meshy-node 0.0.6 → 0.0.7

package/main.cjs

@@ -22771,9 +22771,11 @@ __export(main_exports, {
   DEFAULT_CONFIG: () => DEFAULT_CONFIG3,
   DEFAULT_NODE_NAME: () => DEFAULT_NODE_NAME,
   DEFAULT_NODE_PORT: () => DEFAULT_NODE_PORT,
+  applyStartMetadata: () => applyStartMetadata,
   createDefaultConfig: () => createDefaultConfig,
   createRuntimeDefaultConfig: () => createRuntimeDefaultConfig,
   formatBanner: () => formatBanner,
+  formatLoadedStartMetadata: () => formatLoadedStartMetadata,
   getDefaultNodeName: () => getDefaultNodeName,
   isDirectRunPath: () => isDirectRunPath,
   loadConfigFile: () => loadConfigFile,
@@ -22781,12 +22783,12 @@ __export(main_exports, {
   mergeConfig: () => mergeConfig,
   parseArgs: () => parseArgs,
   promptStartOptions: () => promptStartOptions,
+  resolveRuntimeAuthMetadata: () => resolveRuntimeAuthMetadata,
+  shouldCollectStartOptions: () => shouldCollectStartOptions,
   shouldPromptForStartOptions: () => shouldPromptForStartOptions
 });
 module.exports = __toCommonJS(main_exports);
-var fs16 = __toESM(require("fs"), 1);
 var nodePath = __toESM(require("path"), 1);
-var readline = __toESM(require("readline/promises"), 1);
 
 // ../../packages/core/src/logger.ts
 var fs = __toESM(require("fs"), 1);
@@ -22810,18 +22812,19 @@ function hourlyFolder(date) {
 var FileWriter = class {
   constructor(logDir, component, clock) {
     this.logDir = logDir;
-    this.component = component;
     this.clock = clock;
+    this.fileName = component.replace(/[/\\]/g, "-");
   }
   currentFolder = "";
   currentStream = null;
+  fileName;
   write(chunk) {
     const folder = hourlyFolder(this.clock());
     if (folder !== this.currentFolder) {
       this.currentStream?.end();
       const dir = path.join(this.logDir, folder);
       fs.mkdirSync(dir, { recursive: true });
-      const filePath = path.join(dir, `${this.component}.log`);
+      const filePath = path.join(dir, `${this.fileName}.log`);
       this.currentStream = fs.createWriteStream(filePath, { flags: "a" });
       this.currentFolder = folder;
     }
@@ -22856,6 +22859,12 @@ var MeshyLogger = class _MeshyLogger {
     this.log("error", msg, data);
   }
   child(component) {
+    if (this.state.logDir) {
+      const fileWriter = new FileWriter(this.state.logDir, component, this.state.clock);
+      const writer = this.state.consoleEnabled ? new MultiWriter([process.stdout, fileWriter]) : fileWriter;
+      const childState = { ...this.state, writer };
+      return new _MeshyLogger(childState, component);
+    }
     return new _MeshyLogger(this.state, component);
   }
   log(level, msg, data) {
@@ -22912,7 +22921,9 @@ function createLogger(options = {}) {
     level: options.level ?? "info",
     nodeId: options.nodeId,
     clock,
-    writer
+    writer,
+    logDir: options.logDir,
+    consoleEnabled: options.console
   };
   return new MeshyRootLogger(state, options.component);
 }
@@ -22996,10 +23007,14 @@ function getTaskInitialMessageContent(task) {
   return normalizeTaskUserMessageContent(task.description || task.title);
 }
 
+// ../../packages/core/src/azure-cli-auth.ts
+var import_node_child_process = require("child_process");
+
 // ../../packages/core/src/node-metadata.ts
 var fs2 = __toESM(require("fs"), 1);
 var os = __toESM(require("os"), 1);
 var path2 = __toESM(require("path"), 1);
+var STARTUP_TRANSPORTS = /* @__PURE__ */ new Set(["direct", "devtunnel", "tailscale"]);
 function getDeviceNodeName() {
   return os.hostname();
 }
@@ -23026,8 +23041,59 @@ function writeNodeMetadata(storagePath, metadata) {
   fs2.mkdirSync(storagePath, { recursive: true });
   fs2.writeFileSync(metadataPath, JSON.stringify(metadata, null, 2) + "\n", "utf-8");
 }
+function normalizeAllowedUsers(allowedUsers) {
+  if (!Array.isArray(allowedUsers)) {
+    return [];
+  }
+  const unique = /* @__PURE__ */ new Set();
+  for (const user of allowedUsers) {
+    if (typeof user !== "string") continue;
+    const normalized = user.trim().toLowerCase();
+    if (normalized.length > 0) {
+      unique.add(normalized);
+    }
+  }
+  return [...unique];
+}
+function normalizeAuthMetadata(auth) {
+  return {
+    enabled: auth?.enabled === true,
+    allowSameTenant: auth?.allowSameTenant === true,
+    allowedUsers: normalizeAllowedUsers(auth?.allowedUsers)
+  };
+}
+function normalizePositiveInteger(value) {
+  if (typeof value !== "number" || !Number.isInteger(value) || value <= 0) {
+    return void 0;
+  }
+  return value;
+}
+function normalizeString(value) {
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : void 0;
+}
+function normalizeStartupTransport(value) {
+  return typeof value === "string" && STARTUP_TRANSPORTS.has(value) ? value : void 0;
+}
+function normalizeStartupMetadata(startup) {
+  return {
+    port: normalizePositiveInteger(startup?.port),
+    transport: normalizeStartupTransport(startup?.transport),
+    join: normalizeString(startup?.join),
+    workDir: normalizeString(startup?.workDir)
+  };
+}
+function hasStartupValues(startup) {
+  return startup.port !== void 0 || startup.transport !== void 0 || startup.join !== void 0 || startup.workDir !== void 0;
+}
+function resolvePersistedDefaultNodeName(storagePath) {
+  return normalizeString(readNodeMetadata(storagePath).defaultNodeName);
+}
 function resolveDefaultNodeName(storagePath, deviceName = getDeviceNodeName()) {
-  const preferredName = readNodeMetadata(storagePath).defaultNodeName?.trim();
+  const preferredName = resolvePersistedDefaultNodeName(storagePath);
   return preferredName && preferredName.length > 0 ? preferredName : deviceName;
 }
 function persistDefaultNodeName(storagePath, name, deviceName = getDeviceNodeName()) {
@@ -23040,6 +23106,46 @@ function persistDefaultNodeName(storagePath, name, deviceName = getDeviceNodeNam
   }
   writeNodeMetadata(storagePath, metadata);
 }
+function resolveNodeAuthMetadata(storagePath) {
+  return normalizeAuthMetadata(readNodeMetadata(storagePath).auth);
+}
+function resolveNodeStartupMetadata(storagePath) {
+  return normalizeStartupMetadata(readNodeMetadata(storagePath).startup);
+}
+function hasPersistedNodeStartupMetadata(storagePath) {
+  return hasStartupValues(resolveNodeStartupMetadata(storagePath));
+}
+function persistNodeAuthMetadata(storagePath, auth) {
+  const metadata = readNodeMetadata(storagePath);
+  const normalized = normalizeAuthMetadata(auth);
+  if (!normalized.enabled && !normalized.allowSameTenant && normalized.allowedUsers.length === 0) {
+    delete metadata.auth;
+  } else {
+    metadata.auth = {
+      enabled: normalized.enabled,
+      allowSameTenant: normalized.allowSameTenant,
+      allowedUsers: normalized.allowedUsers
+    };
+  }
+  writeNodeMetadata(storagePath, metadata);
+}
+function persistNodeStartupMetadata(storagePath, startup) {
+  const metadata = readNodeMetadata(storagePath);
+  const normalized = normalizeStartupMetadata(startup);
+  if (!hasStartupValues(normalized)) {
+    delete metadata.startup;
+  } else {
+    metadata.startup = normalized;
+  }
+  writeNodeMetadata(storagePath, metadata);
+}
+function persistNodeStartupTransport(storagePath, transport) {
