opensentinel 3.1.1 → 3.7.0

package/dist/chunk-S2EOIVF4.js

@@ -0,0 +1,3907 @@
+import {
+  textToSpeech
+} from "./chunk-J4JW73TT.js";
+import {
+  transcribeAudio
+} from "./chunk-BNZHWAZC.js";
+import {
+  analyzeEmail,
+  listAnalyses,
+  persistAnalysis
+} from "./chunk-SDLOMKCW.js";
+import {
+  extractTextFromDriveItem,
+  getDefaultDrive,
+  getDriveItem,
+  getSite,
+  listDriveChildren,
+  listDriveRoot,
+  listDrives,
+  listSites
+} from "./chunk-66SAOZPU.js";
+import {
+  ImapClient,
+  SmtpClient,
+  TOOLS,
+  chat,
+  chatWithTools,
+  executeTool,
+  getAppProfile,
+  getDownloadEntry,
+  init_imap_client,
+  init_smtp_client,
+  prioritizeTools
+} from "./chunk-ZMML6T63.js";
+import {
+  deleteMemory,
+  exportMemories,
+  getMemoryById,
+  searchMemories,
+  storeMemory,
+  updateMemory
+} from "./chunk-QPY3WRVM.js";
+import {
+  getErrorStats,
+  getRecentErrors
+} from "./chunk-TKBVW7ZJ.js";
+import {
+  deleteConnection,
+  getAccessToken,
+  getConnection,
+  saveConnection
+} from "./chunk-6HGMRR4J.js";
+import {
+  decryptField
+} from "./chunk-DTISLIMB.js";
+import {
+  buildAuthorizeUrl,
+  cleanupExpiredStates,
+  consumeState,
+  exchangeCodeForTokens,
+  generateCodeChallenge,
+  generateCodeVerifier,
+  getM365Config,
+  isM365Configured,
+  persistState
+} from "./chunk-3AWAWRWB.js";
+import {
+  getMe,
+  getMessage,
+  listMessages,
+  stripHtml
+} from "./chunk-PBOCSGNL.js";
+import {
+  createLogger
+} from "./chunk-7BNFELEK.js";
+import {
+  brainTelemetry
+} from "./chunk-WMFYI7XC.js";
+import {
+  flushMetrics,
+  getMetricAggregates,
+  getMetricTimeSeries,
+  recordMetric
+} from "./chunk-YEDEAX6Y.js";
+import {
+  costTracker
+} from "./chunk-6ZNCY2GI.js";
+import {
+  createPublicRecords
+} from "./chunk-V3OKHQUX.js";
+import {
+  resolveEntity
+} from "./chunk-2I5QHYG6.js";
+import {
+  audit,
+  getAuditChainIntegrity,
+  logAudit,
+  queryAuditLogs
+} from "./chunk-BBN4VCNK.js";
+import {
+  db
+} from "./chunk-5BTVJR7R.js";
+import {
+  env
+} from "./chunk-4KIHDIXZ.js";
+import {
+  apiKeys,
+  conversations,
+  graphEntities,
+  graphRelationships,
+  memories,
+  messages,
+  sessions
+} from "./chunk-ZIBRVA3Y.js";
+import {
+  __require
+} from "./chunk-UP2VWCW5.js";
+
+// src/inputs/api/server.ts
+import { Hono as Hono15 } from "hono";
+import { cors } from "hono/cors";
+import { logger } from "hono/logger";
+import { desc as desc2, eq as eq4 } from "drizzle-orm";
+
+// src/core/security/api-key-manager.ts
+import { eq, and, isNull } from "drizzle-orm";
+import { randomBytes, createHash } from "crypto";
+var KEY_PREFIX = "mb_";
+function hashApiKey(key) {
+  return createHash("sha256").update(key).digest("hex");
+}
+async function validateApiKey(rawKey) {
+  if (!rawKey.startsWith(KEY_PREFIX)) {
+    return { valid: false };
+  }
+  const keyHash = hashApiKey(rawKey);
+  const now = /* @__PURE__ */ new Date();
+  const [key] = await db.select().from(apiKeys).where(
+    and(
+      eq(apiKeys.keyHash, keyHash),
+      isNull(apiKeys.revokedAt)
+    )
+  ).limit(1);
+  if (!key) {
+    return { valid: false };
+  }
+  if (key.expiresAt && key.expiresAt < now) {
+    return { valid: false };
+  }
+  await db.update(apiKeys).set({ lastUsedAt: now }).where(eq(apiKeys.id, key.id));
+  return {
+    valid: true,
+    apiKey: {
+      id: key.id,
+      name: key.name,
+      prefix: key.keyPrefix,
+      permissions: key.permissions || [],
+      createdAt: key.createdAt,
+      lastUsedAt: now,
+      expiresAt: key.expiresAt,
+      isRevoked: false
+    },
+    userId: key.userId
+  };
+}
+function hasPermission(apiKeyPermissions, requiredPermission) {
+  if (apiKeyPermissions.includes("*")) {
+    return true;
+  }
+  return apiKeyPermissions.includes(requiredPermission);
+}
+
+// src/core/security/session-manager.ts
+import { eq as eq2, and as and2, gt, lt } from "drizzle-orm";
+import { randomBytes as randomBytes2, createHash as createHash2 } from "crypto";
+var SESSION_DURATION_MS = 7 * 24 * 60 * 60 * 1e3;
+function hashToken(token) {
+  return createHash2("sha256").update(token).digest("hex");
+}
+async function validateSession(token) {
+  const tokenHash = hashToken(token);
+  const now = /* @__PURE__ */ new Date();
+  const [session] = await db.select().from(sessions).where(and2(eq2(sessions.token, tokenHash), gt(sessions.expiresAt, now))).limit(1);
+  if (!session) {
+    return null;
+  }
+  await db.update(sessions).set({ lastActiveAt: now }).where(eq2(sessions.id, session.id));
+  return {
+    userId: session.userId,
+    sessionId: session.id,
+    expiresAt: session.expiresAt,
+    deviceInfo: session.deviceInfo
+  };
+}
+
+// src/core/security/gateway-utils.ts
+function getGatewayToken() {
+  const token = env.GATEWAY_TOKEN;
+  return token || void 0;
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) {
+    let result2 = 1;
+    for (let i = 0; i < b.length; i++) {
+      result2 |= b.charCodeAt(i) ^ (a.charCodeAt(i % (a.length || 1)) || 0);
+    }
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+// src/core/security/auth-middleware.ts
+var PUBLIC_ROUTES = [
+  "/health",
+  "/api/system/status",
+  "/api/pair",
+  "/api/sdk/register",
+  // M365 OAuth endpoints — user is unauthenticated during login + callback.
+  "/api/m365/auth/login",
+  "/api/m365/auth/callback",
+  // Legacy Entra redirect URI (aliased to /api/m365/auth/callback).
+  "/api/callbacks/outlook"
+];
+var SDK_PREFIX = "/api/sdk/";
+function authMiddleware() {
+  return async (c, next) => {
+    const path = c.req.path;
+    if (PUBLIC_ROUTES.includes(path)) {
+      return next();
+    }
+    if (path.startsWith(SDK_PREFIX) && path !== "/api/sdk/register") {
+      return next();
+    }
+    const gatewayToken = getGatewayToken();
+    if (!gatewayToken) {
+      c.set("userId", "local");
+      c.set("permissions", ["*"]);
+      c.set("authMethod", "none");
+      return next();
+    }
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      return c.json({ error: "Missing or invalid authorization header" }, 401);
+    }
+    const token = authHeader.slice(7);
+    if (timingSafeEqual(token, gatewayToken)) {
+      c.set("userId", "gateway");
+      c.set("permissions", ["*"]);
+      c.set("authMethod", "gateway");
+      logAudit({
+        userId: "gateway",
+        action: "login",
+        resource: "session",
+        details: { method: "gateway_token", path }
+      }).catch(() => {
+      });
+      return next();
+    }
+    const sessionInfo = await validateSession(token);
+    if (sessionInfo) {
+      c.set("userId", sessionInfo.userId);
+      c.set("permissions", ["*"]);
+      c.set("authMethod", "session");
+      logAudit({
+        userId: sessionInfo.userId,
+        action: "login",
+        resource: "session",
+        details: { method: "session", path }
+      }).catch(() => {
+      });
+      return next();
+    }
+    const apiKeyResult = await validateApiKey(token);
+    if (apiKeyResult.valid && apiKeyResult.apiKey && apiKeyResult.userId) {
+      c.set("userId", apiKeyResult.userId);
+      c.set("permissions", apiKeyResult.apiKey.permissions);
+      c.set("authMethod", "api_key");
+      logAudit({
+        userId: apiKeyResult.userId,
+        action: "login",
+        resource: "api_key",
+        details: { method: "api_key", keyId: apiKeyResult.apiKey.id, path }
+      }).catch(() => {
+      });
+      return next();
+    }
+    return c.json({ error: "Invalid or expired credentials" }, 401);
+  };
+}
+function requirePermission(...requiredPermissions) {
+  return async (c, next) => {
+    const permissions = c.get("permissions");
+    if (!permissions) {
+      return c.json({ error: "Not authenticated" }, 401);
+    }
+    if (permissions.includes("*")) {
+      return next();
+    }
+    for (const required of requiredPermissions) {
+      if (!hasPermission(permissions, required)) {
+        return c.json({ error: "Insufficient permissions" }, 403);
+      }
+    }
+    return next();
+  };
+}
+function getAuthUserId(c) {
+  return c.get("userId");
+}
+
+// src/inputs/api/routes/osint.ts
+import { Hono } from "hono";
+import { eq as eq3, sql, desc, ilike, and as and3 } from "drizzle-orm";
+var _publicRecords = null;
+function getPublicRecords() {
+  if (!_publicRecords) _publicRecords = createPublicRecords();
+  return _publicRecords;
+}
+var osint = new Hono();
+osint.use("*", async (c, next) => {
+  if (!env.OSINT_ENABLED) {
+    return c.json({ error: "OSINT features are disabled" }, 403);
+  }
+  await next();
+});
+osint.get("/graph", async (c) => {
+  try {
+    const graphStart = Date.now();
+    const userId = c.req.query("userId") || "system";
+    const limit = Math.min(parseInt(c.req.query("limit") || "200", 10), 1e3);
+    const since = c.req.query("since");
+    const until = c.req.query("until");
+    brainTelemetry.emitEvent({
+      type: "tool_start",
+      timestamp: graphStart,
+      requestId: `osint-graph-${graphStart}`,
+      data: { toolName: "osint_graph_load", since, until, limit }
+    });
+    const conditions = [];
+    if (since) {
+      conditions.push(sql`${graphEntities.createdAt} >= ${new Date(since)}`);
+    }
+    if (until) {
+      conditions.push(sql`${graphEntities.createdAt} <= ${new Date(until)}`);
+    }
+    const query = db.select({
+      id: graphEntities.id,
+      name: graphEntities.name,
+      type: graphEntities.type,
+      importance: graphEntities.importance,
+      description: graphEntities.description,
+      attributes: graphEntities.attributes,
+      aliases: graphEntities.aliases,
+      createdAt: graphEntities.createdAt
+    }).from(graphEntities);
+    const entities = conditions.length > 0 ? await query.where(and3(...conditions)).orderBy(desc(graphEntities.importance)).limit(limit) : await query.orderBy(desc(graphEntities.importance)).limit(limit);
+    const entityIds = entities.map((e) => e.id);
+    if (entityIds.length === 0) {
+      return c.json({ nodes: [], edges: [] });
+    }
+    const relationships = await db.select({
+      id: graphRelationships.id,
+      source: graphRelationships.sourceEntityId,
+      target: graphRelationships.targetEntityId,
+      type: graphRelationships.type,
+      strength: graphRelationships.strength
+    }).from(graphRelationships).where(
+      and3(
+        sql`${graphRelationships.sourceEntityId} = ANY(${sql`ARRAY[${sql.join(entityIds.map((id) => sql`${id}`), sql`, `)}]::uuid[]`})`,
+        sql`${graphRelationships.targetEntityId} = ANY(${sql`ARRAY[${sql.join(entityIds.map((id) => sql`${id}`), sql`, `)}]::uuid[]`})`
+      )
+    );
+    brainTelemetry.emitEvent({
+      type: "tool_complete",
+      timestamp: Date.now(),
+      requestId: `osint-graph-${graphStart}`,
+      data: { toolName: "osint_graph_load", success: true, latencyMs: Date.now() - graphStart, nodeCount: entities.length, edgeCount: relationships.length }
+    });
+    return c.json({
+      nodes: entities,
+      edges: relationships,
+      stats: {
+        totalEntities: entities.length,
+        totalRelationships: relationships.length,
+        totalSources: new Set(
+          entities.flatMap((e) => {
+            const srcs = e.attributes?.sources;
+            return Array.isArray(srcs) ? srcs.map((s) => s.type || "unknown") : [];
+          })
+        ).size
+      }
+    });
+  } catch (error) {
+    console.error("[OSINT API] /graph error:", error);
+    return c.json({ error: "Failed to fetch graph data" }, 500);
+  }
+});
+osint.get("/entity/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const results = await db.select().from(graphEntities).where(eq3(graphEntities.id, id)).limit(1);
+    if (results.length === 0) {
+      return c.json({ error: "Entity not found" }, 404);
+    }
+    const entity = results[0];
+    const outgoing = await db.select({
+      id: graphRelationships.id,
+      sourceEntityId: graphRelationships.sourceEntityId,
+      targetEntityId: graphRelationships.targetEntityId,
+      type: graphRelationships.type,
+      strength: graphRelationships.strength,
+      context: graphRelationships.context,
+      attributes: graphRelationships.attributes,
+      targetName: graphEntities.name
+    }).from(graphRelationships).innerJoin(graphEntities, eq3(graphRelationships.targetEntityId, graphEntities.id)).where(eq3(graphRelationships.sourceEntityId, id));
+    const incoming = await db.select({
+      id: graphRelationships.id,
+      sourceEntityId: graphRelationships.sourceEntityId,
+      targetEntityId: graphRelationships.targetEntityId,
+      type: graphRelationships.type,
+      strength: graphRelationships.strength,
+      context: graphRelationships.context,
+      attributes: graphRelationships.attributes,
+      sourceName: graphEntities.name
+    }).from(graphRelationships).innerJoin(graphEntities, eq3(graphRelationships.sourceEntityId, graphEntities.id)).where(eq3(graphRelationships.targetEntityId, id));
+    return c.json({
+      entity,
+      relationships: {
+        outgoing,
+        incoming
+      }
+    });
+  } catch (error) {
+    console.error("[OSINT API] /entity/:id error:", error);
+    return c.json({ error: "Failed to fetch entity" }, 500);
+  }
+});
+function normalizeFECName(raw) {
+  if (!raw.includes(",")) return toTitleCase(raw);
+  const [last, ...rest] = raw.split(",").map((s) => s.trim());
+  const first = rest.join(" ").trim();
+  if (!first) return toTitleCase(last);
+  return toTitleCase(`${first} ${last}`);
+}
+function toTitleCase(s) {
+  return s.toLowerCase().replace(/\b\w/g, (c) => c.toUpperCase());
+}
+async function searchExternalAPIs(query) {
+  const pr = getPublicRecords();
+  const newEntityIds = [];
+  const [fecCandidates, fecCommittees, ocCompanies] = await Promise.all([
+    pr.fec.searchCandidates(query).then((r) => r.slice(0, 10)).catch((err) => {
+      console.warn("[OSINT API] FEC candidates search failed:", err.message);
+      return [];
+    }),
+    pr.fec.searchCommittees(query).then((r) => r.slice(0, 10)).catch((err) => {
+      console.warn("[OSINT API] FEC committees search failed:", err.message);
+      return [];
+    }),
+    pr.opencorporates.searchCompanies(query, "us").then((r) => r.slice(0, 10)).catch((err) => {
+      console.warn("[OSINT API] OpenCorporates search failed:", err.message);
+      return [];
+    })
+  ]);
+  const candidates = [];
+  for (const c of fecCandidates) {
+    candidates.push({
+      name: normalizeFECName(c.name),
+      type: "person",
+      source: "fec",
+      identifiers: { fecId: c.candidateId },
+      attributes: {
+        party: c.party,
+        office: c.office,
+        state: c.state,
+        district: c.district,
+        cycles: c.cycles
+      }
+    });
+  }
+  for (const c of fecCommittees) {
+    candidates.push({
+      name: toTitleCase(c.name),
+      type: "committee",
+      source: "fec",
+      identifiers: { fecId: c.committeeId },
+      attributes: {
+        designation: c.designation,
+        committeeType: c.type,
+        party: c.party,
+        state: c.state,
+        treasurerName: c.treasurerName
+      }
+    });
+  }
+  for (const c of ocCompanies) {
+    candidates.push({
+      name: c.name,
+      type: "organization",
+      source: "opencorporates",
+      attributes: {
+        companyNumber: c.companyNumber,
+        jurisdiction: c.jurisdictionCode,
+        status: c.status,
+        companyType: c.companyType,
+        incorporationDate: c.incorporationDate,
+        registeredAddress: c.registeredAddress,
+        openCorporatesUrl: c.openCorporatesUrl
+      }
+    });
+  }
+  for (const candidate of candidates) {
+    try {
+      const resolved = await resolveEntity(candidate);
+      newEntityIds.push(resolved.entityId);
+    } catch (err) {
+      console.warn(`[OSINT API] Entity resolution failed for "${candidate.name}":`, err.message);
+    }
+  }
+  return [...new Set(newEntityIds)];
+}
+osint.get("/search", async (c) => {
+  try {
+    const q = c.req.query("q");
+    const type = c.req.query("type");
+    const limit = Math.min(parseInt(c.req.query("limit") || "25", 10), 100);
+    if (!q) {
+      return c.json({ error: "Query parameter 'q' is required" }, 400);
+    }
+    const searchStart = Date.now();
+    brainTelemetry.emitEvent({
+      type: "tool_start",
+      timestamp: searchStart,
+      requestId: `osint-search-${searchStart}`,
+      data: { toolName: "osint_search", query: q, entityType: type }
+    });
+    let query = db.select().from(graphEntities).where(
+      type ? and3(ilike(graphEntities.name, `%${q}%`), eq3(graphEntities.type, type)) : ilike(graphEntities.name, `%${q}%`)
+    ).orderBy(desc(graphEntities.importance)).limit(limit);
+    let results = await query;
+    let externalSearched = false;
+    if (results.length < 3 && q.length >= 2) {
+      try {
+        console.log(`[OSINT API] Local results (${results.length}) < 3 for "${q}", querying external APIs...`);
+        const externalIds = await searchExternalAPIs(q);
+        externalSearched = true;
+        if (externalIds.length > 0) {
+          const nameCondition = type ? and3(ilike(graphEntities.name, `%${q}%`), eq3(graphEntities.type, type)) : ilike(graphEntities.name, `%${q}%`);
+          const idCondition = sql`${graphEntities.id} = ANY(${sql`ARRAY[${sql.join(externalIds.map((id) => sql`${id}`), sql`, `)}]::uuid[]`})`;
+          results = await db.select().from(graphEntities).where(sql`(${nameCondition}) OR (${idCondition})`).orderBy(desc(graphEntities.importance)).limit(limit);
+        }
+      } catch (extErr) {
+        console.warn("[OSINT API] External search failed (graceful):", extErr.message);
+      }
+    }
+    const entityIds = results.map((e) => e.id);
