palmier 0.4.5 → 0.4.6

package/dist/events.js

@@ -1,11 +1,11 @@
 import { StringCodec } from "nats";
-import { getLanPort } from "./lan-lock.js";
+import { loadConfig } from "./config.js";
 const sc = StringCodec();
 /**
- * Broadcast an event to connected clients via NATS and HTTP SSE (if LAN server is running).
+ * Broadcast an event to connected clients via NATS and HTTP SSE.
  *
  * - NATS: publishes to `host-event.{hostId}.{taskId}`
- * - HTTP: POSTs to the LAN server's `/internal/event` endpoint (auto-detected via lockfile)
+ * - HTTP: POSTs to the serve daemon's `/event` endpoint
  */
 export async function publishHostEvent(nc, hostId, taskId, payload) {
     const subject = `host-event.${hostId}.${taskId}`;
@@ -13,19 +13,18 @@ export async function publishHostEvent(nc, hostId, taskId, payload) {
         nc.publish(subject, sc.encode(JSON.stringify(payload)));
         console.log(`[nats] ${subject} →`, payload);
     }
-    const lanPort = getLanPort();
-    if (lanPort) {
-        try {
-            await fetch(`http://localhost:${lanPort}/internal/event`, {
-                method: "POST",
-                headers: { "Content-Type": "application/json" },
-                body: JSON.stringify({ task_id: taskId, ...payload }),
-            });
-            console.log(`[http] host-event: ${taskId} →`, payload);
-        }
-        catch {
-            // LAN server may have shut down — ignore
-        }
+    const config = loadConfig();
+    const port = config.httpPort ?? 7400;
+    try {
+        await fetch(`http://localhost:${port}/event`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ task_id: taskId, ...payload }),
+        });
+        console.log(`[http] host-event: ${taskId} →`, payload);
+    }
+    catch {
+        // Serve HTTP may not be ready yet — ignore
     }
 }
 //# sourceMappingURL=events.js.map

package/dist/index.js

@@ -8,10 +8,7 @@ import { initCommand } from "./commands/init.js";
 import { infoCommand } from "./commands/info.js";
 import { runCommand } from "./commands/run.js";
 import { serveCommand } from "./commands/serve.js";
-import { notifyCommand } from "./commands/notify.js";
-import { requestInputCommand } from "./commands/request-input.js";
 import { pairCommand } from "./commands/pair.js";
-import { lanCommand } from "./commands/lan.js";
 import { restartCommand } from "./commands/restart.js";
 import { sessionsListCommand, sessionsRevokeCommand, sessionsRevokeAllCommand } from "./commands/sessions.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -51,34 +48,12 @@ program
     .action(async () => {
     await restartCommand();
 });
-program
-    .command("notify")
-    .description("Send a push notification to the user")
-    .requiredOption("--title <title>", "Notification title")
-    .requiredOption("--body <body>", "Notification body text")
-    .action(async (opts) => {
-    await notifyCommand(opts);
-});
-program
-    .command("request-input")
-    .description("Request input from the user (requires PALMIER_TASK_ID env var)")
-    .requiredOption("--description <desc...>", "Input descriptions to show the user")
-    .action(async (opts) => {
-    await requestInputCommand(opts);
-});
 program
     .command("pair")
     .description("Generate a pairing code for connecting a PWA client")
     .action(async () => {
     await pairCommand();
 });
-program
-    .command("lan")
-    .description("Start an on-demand LAN server for direct HTTP connections")
-    .option("-p, --port <port>", "Port to listen on", "7400")
-    .action(async (opts) => {
-    await lanCommand({ port: parseInt(opts.port, 10) });
-});
 const sessionsCmd = program
     .command("sessions")
     .description("Manage paired client sessions");

