nterminal 1.2.0

package/dist/server/files/rootToken.js

@@ -0,0 +1,139 @@
+import { createHmac, randomUUID, timingSafeEqual } from 'node:crypto';
+const ROOT_TOKEN_PREFIX = 'frt1';
+const DELETE_PREVIEW_TOKEN_PREFIX = 'fdt1';
+export class FileRootTokenError extends Error {
+    code = 'invalid_root_token';
+    constructor() {
+        super('Invalid file root token');
+    }
+}
+export class FileDeletePreviewTokenError extends Error {
+    code = 'invalid_delete_preview_token';
+    constructor() {
+        super('Invalid file delete preview token');
+    }
+}
+export function signFileRootToken(config, options) {
+    const issuedAt = (options.now ?? (() => new Date()))().toISOString();
+    const payload = {
+        version: 1,
+        terminalId: options.terminalId,
+        rootPath: options.rootPath,
+        issuedAt,
+        nonce: (options.nonce ?? randomUUID)()
+    };
+    return {
+        rootToken: signToken(ROOT_TOKEN_PREFIX, config.sessionSecret, payload),
+        issuedAt
+    };
+}
+export function verifyFileRootToken(config, token) {
+    const payload = verifyToken(config.sessionSecret, token, ROOT_TOKEN_PREFIX, () => new FileRootTokenError());
+    if (!isFileRootTokenPayload(payload)) {
+        throw new FileRootTokenError();
+    }
+    return payload;
+}
+export function signFileDeletePreviewToken(config, options) {
+    const payload = {
+        version: 1,
+        rootTokenHash: tokenHash(config.sessionSecret, options.rootToken),
+        path: options.path,
+        kind: options.kind,
+        descendantCount: options.descendantCount,
+        entryVersion: options.entryVersion,
+        issuedAt: (options.now ?? (() => new Date()))().toISOString(),
+        nonce: (options.nonce ?? randomUUID)()
+    };
+    return signToken(DELETE_PREVIEW_TOKEN_PREFIX, config.sessionSecret, payload);
+}
+export function verifyFileDeletePreviewToken(config, token, rootToken, expected) {
+    const payload = verifyToken(config.sessionSecret, token, DELETE_PREVIEW_TOKEN_PREFIX, () => new FileDeletePreviewTokenError());
+    if (!isFileDeletePreviewTokenPayload(payload)) {
+        throw new FileDeletePreviewTokenError();
+    }
+    if (payload.rootTokenHash !== tokenHash(config.sessionSecret, rootToken) ||
+        payload.path !== expected.path ||
+        payload.kind !== expected.kind ||
+        payload.descendantCount !== expected.descendantCount ||
+        !sameFileVersion(payload.entryVersion, expected.entryVersion)) {
+        throw new FileDeletePreviewTokenError();
+    }
+}
+function signToken(prefix, secret, payload) {
+    const payloadSegment = Buffer.from(JSON.stringify(payload), 'utf8').toString('base64url');
+    const signature = signatureSegment(secret, `${prefix}.${payloadSegment}`);
+    return `${prefix}.${payloadSegment}.${signature}`;
+}
+function verifyToken(secret, token, expectedPrefix, error) {
+    const parts = token.split('.');
+    if (parts.length !== 3 || parts[0] !== expectedPrefix || !parts[1] || !parts[2]) {
+        throw error();
+    }
+    const signedValue = `${parts[0]}.${parts[1]}`;
+    const expectedSignature = signatureSegment(secret, signedValue);
+    if (!timingSafeEqualString(parts[2], expectedSignature)) {
+        throw error();
+    }
+    try {
+        return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+    }
+    catch {
+        throw error();
+    }
+}
+function signatureSegment(secret, value) {
+    return createHmac('sha256', secret).update(value).digest('base64url');
+}
+function tokenHash(secret, token) {
+    return createHmac('sha256', secret).update(token).digest('base64url');
+}
+function timingSafeEqualString(actual, expected) {
+    const actualBuffer = Buffer.from(actual, 'base64url');
+    const expectedBuffer = Buffer.from(expected, 'base64url');
+    return actualBuffer.length === expectedBuffer.length && timingSafeEqual(actualBuffer, expectedBuffer);
+}
+function isFileRootTokenPayload(value) {
+    if (!value || typeof value !== 'object') {
+        return false;
+    }
+    const payload = value;
+    return (payload.version === 1 &&
+        typeof payload.terminalId === 'string' &&