+    let edges = [];
+    if (entityIds.length > 1) {
+      edges = await db.select({
+        id: graphRelationships.id,
+        source: graphRelationships.sourceEntityId,
+        target: graphRelationships.targetEntityId,
+        type: graphRelationships.type,
+        strength: graphRelationships.strength
+      }).from(graphRelationships).where(
+        and3(
+          sql`${graphRelationships.sourceEntityId} = ANY(${sql`ARRAY[${sql.join(entityIds.map((id) => sql`${id}`), sql`, `)}]::uuid[]`})`,
+          sql`${graphRelationships.targetEntityId} = ANY(${sql`ARRAY[${sql.join(entityIds.map((id) => sql`${id}`), sql`, `)}]::uuid[]`})`
+        )
+      );
+    }
+    const searchLatency = Date.now() - searchStart;
+    brainTelemetry.emitEvent({
+      type: "tool_complete",
+      timestamp: Date.now(),
+      requestId: `osint-search-${searchStart}`,
+      data: { toolName: "osint_search", success: true, latencyMs: searchLatency, resultCount: results.length, externalSearched }
+    });
+    audit.toolUse("web:dashboard", "osint_search", { query: q, entityType: type, resultCount: results.length, externalSearched, latencyMs: searchLatency }, true).catch(() => {
+    });
+    return c.json({ results, edges, total: results.length, externalSearched });
+  } catch (error) {
+    console.error("[OSINT API] /search error:", error);
+    brainTelemetry.emitEvent({
+      type: "tool_complete",
+      timestamp: Date.now(),
+      requestId: `osint-search-${Date.now()}`,
+      data: { toolName: "osint_search", success: false }
+    });
+    audit.toolUse("web:dashboard", "osint_search", { query: c.req.query("q"), error: error?.message }, false).catch(() => {
+    });
+    return c.json({ error: "Search failed" }, 500);
+  }
+});
+osint.post("/enrich", async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.entityId) {
+      return c.json({ error: "entityId is required" }, 400);
+    }
+    const entity = await db.select().from(graphEntities).where(eq3(graphEntities.id, body.entityId)).limit(1);
+    if (entity.length === 0) {
+      return c.json({ error: "Entity not found" }, 404);
+    }
+    const enrichStart = Date.now();
+    const entityName = entity[0].name || body.entityId;
+    brainTelemetry.emitEvent({
+      type: "tool_start",
+      timestamp: enrichStart,
+      requestId: `osint-enrich-${enrichStart}`,
+      data: { toolName: "osint_enrich", entityId: body.entityId, entityName, sources: body.sources, depth: body.depth ?? 1 }
+    });
+    const { enrichEntity } = await import("./enrichment-pipeline-7FE5R5ZI.js");
+    const result = await enrichEntity(body.entityId, body.sources, body.depth ?? 1);
+    const enrichLatency = Date.now() - enrichStart;
+    brainTelemetry.emitEvent({
+      type: "tool_complete",
+      timestamp: Date.now(),
+      requestId: `osint-enrich-${enrichStart}`,
+      data: { toolName: "osint_enrich", success: true, latencyMs: enrichLatency, entityName, newEntities: result?.newEntitiesCreated, newRelationships: result?.newRelationshipsCreated }
+    });
+    audit.toolUse("web:dashboard", "osint_enrich", { entityId: body.entityId, entityName, sources: body.sources, depth: body.depth, newEntities: result?.newEntitiesCreated, newRelationships: result?.newRelationshipsCreated, latencyMs: enrichLatency }, true).catch(() => {
+    });
+    return c.json({ success: true, result });
+  } catch (error) {
+    if (error?.code === "MODULE_NOT_FOUND" || error?.message?.includes("Cannot find module")) {
+      return c.json({ error: "Enrichment pipeline is not available" }, 501);
+    }
+    console.error("[OSINT API] /enrich error:", error);
+    brainTelemetry.emitEvent({
+      type: "tool_complete",
+      timestamp: Date.now(),
+      requestId: `osint-enrich-${Date.now()}`,
+      data: { toolName: "osint_enrich", success: false, error: error?.message }
+    });
+    audit.toolUse("web:dashboard", "osint_enrich", { error: error?.message }, false).catch(() => {
+    });
+    return c.json({ error: "Enrichment failed" }, 500);
+  }
+});
+var FINANCIAL_REL_TYPES = ["donated_to", "funded", "awarded_contract", "grant_to", "paid"];
+osint.get("/financial-flow", async (c) => {
+  try {
+    const entityId = c.req.query("entityId");
+    if (!entityId) {
+      return c.json({ error: "Query parameter 'entityId' is required" }, 400);
+    }
+    const rootEntity = await db.select({ id: graphEntities.id, name: graphEntities.name }).from(graphEntities).where(eq3(graphEntities.id, entityId)).limit(1);
+    if (rootEntity.length === 0) {
+      return c.json({ error: "Entity not found" }, 404);
+    }
+    const outgoing = await db.select({
+      id: graphRelationships.id,
+      sourceEntityId: graphRelationships.sourceEntityId,
+      targetEntityId: graphRelationships.targetEntityId,
+      type: graphRelationships.type,
+      strength: graphRelationships.strength,
+      attributes: graphRelationships.attributes
+    }).from(graphRelationships).where(
+      and3(
+        eq3(graphRelationships.sourceEntityId, entityId),
+        sql`${graphRelationships.type} = ANY(${sql`ARRAY[${sql.join(FINANCIAL_REL_TYPES.map((t) => sql`${t}`), sql`, `)}]::text[]`})`
+      )
+    );
+    const incoming = await db.select({
+      id: graphRelationships.id,
+      sourceEntityId: graphRelationships.sourceEntityId,
+      targetEntityId: graphRelationships.targetEntityId,
+      type: graphRelationships.type,
+      strength: graphRelationships.strength,
+      attributes: graphRelationships.attributes
+    }).from(graphRelationships).where(
+      and3(
+        eq3(graphRelationships.targetEntityId, entityId),
+        sql`${graphRelationships.type} = ANY(${sql`ARRAY[${sql.join(FINANCIAL_REL_TYPES.map((t) => sql`${t}`), sql`, `)}]::text[]`})`
+      )
+    );
+    const allRels = [...outgoing, ...incoming];
+    const relatedIds = /* @__PURE__ */ new Set();
+    relatedIds.add(entityId);
+    for (const rel of allRels) {
+      relatedIds.add(rel.sourceEntityId);
+      relatedIds.add(rel.targetEntityId);
+    }
+    const relatedEntities = await db.select({
+      id: graphEntities.id,
+      name: graphEntities.name,
+      type: graphEntities.type
+    }).from(graphEntities).where(sql`${graphEntities.id} = ANY(${sql`ARRAY[${sql.join([...relatedIds].map((id) => sql`${id}`), sql`, `)}]::uuid[]`})`);
+    const entityMap = new Map(relatedEntities.map((e) => [e.id, e]));
+    const nodeValues = /* @__PURE__ */ new Map();
+    for (const rel of allRels) {
+      const attrs = rel.attributes || {};
+      const amount = attrs.amount || rel.strength || 1;
+      nodeValues.set(rel.sourceEntityId, (nodeValues.get(rel.sourceEntityId) || 0) + amount);
+      nodeValues.set(rel.targetEntityId, (nodeValues.get(rel.targetEntityId) || 0) + amount);
+    }
+    const nodes = relatedEntities.map((e) => ({
+      id: e.id,
+      name: e.name,
+      type: e.type,
+      value: nodeValues.get(e.id) || 0
+    }));
+    const links = allRels.filter((rel) => entityMap.has(rel.sourceEntityId) && entityMap.has(rel.targetEntityId)).map((rel) => {
+      const attrs = rel.attributes || {};
+      return {
+        source: rel.sourceEntityId,
+        target: rel.targetEntityId,
+        value: attrs.amount || rel.strength || 1,
+        description: `${rel.type.replace(/_/g, " ")}${attrs.period ? ` (${attrs.period})` : ""}`
+      };
+    });
+    return c.json({ nodes, links });
+  } catch (error) {
+    console.error("[OSINT API] /financial-flow error:", error);
+    return c.json({ error: "Failed to fetch financial flow data" }, 500);
+  }
+});
+osint.get("/duplicates", async (c) => {
+  try {
+    const threshold = parseFloat(c.req.query("threshold") || "0.85");
+    const { findDuplicates } = await import("./entity-resolution-7Z6STVXX.js");
+    const duplicates = await findDuplicates(threshold);
+    return c.json({ duplicates, total: duplicates.length });
+  } catch (error) {
+    console.error("[OSINT API] /duplicates error:", error);
+    return c.json({ error: "Failed to find duplicates" }, 500);
+  }
+});
+osint.get("/stats", async (c) => {
+  try {
+    const totalEntitiesResult = await db.select({ count: sql`count(*)::int` }).from(graphEntities);
+    const totalEntities = totalEntitiesResult[0]?.count ?? 0;
+    const totalRelsResult = await db.select({ count: sql`count(*)::int` }).from(graphRelationships);
+    const totalRelationships = totalRelsResult[0]?.count ?? 0;
+    const entitiesByType = await db.select({
+      type: graphEntities.type,
+      count: sql`count(*)::int`
+    }).from(graphEntities).groupBy(graphEntities.type).orderBy(desc(sql`count(*)`));
+    const topEntities = await db.select({
+      id: graphEntities.id,
+      name: graphEntities.name,
+      type: graphEntities.type,
+      mentionCount: graphEntities.mentionCount,
+      importance: graphEntities.importance
+    }).from(graphEntities).orderBy(desc(graphEntities.mentionCount)).limit(20);
+    return c.json({
+      totalEntities,
+      totalRelationships,
+      entitiesByType,
+      topEntities
+    });
+  } catch (error) {
+    console.error("[OSINT API] /stats error:", error);
+    return c.json({ error: "Failed to fetch statistics" }, 500);
+  }
+});
+
+// src/inputs/api/routes/email.ts
+import { Hono as Hono2 } from "hono";
+init_imap_client();
+init_smtp_client();
+var email = new Hono2();
+async function connectImapClientWithFallback(emailAddress) {
+  if (env.EMAIL_MASTER_USER && env.EMAIL_MASTER_PASSWORD) {
+    const authUser = `${emailAddress}*${env.EMAIL_MASTER_USER}`;
+    const localClient = new ImapClient({
+      host: env.EMAIL_LOCAL_IMAP_HOST || "127.0.0.1",
+      port: env.EMAIL_LOCAL_IMAP_PORT || 993,
+      secure: true,
+      user: authUser,
+      password: env.EMAIL_MASTER_PASSWORD,
+      tls: { rejectUnauthorized: false }
+    });
+    try {
+      await localClient.connect();
+      return localClient;
+    } catch (localErr) {
+      const remoteHost = env.EMAIL_IMAP_HOST;
+      const remotePort = env.EMAIL_IMAP_PORT || 993;
+      if (!remoteHost) throw localErr;
+      console.log(
+        `[Email API] Local IMAP unavailable (${localErr.code || localErr.message}), falling back to ${remoteHost}:${remotePort}`
+      );
+      const remoteClient = new ImapClient({
+        host: remoteHost,
+        port: remotePort,
+        secure: true,
+        user: authUser,
+        password: env.EMAIL_MASTER_PASSWORD,
+        tls: { rejectUnauthorized: false }
+      });
+      await remoteClient.connect();
+      return remoteClient;
+    }
+  } else if (env.EMAIL_USER && env.EMAIL_PASSWORD) {
+    const client = new ImapClient({
+      host: env.EMAIL_IMAP_HOST || "imap.gmail.com",
+      port: env.EMAIL_IMAP_PORT || 993,
+      secure: env.EMAIL_IMAP_SECURE !== false,
+      user: env.EMAIL_USER,
+      password: env.EMAIL_PASSWORD
+    });
+    await client.connect();
+    return client;
+  }
+  throw new Error("Email not configured");
+}
+function createSmtpClient(fromAddress) {
+  if (env.EMAIL_MASTER_USER) {
+    return new SmtpClient(
+      {
+        host: env.EMAIL_LOCAL_SMTP_HOST || "127.0.0.1",
+        port: env.EMAIL_LOCAL_SMTP_PORT || 25,
+        secure: false,
+        auth: { user: "", pass: "" },
+        tls: { rejectUnauthorized: false }
+      },
+      fromAddress
+    );
+  } else if (env.EMAIL_USER && env.EMAIL_PASSWORD) {
+    return new SmtpClient(
+      {
+        host: env.EMAIL_SMTP_HOST || "smtp.gmail.com",
+        port: env.EMAIL_SMTP_PORT || 587,
+        secure: env.EMAIL_SMTP_SECURE === true,
+        auth: { user: env.EMAIL_USER, pass: env.EMAIL_PASSWORD }
+      },
+      fromAddress
+    );
+  }
+  throw new Error("Email not configured");
+}
+function serializeEmail(email2, includeBody) {
+  const serialized = {
+    id: email2.id,
+    uid: email2.uid,
+    messageId: email2.messageId,
+    subject: email2.subject,
+    from: email2.from,
+    to: email2.to,
+    cc: email2.cc,
+    bcc: email2.bcc,
+    date: email2.date.toISOString(),
+    text: includeBody ? email2.text : email2.snippet,
+    html: includeBody ? email2.html : "",
+    snippet: email2.snippet,
+    attachments: email2.attachments.map((a) => ({
+      filename: a.filename,
+      contentType: a.contentType,
+      size: a.size,
+      contentId: a.contentId,
+      hasContent: !!a.content
+    })),
+    flags: email2.flags,
+    labels: email2.labels,
+    threadId: email2.threadId,
+    inReplyTo: email2.inReplyTo,
+    references: email2.references,
+    headers: Object.fromEntries(email2.headers)
+  };
+  return serialized;
+}
+email.use("*", async (c, next) => {
+  if (!env.EMAIL_MASTER_USER && !env.EMAIL_USER) {
+    return c.json(
+      { error: "Email not configured. Set EMAIL_MASTER_USER or EMAIL_USER in .env" },
+      503
+    );
+  }
+  await next();
+});
+email.get("/accounts", async (c) => {
+  const accounts = [];
+  if (env.EMAIL_USER) accounts.push(env.EMAIL_USER);
+  const extra = process.env.EMAIL_ACCOUNTS;
+  if (extra) {
+    for (const addr of extra.split(",").map((a) => a.trim()).filter(Boolean)) {
+      if (!accounts.includes(addr)) accounts.push(addr);
+    }
+  }
+  return c.json({ accounts });
+});
+email.get("/folders", async (c) => {
+  const emailAddress = c.req.query("email_address");
+  if (!emailAddress) {
+    return c.json({ error: "Query parameter 'email_address' is required" }, 400);
+  }
+  let imap = null;
+  try {
+    imap = await connectImapClientWithFallback(emailAddress);
+    const folders = await imap.listFolders();
+    return c.json(folders);
+  } catch (error) {
+    console.error("[Email API] /folders error:", error);
+    return c.json(
+      { error: error instanceof Error ? error.message : "Failed to list folders" },
+      500
+    );
+  } finally {
+    if (imap) {
+      await imap.disconnect().catch(() => {
+      });
+    }
+  }
+});
+email.get("/inbox", async (c) => {
+  const emailAddress = c.req.query("email_address");
+  if (!emailAddress) {
+    return c.json({ error: "Query parameter 'email_address' is required" }, 400);
+  }
+  const folder = c.req.query("folder") || "INBOX";
+  const limit = c.req.query("limit") || "20";
+  const offset = c.req.query("offset") || "0";
+  const unreadOnly = c.req.query("unread_only") === "true";
+  let imap = null;
+  try {
+    imap = await connectImapClientWithFallback(emailAddress);
+    let emails;
+    if (unreadOnly) {
+      emails = await imap.searchEmails({
+        folder,
+        seen: false,
+        limit: parseInt(limit)
+      });
+    } else {
+      emails = await imap.fetchEmails(folder, {
+        limit: parseInt(limit),
+        offset: parseInt(offset)
+      });
+    }
+    return c.json({
+      emails: emails.map((e) => serializeEmail(e, false)),
+      folder
+    });
+  } catch (error) {
+    console.error("[Email API] /inbox error:", error);
+    return c.json(
+      { error: error instanceof Error ? error.message : "Failed to fetch emails" },
+      500
+    );
+  } finally {
+    if (imap) {
+      await imap.disconnect().catch(() => {
+      });
+    }
+  }
+});
+email.get("/message/:uid", async (c) => {
+  const emailAddress = c.req.query("email_address");
+  if (!emailAddress) {
+    return c.json({ error: "Query parameter 'email_address' is required" }, 400);
+  }
+  const uid = parseInt(c.req.param("uid"));
+  const folder = c.req.query("folder") || "INBOX";
+  let imap = null;
+  try {
+    imap = await connectImapClientWithFallback(emailAddress);
+    const emailMsg = await imap.fetchEmail(uid, folder);
+    if (!emailMsg) {
+      return c.json({ error: "Email not found" }, 404);
+    }
+    await imap.markAsRead(uid, folder);
+    return c.json(serializeEmail(emailMsg, true));
+  } catch (error) {
+    console.error("[Email API] /message/:uid error:", error);
+    return c.json(
+      { error: error instanceof Error ? error.message : "Failed to fetch email" },
+      500
+    );
+  } finally {
+    if (imap) {
+      await imap.disconnect().catch(() => {
+      });
+    }
+  }
+});
+email.get("/attachment/:uid/:index", async (c) => {
+  const emailAddress = c.req.query("email_address");
+  if (!emailAddress) {
+    return c.json({ error: "Query parameter 'email_address' is required" }, 400);
+  }
+  const uid = parseInt(c.req.param("uid"));
+  const index = parseInt(c.req.param("index"));
+  const folder = c.req.query("folder") || "INBOX";
+  let imap = null;
+  try {
+    imap = await connectImapClientWithFallback(emailAddress);
+    const emailMsg = await imap.fetchEmail(uid, folder);
+    if (!emailMsg) {
+      return c.json({ error: "Email not found" }, 404);
+    }
+    const attachment = emailMsg.attachments[index];
+    if (!attachment) {
+      return c.json({ error: "Attachment not found" }, 404);
+    }
+    if (!attachment.content) {
+      return c.json({ error: "Attachment content not available" }, 404);
+    }
+    return new Response(new Uint8Array(attachment.content), {
+      headers: {
+        "Content-Type": attachment.contentType || "application/octet-stream",
+        "Content-Disposition": `attachment; filename="${attachment.filename}"`,
+        "Content-Length": String(attachment.size || attachment.content.length)
+      }
+    });
+  } catch (error) {
+    console.error("[Email API] /attachment/:uid/:index error:", error);
+    return c.json(
+      { error: error instanceof Error ? error.message : "Failed to fetch attachment" },
+      500
+    );
+  } finally {
+    if (imap) {
+      await imap.disconnect().catch(() => {
+      });
+    }
+  }
+});
+email.post("/send", async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.from || !body.to || !body.subject) {
+      return c.json({ error: "Fields 'from', 'to', and 'subject' are required" }, 400);
