perplexity-user-mcp 0.8.36

package/dist/chunk-KCXM2M4B.mjs

@@ -0,0 +1,1006 @@
+import {
+  startTunnel
+} from "./chunk-6YMQVLFX.mjs";
+import {
+  getTunnelBinaryPath
+} from "./chunk-3B276PGG.mjs";
+import {
+  safeAtomicWriteFileSync
+} from "./chunk-MTDFKNXX.mjs";
+
+// src/daemon/tunnel-providers/index.ts
+import { existsSync as existsSync5, mkdirSync as mkdirSync3, readFileSync as readFileSync3 } from "fs";
+import { dirname as dirname3, join as join4 } from "path";
+
+// src/daemon/tunnel-providers/cloudflared-quick.ts
+import { existsSync } from "fs";
+var cloudflaredQuickProvider = {
+  id: "cf-quick",
+  displayName: "Cloudflare Quick Tunnel",
+  description: "Zero-setup ephemeral *.trycloudflare.com URL. Changes on every restart.",
+  async isSetupComplete(configDir) {
+    const binaryPath = getTunnelBinaryPath(configDir);
+    if (!existsSync(binaryPath)) {
+      return {
+        ready: false,
+        reason: "cloudflared binary not installed.",
+        action: { label: "Install cloudflared", kind: "install-binary" }
+      };
+    }
+    return { ready: true };
+  },
+  async start(options) {
+    const binaryPath = getTunnelBinaryPath(options.configDir);
+    if (!existsSync(binaryPath)) {
+      throw new Error(
+        "cloudflared is not installed. Run `npx perplexity-user-mcp daemon install-tunnel` first."
+      );
+    }
+    return startTunnel({
+      command: binaryPath,
+      port: options.port,
+      onStateChange: options.onStateChange
+    });
+  }
+};
+
+// src/daemon/tunnel-providers/cloudflared-named.ts
+import { existsSync as existsSync3 } from "fs";
+import { spawn as nodeSpawn2 } from "child_process";
+import { createInterface } from "readline";
+import { execFile as execFileCallback } from "child_process";
+import { promisify } from "util";
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
+
+// src/daemon/tunnel-providers/cloudflared-named-setup.ts
+import {
+  chmodSync,
+  existsSync as existsSync2,
+  mkdirSync,
+  readFileSync,
+  rmSync
+} from "fs";
+import { spawn as nodeSpawn } from "child_process";
+import { dirname, join } from "path";
+import { homedir } from "os";
+import { spawnSync } from "child_process";
+var DeleteNamedTunnelError = class extends Error {
+  constructor(message, reason) {
+    super(message);
+    this.reason = reason;
+    this.name = "DeleteNamedTunnelError";
+  }
+};
+var CONFIG_FILENAME = "cloudflared-named.yml";
+var DEFAULT_LOGIN_TIMEOUT_MS = 10 * 60 * 1e3;
+var CERT_POLL_INTERVAL_MS = 250;
+function runCloudflaredLogin(options) {
+  return new Promise((resolve, reject) => {
+    const binaryPath = options.binaryPath ?? getTunnelBinaryPath(options.configDir);
+    try {
+      assertBinaryExists(binaryPath);
+    } catch (err) {
+      reject(err);
+      return;
+    }
+    const certPath = options.certPath ?? defaultCertPath();
+    if (existsSync2(certPath)) {
+      reject(
+        new Error(
+          `cert already exists at ${certPath}; rename or delete it to re-run login.`
+        )
+      );
+      return;
+    }
+    const spawnImpl = options.dependencies?.spawn ?? nodeSpawn;
+    const timeoutMs = options.timeoutMs ?? DEFAULT_LOGIN_TIMEOUT_MS;
+    const child = spawnImpl(binaryPath, ["tunnel", "login"], {
+      stdio: ["ignore", "pipe", "pipe"],
+      windowsHide: true
+    });
+    const stderrChunks = [];
+    child.stderr?.on("data", (chunk) => {
+      const text = chunk.toString("utf8");
+      stderrChunks.push(text);
+      if (options.forwardOutput) process.stderr.write(text);
+    });
+    child.stdout?.on("data", (chunk) => {
+      const text = chunk.toString("utf8");
+      stderrChunks.push(text);
+      if (options.forwardOutput) process.stderr.write(text);
+    });
+    let settled = false;
+    let pollTimer = null;
+    let overallTimer = null;
+    const cleanup = () => {
+      if (pollTimer) clearInterval(pollTimer);
+      if (overallTimer) clearTimeout(overallTimer);
+      if (options.signal) options.signal.removeEventListener("abort", onAbort);
+      killChild(child);
+    };
+    const resolveOk = () => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      resolve({ ok: true, certPath, stderr: stderrChunks.join("") });
+    };
+    const rejectWith = (err) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      reject(err);
+    };
+    const onAbort = () => {
+      rejectWith(new Error("cloudflared login aborted by caller."));
+    };
+    if (options.signal) {
+      if (options.signal.aborted) {