+        payload.terminalId.length > 0 &&
+        typeof payload.rootPath === 'string' &&
+        payload.rootPath.length > 0 &&
+        typeof payload.issuedAt === 'string' &&
+        typeof payload.nonce === 'string' &&
+        payload.nonce.length > 0);
+}
+function isFileDeletePreviewTokenPayload(value) {
+    if (!value || typeof value !== 'object') {
+        return false;
+    }
+    const payload = value;
+    return (payload.version === 1 &&
+        typeof payload.rootTokenHash === 'string' &&
+        typeof payload.path === 'string' &&
+        typeof payload.kind === 'string' &&
+        typeof payload.descendantCount === 'number' &&
+        Number.isSafeInteger(payload.descendantCount) &&
+        payload.descendantCount >= 0 &&
+        isFileVersionPayload(payload.entryVersion) &&
+        typeof payload.issuedAt === 'string' &&
+        typeof payload.nonce === 'string' &&
+        payload.nonce.length > 0);
+}
+function isFileVersionPayload(value) {
+    if (!value || typeof value !== 'object') {
+        return false;
+    }
+    const version = value;
+    return (typeof version.size === 'number' &&
+        typeof version.mtimeMs === 'number' &&
+        (version.ino === undefined || typeof version.ino === 'number'));
+}
+function sameFileVersion(left, right) {
+    return left.size === right.size && left.mtimeMs === right.mtimeMs && (right.ino === undefined || left.ino === right.ino);
+}
+//# sourceMappingURL=rootToken.js.map

package/dist/server/files/rootToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rootToken.js","sourceRoot":"","sources":["../../../src/server/files/rootToken.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAItE,MAAM,iBAAiB,GAAG,MAAM,CAAC;AACjC,MAAM,2BAA2B,GAAG,MAAM,CAAC;AA2C3C,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAClC,IAAI,GAAG,oBAAoB,CAAC;IAErC;QACE,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACnC,CAAC;CACF;AAED,MAAM,OAAO,2BAA4B,SAAQ,KAAK;IAC3C,IAAI,GAAG,8BAA8B,CAAC;IAE/C;QACE,KAAK,CAAC,mCAAmC,CAAC,CAAC;IAC7C,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAwC,EAAE,OAAiC;IAC3G,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;IACrE,MAAM,OAAO,GAAyB;QACpC,OAAO,EAAE,CAAC;QACV,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,QAAQ;QACR,KAAK,EAAE,CAAC,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,EAAE;KACvC,CAAC;IACF,OAAO;QACL,SAAS,EAAE,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,aAAa,EAAE,OAAO,CAAC;QACtE,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAwC,EAAE,KAAa;IACzF,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,aAAa,EAAE,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,CAAC,IAAI,kBAAkB,EAAE,CAAC,CAAC;IAC5G,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,kBAAkB,EAAE,CAAC;IACjC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,MAAwC,EACxC,OAA0C;IAE1C,MAAM,OAAO,GAAkC;QAC7C,OAAO,EAAE,CAAC;QACV,aAAa,EAAE,SAAS,CAAC,MAAM,CAAC,aAAa,EAAE,OAAO,CAAC,SAAS,CAAC;QACjE,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,eAAe,EAAE,OAAO,CAAC,eAAe;QACxC,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,EAAE,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE;QAC7D,KAAK,EAAE,CAAC,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,EAAE;KACvC,CAAC;IACF,OAAO,SAAS,CAAC,2BAA2B,EAAE,MAAM,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,MAAwC,EACxC,KAAa,EACb,SAAiB,EACjB,QAAmG;IAEnG,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,aAAa,EAAE,KAAK,EAAE,2BAA2B,EAAE,GAAG,EAAE,CAAC,IAAI,2BAA2B,EAAE,CAAC,CAAC;IAC/H,IAAI,CAAC,+BAA+B,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,2BAA2B,EAAE,CAAC;IAC1C,CAAC;IACD,IACE,OAAO,CAAC,aAAa,KAAK,SAAS,CAAC,MAAM,CAAC,aAAa,EAAE,SAAS,CAAC;QACpE,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,IAAI;QAC9B,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,IAAI;QAC9B,OAAO,CAAC,eAAe,KAAK,QAAQ,CAAC,eAAe;QACpD,CAAC,eAAe,CAAC,OAAO,CAAC,YAAY,EAAE,QAAQ,CAAC,YAAY,CAAC,EAC7D,CAAC;QACD,MAAM,IAAI,2BAA2B,EAAE,CAAC;IAC1C,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,MAAc,EAAE,MAAc,EAAE,OAAgB;IACjE,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC1F,