+  const startup = resolveNodeStartupMetadata(storagePath);
+  persistNodeStartupMetadata(storagePath, {
+    ...startup,
+    transport
+  });
+}
 function resolvePersistedDevTunnelId(storagePath, kind) {
   return readNodeMetadata(storagePath).devTunnelIds?.[kind]?.trim() || void 0;
 }
@@ -23072,6 +23178,246 @@ function resolveOrCreateDevTunnelId(storagePath, nodeId, kind) {
   return generatedId;
 }
 
+// ../../packages/core/src/azure-cli-auth.ts
+var DEFAULT_AZ_RESOURCE = process.env.MESHY_AZ_TOKEN_RESOURCE?.trim() || "https://management.azure.com/";
+var TOKEN_REFRESH_SKEW_MS = 6e4;
+function summarizeClaims(claims) {
+  return {
+    tid: claims.tid,
+    oid: claims.oid,
+    preferred_username: claims.preferred_username,
+    upn: claims.upn,
+    email: claims.email,
+    aud: claims.aud
+  };
+}
+function decodeAzureCliJwtClaims(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) {
+    throw new Error("Token is not a JWT");
+  }
+  const payload = parts[1];
+  if (!payload) {
+    throw new Error("JWT payload is empty");
+  }
+  const normalized = payload.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(payload.length / 4) * 4, "=");
+  const parsed = JSON.parse(Buffer.from(normalized, "base64").toString("utf-8"));
+  if (!parsed || typeof parsed !== "object") {
+    throw new Error("JWT payload is not an object");
+  }
+  return parsed;
+}
+function normalizeIdentityValue(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim().toLowerCase() : void 0;
+}
+function getIdentityValues(claims) {
+  const values = /* @__PURE__ */ new Set();
+  for (const candidate of [
+    claims.oid,
+    claims.preferred_username,
+    claims.upn,
+    claims.email,
+    claims.unique_name,
+    claims.sub
+  ]) {
+    const normalized = normalizeIdentityValue(candidate);
+    if (normalized) {
+      values.add(normalized);
+    }
+  }
+  return values;
+}
+function parseExpiry(value) {
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return value > 1e10 ? value : value * 1e3;
+  }
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (trimmed.length === 0) {
+      throw new Error("expiresOn is empty");
+    }
+    if (/^\d+$/.test(trimmed)) {
+      const numeric = Number(trimmed);
+      return numeric > 1e10 ? numeric : numeric * 1e3;
+    }
+    const parsed = Date.parse(trimmed);
+    if (!Number.isNaN(parsed)) {
+      return parsed;
+    }
+  }
+  throw new Error("Unable to parse Azure CLI token expiry");
+}
+function getAzureCliCommandInvocation(command, args, platform = process.platform) {
+  if (platform !== "win32") {
+    return { command, args };
+  }
+  return {
+    command,
+    args,
+    shell: true
+  };
+}
+function defaultCommandRunner(command, args) {
+  const invocation = getAzureCliCommandInvocation(command, args);
+  const result = (0, import_node_child_process.spawnSync)(invocation.command, invocation.args, {
+    encoding: "utf-8",
+    stdio: ["ignore", "pipe", "pipe"],
+    shell: invocation.shell
+  });
+  if (result.error) {
+    throw result.error;
+  }
+  if (result.status !== 0) {
+    const message = result.stderr?.trim() || `Azure CLI command exited with code ${result.status}`;
+    throw new Error(message);
+  }
+  return result.stdout;
+}
+var AzureCliNodeAuth = class {
+  constructor(storagePath, options = {}) {
+    this.storagePath = storagePath;
+    this.runCommand = options.commandRunner ?? defaultCommandRunner;
+    this.log = options.logger ?? { debug() {
+    }, info() {
+    }, warn() {
+    }, error() {
+    }, child() {
+      return this;
+    } };
+    this.resource = options.resource?.trim() || DEFAULT_AZ_RESOURCE;
+    this.settingsProvider = options.settingsProvider;
+  }
+  runCommand;
+  log;
+  resource;
+  settingsProvider;
+  cachedToken = null;
+  getSettings() {
+    return this.settingsProvider?.() ?? resolveNodeAuthMetadata(this.storagePath);
+  }
+  isEnabled() {
+    return this.getSettings().enabled;
+  }
+  getAuthorizationHeaders() {
+    if (!this.isEnabled()) {
+      return {};
+    }
+    const token = this.getAccessToken();
+    return {
+      authorization: `Bearer ${token.accessToken}`
+    };
+  }
+  validateAuthorizationHeader(header) {
+    if (!this.isEnabled()) {
+      return { ok: true, reason: "disabled" };
+    }
+    if (typeof header !== "string") {
+      return { ok: false, reason: "missing" };
+    }
+    const token = header.startsWith("Bearer ") ? header.slice("Bearer ".length).trim() : "";
+    if (!token) {
+      return { ok: false, reason: "missing" };
+    }
+    let peerClaims;
+    try {
+      peerClaims = decodeAzureCliJwtClaims(token);
+    } catch {
+      return { ok: false, reason: "invalid" };
+    }
+    const local = this.getAccessToken();
+    const settings = this.getSettings();
+    if (isPeerIdentityAllowed(peerClaims, local.claims, settings)) {
+      return {
+        ok: true,
+        reason: "match",
+        localClaims: local.claims,
+        peerClaims
+      };
+    }
+    return {
+      ok: false,
+      reason: "mismatch",
+      localClaims: local.claims,
+      peerClaims
+    };
+  }
+  getAccessToken() {
+    if (this.cachedToken && this.cachedToken.expiresAtMs - TOKEN_REFRESH_SKEW_MS > Date.now()) {
+      this.log.debug("using cached azure cli access token", {
+        resource: this.resource,
+        expiresAt: new Date(this.cachedToken.expiresAtMs).toISOString(),
+        expiresInMs: this.cachedToken.expiresAtMs - Date.now(),
+        claims: summarizeClaims(this.cachedToken.claims)
+      });
+      return this.cachedToken;
+    }
+    this.log.info("requesting azure cli access token", {
+      resource: this.resource,
+      cachedTokenPresent: this.cachedToken !== null
+    });
+    let raw;
+    try {
+      raw = this.runCommand("az", [
+        "account",
+        "get-access-token",
+        "--resource",
+        this.resource,
+        "--output",
+        "json"
+      ]);
+    } catch (error) {
+      this.log.error("failed to execute az account get-access-token", {
+        resource: this.resource,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.accessToken !== "string" || parsed.accessToken.trim().length === 0) {
+      this.log.error("azure cli token response did not include accessToken", {
+        resource: this.resource
+      });
+      throw new Error("Azure CLI did not return accessToken");
+    }
+    const expiresAtMs = parseExpiry(parsed.expiresOn ?? parsed.expires_on);
+    const claims = decodeAzureCliJwtClaims(parsed.accessToken);
+    this.cachedToken = {
+      accessToken: parsed.accessToken,
+      expiresAtMs,
+      claims
+    };
+    this.log.info("received azure cli access token", {
+      resource: this.resource,
+      expiresAt: new Date(expiresAtMs).toISOString(),
+      expiresInMs: expiresAtMs - Date.now(),
+      claims: summarizeClaims(claims)
+    });
+    return this.cachedToken;
+  }
+};
+function isPeerIdentityAllowed(peerClaims, localClaims, settings) {
+  const peerIdentities = getIdentityValues(peerClaims);
+  const localIdentities = getIdentityValues(localClaims);
+  for (const identity of peerIdentities) {
+    if (localIdentities.has(identity)) {
