pal-explorer-cli 0.4.0

package/lib/core/webServer.js

@@ -0,0 +1,702 @@
+import express from 'express';
+import { createServer } from 'http';
+import { WebSocketServer } from 'ws';
+import crypto from 'crypto';
+import path from 'path';
+import fs from 'fs';
+import { fileURLToPath } from 'url';
+import config from '../utils/config.js';
+import { getDownloadDir } from '../utils/downloadDir.js';
+import os from 'os';
+import { listShares, addShare, removeShare } from './shares.js';
+import { getTransfers, trackTransfer, removeTransfer, setTransferPaused } from './transfers.js';
+import { getFriends, saveFriends } from './users.js';
+import { getGroups, getGroup, createGroup, deleteGroup, addMemberToGroup, removeMemberFromGroup, getShareComments, addShareComment, deleteShareComment } from './groups.js';
+import { isPro } from './pro.js';
+
+const TOKEN_KEY = 'webDashboardToken';
+
+function getOrCreateToken() {
+  let token = config.get(TOKEN_KEY);
+  if (!token) {
+    token = crypto.randomBytes(32).toString('hex');
+    config.set(TOKEN_KEY, token);
+  }
+  return token;
+}
+
+function authMiddleware(req, res, next) {
+  const token = req.headers.authorization?.replace('Bearer ', '');
+  if (!token) return res.status(401).json({ error: 'Unauthorized' });
+  const expected = Buffer.from(getOrCreateToken(), 'hex');
+  const provided = Buffer.from(token, 'hex');
+  if (provided.length !== expected.length || !crypto.timingSafeEqual(provided, expected)) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+  next();
+}
+
+export { getOrCreateToken };
+
+export function startWebServer(port, torrentClient, { bindAddress = '127.0.0.1' } = {}) {
+  const app = express();
+  const server = createServer(app);
+  const wss = new WebSocketServer({ server, path: '/ws' });
+
+  app.use(express.json({ limit: '64kb' }));
+
+  // Security headers
+  app.use((req, res, next) => {
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    res.setHeader('X-Frame-Options', 'DENY');
+    res.setHeader('X-XSS-Protection', '0');
+    res.setHeader('Cache-Control', 'no-store');
+    next();
+  });
+
+  // CORS: localhost only
+  app.use((req, res, next) => {
+    const origin = req.headers.origin;
+    if (origin && /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin)) {
+      res.setHeader('Access-Control-Allow-Origin', origin);
+      res.setHeader('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS');
+      res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+    }
+    if (req.method === 'OPTIONS') return res.sendStatus(204);
+    next();
+  });
+
+  // Serve static web UI (built dist preferred, raw web/ as fallback)
+  const __dirname = path.dirname(fileURLToPath(import.meta.url));
+  const webDistPath = path.join(__dirname, '..', '..', 'web', 'dist');
+  const webRootPath = path.join(__dirname, '..', '..', 'web');
+  if (fs.existsSync(webDistPath)) {
+    app.use(express.static(webDistPath));
+  } else if (fs.existsSync(webRootPath)) {
+    app.use(express.static(webRootPath));
+  }
+
+  // ── Mobile Auth (session-based, uses same token as Bearer) ──
+
+  app.get('/api/auth/status', (req, res) => {
+    res.json({ setup: true, version: '0.4.0' });
+  });
+
+  app.post('/api/auth/login', (req, res) => {
+    const { token } = req.body;
+    if (!token) return res.status(400).json({ error: 'token required' });
+    try {
+      const expected = Buffer.from(getOrCreateToken(), 'hex');
+      const provided = Buffer.from(token, 'hex');
+      if (provided.length !== expected.length || !crypto.timingSafeEqual(provided, expected)) {
+        return res.status(401).json({ error: 'Invalid token' });
+      }
+    } catch {
+      return res.status(401).json({ error: 'Invalid token' });
+    }
+    res.json({ ok: true, token, expiresIn: 86400 * 7 });
+  });
+
+  app.post('/api/auth/logout', (req, res) => {
+    res.json({ ok: true });
+  });
+
+  app.post('/api/auth/refresh', (req, res) => {
+    const token = req.headers.authorization?.replace('Bearer ', '');
+    if (!token) return res.status(401).json({ error: 'Unauthorized' });
+    try {
+      const expected = Buffer.from(getOrCreateToken(), 'hex');