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,EAAE,GAAG,MAAM,IAAI,cAAc,EAAE,CAAC,CAAC;IAC1E,OAAO,GAAG,MAAM,IAAI,cAAc,IAAI,SAAS,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,KAAa,EAAE,cAAsB,EAAE,KAAkB;IAC5F,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,cAAc,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,MAAM,KAAK,EAAE,CAAC;IAChB,CAAC;IACD,MAAM,WAAW,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9C,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAChE,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,iBAAiB,CAAC,EAAE,CAAC;QACxD,MAAM,KAAK,EAAE,CAAC;IAChB,CAAC;IACD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAY,CAAC;IACpF,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,KAAK,EAAE,CAAC;IAChB,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc,EAAE,KAAa;IACrD,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,SAAS,CAAC,MAAc,EAAE,KAAa;IAC9C,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAc,EAAE,QAAgB;IAC7D,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACtD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAC1D,OAAO,YAAY,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,IAAI,eAAe,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;AACxG,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,OAAO,GAAG,KAAsC,CAAC;IACvD,OAAO,CACL,OAAO,CAAC,OAAO,KAAK,CAAC;QACrB,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ;QACtC,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC7B,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ;QACpC,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;QAC3B,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ;QACpC,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;QACjC,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CACzB,CAAC;AACJ,CAAC;AAED,SAAS,+BAA+B,CAAC,KAAc;IACrD,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,OAAO,GAAG,KAA+C,CAAC;IAChE,OAAO,CACL,OAAO,CAAC,OAAO,KAAK,CAAC;QACrB,OAAO,OAAO,CAAC,aAAa,KAAK,QAAQ;QACzC,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ;QAChC,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ;QAChC,OAAO,OAAO,CAAC,eAAe,KAAK,QAAQ;QAC3C,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,eAAe,CAAC;QAC7C,OAAO,CAAC,eAAe,IAAI,CAAC;QAC5B,oBAAoB,CAAC,OAAO,CAAC,YAAY,CAAC;QAC1C,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ;QACpC,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;QACjC,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CACzB,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,OAAO,GAAG,KAA6B,CAAC;IAC9C,OAAO,CACL,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ;QAChC,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ;QACnC,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAC/D,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,IAAiB,EAAE,KAAkB;IAC5D,OAAO,IAAI,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,KAAK,KAAK,CAAC,GAAG,CAAC,CAAC;AAC3H,CAAC"}

package/dist/server/http.d.ts

@@ -0,0 +1,13 @@
+import { type FastifyInstance } from 'fastify';
+import type { AppConfig } from './config.js';
+import { type AuthRouteServices } from './routes/authRoutes.js';
+import { type FileRouteServices } from './routes/fileRoutes.js';
+import { type TerminalLayoutRouteServices } from './routes/terminalLayoutRoutes.js';
+import { type TerminalRouteServices } from './routes/terminalRoutes.js';
+import { type UploadRouteServices } from './routes/uploadRoutes.js';
+import { type AgentRouteServices } from './agent/agentRoutes.js';
+import { type AgentManagementRouteServices } from './routes/agentManagementRoutes.js';
+import { type NotificationAssetRouteServices } from './routes/notificationAssetRoutes.js';
+export interface BuildAppServices extends AuthRouteServices, TerminalRouteServices, TerminalLayoutRouteServices, UploadRouteServices, FileRouteServices, AgentRouteServices, AgentManagementRouteServices, NotificationAssetRouteServices {
+}
+export declare function buildApp(config: AppConfig, services: BuildAppServices): Promise<FastifyInstance>;

package/dist/server/http.js

@@ -0,0 +1,69 @@
+import fastifyCookie from '@fastify/cookie';
+import fastifyMultipart from '@fastify/multipart';