+        rejectWith(new Error("cloudflared login aborted by caller."));
+        return;
+      }
+      options.signal.addEventListener("abort", onAbort, { once: true });
+    }
+    pollTimer = setInterval(() => {
+      try {
+        if (existsSync2(certPath)) resolveOk();
+      } catch {
+      }
+    }, CERT_POLL_INTERVAL_MS);
+    overallTimer = setTimeout(() => {
+      rejectWith(
+        new Error(
+          `cloudflared login timed out after ${Math.round(timeoutMs / 1e3)}s \u2014 cert not written to ${certPath}.`
+        )
+      );
+    }, timeoutMs);
+    child.on("error", (err) => {
+      rejectWith(new Error(`cloudflared login failed to start: ${err.message}`));
+    });
+    child.on("exit", () => {
+      if (settled) return;
+      if (existsSync2(certPath)) {
+        resolveOk();
+      }
+    });
+  });
+}
+function listNamedTunnels(options) {
+  return new Promise((resolve, reject) => {
+    const binaryPath = options.binaryPath ?? getTunnelBinaryPath(options.configDir);
+    try {
+      assertBinaryExists(binaryPath);
+    } catch (err) {
+      reject(err);
+      return;
+    }
+    const spawnImpl = options.dependencies?.spawn ?? nodeSpawn;
+    const child = spawnImpl(binaryPath, ["tunnel", "list", "--output=json"], {
+      stdio: ["ignore", "pipe", "pipe"],
+      windowsHide: true
+    });
+    const stdoutChunks = [];
+    const stderrChunks = [];
+    child.stdout?.on("data", (chunk) => stdoutChunks.push(chunk.toString("utf8")));
+    child.stderr?.on("data", (chunk) => stderrChunks.push(chunk.toString("utf8")));
+    child.on("error", (err) => {
+      reject(new Error(`cloudflared list failed to start: ${err.message}`));
+    });
+    child.on("exit", (code) => {
+      const stdout = stdoutChunks.join("");
+      const stderr = stderrChunks.join("");
+      if (code !== 0) {
+        reject(new Error(`cloudflared tunnel list exited with code ${code}: ${stderr.trim() || stdout.trim()}`));
+        return;
+      }
+      const trimmed = stdout.trim();
+      if (trimmed === "" || trimmed === "null") {
+        resolve([]);
+        return;
+      }
+      let parsed;
+      try {
+        parsed = JSON.parse(trimmed);
+      } catch {
+        reject(
+          new Error(
+            `cloudflared output not parseable: ${trimmed.slice(0, 200)}`
+          )
+        );
+        return;
+      }
+      if (!Array.isArray(parsed)) {
+        resolve([]);
+        return;
+      }
+      const summaries = parsed.filter((entry) => !!entry && typeof entry === "object").map((entry) => {
+        const id = typeof entry.id === "string" ? entry.id : "";
+        const name = typeof entry.name === "string" ? entry.name : "";
+        const createdAt = typeof entry.created_at === "string" ? entry.created_at : void 0;
+        const connArr = Array.isArray(entry.connections) ? entry.connections : [];
+        return { uuid: id, name, createdAt, connections: connArr.length };
+      }).filter((entry) => entry.uuid.length > 0);
+      resolve(summaries);
+    });
+  });
+}
+var CREATE_ID_REGEX = /Created tunnel\s+(\S+)\s+with id\s+([0-9a-f-]{8,})/i;
+var CREDENTIALS_REGEX = /Tunnel credentials written to\s+(.+?\.json)/i;
+async function createNamedTunnel(options) {
+  if (!options.name) throw new Error("createNamedTunnel: name is required.");
+  if (!options.hostname) throw new Error("createNamedTunnel: hostname is required.");
+  const binaryPath = options.binaryPath ?? getTunnelBinaryPath(options.configDir);
+  assertBinaryExists(binaryPath);
+  const spawnImpl = options.dependencies?.spawn ?? nodeSpawn;
+  return runCapture(spawnImpl, binaryPath, ["tunnel", "create", options.name], options.signal).then(({ code, stdout, stderr }) => {
+    if (code !== 0) {
+      throw new Error(
+        `cloudflared tunnel create exited with code ${code}: ${stderr.trim() || stdout.trim()}`
+      );
+    }
+    const idMatch = stdout.match(CREATE_ID_REGEX) ?? stderr.match(CREATE_ID_REGEX);
+    if (!idMatch) {
+      throw new Error(
+        `cloudflared create output missing tunnel id line. Output: ${(stdout + stderr).slice(0, 400)}`
+      );
+    }
+    const credMatch = stdout.match(CREDENTIALS_REGEX) ?? stderr.match(CREDENTIALS_REGEX);
+    if (!credMatch) {
+      throw new Error(
+        `cloudflared create output missing credentials path line. Output: ${(stdout + stderr).slice(0, 400)}`
+      );
+    }
+    const uuid = idMatch[2];
+    const credentialsPath = credMatch[1].trim();