+    }
+    const smtp = createSmtpClient(body.from);
+    const convertedAttachments = body.attachments?.map((a) => ({
+      filename: a.filename,
+      contentType: a.contentType,
+      size: Buffer.from(a.content, "base64").length,
+      content: Buffer.from(a.content, "base64")
+    }));
+    const result = await smtp.send({
+      to: body.to,
+      cc: body.cc,
+      bcc: body.bcc,
+      subject: body.subject,
+      text: body.text,
+      html: body.html,
+      attachments: convertedAttachments
+    });
+    return c.json(result);
+  } catch (error) {
+    console.error("[Email API] /send error:", error);
+    return c.json(
+      { error: error instanceof Error ? error.message : "Failed to send email" },
+      500
+    );
+  }
+});
+email.post("/reply", async (c) => {
+  const body = await c.req.json();
+  if (!body.email_address || !body.email_uid || !body.body) {
+    return c.json(
+      { error: "Fields 'email_address', 'email_uid', and 'body' are required" },
+      400
+    );
+  }
+  const folder = body.folder || "INBOX";
+  let imap = null;
+  try {
+    imap = await connectImapClientWithFallback(body.email_address);
+    const originalEmail = await imap.fetchEmail(body.email_uid, folder);
+    if (!originalEmail) {
+      return c.json({ error: "Original email not found" }, 404);
+    }
+    const smtp = createSmtpClient(body.email_address);
+    const convertedAttachments = body.attachments?.map((a) => ({
+      filename: a.filename,
+      contentType: a.contentType,
+      size: Buffer.from(a.content, "base64").length,
+      content: Buffer.from(a.content, "base64")
+    }));
+    let result;
+    if (body.reply_all) {
+      result = await smtp.replyAll(
+        originalEmail,
+        { text: body.body, html: body.html, attachments: convertedAttachments },
+        body.email_address
+      );
+    } else {
+      result = await smtp.reply(originalEmail, {
+        text: body.body,
+        html: body.html,
+        attachments: convertedAttachments
+      });
+    }
+    return c.json(result);
+  } catch (error) {
+    console.error("[Email API] /reply error:", error);
+    return c.json(
+      { error: error instanceof Error ? error.message : "Failed to send reply" },
+      500
+    );
+  } finally {
+    if (imap) {
+      await imap.disconnect().catch(() => {
+      });
+    }
+  }
+});
+email.post("/search", async (c) => {
+  const body = await c.req.json();
+  if (!body.email_address) {
+    return c.json({ error: "Field 'email_address' is required" }, 400);
+  }
+  let imap = null;
+  try {
+    imap = await connectImapClientWithFallback(body.email_address);
+    const searchOptions = {
+      folder: body.folder || "INBOX",
+      from: body.from,
+      to: body.to,
+      subject: body.subject,
+      body: body.body,
+      since: body.since ? new Date(body.since) : void 0,
+      before: body.before ? new Date(body.before) : void 0,
+      seen: body.unread_only ? false : void 0,
+      limit: body.limit
+    };
+    const emails = await imap.searchEmails(searchOptions);
+    return c.json({
+      emails: emails.map((e) => serializeEmail(e, false))
+    });
+  } catch (error) {
+    console.error("[Email API] /search error:", error);
+    return c.json(
+      { error: error instanceof Error ? error.message : "Search failed" },
+      500
+    );
+  } finally {
+    if (imap) {
+      await imap.disconnect().catch(() => {
+      });
+    }
+  }
+});
+email.post("/flag", async (c) => {
+  const body = await c.req.json();
+  if (!body.email_address || !body.uid || !body.action) {
+    return c.json(
+      { error: "Fields 'email_address', 'uid', and 'action' are required" },
+      400
+    );
+  }
+  const folder = body.folder || "INBOX";
+  let imap = null;
+  try {
+    imap = await connectImapClientWithFallback(body.email_address);
+    switch (body.action) {
+      case "read":
+        await imap.markAsRead(body.uid, folder);
+        break;
+      case "unread":
+        await imap.markAsUnread(body.uid, folder);
+        break;
+      case "flag":
+        await imap.flagEmail(body.uid, folder);
+        break;
+      case "unflag":
+        await imap.unflagEmail(body.uid, folder);
+        break;
+      case "delete":
+        await imap.deleteEmail(body.uid, folder);
+        break;
+      default:
+        return c.json({ error: `Unknown action: ${body.action}` }, 400);
+    }
+    return c.json({ success: true });
+  } catch (error) {
+    console.error("[Email API] /flag error:", error);
+    return c.json(
+      { error: error instanceof Error ? error.message : "Failed to perform action" },
+      500
+    );
+  } finally {
+    if (imap) {
+      await imap.disconnect().catch(() => {
+      });
+    }
+  }
+});
+
+// src/inputs/api/routes/sdk.ts
+import { Hono as Hono3 } from "hono";
+var registeredApps = /* @__PURE__ */ new Map();
+function generateApiKey() {
+  const chars = "abcdefghijklmnopqrstuvwxyz0123456789";
+  const segments = [8, 4, 4, 4, 12];
+  return "osk_" + segments.map((len) => Array.from({ length: len }, () => chars[Math.floor(Math.random() * chars.length)]).join("")).join("-");
+}
+async function sdkAuth(c, next) {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader?.startsWith("Bearer osk_")) {
+    return c.json({ error: "Invalid or missing API key. Register at POST /api/sdk/register" }, 401);
+  }
+  const apiKey = authHeader.slice(7);
+  const app2 = Array.from(registeredApps.values()).find((a) => a.apiKey === apiKey);
+  if (!app2) {
+    return c.json({ error: "Unknown API key. Register at POST /api/sdk/register" }, 401);
+  }
+  app2.lastSeen = /* @__PURE__ */ new Date();
+  c.set("sdkApp", app2);
+  await next();
+}
+var sdkRoutes = new Hono3();
+sdkRoutes.post("/register", async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.name || !body.type) {
+      return c.json({ error: "name and type are required" }, 400);
+    }
+    const existing = Array.from(registeredApps.values()).find(
+      (a) => a.name === body.name && a.type === body.type
+    );
+    if (existing) {
+      return c.json({
+        id: existing.id,
+        message: "App already registered. Use your existing API key; it is not re-sent for security."
+      });
+    }
+    const id = crypto.randomUUID();
+    const apiKey = generateApiKey();
+    const app2 = {
+      id,
+      name: body.name,
+      type: body.type,
+      apiKey,
+      callbackUrl: body.callbackUrl,
+      registeredAt: /* @__PURE__ */ new Date(),
+      lastSeen: /* @__PURE__ */ new Date()
+    };
+    registeredApps.set(id, app2);
+    return c.json({
+      id,
+      apiKey,
+      message: "App registered successfully. Use this API key in Authorization: Bearer header.",
+      endpoints: {
+        chat: "POST /api/sdk/chat",
+        notify: "POST /api/sdk/notify",
+        memory_store: "POST /api/sdk/memory",
+        memory_search: "POST /api/sdk/memory/search",
+        tools_list: "GET /api/sdk/tools",
+        tools_execute: "POST /api/sdk/tools/execute",
+        agent_spawn: "POST /api/sdk/agent/spawn",
+        status: "GET /api/sdk/status"
+      }
+    });
+  } catch (error) {
+    return c.json({ error: "Registration failed" }, 500);
+  }
+});
+sdkRoutes.use("/*", sdkAuth);
+sdkRoutes.post("/chat", async (c) => {
+  try {
+    const app2 = c.get("sdkApp");
+    const body = await c.req.json();
+    if (!body.message) {
+      return c.json({ error: "message is required" }, 400);
+    }
+    const messages2 = [];
+    if (body.context) {
+      messages2.push({
+        role: "user",
+        content: `[Context from ${app2.name} (${app2.type})]: ${body.context}`
+      });
+      messages2.push({
+        role: "assistant",
+        content: "Understood, I have the context. How can I help?"
+      });
+    }
+    messages2.push({ role: "user", content: body.message });
+    const toolsUsed = [];
+    const response = body.useTools !== false ? await chatWithTools(messages2, `sdk:${app2.id}`, (tool) => toolsUsed.push(tool), { appType: app2.type }) : await (await import("./brain-6QTXN4QP.js")).chat(messages2, body.systemPrompt);
+    await storeMemory({
+      content: `[${app2.name}] User asked: ${body.message.slice(0, 200)}`,
+      type: "episodic",
+      importance: 5,
+      userId: `sdk:${app2.id}`,
+      source: `sdk:${app2.name}`,
+      provenance: `sdk:${app2.type}`
+    }).catch(() => {
+    });
+    return c.json({
+      content: response.content,
+      toolsUsed,
+      usage: {
+        inputTokens: response.inputTokens,
+        outputTokens: response.outputTokens
+      },
+      app: app2.name
+    });
+  } catch (error) {
+    console.error("SDK chat error:", error);
+    return c.json({ error: "Chat failed" }, 500);
+  }
+});
+sdkRoutes.post("/notify", async (c) => {
+  try {
+    const app2 = c.get("sdkApp");
+    const body = await c.req.json();
+    if (!body.channel || !body.message) {
+      return c.json({ error: "channel and message are required" }, 400);
+    }
+    const sent = [];
+    const prefix = `[${app2.name}] `;
+    const fullMessage = prefix + body.message;
+    const channels = body.channel === "all" ? ["telegram", "discord", "slack"] : [body.channel];
+    for (const ch of channels) {
+      try {
+        switch (ch) {
+          case "telegram": {
+            const { Bot } = await import("grammy");
+            const bot = new Bot(env.TELEGRAM_BOT_TOKEN);
+            await bot.api.sendMessage(env.TELEGRAM_CHAT_ID, fullMessage);
+            sent.push("telegram");
+            break;
+          }
+          case "discord": {
+            const { createDiscordBot } = await import("./discord-6UQHCN27.js");
+            const discord = createDiscordBot({
+              token: env.DISCORD_BOT_TOKEN || "",
+              clientId: env.DISCORD_CLIENT_ID || ""
+            });
+            if (body.recipient) {
+              await discord.sendMessage(body.recipient, fullMessage);
+            }
+            sent.push("discord");
+            break;
+          }
+          case "slack": {
+            const { createSlackBot } = await import("./slack-KSS6YK5Z.js");
+            const slack = createSlackBot({
+              token: env.SLACK_BOT_TOKEN || "",
+              signingSecret: env.SLACK_SIGNING_SECRET || ""
+            });
+            if (body.recipient) {
+              await slack.sendMessage(body.recipient, fullMessage);
+            }
+            sent.push("slack");
+            break;
+          }
+          case "email": {
+            const { SmtpClient: SmtpClient2 } = await import("./email-6OIN4SYL.js");
+            const smtp = new SmtpClient2({
+              host: env.EMAIL_SMTP_HOST || "localhost",
+              port: env.EMAIL_SMTP_PORT || 587,
+              secure: env.EMAIL_SMTP_SECURE || false,
+              auth: { user: env.EMAIL_USER || "", pass: env.EMAIL_PASSWORD || "" }
+            });
+            await smtp.send({
+              to: body.recipient || "",
+              subject: `${app2.name} Notification`,
+              text: body.message
+            });
+            sent.push("email");
+            break;
+          }
+        }
+      } catch (err) {
+      }
+    }
+    return c.json({ sent, message: `Notification sent via: ${sent.join(", ") || "none (no channels configured)"}` });
+  } catch (error) {
+    return c.json({ error: "Notification failed" }, 500);
+  }
+});
+sdkRoutes.post("/memory", async (c) => {
+  try {
+    const app2 = c.get("sdkApp");
+    const body = await c.req.json();
+    if (!body.content) {
+      return c.json({ error: "content is required" }, 400);
+    }
+    const memory = await storeMemory({
+      content: body.content,
+      type: body.type || "semantic",
+      importance: body.importance || 5,
+      userId: `sdk:${app2.id}`,
+      source: `sdk:${app2.name}`,
+      provenance: `sdk:${app2.type}`
+    });
+    return c.json(memory);
+  } catch (error) {
+    return c.json({ error: "Memory store failed" }, 500);
+  }
+});
+sdkRoutes.post("/memory/search", async (c) => {
+  try {
+    const app2 = c.get("sdkApp");
+    const body = await c.req.json();
+    if (!body.query) {
+      return c.json({ error: "query is required" }, 400);
+    }
+    const userId = body.crossApp ? void 0 : `sdk:${app2.id}`;
+    const results = await searchMemories(body.query, userId, body.limit || 5);
+    return c.json(results);
+  } catch (error) {
+    return c.json({ error: "Memory search failed" }, 500);
+  }
+});
+sdkRoutes.get("/tools", (c) => {
+  const app2 = c.get("sdkApp");
+  const ordered = prioritizeTools(TOOLS, app2.type);
+  const profile = getAppProfile(app2.type);
+  const prioritySet = new Set(profile.priorityTools);
+  const toolList = ordered.map((t) => ({
+    name: t.name,
+    description: t.description,
+    priority: prioritySet.has(t.name)
+  }));
+  return c.json({ tools: toolList, count: toolList.length, appType: app2.type });
+});
+sdkRoutes.post("/tools/execute", async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.tool || !body.input) {
+      return c.json({ error: "tool and input are required" }, 400);
+    }
+    const result = await executeTool(body.tool, body.input);
+    return c.json({ tool: body.tool, result });
+  } catch (error) {
+    return c.json({ error: "Tool execution failed" }, 500);
+  }
+});
+sdkRoutes.post("/agent/spawn", async (c) => {
+  try {
+    const app2 = c.get("sdkApp");
+    const body = await c.req.json();
+    if (!body.type || !body.task) {
+      return c.json({ error: "type and task are required" }, 400);
+    }
+    const agentPrompt = `As a ${body.type} agent for ${app2.name}, complete this task: ${body.task}${body.context ? `
+
+Context: ${body.context}` : ""}`;
+    const messages2 = [{ role: "user", content: agentPrompt }];
+    const toolsUsed = [];
+    const response = await chatWithTools(messages2, `sdk:${app2.id}:agent:${body.type}`, (tool) => toolsUsed.push(tool), { appType: app2.type });
+    return c.json({
+      agent: body.type,
+      result: response.content,
+      toolsUsed,
+      usage: {
+        inputTokens: response.inputTokens,
+        outputTokens: response.outputTokens
+      }
+    });
+  } catch (error) {
+    return c.json({ error: "Agent spawn failed" }, 500);
+  }
+});
+sdkRoutes.get("/status", (c) => {
+  const app2 = c.get("sdkApp");
+  const allApps = Array.from(registeredApps.values()).map((a) => ({
+    id: a.id,
+    name: a.name,
+    type: a.type,
+    registeredAt: a.registeredAt,
+    lastSeen: a.lastSeen
+  }));
+  return c.json({
+    opensentinel: {
+      status: "online",
+      version: "2.2.1",
+      uptime: process.uptime()
+    },
+    currentApp: {
+      id: app2.id,
+      name: app2.name,
+      type: app2.type
+    },
+    registeredApps: allApps,
+    tools: TOOLS.length
+  });
+});
+
+// src/inputs/api/routes/admin.ts
+import { Hono as Hono4 } from "hono";
+
+// src/core/security/rate-limiter.ts
+import Redis from "ioredis";
+var redis = new Redis(env.REDIS_URL, {
+  maxRetriesPerRequest: 3
+});
+var DEFAULT_LIMITS = {
+  "api/chat": { windowMs: 6e4, maxRequests: 30 },
+  "api/chat/tools": { windowMs: 6e4, maxRequests: 20 },
+  "api/ask": { windowMs: 6e4, maxRequests: 30 },
+  "tool/shell": { windowMs: 6e4, maxRequests: 10 },
+  "tool/browser": { windowMs: 6e4, maxRequests: 10 },
+  "tool/file_write": { windowMs: 6e4, maxRequests: 20 },
+  "agent/spawn": { windowMs: 36e5, maxRequests: 5 },
+  // 5 agents per hour
+  default: { windowMs: 6e4, maxRequests: 60 }
+};
+function getKey(identifier, endpoint) {
+  return `ratelimit:${identifier}:${endpoint}`;
+}
+async function checkRateLimit(identifier, endpoint, customConfig) {
+  const config = customConfig || DEFAULT_LIMITS[endpoint] || DEFAULT_LIMITS.default;
+  const { windowMs, maxRequests } = config;
+  const key = getKey(identifier, endpoint);
+  const now = Date.now();
+  try {
+    const multi = redis.multi();
+    multi.zremrangebyscore(key, 0, now - windowMs);
+    multi.zcard(key);
+    multi.zadd(key, now.toString(), `${now}:${Math.random()}`);
+    multi.pexpire(key, windowMs);
+    const results = await multi.exec();
+    if (!results) {
+      console.warn("[RateLimiter] Redis transaction failed, allowing request");
+      return {
+        allowed: true,
+        remaining: maxRequests,
+        resetAt: new Date(now + windowMs)
+      };
+    }
+    const currentCount = results[1]?.[1] || 0;
+    const resetAt = new Date(now + windowMs);
+    if (currentCount >= maxRequests) {
+      await redis.zrem(key, `${now}:${Math.random()}`);
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        retryAfterMs: windowMs - (now - await getWindowStart(key, now, windowMs))
+      };
+    }
+    return {
+      allowed: true,
+      remaining: maxRequests - currentCount - 1,
+      resetAt
+    };
+  } catch (error) {
+    console.error("[RateLimiter] Error checking rate limit:", error);
+    return {
+      allowed: true,
+      remaining: maxRequests,
+      resetAt: new Date(now + windowMs)
+    };
+  }
+}
+async function getWindowStart(key, now, windowMs) {
+  const oldest = await redis.zrange(key, 0, 0, "WITHSCORES");
+  if (oldest.length >= 2) {
+    return parseInt(oldest[1], 10);
+  }
+  return now - windowMs;
+}
+
+// src/inputs/api/routes/admin.ts
+var adminRouter = new Hono4();
+async function requireAdminAuth(c, next) {
+  const gatewayToken = getGatewayToken();
+  if (!gatewayToken) {
+    return next();
+  }
+  const apiKey = c.req.header("x-api-key");
+  if (apiKey) {
+    const rateLimitResult = await checkRateLimit(apiKey, "api/admin");
+    if (!rateLimitResult.allowed) {
+      return c.json(
+        { error: "Rate limit exceeded", retryAfter: rateLimitResult.retryAfterMs },