+import fastifyStatic from '@fastify/static';
+import fastifyWebsocket from '@fastify/websocket';
+import Fastify from 'fastify';
+import path from 'node:path';
+import { registerAuthRoutes } from './routes/authRoutes.js';
+import { registerFileRoutes } from './routes/fileRoutes.js';
+import { registerTerminalLayoutRoutes } from './routes/terminalLayoutRoutes.js';
+import { registerTerminalRoutes } from './routes/terminalRoutes.js';
+import { registerTerminalWebSocket } from './routes/terminalWebSocket.js';
+import { registerUploadRoutes } from './routes/uploadRoutes.js';
+import { registerTotpRoutes } from './routes/totpRoutes.js';
+import { registerSecurityRoutes } from './routes/securityRoutes.js';
+import { registerUpdateRoutes } from './routes/updateRoutes.js';
+import { registerAgentRoutes } from './agent/agentRoutes.js';
+import { registerAgentManagementRoutes } from './routes/agentManagementRoutes.js';
+import { registerNotificationAssetRoutes } from './routes/notificationAssetRoutes.js';
+export async function buildApp(config, services) {
+    const app = Fastify({ logger: true, trustProxy: config.trustProxy });
+    await app.register(fastifyCookie, {
+        secret: config.sessionSecret
+    });
+    await app.register(fastifyWebsocket);
+    await app.register(fastifyMultipart, {
+        throwFileSizeLimit: false,
+        limits: {
+            files: config.uploadMaxFiles,
+            fileSize: config.uploadMaxFileBytes + 1,
+            parts: config.uploadMaxFiles + 1,
+            fields: 1
+        }
+    });
+    await registerAuthRoutes(app, config, services);
+    await registerTotpRoutes(app, config, services);
+    await registerSecurityRoutes(app, config, services);
+    await registerUpdateRoutes(app, config, services);
+    await registerTerminalRoutes(app, config, services);
+    await registerTerminalLayoutRoutes(app, config, services);
+    await registerUploadRoutes(app, config, services);
+    await registerFileRoutes(app, config, services);
+    await registerNotificationAssetRoutes(app, config, services);
+    await registerTerminalWebSocket(app, config, services);
+    if (config.agentToken) {
+        await registerAgentRoutes(app, config, services);
+    }
+    await registerAgentManagementRoutes(app, config, services);
+    app.addHook('onSend', async (_request, reply, payload) => {
+        const contentType = reply.getHeader('content-type');
+        if (typeof contentType === 'string' && contentType.includes('text/html')) {
+            reply.header('Cache-Control', 'no-store');
+        }
+        return payload;
+    });
+    await app.register(fastifyStatic, {
+        root: config.staticRoot,
+        prefix: '/'
+    });
+    app.setNotFoundHandler(async (request, reply) => {
+        const requestPath = request.url.split('?', 1)[0] ?? request.url;
+        if (requestPath === '/api' || requestPath.startsWith('/api/')) {
+            return reply.code(404).send({ error: 'not_found' });
+        }
+        reply.header('Cache-Control', 'no-store');
+        return reply.sendFile('index.html', path.resolve(config.staticRoot));
+    });
+    return app;
+}
+//# sourceMappingURL=http.js.map

package/dist/server/http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/server/http.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,MAAM,iBAAiB,CAAC;AAC5C,OAAO,gBAAgB,MAAM,oBAAoB,CAAC;AAClD,OAAO,aAAa,MAAM,iBAAiB,CAAC;AAC5C,OAAO,gBAAgB,MAAM,oBAAoB,CAAC;AAClD,OAAO,OAAiC,MAAM,SAAS,CAAC;AACxD,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,kBAAkB,EAA0B,MAAM,wBAAwB,CAAC;AACpF,OAAO,EAAE,kBAAkB,EAA0B,MAAM,wBAAwB,CAAC;AACpF,OAAO,EAAE,4BAA4B,EAAoC,MAAM,kCAAkC,CAAC;AAClH,OAAO,EAAE,sBAAsB,EAA8B,MAAM,4BAA4B,CAAC;AAChG,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAC1E,OAAO,EAAE,oBAAoB,EAA4B,MAAM,0BAA0B,CAAC;AAC1F,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,mBAAmB,EAA2B,MAAM,wBAAwB,CAAC;AACtF,OAAO,EAAE,6BAA6B,EAAqC,MAAM,mCAAmC,CAAC;AACrH,OAAO,EAAE,+BAA+B,EAAuC,MAAM,qCAAqC,CAAC;AAI3H,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,MAAiB,EAAE,QAA0B;IAC1E,MAAM,GAAG,GAAG,OAAO,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