package/dist/pending-requests.d.ts

@@ -0,0 +1,27 @@
+import type { RequiredPermission } from "./types.js";
+export interface PendingRequest {
+    type: "confirmation" | "permission" | "input";
+    resolve: (value: string[]) => void;
+    /** Permission list (for 'permission') or input descriptions (for 'input'). */
+    params?: RequiredPermission[] | string[];
+}
+/**
+ * Register a pending request for a task. Returns a Promise that resolves
+ * when `resolvePending` is called with the user's response.
+ * Only one pending request per task at a time.
+ */
+export declare function registerPending(taskId: string, type: PendingRequest["type"], params?: PendingRequest["params"]): Promise<string[]>;
+/**
+ * Resolve a pending request with the user's response.
+ * Returns true if a pending request was found and resolved.
+ */
+export declare function resolvePending(taskId: string, value: string[]): boolean;
+/**
+ * Get the current pending request for a task (if any).
+ */
+export declare function getPending(taskId: string): PendingRequest | undefined;
+/**
+ * Remove a pending request without resolving it.
+ */
+export declare function removePending(taskId: string): void;
+//# sourceMappingURL=pending-requests.d.ts.map

package/dist/pending-requests.js

@@ -0,0 +1,39 @@
+const pending = new Map();
+/**
+ * Register a pending request for a task. Returns a Promise that resolves
+ * when `resolvePending` is called with the user's response.
+ * Only one pending request per task at a time.
+ */
+export function registerPending(taskId, type, params) {
+    if (pending.has(taskId)) {
+        return Promise.reject(new Error(`Task ${taskId} already has a pending request`));
+    }
+    return new Promise((resolve) => {
+        pending.set(taskId, { type, resolve, params });
+    });
+}
+/**
+ * Resolve a pending request with the user's response.
+ * Returns true if a pending request was found and resolved.
+ */
+export function resolvePending(taskId, value) {
+    const entry = pending.get(taskId);
+    if (!entry)
+        return false;
+    pending.delete(taskId);
+    entry.resolve(value);
+    return true;
+}
+/**
+ * Get the current pending request for a task (if any).
+ */
+export function getPending(taskId) {
+    return pending.get(taskId);
+}
+/**
+ * Remove a pending request without resolving it.
+ */
+export function removePending(taskId) {
+    pending.delete(taskId);
+}
+//# sourceMappingURL=pending-requests.js.map

package/dist/rpc-handler.js

@@ -5,6 +5,7 @@ import { fileURLToPath } from "url";
 import { spawn } from "child_process";
 import { parse as parseYaml } from "yaml";
 import { listTasks, parseTaskFile, writeTaskFile, getTaskDir, readTaskStatus, writeTaskStatus, readHistory, deleteHistoryEntry, appendTaskList, removeFromTaskList, appendHistory, createRunDir, appendRunMessage, getRunDir } from "./task.js";
+import { resolvePending, getPending } from "./pending-requests.js";
 import { getPlatform } from "./platform/index.js";
 import { spawnCommand } from "./spawn-command.js";
 import crossSpawn from "cross-spawn";
@@ -131,8 +132,8 @@ export function createRpcHandler(config, nc) {
         };
     }
     async function handleRpc(request) {
-        // Session token validation: always require a valid session token
-        if (!request.sessionToken || !validateSession(request.sessionToken)) {
+        // Session token validation: skip for trusted localhost requests
+        if (!request.localhost && (!request.sessionToken || !validateSession(request.sessionToken))) {
             return { error: "Unauthorized" };
         }
         switch (request.method) {
@@ -447,7 +448,14 @@ export function createRpcHandler(config, nc) {
                 if (!status) {
                     return { task_id: params.id, error: "No status found" };
                 }
-                return { task_id: params.id, ...status };
+                const pending = getPending(params.id);
+                return {
+                    task_id: params.id,
+                    ...status,
+                    ...(pending?.type === "confirmation" ? { pending_confirmation: true } : {}),
+                    ...(pending?.type === "permission" ? { pending_permission: pending.params } : {}),
+                    ...(pending?.type === "input" ? { pending_input: pending.params } : {}),
+                };
             }
             case "task.result": {
                 const params = request.params;
@@ -494,14 +502,13 @@ export function createRpcHandler(config, nc) {
             }
             case "task.user_input": {
                 const params = request.params;
-                const taskDir = getTaskDir(config.projectRoot, params.id);
-                const currentStatus = readTaskStatus(taskDir);
-                if (!currentStatus?.pending_confirmation && !currentStatus?.pending_permission?.length && !currentStatus?.pending_input?.length) {
+                const pending = getPending(params.id);
+                if (!pending) {
                     return { ok: false, error: "not pending" };
                 }
-                writeTaskStatus(taskDir, { ...currentStatus, user_input: params.value });
+                const resolved = resolvePending(params.id, params.value);
                 console.log(`[task.user_input] ${params.id} → ${params.value}`);
-                return { ok: true };
+                return { ok: resolved };
             }
             case "taskrun.list": {
                 const params = request.params;