+    const parsedName = idMatch[1];
+    return { uuid, name: parsedName || options.name, credentialsPath };
+  }).then(async (tunnel) => {
+    const { code, stdout, stderr } = await runCapture(
+      spawnImpl,
+      binaryPath,
+      ["tunnel", "route", "dns", tunnel.uuid, options.hostname],
+      options.signal
+    );
+    if (code !== 0) {
+      throw new Error(
+        `cloudflared route dns exited with code ${code}: ${stderr.trim() || stdout.trim()}`
+      );
+    }
+    return tunnel;
+  });
+}
+async function deleteNamedTunnel(options) {
+  const uuid = options.uuid.trim();
+  if (!uuid) throw new Error("deleteNamedTunnel: uuid is required.");
+  const binaryPath = options.binaryPath ?? getTunnelBinaryPath(options.configDir);
+  assertBinaryExists(binaryPath);
+  const spawnImpl = options.dependencies?.spawn ?? nodeSpawn;
+  const { code, stdout, stderr } = await runCapture(
+    spawnImpl,
+    binaryPath,
+    ["tunnel", "delete", "--force", uuid],
+    options.signal
+  );
+  if (code !== 0) {
+    const combined = `${stderr}
+${stdout}`.trim();
+    if (isActiveConnectionDeleteFailure(combined)) {
+      throw new DeleteNamedTunnelError(
+        "cloudflared could not delete the tunnel because it still has active connections. Remove the DNS route/CNAME for this hostname, wait for connections to drain, then retry delete.",
+        "active-connections"
+      );
+    }
+    throw new DeleteNamedTunnelError(
+      `cloudflared tunnel delete exited with code ${code}: ${combined}`,
+      "unknown"
+    );
+  }
+  return { uuid };
+}
+function isActiveConnectionDeleteFailure(output) {
+  const normalized = output.toLowerCase();
+  return /active connection/.test(normalized) || /still has connections/.test(normalized) || /cannot.*delete.*connections/.test(normalized) || /unable.*delete.*connections/.test(normalized);
+}
+function runCapture(spawnImpl, command, args, signal) {
+  return new Promise((resolve, reject) => {
+    const child = spawnImpl(command, args, {
+      stdio: ["ignore", "pipe", "pipe"],
+      windowsHide: true
+    });
+    const stdout = [];
+    const stderr = [];
+    child.stdout?.on("data", (chunk) => stdout.push(chunk.toString("utf8")));
+    child.stderr?.on("data", (chunk) => stderr.push(chunk.toString("utf8")));
+    const onAbort = () => killChild(child);
+    if (signal) {
+      if (signal.aborted) {
+        killChild(child);
+        reject(new Error("cloudflared command aborted by caller."));
+        return;
+      }
+      signal.addEventListener("abort", onAbort, { once: true });
+    }
+    child.on("error", (err) => {
+      if (signal) signal.removeEventListener("abort", onAbort);
+      reject(new Error(`cloudflared command failed to start: ${err.message}`));
+    });
+    child.on("exit", (code) => {
+      if (signal) signal.removeEventListener("abort", onAbort);
+      resolve({ code, stdout: stdout.join(""), stderr: stderr.join("") });
+    });
+  });
+}
+function getNamedTunnelConfigPath(configDir) {
+  return join(configDir, CONFIG_FILENAME);
+}
+function writeTunnelConfig(options) {
+  if (!options.uuid) throw new Error("writeTunnelConfig: uuid is required.");
+  if (!options.hostname) throw new Error("writeTunnelConfig: hostname is required.");
+  if (!Number.isFinite(options.port) || options.port <= 0) {
+    throw new Error("writeTunnelConfig: port must be a positive number.");
+  }
+  if (!options.credentialsPath) {
+    throw new Error("writeTunnelConfig: credentialsPath is required.");
+  }
+  const configPath = getNamedTunnelConfigPath(options.configDir);
+  mkdirSync(dirname(configPath), { recursive: true });
+  const yaml = serializeConfigYaml({
+    uuid: options.uuid,
+    hostname: options.hostname,
+    port: options.port,
+    credentialsPath: options.credentialsPath
+  });
+  safeAtomicWriteFileSync(configPath, yaml, { encoding: "utf8", mode: 384 });
+  applyPrivatePermissions(configPath);
+  return {
+    uuid: options.uuid,
+    hostname: options.hostname,
+    port: options.port,
+    configPath,
+    credentialsPath: options.credentialsPath
+  };
+}
+function readNamedTunnelConfig(configDir) {
+  const configPath = getNamedTunnelConfigPath(configDir);
+  if (!existsSync2(configPath)) return null;
+  let raw;
+  try {
+    raw = readFileSync(configPath, "utf8");
+  } catch {
+    return null;
+  }
+  const parsed = parseConfigYaml(raw);
+  if (!parsed) return null;
+  return {
+    uuid: parsed.uuid,
+    hostname: parsed.hostname,
+    port: parsed.port,