+        429
+      );
+    }
+    return next();
+  }
+  const authHeader = c.req.header("Authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    const token = authHeader.slice(7);
+    if (timingSafeEqual(token, gatewayToken)) {
+      return next();
+    }
+  }
+  return c.json({ error: "API key required" }, 401);
+}
+adminRouter.use("*", requireAdminAuth);
+adminRouter.get("/audit-logs", async (c) => {
+  try {
+    const url = new URL(c.req.url);
+    const options = {};
+    const userId = url.searchParams.get("userId");
+    if (userId) options.userId = userId;
+    const action = url.searchParams.get("action");
+    if (action) options.action = action;
+    const resource = url.searchParams.get("resource");
+    if (resource) options.resource = resource;
+    const startDate = url.searchParams.get("startDate");
+    if (startDate) options.startDate = new Date(startDate);
+    const endDate = url.searchParams.get("endDate");
+    if (endDate) options.endDate = new Date(endDate);
+    const limit = url.searchParams.get("limit");
+    options.limit = limit ? Math.min(parseInt(limit, 10), 500) : 100;
+    const offset = url.searchParams.get("offset");
+    options.offset = offset ? parseInt(offset, 10) : 0;
+    const logs = await queryAuditLogs(options);
+    return c.json({
+      success: true,
+      logs,
+      count: logs.length,
+      limit: options.limit,
+      offset: options.offset
+    });
+  } catch (err) {
+    return c.json({ error: err.message || "Failed to query audit logs" }, 500);
+  }
+});
+adminRouter.get("/audit-logs/integrity", async (c) => {
+  try {
+    const integrity = await getAuditChainIntegrity();
+    return c.json({ success: true, ...integrity });
+  } catch (err) {
+    return c.json({ error: err.message || "Failed to check integrity" }, 500);
+  }
+});
+adminRouter.get("/incidents", async (c) => {
+  try {
+    const url = new URL(c.req.url);
+    const limit = Math.min(parseInt(url.searchParams.get("limit") || "50", 10), 200);
+    const incidents = await queryAuditLogs({
+      action: "error",
+      limit
+    });
+    return c.json({
+      success: true,
+      incidents,
+      count: incidents.length
+    });
+  } catch (err) {
+    return c.json({ error: err.message || "Failed to query incidents" }, 500);
+  }
+});
+var admin_default = adminRouter;
+
+// src/inputs/api/routes/brain.ts
+import { Hono as Hono5 } from "hono";
+var brainRouter = new Hono5();
+brainRouter.get("/status", (c) => {
+  return c.json(brainTelemetry.getStatus());
+});
+brainRouter.get("/activity", (c) => {
+  const limit = parseInt(c.req.query("limit") || "100");
+  return c.json(brainTelemetry.getActivity(Math.min(limit, 500)));
+});
+brainRouter.get("/scores", async (c) => {
+  await costTracker.loadFromDb();
+  return c.json(brainTelemetry.getScores());
+});
+brainRouter.get("/agents", async (c) => {
+  const userId = c.req.query("userId");
+  try {
+    const { getUserAgents, getAllAgents } = await import("./agent-manager-JZ4IM7XI.js");
+    const agents = userId ? await getUserAgents(userId, void 0, 20) : await getAllAgents(void 0, 50);
+    return c.json(agents);
+  } catch {
+    return c.json([]);
+  }
+});
+brainRouter.get("/cost/forecast", (c) => {
+  const days = parseInt(c.req.query("days") || "7");
+  return c.json({
+    forecast: costTracker.getForecast(days),
+    trend: costTracker.getCostTrend(),
+    estimatedMonthly: costTracker.getEstimatedMonthlyCost()
+  });
+});
+brainRouter.get("/memory-graph", async (c) => {
+  const entityId = c.req.query("entityId");
+  const limit = parseInt(c.req.query("limit") || "50");
+  try {
+    let memories2 = [];
+    try {
+      memories2 = await searchMemories("*", void 0, limit);
+    } catch {
+    }
+    const nodes = [];
+    const edges = [];
+    for (const mem of memories2) {
+      nodes.push({
+        id: `mem-${mem.id}`,
+        name: (mem.content || "").slice(0, 60) + ((mem.content || "").length > 60 ? "..." : ""),
+        type: "memory",
+        importance: (mem.importance ?? 5) * 10,
+        // Scale 1-10 to 10-100
+        content: mem.content || "",
+        createdAt: mem.createdAt?.toISOString?.() || (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    if (entityId) {
+      try {
+        const { db: db2 } = await import("./db-I7MNG6CL.js");
+        const { graphEntities: graphEntities2 } = await import("./schema-ETY7L2VA.js");
+        const { eq: eq5 } = await import("drizzle-orm");
+        const [entity] = await db2.select().from(graphEntities2).where(eq5(graphEntities2.id, entityId)).limit(1);
+        if (entity) {
+          nodes.push({
+            id: entity.id,
+            name: entity.name,
+            type: entity.type,
+            importance: entity.importance ?? 50,
+            content: entity.description || "",
+            createdAt: entity.createdAt?.toISOString?.() || (/* @__PURE__ */ new Date()).toISOString()
+          });
+          for (const mem of memories2) {
+            const content = (mem.content || "").toLowerCase();
+            if (content.includes(entity.name.toLowerCase()) || (entity.aliases || []).some(
+              (a) => content.includes(a.toLowerCase())
+            )) {
+              edges.push({
+                source: `mem-${mem.id}`,
+                target: entity.id,
+                type: "relates_to",
+                strength: 60
+              });
+            }
+          }
+        }
+      } catch {
+      }
+    }
+    for (let i = 0; i < nodes.length; i++) {
+      for (let j = i + 1; j < nodes.length; j++) {
+        if (nodes[i].type === "memory" && nodes[j].type === "memory" && nodes[i].content && nodes[j].content) {
+          const words1 = new Set(nodes[i].content.toLowerCase().split(/\s+/).filter((w) => w.length > 4));
+          const words2 = new Set(nodes[j].content.toLowerCase().split(/\s+/).filter((w) => w.length > 4));
+          const overlap = [...words1].filter((w) => words2.has(w)).length;
+          if (overlap >= 3) {
+            edges.push({
+              source: nodes[i].id,
+              target: nodes[j].id,
+              type: "related",
+              strength: Math.min(100, overlap * 15)
+            });
+          }
+        }
+      }
+    }
+    return c.json({ nodes, edges });
+  } catch (error) {
+    return c.json({ nodes: [], edges: [], error: "Failed to build memory graph" }, 500);
+  }
+});
+brainRouter.get("/agents/catalog", async (c) => {
+  try {
+    const { AGENT_TOOL_PERMISSIONS } = await import("./agent-types-2T4PXLFQ.js");
+    const configs = await Promise.all([
+      import("./research-agent-WCRSY3UZ.js").then((m) => m.RESEARCH_AGENT_CONFIG),
+      import("./coding-agent-DESSU3AC.js").then((m) => m.CODING_AGENT_CONFIG),
+      import("./writing-agent-VDGLNOGO.js").then((m) => m.WRITING_AGENT_CONFIG),
+      import("./analysis-agent-JWN2GXYE.js").then((m) => m.ANALYSIS_AGENT_CONFIG),
+      import("./osint-agent-RL5XPBRQ.js").then((m) => m.OSINT_AGENT_CONFIG)
+    ]);
+    const catalog = configs.map((cfg) => ({
+      type: cfg.type,
+      name: cfg.name,
+      description: cfg.description,
+      tools: AGENT_TOOL_PERMISSIONS[cfg.type] || [],
+      settings: cfg.settings || {}
+    }));
+    return c.json(catalog);
+  } catch {
+    return c.json([]);
+  }
+});
+brainRouter.post("/agents/spawn", async (c) => {
+  try {
+    const { type, objective } = await c.req.json();
+    if (!type || !objective) {
+      return c.json({ error: "type and objective are required" }, 400);
+    }
+    const { db: db2 } = await import("./db-I7MNG6CL.js");
+    const { users: users2 } = await import("./schema-ETY7L2VA.js");
+    let systemUser = await db2.select().from(users2).limit(1);
+    if (systemUser.length === 0) {
+      systemUser = await db2.insert(users2).values({ name: "Dashboard" }).returning();
+    }
+    const { spawnAgent } = await import("./agent-manager-JZ4IM7XI.js");
+    const agent = await spawnAgent({
+      type,
+      objective,
+      userId: systemUser[0].id
+    });
+    return c.json(agent, 201);
+  } catch (error) {
+    return c.json({ error: error?.message || "Failed to spawn agent" }, 500);
+  }
+});
+brainRouter.post("/agents/seed", async (c) => {
+  try {
+    const { db: db2 } = await import("./db-I7MNG6CL.js");
+    const { subAgents, agentProgress, users: users2 } = await import("./schema-ETY7L2VA.js");
+    let systemUser = await db2.select().from(users2).limit(1);
+    if (systemUser.length === 0) {
+      systemUser = await db2.insert(users2).values({
+        name: "System"
+      }).returning();
+    }
+    const userId = systemUser[0].id;
+    const now = Date.now();
+    const tasks = [
+      {
+        userId,
+        type: "research",
+        name: "Research Agent",
+        status: "completed",
+        objective: "Research current best practices for PostgreSQL query optimization and indexing strategies",
+        tokenBudget: 5e4,
+        tokensUsed: 32450,
+        createdAt: new Date(now - 3 * 36e5),
+        result: { success: true, summary: "Compiled 12 optimization strategies including partial indexes, covering indexes, and query plan analysis. Key findings: BRIN indexes for time-series data, GIN for JSONB columns, and composite indexes for multi-column queries.", durationMs: 45200 }
+      },
+      {
+        userId,
+        type: "coding",
+        name: "Coding Agent",
+        status: "completed",
+        objective: "Implement rate limiting middleware for the API with configurable windows and Redis backing",
+        tokenBudget: 8e4,
+        tokensUsed: 61200,
+        createdAt: new Date(now - 6 * 36e5),
+        result: { success: true, summary: "Implemented sliding window rate limiter using Redis ZSET. Supports per-user and per-IP limits with configurable windows (1s, 1m, 1h, 1d). Added X-RateLimit headers and 429 responses.", durationMs: 128400 }
+      },
+      {
+        userId,
+        type: "analysis",
+        name: "Analysis Agent",
+        status: "completed",
+        objective: "Analyze token usage patterns over the last 30 days and identify cost optimization opportunities",
+        tokenBudget: 4e4,
+        tokensUsed: 28900,
+        createdAt: new Date(now - 12 * 36e5),
+        result: { success: true, summary: "Found 3 key optimization opportunities: 1) System prompts can be shortened by 40% with prompt caching, 2) Research queries could use haiku for initial filtering, 3) Redundant context in multi-turn conversations accounts for 22% of input tokens.", durationMs: 67800 }
+      },
+      {
+        userId,
+        type: "writing",
+        name: "Writing Agent",
+        status: "completed",
+        objective: "Generate API documentation for the webhook and scheduler endpoints",
+        tokenBudget: 3e4,
+        tokensUsed: 18700,
+        createdAt: new Date(now - 24 * 36e5),
+        result: { success: true, summary: "Generated OpenAPI 3.1 documentation for 8 endpoints across scheduler and webhook routes. Includes request/response schemas, authentication requirements, and usage examples.", durationMs: 34500 }
+      },
+      {
+        userId,
+        type: "research",
+        name: "Research Agent",
+        status: "completed",
+        objective: "Gather public information about recent AI security vulnerabilities and prompt injection techniques",
+        tokenBudget: 6e4,
+        tokensUsed: 45300,
+        createdAt: new Date(now - 48 * 36e5),
+        result: { success: true, summary: "Compiled report on 15 known prompt injection vectors including indirect injection via retrieved content, multi-modal attacks through images, and tool-use exploitation. Recommended 6 mitigation strategies.", durationMs: 89200 }
+      },
+      {
+        userId,
+        type: "research",
+        name: "Research Agent",
+        status: "failed",
+        objective: "Research pgvector HNSW vs IVFFlat index performance for RAG memory retrieval",
+        tokenBudget: 5e4,
+        tokensUsed: 12800,
+        createdAt: new Date(now - 2 * 36e5),
+        result: { success: false, error: "Token budget exhausted during benchmark phase. Partial results: HNSW shows better recall at higher ef_search values but IVFFlat index build is 3x faster.", durationMs: 22100 }
+      },
+      {
+        userId,
+        type: "coding",
+        name: "Coding Agent",
+        status: "running",
+        objective: "Build automated test suite for the MCP server integration layer",
+        tokenBudget: 1e5,
+        tokensUsed: 34200,
+        createdAt: new Date(now - 18e5),
+        result: null
+      },
+      {
+        userId,
+        type: "analysis",
+        name: "Analysis Agent",
+        status: "pending",
+        objective: "Analyze error patterns in the last 7 days and correlate with deployment events",
+        tokenBudget: 4e4,
+        tokensUsed: 0,
+        createdAt: new Date(now - 3e5),
+        result: null
+      }
+    ];
+    const inserted = [];
+    for (const task of tasks) {
+      const [row] = await db2.insert(subAgents).values(task).returning();
+      inserted.push(row);
+    }
+    const runningTask = inserted.find((t) => t.status === "running");
+    if (runningTask) {
+      await db2.insert(agentProgress).values([
+        { agentId: runningTask.id, step: 1, description: "Analyzing existing MCP client code and interfaces", status: "completed" },
+        { agentId: runningTask.id, step: 2, description: "Generating mock MCP server for testing", status: "completed" },
+        { agentId: runningTask.id, step: 3, description: "Writing connection lifecycle tests", status: "running" },
+        { agentId: runningTask.id, step: 4, description: "Writing tool discovery and execution tests", status: "pending" },
+        { agentId: runningTask.id, step: 5, description: "Writing error handling and retry tests", status: "pending" }
+      ]);
+    }
+    const researchTask = inserted.find((t) => t.status === "completed" && t.type === "research");
+    if (researchTask) {
+      await db2.insert(agentProgress).values([
+        { agentId: researchTask.id, step: 1, description: "Surveying PostgreSQL documentation and performance guides", status: "completed" },
+        { agentId: researchTask.id, step: 2, description: "Analyzing index types: B-tree, Hash, GIN, GiST, BRIN", status: "completed" },
+        { agentId: researchTask.id, step: 3, description: "Reviewing EXPLAIN ANALYZE best practices", status: "completed" },
+        { agentId: researchTask.id, step: 4, description: "Compiling optimization recommendations", status: "completed" }
+      ]);
+    }
+    return c.json({ success: true, seeded: inserted.length });
+  } catch (err) {
+    return c.json({ error: err?.message || "Failed to seed tasks" }, 500);
+  }
+});
+brainRouter.delete("/agents/history", async (c) => {
+  try {
+    const { db: db2 } = await import("./db-I7MNG6CL.js");
+    const { subAgents } = await import("./schema-ETY7L2VA.js");
+    const { inArray } = await import("drizzle-orm");
+    await db2.delete(subAgents).where(inArray(subAgents.status, ["completed", "failed", "cancelled"]));
+    return c.json({ success: true });
+  } catch (err) {
+    return c.json({ error: err?.message || "Failed to clear task history" }, 500);
+  }
+});
+brainRouter.delete("/activity", (c) => {
+  brainTelemetry.clearActivity?.();
+  return c.json({ success: true });
+});
+var brain_default = brainRouter;
+
+// src/inputs/api/routes/scheduler.ts
+import { Hono as Hono6 } from "hono";
+var schedulerRouter = new Hono6();
+schedulerRouter.get("/jobs", async (c) => {
+  try {
+    const { taskQueue, maintenanceQueue } = await import("./scheduler-6PLLAQI7.js");
+    const [taskJobs, maintenanceJobs] = await Promise.allSettled([
+      taskQueue?.getRepeatableJobs?.() ?? Promise.resolve([]),
+      maintenanceQueue?.getRepeatableJobs?.() ?? Promise.resolve([])
+    ]);
+    const jobs = [
+      ...taskJobs.status === "fulfilled" ? taskJobs.value : [],
+      ...maintenanceJobs.status === "fulfilled" ? maintenanceJobs.value : []
+    ];
+    return c.json(jobs);
+  } catch (error) {
+    return c.json([], 200);
+  }
+});
+schedulerRouter.get("/stats", async (c) => {
+  try {
+    const { getQueueStats } = await import("./scheduler-6PLLAQI7.js");
+    const stats = await getQueueStats();
+    return c.json(stats);
+  } catch (error) {
+    return c.json({ waiting: 0, active: 0, completed: 0, failed: 0, delayed: 0 });
+  }
+});
+schedulerRouter.post("/jobs", async (c) => {
+  try {
+    const { name, pattern, task } = await c.req.json();
+    if (!name || !pattern) {
+      return c.json({ error: "name and pattern are required" }, 400);
+    }
+    const { scheduleRecurring } = await import("./scheduler-6PLLAQI7.js");
+    await scheduleRecurring(name, task || { type: "custom", name }, pattern);
+    return c.json({ success: true }, 201);
+  } catch (error) {
+    return c.json({ error: "Failed to create job" }, 500);
+  }
+});
+schedulerRouter.delete("/jobs/:key", async (c) => {
+  try {
+    const key = decodeURIComponent(c.req.param("key"));
+    const { taskQueue } = await import("./scheduler-6PLLAQI7.js");
+    await taskQueue.removeRepeatableByKey(key);
+    return c.json({ success: true });
+  } catch (error) {
+    return c.json({ error: "Failed to remove job" }, 500);
+  }
+});
+schedulerRouter.put("/jobs/:key", async (c) => {
+  try {
+    const key = decodeURIComponent(c.req.param("key"));
+    const { name, pattern, task } = await c.req.json();
+    if (!pattern) {
+      return c.json({ error: "pattern is required" }, 400);
+    }
+    const { taskQueue, scheduleRecurring } = await import("./scheduler-6PLLAQI7.js");
+    await taskQueue.removeRepeatableByKey(key);