+      return true;
+    }
+  }
+  for (const allowedUser of settings.allowedUsers) {
+    if (peerIdentities.has(allowedUser)) {
+      return true;
+    }
+  }
+  if (settings.allowSameTenant) {
+    const peerTenant = normalizeIdentityValue(peerClaims.tid);
+    const localTenant = normalizeIdentityValue(localClaims.tid);
+    if (peerTenant && localTenant && peerTenant === localTenant) {
+      return true;
+    }
+  }
+  return false;
+}
+
 // ../../packages/core/src/file-store.ts
 var fs3 = __toESM(require("fs"), 1);
 var path3 = __toESM(require("path"), 1);
@@ -23516,6 +23862,7 @@ function parseNodeInfo(value) {
     lastHeartbeat: value.lastHeartbeat,
     transportType: typeof value.transportType === "string" ? value.transportType : void 0,
     devtunnelEndpoint: typeof value.devtunnelEndpoint === "string" ? value.devtunnelEndpoint : void 0,
+    dashboardOrigin: typeof value.dashboardOrigin === "string" ? value.dashboardOrigin : void 0,
     previewOrigin: typeof value.previewOrigin === "string" ? value.previewOrigin : void 0
   };
 }
@@ -23595,6 +23942,38 @@ var EventBus = class {
   }
 };
 
+// ../../packages/core/src/request-auth.ts
+var requestAuthHeadersProvider = null;
+function normalizeHeaders(headers) {
+  if (!headers) {
+    return {};
+  }
+  if (headers instanceof Headers) {
+    return Object.fromEntries(headers.entries());
+  }
+  if (Array.isArray(headers)) {
+    return Object.fromEntries(headers);
+  }
+  return Object.fromEntries(
+    Object.entries(headers).flatMap(
+      ([key, value]) => value === void 0 ? [] : [[key, String(value)]]
+    )
+  );
+}
+function setRequestAuthHeadersProvider(provider) {
+  requestAuthHeadersProvider = provider;
+}
+function applyRequestAuthHeaders(init = {}) {
+  const headers = normalizeHeaders(init.headers);
+  if (!Object.keys(headers).some((key) => key.toLowerCase() === "authorization") && requestAuthHeadersProvider) {
+    Object.assign(headers, requestAuthHeadersProvider());
+  }
+  return {
+    ...init,
+    headers
+  };
+}
+
 // ../../packages/core/src/node-endpoints.ts
 var DEFAULT_NODE_REQUEST_TIMEOUT_MS = 1500;
 function getNodePublicEndpoint(node) {
@@ -23623,10 +24002,10 @@ function createRequestSignal(signal, timeoutMs) {
 async function fetchWithTimeout(url, init, timeoutMs = DEFAULT_NODE_REQUEST_TIMEOUT_MS) {
   const { cleanup, signal } = createRequestSignal(init?.signal, timeoutMs);
   try {
-    return await fetch(url, {
+    return await fetch(url, applyRequestAuthHeaders({
       ...init,
       signal
-    });
+    }));
   } finally {
     cleanup();
   }
@@ -23746,6 +24125,24 @@ var NodeRegistry = class {
       }
     }
   }
+  updateDashboardOrigin(id, dashboardOrigin) {
+    const node = this.nodes.get(id);
+    if (node) {
+      if (dashboardOrigin) {
+        node.dashboardOrigin = dashboardOrigin;
+      } else {
+        delete node.dashboardOrigin;
+      }
+      this.store.upsertNode(node);
+    }
+    if (this.selfNode && this.selfNode.id === id) {
+      if (dashboardOrigin) {
+        this.selfNode.dashboardOrigin = dashboardOrigin;
+      } else {
+        delete this.selfNode.dashboardOrigin;
+      }
+    }
+  }
   updatePreviewOrigin(id, previewOrigin) {
     const node = this.nodes.get(id);
     if (node) {
@@ -24000,11 +24397,11 @@ var LeaderElection = class {
     const announcePromises = onlineNodes.map(async (node) => {
       try {
         const endpoint = getNodePublicEndpoint(node);
-        await fetch(`${endpoint}/api/worker/announce`, {
+        await fetch(`${endpoint}/api/worker/announce`, applyRequestAuthHeaders({
           method: "POST",
           headers: { "Content-Type": "application/json" },
           body: JSON.stringify({ leaderId, term })
-        });
+        }));
       } catch {
       }
     });
@@ -24782,6 +25179,7 @@ var HeartbeatMonitor = class {
           this.nodeRegistry.updateHeartbeat(node.id, Date.now());
           this.nodeRegistry.updateLoad(node.id, result.load);
           this.applyReportedDevTunnelState(node.id, result.devtunnelEnabled, result.devtunnelEndpoint);
+          this.nodeRegistry.updateDashboardOrigin(node.id, result.dashboardOrigin);
           this.nodeRegistry.updatePreviewOrigin(node.id, result.previewOrigin);
           if (result.workDirFolders) {
             this.nodeRegistry.updateFolders(node.id, result.workDirFolders);
@@ -24825,6 +25223,7 @@ var HeartbeatMonitor = class {
       load: 0,
       devtunnelEnabled: self.devtunnelEndpoint !== void 0,
       devtunnelEndpoint: self.devtunnelEndpoint,
+      dashboardOrigin: self.dashboardOrigin,
       previewOrigin: self.previewOrigin,
       workDirFolders: self.workDir ? listWorkDirFolders(self.workDir) : void 0
     };
@@ -24842,6 +25241,7 @@ var HeartbeatMonitor = class {
       workDir,
       devtunnelEnabled,
       devtunnelEndpoint,
+      dashboardOrigin,
       previewOrigin,
       workDirFolders
     } = req;
@@ -24867,6 +25267,7 @@ var HeartbeatMonitor = class {
         ...transportType ? { transportType } : {},
         ...workDir ? { workDir } : {},
         ...devtunnelEnabled && devtunnelEndpoint ? { devtunnelEndpoint } : {},
+        ...dashboardOrigin ? { dashboardOrigin } : {},
         ...previewOrigin ? { previewOrigin } : {},
         ...workDirFolders ? { workDirFolders } : {}
       });
@@ -24900,6 +25301,7 @@ var HeartbeatMonitor = class {
     }
     this.nodeRegistry.updateLoad(nodeId, load);
     this.applyReportedDevTunnelState(nodeId, devtunnelEnabled, devtunnelEndpoint);
+    this.nodeRegistry.updateDashboardOrigin(nodeId, dashboardOrigin);
     this.nodeRegistry.updatePreviewOrigin(nodeId, previewOrigin);
     if (workDirFolders) {
       this.nodeRegistry.updateFolders(nodeId, workDirFolders);
@@ -24947,15 +25349,16 @@ var HeartbeatMonitor = class {
       workDir: self.workDir,
       devtunnelEnabled: self.devtunnelEndpoint !== void 0,
       devtunnelEndpoint: self.devtunnelEndpoint,
+      dashboardOrigin: self.dashboardOrigin,
       previewOrigin: self.previewOrigin,
       workDirFolders: self.workDir ? listWorkDirFolders(self.workDir) : void 0
     };
     try {
-      const response = await fetch(`${leaderEndpoint}/api/worker/keepalive`, {
+      const response = await fetch(`${leaderEndpoint}/api/worker/keepalive`, applyRequestAuthHeaders({
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(request)
-      });
+      }));
       if (response.ok) {
         const result = await response.json();
         this.log.debug("keepalive ok", { nodes: result.clusterState.nodes.length });
@@ -25125,11 +25528,11 @@ var HeartbeatMonitor = class {
       }
     }
     try {
-      const res = await fetch(`${leaderEndpoint}/api/worker/control-response`, {
+      const res = await fetch(`${leaderEndpoint}/api/worker/control-response`, applyRequestAuthHeaders({
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(response)
-      });
+      }));
       if (!res.ok) {
         this.log.warn("leader rejected control response", {
           requestId: request.requestId,
@@ -25219,12 +25622,12 @@ var DataRouter = class {
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), this.config.proxyTimeout);