+      const provided = Buffer.from(token, 'hex');
+      if (provided.length !== expected.length || !crypto.timingSafeEqual(provided, expected)) {
+        return res.status(401).json({ error: 'Invalid token' });
+      }
+    } catch {
+      return res.status(401).json({ error: 'Invalid token' });
+    }
+    res.json({ ok: true, token, expiresIn: 86400 * 7 });
+  });
+
+  // Health check (no auth)
+  app.get('/api/status', (req, res) => {
+    res.json({ status: 'ok', uptime: process.uptime() });
+  });
+
+  // P2P browse — returns one directory level of a non-private share
+  // HIGH-4 fix: require auth token, no CORS wildcard
+  app.get('/p2p/browse', authMiddleware, (req, res) => {
+    const { share: shareName, path: dirPath = '' } = req.query;
+    if (!shareName) return res.status(400).json({ error: 'share required' });
+    const shares = listShares();
+    const share = shares.find(s => s.name === shareName && s.visibility !== 'private');
+    if (!share?.path) return res.status(404).json({ error: 'Share not found' });
+    try {
+      const base = path.resolve(share.path);
+      const target = dirPath ? path.resolve(path.join(base, dirPath)) : base;
+      if (!target.startsWith(base)) return res.status(403).json({ error: 'Forbidden' });
+      const entries = fs.readdirSync(target, { withFileTypes: true });
+      res.json(entries.map(e => {
+        const entryPath = dirPath ? `${dirPath}/${e.name}` : e.name;
+        let size = null;
+        if (e.isFile()) { try { size = fs.statSync(path.join(target, e.name)).size; } catch {} }
+        return { name: e.name, path: entryPath, isDir: e.isDirectory(), size };
+      }));
+    } catch {
+      res.status(500).json({ error: 'Failed to read directory' });
+    }
+  });
+
+  // P2P file download — serves a single file from a non-private share
+  // HIGH-4 fix: require auth token, no CORS wildcard
+  app.get('/p2p/file', authMiddleware, (req, res) => {
+    const { share: shareName, path: filePath } = req.query;
+    if (!shareName || !filePath) return res.status(400).json({ error: 'share and path required' });
+    const shares = listShares();
+    const share = shares.find(s => s.name === shareName && s.visibility !== 'private');
+    if (!share?.path) return res.status(404).json({ error: 'Share not found' });
+    try {
+      const base = path.resolve(share.path);
+      const target = path.resolve(path.join(base, filePath));
+      if (!target.startsWith(base)) return res.status(403).json({ error: 'Forbidden' });
+      if (!fs.existsSync(target) || fs.statSync(target).isDirectory()) {
+        return res.status(404).json({ error: 'File not found' });
+      }
+      res.sendFile(target);
+    } catch {
+      res.status(500).json({ error: 'Failed to serve file' });
+    }
+  });
+
+  // All other API routes require auth
+  app.use('/api', authMiddleware);
+
+  // Identity (allowlist safe fields)
+  app.get('/api/identity', (req, res) => {
+    const identity = config.get('identity');
+    if (!identity) return res.json({ error: 'No identity configured' });
+    res.json({
+      publicKey: identity.publicKey,
+      name: identity.name,
+      handle: identity.handle || null,
+      createdAt: identity.createdAt || null,
+    });
+  });
+
+  // Shares
+  app.get('/api/shares', (req, res) => {
+    res.json(listShares());
+  });
+
+  app.post('/api/shares', (req, res) => {
+    try {
+      const { path: sharePath, visibility, recipients } = req.body;
+      if (!sharePath) return res.status(400).json({ error: 'path is required' });
+      const share = addShare(sharePath, 'file', visibility || 'global', { read: true, write: false }, recipients || []);
+      res.status(201).json(share);
+      broadcast({ type: 'share:created', share });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.delete('/api/shares/:id', (req, res) => {
+    try {
+      removeShare(req.params.id);
+      res.json({ ok: true });
+      broadcast({ type: 'share:removed', id: req.params.id });
+    } catch (err) {
+      res.status(404).json({ error: err.message });
+    }
+  });
+
+  // Pals (per-user)
+  app.get('/api/pals', (req, res) => {