+    const jobName = name || key.split(":::")[0] || "custom-job";
+    await scheduleRecurring(jobName, task || { type: "custom", name: jobName }, pattern);
+    return c.json({ success: true });
+  } catch (error) {
+    return c.json({ error: "Failed to update job" }, 500);
+  }
+});
+var scheduler_default = schedulerRouter;
+
+// src/inputs/api/routes/alerts.ts
+import { Hono as Hono7 } from "hono";
+var alertsRouter = new Hono7();
+alertsRouter.get("/", async (c) => {
+  try {
+    const alerting = await import("./alerting-LK7VVYTX.js");
+    await alerting.loadAlertHistoryFromDb?.();
+    const active = alerting.getActiveAlerts?.() ?? [];
+    const history = alerting.getAlertHistory?.(50) ?? [];
+    return c.json({ active, history });
+  } catch {
+    return c.json({ active: [], history: [] });
+  }
+});
+alertsRouter.post("/:id/acknowledge", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const { by } = await c.req.json();
+    const alerting = await import("./alerting-LK7VVYTX.js");
+    alerting.acknowledgeAlert?.(id, by || "web-user");
+    return c.json({ success: true });
+  } catch {
+    return c.json({ error: "Failed to acknowledge alert" }, 500);
+  }
+});
+alertsRouter.post("/:id/resolve", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const { by } = await c.req.json();
+    const alerting = await import("./alerting-LK7VVYTX.js");
+    alerting.resolveAlert?.(id, by || "web-user");
+    return c.json({ success: true });
+  } catch {
+    return c.json({ error: "Failed to resolve alert" }, 500);
+  }
+});
+alertsRouter.get("/rules", async (c) => {
+  try {
+    const alerting = await import("./alerting-LK7VVYTX.js");
+    let rules = alerting.getAlertRules?.() ?? [];
+    if (rules.length === 0 && alerting.initializeDefaultRules) {
+      alerting.initializeDefaultRules();
+      rules = alerting.getAlertRules?.() ?? [];
+    }
+    return c.json(rules);
+  } catch {
+    return c.json([]);
+  }
+});
+alertsRouter.delete("/history", async (c) => {
+  try {
+    const alerting = await import("./alerting-LK7VVYTX.js");
+    alerting.clearAlertHistory?.();
+    return c.json({ success: true });
+  } catch {
+    return c.json({ error: "Failed to clear alert history" }, 500);
+  }
+});
+alertsRouter.post("/rules", async (c) => {
+  try {
+    const rule = await c.req.json();
+    const alerting = await import("./alerting-LK7VVYTX.js");
+    alerting.addAlertRule?.(rule);
+    return c.json({ success: true }, 201);
+  } catch {
+    return c.json({ error: "Failed to create rule" }, 500);
+  }
+});
+alertsRouter.delete("/rules/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const alerting = await import("./alerting-LK7VVYTX.js");
+    const removed = alerting.removeAlertRule?.(id);
+    if (!removed) {
+      return c.json({ error: "Rule not found" }, 404);
+    }
+    return c.json({ success: true });
+  } catch {
+    return c.json({ error: "Failed to delete rule" }, 500);
+  }
+});
+alertsRouter.put("/rules/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const updates = await c.req.json();
+    const alerting = await import("./alerting-LK7VVYTX.js");
+    const rules = alerting.getAlertRules?.() ?? [];
+    const existing = rules.find((r) => r.id === id);
+    if (!existing) {
+      return c.json({ error: "Rule not found" }, 404);
+    }
+    const updated = { ...existing, ...updates, id };
+    alerting.addAlertRule?.(updated);
+    return c.json({ success: true });
+  } catch {
+    return c.json({ error: "Failed to update rule" }, 500);
+  }
+});
+var alerts_default = alertsRouter;
+
+// src/inputs/api/routes/webhooks.ts
+import { Hono as Hono8 } from "hono";
+import { v4 as uuidv4 } from "uuid";
+var webhooksRouter = new Hono8();
+webhooksRouter.get("/", async (c) => {
+  try {
+    const { WorkflowStore } = await import("./workflow-store-5Y56GUP7.js");
+    const store = new WorkflowStore();
+    const workflows = await store.getAllWorkflows();
+    const results = workflows.map((w) => ({
+      id: w.id,
+      name: w.name,
+      description: w.description || "",
+      triggerType: Array.isArray(w.triggers) && w.triggers[0]?.type || "webhook",
+      trigger: Array.isArray(w.triggers) && w.triggers[0] || {},
+      actions: (Array.isArray(w.steps) ? w.steps : []).map((s) => ({
+        type: s.action?.type || s.type || "unknown",
+        name: s.action?.name || s.action?.type || s.type || "action"
+      })),
+      enabled: w.status === "active",
+      createdAt: w.createdAt,
+      updatedAt: w.updatedAt,
+      lastTriggered: w.lastExecutedAt,
+      executionCount: w.executionCount || 0
+    }));
+    return c.json(results);
+  } catch {
+    return c.json([]);
+  }
+});
+webhooksRouter.post("/", async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.name) {
+      return c.json({ error: "name is required" }, 400);
+    }
+    const { WorkflowStore } = await import("./workflow-store-5Y56GUP7.js");
+    const store = new WorkflowStore();
+    const now = /* @__PURE__ */ new Date();
+    const workflow = await store.createWorkflow({
+      id: uuidv4(),
+      name: body.name,
+      description: body.description,
+      status: "active",
+      triggers: [{ type: body.triggerType || "webhook", config: body.trigger || {} }],
+      steps: (body.actions || []).map((a, i) => ({
+        id: uuidv4(),
+        type: "action",
+        action: { type: a.type, config: a.config || {} }
+      })),
+      executionCount: 0,
+      createdAt: now,
+      updatedAt: now
+    });
+    return c.json({ id: workflow.id, success: true }, 201);
+  } catch (err) {
+    return c.json({ error: err?.message || "Failed to create webhook" }, 500);
+  }
+});
+webhooksRouter.put("/:id/toggle", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const { WorkflowStore } = await import("./workflow-store-5Y56GUP7.js");
+    const store = new WorkflowStore();
+    const workflow = await store.getWorkflow(id);
+    if (!workflow) return c.json({ error: "Workflow not found" }, 404);
+    const newStatus = workflow.status === "active" ? "disabled" : "active";
+    await store.updateWorkflow(id, { status: newStatus });
+    return c.json({ success: true, enabled: newStatus === "active" });
+  } catch {
+    return c.json({ error: "Failed to toggle webhook" }, 500);
+  }
+});
+webhooksRouter.delete("/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const { WorkflowStore } = await import("./workflow-store-5Y56GUP7.js");
+    const store = new WorkflowStore();
+    await store.deleteWorkflow(id);
+    return c.json({ success: true });
+  } catch {
+    return c.json({ error: "Failed to delete webhook" }, 500);
+  }
+});
+webhooksRouter.put("/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const body = await c.req.json();
+    const { WorkflowStore } = await import("./workflow-store-5Y56GUP7.js");
+    const store = new WorkflowStore();
+    const workflow = await store.getWorkflow(id);
+    if (!workflow) return c.json({ error: "Workflow not found" }, 404);
+    const updates = {};
+    if (body.name !== void 0) updates.name = body.name;
+    if (body.description !== void 0) updates.description = body.description;
+    if (body.triggerType !== void 0 || body.trigger !== void 0) {
+      updates.triggers = [{ type: body.triggerType || "webhook", config: body.trigger || {} }];
+    }
+    if (body.actions !== void 0) {
+      const { v4: uuidv4Gen } = await import("uuid");
+      updates.steps = body.actions.map((a) => ({
+        id: uuidv4Gen(),
+        type: "action",
+        action: { type: a.type, config: a.config || {} }
+      }));
+    }
+    await store.updateWorkflow(id, updates);
+    return c.json({ success: true });
+  } catch {
+    return c.json({ error: "Failed to update webhook" }, 500);
+  }
+});
+webhooksRouter.post("/seed", async (c) => {
+  try {
+    const { WorkflowStore } = await import("./workflow-store-5Y56GUP7.js");
+    const store = new WorkflowStore();
+    const now = /* @__PURE__ */ new Date();
+    const defaults = [
+      {
+        name: "GitHub Push Notifications",
+        description: "Alert on pushes to main branch via GitHub webhook",
+        triggers: [{
+          type: "webhook",
+          config: {
+            path: "/webhooks/github",
+            methods: ["POST"],
+            secret: "",
+            filter: { type: "key_match", expression: "ref", expectedValue: "refs/heads/main" }
+          }
+        }],
+        steps: [
+          { id: uuidv4(), type: "action", action: { type: "send_message", config: { channel: "web", message: "New push to main: {{trigger.data.head_commit.message}}" } } }
+        ]
+      },
+      {
+        name: "Email-to-Chat Forward",
+        description: "Forward important emails to web chat",
+        triggers: [{
+          type: "event",
+          config: { source: "email", eventName: "email_received" }
+        }],
+        steps: [
+          { id: uuidv4(), type: "action", action: { type: "send_message", config: { channel: "web", message: "New email from {{trigger.data.from}}: {{trigger.data.subject}}" } } }
+        ]
+      },
+      {
+        name: "Alert on High Error Rate",
+        description: "Send notification when error rate spikes",
+        triggers: [{
+          type: "event",
+          config: { source: "alerting", eventName: "alert_fired", filter: { severity: "error" } }
+        }],
+        steps: [
+          { id: uuidv4(), type: "action", action: { type: "send_message", config: { channel: "web", message: "ALERT: {{trigger.data.message}} (severity: {{trigger.data.severity}})" } } },
+          { id: uuidv4(), type: "action", action: { type: "log", config: { level: "error", message: "Alert fired: {{trigger.data.message}}" } } }
+        ]
+      },
+      {
+        name: "Daily Summary Report",
+        description: "Generate and send a daily activity summary at 9 AM",
+        triggers: [{
+          type: "time",
+          config: { pattern: "0 9 * * *", timezone: "America/New_York" }
+        }],
+        steps: [
+          { id: uuidv4(), type: "action", action: { type: "run_tool", config: { tool: "get_time", input: {} } } },
+          { id: uuidv4(), type: "action", action: { type: "send_message", config: { channel: "web", message: "Good morning! Here's your daily summary for {{date}}." } } }
+        ]
+      },
+      {
+        name: "External API Health Check",
+        description: "Monitor external API endpoint every 10 minutes",
+        triggers: [{
+          type: "time",
+          config: { pattern: "*/10 * * * *" }
+        }],
+        steps: [
+          { id: uuidv4(), type: "action", action: { type: "http_request", config: { method: "GET", url: "https://api.github.com/rate_limit", headers: {} } } },
+          { id: uuidv4(), type: "action", action: { type: "log", config: { level: "info", message: "Health check completed" } } }
+        ]
+      }
+    ];
+    let created = 0;
+    const existing = await store.getAllWorkflows();
+    const existingNames = new Set(existing.map((w) => w.name));
+    for (const wf of defaults) {
+      if (!existingNames.has(wf.name)) {
+        await store.createWorkflow({
+          id: uuidv4(),
+          ...wf,
+          status: "active",
+          executionCount: 0,
+          createdAt: now,
+          updatedAt: now
+        });
+        created++;
+      }
+    }
+    return c.json({ success: true, created, total: existing.length + created });
+  } catch (err) {
+    return c.json({ error: err?.message || "Failed to seed webhooks" }, 500);
+  }
+});
+var webhooks_default = webhooksRouter;
+
+// src/inputs/api/routes/github.ts
+import { Hono as Hono9 } from "hono";
+var githubRouter = new Hono9();
+githubRouter.get("/repos", async (c) => {
+  try {
+    const { env: env2 } = await import("./env-GN5VHI43.js");
+    if (!env2.GITHUB_TOKEN) {
+      return c.json({ error: "GITHUB_TOKEN not configured" }, 400);
+    }
+    const github = await import("./github-DUWSXCNP.js");
+    const repos = await github.listRepositories();
+    return c.json(repos);
+  } catch (error) {
+    return c.json([], 200);
+  }
+});
+githubRouter.get("/issues", async (c) => {
+  try {
+    const { env: env2 } = await import("./env-GN5VHI43.js");
+    if (!env2.GITHUB_TOKEN) {
+      return c.json({ error: "GITHUB_TOKEN not configured" }, 400);
+    }
+    const repo = c.req.query("repo");
+    const state = c.req.query("state") || "open";
+    const github = await import("./github-DUWSXCNP.js");
+    if (repo) {
+      const [owner, name] = repo.split("/");
+      const issues2 = await github.listIssues(owner, name, { state });
+      return c.json(issues2);
+    }
+    const issues = await github.listIssues("", "", { state });
+    return c.json(issues);
+  } catch {
+    return c.json([], 200);
+  }
+});
+githubRouter.get("/prs", async (c) => {
+  try {
+    const { env: env2 } = await import("./env-GN5VHI43.js");
+    if (!env2.GITHUB_TOKEN) {
+      return c.json({ error: "GITHUB_TOKEN not configured" }, 400);
+    }
+    const repo = c.req.query("repo");
+    const state = c.req.query("state") || "open";
+    const github = await import("./github-DUWSXCNP.js");
+    if (repo) {
+      const [owner, name] = repo.split("/");
+      const prs2 = await github.listPullRequests(owner, name, { state });
+      return c.json(prs2);
+    }
+    const prs = await github.listPullRequests("", "", { state });
+    return c.json(prs);
+  } catch {
+    return c.json([], 200);
+  }
+});
+var github_default = githubRouter;
+
+// src/inputs/api/routes/metrics.ts
+import { Hono as Hono10 } from "hono";
+var metricsRouter = new Hono10();
+async function requireApiKey(c, next) {
+  const apiKey = c.req.header("x-api-key");
+  if (!apiKey) {
+    return c.json({ error: "API key required" }, 401);
+  }
+  const rateLimitResult = await checkRateLimit(apiKey, "api/metrics");
+  if (!rateLimitResult.allowed) {
+    return c.json(
+      {
+        error: "Rate limit exceeded",
+        retryAfter: rateLimitResult.retryAfterMs
+      },
+      429
+    );
+  }
+  await next();
+}
+metricsRouter.use("*", requireApiKey);
+metricsRouter.get("/aggregation", async (c) => {
+  const metricType = c.req.query("type");
+  const startDate = c.req.query("start");
+  const endDate = c.req.query("end");
+  const groupBy = c.req.query("groupBy");
+  if (!metricType) {
+    return c.json({ error: "Metric type required" }, 400);
+  }
+  const start = startDate ? new Date(startDate) : new Date(Date.now() - 24 * 60 * 60 * 1e3);
+  const end = endDate ? new Date(endDate) : /* @__PURE__ */ new Date();
+  const aggregation = await getMetricAggregates(metricType, start, end);
+  return c.json({
+    type: metricType,
+    period: { start: start.toISOString(), end: end.toISOString() },
+    aggregation
+  });
+});
+metricsRouter.get("/timeseries", async (c) => {
+  const metricType = c.req.query("type");
+  const startDate = c.req.query("start");
+  const endDate = c.req.query("end");
+  const interval = c.req.query("interval");
+  if (!metricType) {
+    return c.json({ error: "Metric type required" }, 400);
+  }
+  const start = startDate ? new Date(startDate) : new Date(Date.now() - 24 * 60 * 60 * 1e3);
+  const end = endDate ? new Date(endDate) : /* @__PURE__ */ new Date();
+  const timeSeries = await getMetricTimeSeries(metricType, start, end);
+  return c.json({
+    type: metricType,
+    period: { start: start.toISOString(), end: end.toISOString() },
+    interval: interval || "hour",
+    data: timeSeries
+  });
+});
+metricsRouter.post("/record", async (c) => {
+  const body = await c.req.json();
+  const { type, value, metadata, userId } = body;
+  if (!type || value === void 0) {
+    return c.json({ error: "Type and value required" }, 400);
+  }
+  await recordMetric({
+    name: type,
+    value,
+    tags: metadata
+  });
+  return c.json({ success: true });
+});
+metricsRouter.post("/flush", async (c) => {
+  await flushMetrics();
+  return c.json({ success: true, message: "Metrics flushed" });
+});
+metricsRouter.get("/errors/stats", async (c) => {
+  const days = parseInt(c.req.query("days") || "7");
+  const now = /* @__PURE__ */ new Date();
+  const since = new Date(now.getTime() - days * 24 * 60 * 60 * 1e3);
+  const stats = await getErrorStats(since, now);
+  return c.json({
+    period: `Last ${days} days`,
+    stats
+  });
+});
+metricsRouter.get("/errors/recent", async (c) => {
+  const limit = parseInt(c.req.query("limit") || "20");
+  const category = c.req.query("category");
+  const resolved = c.req.query("resolved");
+  const errors = await getRecentErrors(
+    limit,
+    category
+  );
+  return c.json({
+    count: errors.length,
+    errors
+  });
+});
+metricsRouter.get("/health", async (c) => {
+  const now = /* @__PURE__ */ new Date();
+  const recentLatency = await getMetricAggregates(
+    "response_latency",
+    new Date(now.getTime() - 5 * 60 * 1e3),
+    now
+  );
+  const recentErrors = await getRecentErrors(10);
+  const status = {
+    healthy: true,
+    timestamp: now.toISOString(),
+    metrics: {
+      avgLatencyMs: recentLatency.avg || 0,
+      recentErrorCount: recentErrors.length
+    }
+  };
+  if (recentErrors.length > 5) {
+    status.healthy = false;
+  }
+  return c.json(status, status.healthy ? 200 : 503);
+});
+metricsRouter.get("/overview", async (c) => {
+  const now = /* @__PURE__ */ new Date();
+  const dayAgo = new Date(now.getTime() - 24 * 60 * 60 * 1e3);
+  const weekAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1e3);
+  const [
+    latencyDay,
+    tokensDay,
+    errorsDay,
+    latencyWeek,
+    tokensWeek,
+    errorsWeek
+  ] = await Promise.all([
+    getMetricAggregates("response_latency", dayAgo, now),
+    getMetricAggregates("token_usage_input", dayAgo, now),