package/dist/transports/http-transport.d.ts

@@ -1,7 +1,9 @@
+import { type NatsConnection } from "nats";
 import type { HostConfig, RpcMessage } from "../types.js";
 export declare function detectLanIp(): string;
 /**
- * Start the HTTP transport: Express-like server with RPC, SSE, and health endpoints.
+ * Start the HTTP transport: server with RPC, SSE, PWA proxy, pairing, and
+ * localhost-only agent endpoints (notify, request-input, confirmation, permission).
  */
-export declare function startHttpTransport(config: HostConfig, handleRpc: (req: RpcMessage) => Promise<unknown>, port: number, pairingCode?: string, onReady?: () => void): Promise<void>;
+export declare function startHttpTransport(config: HostConfig, handleRpc: (req: RpcMessage) => Promise<unknown>, port: number, nc: NatsConnection | undefined, pairingCode?: string, onReady?: () => void): Promise<void>;
 //# sourceMappingURL=http-transport.d.ts.map

package/dist/transports/http-transport.js

@@ -1,7 +1,13 @@
 import * as http from "node:http";
 import * as os from "os";
+import { StringCodec } from "nats";
 import { validateSession, addSession } from "../session-store.js";
+import { registerPending } from "../pending-requests.js";
+import { getTaskDir, parseTaskFile, appendRunMessage } from "../task.js";
 const PWA_ORIGIN = "https://app.palmier.me";
+const assetCache = new Map();
+/** Paths currently being fetched (dedup concurrent requests). */
+const assetInflight = new Map();
 const CONTENT_TYPES = {
     ".html": "text/html; charset=utf-8",
     ".js": "application/javascript",
@@ -14,6 +20,8 @@ const CONTENT_TYPES = {
     ".svg": "image/svg+xml",
 };
 function guessContentType(urlPath) {
+    if (urlPath === "/")
+        return "text/html; charset=utf-8";
     const ext = urlPath.match(/\.[^.]+$/)?.[0] ?? "";
     return CONTENT_TYPES[ext] ?? "application/octet-stream";
 }
@@ -24,55 +32,39 @@ async function fetchBuffer(url) {
     return Buffer.from(await res.arrayBuffer());
 }
 /**
- * Download the PWA from palmier.me into memory.
- * Parses index.html for asset references, then fetches each one.
+ * Fetch a PWA asset on-the-fly, caching in memory.
+ * Returns null if the asset cannot be fetched.
  */
-async function downloadPwaAssets() {
-    const assets = new Map();
-    // 1. Fetch index.html
-    const html = await fetchBuffer(`${PWA_ORIGIN}/`);
-    assets.set("/", { data: html, contentType: "text/html; charset=utf-8" });
-    const htmlStr = html.toString("utf-8");
-    // 2. Extract references from HTML (src="..." and href="...")
-    // Skip service worker and manifest — they require HTTPS which LAN mode doesn't use
-    const SKIP = new Set(["/registerSW.js", "/service-worker.js", "/manifest.webmanifest"]);
-    const refRegex = /(?:src|href)="([^"]+)"/g;
-    const htmlRefs = new Set();
-    let match;
-    while ((match = refRegex.exec(htmlStr)) !== null) {
-        const ref = match[1];
-        if (ref.startsWith("/") && !ref.startsWith("//") && !SKIP.has(ref)) {
-            htmlRefs.add(ref);
-        }
-    }
-    // 3. Fetch all HTML-referenced assets
-    for (const ref of htmlRefs) {
+async function getAsset(urlPath) {
+    const cached = assetCache.get(urlPath);
+    if (cached)
+        return cached;
+    // Dedup concurrent requests for the same path
+    const inflight = assetInflight.get(urlPath);
+    if (inflight)
+        return inflight;
+    const promise = (async () => {
         try {
-            const data = await fetchBuffer(`${PWA_ORIGIN}${ref}`);
-            assets.set(ref, { data, contentType: guessContentType(ref) });
-            // 4. Parse CSS for font url() references
-            if (ref.endsWith(".css")) {
-                const cssStr = data.toString("utf-8");
-                const urlRegex = /url\(["']?([^"')]+)["']?\)/g;
-                let cssMatch;
-                while ((cssMatch = urlRegex.exec(cssStr)) !== null) {
-                    let fontRef = cssMatch[1];
-                    if (fontRef.startsWith("data:"))
-                        continue;
-                    // Resolve relative URLs against the CSS file's directory
-                    if (!fontRef.startsWith("/")) {
-                        const cssDir = ref.substring(0, ref.lastIndexOf("/") + 1);