+    res.json(getFriends());
+  });
+
+  app.post('/api/pals', (req, res) => {
+    const { target, name } = req.body;
+    if (!target) return res.status(400).json({ error: 'target is required' });
+    if (!/^[0-9a-f]{64}$/i.test(target)) return res.status(400).json({ error: 'Invalid public key format' });
+
+    const friends = getFriends();
+    if (friends.find(f => f.id === target)) {
+      return res.status(409).json({ error: 'Pal already exists' });
+    }
+
+    const pal = { id: target, name: name || 'Unnamed Pal', handle: null, addedAt: new Date().toISOString() };
+    friends.push(pal);
+    saveFriends(friends);
+    res.status(201).json(pal);
+    broadcast({ type: 'pal:added', pal });
+  });
+
+  app.delete('/api/pals/:id', (req, res) => {
+    const friends = getFriends();
+    const index = friends.findIndex(f => f.id === req.params.id);
+    if (index === -1) return res.status(404).json({ error: 'Pal not found' });
+
+    const [removed] = friends.splice(index, 1);
+    saveFriends(friends);
+    res.json({ ok: true });
+    broadcast({ type: 'pal:removed', id: removed.id });
+  });
+
+  // Transfers
+  app.get('/api/transfers', (req, res) => {
+    res.json(getTransfers());
+  });
+
+  // Downloads
+  app.post('/api/downloads', (req, res) => {
+    const { magnet, name, encryptedShareKey } = req.body;
+    if (!magnet) return res.status(400).json({ error: 'magnet is required' });
+    if (!torrentClient) return res.status(503).json({ error: 'Torrent client not available' });
+
+    try {
+      const downloadDir = getDownloadDir();
+      trackTransfer(magnet, name || 'download', downloadDir, encryptedShareKey || null);
+      torrentClient.add(magnet, { path: downloadDir }, (torrent) => {
+        broadcast({ type: 'download:started', name: torrent.name, magnet });
+      });
+      res.status(202).json({ ok: true, magnet });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // Scheduled Tasks
+  app.get('/api/schedule', (req, res) => {
+    const tasks = config.get('scheduledTasks') || [];
+    res.json(tasks);
+  });
+
+  app.post('/api/schedule', (req, res) => {
+    const { type, executeAt, data } = req.body;
+    if (!type || !executeAt) return res.status(400).json({ error: 'type and executeAt required' });
+    if (!['share', 'download', 'revoke'].includes(type)) return res.status(400).json({ error: 'Invalid type' });
+    const ts = new Date(executeAt).getTime();
+    if (isNaN(ts) || ts <= Date.now()) return res.status(400).json({ error: 'executeAt must be a valid future datetime' });
+
+    const tasks = config.get('scheduledTasks') || [];
+    const task = {
+      id: Date.now().toString(36) + Math.random().toString(36).slice(2, 6),
+      type, executeAt: ts, data: data || {},
+      status: 'pending', createdAt: new Date().toISOString(),
+    };
+    tasks.push(task);
+    config.set('scheduledTasks', tasks);
+    res.status(201).json(task);
+    broadcast({ type: 'schedule:created', task });
+  });
+
+  app.delete('/api/schedule/:id', (req, res) => {
+    const tasks = config.get('scheduledTasks') || [];
+    const task = tasks.find(t => t.id === req.params.id);
+    if (!task) return res.status(404).json({ error: 'Task not found' });
+    if (task.status !== 'pending') return res.status(400).json({ error: `Cannot cancel task with status: ${task.status}` });
+    task.status = 'cancelled';
+    config.set('scheduledTasks', tasks);
+    res.json({ ok: true });
+    broadcast({ type: 'schedule:cancelled', id: req.params.id });
+  });
+
+  // Chat messages (local history)
+  app.get('/api/chat', (req, res) => {
+    const chatHistory = config.get('chatHistory') || {};
+    res.json(chatHistory);
+  });
+
+  app.get('/api/chat/:handle', (req, res) => {
+    const chatHistory = config.get('chatHistory') || {};
+    res.json(chatHistory[req.params.handle] || []);
+  });
+
+  app.post('/api/chat', async (req, res) => {
+    const { toHandle, text } = req.body;
+    if (!toHandle || !text) return res.status(400).json({ error: 'toHandle and text required' });
+
+    const identity = config.get('identity');
+    if (!identity?.handle) return res.status(400).json({ error: 'No handle registered' });