+    getErrorStats(dayAgo, now),
+    getMetricAggregates("response_latency", weekAgo, now),
+    getMetricAggregates("token_usage_input", weekAgo, now),
+    getErrorStats(weekAgo, now)
+  ]);
+  return c.json({
+    timestamp: now.toISOString(),
+    last24Hours: {
+      avgLatencyMs: latencyDay.avg || 0,
+      totalTokens: tokensDay.sum || 0,
+      requestCount: latencyDay.count || 0,
+      errorCount: errorsDay.total || 0
+    },
+    last7Days: {
+      avgLatencyMs: latencyWeek.avg || 0,
+      totalTokens: tokensWeek.sum || 0,
+      requestCount: latencyWeek.count || 0,
+      errorCount: errorsWeek.total || 0
+    }
+  });
+});
+var metrics_default = metricsRouter;
+
+// src/inputs/api/routes/mcp.ts
+import { Hono as Hono11 } from "hono";
+var mcpRouter = new Hono11();
+mcpRouter.get("/servers", async (c) => {
+  try {
+    const { getMCPRegistry } = await import("./tools-PJZ6RI4P.js");
+    const registry = getMCPRegistry();
+    if (!registry) {
+      return c.json({ enabled: false, servers: [], connectedCount: 0, totalToolCount: 0 });
+    }
+    const states = registry.getServerStates();
+    const servers = states.map((s) => ({
+      id: s.config?.id || "unknown",
+      name: s.config?.name || s.serverInfo?.name || s.config?.id || "Unknown",
+      transport: s.config?.transport || "stdio",
+      enabled: s.config?.enabled ?? true,
+      status: s.status || "disconnected",
+      serverVersion: s.serverInfo?.version || null,
+      toolCount: Array.isArray(s.tools) ? s.tools.length : 0,
+      tools: Array.isArray(s.tools) ? s.tools.map((t) => ({
+        name: t.name,
+        description: t.description || ""
+      })) : [],
+      lastError: s.lastError || null,
+      lastActivity: s.lastActivity || null,
+      command: s.config?.command || null,
+      args: s.config?.args || []
+    }));
+    return c.json({
+      enabled: true,
+      connectedCount: registry.connectedCount,
+      totalToolCount: registry.totalToolCount,
+      servers
+    });
+  } catch {
+    return c.json({ enabled: false, servers: [], connectedCount: 0, totalToolCount: 0 });
+  }
+});
+mcpRouter.post("/servers/:id/refresh", async (c) => {
+  try {
+    const { getMCPRegistry } = await import("./tools-PJZ6RI4P.js");
+    const registry = getMCPRegistry();
+    if (!registry) return c.json({ error: "MCP not initialized" }, 500);
+    await registry.refreshAllTools();
+    return c.json({ success: true });
+  } catch (err) {
+    return c.json({ error: err?.message || "Failed to refresh" }, 500);
+  }
+});
+var mcp_default = mcpRouter;
+
+// src/inputs/api/routes/bots.ts
+import { Hono as Hono12 } from "hono";
+import { readFileSync, writeFileSync, existsSync } from "fs";
+import { resolve } from "path";
+var botsRouter = new Hono12();
+var BOT_FIELDS = {
+  telegram: [
+    { key: "botToken", envVar: "TELEGRAM_BOT_TOKEN", label: "Bot Token", type: "password", placeholder: "123456:ABC-DEF1234...", help: "Get from @BotFather on Telegram", required: true },
+    { key: "chatId", envVar: "TELEGRAM_CHAT_ID", label: "Chat ID", type: "text", placeholder: "-1001234567890", help: "Your chat/group ID for notifications" }
+  ],
+  discord: [
+    { key: "botToken", envVar: "DISCORD_BOT_TOKEN", label: "Bot Token", type: "password", placeholder: "MTIz...", help: "From Discord Developer Portal > Bot", required: true },
+    { key: "clientId", envVar: "DISCORD_CLIENT_ID", label: "Client ID", type: "text", placeholder: "123456789012345678", help: "Application ID from Discord Developer Portal" },
+    { key: "guildId", envVar: "DISCORD_GUILD_ID", label: "Guild (Server) ID", type: "text", placeholder: "123456789012345678", help: "Right-click server > Copy Server ID" },
+    { key: "allowedUserIds", envVar: "DISCORD_ALLOWED_USER_IDS", label: "Allowed User IDs", type: "text", placeholder: "id1,id2,id3", help: "Comma-separated Discord user IDs" },
+    { key: "allowedRoleIds", envVar: "DISCORD_ALLOWED_ROLE_IDS", label: "Allowed Role IDs", type: "text", placeholder: "id1,id2", help: "Comma-separated Discord role IDs" }
+  ],
+  slack: [
+    { key: "botToken", envVar: "SLACK_BOT_TOKEN", label: "Bot Token", type: "password", placeholder: "xoxb-...", help: "From Slack App > OAuth & Permissions", required: true },
+    { key: "signingSecret", envVar: "SLACK_SIGNING_SECRET", label: "Signing Secret", type: "password", placeholder: "abc123...", help: "From Slack App > Basic Information", required: true },
+    { key: "appToken", envVar: "SLACK_APP_TOKEN", label: "App Token", type: "password", placeholder: "xapp-...", help: "For Socket Mode \u2014 from Slack App > Basic Information" },
+    { key: "socketMode", envVar: "SLACK_SOCKET_MODE", label: "Socket Mode", type: "boolean", help: "Use WebSocket instead of HTTP events" },
+    { key: "port", envVar: "SLACK_PORT", label: "Port", type: "number", placeholder: "3000", help: "HTTP listener port (if not using Socket Mode)" },
+    { key: "allowedUserIds", envVar: "SLACK_ALLOWED_USER_IDS", label: "Allowed User IDs", type: "text", placeholder: "U01ABC,U02DEF", help: "Comma-separated Slack user IDs" },
+    { key: "allowedChannelIds", envVar: "SLACK_ALLOWED_CHANNEL_IDS", label: "Allowed Channel IDs", type: "text", placeholder: "C01ABC,C02DEF", help: "Comma-separated Slack channel IDs" }
+  ],
+  whatsapp: [
+    { key: "enabled", envVar: "WHATSAPP_ENABLED", label: "Enabled", type: "boolean", help: "Enable WhatsApp bot", required: true },
+    { key: "authDir", envVar: "WHATSAPP_AUTH_DIR", label: "Auth Directory", type: "text", placeholder: "./whatsapp-auth", help: "Directory for session storage" },
+    { key: "allowedNumbers", envVar: "WHATSAPP_ALLOWED_NUMBERS", label: "Allowed Numbers", type: "text", placeholder: "+1234567890,+0987654321", help: "Comma-separated phone numbers" }
+  ],
+  signal: [
+    { key: "enabled", envVar: "SIGNAL_ENABLED", label: "Enabled", type: "boolean", help: "Enable Signal bot", required: true },
+    { key: "phoneNumber", envVar: "SIGNAL_PHONE_NUMBER", label: "Phone Number", type: "text", placeholder: "+1234567890", help: "Registered Signal phone number", required: true },
+    { key: "cliPath", envVar: "SIGNAL_CLI_PATH", label: "CLI Path", type: "text", placeholder: "signal-cli", help: "Path to signal-cli binary" },
+    { key: "allowedNumbers", envVar: "SIGNAL_ALLOWED_NUMBERS", label: "Allowed Numbers", type: "text", placeholder: "+1234567890,+0987654321", help: "Comma-separated phone numbers" }
+  ],
+  imessage: [
+    { key: "enabled", envVar: "IMESSAGE_ENABLED", label: "Enabled", type: "boolean", help: "Enable iMessage bot (macOS only)", required: true },
+    { key: "mode", envVar: "IMESSAGE_MODE", label: "Mode", type: "select", options: ["applescript", "bluebubbles"], help: "AppleScript (local) or BlueBubbles (remote)" },
+    { key: "blueBubblesUrl", envVar: "IMESSAGE_BLUEBUBBLES_URL", label: "BlueBubbles URL", type: "text", placeholder: "http://localhost:1234", help: "BlueBubbles server URL" },
+    { key: "blueBubblesPassword", envVar: "IMESSAGE_BLUEBUBBLES_PASSWORD", label: "BlueBubbles Password", type: "password", help: "BlueBubbles server password" },
+    { key: "allowedNumbers", envVar: "IMESSAGE_ALLOWED_NUMBERS", label: "Allowed Numbers", type: "text", placeholder: "+1234567890,+0987654321", help: "Comma-separated phone numbers" }
+  ],
+  matrix: [
+    { key: "enabled", envVar: "MATRIX_ENABLED", label: "Enabled", type: "boolean", help: "Enable Matrix bot", required: true },
+    { key: "homeserverUrl", envVar: "MATRIX_HOMESERVER_URL", label: "Homeserver URL", type: "text", placeholder: "https://matrix.org", help: "Matrix homeserver URL", required: true },
+    { key: "accessToken", envVar: "MATRIX_ACCESS_TOKEN", label: "Access Token", type: "password", help: "Matrix access token", required: true },
+    { key: "userId", envVar: "MATRIX_USER_ID", label: "User ID", type: "text", placeholder: "@bot:matrix.org", help: "Bot's Matrix user ID" },
+    { key: "autoJoin", envVar: "MATRIX_AUTO_JOIN", label: "Auto Join Rooms", type: "boolean", help: "Automatically join rooms when invited" },
+    { key: "e2eEnabled", envVar: "MATRIX_E2E_ENABLED", label: "E2E Encryption", type: "boolean", help: "Enable end-to-end encryption" },
+    { key: "allowedRoomIds", envVar: "MATRIX_ALLOWED_ROOM_IDS", label: "Allowed Room IDs", type: "text", placeholder: "!roomid:matrix.org", help: "Comma-separated room IDs" }
+  ]
+};
+function getEnvFilePath() {
+  return resolve(process.cwd(), ".env");
+}
+function parseEnvFile() {
+  const envPath = getEnvFilePath();
+  const vars = /* @__PURE__ */ new Map();
+  if (!existsSync(envPath)) return vars;
+  const content = readFileSync(envPath, "utf-8");
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    let val = trimmed.slice(eqIdx + 1).trim();
+    if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
+      val = val.slice(1, -1);
+    }
+    vars.set(key, val);
+  }
+  return vars;
+}
+function updateEnvFile(updates) {
+  const envPath = getEnvFilePath();
+  let content = existsSync(envPath) ? readFileSync(envPath, "utf-8") : "";
+  const lines = content.split("\n");
+  for (const [key, value] of Object.entries(updates)) {
+    const lineIdx = lines.findIndex((l) => {
+      const trimmed = l.trim();
+      return !trimmed.startsWith("#") && trimmed.startsWith(key + "=");
+    });
+    const newLine = `${key}=${value}`;
+    if (lineIdx >= 0) {
+      lines[lineIdx] = newLine;
+    } else {
+      lines.push(newLine);
+    }
+  }
+  writeFileSync(envPath, lines.join("\n"), "utf-8");
+}
+botsRouter.get("/status", async (c) => {
+  try {
+    const { env: env2 } = await import("./env-GN5VHI43.js");
+    const bots = [
+      {
+        id: "telegram",
+        name: "Telegram",
+        icon: "telegram",
+        enabled: !!env2.TELEGRAM_BOT_TOKEN,
+        config: {
+          chatId: env2.TELEGRAM_CHAT_ID ? true : false
+        },
+        description: "Telegram bot via grammY framework"
+      },
+      {
+        id: "discord",
+        name: "Discord",
+        icon: "discord",
+        enabled: !!env2.DISCORD_BOT_TOKEN,
+        config: {
+          guildId: env2.DISCORD_GUILD_ID || null,
+          clientId: env2.DISCORD_CLIENT_ID ? true : false,
+          allowedUsers: env2.DISCORD_ALLOWED_USER_IDS ? env2.DISCORD_ALLOWED_USER_IDS.split(",").length : 0
+        },
+        description: "Discord bot via discord.js with slash commands and voice"
+      },
+      {
+        id: "slack",
+        name: "Slack",
+        icon: "slack",
+        enabled: !!env2.SLACK_BOT_TOKEN && !!env2.SLACK_SIGNING_SECRET,
+        config: {
+          socketMode: env2.SLACK_SOCKET_MODE || false,
+          port: env2.SLACK_PORT || 3e3,
+          allowedUsers: env2.SLACK_ALLOWED_USER_IDS ? env2.SLACK_ALLOWED_USER_IDS.split(",").length : 0,
+          allowedChannels: env2.SLACK_ALLOWED_CHANNEL_IDS ? env2.SLACK_ALLOWED_CHANNEL_IDS.split(",").length : 0
+        },
+        description: "Slack bot via @slack/bolt with Socket Mode support"
+      },
+      {
+        id: "whatsapp",
+        name: "WhatsApp",
+        icon: "whatsapp",
+        enabled: !!env2.WHATSAPP_ENABLED,
+        config: {
+          allowedNumbers: env2.WHATSAPP_ALLOWED_NUMBERS ? env2.WHATSAPP_ALLOWED_NUMBERS.split(",").length : 0
+        },
+        description: "WhatsApp bot via Baileys with QR code authentication"
+      },
+      {
+        id: "signal",
+        name: "Signal",
+        icon: "signal",
+        enabled: !!env2.SIGNAL_ENABLED && !!env2.SIGNAL_PHONE_NUMBER,
+        config: {
+          hasPhoneNumber: !!env2.SIGNAL_PHONE_NUMBER,
+          allowedNumbers: env2.SIGNAL_ALLOWED_NUMBERS ? env2.SIGNAL_ALLOWED_NUMBERS.split(",").length : 0
+        },
+        description: "Signal bot via signal-cli with end-to-end encryption"
+      },
+      {
+        id: "imessage",
+        name: "iMessage",
+        icon: "imessage",
+        enabled: !!env2.IMESSAGE_ENABLED,
+        config: {
+          mode: env2.IMESSAGE_MODE || "applescript",
+          allowedNumbers: env2.IMESSAGE_ALLOWED_NUMBERS ? env2.IMESSAGE_ALLOWED_NUMBERS.split(",").length : 0
+        },
+        description: "iMessage bot via AppleScript or BlueBubbles API"
+      },
+      {
+        id: "matrix",
+        name: "Matrix",
+        icon: "matrix",
+        enabled: !!env2.MATRIX_ENABLED && !!env2.MATRIX_HOMESERVER_URL && !!env2.MATRIX_ACCESS_TOKEN,
+        config: {
+          homeserver: env2.MATRIX_HOMESERVER_URL || null,
+          userId: env2.MATRIX_USER_ID || null,
+          autoJoin: env2.MATRIX_AUTO_JOIN ?? true,
+          e2eEnabled: env2.MATRIX_E2E_ENABLED || false,
+          allowedRooms: env2.MATRIX_ALLOWED_ROOM_IDS ? env2.MATRIX_ALLOWED_ROOM_IDS.split(",").length : 0
+        },
+        description: "Matrix bot with optional end-to-end encryption"
+      }
+    ];
+    const enabledCount = bots.filter((b) => b.enabled).length;
+    return c.json({ bots, enabledCount, totalCount: bots.length });
+  } catch {
+    return c.json({ bots: [], enabledCount: 0, totalCount: 0 });
+  }
+});
+botsRouter.get("/fields", (c) => {
+  return c.json(BOT_FIELDS);
+});
+botsRouter.get("/:id/config", async (c) => {
+  const botId = c.req.param("id");
+  const fields = BOT_FIELDS[botId];
+  if (!fields) return c.json({ error: "Unknown bot" }, 404);
+  const envVars = parseEnvFile();
+  const values = {};
+  for (const field of fields) {
+    const raw = envVars.get(field.envVar) || "";
+    if (field.type === "password" && raw) {
+      values[field.key] = raw.length > 10 ? raw.slice(0, 4) + "..." + raw.slice(-4) : "****";
+    } else {
+      values[field.key] = raw;
+    }
+  }
+  return c.json({ botId, values, fields });
+});
+botsRouter.put("/:id/config", async (c) => {
+  const botId = c.req.param("id");
+  const fields = BOT_FIELDS[botId];
+  if (!fields) return c.json({ error: "Unknown bot" }, 404);
+  try {
+    const body = await c.req.json();
+    const updates = {};
+    for (const field of fields) {
+      if (field.key in body) {
+        let val = body[field.key];
+        if (field.type === "password" && (val.includes("...") || val === "****")) continue;
+        updates[field.envVar] = val;
+      }
+    }
+    if (Object.keys(updates).length > 0) {
+      updateEnvFile(updates);
+    }
+    return c.json({ success: true, updated: Object.keys(updates).length, note: "Restart required for changes to take effect" });
+  } catch (err) {
+    return c.json({ error: err?.message || "Failed to update config" }, 500);
+  }
+});
+var bots_default = botsRouter;
+
+// src/inputs/api/routes/m365.ts
+import { Hono as Hono13 } from "hono";
+import { randomBytes as randomBytes3 } from "crypto";
+
+// src/core/security/rate-limiter-enhanced.ts
+var tokenBuckets = /* @__PURE__ */ new Map();
+var cleanup = setInterval(() => {
+  const now = Date.now();
+  for (const [key, bucket] of tokenBuckets) {
+    if (now - bucket.lastRefill > 5 * 60 * 1e3) {
+      tokenBuckets.delete(key);
+    }
+  }
+}, 5 * 60 * 1e3);
+if (cleanup.unref) cleanup.unref();
+function rateLimit(key, maxTokens, refillRate, tokensToConsume = 1) {
+  const now = Date.now();
+  let bucket = tokenBuckets.get(key);
+  if (!bucket) {
+    bucket = { tokens: maxTokens, lastRefill: now };
+    tokenBuckets.set(key, bucket);
+  }
+  const elapsed = (now - bucket.lastRefill) / 1e3;
+  bucket.tokens = Math.min(maxTokens, bucket.tokens + elapsed * refillRate);
+  bucket.lastRefill = now;
+  if (bucket.tokens >= tokensToConsume) {
+    bucket.tokens -= tokensToConsume;
+    return { success: true, remaining: Math.floor(bucket.tokens) };
+  }
+  const retryAfter = Math.ceil(
+    (tokensToConsume - bucket.tokens) / refillRate
+  );
+  return { success: false, retryAfter, remaining: 0 };
+}
+
+// src/inputs/api/routes/m365.ts
+var log = createLogger("api:m365");
+var m365 = new Hono13();
+function currentUserKey(c) {
+  const id = getAuthUserId(c);
+  return id || "local";
+}
+function configGuard(c) {
+  if (!isM365Configured()) {
+    return c.json(
+      {
+        error: "M365 not configured. Set M365_CLIENT_ID, M365_CLIENT_SECRET (and optionally M365_TENANT_ID, M365_REDIRECT_URI) in .env.",
+        configured: false
+      },
+      503
+    );
+  }
+  return null;
+}
+m365.get("/status", async (c) => {
+  const configured = isM365Configured();
+  const userKey = currentUserKey(c);
+  const conn = configured ? await getConnection(userKey) : null;
+  return c.json({
+    configured,
+    connected: !!conn,
+    userKey,
+    connection: conn ? {
+      email: conn.email,
+      displayName: conn.displayName,
+      microsoftUserId: conn.microsoftUserId,
+      scope: conn.scope,
+      expiresAt: conn.expiresAt.toISOString(),
+      createdAt: conn.createdAt.toISOString(),
+      updatedAt: conn.updatedAt.toISOString()
+    } : null
+  });
+});
+m365.get("/auth/login", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const config = getM365Config();
+  cleanupExpiredStates().catch(() => {
+  });
+  const state = randomBytes3(24).toString("hex");
+  const verifier = generateCodeVerifier();
+  const challenge = generateCodeChallenge(verifier);
+  const userKey = currentUserKey(c);
+  const returnTo = c.req.query("returnTo") || void 0;
+  await persistState({ state, codeVerifier: verifier, userKey, returnTo });
+  const url = buildAuthorizeUrl(config, { state, codeChallenge: challenge });
+  log.info("oauth login initiated", { userKey });
+  if (c.req.query("format") === "json") {
+    return c.json({ url, state });
+  }
+  return c.redirect(url);
+});
+m365.get("/auth/callback", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const config = getM365Config();
+  const error = c.req.query("error");
+  if (error) {