-                        fontRef = cssDir + fontRef;
-                    }
-                    htmlRefs.add(fontRef);
-                }
+            let data = await fetchBuffer(`${PWA_ORIGIN}${urlPath}`);
+            // Inject LAN mode marker into index HTML so the PWA can detect it's served by palmier
+            if (urlPath === "/") {
+                const html = data.toString("utf-8").replace("</head>", "<script>window.__PALMIER_SERVE__=true</script></head>");
+                data = Buffer.from(html, "utf-8");
             }
+            const asset = { data, contentType: guessContentType(urlPath) };
+            assetCache.set(urlPath, asset);
+            return asset;
         }
         catch (err) {
-            console.warn(`[pwa] Failed to fetch ${ref}: ${err}`);
+            console.warn(`[pwa] Failed to fetch ${urlPath}: ${err}`);
+            return null;
         }
-    }
-    return assets;
+        finally {
+            assetInflight.delete(urlPath);
+        }
+    })();
+    assetInflight.set(urlPath, promise);
+    return promise;
 }
 const pendingPairs = new Map();
 export function detectLanIp() {
@@ -87,22 +79,18 @@ export function detectLanIp() {
     return "127.0.0.1";
 }
 /**
- * Start the HTTP transport: Express-like server with RPC, SSE, and health endpoints.
+ * Start the HTTP transport: server with RPC, SSE, PWA proxy, pairing, and
+ * localhost-only agent endpoints (notify, request-input, confirmation, permission).
  */
-export async function startHttpTransport(config, handleRpc, port, pairingCode, onReady) {
-    // Download PWA assets into memory before starting the server
-    console.log("[http] Downloading PWA assets...");
-    const pwaAssets = await downloadPwaAssets();
-    console.log(`[http] Cached ${pwaAssets.size} PWA assets in memory.`);
+export async function startHttpTransport(config, handleRpc, port, nc, pairingCode, onReady) {
     const sseClients = new Set();
-    // If a pairing code is provided (from `palmier lan`), pre-register it
+    const lanEnabled = config.lanEnabled ?? false;
+    const bindAddress = lanEnabled ? "0.0.0.0" : "127.0.0.1";
+    // If a pairing code is provided, pre-register it
     if (pairingCode) {
-        const EXPIRY_MS = 24 * 60 * 60 * 1000; // 24 hours — stays valid while lan server runs
+        const EXPIRY_MS = 24 * 60 * 60 * 1000;
         const timer = setTimeout(() => { pendingPairs.delete(pairingCode); }, EXPIRY_MS);
-        pendingPairs.set(pairingCode, {
-            resolve: () => { },
-            timer,
-        });
+        pendingPairs.set(pairingCode, { resolve: () => { }, timer });
     }
     function broadcastSseEvent(data) {
         const payload = `data: ${JSON.stringify(data)}\n\n`;
@@ -114,8 +102,7 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
         const auth = req.headers.authorization;
         if (!auth || !auth.startsWith("Bearer "))
             return false;
-        const token = auth.slice(7);
-        return validateSession(token);
+        return validateSession(auth.slice(7));
     }
     function extractSessionToken(req) {
         const auth = req.headers.authorization;
@@ -139,11 +126,22 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
         const addr = req.socket.remoteAddress;
         return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
     }
+    /**
+     * Publish an event via NATS and SSE.
+     */
+    async function publishEvent(taskId, payload) {
+        const sc = StringCodec();
+        const subject = `host-event.${config.hostId}.${taskId}`;
+        if (nc) {
+            nc.publish(subject, sc.encode(JSON.stringify(payload)));
+        }
+        broadcastSseEvent({ task_id: taskId, ...payload });
+    }
     const server = http.createServer(async (req, res) => {
         const url = new URL(req.url ?? "/", `http://localhost:${port}`);
         const pathname = url.pathname;
-        // Internal event endpoint — localhost only, no auth
-        if (req.method === "POST" && pathname === "/internal/event") {
+        // ── Localhost-only endpoints (no auth) ─────────────────────────────
+        if (req.method === "POST" && pathname === "/event") {