+
+    const discoveryUrl = process.env.PAL_DISCOVERY_URL || config.get('discoveryUrl') || 'http://localhost:3000';
+    const timestamp = Date.now();
+
+    try {
+      const r = await fetch(`${discoveryUrl}/api/v1/messages`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          toHandle, fromHandle: identity.handle,
+          payload: { type: 'chat', text, timestamp },
+        }),
+        signal: AbortSignal.timeout(10000),
+      });
+      if (!r.ok) return res.status(502).json({ error: 'Failed to send message' });
+
+      const chatHistory = config.get('chatHistory') || {};
+      if (!chatHistory[toHandle]) chatHistory[toHandle] = [];
+      chatHistory[toHandle].push({ id: timestamp, text, sent: true, timestamp, fromHandle: identity.handle, toHandle });
+      config.set('chatHistory', chatHistory);
+
+      res.status(201).json({ ok: true, timestamp });
+      broadcast({ type: 'chat:sent', toHandle, text, timestamp });
+    } catch (err) {
+      res.status(502).json({ error: err.message });
+    }
+  });
+
+  // Transfer management (pause/resume/cancel)
+  app.post('/api/transfers/:magnet/pause', (req, res) => {
+    try {
+      setTransferPaused(req.params.magnet, true);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.post('/api/transfers/:magnet/resume', (req, res) => {
+    try {
+      setTransferPaused(req.params.magnet, false);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.delete('/api/transfers/:magnet', (req, res) => {
+    try {
+      removeTransfer(req.params.magnet);
+      if (torrentClient) {
+        const torrent = torrentClient.torrents.find(t => t.magnetURI === req.params.magnet);
+        if (torrent) torrentClient.remove(torrent);
+      }
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // Stats
+  app.get('/api/stats', (req, res) => {
+    if (!torrentClient) return res.json({ torrents: 0, uploadSpeed: 0, downloadSpeed: 0 });
+    res.json({
+      torrents: torrentClient.torrents.length,
+      uploadSpeed: torrentClient.uploadSpeed,
+      downloadSpeed: torrentClient.downloadSpeed,
+      ratio: torrentClient.ratio,
+      torrentsDetail: torrentClient.torrents.map(t => ({
+        name: t.name,
+        progress: t.progress,
+        uploadSpeed: t.uploadSpeed,
+        downloadSpeed: t.downloadSpeed,
+        numPeers: t.numPeers,
+        uploaded: t.uploaded,
+        downloaded: t.downloaded,
+        length: t.length,
+        magnetURI: t.magnetURI
+      }))
+    });
+  });
+
+  // ── PAL Protocol API ──
+
+  app.get('/api/protocol', async (req, res) => {
+    try {
+      const { PROTOCOL_NAME, PROTOCOL_VERSION } = await import('../protocol/index.js');
+      const { isPro } = await import('./pro.js');
+      const { getRelayLimits } = await import('../protocol/router.js');
+      const { FREE_POLICY_LIMITS, PRO_POLICY_LIMITS } = await import('../protocol/policy.js');
+      const pro = isPro();
+      const caps = ['share', 'sync', 'chat', 'relay'];
+      if (pro) caps.push('delta-sync', 'receipts');
+      res.json({
+        name: PROTOCOL_NAME,
+        version: PROTOCOL_VERSION,
+        tier: pro ? 'pro' : 'free',
+        capabilities: caps,
+        relayLimits: getRelayLimits(),
+        policyLimits: pro ? PRO_POLICY_LIMITS : FREE_POLICY_LIMITS,
+      });
+    } catch (err) {
+      res.status(500).json({ error: 'Internal error' });
+    }
+  });
+
+  app.get('/api/protocol/policies', (req, res) => {
+    try {
+      const { listPolicies } = require('./sharePolicy.js');
+      res.json(listPolicies());
+    } catch (err) {
+      res.status(500).json({ error: 'Internal error' });
+    }
+  });
+
+  app.post('/api/protocol/policies/:shareId', async (req, res) => {
+    try {
+      const { validatePolicy } = await import('../protocol/policy.js');
+      const { setSharePolicy } = await import('./sharePolicy.js');
+      const validation = validatePolicy(req.body);
+      if (!validation.valid) return res.status(400).json({ errors: validation.errors });
+      setSharePolicy(req.params.shareId, req.body);
+      res.json({ success: true });
+    } catch (err) {