+    return c.html(
+      renderCallbackPage({
+        ok: false,
+        title: "Microsoft sign-in failed",
+        body: `${error}: ${c.req.query("error_description") || ""}`
+      })
+    );
+  }
+  const code = c.req.query("code");
+  const state = c.req.query("state");
+  if (!code || !state) {
+    return c.json({ error: "Missing code or state" }, 400);
+  }
+  const saved = await consumeState(state);
+  if (!saved) {
+    log.warn("callback rejected: unknown or expired state");
+    return c.json({ error: "Invalid or expired state \u2014 start the login flow again." }, 400);
+  }
+  try {
+    const tokens = await exchangeCodeForTokens(config, code, saved.codeVerifier);
+    const me = await getMe(tokens.accessToken);
+    const userKey = saved.userKey || me.mail || me.userPrincipalName || me.id;
+    await saveConnection({
+      userKey,
+      tokens,
+      email: me.mail || me.userPrincipalName,
+      displayName: me.displayName,
+      microsoftUserId: me.id
+    });
+    log.info("oauth callback success", { userKey });
+    if (saved.returnTo) {
+      return c.redirect(saved.returnTo);
+    }
+    return c.html(
+      renderCallbackPage({
+        ok: true,
+        title: "Microsoft 365 connected",
+        body: `Signed in as ${escapeHtml(me.displayName || me.userPrincipalName || me.id)}. You can close this tab.`
+      })
+    );
+  } catch (err) {
+    log.error("oauth callback failed", {
+      error: err instanceof Error ? err.message : String(err)
+    });
+    return c.html(
+      renderCallbackPage({
+        ok: false,
+        title: "Microsoft 365 connection failed",
+        body: err instanceof Error ? err.message : "Unknown error"
+      })
+    );
+  }
+});
+m365.post("/auth/logout", async (c) => {
+  const userKey = currentUserKey(c);
+  await deleteConnection(userKey);
+  return c.json({ success: true });
+});
+m365.get("/profile", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const userKey = currentUserKey(c);
+  try {
+    const token = await getAccessToken(userKey);
+    const me = await getMe(token);
+    return c.json(me);
+  } catch (err) {
+    return c.json({ error: err instanceof Error ? err.message : "Failed" }, 401);
+  }
+});
+m365.get("/messages", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const userKey = currentUserKey(c);
+  const top = parseInt(c.req.query("top") || "20", 10);
+  const folder = c.req.query("folder") || "inbox";
+  const unreadOnly = c.req.query("unreadOnly") === "true";
+  const search = c.req.query("search") || void 0;
+  try {
+    const token = await getAccessToken(userKey);
+    const result = await listMessages(token, { top, folder, unreadOnly, search });
+    return c.json(result);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : "Failed";
+    const status = msg.includes("No M365 connection") ? 401 : 500;
+    return c.json({ error: msg }, status);
+  }
+});
+m365.post("/analyze-email", async (c) => {
+  const guard = configGuard(c);
+  const userKey = currentUserKey(c);
+  const limit = rateLimit(
+    `m365:analyze:${userKey}`,
+    env.M365_ANALYZE_RATE_LIMIT,
+    env.M365_ANALYZE_RATE_REFILL
+  );
+  if (!limit.success) {
+    return c.json(
+      { error: "Rate limit exceeded", retryAfter: limit.retryAfter },
+      429
+    );
+  }
+  const body = await c.req.json();
+  let input = null;
+  let inputId = body.graphMessageId;
+  if (body.graphMessageId) {
+    if (guard) return guard;
+    try {
+      const token = await getAccessToken(userKey);
+      const msg = await getMessage(token, body.graphMessageId);
+      const bodyText = msg.body?.contentType === "html" ? stripHtml(msg.body.content || "") : msg.body?.content || msg.bodyPreview || "";
+      input = {
+        subject: msg.subject || "(no subject)",
+        sender: msg.from?.emailAddress?.address || "unknown",
+        body: bodyText
+      };
+    } catch (err) {
+      return c.json(
+        { error: err instanceof Error ? err.message : "Failed to load message" },
+        500
+      );
+    }
+  } else {
+    if (!body.subject || !body.sender) {
+      return c.json({ error: "Either graphMessageId or {subject, sender} is required" }, 400);
+    }
+    input = {
+      subject: String(body.subject),
+      sender: String(body.sender),
+      body: body.body ? String(body.body) : void 0
+    };
+  }
+  const result = await analyzeEmail(input);
+  let id;
+  try {
+    id = await persistAnalysis({
+      userKey,
+      input,
+      inputId,
+      inputType: "email",
+      result
+    });
+  } catch (err) {
+    log.warn("persistAnalysis failed \u2014 returning result anyway", {
+      error: err instanceof Error ? err.message : String(err)
+    });
+  }
+  return c.json({ ...result, id });
+});
+m365.get("/analyses", async (c) => {
+  const userKey = currentUserKey(c);
+  const limit = Math.max(1, Math.min(parseInt(c.req.query("limit") || "50", 10), 200));
+  const rows = await listAnalyses(userKey, limit);
+  return c.json({ results: rows });
+});
+m365.get("/sharepoint/sites", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const userKey = currentUserKey(c);
+  const search = c.req.query("search") || void 0;
+  const top = parseInt(c.req.query("top") || "50", 10);
+  try {
+    const token = await getAccessToken(userKey);
+    const sites = await listSites(token, { search, top });
+    return c.json({ sites });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : "Failed";
+    const status = msg.includes("No M365 connection") ? 401 : 500;
+    return c.json({ error: msg }, status);
+  }
+});
+m365.get("/sharepoint/sites/:siteId", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const userKey = currentUserKey(c);
+  try {
+    const token = await getAccessToken(userKey);
+    const site = await getSite(token, c.req.param("siteId"));
+    return c.json(site);
+  } catch (err) {
+    return c.json({ error: err instanceof Error ? err.message : "Failed" }, 500);
+  }
+});
+m365.get("/sharepoint/sites/:siteId/drives", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const userKey = currentUserKey(c);
+  try {
+    const token = await getAccessToken(userKey);
+    const drives = await listDrives(token, c.req.param("siteId"));
+    return c.json({ drives });
+  } catch (err) {
+    return c.json({ error: err instanceof Error ? err.message : "Failed" }, 500);
+  }
+});
+m365.get("/sharepoint/sites/:siteId/files", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const userKey = currentUserKey(c);
+  const search = c.req.query("search") || void 0;
+  const top = parseInt(c.req.query("top") || "50", 10);
+  try {
+    const token = await getAccessToken(userKey);
+    const drive = await getDefaultDrive(token, c.req.param("siteId"));
+    const items = await listDriveRoot(token, drive.id, { search, top });
+    return c.json({ drive, items });
+  } catch (err) {
+    return c.json({ error: err instanceof Error ? err.message : "Failed" }, 500);
+  }
+});
+m365.get("/sharepoint/drives/:driveId/children/:itemId", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const userKey = currentUserKey(c);
+  const top = parseInt(c.req.query("top") || "50", 10);
+  try {
+    const token = await getAccessToken(userKey);
+    const items = await listDriveChildren(
+      token,
+      c.req.param("driveId"),
+      c.req.param("itemId"),
+      { top }
+    );
+    return c.json({ items });
+  } catch (err) {
+    return c.json({ error: err instanceof Error ? err.message : "Failed" }, 500);
+  }
+});
+m365.get("/sharepoint/drives/:driveId/items/:itemId", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const userKey = currentUserKey(c);
+  try {
+    const token = await getAccessToken(userKey);
+    const item = await getDriveItem(token, c.req.param("driveId"), c.req.param("itemId"));
+    return c.json(item);
+  } catch (err) {
+    return c.json({ error: err instanceof Error ? err.message : "Failed" }, 500);
+  }
+});
+m365.post("/sharepoint/analyze", async (c) => {
+  const guard = configGuard(c);
+  if (guard) return guard;
+  const userKey = currentUserKey(c);
+  const rl = rateLimit(
+    `m365:analyze:${userKey}`,
+    env.M365_ANALYZE_RATE_LIMIT,
+    env.M365_ANALYZE_RATE_REFILL
+  );
+  if (!rl.success) {
+    return c.json({ error: "Rate limit exceeded", retryAfter: rl.retryAfter }, 429);
+  }
+  const body = await c.req.json();
+  if (!body.driveId || !body.itemId) {
+    return c.json({ error: "driveId and itemId are required" }, 400);
+  }
+  try {
+    const token = await getAccessToken(userKey);
+    const item = await getDriveItem(token, body.driveId, body.itemId);
+    const extracted = await extractTextFromDriveItem(token, body.driveId, body.itemId, item);
+    if (!extracted.text || extracted.text.trim().length === 0) {
+      return c.json({
+        error: `No text could be extracted (source: ${extracted.extractedFrom})`,
+        extractedFrom: extracted.extractedFrom,
+        byteLength: extracted.byteLength
+      }, 422);
+    }
+    const analysisInput = {
+      subject: item.name || "(unnamed file)",
+      sender: item.parentReference?.path || "sharepoint",
+      body: extracted.text.slice(0, 16e3)
+      // cap to keep LLM bill sane
+    };
+    const result = await analyzeEmail(analysisInput);
+    let id;
+    try {
+      id = await persistAnalysis({
+        userKey,
+        input: analysisInput,
+        inputId: `${body.driveId}:${body.itemId}`,
+        inputType: "file",
+        result
+      });
+    } catch (err) {
+      log.warn("persistAnalysis failed", {
+        error: err instanceof Error ? err.message : String(err)
+      });
+    }
+    return c.json({
+      ...result,
+      id,
+      file: { name: item.name, size: item.size, webUrl: item.webUrl, mimeType: item.file?.mimeType },
+      extractedFrom: extracted.extractedFrom,
+      byteLength: extracted.byteLength,
+      textLength: extracted.text.length
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : "Failed";
+    return c.json({ error: msg }, 500);
+  }
+});
+function escapeHtml(s) {
+  return s.replace(
+    /[&<>"']/g,
+    (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]
+  );
+}
+function renderCallbackPage(opts) {
+  const color = opts.ok ? "#10b981" : "#ef4444";
+  return `<!doctype html><html><head><meta charset="utf-8"><title>${escapeHtml(opts.title)}</title>
+<style>
+body{font-family:system-ui,-apple-system,Segoe UI,Arial,sans-serif;max-width:640px;margin:40px auto;padding:24px;color:#e5e7eb;background:#0b0f17}
+h1{color:${color};margin-top:0}
+.card{background:#111827;border:1px solid #1f2937;border-radius:10px;padding:20px}
+.btn{display:inline-block;margin-top:16px;padding:10px 18px;background:#10b981;color:#fff;text-decoration:none;border-radius:6px;font-weight:600}
+.btn:hover{background:#059669}
+</style></head><body>
+<div class="card">
+<h1>${escapeHtml(opts.title)}</h1>
+<p>${escapeHtml(opts.body)}</p>
+<a class="btn" href="/">Go Back to Dashboard</a>
+</div></body></html>`;
+}
+
+// src/inputs/api/routes/users.ts
+import { Hono as Hono14 } from "hono";
+var usersRouter = new Hono14();
+usersRouter.get("/", async (c) => {
+  try {
+    const { searchUsers } = await import("./multi-user-XAEMB244.js");
+    const users2 = await searchUsers({});
+    return c.json(users2);
+  } catch {
+    return c.json([]);
+  }
+});
+usersRouter.post("/", async (c) => {
+  try {
+    const { email: email2, name, role } = await c.req.json();
+    if (!email2) {
+      return c.json({ error: "email is required" }, 400);
+    }
+    const { createUser } = await import("./multi-user-XAEMB244.js");
+    const user = await createUser({
+      email: email2,
+      name: name || "",
+      role: role || "user"
+    });
+    return c.json(user, 201);
+  } catch (error) {
+    return c.json({ error: "Failed to create user" }, 500);
+  }
+});
+usersRouter.put("/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const updates = await c.req.json();
+    if (updates.status === "suspended") {
+      const { suspendUser } = await import("./multi-user-XAEMB244.js");
+      await suspendUser(id, "Suspended via dashboard");
+      return c.json({ success: true });
+    }
+    if (updates.status === "active") {
+      const { reactivateUser } = await import("./multi-user-XAEMB244.js");
+      await reactivateUser(id);
+      return c.json({ success: true });
+    }
+    const { updateUser } = await import("./multi-user-XAEMB244.js");
+    await updateUser(id, updates);
+    return c.json({ success: true });
+  } catch (error) {
+    return c.json({ error: "Failed to update user" }, 500);
+  }
+});
+usersRouter.delete("/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const { deleteUser } = await import("./multi-user-XAEMB244.js");
+    await deleteUser(id);
+    return c.json({ success: true });
+  } catch (error) {
+    return c.json({ error: "Failed to delete user" }, 500);
+  }
+});
+var users_default = usersRouter;
+
+// src/inputs/api/server.ts
+import { tmpdir } from "os";
+import { resolve as resolve2, join } from "path";
+import { randomBytes as randomBytes4 } from "crypto";
+var serveStatic;
+try {
+  serveStatic = __require("hono/bun").serveStatic;
+} catch {
+  serveStatic = () => async (_c, next) => next();
+}
+var app = new Hono15();
+app.use("*", logger());
+app.use("/api/*", cors());
+app.use("/api/*", authMiddleware());
+app.get("/health", (c) => {
+  return c.json({ status: "ok", timestamp: (/* @__PURE__ */ new Date()).toISOString() });
+});
+app.post("/api/chat", async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.messages || !Array.isArray(body.messages)) {
+      return c.json({ error: "messages array is required" }, 400);
+    }
+    const response = await chat(body.messages, body.systemPrompt);
+    return c.json({
+      content: response.content,
+      usage: {
+        inputTokens: response.inputTokens,
+        outputTokens: response.outputTokens
+      }
+    });
+  } catch (error) {
+    console.error("Chat API error:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.post("/api/chat/tools", requirePermission("chat:tools"), async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.messages || !Array.isArray(body.messages)) {
+      return c.json({ error: "messages array is required" }, 400);
+    }
+    const toolsUsed = [];
+    const response = await chatWithTools(body.messages, body.userId, (tool) => {
+      toolsUsed.push(tool);
+    });
+    return c.json({
+      content: response.content,
+      toolsUsed,
+      usage: {
+        inputTokens: response.inputTokens,
+        outputTokens: response.outputTokens
+      }
+    });
+  } catch (error) {
+    console.error("Chat with tools API error:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.post("/api/ask", async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.message) {
+      return c.json({ error: "message is required" }, 400);
+    }
+    const messages2 = [{ role: "user", content: body.message }];
+    const response = body.useTools ? await chatWithTools(messages2) : await chat(messages2, body.systemPrompt);
+    return c.json({
+      content: response.content,
+      toolsUsed: response.toolsUsed,
+      usage: {
+        inputTokens: response.inputTokens,
+        outputTokens: response.outputTokens
+      }
+    });
+  } catch (error) {
+    console.error("Ask API error:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.get("/api/conversations", async (c) => {
+  try {
+    const convos = await db.select().from(conversations).orderBy(desc2(conversations.updatedAt)).limit(50);
+    return c.json(convos);
+  } catch (error) {
+    console.error("Error fetching conversations:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.get("/api/conversations/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const convo = await db.select().from(conversations).where(eq4(conversations.id, id)).limit(1);
+    if (convo.length === 0) {
+      return c.json({ error: "Conversation not found" }, 404);
+    }
+    const msgs = await db.select().from(messages).where(eq4(messages.conversationId, id)).orderBy(messages.createdAt);
+    const decryptedMsgs = msgs.map((m) => {
+      if (m.encrypted && m.content) {
+        try {
+          return { ...m, content: decryptField(m.content) ?? m.content };
+        } catch {
+          return m;
+        }
+      }
+      return m;
+    });
+    return c.json({ conversation: convo[0], messages: decryptedMsgs });
+  } catch (error) {
+    console.error("Error fetching conversation:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.get("/api/memories", async (c) => {
+  try {
+    const userId = c.req.query("userId");
+    const limit = parseInt(c.req.query("limit") || "50");
+    let query = db.select().from(memories).orderBy(desc2(memories.createdAt)).limit(limit);
+    const mems = await query;
+    return c.json(mems);
+  } catch (error) {
+    console.error("Error fetching memories:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.post("/api/memories/search", async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.query) {
+      return c.json({ error: "query is required" }, 400);
+    }
+    const results = await searchMemories(body.query, body.userId, body.limit || 5);
+    return c.json(results);
+  } catch (error) {
+    console.error("Error searching memories:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.post("/api/memories", async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.content) {
+      return c.json({ error: "content is required" }, 400);
+    }
+    const memory = await storeMemory({
+      content: body.content,
+      type: body.type || "semantic",
+      importance: body.importance || 5,
+      userId: body.userId,
+      source: "api",
+      provenance: "api:manual"
+    });