     try {
-      const response = await fetch(targetUrl, {
+      const response = await fetch(targetUrl, applyRequestAuthHeaders({
         method,
         headers: forwardHeaders,
         body,
         signal: controller.signal
-      });
+      }));
       const responseHeaders = {};
       response.headers.forEach((value, key) => {
         responseHeaders[key] = value;
@@ -25418,11 +25821,11 @@ function forwardLeaderTaskPatch(log, nodeRegistry, taskId, data, options) {
     log.warn(options.missingLeaderMessage, metadata);
     return;
   }
-  fetch(`${leaderEndpoint}/api/tasks/${taskId}`, {
+  fetch(`${leaderEndpoint}/api/tasks/${taskId}`, applyRequestAuthHeaders({
     method: "PATCH",
     headers: { "Content-Type": "application/json" },
     body: JSON.stringify(buildLeaderTaskPatch(data))
-  }).then((response) => {
+  })).then((response) => {
     if (!response.ok) {
       log.warn(options.rejectedMessage, {
         ...metadata,
@@ -25469,11 +25872,11 @@ function forwardTaskOutputToLeader(log, nodeRegistry, taskId, event) {
     });
     return;
   }
-  fetch(`${leaderEndpoint}/api/worker/output`, {
+  fetch(`${leaderEndpoint}/api/worker/output`, applyRequestAuthHeaders({
     method: "POST",
     headers: { "Content-Type": "application/json" },
     body: JSON.stringify({ taskId, event })
-  }).then((response) => {
+  })).then((response) => {
     if (!response.ok) {
       log.warn("leader rejected forwarded output", {
         taskId,
@@ -25541,7 +25944,7 @@ function registerLeaderForwarding(eventBus, nodeRegistry, log, taskId, agent) {
 // ../../packages/core/src/engines/claude-code-engine.ts
 var fs7 = __toESM(require("fs"), 1);
 var path7 = __toESM(require("path"), 1);
-var import_node_child_process = require("child_process");
+var import_node_child_process2 = require("child_process");
 function resolveClaudeInvocation() {
   if (process.platform !== "win32") {
     return { command: "claude", argsPrefix: [] };
@@ -25603,7 +26006,7 @@ var ClaudeCodeEngine = class extends ExecutionEngine {
     this.ensureLogDir();
     this.logger.info("Spawning claude CLI", { taskId: task.id, title: task.title, cwd });
     const invocation = resolveClaudeInvocation();
-    const proc = (0, import_node_child_process.spawn)(invocation.command, [...invocation.argsPrefix, ...args], {
+    const proc = (0, import_node_child_process2.spawn)(invocation.command, [...invocation.argsPrefix, ...args], {
       cwd,
       stdio: ["pipe", "pipe", "pipe"]
     });
@@ -25713,7 +26116,7 @@ var ClaudeCodeEngine = class extends ExecutionEngine {
       "stream-json"
     ];
     const invocation = resolveClaudeInvocation();
-    const proc = (0, import_node_child_process.spawn)(invocation.command, [...invocation.argsPrefix, ...args], {
+    const proc = (0, import_node_child_process2.spawn)(invocation.command, [...invocation.argsPrefix, ...args], {
       cwd: session.cwd,
       stdio: ["pipe", "pipe", "pipe"]
     });
@@ -25848,7 +26251,7 @@ var ClaudeCodeEngine = class extends ExecutionEngine {
 // ../../packages/core/src/engines/codex-engine.ts
 var fs8 = __toESM(require("fs"), 1);
 var path8 = __toESM(require("path"), 1);
-var import_node_child_process2 = require("child_process");
+var import_node_child_process3 = require("child_process");
 function buildAssistantEvent(text, timestamp = (/* @__PURE__ */ new Date()).toISOString()) {
   return {
     type: "assistant",
@@ -25907,7 +26310,7 @@ var CodexEngine = class extends ExecutionEngine {
     const args = this.buildArgs(prompt, imagePaths, { model: config.model });
     this.ensureLogDir();
     this.logger.info("Spawning codex CLI", { taskId: task.id, title: task.title, cwd });
-    const proc = (0, import_node_child_process2.spawn)("codex", args, {
+    const proc = (0, import_node_child_process3.spawn)("codex", args, {
       cwd,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -25934,7 +26337,7 @@ var CodexEngine = class extends ExecutionEngine {
     const { prompt, imagePaths } = this.prepareAssets(taskId, content);
     const args = this.buildArgs(prompt, imagePaths, { model, sessionId: session.sessionId });
     this.logger.info("Sending Codex follow-up message", { taskId, sessionId: session.sessionId });
-    const proc = (0, import_node_child_process2.spawn)("codex", args, {
+    const proc = (0, import_node_child_process3.spawn)("codex", args, {
       cwd: session.cwd,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -26300,11 +26703,11 @@ ${joinErrors.map((e) => `  - ${e}`).join("\n")}`
     if (this.selfInfo.devtunnelEndpoint) {
       joinBody.devtunnelEndpoint = this.selfInfo.devtunnelEndpoint;
     }
-    const response = await fetch(`${seedUrl}/api/cluster/join`, {
+    const response = await fetch(`${seedUrl}/api/cluster/join`, applyRequestAuthHeaders({
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify(joinBody)
-    });
+    }));
     if (!response.ok) {
       const body = await response.json?.().catch(() => null);
       if (body?.error?.code === "NOT_LEADER") {
@@ -26326,11 +26729,11 @@ ${joinErrors.map((e) => `  - ${e}`).join("\n")}`
       return;
     }
     try {
-      await fetch(`${leaderEndpoint}/api/cluster/leave`, {
+      await fetch(`${leaderEndpoint}/api/cluster/leave`, applyRequestAuthHeaders({
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ nodeId: self.id })
-      });
+      }));
     } catch {
     }
     const refreshedSelf = {
@@ -26355,11 +26758,11 @@ ${joinErrors.map((e) => `  - ${e}`).join("\n")}`
     try {
       const leaderEndpoint = this.nodeRegistry.getLeaderEndpoint();
       if (leaderEndpoint) {
-        await fetch(`${leaderEndpoint}/api/cluster/leave`, {
+        await fetch(`${leaderEndpoint}/api/cluster/leave`, applyRequestAuthHeaders({
           method: "POST",
           headers: { "Content-Type": "application/json" },
           body: JSON.stringify({ nodeId: this.selfInfo.id })
-        });
+        }));
       }
     } catch {
     }
@@ -26440,11 +26843,11 @@ ${joinErrors.map((e) => `  - ${e}`).join("\n")}`
       const leaderEndpoint = this.nodeRegistry.getLeaderEndpoint();
       if (leaderEndpoint && !this.nodeRegistry.isLeader()) {
         try {
-          await fetch(`${leaderEndpoint}/api/nodes/${this.selfInfo.id}`, {
+          await fetch(`${leaderEndpoint}/api/nodes/${this.selfInfo.id}`, applyRequestAuthHeaders({
             method: "PATCH",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify({ endpoint: newEndpoint })
-          });
+          }));
         } catch {
         }
       }
@@ -30752,6 +31155,7 @@ var NodeInfoSchema = external_exports.object({
   lastHeartbeat: external_exports.number(),
   transportType: external_exports.string().optional(),
   devtunnelEndpoint: external_exports.string().optional(),
+  dashboardOrigin: external_exports.string().optional(),
   previewOrigin: external_exports.string().optional()
 });
 var JoinTaskSchema = external_exports.object({
@@ -30821,6 +31225,7 @@ var NodeInfoSchema2 = external_exports.object({
   lastHeartbeat: external_exports.number(),
   transportType: external_exports.string().optional(),