+    credentialsPath: parsed.credentialsPath,
+    configPath
+  };
+}
+function clearNamedTunnelConfig(configDir) {
+  const configPath = getNamedTunnelConfigPath(configDir);
+  const existed = existsSync2(configPath);
+  rmSync(configPath, { force: true });
+  return existed;
+}
+function assertBinaryExists(binaryPath) {
+  if (!existsSync2(binaryPath)) {
+    throw new Error(
+      `cloudflared not installed; run "daemon install-tunnel" first (expected at ${binaryPath}).`
+    );
+  }
+}
+function defaultCertPath() {
+  return join(homedir(), ".cloudflared", "cert.pem");
+}
+function killChild(child) {
+  if (!child || child.killed) return;
+  try {
+    child.kill("SIGTERM");
+  } catch {
+  }
+}
+function serializeConfigYaml(opts) {
+  return [
+    `tunnel: ${opts.uuid}`,
+    `credentials-file: ${yamlQuoteIfNeeded(opts.credentialsPath)}`,
+    "ingress:",
+    `  - hostname: ${opts.hostname}`,
+    `    service: http://127.0.0.1:${opts.port}`,
+    "  - service: http_status:404",
+    ""
+  ].join("\n");
+}
+function yamlQuoteIfNeeded(value) {
+  if (/^[A-Za-z0-9._/\\:-]+$/u.test(value)) return value;
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}
+function parseConfigYaml(raw) {
+  const lines = raw.split(/\r?\n/);
+  let uuid = "";
+  let credentialsPath = "";
+  let hostname = "";
+  let port = 0;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const tunnelMatch = trimmed.match(/^tunnel:\s*(.+)$/u);
+    if (tunnelMatch) {
+      uuid = unquoteYaml(tunnelMatch[1].trim());
+      continue;
+    }
+    const credsMatch = trimmed.match(/^credentials-file:\s*(.+)$/u);
+    if (credsMatch) {
+      credentialsPath = unquoteYaml(credsMatch[1].trim());
+      continue;
+    }
+    const hostnameMatch = trimmed.match(/^- hostname:\s*(.+)$/u);
+    if (hostnameMatch) {
+      hostname = unquoteYaml(hostnameMatch[1].trim());
+      continue;
+    }
+    const serviceMatch = trimmed.match(/^service:\s*http:\/\/127\.0\.0\.1:(\d+)\s*$/u);
+    if (serviceMatch) {
+      port = Number.parseInt(serviceMatch[1], 10);
+      continue;
+    }
+  }
+  if (!uuid || !hostname || !credentialsPath || !Number.isFinite(port) || port <= 0) {
+    return null;
+  }
+  return { uuid, hostname, port, credentialsPath };
+}
+function unquoteYaml(value) {
+  if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
+    return value.slice(1, -1).replace(/\\"/g, '"').replace(/\\\\/g, "\\");
+  }
+  return value;
+}
+function applyPrivatePermissions(path) {
+  if (process.platform === "win32") {
+    const username = process.env.USERNAME;
+    const domain = process.env.USERDOMAIN;
+    const target = domain && username ? `${domain}\\${username}` : username ?? "";
+    if (!target) return;
+    spawnSync("icacls", [path, "/inheritance:r", "/grant:r", `${target}:(R,W)`], {
+      encoding: "utf8",
+      windowsHide: true
+    });
+    return;
+  }
+  chmodSync(path, 384);
+}
+
+// src/daemon/tunnel-providers/cloudflared-named.ts
+var execFile = promisify(execFileCallback);
+var STOP_GRACE_MS = 3e3;
+var READY_LINE_REGEX = /Registered tunnel connection/i;
+function createCloudflaredNamedProvider(options = {}) {
+  const spawnImpl = options.dependencies?.spawn ?? nodeSpawn2;
+  const homedirImpl = options.dependencies?.homedir ?? homedir2;
+  return {
+    id: "cf-named",
+    displayName: "Cloudflare Named Tunnel",
+    description: "Persistent URL on your own Cloudflare-managed zone. Requires one-time `cloudflared login` + tunnel create.",
+    async isSetupComplete(configDir) {
+      const binaryPath = getTunnelBinaryPath(configDir);
+      if (!existsSync3(binaryPath)) {
+        return {
+          ready: false,
+          reason: "cloudflared binary not installed.",
+          action: { label: "Install cloudflared", kind: "install-binary" }
+        };
+      }
+      const certPath = join2(homedirImpl(), ".cloudflared", "cert.pem");
+      if (!existsSync3(certPath)) {
+        return {
+          ready: false,
+          reason: "cloudflared login required \u2014 origin cert not found.",
+          // 8.4.2 emitted `kind: "open-url"` here but the action has no URL —
+          // it spawns `cloudflared tunnel login` on the host. 8.4.3 migrates
+          // this to the generic run-command contract: the UI dispatches the
+          // webview message identified by `command` (here: `cf-named-login`
+          // → `daemon:cf-named-login`), which the extension modal-confirms
+          // before spawning the child process.
