if unknown. */
+function setMcpServerEnabled(gw, name, enabled, s) {
+    const cfg = gw.config();
+    const server = cfg.mcpServers[name];
+    if (!server) {
+        s.status(404).json({ error: `Unknown MCP server: ${name}` });
+        return;
+    }
+    gw.saveConfig({
+        ...cfg,
+        mcpServers: { ...cfg.mcpServers, [name]: { ...server, enabled } },
+    });
+    s.json({ ok: true, enabled });
+}
+function mergeConfig(current, update) {
+    const next = { ...current };
+    for (const key of Object.keys(update)) {
+        if (update[key] !== null && typeof update[key] === "object" && !Array.isArray(update[key])) {
+            next[key] = mergeConfig(next[key] || {}, update[key]);
+        }
+        else {
+            next[key] = update[key];
+        }
+    }
+    return next;
+}
 function listen(app, port, host) {
     return new Promise((resolve, reject) => {
         const server = http.createServer(app);
@@ -135,4 +638,25 @@ function listen(app, port, host) {
         server.listen(port, host, () => resolve(server));
     });
 }
+function getZodTypeString(f) {
+    if (!f || !f._def)
+        return "unknown";
+    const typeName = f._def.typeName;
+    if (typeName === "ZodOptional") {
+        return `${getZodTypeString(f._def.innerType)} (optional)`;
+    }
+    if (typeName === "ZodNullable") {
+        return `${getZodTypeString(f._def.innerType)} (nullable)`;
+    }
+    if (typeName === "ZodArray") {
+        return `${getZodTypeString(f._def.type)}[]`;
+    }
+    if (typeName === "ZodEnum") {
+        return `enum (${f._def.values.join(" | ")})`;
+    }
+    if (typeName === "ZodEffects") {
+        return getZodTypeString(f._def.schema);
+    }
+    return typeName.replace(/^Zod/, "").toLowerCase();
+}
 //# sourceMappingURL=http-server.js.map