;IACrE,MAAM,GAAG,CAAC,QAAQ,CAAC,aAAa,EAAE;QAChC,MAAM,EAAE,MAAM,CAAC,aAAa;KAC7B,CAAC,CAAC;IACH,MAAM,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACrC,MAAM,GAAG,CAAC,QAAQ,CAAC,gBAAgB,EAAE;QACnC,kBAAkB,EAAE,KAAK;QACzB,MAAM,EAAE;YACN,KAAK,EAAE,MAAM,CAAC,cAAc;YAC5B,QAAQ,EAAE,MAAM,CAAC,kBAAkB,GAAG,CAAC;YACvC,KAAK,EAAE,MAAM,CAAC,cAAc,GAAG,CAAC;YAChC,MAAM,EAAE,CAAC;SACV;KACF,CAAC,CAAC;IAEH,MAAM,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,sBAAsB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IACpD,MAAM,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAClD,MAAM,sBAAsB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IACpD,MAAM,4BAA4B,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC1D,MAAM,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAClD,MAAM,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,+BAA+B,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7D,MAAM,yBAAyB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,6BAA6B,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAE3D,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;QACvD,MAAM,WAAW,GAAG,KAAK,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QACpD,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACzE,KAAK,CAAC,MAAM,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,MAAM,GAAG,CAAC,QAAQ,CAAC,aAAa,EAAE;QAChC,IAAI,EAAE,MAAM,CAAC,UAAU;QACvB,MAAM,EAAE,GAAG;KACZ,CAAC,CAAC;IAEH,GAAG,CAAC,kBAAkB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QAC9C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC;QAChE,IAAI,WAAW,KAAK,MAAM,IAAI,WAAW,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9D,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QACtD,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAC1C,OAAO,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/server/index.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/server/index.js

@@ -0,0 +1,45 @@
+import { loadConfig, loadDotEnvFile } from './config.js';
+import { buildApp } from './http.js';
+import { AuthService } from './auth/authService.js';
+import { TotpService } from './auth/totpService.js';
+import { FileStore } from './storage/fileStore.js';
+import { NodePtyAdapter } from './terminal/NodePtyAdapter.js';
+import { TmuxPtyAdapter } from './terminal/TmuxPtyAdapter.js';
+import { TerminalManager } from './terminal/TerminalManager.js';
+const config = loadConfig(loadDotEnvFile());
+const store = new FileStore(config.statePath);
+await store.init();
+const totpService = new TotpService('NTerminal');
+const authService = new AuthService(config, store, { totpService });
+// Prefer the tmux-backed adapter when available so PTYs survive
+// `nterminalctl restart` and NTerminal updates without losing shell state.
+// Falls back to the raw node-pty adapter when tmux isn't installed; the
+// rest of the system works the same, just without across-restart
+// persistence. Set NTERMINAL_PTY_PERSIST=false to force the fallback.
+const tmuxAdapter = process.env.NTERMINAL_PTY_PERSIST === 'false' ? null : TmuxPtyAdapter.detect();
+const ptyAdapter = tmuxAdapter ?? new NodePtyAdapter();
+const terminalManager = new TerminalManager(config, ptyAdapter);
+await terminalManager.restoreSessions();
+const app = await buildApp(config, {
+    authService,
+    fileStore: store,
+    terminalManager
+});
+app.log.info({ adapter: tmuxAdapter ? 'tmux' : 'node-pty' }, tmuxAdapter
+    ? 'PTY persistence enabled — shells survive NTerminal restart'
+    : 'PTY persistence disabled (tmux not detected or disabled); shells die on NTerminal restart');
+store.setErrorHandler((err) => app.log.error({ err }, 'fileStore coalesced flush failed'));
+const shutdown = async (signal) => {
+    app.log.info({ signal }, 'shutting down');
+    terminalManager.closeAll();
+    await app.close();
+    await store.flush();
+    process.exit(0);
+};
+process.once('SIGINT', () => void shutdown('SIGINT'));
+process.once('SIGTERM', () => void shutdown('SIGTERM'));
+// Last-ditch safety net for any path that exits without going through shutdown
+// (uncaught lifecycle, beforeExit). Sync flush so it works during process tear-down.