+    return c.json(memory);
+  } catch (error) {
+    console.error("Error storing memory:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.get("/api/memories/export", async (c) => {
+  try {
+    const userId = c.req.query("userId");
+    const format = c.req.query("format") || "markdown";
+    const exported = await exportMemories(userId || void 0, format);
+    if (format === "json") {
+      return c.json(JSON.parse(exported));
+    }
+    return c.text(exported);
+  } catch (error) {
+    console.error("Error exporting memories:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.get("/api/memories/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const memory = await getMemoryById(id);
+    if (!memory) {
+      return c.json({ error: "Memory not found" }, 404);
+    }
+    return c.json(memory);
+  } catch (error) {
+    console.error("Error fetching memory:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.put("/api/memories/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const body = await c.req.json();
+    const updated = await updateMemory(id, body);
+    if (!updated) {
+      return c.json({ error: "Memory not found or no changes" }, 404);
+    }
+    return c.json(updated);
+  } catch (error) {
+    console.error("Error updating memory:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.delete("/api/memories/:id", requirePermission("memories:delete"), async (c) => {
+  try {
+    const id = c.req.param("id");
+    const deleted = await deleteMemory(id);
+    if (!deleted) {
+      return c.json({ error: "Memory not found" }, 404);
+    }
+    return c.json({ success: true, id });
+  } catch (error) {
+    console.error("Error deleting memory:", error);
+    return c.json({ error: "Internal server error" }, 500);
+  }
+});
+app.get("/api/autonomy", async (c) => {
+  try {
+    const { autonomyManager } = await import("./autonomy-N7W5XPLX.js");
+    const userId = c.req.query("userId");
+    return c.json({
+      level: userId ? autonomyManager.getLevel(userId) : autonomyManager.getDefaultLevel(),
+      stats: autonomyManager.getStats()
+    });
+  } catch (error) {
+    return c.json({ error: "Autonomy system not available" }, 500);
+  }
+});
+app.put("/api/autonomy", async (c) => {
+  try {
+    const { autonomyManager } = await import("./autonomy-N7W5XPLX.js");
+    const body = await c.req.json();
+    const level = body.level;
+    if (!["readonly", "supervised", "autonomous"].includes(level)) {
+      return c.json({ error: "Invalid level. Must be: readonly, supervised, or autonomous" }, 400);
+    }
+    if (body.userId) {
+      autonomyManager.setLevel(body.userId, level);
+    } else {
+      autonomyManager.setDefaultLevel(level);
+    }
+    return c.json({ success: true, level });
+  } catch (error) {
+    return c.json({ error: "Autonomy system not available" }, 500);
+  }
+});
+app.get("/metrics", async (c) => {
+  try {
+    const { prometheusExporter } = await import("./prometheus-YETCZO4I.js");
+    const text = prometheusExporter.toTextFormat();
+    return c.text(text, 200, { "Content-Type": "text/plain; version=0.0.4; charset=utf-8" });
+  } catch (error) {
+    return c.text("# Prometheus metrics not available\n", 500);
+  }
+});
+app.get("/api/metrics/prometheus", async (c) => {
+  try {
+    const { prometheusExporter } = await import("./prometheus-YETCZO4I.js");
+    const text = prometheusExporter.toTextFormat();
+    return c.text(text, 200, { "Content-Type": "text/plain; version=0.0.4; charset=utf-8" });
+  } catch (error) {
+    return c.text("# Prometheus metrics not available\n", 500);
+  }
+});
+app.post("/api/pair", async (c) => {
+  try {
+    const { pairingManager } = await import("./pairing-77N47RAT.js");
+    const body = await c.req.json();
+    if (!body.code) {
+      return c.json({ error: "code is required" }, 400);
+    }
+    const result = pairingManager.pair(body.code, body.deviceInfo || "Unknown device");
+    if (!result.success) {
+      return c.json({ error: result.error }, 401);
+    }
+    return c.json({ token: result.token });
+  } catch (error) {
+    return c.json({ error: "Pairing system not available" }, 500);
+  }
+});
+app.get("/api/providers", async (c) => {
+  try {
+    const { providerRegistry } = await import("./providers-2YQ6E3IF.js");
+    return c.json({
+      providers: providerRegistry.listProviders(),
+      default: providerRegistry.getDefaultId()
+    });
+  } catch (error) {
+    return c.json({ error: "Provider system not available" }, 500);
+  }
+});
+app.route("/api/osint", osint);
+app.route("/api/email", email);
+app.route("/api/sdk", sdkRoutes);
+app.route("/api/admin", admin_default);
+app.get("/api/audit-logs", async (c) => {
+  try {
+    const { queryAuditLogs: queryAuditLogs2 } = await import("./audit-logger-CI4WZQPD.js");
+    const url = new URL(c.req.url);
+    const options = {};
+    const userId = url.searchParams.get("userId");
+    if (userId) options.userId = userId;
+    const action = url.searchParams.get("action");
+    if (action) options.action = action;
+    const resource = url.searchParams.get("resource");
+    if (resource) options.resource = resource;
+    const startDate = url.searchParams.get("startDate");
+    if (startDate) options.startDate = new Date(startDate);
+    const endDate = url.searchParams.get("endDate");
+    if (endDate) options.endDate = new Date(endDate);
+    const limit = url.searchParams.get("limit");
+    if (limit) options.limit = parseInt(limit);
+    const offset = url.searchParams.get("offset");
+    if (offset) options.offset = parseInt(offset);
+    const logs = await queryAuditLogs2(options);
+    return c.json({ success: true, logs });
+  } catch (err) {
+    return c.json({ success: false, error: err?.message || "Failed to query audit logs", logs: [] });
+  }
+});
+app.get("/api/audit-logs/integrity", async (c) => {
+  try {
+    const { getAuditChainIntegrity: getAuditChainIntegrity2 } = await import("./audit-logger-CI4WZQPD.js");
+    const integrity = await getAuditChainIntegrity2();
+    return c.json({ success: true, ...integrity });
+  } catch (err) {
+    return c.json({ success: false, error: err?.message, chainValid: false, totalEntries: 0, lastSequence: 0 });
+  }
+});
+app.delete("/api/audit-logs", async (c) => {
+  try {
+    const { auditLogs } = await import("./schema-ETY7L2VA.js");
+    await db.delete(auditLogs);
+    return c.json({ success: true });
+  } catch (err) {
+    return c.json({ error: err?.message || "Failed to clear audit logs" }, 500);
+  }
+});
+app.delete("/api/conversations", async (c) => {
+  try {
+    await db.delete(messages);
+    await db.delete(conversations);
+    return c.json({ success: true });
+  } catch (err) {
+    return c.json({ error: err?.message || "Failed to clear sessions" }, 500);
+  }
+});
+app.delete("/api/conversations/:id", async (c) => {
+  try {
+    const id = c.req.param("id");
+    const convo = await db.select().from(conversations).where(eq4(conversations.id, id)).limit(1);
+    if (convo.length === 0) {
+      return c.json({ error: "Conversation not found" }, 404);
+    }
+    await db.delete(messages).where(eq4(messages.conversationId, id));
+    await db.delete(conversations).where(eq4(conversations.id, id));
+    return c.json({ success: true, id });
+  } catch (err) {
+    return c.json({ error: err?.message || "Failed to delete conversation" }, 500);
+  }
+});
+app.route("/api/brain", brain_default);
+app.route("/api/scheduler", scheduler_default);
+app.route("/api/alerts", alerts_default);
+app.route("/api/webhooks", webhooks_default);
+app.route("/api/github", github_default);
+app.get("/api/metrics/overview", async (c) => {
+  try {
+    const { getMetricAggregates: getMetricAggregates2 } = await import("./metrics-BH3ZLGEV.js");
+    const { getErrorStats: getErrorStats2 } = await import("./error-tracker-64DEH3D7.js");
+    const now = /* @__PURE__ */ new Date();
+    const dayAgo = new Date(now.getTime() - 24 * 60 * 60 * 1e3);
+    const weekAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1e3);
+    const [latencyDay, inputDay, outputDay, errorsDay, inputWeek, outputWeek] = await Promise.allSettled([
+      getMetricAggregates2("response_latency", dayAgo, now),
+      getMetricAggregates2("token_usage_input", dayAgo, now),
+      getMetricAggregates2("token_usage_output", dayAgo, now),
+      getErrorStats2(dayAgo, now),
+      getMetricAggregates2("token_usage_input", weekAgo, now),
+      getMetricAggregates2("token_usage_output", weekAgo, now)
+    ]);
+    const val = (r, key) => r.status === "fulfilled" ? r.value?.[key] ?? 0 : 0;
+    return c.json({
+      last24h: {
+        inputTokens: val(inputDay, "sum"),
+        outputTokens: val(outputDay, "sum"),
+        requests: val(latencyDay, "count"),
+        avgLatencyMs: val(latencyDay, "avg"),
+        errors: errorsDay.status === "fulfilled" ? errorsDay.value?.total ?? 0 : 0
+      },
+      last7d: {
+        inputTokens: val(inputWeek, "sum"),
+        outputTokens: val(outputWeek, "sum")
+      }
+    });
+  } catch {
+    return c.json({ last24h: {}, last7d: {} });
+  }
+});
+app.route("/api/metrics", metrics_default);
+app.route("/api/mcp", mcp_default);
+app.route("/api/bots", bots_default);
+app.route("/api/m365", m365);
+app.get("/api/callbacks/outlook", async (c) => {
+  const search = new URL(c.req.url).search;
+  const forward = new Request(
+    `http://localhost/api/m365/auth/callback${search}`,
+    { method: "GET", headers: c.req.raw.headers }
+  );
+  return app.fetch(forward);
+});
+app.route("/api/users", users_default);
+app.get("/api/incidents", requirePermission("admin:settings"), async (c) => {
+  try {
+    const { getOpenIncidents } = await import("./incident-response-E3UGMX5G.js");
+    const severity = c.req.query("severity");
+    const type = c.req.query("type");
+    const incidents = await getOpenIncidents({ severity, type, limit: 50 });
+    return c.json(incidents);
+  } catch (error) {
+    return c.json({ error: "Incident system not available" }, 500);
+  }
+});
+app.get("/api/incidents/:id", requirePermission("admin:settings"), async (c) => {
+  try {
+    const { generateIncidentReport } = await import("./incident-response-E3UGMX5G.js");
+    const id = c.req.param("id");
+    const report = await generateIncidentReport(id);
+    return c.json(report);
+  } catch (error) {
+    return c.json({ error: "Incident not found" }, 404);
+  }
+});
+app.post("/api/incidents/:id/status", requirePermission("admin:settings"), async (c) => {
+  try {
+    const { updateIncidentStatus } = await import("./incident-response-E3UGMX5G.js");
+    const id = c.req.param("id");
+    const body = await c.req.json();
+    const userId = getAuthUserId(c);
+    const updated = await updateIncidentStatus(id, body.status, userId, body.notes);
+    return c.json(updated);
+  } catch (error) {
+    return c.json({ error: "Failed to update incident" }, 500);
+  }
+});
+app.post("/api/incidents/:id/resolve", requirePermission("admin:settings"), async (c) => {
+  try {
+    const { resolveIncident } = await import("./incident-response-E3UGMX5G.js");
+    const id = c.req.param("id");
+    const body = await c.req.json();
+    const userId = getAuthUserId(c);
+    const resolved = await resolveIncident(id, body.notes, userId);
+    return c.json(resolved);
+  } catch (error) {
+    return c.json({ error: "Failed to resolve incident" }, 500);
+  }
+});
+app.get("/api/audit/integrity", requirePermission("admin:settings"), async (c) => {
+  try {
+    const { getAuditChainIntegrity: getAuditChainIntegrity2 } = await import("./audit-logger-CI4WZQPD.js");
+    const integrity = await getAuditChainIntegrity2();
+    return c.json(integrity);
+  } catch (error) {
+    return c.json({ error: "Audit system not available" }, 500);
+  }
+});
+app.post("/api/transcribe", async (c) => {
+  try {
+    const formData = await c.req.formData();
+    const audioFile = formData.get("audio");
+    if (!audioFile || !(audioFile instanceof File)) {
+      return c.json({ error: "audio file is required" }, 400);
+    }
+    const buffer = Buffer.from(await audioFile.arrayBuffer());
+    const text = await transcribeAudio(buffer);
+    if (!text) {
+      return c.json({ error: "Could not transcribe audio" }, 500);
+    }
+    return c.json({ text });
+  } catch (error) {
+    console.error("Transcribe API error:", error);
+    return c.json({ error: "Transcription failed" }, 500);
+  }
+});
+app.post("/api/tts", async (c) => {
+  try {
+    const body = await c.req.json();
+    if (!body.text) {
+      return c.json({ error: "text is required" }, 400);
+    }
+    const audioBuffer = await textToSpeech(body.text);
+    if (!audioBuffer) {
+      return c.json({ error: "Text-to-speech failed" }, 500);
+    }
+    return new Response(new Uint8Array(audioBuffer), {
+      headers: {
+        "Content-Type": "audio/mpeg",
+        "Content-Length": String(audioBuffer.length)
+      }
+    });
+  } catch (error) {
+    console.error("TTS API error:", error);
+    return c.json({ error: "TTS failed" }, 500);
+  }
+});
+app.get("/api/system/status", async (c) => {
+  return c.json({
+    status: "online",
+    version: "3.6.1",
+    uptime: process.uptime(),
+    memory: process.memoryUsage()
+  });
+});
+app.get("/api/callbacks/spotify", async (c) => {
+  try {
+    const code = c.req.query("code");
+    const error = c.req.query("error");
+    if (error) {
+      return c.html(`<h1>Spotify Authorization Failed</h1><p>Error: ${error}</p><p>Go back and try again.</p>`);
+    }
+    if (!code) {
+      return c.html(`<h1>Missing Authorization Code</h1><p>No code received from Spotify.</p>`);
+    }
+    const { env: appEnv } = await import("./env-GN5VHI43.js");
+    if (!appEnv.SPOTIFY_CLIENT_ID || !appEnv.SPOTIFY_CLIENT_SECRET) {
+      return c.html(`<h1>Spotify Not Configured</h1><p>Set SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET in .env</p>`);
+    }
+    const { createSpotifyAuth } = await import("./auth-PH5IHISW.js");
+    const auth = createSpotifyAuth({
+      clientId: appEnv.SPOTIFY_CLIENT_ID,
+      clientSecret: appEnv.SPOTIFY_CLIENT_SECRET,
+      redirectUri: appEnv.SPOTIFY_REDIRECT_URI || `http://localhost:${appEnv.PORT}/api/callbacks/spotify`
+    });
+    const tokens = await auth.exchangeCode(code);
+    return c.html(`
+      <html><body style="font-family: system-ui; max-width: 600px; margin: 40px auto; padding: 20px;">
+        <h1>Spotify Connected!</h1>
+        <p>Add this to your <code>.env</code> file:</p>
+        <pre style="background: #f0f0f0; padding: 16px; border-radius: 8px; word-break: break-all; white-space: pre-wrap;">SPOTIFY_REFRESH_TOKEN=${tokens.refreshToken}</pre>
+        <p>Then restart OpenSentinel. You can close this page.</p>
+      </body></html>
+    `);
+  } catch (err) {
+    console.error("Spotify callback error:", err);
+    return c.html(`<h1>Spotify Auth Error</h1><p>${err instanceof Error ? err.message : String(err)}</p>`);
+  }
+});
+app.get("/api/spotify/authorize", async (c) => {
+  try {
+    const { env: appEnv } = await import("./env-GN5VHI43.js");
+    if (!appEnv.SPOTIFY_CLIENT_ID || !appEnv.SPOTIFY_CLIENT_SECRET) {
+      return c.json({ error: "Spotify not configured. Set SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET in .env" }, 400);
+    }
+    const { createSpotifyAuth, DEFAULT_SCOPES } = await import("./auth-PH5IHISW.js");
+    const auth = createSpotifyAuth({
+      clientId: appEnv.SPOTIFY_CLIENT_ID,
+      clientSecret: appEnv.SPOTIFY_CLIENT_SECRET,
+      redirectUri: appEnv.SPOTIFY_REDIRECT_URI || `http://localhost:${appEnv.PORT}/api/callbacks/spotify`
+    });
+    const url = auth.getAuthorizationUrl(DEFAULT_SCOPES, void 0, true);
+    return c.json({ url });
+  } catch (err) {
+    return c.json({ error: err instanceof Error ? err.message : String(err) }, 500);
+  }
+});
+app.get("/api/files/download/:token", async (c) => {
+  const token = c.req.param("token");
+  const entry = getDownloadEntry(token);
+  if (!entry) {
+    return c.json({ error: "Download link expired or invalid" }, 404);
+  }
+  const tmp = resolve2(tmpdir());
+  if (!entry.filePath.startsWith(tmp)) {
+    return c.json({ error: "Access denied" }, 403);
+  }
+  try {
+    const file = Bun.file(entry.filePath);
+    if (!await file.exists()) {
+      return c.json({ error: "File not found" }, 404);
+    }
+    return new Response(file, {
+      headers: {
+        "Content-Type": entry.contentType,
+        "Content-Disposition": `attachment; filename="${entry.filename}"`
+      }
+    });
+  } catch {
+    return c.json({ error: "Failed to serve file" }, 500);
+  }
+});
+app.post("/api/files/upload", async (c) => {
+  try {
+    const formData = await c.req.formData();
+    const file = formData.get("file");
+    if (!file || !(file instanceof File)) {
+      return c.json({ error: "file field is required" }, 400);
+    }
+    if (file.size > 50 * 1024 * 1024) {
+      return c.json({ error: "File too large (50MB max)" }, 413);
+    }
+    const ext = file.name.split(".").pop() || "bin";
+    const id = randomBytes4(8).toString("hex");
+    const filename = `sentinel-upload-${id}.${ext}`;
+    const filePath = join(tmpdir(), filename);
+    const buffer = Buffer.from(await file.arrayBuffer());
+    await Bun.write(filePath, buffer);
+    return c.json({ filePath, originalName: file.name });
+  } catch {
+    return c.json({ error: "Upload failed" }, 500);
+  }
+});
+app.use("/*", serveStatic({ root: "./src/web/dist" }));
+app.get("/*", serveStatic({ path: "./src/web/dist/index.html" }));
+
+export {
+  getGatewayToken,
+  timingSafeEqual,
+  app
+};
+//# sourceMappingURL=chunk-S2EOIVF4.js.map