+          action: {
+            label: "Run cloudflared login",
+            kind: "run-command",
+            command: "cf-named-login"
+          }
+        };
+      }
+      const config = readNamedTunnelConfig(configDir);
+      if (!config) {
+        return {
+          ready: false,
+          reason: "named tunnel not configured \u2014 run the setup flow."
+        };
+      }
+      if (!existsSync3(config.credentialsPath)) {
+        return {
+          ready: false,
+          reason: `credentials file not found at ${config.credentialsPath}.`
+        };
+      }
+      return { ready: true };
+    },
+    async start(startOptions) {
+      const binaryPath = getTunnelBinaryPath(startOptions.configDir);
+      if (!existsSync3(binaryPath)) {
+        throw new Error(
+          "cloudflared is not installed. Run `npx perplexity-user-mcp daemon install-tunnel` first."
+        );
+      }
+      const certPath = join2(homedirImpl(), ".cloudflared", "cert.pem");
+      if (!existsSync3(certPath)) {
+        throw new Error(
+          "cloudflared named tunnel not set up \u2014 origin cert missing. Run `cloudflared tunnel login`."
+        );
+      }
+      const existing = readNamedTunnelConfig(startOptions.configDir);
+      if (!existing) {
+        throw new Error(
+          "named tunnel not configured \u2014 run the cf-named setup flow from the dashboard or CLI."
+        );
+      }
+      if (!existsSync3(existing.credentialsPath)) {
+        throw new Error(
+          `named tunnel credentials file missing at ${existing.credentialsPath}.`
+        );
+      }
+      const refreshed = writeTunnelConfig({
+        configDir: startOptions.configDir,
+        uuid: existing.uuid,
+        hostname: existing.hostname,
+        port: startOptions.port,
+        credentialsPath: existing.credentialsPath
+      });
+      return spawnNamedTunnel({
+        binaryPath,
+        configPath: refreshed.configPath,
+        hostname: refreshed.hostname,
+        onStateChange: startOptions.onStateChange,
+        spawnImpl
+      });
+    }
+  };
+}
+var cloudflaredNamedProvider = createCloudflaredNamedProvider();
+function spawnNamedTunnel(options) {
+  const args = [
+    "tunnel",
+    "--no-autoupdate",
+    "--config",
+    options.configPath,
+    "run"
+  ];
+  const child = options.spawnImpl(options.binaryPath, args, {
+    stdio: ["ignore", "pipe", "pipe"],
+    detached: false,
+    windowsHide: true
+  });
+  const hostnameUrl = `https://${options.hostname}`;
+  let stopping = false;
+  let settled = false;
+  let resolveExited;
+  const exited = new Promise((resolve) => {
+    resolveExited = resolve;
+  });
+  let state = {
+    status: "starting",
+    url: null,
+    pid: child.pid ?? null,
+    error: null
+  };
+  const updateState = (next) => {
+    state = next;
+    options.onStateChange(state);
+  };
+  updateState(state);
+  let resolveReady;
+  let rejectReady;
+  const waitUntilReady = new Promise((resolve, reject) => {
+    resolveReady = resolve;
+    rejectReady = reject;
+  });
+  const handleLine = (line) => {
+    if (settled) return;
+    if (!READY_LINE_REGEX.test(line)) return;
+    settled = true;
+    updateState({
+      status: "enabled",
+      url: hostnameUrl,
+      pid: child.pid ?? null,
+      error: null
+    });
+    resolveReady(hostnameUrl);
+  };
+  if (child.stderr) createInterface({ input: child.stderr }).on("line", handleLine);
+  if (child.stdout) createInterface({ input: child.stdout }).on("line", handleLine);
+  child.on("error", (error) => {
+    if (!settled) {
+      settled = true;
+      rejectReady(error);
+    }
+    updateState({
+      status: stopping ? "disabled" : "crashed",
+      url: null,