+process.on('beforeExit', () => store.flushSync());
+await app.listen({ host: config.host, port: config.port });
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,MAAM,MAAM,GAAG,UAAU,CAAC,cAAc,EAAE,CAAC,CAAC;AAC5C,MAAM,KAAK,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC9C,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;AACnB,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,WAAW,CAAC,CAAC;AACjD,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,MAAM,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;AACpE,gEAAgE;AAChE,2EAA2E;AAC3E,wEAAwE;AACxE,iEAAiE;AACjE,sEAAsE;AACtE,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC;AACnG,MAAM,UAAU,GAAG,WAAW,IAAI,IAAI,cAAc,EAAE,CAAC;AACvD,MAAM,eAAe,GAAG,IAAI,eAAe,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;AAChE,MAAM,eAAe,CAAC,eAAe,EAAE,CAAC;AAExC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE;IACjC,WAAW;IACX,SAAS,EAAE,KAAK;IAChB,eAAe;CAChB,CAAC,CAAC;AAEH,GAAG,CAAC,GAAG,CAAC,IAAI,CACV,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,EAAE,EAC9C,WAAW;IACT,CAAC,CAAC,4DAA4D;IAC9D,CAAC,CAAC,2FAA2F,CAChG,CAAC;AAEF,KAAK,CAAC,eAAe,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,kCAAkC,CAAC,CAAC,CAAC;AAE3F,MAAM,QAAQ,GAAG,KAAK,EAAE,MAAc,EAAiB,EAAE;IACvD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,eAAe,CAAC,CAAC;IAC1C,eAAe,CAAC,QAAQ,EAAE,CAAC;IAC3B,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IAClB,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IACpB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC;AAEF,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AACtD,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;AACxD,+EAA+E;AAC/E,qFAAqF;AACrF,OAAO,CAAC,EAAE,CAAC,YAAY,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;AAElD,MAAM,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC"}

package/dist/server/routes/agentManagementRoutes.d.ts

@@ -0,0 +1,9 @@
+import type { FastifyInstance } from 'fastify';
+import type { AppConfig } from '../config.js';
+import type { AuthService } from '../auth/authService.js';
+import type { FileStore } from '../storage/fileStore.js';
+export interface AgentManagementRouteServices {
+    authService: AuthService;
+    fileStore: FileStore;
+}
+export declare function registerAgentManagementRoutes(app: FastifyInstance, config: AppConfig, services: AgentManagementRouteServices): Promise<void>;

package/dist/server/routes/agentManagementRoutes.js

@@ -0,0 +1,304 @@
+import { randomUUID } from 'node:crypto';
+import { isAllowedOrigin } from '../config.js';
+import { requireAllowedOrigin } from './authRoutes.js';
+import { authenticateTerminalRequest } from './terminalRoutes.js';
+import { proxyAgentRequest } from '../agent/agentProxy.js';
+import { proxyAgentWebSocket } from '../agent/agentWebSocketProxy.js';
+import { collectSystemStats } from '../system/stats.js';
+export async function registerAgentManagementRoutes(app, config, services) {
+    // List agents
+    app.get('/api/agents', async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const state = await services.fileStore.read();
+        return { agents: state.agents.map(({ id, name, url }) => ({ id, name, url })) };
+    });
+    // Read or update the main server's display name. The ServerList sidebar
+    // shows this as the "Local" entry's label and lets the operator rename it
+    // inline — without an endpoint the name was hardcoded to "Local". Stored
+    // as null when the operator hasn't picked a name yet so the client knows
+    // to fall back to its default label rather than rendering empty text.
+    app.get('/api/main', async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const state = await services.fileStore.read();
+        return { name: state.mainName };
+    });
+    app.patch('/api/main', { preHandler: (request, reply) => requireAllowedOrigin(config, request, reply) }, async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const raw = request.body?.name;
+        // Accept null/empty as "clear back to default" so the operator can
+        // undo their rename without manual .env editing.