   devtunnelEndpoint: external_exports.string().optional(),
+  dashboardOrigin: external_exports.string().optional(),
   previewOrigin: external_exports.string().optional()
 });
 var NodeListQuery = external_exports.object({
@@ -30947,13 +31352,113 @@ var import_express7 = __toESM(require_express2(), 1);
 
 // ../../packages/api/src/middleware/auth.ts
 var SKIP_AUTH_PATHS = ["/api/system/health"];
+var TRUSTED_LOCAL_HOSTS = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "[::1]", "::1"]);
+function normalizeHost(value) {
+  if (!value) return void 0;
+  const trimmed = value.trim().toLowerCase();
+  if (!trimmed) return void 0;
+  return trimmed.replace(/:\d+$/, "");
+}
+function collectHosts(candidates) {
+  const unique = /* @__PURE__ */ new Set();
+  for (const candidate of candidates) {
+    if (!candidate) continue;
+    for (const item of candidate.split(",")) {
+      const normalized = normalizeHost(item);
+      if (normalized) {
+        unique.add(normalized);
+      }
+    }
+  }
+  return [...unique];
+}
+function getForwardedHosts(req) {
+  const forwardedHosts = collectHosts([
+    typeof req.headers["x-forwarded-host"] === "string" ? req.headers["x-forwarded-host"] : void 0
+  ]);
+  if (forwardedHosts.length > 0) {
+    return forwardedHosts;
+  }
+  const forwardedHeader = typeof req.headers.forwarded === "string" ? req.headers.forwarded : void 0;
+  if (!forwardedHeader) {
+    return [];
+  }
+  const forwardedMatches = [...forwardedHeader.matchAll(/host=([^;,\s]+)/gi)];
+  return collectHosts(forwardedMatches.map((match) => match[1]?.replace(/^"|"$/g, "")));
+}
+function getDirectHosts(req) {
+  return collectHosts([
+    req.hostname,
+    typeof req.headers.host === "string" ? req.headers.host : void 0
+  ]);
+}
+function getRequestHosts(req) {
+  const forwardedHosts = getForwardedHosts(req);
+  if (forwardedHosts.length > 0) {
+    return forwardedHosts;
+  }
+  return getDirectHosts(req);
+}
+function isTrustedDashboardRequest(req, config) {
+  const trustedHosts = new Set((config.getTrustedHosts?.() ?? []).map((host) => normalizeHost(host)).filter(Boolean));
+  for (const host of getRequestHosts(req)) {
+    if (TRUSTED_LOCAL_HOSTS.has(host) || trustedHosts.has(host)) {
+      return true;
+    }
+  }
+  return false;
+}
+function getAuthLogger(req) {
+  const logger = req.app?.locals?.deps?.logger;
+  if (logger && typeof logger.child === "function") {
+    return logger.child("api/auth");
+  }
+  return {
+    debug() {
+    },
+    warn() {
+    }
+  };
+}
 function createAuthMiddleware(config) {
   return (req, _res, next) => {
-    if (!config.apiKey) {
+    const log = getAuthLogger(req);
+    if (SKIP_AUTH_PATHS.includes(req.path)) {
       next();
       return;
     }
-    if (SKIP_AUTH_PATHS.includes(req.path)) {
+    if (config.validateBearerToken) {
+      if (isTrustedDashboardRequest(req, config)) {
+        log.debug("skipping bearer auth for trusted dashboard request", {
+          path: req.path,
+          method: req.method,
+          hosts: getRequestHosts(req)
+        });
+        next();
+        return;
+      }
+      const result = config.validateBearerToken(req.headers.authorization);
+      if (!result.ok) {
+        log.warn("rejected bearer-authenticated request", {
+          path: req.path,
+          method: req.method,
+          hosts: getRequestHosts(req),
+          reason: result.reason
+        });
+        throw new MeshyError("VALIDATION_ERROR", "Invalid or missing bearer token", 401, {
+          reason: result.reason
+        });
+      }
+      log.debug("accepted bearer-authenticated request", {
+        path: req.path,
+        method: req.method,
+        hosts: getRequestHosts(req),
+        reason: result.reason
+      });
+      next();
+      return;
+    }
+    if (!config.apiKey) {
       next();
       return;
     }
@@ -31645,10 +32150,10 @@ function readFileContent(root, relativePath) {
 }
 
 // ../../packages/api/src/output/git-diff.ts
-var import_node_child_process3 = require("child_process");
+var import_node_child_process4 = require("child_process");
 function git(args, cwd) {
   try {
-    return (0, import_node_child_process3.execFileSync)("git", ["-C", cwd, ...args], {
+    return (0, import_node_child_process4.execFileSync)("git", ["-C", cwd, ...args], {
       encoding: "utf-8",
       timeout: 1e4,
       stdio: ["pipe", "pipe", "pipe"]
@@ -31841,7 +32346,8 @@ async function executeWorkerControlRequest(deps, request) {
           return jsonResponse(request.requestId, 200, {
             ok: true,
             enabled: true,
-            devtunnelEndpoint
+            devtunnelEndpoint,
+            dashboardOrigin: deps.nodeRegistry.getSelf().dashboardOrigin
           });
         }
         if (!deps.disableDevTunnel) {
@@ -31850,7 +32356,8 @@ async function executeWorkerControlRequest(deps, request) {
         await deps.disableDevTunnel();
         return jsonResponse(request.requestId, 200, {
           ok: true,
-          enabled: false
+          enabled: false,
+          dashboardOrigin: deps.nodeRegistry.getSelf().dashboardOrigin
         });
       }
       case "task-cancel": {
@@ -32084,10 +32591,19 @@ function createNodeRoutes() {
       }
       if (enabled) {
         const devtunnelEndpoint = await enableDevTunnel();
-        res.json({ ok: true, enabled: true, devtunnelEndpoint });
+        res.json({
+          ok: true,
+          enabled: true,
+          devtunnelEndpoint,
+          dashboardOrigin: nodeRegistry.getSelf().dashboardOrigin
+        });
       } else {
         await disableDevTunnel();
-        res.json({ ok: true, enabled: false });
+        res.json({
+          ok: true,
+          enabled: false,
+          dashboardOrigin: nodeRegistry.getSelf().dashboardOrigin
+        });
       }
     } else {
       const node = nodeRegistry.getNode(targetId);
@@ -32126,6 +32642,7 @@ function createNodeRoutes() {
           if (result?.ok) {
             if (nodeRegistry.getNode(targetId)) {
               nodeRegistry.updateDevTunnelEndpoint(targetId, result.devtunnelEndpoint);
+              nodeRegistry.updateDashboardOrigin(targetId, result.dashboardOrigin);
             }
           }
           sendWorkerControlResponse(res, controlResponse);
@@ -32141,6 +32658,7 @@ function createNodeRoutes() {
       const updatedNode = nodeRegistry.getNode(targetId);
       if (updatedNode) {
         nodeRegistry.updateDevTunnelEndpoint(targetId, result.devtunnelEndpoint);
+        nodeRegistry.updateDashboardOrigin(targetId, result.dashboardOrigin);
       }
       res.json(result);
     }
@@ -33073,13 +33591,19 @@ function createSystemRoutes() {
     res.json({ status: "ok", timestamp: Date.now() });
   }));
   router.get("/info", asyncHandler5(async (req, res) => {
-    const { nodeRegistry, getTransportType } = req.app.locals.deps;
+    const { nodeRegistry, getTransportType, config, dashboardOrigin } = req.app.locals.deps;
     const self = nodeRegistry.getSelf();
     res.json({
       ...self,
       version: "0.1.0",
       uptime: process.uptime(),
-      transportType: getTransportType?.() ?? "direct"
+      transportType: getTransportType?.() ?? "direct",