+      pid: child.pid ?? null,
+      error: error.message
+    });
+  });
+  child.on("exit", (code, signal) => {
+    if (!settled) {
+      settled = true;
+      rejectReady(
+        new Error(
+          `cloudflared exited before the named tunnel came online (code=${code ?? "null"} signal=${signal ?? "null"}).`
+        )
+      );
+    }
+    updateState({
+      status: stopping ? "disabled" : "crashed",
+      url: stopping ? null : state.url,
+      pid: null,
+      error: stopping ? null : `cloudflared exited (code=${code ?? "null"} signal=${signal ?? "null"}).`
+    });
+    resolveExited();
+  });
+  const stop = async () => {
+    if (stopping) return;
+    stopping = true;
+    if (child.exitCode !== null || child.killed) {
+      updateState({ status: "disabled", url: null, pid: null, error: null });
+      resolveExited();
+      return;
+    }
+    if (process.platform === "win32") {
+      await execFile("taskkill", ["/PID", String(child.pid), "/T", "/F"], {
+        windowsHide: true
+      }).catch(() => void 0);
+      await exited;
+      return;
+    }
+    child.kill("SIGTERM");
+    const escalate = setTimeout(() => {
+      if (!killedOrExited(child)) {
+        try {
+          child.kill("SIGKILL");
+        } catch {
+        }
+      }
+    }, STOP_GRACE_MS);
+    try {
+      await exited;
+    } finally {
+      clearTimeout(escalate);
+    }
+  };
+  return {
+    pid: child.pid ?? 0,
+    waitUntilReady,
+    stop,
+    getState: () => state
+  };
+}
+function killedOrExited(child) {
+  return child.killed || child.exitCode !== null;
+}
+
+// src/daemon/tunnel-providers/ngrok-config.ts
+import { chmodSync as chmodSync2, existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync2, rmSync as rmSync2 } from "fs";
+import { spawnSync as spawnSync2 } from "child_process";
+import { dirname as dirname2, join as join3 } from "path";
+function getNgrokConfigPath(configDir) {
+  return join3(configDir, "ngrok.json");
+}
+function readNgrokSettings(configDir) {
+  const path = getNgrokConfigPath(configDir);
+  if (!existsSync4(path)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync2(path, "utf8"));
+    if (typeof parsed.authtoken === "string" && parsed.authtoken.length > 0) {
+      return {
+        authtoken: parsed.authtoken,
+        domain: typeof parsed.domain === "string" && parsed.domain.length > 0 ? parsed.domain : void 0,
+        updatedAt: typeof parsed.updatedAt === "string" ? parsed.updatedAt : (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function writeNgrokSettings(configDir, next) {
+  const path = getNgrokConfigPath(configDir);
+  const prev = readNgrokSettings(configDir);
+  const merged = {
+    authtoken: next.authtoken ?? prev?.authtoken ?? "",
+    domain: next.domain === null ? void 0 : next.domain ?? prev?.domain,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  if (!merged.authtoken) {
+    throw new Error("ngrok authtoken is required.");
+  }
+  mkdirSync2(dirname2(path), { recursive: true });
+  safeAtomicWriteFileSync(path, JSON.stringify(merged, null, 2) + "\n", { encoding: "utf8", mode: 384 });
+  applyPrivatePermissions2(path);
+  return merged;
+}
+function clearNgrokSettings(configDir) {
+  const path = getNgrokConfigPath(configDir);
+  rmSync2(path, { force: true });
+}
+function applyPrivatePermissions2(path) {
+  if (process.platform === "win32") {
+    const username = process.env.USERNAME;
+    const domain = process.env.USERDOMAIN;
+    const target = domain && username ? `${domain}\\${username}` : username ?? "";
+    if (!target) return;
+    spawnSync2("icacls", [path, "/inheritance:r", "/grant:r", `${target}:(R,W)`], {
+      encoding: "utf8",
+      windowsHide: true