+        const trimmed = typeof raw === 'string' ? raw.trim() : '';
+        const next = trimmed.length > 0 ? trimmed.slice(0, 80) : null;
+        await services.fileStore.update((state) => ({ ...state, mainName: next }));
+        return { name: next };
+    });
+    // Add agent
+    app.post('/api/agents', { preHandler: (request, reply) => requireAllowedOrigin(config, request, reply) }, async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const { name, url, token } = request.body ?? {};
+        if (typeof name !== 'string' || !name.trim())
+            return reply.code(400).send({ error: 'name_required' });
+        if (typeof url !== 'string' || !url.trim())
+            return reply.code(400).send({ error: 'url_required' });
+        if (typeof token !== 'string' || token.length < 32)
+            return reply.code(400).send({ error: 'token_too_short' });
+        let parsedUrl;
+        try {
+            parsedUrl = new URL(url.trim());
+        }
+        catch {
+            return reply.code(400).send({ error: 'invalid_url' });
+        }
+        if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+            return reply.code(400).send({ error: 'invalid_url_scheme' });
+        }
+        const agent = {
+            id: randomUUID(),
+            name: name.trim(),
+            url: url.trim().replace(/\/$/, ''),
+            token,
+            createdAt: new Date().toISOString()
+        };
+        await services.fileStore.update((state) => ({ ...state, agents: [...state.agents, agent] }), { flush: 'immediate' });
+        return reply.code(201).send({ agent: { id: agent.id, name: agent.name, url: agent.url } });
+    });
+    // Rename agent
+    app.patch('/api/agents/:agentId', { preHandler: (request, reply) => requireAllowedOrigin(config, request, reply) }, async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const { name } = request.body ?? {};
+        if (typeof name !== 'string' || !name.trim())
+            return reply.code(400).send({ error: 'name_required' });
+        let found = false;
+        await services.fileStore.update((state) => {
+            const agents = state.agents.map((a) => {
+                if (a.id === request.params.agentId) {
+                    found = true;
+                    return { ...a, name: name.trim() };
+                }
+                return a;
+            });
+            return { ...state, agents };
+        });
+        if (!found)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return { ok: true };
+    });
+    // Remove agent
+    app.delete('/api/agents/:agentId', { preHandler: (request, reply) => requireAllowedOrigin(config, request, reply) }, async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        let found = false;
+        await services.fileStore.update((state) => {
+            const agents = state.agents.filter((a) => {
+                if (a.id === request.params.agentId) {
+                    found = true;
+                    return false;
+                }
+                return true;
+            });
+            // Drop the agent's stored layout too, so removed agents leave no orphaned state.
+            const { [request.params.agentId]: _removed, ...agentLayouts } = state.agentLayouts;
+            return { ...state, agents, agentLayouts };
+        }, { flush: 'immediate' });
+        if (!found)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return reply.code(204).send();
+    });
+    // System stats for the main host. Sidebar polls this on a long interval
+    // (~30s) so a delta-based CPU sample is meaningful without sampling
+    // overhead — see src/server/system/stats.ts.
+    app.get('/api/stats', async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        return collectSystemStats();
+    });
+    // Proxy: stats for a registered agent
+    app.get('/api/agents/:agentId/stats', async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return proxyAgentRequest(agent, '/stats', request, reply);
+    });
+    // Ping agent
+    app.get('/api/agents/:agentId/ping', async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const state = await services.fileStore.read();
+        const agent = state.agents.find((a) => a.id === request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        const start = Date.now();
+        try {
+            const res = await fetch(`${agent.url}/api/agent/terminals`, {
+                headers: { Authorization: `Bearer ${agent.token}` },
+                redirect: 'manual',
+                signal: AbortSignal.timeout(5000)
+            });
+            const latencyMs = Date.now() - start;
+            return { ok: res.ok, latencyMs };
+        }
+        catch {
+            return { ok: false, latencyMs: Date.now() - start };
+        }
+    });
+    // Proxy: version / update
+    app.get('/api/agents/:agentId/version', async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return proxyAgentRequest(agent, '/version', request, reply);
+    });