+      res.status(500).json({ error: 'Internal error' });
+    }
+  });
+
+  app.delete('/api/protocol/policies/:shareId', async (req, res) => {
+    try {
+      const { removeSharePolicy } = await import('./sharePolicy.js');
+      removeSharePolicy(req.params.shareId);
+      res.json({ success: true });
+    } catch (err) {
+      res.status(500).json({ error: 'Internal error' });
+    }
+  });
+
+  app.post('/api/protocol/probe/:peerPK', async (req, res) => {
+    try {
+      const { probeRoutes, selectRoute, buildRouteInfo } = await import('../protocol/router.js');
+      const results = await probeRoutes(req.params.peerPK);
+      res.json({
+        routes: results,
+        recommended: selectRoute(results),
+        routeInfo: buildRouteInfo(results),
+      });
+    } catch (err) {
+      res.status(500).json({ error: 'Internal error' });
+    }
+  });
+
+  // ── Groups ──
+
+  app.get('/api/groups', (req, res) => {
+    res.json(getGroups());
+  });
+
+  app.get('/api/groups/:id', (req, res) => {
+    const group = getGroup(req.params.id);
+    if (!group) return res.status(404).json({ error: 'Group not found' });
+    res.json(group);
+  });
+
+  app.post('/api/groups', (req, res) => {
+    const { name } = req.body;
+    if (!name) return res.status(400).json({ error: 'name required' });
+    const identity = config.get('identity');
+    try {
+      const group = createGroup(name, identity?.publicKey, req.body);
+      res.status(201).json(group);
+      broadcast({ type: 'group:created', group });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.delete('/api/groups/:id', (req, res) => {
+    const identity = config.get('identity');
+    try {
+      deleteGroup(req.params.id, identity?.publicKey);
+      res.json({ ok: true });
+      broadcast({ type: 'group:deleted', id: req.params.id });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.post('/api/groups/:id/members', (req, res) => {
+    const { palId, name, handle } = req.body;
+    if (!palId) return res.status(400).json({ error: 'palId required' });
+    try {
+      addMemberToGroup(req.params.id, { id: palId, name: name || 'Unknown', handle });
+      res.status(201).json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.delete('/api/groups/:id/members/:palId', (req, res) => {
+    try {
+      removeMemberFromGroup(req.params.id, req.params.palId);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // ── Share Comments ──
+
+  app.get('/api/shares/:shareId/comments', (req, res) => {
+    res.json(getShareComments(req.params.shareId));
+  });
+
+  app.post('/api/shares/:shareId/comments', (req, res) => {
+    const { text } = req.body;
+    if (!text) return res.status(400).json({ error: 'text required' });
+    const identity = config.get('identity');
+    try {
+      const comment = addShareComment(req.params.shareId, {
+        authorHandle: identity?.handle,
+        authorName: identity?.name,
+        text,
+      });
+      res.status(201).json(comment);
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.delete('/api/shares/:shareId/comments/:commentId', (req, res) => {
+    try {
+      deleteShareComment(req.params.shareId, req.params.commentId);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // ── Billing / Pro Status ──
+
+  app.get('/api/billing/status', (req, res) => {
+    const pro = isPro();
+    const license = config.get('license') || {};
+    res.json({
+      plan: pro ? 'pro' : 'free',
+      active: pro,
+      expiresAt: license.expiresAt || null,
+      licenseKey: license.key ? `${license.key.slice(0, 8)}...` : null,
+    });
+  });
+
+  // ── Chat by pal handle (mobile format) ──
+
+  app.get('/api/pals/messages', (req, res) => {
+    const { pal, unread } = req.query;
+    const chatHistory = config.get('chatHistory') || {};
+    if (pal) {
+      const messages = chatHistory[pal] || [];
+      if (unread === 'true') {
+        return res.json(messages.filter(m => !m.read && !m.sent));
+      }
+      return res.json(messages);
+    }
+    if (unread === 'true') {
+      const result = {};
+      for (const [handle, msgs] of Object.entries(chatHistory)) {