             if (!isLocalhost(req)) {
                 sendJson(res, 403, { error: "localhost only" });
                 return;
@@ -159,9 +157,7 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
             }
             return;
         }
-        // Internal pair-register endpoint — localhost only, long-poll
-        // The pair CLI posts here and blocks until paired or expired.
-        if (req.method === "POST" && pathname === "/internal/pair-register") {
+        if (req.method === "POST" && pathname === "/pair-register") {
             if (!isLocalhost(req)) {
                 sendJson(res, 403, { error: "localhost only" });
                 return;
@@ -183,7 +179,6 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
                         resolve({ paired: false });
                     }, expiryMs ?? 5 * 60 * 1000);
                     pendingPairs.set(code, { resolve, timer });
-                    // Clean up if the CLI disconnects early
                     req.on("close", () => {
                         if (pendingPairs.has(code)) {
                             clearTimeout(timer);
@@ -198,7 +193,156 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
             }
             return;
         }
-        // Public pair endpoint — no auth required, PWA posts OTP code here
+        // ── GET /notify — send push notification via NATS ──────────────────
+        if (req.method === "GET" && pathname === "/notify") {
+            if (!isLocalhost(req)) {
+                sendJson(res, 403, { error: "localhost only" });
+                return;
+            }
+            if (!nc) {
+                sendJson(res, 503, { error: "NATS not connected — push notifications require server mode" });
+                return;
+            }
+            try {
+                const title = url.searchParams.get("title");
+                const notifBody = url.searchParams.get("body");
+                if (!title || !notifBody) {
+                    sendJson(res, 400, { error: "title and body query params are required" });
+                    return;
+                }
+                const sc = StringCodec();
+                const payload = { hostId: config.hostId, title, body: notifBody };
+                const subject = `host.${config.hostId}.push.send`;
+                const reply = await nc.request(subject, sc.encode(JSON.stringify(payload)), { timeout: 15_000 });
+                const result = JSON.parse(sc.decode(reply.data));
+                if (result.ok) {
+                    sendJson(res, 200, { ok: true });
+                }
+                else {
+                    sendJson(res, 502, { error: result.error ?? "Push notification failed" });
+                }
+            }
+            catch (err) {
+                sendJson(res, 500, { error: `Failed to send notification: ${err}` });
+            }
+            return;
+        }
+        // ── GET /request-input — held connection until user responds ────────
+        if (req.method === "GET" && pathname === "/request-input") {
+            if (!isLocalhost(req)) {
+                sendJson(res, 403, { error: "localhost only" });
+                return;
+            }
+            try {
+                const taskId = url.searchParams.get("taskId");
+                const runId = url.searchParams.get("runId");
+                const descriptions = url.searchParams.getAll("descriptions");
+                if (!taskId || !descriptions.length) {
+                    sendJson(res, 400, { error: "taskId and descriptions query params are required" });
+                    return;
+                }
+                const taskDir = getTaskDir(config.projectRoot, taskId);
+                const task = parseTaskFile(taskDir);
+                await publishEvent(taskId, {
+                    event_type: "input-request",
+                    host_id: config.hostId,
+                    input_descriptions: descriptions,
+                    name: task.frontmatter.name,
+                });
+                const response = await registerPending(taskId, "input", descriptions);
+                if (response.length === 1 && response[0] === "aborted") {