+      dashboardOrigin: dashboardOrigin ?? self.dashboardOrigin,
+      auth: config.authMetadata ?? {
+        enabled: false,
+        allowSameTenant: false,
+        allowedUsers: []
+      }
     });
   }));
   router.post("/transport", asyncHandler5(async (req, res) => {
@@ -33110,10 +33634,19 @@ function createSystemRoutes() {
     assertCanChangeNodeDevTunnel(taskEngine, nodeRegistry.getSelf().id);
     if (enabled) {
       const devtunnelEndpoint = await enableDevTunnel();
-      res.json({ ok: true, enabled: true, devtunnelEndpoint });
+      res.json({
+        ok: true,
+        enabled: true,
+        devtunnelEndpoint,
+        dashboardOrigin: nodeRegistry.getSelf().dashboardOrigin
+      });
     } else {
       await disableDevTunnel();
-      res.json({ ok: true, enabled: false });
+      res.json({
+        ok: true,
+        enabled: false,
+        dashboardOrigin: nodeRegistry.getSelf().dashboardOrigin
+      });
     }
   }));
   router.get("/metrics", asyncHandler5(async (req, res) => {
@@ -33243,13 +33776,39 @@ function createServer2(deps) {
   if (typeof deps.heartbeat.setControlRequestHandler === "function") {
     deps.heartbeat.setControlRequestHandler((request) => executeWorkerControlRequest(deps, request));
   }
+  const authConfig = {
+    apiKey: deps.config.apiKey,
+    validateBearerToken: deps.config.validateBearerToken,
+    getTrustedHosts: () => {
+      const trustedHosts = [];
+      if (deps.dashboardOrigin) {
+        try {
+          trustedHosts.push(new URL(deps.dashboardOrigin).host);
+        } catch {
+        }
+      }
+      return trustedHosts;
+    }
+  };
+  const isApiRequest = (req) => req.path === "/api" || req.path.startsWith("/api/");
+  const canServeDashboard = (req) => !deps.config.validateBearerToken || isTrustedDashboardRequest(req, authConfig);
   const runtimeBaseDir = resolveRuntimeBaseDir();
   const staticDir = resolveStaticDir(runtimeBaseDir);
   if (staticDir) {
-    app.use(import_express7.default.static(staticDir));
+    const staticMiddleware = import_express7.default.static(staticDir);
+    app.use((req, res, next) => {
+      if (isApiRequest(req)) {
+        next();
+        return;
+      }
+      if (!canServeDashboard(req)) {
+        res.status(404).type("text/plain").send("Not Found");
+        return;
+      }
+      staticMiddleware(req, res, next);
+    });
   }
   app.use(import_express7.default.json({ limit: JSON_BODY_LIMIT }));
-  const authConfig = { apiKey: deps.config.apiKey };
   app.use(createAuthMiddleware(authConfig));
   app.use(createRoutingMiddleware(deps.dataRouter));
   const largeBodyParser = import_express7.default.json({ limit: JSON_BODY_LIMIT_LARGE });
@@ -33262,7 +33821,15 @@ function createServer2(deps) {
   if (staticDir) {
     const indexPath = path15.join(staticDir, "index.html");
     if (fs15.existsSync(indexPath)) {
-      app.get("*", (_req, res) => {
+      app.get("*", (req, res, next) => {
+        if (isApiRequest(req)) {
+          next();
+          return;
+        }
+        if (!canServeDashboard(req)) {
+          res.status(404).type("text/plain").send("Not Found");
+          return;
+        }
         res.sendFile(indexPath);
       });
     }
@@ -33337,10 +33904,10 @@ var DirectTransport = class {
 };
 
 // ../../packages/transport/src/devtunnel.ts
-var import_node_child_process4 = require("child_process");
+var import_node_child_process5 = require("child_process");
 function isInstalled(cmd) {
   try {
-    (0, import_node_child_process4.execSync)(process.platform === "win32" ? `where ${cmd}` : `command -v ${cmd}`, { stdio: "pipe" });
+    (0, import_node_child_process5.execSync)(process.platform === "win32" ? `where ${cmd}` : `command -v ${cmd}`, { stdio: "pipe" });
     return true;
   } catch {
     return false;
@@ -33363,14 +33930,14 @@ var DevTunnelTransport = class {
       );
     }
     try {
-      (0, import_node_child_process4.execSync)("devtunnel user show", { stdio: "pipe" });
+      (0, import_node_child_process5.execSync)("devtunnel user show", { stdio: "pipe" });
     } catch {
       throw new Error(
         "Not logged in to devtunnel. Run: devtunnel user login"
       );
     }
     const hostArgs = this.buildHostArgs(localPort);
-    const child = (0, import_node_child_process4.spawn)("devtunnel", hostArgs, {
+    const child = (0, import_node_child_process5.spawn)("devtunnel", hostArgs, {
       stdio: ["pipe", "pipe", "pipe"]
     });
     this.process = child;
@@ -33475,7 +34042,7 @@ ${lines.join("")}`
       return void 0;
     }
     try {
-      (0, import_node_child_process4.execFileSync)("devtunnel", ["show", tunnelId], { stdio: "pipe" });
+      (0, import_node_child_process5.execFileSync)("devtunnel", ["show", tunnelId], { stdio: "pipe" });
       return tunnelId;
     } catch {
       const createArgs = ["create", tunnelId];
@@ -33483,7 +34050,7 @@ ${lines.join("")}`
         createArgs.push("-a");
       }
       try {
-        (0, import_node_child_process4.execFileSync)("devtunnel", createArgs, { stdio: "pipe" });
+        (0, import_node_child_process5.execFileSync)("devtunnel", createArgs, { stdio: "pipe" });
         return tunnelId;
       } catch (err) {
         throw new Error(
@@ -33498,7 +34065,7 @@ ${lines.join("")}`
       return;
     }
     try {
-      (0, import_node_child_process4.execFileSync)(
+      (0, import_node_child_process5.execFileSync)(
         "devtunnel",
         ["port", "create", tunnelId, "-p", String(localPort), "--protocol", "http"],
         { stdio: "pipe" }
@@ -33514,7 +34081,7 @@ ${lines.join("")}`
   }
   listTunnelPorts(tunnelId) {
     try {
-      const output = (0, import_node_child_process4.execFileSync)("devtunnel", ["port", "list", tunnelId, "-j"], { stdio: "pipe" });
+      const output = (0, import_node_child_process5.execFileSync)("devtunnel", ["port", "list", tunnelId, "-j"], { stdio: "pipe" });
       const parsed = JSON.parse(output.toString());
       const items = Array.isArray(parsed) ? parsed : parsed && typeof parsed === "object" && Array.isArray(parsed.ports) ? parsed.ports : parsed && typeof parsed === "object" && Array.isArray(parsed.value) ? parsed.value : [];
       return items.map((item) => getPortNumber(item)).filter((value) => value !== void 0);
@@ -33526,7 +34093,7 @@ ${lines.join("")}`
   }
   hasTunnelPort(tunnelId, localPort) {
     try {
-      (0, import_node_child_process4.execFileSync)(
+      (0, import_node_child_process5.execFileSync)(
         "devtunnel",
         ["port", "show", tunnelId, "-p", String(localPort), "-j"],
         { stdio: "pipe" }
@@ -33580,7 +34147,9 @@ function createTransport(config) {
   }
 }
 
-// src/main.ts
+// src/startup.ts
+var fs16 = __toESM(require("fs"), 1);
+var readline = __toESM(require("readline/promises"), 1);
 function getDefaultNodeName() {
   return getDeviceNodeName();
 }
@@ -33596,9 +34165,10 @@ function createDefaultConfig(storagePath = resolveDefaultStoragePath(), nodeName
   };
 }
 var DEFAULT_CONFIG3 = createDefaultConfig();
-function createRuntimeDefaultConfig(fileConfig) {
+function createRuntimeDefaultConfig(fileConfig, options = {}) {