+        const unreadMsgs = msgs.filter(m => !m.read && !m.sent);
+        if (unreadMsgs.length > 0) result[handle] = unreadMsgs;
+      }
+      return res.json(result);
+    }
+    res.json(chatHistory);
+  });
+
+  app.post('/api/pals/messages', async (req, res) => {
+    const { to, message } = req.body;
+    if (!to || !message) return res.status(400).json({ error: 'to and message required' });
+    const identity = config.get('identity');
+    if (!identity?.handle) return res.status(400).json({ error: 'No handle registered' });
+
+    const discoveryUrl = process.env.PAL_DISCOVERY_URL || config.get('discoveryUrl') || 'http://localhost:3000';
+    const timestamp = Date.now();
+
+    try {
+      const r = await fetch(`${discoveryUrl}/api/v1/messages`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          toHandle: to, fromHandle: identity.handle,
+          payload: { type: 'chat', text: message, timestamp },
+        }),
+        signal: AbortSignal.timeout(10000),
+      });
+      if (!r.ok) return res.status(502).json({ error: 'Failed to send message' });
+
+      const chatHistory = config.get('chatHistory') || {};
+      if (!chatHistory[to]) chatHistory[to] = [];
+      chatHistory[to].push({ id: timestamp, text: message, sent: true, timestamp, fromHandle: identity.handle, toHandle: to });
+      config.set('chatHistory', chatHistory);
+
+      res.status(201).json({ ok: true, timestamp });
+      broadcast({ type: 'chat:sent', toHandle: to, text: message, timestamp });
+    } catch (err) {
+      res.status(502).json({ error: err.message });
+    }
+  });
+
+  // ── Download (mobile format) ──
+
+  app.post('/api/transfers/download', (req, res) => {
+    const { magnet, name, encryptedShareKey } = req.body;
+    if (!magnet) return res.status(400).json({ error: 'magnet is required' });
+    if (!torrentClient) return res.status(503).json({ error: 'Torrent client not available' });
+
+    try {
+      const downloadDir = getDownloadDir();
+      trackTransfer(magnet, name || 'download', downloadDir, encryptedShareKey || null);
+      torrentClient.add(magnet, { path: downloadDir }, (torrent) => {
+        broadcast({ type: 'download:started', name: torrent.name, magnet });
+      });
+      res.status(202).json({ ok: true, magnet });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  // Fallback: serve index.html for SPA routing
+  app.get('{*path}', (req, res) => {
+    const indexPath = path.join(webDistPath, 'index.html');
+    if (fs.existsSync(indexPath)) {
+      res.sendFile(indexPath);
+    } else {
+      res.status(404).json({ error: 'Web UI not built. Run: cd web && npm run build' });
+    }
+  });
+
+  // WebSocket
+  const clients = new Set();
+
+  wss.on('connection', (ws, req) => {
+    const url = new URL(req.url, `http://localhost:${port}`);
+    const token = url.searchParams.get('token');
+    const wsExpected = Buffer.from(getOrCreateToken(), 'hex');
+    const wsProvided = Buffer.from(token || '', 'hex');
+    if (wsProvided.length !== wsExpected.length || !crypto.timingSafeEqual(wsProvided, wsExpected)) {
+      ws.close(4001, 'Unauthorized');
+      return;
+    }
+    clients.add(ws);
+    ws.on('close', () => clients.delete(ws));
+  });
+
+  function broadcast(data) {
+    const msg = JSON.stringify(data);
+    for (const ws of clients) {
+      if (ws.readyState === 1) ws.send(msg);
+    }
+  }
+
+  // Broadcast transfer progress every 2 seconds
+  const progressInterval = setInterval(() => {
+    if (clients.size === 0 || !torrentClient) return;
+    const transfers = torrentClient.torrents.map(t => ({
+      name: t.name,
+      progress: t.progress,
+      uploadSpeed: t.uploadSpeed,
+      downloadSpeed: t.downloadSpeed,
+      numPeers: t.numPeers,
+      done: t.done
+    }));
+    broadcast({ type: 'transfer:progress', transfers });
+  }, 2000);
+
+  server.on('close', () => clearInterval(progressInterval));
+
+  return new Promise((resolve, reject) => {
+    server.listen(port, bindAddress, () => {
+      resolve({ server, port, token: getOrCreateToken() });
+    });
+    server.on('error', (err) => { clearInterval(progressInterval); reject(err); });
+  });
+}