+    });
+    return;
+  }
+  chmodSync2(path, 384);
+}
+
+// src/daemon/tunnel-providers/ngrok.ts
+var DASHBOARD_AUTHTOKEN_URL = "https://dashboard.ngrok.com/get-started/your-authtoken";
+var NgrokNativeMissingError = class extends Error {
+  platform;
+  arch;
+  cause;
+  constructor(cause) {
+    const platform = process.platform;
+    const arch = process.arch;
+    const message = `@ngrok/ngrok native binding for ${platform}-${arch} is not available in this VSIX. Reinstall the extension (or install @ngrok/ngrok manually) to use the ngrok provider, or switch to the cloudflared provider in the dashboard.`;
+    super(message);
+    this.name = "NgrokNativeMissingError";
+    this.platform = platform;
+    this.arch = arch;
+    if (cause !== void 0) {
+      this.cause = cause;
+    }
+  }
+};
+var cachedNgrok = null;
+function isNativeMissingError(err) {
+  if (!err) return false;
+  const code = err.code;
+  if (code === "MODULE_NOT_FOUND" || code === "ERR_MODULE_NOT_FOUND") return true;
+  const message = err instanceof Error ? err.message : String(err);
+  return /Cannot find module ['"]@ngrok\/ngrok[-/]/i.test(message);
+}
+async function loadNgrokNative() {
+  if (cachedNgrok) return cachedNgrok;
+  try {
+    const mod = await import("@ngrok/ngrok");
+    const resolved = mod.default ?? mod;
+    if (typeof resolved?.forward !== "function") {
+      throw new Error("@ngrok/ngrok module did not expose forward(); API changed?");
+    }
+    cachedNgrok = resolved;
+    return resolved;
+  } catch (err) {
+    if (isNativeMissingError(err)) {
+      throw new NgrokNativeMissingError(err);
+    }
+    throw err;
+  }
+}
+async function isNgrokNativeAvailable() {
+  try {
+    await loadNgrokNative();
+    return { available: true };
+  } catch (err) {
+    if (err instanceof NgrokNativeMissingError) {
+      return { available: false, error: err };
+    }
+    throw err;
+  }
+}
+var ngrokProvider = {
+  id: "ngrok",
+  displayName: "ngrok",
+  description: "Persistent URL via ngrok. Requires a free ngrok account authtoken.",
+  async isSetupComplete(configDir) {
+    const probe = await isNgrokNativeAvailable();
+    if (!probe.available) {
+      return {
+        ready: false,
+        reason: probe.error.message
+      };
+    }
+    const settings = readNgrokSettings(configDir);
+    if (!settings?.authtoken) {
+      return {
+        ready: false,
+        reason: "ngrok authtoken not set.",
+        action: {
+          label: "Get authtoken",
+          kind: "open-url",
+          url: DASHBOARD_AUTHTOKEN_URL
+        }
+      };
+    }
+    return { ready: true };
+  },
+  async start(options) {
+    const settings = readNgrokSettings(options.configDir);
+    if (!settings?.authtoken) {
+      throw new Error(
+        `ngrok authtoken not configured. Paste your authtoken from ${DASHBOARD_AUTHTOKEN_URL} into the dashboard, or run \`perplexity-user-mcp daemon set-ngrok-authtoken <token>\`.`
+      );
+    }
+    const ngrok = await loadNgrokNative();
+    let state = { status: "starting", url: null, pid: null, error: null };
+    const updateState = (next) => {
+      state = next;
+      options.onStateChange(state);
+    };
+    updateState(state);
+    try {
+      if (typeof ngrok.kill === "function") {
+        await ngrok.kill();
+      }
+    } catch {
+    }
+    let listener = null;
+    let resolveExited;
+    const exited = new Promise((resolve) => {
+      resolveExited = resolve;
+    });
+    try {
+      listener = await ngrok.forward({
+        addr: options.port,
+        authtoken: settings.authtoken,
+        ...settings.domain ? { domain: settings.domain } : {},
+        // Human-readable label in the ngrok dashboard.