+    app.post('/api/agents/:agentId/update/check', { preHandler: (request, reply) => requireAllowedOrigin(config, request, reply) }, async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return proxyAgentRequest(agent, '/update/check', request, reply);
+    });
+    app.post('/api/agents/:agentId/update', { preHandler: (request, reply) => requireAllowedOrigin(config, request, reply) }, async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return proxyAgentRequest(agent, '/update', request, reply);
+    });
+    // Proxy: terminal list
+    app.get('/api/agents/:agentId/terminals', async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return proxyAgentRequest(agent, '/terminals', request, reply);
+    });
+    app.get('/api/agents/:agentId/terminals/:terminalId/history', async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        const query = request.url.includes('?') ? request.url.slice(request.url.indexOf('?')) : '';
+        return proxyAgentRequest(agent, `/terminals/${request.params.terminalId}/history${query}`, request, reply);
+    });
+    app.get('/api/agents/:agentId/terminals/:terminalId/transcript-history', async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        const query = request.url.includes('?') ? request.url.slice(request.url.indexOf('?')) : '';
+        return proxyAgentRequest(agent, `/terminals/${request.params.terminalId}/transcript-history${query}`, request, reply, {
+            unavailableFallback: {
+                terminalId: request.params.terminalId,
+                source: null,
+                cursor: null,
+                hasMore: false,
+                output: []
+            }
+        });
+    });
+    app.get('/api/agents/:agentId/terminals/:terminalId/transcript-source', async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return proxyAgentRequest(agent, `/terminals/${request.params.terminalId}/transcript-source`, request, reply, {
+            unavailableFallback: { terminalId: request.params.terminalId, source: null }
+        });
+    });
+    // Proxy: create terminal
+    app.post('/api/agents/:agentId/terminals', { preHandler: (request, reply) => requireAllowedOrigin(config, request, reply) }, async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return proxyAgentRequest(agent, '/terminals', request, reply);
+    });
+    // Proxy: close terminal
+    app.delete('/api/agents/:agentId/terminals/:terminalId', { preHandler: (request, reply) => requireAllowedOrigin(config, request, reply) }, async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return proxyAgentRequest(agent, `/terminals/${request.params.terminalId}`, request, reply);
+    });
+    // Proxy: rename terminal
+    app.patch('/api/agents/:agentId/terminals/:terminalId', { preHandler: (request, reply) => requireAllowedOrigin(config, request, reply) }, async (request, reply) => {
+        const auth = await authenticateTerminalRequest(services.authService, request, reply);
+        if (!auth)
+            return reply;
+        const agent = await resolveAgent(services.fileStore, request.params.agentId);
+        if (!agent)
+            return reply.code(404).send({ error: 'agent_not_found' });
+        return proxyAgentRequest(agent, `/terminals/${request.params.terminalId}`, request, reply);
+    });
+    // Proxy: terminal WebSocket
+    app.get('/api/agents/:agentId/terminals/:terminalId/ws', { websocket: true }, async (socket, request) => {
+        if (!request.headers.origin || !isAllowedOrigin(config, request.headers.origin)) {
+            socket.close(1008, 'origin not allowed');
+            return;
+        }
+        const auth = await authenticateTerminalRequest(services.authService, request);
+        if (!auth) {
+            socket.close(1008, 'unauthorized');
+            return;
+        }
+        const state = await services.fileStore.read();
+        const agent = state.agents.find((a) => a.id === request.params.agentId);
+        if (!agent) {
+            socket.close(1008, 'agent not found');
+            return;
+        }
+        proxyAgentWebSocket(socket, agent, request.params.terminalId);
+    });
+    // Proxy: file routes (all file operations)
+    const filePathParts = ['root', 'list', 'read', 'write', 'create', 'move', 'delete-preview', 'delete', 'open', 'preview'];
+    for (const part of filePathParts) {
+        app.post(`/api/agents/:agentId/files/${part}`, { preHandler: (request, reply) => requireAllowedOrigin(config, request, reply) }, async (request, reply) => {
+            const auth = await authenticateTerminalRequest(services.authService, request, reply);
+            if (!auth)
+                return reply;
+            const agent = await resolveAgent(services.fileStore, request.params.agentId);
+            if (!agent)
+                return reply.code(404).send({ error: 'agent_not_found' });
+            return proxyAgentRequest(agent, `/files/${part}`, request, reply);
+        });
+    }
+}
+async function resolveAgent(fileStore, agentId) {
+    const state = await fileStore.read();
+    return state.agents.find((a) => a.id === agentId) ?? null;
+}
+//# sourceMappingURL=agentManagementRoutes.js.map