+                    await publishEvent(taskId, { event_type: "input-resolved", host_id: config.hostId, status: "aborted" });
+                    if (runId) {
+                        appendRunMessage(taskDir, runId, { role: "user", time: Date.now(), content: "Input request aborted.", type: "input" });
+                    }
+                    sendJson(res, 200, { aborted: true });
+                }
+                else {
+                    await publishEvent(taskId, { event_type: "input-resolved", host_id: config.hostId, status: "provided" });
+                    if (runId) {
+                        const lines = descriptions.map((desc, i) => `**${desc}** ${response[i]}`);
+                        appendRunMessage(taskDir, runId, { role: "user", time: Date.now(), content: lines.join("\n"), type: "input" });
+                    }
+                    sendJson(res, 200, { values: response });
+                }
+            }
+            catch (err) {
+                sendJson(res, 500, { error: String(err) });
+            }
+            return;
+        }
+        // ── GET /request-confirmation — held connection ─────────────────────
+        if (req.method === "GET" && pathname === "/request-confirmation") {
+            if (!isLocalhost(req)) {
+                sendJson(res, 403, { error: "localhost only" });
+                return;
+            }
+            try {
+                const taskId = url.searchParams.get("taskId");
+                if (!taskId) {
+                    sendJson(res, 400, { error: "taskId query param is required" });
+                    return;
+                }
+                await publishEvent(taskId, {
+                    event_type: "confirm-request",
+                    host_id: config.hostId,
+                });
+                const response = await registerPending(taskId, "confirmation");
+                const confirmed = response[0] === "confirmed";
+                await publishEvent(taskId, {
+                    event_type: "confirm-resolved",
+                    host_id: config.hostId,
+                    status: confirmed ? "confirmed" : "aborted",
+                });
+                sendJson(res, 200, { confirmed });
+            }
+            catch (err) {
+                sendJson(res, 500, { error: String(err) });
+            }
+            return;
+        }
+        // ── GET /request-permission — held connection ───────────────────────
+        if (req.method === "GET" && pathname === "/request-permission") {
+            if (!isLocalhost(req)) {
+                sendJson(res, 403, { error: "localhost only" });
+                return;
+            }
+            try {
+                const taskId = url.searchParams.get("taskId");
+                const taskName = url.searchParams.get("taskName");
+                const permissionsRaw = url.searchParams.get("permissions");
+                let permissions = [];
+                if (permissionsRaw) {
+                    try {
+                        permissions = JSON.parse(permissionsRaw);
+                    }
+                    catch { /* ignore */ }
+                }
+                if (!taskId || !permissions.length) {
+                    sendJson(res, 400, { error: "taskId and permissions query params are required" });
+                    return;
+                }
+                await publishEvent(taskId, {
+                    event_type: "permission-request",
+                    host_id: config.hostId,
+                    required_permissions: permissions,
+                    name: taskName,
+                });
+                const response = await registerPending(taskId, "permission", permissions);
+                const status = response[0];
+                await publishEvent(taskId, {
+                    event_type: "permission-resolved",
+                    host_id: config.hostId,
+                    status,
+                });
+                sendJson(res, 200, { response: status });
+            }
+            catch (err) {
+                sendJson(res, 500, { error: String(err) });
+            }
+            return;
+        }
+        // ── Public pair endpoint — no auth, PWA posts OTP code here ────────