   const storagePath = fileConfig.storage?.path ?? resolveDefaultStoragePath();
-  return createDefaultConfig(storagePath, resolveDefaultNodeName(storagePath));
+  const nodeName = options.ignorePersistedName ? getDeviceNodeName() : resolveDefaultNodeName(storagePath);
+  return createDefaultConfig(storagePath, nodeName);
 }
 function parseArgs(argv) {
   const result = {};
@@ -33636,6 +34206,12 @@ function parseArgs(argv) {
           result.config = argv[++i];
         }
         break;
+      case "--reset":
+        result.reset = true;
+        break;
+      case "--disable-auth":
+        result.disableAuth = true;
+        break;
     }
   }
   return result;
@@ -33746,6 +34322,67 @@ async function promptStartOptions(args, fileConfig, defaults, prompt) {
     await closePrompt?.();
   }
 }
+function applyStartMetadata(storagePath, args) {
+  const startup = resolveNodeStartupMetadata(storagePath);
+  const result = { ...args };
+  const loaded = {};
+  const persistedName = resolvePersistedDefaultNodeName(storagePath);
+  if (persistedName && result.name === void 0) {
+    loaded.name = persistedName;
+  }
+  if (startup.port !== void 0 && result.port === void 0) {
+    result.port = startup.port;
+    loaded.port = startup.port;
+  }
+  if (startup.transport && result.transport === void 0) {
+    result.transport = startup.transport;
+    loaded.transport = startup.transport;
+  }
+  if (startup.join && result.join === void 0) {
+    result.join = startup.join;
+    loaded.join = startup.join;
+  }
+  return {
+    args: result,
+    loaded: Object.keys(loaded).length > 0 ? loaded : void 0
+  };
+}
+function shouldCollectStartOptions(args, storagePath) {
+  return args.reset === true || !hasPersistedNodeStartupMetadata(storagePath);
+}
+function resolveRuntimeAuthMetadata(storagePath, disableAuth = false) {
+  const persisted = resolveNodeAuthMetadata(storagePath);
+  if (disableAuth) {
+    return { ...persisted, enabled: false };
+  }
+  if (!persisted.enabled && !persisted.allowSameTenant && persisted.allowedUsers.length === 0) {
+    return {
+      enabled: true,
+      allowSameTenant: false,
+      allowedUsers: []
+    };
+  }
+  return persisted;
+}
+function formatLoadedStartMetadata(info, authEnabled) {
+  const lines = ["Loaded startup options from metadata:"];
+  if (info.name) {
+    lines.push(`  Node: ${info.name}`);
+  }
+  if (info.port !== void 0) {
+    lines.push(`  Port: ${info.port}`);
+  }
+  if (info.transport) {
+    lines.push(`  Transport: ${info.transport}`);
+  }
+  if (info.join) {
+    lines.push(`  Join: ${info.join}`);
+  }
+  lines.push(`  Auth: ${authEnabled ? "enabled" : "disabled"}`);
+  return lines.join("\n");
+}
+
+// src/main.ts
 function formatBanner(info) {
   const lines = [
     `Node:      ${info.name}`,
@@ -33753,6 +34390,9 @@ function formatBanner(info) {
     `Endpoint:  ${info.endpoint}`,
     `Dashboard: http://localhost:${info.port}`
   ];
+  if (info.dashboardOrigin) {
+    lines.push(`Dashboard Tunnel: ${info.dashboardOrigin}`);
+  }
   const maxLen = Math.max(...lines.map((l) => l.length));
   const innerWidth = maxLen + 4;
   const top = `  \u256D${"\u2500".repeat(innerWidth)}\u256E`;
@@ -33774,16 +34414,48 @@ async function main() {
   const args = parseArgs(process.argv.slice(2));
   const configPath = args.config ?? "./config.json";
   const fileConfig = loadConfigFile(configPath);
-  const defaults = createRuntimeDefaultConfig(fileConfig);
-  const resolvedArgs = await promptStartOptions(args, fileConfig, defaults);
+  const storagePath = fileConfig.storage?.path ?? resolveDefaultStoragePath();
+  const hydratedArgs = args.reset ? { args: { ...args }, loaded: void 0 } : applyStartMetadata(storagePath, args);
+  const defaults = createRuntimeDefaultConfig(fileConfig, {
+    ignorePersistedName: args.reset === true
+  });
+  const resolvedArgs = shouldCollectStartOptions(args, storagePath) ? await promptStartOptions(
+    args.reset ? args : hydratedArgs.args,
+    fileConfig,
+    defaults
+  ) : hydratedArgs.args;
   const config = mergeConfig(defaults, fileConfig, resolvedArgs);
   persistDefaultNodeName(config.storage.path, config.node.name);
+  persistNodeStartupMetadata(config.storage.path, {
+    port: config.node.port,
+    transport: config.transport.type,
+    join: resolvedArgs.join
+  });
+  const authMetadata = resolveRuntimeAuthMetadata(config.storage.path, resolvedArgs.disableAuth === true);
+  if (!resolvedArgs.disableAuth) {
+    persistNodeAuthMetadata(config.storage.path, authMetadata);
+  }
   const logDir = nodePath.join(config.storage.path, "logs");
   const logger = createLogger({
     component: "node",
     logDir,
     console: true
   });
+  const nodeAuth = new AzureCliNodeAuth(config.storage.path, {
+    logger: logger.child("azure-auth"),
+    settingsProvider: () => authMetadata
+  });
+  if (hydratedArgs.loaded) {
+    console.log("");
+    console.log(formatLoadedStartMetadata(hydratedArgs.loaded, authMetadata.enabled));
+    console.log("");
+  }
+  if (authMetadata.enabled) {
+    nodeAuth.getAccessToken();
+    setRequestAuthHeadersProvider(() => nodeAuth.getAuthorizationHeaders());
+  } else {
+    setRequestAuthHeadersProvider(null);
+  }
   const meshyNode = new MeshyNode(config, {
     logger,
     transportFactory: createTransport
@@ -33793,9 +34465,24 @@ async function main() {
   const previewServer = new PreviewServer(previewSessionManager);
   const previewPort = config.node.port + 1;
   const actualPreviewPort = await previewServer.start(previewPort);
+  let dashboardTransport = null;
+  let dashboardOrigin;
   let previewTransport = null;
   let previewOrigin;
   let deps;
+  function createDashboardTransportConfig() {
+    return {
+      type: "devtunnel",
+      devtunnel: {
+        id: resolveOrCreateDevTunnelId(
+          config.storage.path,
+          meshyNode.getNodeRegistry().getSelf().id,
+          "dashboard"
+        ),
+        allowAnonymous: false
+      }
+    };
+  }
   function createPreviewTransportConfig() {
     return {
       type: "devtunnel",
@@ -33809,11 +34496,92 @@ async function main() {
       }
     };
   }
+  function setAdvertisedDashboardOrigin(origin) {
+    dashboardOrigin = origin;
+    deps.dashboardOrigin = origin;
+    meshyNode.getNodeRegistry().updateDashboardOrigin(meshyNode.getNodeRegistry().getSelf().id, origin);
+  }
   function setAdvertisedPreviewOrigin(origin) {
     previewOrigin = origin;
     deps.previewOrigin = origin;
     meshyNode.getNodeRegistry().updatePreviewOrigin(meshyNode.getNodeRegistry().getSelf().id, origin);
   }
+  function shouldPublishDashboardTunnel() {
+    return authMetadata.enabled && (meshyNode.getTransportType() === "devtunnel" || meshyNode.isDevTunnelEnabled());
+  }
+  async function stopDashboardTransport() {
+    if (!dashboardTransport) {
+      if (dashboardOrigin) {
+        setAdvertisedDashboardOrigin(void 0);
+      }
+      return;
+    }
+    await dashboardTransport.stop().catch(() => void 0);
+    dashboardTransport = null;
+    setAdvertisedDashboardOrigin(void 0);
+    meshyNode.getLogger().info("stopped dashboard tunnel", {