+        forwards_to: `perplexity-mcp (port ${options.port})`
+      });
+    } catch (err) {
+      const raw = err instanceof Error ? err.message : String(err);
+      const friendly = translateNgrokError(raw, settings.domain);
+      updateState({ status: "crashed", url: null, pid: null, error: friendly });
+      throw new Error(friendly);
+    }
+    const url = typeof listener?.url === "function" ? listener.url() : null;
+    if (!url) {
+      await safeClose(listener);
+      updateState({ status: "crashed", url: null, pid: null, error: "ngrok returned no URL" });
+      throw new Error("ngrok did not publish a URL.");
+    }
+    updateState({ status: "enabled", url, pid: null, error: null });
+    let stopping = false;
+    const stop = async () => {
+      if (stopping) return;
+      stopping = true;
+      await safeClose(listener);
+      listener = null;
+      updateState({ status: "disabled", url: null, pid: null, error: null });
+      resolveExited();
+    };
+    return {
+      pid: 0,
+      waitUntilReady: Promise.resolve(url),
+      stop,
+      getState: () => state
+    };
+  }
+};
+async function safeClose(listener) {
+  if (!listener) return;
+  try {
+    if (typeof listener.close === "function") {
+      await listener.close();
+    }
+  } catch {
+  }
+}
+function translateNgrokError(raw, domain) {
+  if (/ERR_NGROK_334/i.test(raw) || /already online/i.test(raw)) {
+    const which = domain ? ` for "${domain}"` : "";
+    return `ngrok refused the bind${which}: the reserved domain is still registered from a previous session. Wait ~60 seconds for ngrok's server to release it, then click Enable again. Or: use the Kill daemon button to force-cleanup, then try a different domain (or leave the domain blank for an ephemeral URL). Upstream code: ERR_NGROK_334.`;
+  }
+  if (/ERR_NGROK_105/i.test(raw) || /authentication failed/i.test(raw) || /authtoken/i.test(raw)) {
+    return `ngrok rejected the authtoken. Check it at ${DASHBOARD_AUTHTOKEN_URL} and paste it into the dashboard, then try Enable again.`;
+  }
+  if (/ERR_NGROK_108/i.test(raw) || /limited to 1 simultaneous/i.test(raw)) {
+    return `ngrok free tier allows one session per account. Another device or app is already using this authtoken \u2014 stop it in the ngrok dashboard (Cloud Edge \u2192 Tunnels), then click Enable.`;
+  }
+  return `ngrok forward failed: ${raw}`;
+}
+
+// src/daemon/tunnel-providers/index.ts
+var REGISTRY = {
+  "cf-quick": cloudflaredQuickProvider,
+  ngrok: ngrokProvider,
+  "cf-named": cloudflaredNamedProvider
+};
+function getTunnelProvider(id) {
+  const provider = REGISTRY[id];
+  if (!provider) {
+    throw new Error(`Unknown tunnel provider: ${id}`);
+  }
+  return provider;
+}
+function listTunnelProviders() {
+  return Object.values(REGISTRY);
+}
+var DEFAULT_PROVIDER = "cf-quick";
+function getTunnelSettingsPath(configDir) {
+  return join4(configDir, "tunnel-settings.json");
+}
+function readTunnelSettings(configDir) {
+  const path = getTunnelSettingsPath(configDir);
+  if (!existsSync5(path)) {
+    return { activeProvider: DEFAULT_PROVIDER, updatedAt: (/* @__PURE__ */ new Date(0)).toISOString() };
+  }
+  try {
+    const parsed = JSON.parse(readFileSync3(path, "utf8"));
+    const activeProvider = parsed.activeProvider && parsed.activeProvider in REGISTRY ? parsed.activeProvider : DEFAULT_PROVIDER;
+    return {
+      activeProvider,
+      updatedAt: typeof parsed.updatedAt === "string" ? parsed.updatedAt : (/* @__PURE__ */ new Date()).toISOString()
+    };
+  } catch {
+    return { activeProvider: DEFAULT_PROVIDER, updatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+  }
+}
+function writeTunnelSettings(configDir, patch) {
+  const path = getTunnelSettingsPath(configDir);
+  const prev = readTunnelSettings(configDir);
+  const next = {
+    activeProvider: patch.activeProvider && patch.activeProvider in REGISTRY ? patch.activeProvider : prev.activeProvider,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  mkdirSync3(dirname3(path), { recursive: true });
+  safeAtomicWriteFileSync(path, JSON.stringify(next, null, 2) + "\n", "utf8");
+  return next;
+}
+async function listTunnelProviderStatuses(configDir) {
+  const { activeProvider } = readTunnelSettings(configDir);
+  const results = [];
+  for (const provider of listTunnelProviders()) {
+    const setup = await provider.isSetupComplete(configDir);
+    results.push({
+      id: provider.id,
+      displayName: provider.displayName,
+      description: provider.description,
+      setup,
+      isActive: provider.id === activeProvider
+    });
+  }
+  return results;
+}
+
+export {
+  DeleteNamedTunnelError,
+  runCloudflaredLogin,
+  listNamedTunnels,
+  createNamedTunnel,
+  deleteNamedTunnel,
+  isActiveConnectionDeleteFailure,
+  getNamedTunnelConfigPath,
+  writeTunnelConfig,
+  readNamedTunnelConfig,
+  clearNamedTunnelConfig,
+  createCloudflaredNamedProvider,
+  getNgrokConfigPath,
+  readNgrokSettings,
+  writeNgrokSettings,
+  clearNgrokSettings,
+  NgrokNativeMissingError,
+  loadNgrokNative,
+  isNgrokNativeAvailable,
+  getTunnelProvider,
+  listTunnelProviders,
+  getTunnelSettingsPath,
+  readTunnelSettings,
+  writeTunnelSettings,
+  listTunnelProviderStatuses
+};