         if (req.method === "POST" && pathname === "/pair") {
             try {
                 const body = await readBody(req);
@@ -212,7 +356,6 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
                     sendJson(res, 401, { error: "Invalid code" });
                     return;
                 }
-                // Create session and build response
                 const session = addSession(label);
                 const ip = detectLanIp();
                 const response = {
@@ -220,7 +363,6 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
                     sessionToken: session.token,
                     directUrl: `http://${ip}:${port}`,
                 };
-                // Resolve the long-poll and clean up
                 clearTimeout(pending.timer);
                 pendingPairs.delete(code);
                 pending.resolve({ paired: true });
@@ -231,22 +373,31 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
             }
             return;
         }
-        // Serve cached PWA assets for non-API routes (no auth required)
+        // ── PWA assets (on-the-fly, cached) ────────────────────────────────
+        // Skip service worker and manifest — they require HTTPS which LAN mode doesn't use
+        const SKIP = new Set(["/registerSW.js", "/service-worker.js", "/manifest.webmanifest"]);
         const isApiRoute = pathname === "/events" || pathname.startsWith("/rpc/");
         if (!isApiRoute) {
-            // SPA fallback: serve index.html for unrecognized paths
-            const asset = pwaAssets.get(pathname) ?? (pathname !== "/" ? pwaAssets.get("/") : undefined);
+            if (SKIP.has(pathname)) {
+                sendJson(res, 404, { error: "Not found" });
+                return;
+            }
+            // Try exact path, then fall back to index.html (SPA routing)
+            let asset = await getAsset(pathname);
+            if (!asset && pathname !== "/") {
+                asset = await getAsset("/");
+            }
             if (asset) {
                 res.writeHead(200, { "Content-Type": asset.contentType });
                 res.end(asset.data);
             }
             else {
-                sendJson(res, 404, { error: "Not found" });
+                sendJson(res, 502, { error: "Failed to fetch PWA assets" });
             }
             return;
         }
-        // API endpoints require auth
-        if (!checkAuth(req)) {
+        // ── API endpoints require auth (localhost is trusted) ───────────────
+        if (!isLocalhost(req) && !checkAuth(req)) {
             sendJson(res, 401, { error: "Unauthorized" });
             return;
         }
@@ -258,7 +409,6 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
                 Connection: "keep-alive",
             });
             res.write(":ok\n\n");
-            // Send heartbeat every 5 seconds
             const heartbeat = setInterval(() => {
                 res.write("data: {\"heartbeat\":true}\n\n");
             }, 5000);
@@ -290,7 +440,7 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
             const sessionToken = extractSessionToken(req);
             console.log(`[http] RPC: ${method}`);
             try {
-                const response = await handleRpc({ method, params, sessionToken });
+                const response = await handleRpc({ method, params, sessionToken, localhost: isLocalhost(req) });
                 console.log(`[http] RPC done: ${method}`, JSON.stringify(response).slice(0, 200));
                 sendJson(res, 200, response);
             }
@@ -303,10 +453,9 @@ export async function startHttpTransport(config, handleRpc, port, pairingCode, o
         sendJson(res, 404, { error: "Not found" });
     });
     return new Promise((resolve, reject) => {
-        server.listen(port, () => {
-            console.log(`[http] Listening on port ${port}`);
+        server.listen(port, bindAddress, () => {
+            console.log(`[http] Listening on ${bindAddress}:${port}`);
             onReady?.();
-            // Graceful shutdown
             const shutdown = () => {
                 console.log("[http] Shutting down...");
                 for (const client of sseClients) {