+      reason: "dashboard transport no longer required",
+      mainTransportType: meshyNode.getTransportType(),
+      sidecarEnabled: meshyNode.isDevTunnelEnabled()
+    });
+  }
+  async function restartDashboardTransport(transportConfig) {
+    const previousTransport = dashboardTransport;
+    const previousOrigin = dashboardOrigin;
+    let nextTransport = null;
+    try {
+      nextTransport = createTransport(transportConfig);
+      await nextTransport.start(config.node.port);
+      const nextOrigin = await nextTransport.getEndpoint();
+      dashboardTransport = nextTransport;
+      setAdvertisedDashboardOrigin(nextOrigin);
+      meshyNode.getLogger().info("started dashboard tunnel", {
+        dashboardOrigin: nextOrigin,
+        mainTransportType: meshyNode.getTransportType(),
+        sidecarEnabled: meshyNode.isDevTunnelEnabled()
+      });
+      if (previousTransport) {
+        await previousTransport.stop().catch(() => void 0);
+      }
+    } catch (err) {
+      if (nextTransport) {
+        await nextTransport.stop().catch(() => void 0);
+      }
+      dashboardTransport = previousTransport;
+      setAdvertisedDashboardOrigin(previousOrigin);
+      meshyNode.getLogger().warn("failed to start dashboard transport", {
+        error: err instanceof Error ? err.message : String(err),
+        port: config.node.port,
+        transportType: transportConfig.type
+      });
+    }
+  }
+  async function syncDashboardTransport(reason) {
+    if (!authMetadata.enabled) {
+      await stopDashboardTransport();
+      return;
+    }
+    if (!shouldPublishDashboardTunnel()) {
+      meshyNode.getLogger().info("skipping dashboard tunnel", {
+        reason,
+        mainTransportType: meshyNode.getTransportType(),
+        sidecarEnabled: meshyNode.isDevTunnelEnabled(),
+        authEnabled: authMetadata.enabled
+      });
+      await stopDashboardTransport();
+      return;
+    }
+    if (dashboardTransport && await dashboardTransport.isHealthy().catch(() => false)) {
+      meshyNode.getLogger().debug("dashboard tunnel already active", {
+        reason,
+        dashboardOrigin,
+        mainTransportType: meshyNode.getTransportType(),
+        sidecarEnabled: meshyNode.isDevTunnelEnabled()
+      });
+      return;
+    }
+    await restartDashboardTransport(createDashboardTransportConfig());
+  }
   async function restartPreviewTransport(transportConfig) {
     const previousTransport = previewTransport;
     const previousOrigin = previewOrigin;
@@ -33849,7 +34617,11 @@ async function main() {
     eventBus: meshyNode.getEventBus(),
     engineRegistry: meshyNode.getEngineRegistry(),
     logger: meshyNode.getLogger(),
-    config: { apiKey: config.cluster.apiKey },
+    config: {
+      apiKey: config.cluster.apiKey,
+      authMetadata,
+      validateBearerToken: authMetadata.enabled ? (header) => nodeAuth.validateAuthorizationHeader(header) : void 0
+    },
     workDir: meshyNode.getWorkDir(),
     persistNodeNamePreference: (name) => persistDefaultNodeName(config.storage.path, name),
     joinCurrentNodeToCluster: async (leaderEndpoint) => {
@@ -33859,12 +34631,28 @@ async function main() {
       await meshyNode.leaveCluster();
     },
     switchTransport: async (type) => {
-      return meshyNode.switchTransport(type);
+      const endpoint = await meshyNode.switchTransport(type);
+      persistNodeStartupTransport(config.storage.path, type);
+      await syncDashboardTransport(`switchTransport:${type}`);
+      return endpoint;
     },
     getTransportType: () => meshyNode.getTransportType(),
-    enableDevTunnel: async () => meshyNode.enableDevTunnel(),
-    disableDevTunnel: async () => meshyNode.disableDevTunnel(),
+    enableDevTunnel: async () => {
+      const endpoint = await meshyNode.enableDevTunnel();
+      persistNodeStartupTransport(config.storage.path, "devtunnel");
+      await syncDashboardTransport("enableDevTunnel");
+      return endpoint;
+    },
+    disableDevTunnel: async () => {
+      await meshyNode.disableDevTunnel();
+      persistNodeStartupTransport(
+        config.storage.path,
+        meshyNode.getTransportType()
+      );
+      await syncDashboardTransport("disableDevTunnel");
+    },
     isDevTunnelEnabled: () => meshyNode.isDevTunnelEnabled(),
+    dashboardOrigin,
     ensurePreviewOrigin: async () => {
       if (previewTransport && !await previewTransport.isHealthy()) {
         await previewTransport.stop().catch(() => void 0);
@@ -33880,7 +34668,16 @@ async function main() {
   };
   deps.previewSessionManager = previewSessionManager;
   deps.previewPort = actualPreviewPort;
+  deps.dashboardOrigin = dashboardOrigin;
   deps.previewOrigin = previewOrigin;
+  meshyNode.getLogger().info("configured node auth mode", {
+    authEnabled: authMetadata.enabled,
+    allowSameTenant: authMetadata.allowSameTenant,
+    allowedUsersCount: authMetadata.allowedUsers.length,
+    mainTransportType: meshyNode.getTransportType(),
+    sidecarEnabled: meshyNode.isDevTunnelEnabled()
+  });
+  await syncDashboardTransport("startup");
   const previewHealthTimer = setInterval(() => {
     void (async () => {
       if (!previewTransport) return;
@@ -33894,6 +34691,19 @@ async function main() {
       });
     })();
   }, config.cluster.heartbeatInterval);
+  const dashboardHealthTimer = setInterval(() => {
+    void (async () => {
+      if (!dashboardTransport) return;
+      const healthy = await dashboardTransport.isHealthy().catch(() => false);
+      if (healthy) return;
+      await dashboardTransport.stop().catch(() => void 0);
+      dashboardTransport = null;
+      setAdvertisedDashboardOrigin(void 0);
+      meshyNode.getLogger().warn("dashboard transport became unhealthy and was cleared", {
+        port: config.node.port
+      });
+    })();
+  }, config.cluster.heartbeatInterval);
   const app = createServer2(deps);
   const server = app.listen(config.node.port, () => {
     const self = meshyNode.getNodeRegistry().getSelf();
@@ -33904,7 +34714,8 @@ async function main() {
       role,
       term,
       endpoint: self.endpoint,
-      port: config.node.port
+      port: config.node.port,
+      dashboardOrigin
     });
     console.log("");
     console.log(banner);
@@ -33916,7 +34727,11 @@ async function main() {
     shuttingDown = true;
     console.log("\nShutting down...");
     try {
+      clearInterval(dashboardHealthTimer);
       clearInterval(previewHealthTimer);
+      if (dashboardTransport) {
+        await dashboardTransport.stop();
+      }
       if (previewTransport) {
         await previewTransport.stop();
       }
@@ -33945,9 +34760,11 @@ if (isDirectRun) {
   DEFAULT_CONFIG,
   DEFAULT_NODE_NAME,
   DEFAULT_NODE_PORT,
+  applyStartMetadata,
   createDefaultConfig,
   createRuntimeDefaultConfig,
   formatBanner,
+  formatLoadedStartMetadata,
   getDefaultNodeName,
   isDirectRunPath,
   loadConfigFile,
@@ -33955,6 +34772,8 @@ if (isDirectRun) {
   mergeConfig,
   parseArgs,
   promptStartOptions,
+  resolveRuntimeAuthMetadata,
+  shouldCollectStartOptions,
   shouldPromptForStartOptions
 });
 /*! Bundled license information: